VENDOR UPDATE | 27 October 2020

Oracle Database Critical Patch And Security Update October 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Please review our previous Critical Patch Update advisories for more information regarding earlier published security fixes.

Oracle Database Product Critical Patch Summary

This Critical Patch Update contains 19 new security patches for Oracle Database Server Products:

  • New security patches for Oracle Database Products:
    • Oracle Database 11.2.0.4
    • Oracle Database 12.1.0.2
    • Oracle Database 12.2.0.1
    • Oracle Database 18c
    • Oracle Database 19c

Oracle Database Server Risk Matrix

CVE#ComponentPackage and/or Privilege RequiredProtocolRemote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISKSupported Versions AffectedNotes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
ScopeConfid-
entiality
Inte-
grity
Avail-
ability
CVE-2019-12900 Core RDBMS (bzip2) DBA Level Account Oracle Net No 8.8 Network Low Low None Un-
changed
High High High 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c  
CVE-2020-14735 Scheduler Local Logon None No 8.8 Local Low Low None Changed High High High 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c  
CVE-2020-14734 Oracle Text None Oracle Net Yes 8.1 Network High None None Un-
changed
High High High 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c  
CVE-2018-2765 Oracle SSL API None HTTPS Yes 7.5 Network Low None None Un-
changed
High None None 11.2.0.4, 12.1.0.2, 12.2.0.1  
CVE-2020-13935 Workload Manager (Apache Tomcat) None HTTP Yes 7.5 Network Low None None Un-
changed
None None High 12.2.0.1, 18c, 19c  
CVE-2020-11023 Oracle Application Express (jQuery) None HTTP Yes 6.1 Network Low None Required Changed Low Low None Prior to 20.2  
CVE-2020-11023 ORDS (jQuery) None HTTP Yes 6.1 Network Low None Required Changed Low Low None 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c See Note 1
CVE-2020-14762 Oracle Application Express SQL Workshop HTTP No 5.4 Network Low Low Required Changed Low Low None Prior to 20.2  
CVE-2020-9281 Oracle Application Express Valid User Account HTTP No 5.4 Network Low Low Required Changed Low Low None Prior to 20.2  
CVE-2020-14899 Oracle Application Express Data Reporter Valid User Account HTTP No 5.4 Network Low Low Required Changed Low Low None Prior to 20.2  
CVE-2020-14900 Oracle Application Express Group Calendar Valid User Account HTTP No 5.4 Network Low Low Required Changed Low Low None Prior to 20.2  
CVE-2020-14898 Oracle Application Express Packaged Apps Valid User Account HTTP No 5.4 Network Low Low Required Changed Low Low None Prior to 20.2  
CVE-2020-14763 Oracle Application Express Quick Poll Valid User Account HTTP No 5.4 Network Low Low Required Changed Low Low None Prior to 20.2  
CVE-2020-14741 Database Filesystem Resource, Create Table, Create View, Create Procedure, Dbfs_role Oracle Net No 4.9 Network Low High None Un-
changed
None None High 11.2.0.4, 12.1.0.2, 12.2.0.1  
CVE-2020-14901 RDBMS Security Analyze Any Oracle Net No 4.9 Network Low High None Un-
changed
High None None 19c  
CVE-2020-14736 Database Vault Create Public Synonym Oracle Net No 3.8 Network Low High None Un-
changed
Low Low None 11.2.0.4, 12.1.0.2, 12.2.0.1  
CVE-2020-14743 Java VM Create Procedure Multiple No 3.1 Network High Low None Un-
changed
None Low None 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c  
CVE-2020-14740 SQL Developer Install Client Computer User Account Local Logon No 2.8 Local Low Low Required Un-
changed
Low None None 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c  
CVE-2020-14742 Core RDBMS SYSDBA level account Oracle Net No 2.7 Network Low High None Un-
changed
None Low None 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c  

Notes:

  • Additional ORDS bugs are documented in the risk matrix "Oracle REST Data Services Risk Matrix"

 

Additional CVEs addressed are:

  • The patch for CVE-2019-12900 also addresses CVE-2016-3189
  • The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022
  • The patch for CVE-2020-13935 also addresses CVE-2020-11996, CVE-2020-13934 and CVE-2020-9484
  • The patch for CVE-2020-14734 also addresses CVE-2016-10244, CVE-2016-10328, CVE-2016-5300, CVE-2016-6153, CVE-2017-10989, CVE-2017-13685, CVE-2017-13745, CVE-2017-14232, CVE-2017-15286, CVE-2017-7857, CVE-2017-7858, CVE-2017-7864, CVE-2017-8105, CVE-2017-8287, CVE-2018-18873, CVE-2018-19139, CVE-2018-19539, CVE-2018-19540, CVE-2018-19541, CVE-2018-19542, CVE-2018-19543, CVE-2018-20346, CVE-2018-20505, CVE-2018-20506, CVE-2018-20570, CVE-2018-20584, CVE-2018-20622, CVE-2018-20843, CVE-2018-6942, CVE-2018-8740, CVE-2018-9055, CVE-2018-9154, CVE-2018-9252, CVE-2019-15903, CVE-2019-16168, CVE-2019-5018, CVE-2019-8457, CVE-2019-9936 and CVE-2019-9937

 

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Core RDBMS (LZ4): CVE-2019-17543
  • Core RDBMS (Zstandard): CVE-2019-11922
  • Oracle Database (Perl Expat): CVE-2018-20843 and CVE-2019-15903
  • Oracle Spatial and Graph (Apache Log4j): CVE-2020-9488
  • Oracle Spatial and Graph (jackson-databind): CVE-2019-16943, CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-5968, CVE-2018-7489, CVE-2019-16942 and CVE-2019-17531
  • Oracle Spatial and Graph MapViewer (jQuery): CVE-2020-11023, CVE-2019-11358 and CVE-2020-11022
  • SQL Developer (Apache Batik): CVE-2018-8013 and CVE-2017-5662
  • SQL Developer (Apache Log4j): CVE-2017-5645
  • SQL Developer (Apache POI): CVE-2017-12626, CVE-2016-5000, CVE-2017-5644 and CVE-2019-12415
  • SQL Developer (jackson-databind): CVE-2018-7489, CVE-2017-15095, CVE-2017-17485, CVE-2018-1000873, CVE-2018-11307, CVE-2018-12022, CVE-2018-5968, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-16335, CVE-2019-20330 and CVE-2020-8840
  • SQL Developer (JCraft JSch): CVE-2016-5725
  • SQL Developer Install (Bouncy Castle): CVE-2019-17359, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000180, CVE-2018-1000613 and CVE-2018-5382

 

Oracle Database Server Client-Only Installations

  • The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2020-14740.

 

Further Help and Assistance

For further advice about Oracle Critical Patch Updates, including installation planning and consultancy services, please contact one of our pre-sales technical team on 0330 332 6223 or visit our website nlightn-IT

GET IN TOUCH

Fill out the form and our specialist will contact you for a consultation.

GET IN TOUCH

PARTNERS WE WORK WITH
  • Microsoft
  • Db Visit
  • Oracle
  • Tibero
  • Tmaxsoft
  • Tmaxsoft
  • SplashBI
nlight-IT