VENDOR UPDATE | 15 April 2020

Oracle Database Critical Patch And Security Update April 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Please review our previous Critical Patch Update advisories for more information regarding earlier published security fixes.

Oracle Database Server Executive Summary

This Critical Patch Update contains 8 NEW security fixes for the Oracle Database Server:

8 NEW security fixes for the Oracle Database Server.

2 of these vulnerabilities may be remotely exploitable without authentication, (i.e., may be exploited over a network without requiring user credentials).
None of these fixes are applicable to client-only installations, (i.e., installations that do not have the Oracle Database Server installed).

These Critical patch updates are applicable to the following database versions:

Oracle Database 11.2.0.4
Oracle Database 12.1.0.2
Oracle Database 12.2.0.1
Oracle Database 18c
Oracle Database 19c

Oracle Database Server Risk Matrix

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK									Supported Versions Affected
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected
CVE-2020-2735	Java VM	Create Session	Oracle Net	No	8.0	Network	High	Low	Required	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2016-10251	Oracle Multimedia	Create Session	Oracle Net	No	8.0	Network	Low	Low	Required	Un- changed	High	High	High	12.1.0.2
CVE-2019-17563	WLM (Apache Tomcat)	None	HTTPS	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.2.0.1, 18c, 19c
CVE-2020-2737	Core RDBMS	Create Session, Execute Catalog Role	Oracle Net	No	6.4	Network	High	High	Required	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2853	Oracle Text	Create Session	OracleNet	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2016-7103	Oracle Application Express	None	HTTPS	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	Prior to 19.1
CVE-2020-2514	Oracle Application Express	End User Role	HTTPS	No	4.6	Network	Low	Low	Required	Un- changed	None	Low	Low	Prior to 19.2
CVE-2020-2734	RDBMS/Optimizer	Execute on DBMS_SQLTUNE	Oracle Net	No	2.4	Network	Low	High	Required	Un- changed	Low	None	None	12.1.0.2, 12.2.0.1, 18c, 19c

Additional CVE's addressed are below:

The patch for CVE-2016-7103 also addresses CVE-2015-9251 and CVE-2019-11358.
The patch for CVE-2019-17563 also addresses CVE-2019-12418.
The patch for CVE-2019-2853 also addresses CVE-2019-2756, CVE-2019-2759 and CVE-2019-2852.

Further Help and Assistance

For further advice about Oracle Critical Patch Updates, including installation planning and consultancy services, please contact one of our pre-sales technical team on 0330 332 6223 or visit our website nlightn-IT