Oracle July 2020 Critical Patch Update for All Product Families Threat Alert

July 31, 2020 | Mina Hao

Overview

On July 14, 2020 local time, Oracle released its July 2020 Critical Patch Update (CPU), its own security advisories, and third-party security bulletins, which fix 443 vulnerabilities of varying severity levels. For details about affected products and available patches, see the appendix.

For complete information, see Oracle’s official security advisories at the following link:

https://www.oracle.com/security-alerts/cpujul2020.html

Fixed Vulnerabilities

| Product | Number of Vulnerabilities | Number of Remote Exploits Without Authentication | CVSS Base Score |
|---|---|---|---|
| Oracle Database server | 19 | 1 | 8.8 |
| Oracle Berkeley DB | 3 | 0 | 7.3 |
| Oracle Global Lifecycle Management | 1 | 0 | 0 |
| Oracle GoldenGate | 3 | 1 | 9.6 |
| Oracle TimesTen In-Memory Database | 1 | 0 | 0 |
| Oracle Commerce | 4 | 3 | 7.4 |
| Oracle Communications Applications | 60 | 46 | 10 |
| Oracle Construction and Engineering | 20 | 15 | 9.8 |
| Oracle E-Business Suite | 30 | 24 | 9.1 |
| Oracle Enterprise Manager | 14 | 10 | 9.8 |
| Oracle Financial Services Applications | 38 | 26 | 9.8 |
| Oracle Food and Beverage Applications | 4 | 0 | 7.3 |
| Oracle Fusion Middleware | 52 | 48 | 9.8 |
| Oracle GraalVM | 4 | 3 | 9.1 |
| Oracle Health Sciences Applications | 4 | 4 | 9.8 |
| Oracle Hospitality Applications | 1 | 1 | 9.8 |
| Oracle Hyperion | 3 | 0 | 4.2 |
| Oracle iLearning | 1 | 1 | 8.2 |
| Oracle Insurance Applications | 6 | 4 | 7.5 |
| Oracle Java SE | 11 | 11 | 8.3 |
| Oracle JD Edwards | 6 | 6 | 9.8 |
| Oracle MySQL | 40 | 6 | 9.8 |
| Oracle PeopleSoft | 11 | 9 | 8.2 |
| Oracle Retail Applications | 47 | 42 | 9.8 |
| Oracle Siebel CRM | 5 | 5 | 9.8 |
| Oracle Supply Chain | 22 | 18 | 9.8 |
| Oracle Systems | 7 | 1 | 9.8 |
| Oracle Utilities Applications | 1 | 1 | 7.5 |
| Oracle Virtualization | 25 | 0 | 8.2 |

Affected Products and Versions

For details, see the appendix.

Critical Patch Update (CPU)

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches.

Solution

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible.

Appendix

The following table lists affected products (and their versions) and related patches.

