Oracle October 2020 Critical Patch Update for All Product Families Threat Alert

October 31, 2020 | Mina Hao

Overview

On October 20, 2020, local time, Oracle released the Critical Patch Update (CPU) for October 2020, its own security advisories, and third-party security bulletins, which fix 402 vulnerabilities of varying severity levels. For details about affected products and available patches, see the appendix.

For complete information, see Oracle's official security advisory at the following link:

https://www.oracle.com/security-alerts/cpuoct2020.html

Fixed Vulnerabilities

| Product | Number of Vulnerabilities | Number of Remote Exploits Without Authentication | CVSS Base Score |
|---|---|---|---|
| Oracle Database server | 28 | 3 | 8.8 |
| Oracle Big Data Graph | 5 | 1 | 9.8 |
| Oracle REST Data Services | 7 | 2 | 9.8 |
| Oracle TimesTen In-Memory Database | 4 | 4 | 9.8 |
| Oracle Communications Applications | 9 | 8 | 9.8 |
| Oracle Communications | 52 | 41 | 9.8 |
| Oracle Construction and Engineering | 9 | 7 | 9.8 |
| Oracle E-Business Suite | 27 | 25 | 9.8 |
| Oracle Enterprise Manager | 11 | 10 | 9.8 |
| Oracle Financial Services Applications | 52 | 48 | 9.8 |
| Oracle Food and Beverage Applications | 4 | 3 | 6.1 |
| Oracle Fusion Middleware | 46 | 36 | 9.8 |
| Oracle GraalVM | 1 | 1 | 5.3 |
| Oracle Health Sciences | 4 | 4 | 10.0 |
| Oracle Hospitality Applications | 6 | 3 | 9.4 |
| Oracle Hyperion | 9 | 1 | 9.8 |
| Oracle Insurance Applications | 6 | 6 | 9.8 |
| Oracle Java SE | 8 | 8 | 5.3 |
| Oracle MySQL | 54 | 4 | 9.8 |
| Oracle PeopleSoft | 15 | 12 | 9.8 |
| Oracle Policy Automation | 6 | 6 | 6.1 |
| Oracle Retail Applications | 28 | 25 | 9.8 |
| Oracle Siebel CRM | 3 | 3 | 9.8 |
| Oracle Supply Chain | 4 | 3 | 9.8 |
| Oracle Systems | 10 | 4 | 10.0 |
| Oracle Utilities Applications | 5 | 3 | 9.8 |
| Oracle Virtualization | 7 | 0 | 8.2 |

Affected Products and Versions

For details, see the appendix.

Critical Patch Update (CPU)

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches.

Solution

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible.

Appendix

The following table lists affected products (and their versions) and related patches.

