Yo, sysadmins! Thought Patch Tuesday was big? Oracle says 'hold my Java' with huge 334 security flaw fix bundle

House of Larry delivers massive update for 93 products


Oracle has released a sweeping set of security patches across the breadth of its software line.

The January update, delivered one day after Microsoft, Intel, Adobe, and others dropped their scheduled monthly patches, addresses a total of 334 security vulnerabilities across 93 different products from the enterprise giant.

As you may imagine, most IT admins will only need to test and apply a handful of the updates for their specific platforms.

For Oracle's flagship Database Server, the update includes an even dozen patches. Three of those are remotely exploitable without authorization, including one flaw in Apache Tomcat (CVE-2019-10072), one in Big Red's database gateway (CVE-2020-2512), and one for the Core RDBMS product (CVE-2020-2510). The highest CVSS rating was afforded to CVE-2020-2511, a locally-exploitable flaw in Core RDBMS, which scored at 7.7.

Some of the highest severity flaws were found in Oracle's communications apps, where 23 of the 25 CVE-listed bugs were said to be remotely exploitable without the need for any authentication. Six of those were given CVSS scores of 9 or higher.

Fusion Middleware was host to 38 CVE-listed bugs, 30 remotely exploitable and three (CVE-2020-2555, CVE-2020-2551, CVE-2020-2546) that were assigned CVSS scores of 9.8 out of 10. In other words - patch them now.

Solaris was the recipient of 10 patches this time around, though only two of those were found to be remotely exploitable. The Sun ZFS Storage Appliance Kit was host to a particularly nasty RCE flaw, CVE-2019-9636.

Also of note was CVE-2020-2696, an elevation of privilege flaw in the Solaris 10 Common Desktop Environment, which was discovered by Marco Ivaldi, principal security adviser at Italian infosec shop Mediaservice.net. In a detailed dissection of the bug, Ivaldi describes the flaw as a "cute straight-out-of-the-manual memory corruption" issue, and suggested a number of similar bugs are likely to exist.

"During my audit, many other potentially exploitable bugs have surfaced in dtsession and in the Common Desktop Environment in general," said Ivaldi. "Therefore, regardless of patches released by vendors, you should really consider removing the setuid bit from all CDE binaries."
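Ivaldi's advice above, as an added example that is not part of the article or of Mediaservice.net's write-up: a POSIX shell script that inventories the setuid/setgid files under a CDE install tree and, only when asked, strips those bits after recording each file's previous mode so the change can be reviewed or reverted. The `/usr/dt` prefix is an assumption (the customary Solaris CDE location, overridable with `CDE_ROOT`); the file names used for checking it are constructed and are not a list of real CDE binaries.

```shell
#!/bin/sh
# Added example (not from the article or from Mediaservice.net): inventory and,
# on request, strip setuid/setgid bits from files under the CDE install tree.
# Assumption: CDE lives under /usr/dt (override with CDE_ROOT=/other/prefix).

# Print every regular file under $1 that carries a setuid or setgid bit.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Number of such files, for a quick before/after check.
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# Drop the setuid and setgid bits from every file list_setid reports under $1.
# Before touching a file, its current `ls -ld` mode string and path are appended
# to the record file $2 so an admin can review or manually restore the change.
strip_setid() {
    dir="$1"
    record="$2"
    : > "$record"
    list_setid "$dir" | while IFS= read -r f; do
        printf '%s %s\n' "$(ls -ld "$f" | cut -c1-10)" "$f" >> "$record"
        chmod u-s,g-s "$f"
    done
}

# Usage: sh cde_setid.sh            -> list setuid/setgid files under $CDE_ROOT
#        sh cde_setid.sh --strip    -> strip them, recording prior modes in
#                                      ./cde_setid_modes.txt
# With no arguments the script only defines the functions above.
if [ $# -gt 0 ]; then
    root="${CDE_ROOT:-/usr/dt}"
    case "$1" in
        --strip) strip_setid "$root" ./cde_setid_modes.txt
                 echo "remaining setid files: $(count_setid "$root")" ;;
        *)       list_setid "$root" ;;
    esac
fi
```

Run the listing mode first and compare the output against what your desktop users actually need; stripping the bits from a session manager or screen locker can break those features, which is the trade-off Ivaldi is asking you to weigh against the unpatched bugs.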

Now that details on the vulnerabilities are out, admins are encouraged to test and apply all of the Oracle patches as soon as possible. ®