| Affected Products and Versions | Patch Availability Document |
|---|---|
| Category Management Planning & Optimization, version 15.0.3 | Retail Applications |
| Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0 | Retail Applications |
| Enterprise Manager Base Platform, versions 12.1.0.5, 13.3.0.0, 13.4.0.0 | Enterprise Manager |
| Enterprise Manager for Fusion Middleware, version 12.1.0.5 | Enterprise Manager |
| Enterprise Manager Ops Center, version 12.4.0.0 | Enterprise Manager |
| GoldenGate Stream Analytics, versions prior to 19.1.0.0.1 | Database |
| Hyperion Financial Close Management, version 11.1.2.4 | Fusion Middleware |
| Instantis EnterpriseTrack, versions 17.1-17.3 | Oracle Construction and Engineering Suite |
| JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.4.2 | JD Edwards |
| JD Edwards EnterpriseOne Tools, versions prior to 9.2.3.3, prior to 9.2.4.2 | JD Edwards |
| MySQL Client, versions 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior | MySQL |
| MySQL Cluster, versions 7.3.29 and prior, 7.4.28 and prior, 7.5.18 and prior, 7.6.14 and prior, 8.0.20 and prior | MySQL |
| MySQL Connectors, versions 8.0.20 and prior | MySQL |
| MySQL Enterprise Monitor, versions 4.0.12 and prior, 8.0.20 and prior | MySQL |
| MySQL Server, versions 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior | MySQL |
| Oracle Agile Engineering Data Management, version 6.2.1.0 | Oracle Supply Chain Products |
| Oracle Application Express, versions 5.1-19.2 | Database |
| Oracle Application Testing Suite, versions 13.2.0.1, 13.3.0.1 | Enterprise Manager |
| Oracle AutoVue, version 21.0 | Oracle Supply Chain Products |
| Oracle Banking Enterprise Collections, versions 2.7.0-2.9.0 | Oracle Banking Platform |
| Oracle Banking Payments, versions 14.1.0-14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Platform, versions 2.4.0-2.10.0 | Oracle Banking Platform |
| Oracle Berkeley DB, versions prior to 6.1.38, prior to 18.1.40 | Berkeley DB |
| Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware |
| Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 11.0, 11.1, 11.2, prior to 11.3.1 | Oracle Commerce |
| Oracle Commerce Platform, versions 11.1, 11.2, prior to 11.3.1 | Oracle Commerce |
| Oracle Commerce Service Center, versions 11.1, 11.2, prior to 11.3.1 | Oracle Commerce |
| Oracle Communications Analytics, version 12.1.1 | Oracle Communications Analytics |
| Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.3.0 | Oracle Communications Billing and Revenue Management |
| Oracle Communications BRM – Elastic Charging Engine, versions 11.3, 12.0 | Oracle Communications BRM – Elastic Charging Engine |
| Oracle Communications Contacts Server, version 8.0.0.4.0 | Oracle Communications Contacts Server |
| Oracle Communications Convergence, versions 3.0.1.0-3.0.2.1 | Oracle Communications Convergence |
| Oracle Communications Diameter Signaling Router (DSR), versions 8.0-8.4 | Oracle Communications Diameter Signaling Router |
| Oracle Communications Element Manager, versions 8.1.1, 8.2.0, 8.2.1 | Oracle Communications Element Manager |
| Oracle Communications Evolved Communications Application Server, version 7.1 | Oracle Communications Evolved Communications Application Server |
| Oracle Communications Instant Messaging Server, version 10.0.1.4.0 | Oracle Communications Instant Messaging Server |
| Oracle Communications Interactive Session Recorder, versions 6.1-6.4 | Oracle Communications Interactive Session Recorder |
| Oracle Communications IP Service Activator, versions 7.3.0, 7.4.0 | Oracle Communications IP Service Activator |
| Oracle Communications LSMS, versions 13.0-13.3 | Oracle Communications LSMS |
| Oracle Communications Messaging Server, versions 8.0.2, 8.1.0 | Oracle Communications Messaging Server |
| Oracle Communications MetaSolv Solution, version 6.3.0 | Oracle Communications MetaSolv Solution |
| Oracle Communications Network Charging and Control, versions 6.0.1, 12.0.0-12.0.3 | Oracle Communications Network Charging and Control |
| Oracle Communications Network Integrity, versions 7.3.2-7.3.6 | Oracle Communications Network Integrity |
| Oracle Communications Operations Monitor, versions 3.4, 4.1-4.3 | Oracle Communications Operations Monitor |
| Oracle Communications Order and Service Management, versions 7.3, 7.4 | Oracle Communications Order and Service Management |
| Oracle Communications Services Gatekeeper, versions 6.0, 6.1, 7.0 | Oracle Communications Services Gatekeeper |
| Oracle Communications Session Border Controller, versions 8.1.0, 8.2.0, 8.3.0 | Oracle Communications Session Border Controller |
| Oracle Communications Session Report Manager, versions 8.1.1, 8.2.0, 8.2.1 | Oracle Communications Session Report Manager |
| Oracle Communications Session Route Manager, versions 8.1.1, 8.2.0, 8.2.1 | Oracle Communications Session Route Manager |
| Oracle Configuration Manager, version 12.1.2.0.6 | Enterprise Manager |
| Oracle Configurator, versions 12.1, 12.2 | Oracle Supply Chain Products |
| Oracle Data Masking and Subsetting, versions 13.3.0.0, 13.4.0.0 | Enterprise Manager |
| Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Spatial Studio] prior to 19.2.1 | Database |
| Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9 | E-Business Suite |
| Oracle Endeca Information Discovery Studio, version 3.2.0 | Fusion Middleware |
| Oracle Enterprise Communications Broker, versions 3.0.0-3.2.0 | Oracle Enterprise Communications Broker |
| Oracle Enterprise Repository, version 11.1.1.7.0 | Fusion Middleware |
| Oracle Enterprise Session Border Controller, versions 8.1.0, 8.2.0, 8.3.0 | Oracle Enterprise Session Border Controller |
| Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0 | Oracle Financial Services Analytical Applications Infrastructure |
| Oracle Financial Services Compliance Regulatory Reporting, versions 8.0.6-8.0.8 | Oracle Financial Services Compliance Regulatory Reporting |
| Oracle Financial Services Lending and Leasing, versions 12.5.0, 14.1.0-14.8.0 | Oracle Financial Services Applications |
| Oracle Financial Services Liquidity Risk Management, version 8.0.6 | Oracle Financial Services Liquidity Risk Management |
| Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8 | Oracle Financial Services Loan Loss Forecasting and Provisioning |
| Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8 | Oracle Financial Services Market Risk Measurement and Management |
| Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank, version 8.0.4 | Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank |
| Oracle FLEXCUBE Investor Servicing, versions 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0 | Oracle Financial Services Applications |
| Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0 | Oracle Financial Services Applications |
| Oracle Fusion Middleware MapViewer, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Global Lifecycle Management/OPatch, versions prior to 12.2.0.1.20 | Global Lifecycle Management |
| Oracle GoldenGate, versions prior to 19.1.0.0.0 | Database |
| Oracle GraalVM Enterprise Edition, versions 19.3.2, 20.1.0 | Oracle GraalVM Enterprise Edition |
| Oracle Health Sciences Empirica Inspections, version 1.0.1.2 | Health Sciences |
| Oracle Health Sciences Empirica Signal, version 7.3.3 | Health Sciences |
| Oracle Healthcare Master Person Index, version 4.0.2 | Health Sciences |
| Oracle Healthcare Translational Research, versions 3.2.1, 3.3.1, 3.3.2, 3.4.0 | Health Sciences |
| Oracle Help Technologies, versions 11.1.1.9.0, 12.2.1.3.0 | Fusion Middleware |
| Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 | Oracle Hospitality Guest Access |
| Oracle Hospitality Reporting and Analytics, version 9.1.0 | Oracle Hospitality Reporting and Analytics |
| Oracle Hyperion BI+, version 11.1.2.4 | Fusion Middleware |
| Oracle iLearning, versions 6.1, 6.1.1 | iLearning |
| Oracle Insurance Accounting Analyzer, versions 8.0.6-8.0.9 | Oracle Insurance Accounting Analyzer |
| Oracle Insurance Data Gateway, version 1.0 | Oracle Insurance Applications |
| Oracle Insurance Policy Administration J2EE, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0 | Oracle Insurance Applications |
| Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0 | Oracle Insurance Applications |
| Oracle Java SE, versions 7u261, 8u251, 11.0.7, 14.0.1 | Java SE |
| Oracle Java SE Embedded, version 8u251 | Java SE |
| Oracle Outside In Technology, versions 8.5.4, 8.5.5 | Fusion Middleware |
| Oracle Rapid Planning, versions 12.1, 12.2 | Oracle Supply Chain Products |
| Oracle Real User Experience Insight, version 13.3.1.0 | Enterprise Manager |
| Oracle Retail Assortment Planning, versions 15.0, 15.0.3, 16.0, 16.0.3 | Retail Applications |
| Oracle Retail Bulk Data Integration, versions 15.0, 16.0 | Retail Applications |
| Oracle Retail Customer Management and Segmentation Foundation, version 18.0 | Retail Applications |
| Oracle Retail Data Extractor for Merchandising, versions 1.9, 1.10, 18.0 | Retail Applications |
| Oracle Retail Extract Transform and Load, version 19.0 | Retail Applications |
| Oracle Retail Financial Integration, versions 15.0, 16.0 | Retail Applications |
| Oracle Retail Fusion Platform, version 5.5 | Retail Applications |
| Oracle Retail Integration Bus, versions 15.0, 15.0.3, 16.0, 16.0.3 | Retail Applications |
| Oracle Retail Invoice Matching, version 16.0 | Retail Applications |
| Oracle Retail Item Planning, version 15.0.3 | Retail Applications |
| Oracle Retail Macro Space Optimization, version 15.0.3 | Retail Applications |
| Oracle Retail Merchandise Financial Planning, version 15.0.3 | Retail Applications |
| Oracle Retail Merchandising System, versions 15.0.3, 16.0.2, 16.0.3 | Retail Applications |
| Oracle Retail Order Broker, version 15.0 | Retail Applications |
| Oracle Retail Predictive Application Server, versions 14.0.3, 14.1.3, 15.0.3, 16.0.3 | Retail Applications |
| Oracle Retail Regular Price Optimization, versions 15.0.3, 16.0.3 | Retail Applications |
| Oracle Retail Replenishment Optimization, version 15.0.3 | Retail Applications |
| Oracle Retail Sales Audit, version 14.1 | Retail Applications |
| Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0 | Retail Applications |
| Oracle Retail Size Profile Optimization, version 15.0.3 | Retail Applications |
| Oracle Retail Store Inventory Management, versions 14.0.4, 14.1.3, 15.0.3, 16.0.3 | Retail Applications |
| Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 18.0, 19.0 | Retail Applications |
| Oracle SD-WAN Aware, version 8.2 | Oracle SD-WAN Aware |
| Oracle SD-WAN Edge, versions 8.2, 9.0 | Oracle SD-WAN Edge |
| Oracle Security Service, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Solaris, version 11 | Systems |
| Oracle TimesTen In-Memory Database, versions prior to 18.1.2.1.0 | Database |
| Oracle Transportation Management, versions 6.3.7, 6.4.3 | Oracle Supply Chain Products |
| Oracle Unified Directory, versions 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Utilities Framework, versions 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | Oracle Utilities Applications |
| Oracle VM VirtualBox, versions prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | Virtualization |
| Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware |
| Oracle ZFS Storage Appliance Kit, version 8.8 | Systems |
| PeopleSoft Enterprise FIN Expenses, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise HCM Global Payroll Switzerland, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise HRMS, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58 | PeopleSoft |
| Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4 | Oracle Construction and Engineering Suite |
| Primavera P6 Enterprise Project Portfolio Management, versions 16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.6 | Oracle Construction and Engineering Suite |
| Primavera Portfolio Management, versions 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0 | Oracle Construction and Engineering Suite |
| Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, [Mobile App] prior to 20.6 | Oracle Construction and Engineering Suite |
| Siebel Applications, versions 2.20.5 and prior, 20.6 and prior | Siebel |

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.