| Affected Products and Versions | Patch Availability Document |
|---|---|
| Application Performance Management (APM), versions 13.3.0.0, 13.4.0.0 | Enterprise Manager |
| Big Data Spatial and Graph, versions prior to 3.0 | Database |
| Enterprise Manager Base Platform, versions 13.2.1.0, 13.3.0.0, 13.4.0.0 | Enterprise Manager |
| Enterprise Manager for Peoplesoft, version 13.4.1.1 | Enterprise Manager |
| Enterprise Manager for Storage Management, versions 13.3.0.0, 13.4.0.0 | Enterprise Manager |
| Enterprise Manager Ops Center, version 12.4.0.0 | Enterprise Manager |
| Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2362, prior to XCP3090 | Systems |
| Fujitsu M12-1, M12-2, M12-2S Servers, versions prior to XCP3090 | Systems |
| Hyperion Analytic Provider Services, version 11.1.2.4 | Fusion Middleware |
| Hyperion BI+, version 11.1.2.4 | Fusion Middleware |
| Hyperion Essbase, version 11.1.2.4 | Fusion Middleware |
| Hyperion Infrastructure Technology, version 11.1.2.4 | Fusion Middleware |
| Hyperion Lifecycle Management, version 11.1.2.4 | Fusion Middleware |
| Hyperion Planning, version 11.1.2.4 | Fusion Middleware |
| Identity Manager Connector, version 9.0 | Fusion Middleware |
| Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 | Oracle Construction and Engineering Suite |
| Management Pack for Oracle GoldenGate, version 12.2.1.2.0 | Fusion Middleware |
| MySQL Cluster, versions 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior | MySQL |
| MySQL Enterprise Monitor, versions 8.0.21 and prior | MySQL |
| MySQL Server, versions 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | MySQL |
| MySQL Workbench, versions 8.0.21 and prior | MySQL |
| Oracle Access Manager, version 11.1.2.3.0 | Fusion Middleware |
| Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6 | Oracle Supply Chain Products |
| Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0 | Oracle Supply Chain Products |
| Oracle Application Express, versions prior to 20.2 | Database |
| Oracle Application Testing Suite, version 13.3.0.1 | Enterprise Manager |
| Oracle Banking Corporate Lending, versions 12.3.0, 14.0.0-14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1, 19.2, 20.1 | Oracle Financial Services Applications |
| Oracle Banking Payments, versions 14.1.0-14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Platform, versions 2.4.0-2.10.0 | Oracle Banking Platform |
| Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Communications Application Session Controller, versions 3.8m0, 3.9m0p1 | Oracle Communications Application Session Controller |
| Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.2.0, 12.0.0.3.0 | Oracle Communications Billing and Revenue Management |
| Oracle Communications BRM – Elastic Charging Engine, versions 11.3.0.9.0, 12.0.0.3.0 | Oracle Communications BRM – Elastic Charging Engine |
| Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0.0-8.4.0.5, [IDIH] 8.0.0-8.2.2 | Oracle Communications Diameter Signaling Router |
| Oracle Communications EAGLE Software, versions 46.6.0-46.8.2 | Oracle Communications EAGLE |
| Oracle Communications Element Manager, versions 8.2.0-8.2.2 | Oracle Communications Element Manager |
| Oracle Communications Evolved Communications Application Server, version 7.1 | Oracle Communications Evolved Communications Application Server |
| Oracle Communications Messaging Server, version 8.1 | Oracle Communications Messaging Server |
| Oracle Communications Offline Mediation Controller, version 12.0.0.3.0 | Oracle Communications Offline Mediation Controller |
| Oracle Communications Services Gatekeeper, version 7 | Oracle Communications Services Gatekeeper |
| Oracle Communications Session Border Controller, versions 8.2-8.4 | Oracle Communications Session Border Controller |
| Oracle Communications Session Report Manager, versions 8.2.0-8.2.2 | Oracle Communications Session Report Manager |
| Oracle Communications Session Route Manager, versions 8.2.0-8.2.2 | Oracle Communications Session Route Manager |
| Oracle Communications Unified Inventory Management, versions 7.3.0, 7.4.0 | Oracle Communications Unified Inventory Management |
| Oracle Communications WebRTC Session Controller, version 7.2 | Oracle Communications WebRTC Session Controller |
| Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0 | Fusion Middleware |
| Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | Database |
| Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10 | E-Business Suite |
| Oracle Endeca Information Discovery Integrator, version 3.2.0 | Fusion Middleware |
| Oracle Endeca Information Discovery Studio, version 3.2.0 | Fusion Middleware |
| Oracle Enterprise Repository, version 11.1.1.7.0 | Fusion Middleware |
| Oracle Enterprise Session Border Controller, version 8.4 | Oracle Enterprise Session Border Controller |
| Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0 | Oracle Financial Services Analytical Applications Infrastructure |
| Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.6-8.0.8, 8.1.0 | Oracle Financial Services Analytical Applications Reconciliation Framework |
| Oracle Financial Services Asset Liability Management, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Asset Liability Management |
| Oracle Financial Services Balance Sheet Planning, version 8.0.8 | Oracle Financial Services Balance Sheet Planning |
| Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.6-8.0.8, 8.1.0 | Oracle Financial Services Basel Regulatory Capital Basic |
| Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.6-8.0.8, 8.1.0 | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach |
| Oracle Financial Services Data Foundation, versions 8.0.6-8.1.0 | Oracle Financial Services Data Foundation |
| Oracle Financial Services Data Governance for US Regulatory Reporting, versions 8.0.6-8.0.9 | Oracle Financial Services Data Governance for US Regulatory Reporting |
| Oracle Financial Services Data Integration Hub, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Data Integration Hub |
| Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Funds Transfer Pricing |
| Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.6-8.0.8, 8.1.0 | Oracle Financial Services Hedge Management and IFRS Valuations |
| Oracle Financial Services Institutional Performance Analytics, versions 8.0.6, 8.0.7, 8.1.0, 8.7.0 | Oracle Financial Services Institutional Performance Analytics |
| Oracle Financial Services Liquidity Risk Management, version 8.0.6 | Oracle Financial Services Liquidity Risk Management |
| Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7, 8.0.8, 8.1.0 | Oracle Financial Services Liquidity Risk Measurement and Management |
| Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8, 8.1.0 | Oracle Financial Services Loan Loss Forecasting and Provisioning |
| Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8, 8.1.0 | Oracle Financial Services Market Risk Measurement and Management |
| Oracle Financial Services Price Creation and Discovery, versions 8.0.6, 8.0.7 | Oracle Financial Services Price Creation And Discovery |
| Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Profitability Management |
| Oracle Financial Services Regulatory Reporting for European Banking Authority, versions 8.0.6-8.1.0 | Oracle Financial Services Regulatory Reporting for European Banking Authority |
| Oracle Financial Services Regulatory Reporting for US Federal Reserve, versions 8.0.6-8.0.9 | Oracle Financial Services Regulatory Reporting for US Federal Reserve |
| Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.0.9.2.0 | Oracle Financial Services Regulatory Reporting with AgileREPORTER |
| Oracle Financial Services Retail Customer Analytics, version 8.0.6 | Oracle Financial Services Retail Customer Analytics |
| Oracle FLEXCUBE Core Banking, versions 5.2.0, 11.5.0-11.7.0 | Oracle Financial Services Applications |
| Oracle FLEXCUBE Direct Banking, versions 12.0.1, 12.0.2, 12.0.3 | Oracle Financial Services Applications |
| Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0 | Oracle Financial Services Applications |
| Oracle FLEXCUBE Universal Banking, versions 12.3.0, 14.0.0-14.4.0 | Oracle Financial Services Applications |
| Oracle GoldenGate Application Adapters, versions 12.3.2.1.0, 19.1.0.0.0 | Fusion Middleware |
| Oracle GraalVM Enterprise Edition, versions 19.3.3, 20.2.0 | Oracle GraalVM Enterprise Edition |
| Oracle Health Sciences Empirica Signal, version 9.0 | Health Sciences |
| Oracle Healthcare Data Repository, version 7.0.1 | Health Sciences |
| Oracle Healthcare Foundation, versions 7.1.1, 7.2.0, 7.2.1, 7.3.0 | Health Sciences |
| Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 | Oracle Hospitality Guest Access |
| Oracle Hospitality Materials Control, version 18.1 | Oracle Hospitality Materials Control |
| Oracle Hospitality OPERA 5 Property Services, versions 5.5, 5.6 | Oracle Hospitality OPERA 5 Property Services |
| Oracle Hospitality Reporting and Analytics, version 9.1.0 | Oracle Hospitality Reporting and Analytics |
| Oracle Hospitality RES 3700, version 5.7 | Oracle Hospitality RES |
| Oracle Hospitality Simphony, versions 18.1, 18.2, 19.1.0-19.1.2 | Oracle Hospitality Simphony |
| Oracle Hospitality Suite8, versions 8.10.2, 8.11-8.15 | Oracle Hospitality Suite8 |
| Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Insurance Accounting Analyzer, version 8.0.9 | Oracle Insurance Accounting Analyzer |
| Oracle Insurance Allocation Manager for Enterprise Profitability, versions 8.0.8, 8.1.0 | Oracle Insurance Allocation Manager for Enterprise Profitability |
| Oracle Insurance Data Foundation, versions 8.0.6-8.1.0 | Oracle Insurance Data Foundation |
| Oracle Insurance Insbridge Rating and Underwriting, versions 5.0.0.0-5.6.0.0, 5.6.1.0 | Oracle Insurance Applications |
| Oracle Insurance Policy Administration J2EE, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26, 11.2.2.0 | Oracle Insurance Applications |
| Oracle Insurance Rules Palette, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26 | Oracle Insurance Applications |
| Oracle Java SE, versions 7u271, 8u261, 11.0.8, 15 | Java SE |
| Oracle Java SE Embedded, version 8u261 | Java SE |
| Oracle JDeveloper, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Outside In Technology, versions 8.5.4, 8.5.5 | Fusion Middleware |
| Oracle Policy Automation, versions 12.2.0-12.2.20 | Oracle Policy Automation |
| Oracle Policy Automation Connector for Siebel, version 10.4.6 | Oracle Policy Automation |
| Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.20 | Oracle Policy Automation |
| Oracle REST Data Services, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Standalone ORDS] prior to 20.2.1 | Database |
| Oracle Retail Advanced Inventory Planning, version 14.1 | Retail Applications |
| Oracle Retail Assortment Planning, versions 15.0.3.0, 16.0.3.0 | Retail Applications |
| Oracle Retail Back Office, versions 14.0, 14.1 | Retail Applications |
| Oracle Retail Bulk Data Integration, versions 15.0.3.0, 16.0.3.0 | Retail Applications |
| Oracle Retail Central Office, versions 14.0, 14.1 | Retail Applications |
| Oracle Retail Customer Management and Segmentation Foundation, versions 18.0, 19.0 | Retail Applications |
| Oracle Retail Integration Bus, versions 14.1, 15.0, 16.0 | Retail Applications |
| Oracle Retail Order Broker, versions 15.0, 16.0, 18.0, 19.0, 19.1, 19.2, 19.3 | Retail Applications |
| Oracle Retail Point-of-Service, versions 14.0, 14.1 | Retail Applications |
| Oracle Retail Predictive Application Server, versions 14.1.3.0, 15.0.3.0, 16.0.3.0 | Retail Applications |
| Oracle Retail Price Management, versions 14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0 | Retail Applications |
| Oracle Retail Returns Management, versions 14.0, 14.1 | Retail Applications |
| Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0 | Retail Applications |
| Oracle Retail Xstore Point of Service, versions 15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1 | Retail Applications |
| Oracle Solaris, versions 10, 11 | Systems |
| Oracle TimesTen In-Memory Database, versions prior to 11.2.2.8.49, prior to 18.1.3.1.0, prior to 18.1.4.1.0 | Database |
| Oracle Transportation Management, version 6.3.7 | Oracle Supply Chain Products |
| Oracle Utilities Framework, versions 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | Oracle Utilities Applications |
| Oracle VM VirtualBox, versions prior to 6.1.16 | Virtualization |
| Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware |
| Oracle ZFS Storage Appliance Kit, version 8.8 | Systems |
| PeopleSoft Enterprise HCM Global Payroll Core, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58 | PeopleSoft |
| PeopleSoft Enterprise SCM eSupplier Connection, version 9.2 | PeopleSoft |
| Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.8 | Oracle Construction and Engineering Suite |
| Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12 | Oracle Construction and Engineering Suite |
| Siebel Applications, versions 20.7, 20.8 | Siebel |

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
