VENDOR UPDATE | 23 January 2020

Oracle Database Critical Patch And Security Update January 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Please review our previous Critical Patch Update advisories for more information regarding earlier published security fixes.

Oracle Database Server Executive Summary

This Critical Patch Update contains 12 NEW security fixes for the Oracle Database Server:

  • 3 of these vulnerabilities may be remotely exploitable without authentication (i.e., may be exploited over a network without requiring user credentials).
  • None of these fixes are applicable to client-only installations (i.e., installations that do not have the Oracle Database Server installed).

This Critical Patch Update is applicable to the following database versions:

  • Oracle Database 11.2.0.4
  • Oracle Database 12.1.0.2
  • Oracle Database 12.2.0.1
  • Oracle Database 18c
  • Oracle Database 19c

Oracle Database Server Risk Matrix

The CVSS columns give the CVSS version 3.0 base score and its base metrics: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope, Confidentiality (C), Integrity (I) and Availability (A).

CVE#           | Component                        | Package and/or Privilege Required        | Protocol    | Remote Exploit without Auth.? | Base Score | AV      | AC   | PR   | UI       | Scope     | C    | I    | A    | Supported Versions Affected                  | Notes
---------------|----------------------------------|-----------------------------------------|-------------|-------------------------------|------------|---------|------|------|----------|-----------|------|------|------|----------------------------------------------|-----------
CVE-2020-2511  | Core RDBMS                       | Create Session                          | OracleNet   | No                            | 7.7        | Network | Low  | Low  | None     | Changed   | None | None | High | 12.1.0.2, 12.2.0.1, 18c, 19c                 |
CVE-2020-2510  | Core RDBMS                       | None                                    | OracleNet   | Yes                           | 7.5        | Network | High | None | Required | Unchanged | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c       |
CVE-2020-2518  | Java VM                          | Create Session                          | Multiple    | No                            | 7.5        | Network | High | Low  | None     | Unchanged | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c       |
CVE-2019-10072 | Workload Manager (Apache Tomcat) | None                                    | HTTP        | Yes                           | 7.5        | Network | Low  | None | None     | Unchanged | None | None | High | 12.2.0.1, 18c, 19c                           | See Note 1
CVE-2020-2512  | Database Gateway for ODBC        | None                                    | OracleNet   | Yes                           | 5.9        | Network | High | None | None     | Unchanged | None | None | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c       |
CVE-2020-2515  | Database Gateway for ODBC        | Create Session                          | OracleNet   | No                            | 5.0        | Network | High | Low  | None     | Unchanged | Low  | Low  | Low  | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c       |
CVE-2020-2527  | Core RDBMS                       | Create Index, Create Table              | OracleNet   | No                            | 4.1        | Network | Low  | High | None     | Changed   | Low  | None | None | 12.1.0.2, 12.2.0.1, 18c, 19c                 |
CVE-2020-2731  | Core RDBMS                       | Local Logon                             | Local Logon | No                            | 3.9        | Local   | Low  | Low  | Required | Unchanged | None | Low  | Low  | 12.1.0.2, 12.2.0.1, 18c, 19c                 |
CVE-2020-2568  | Oracle Applications DBA          | Local Logon                             | Local Logon | No                            | 3.9        | Local   | Low  | Low  | Required | Unchanged | None | Low  | Low  | 12.1.0.2, 12.2.0.1, 18c, 19c                 |
CVE-2020-2569  | Oracle Applications DBA          | Local Logon                             | Local Logon | No                            | 3.9        | Local   | Low  | Low  | Required | Unchanged | None | Low  | Low  | 12.2.0.1, 18c, 19c                           |
CVE-2020-2517  | Database Gateway for ODBC        | Create Procedure, Create Database Link  | OracleNet   | No                            | 3.3        | Network | High | High | None     | Unchanged | None | Low  | Low  | 12.2.0.1, 18c, 19c                           |
CVE-2020-2516  | Core RDBMS                       | Create Materialized View, Create Table  | OracleNet   | No                            | 2.4        | Network | Low  | High | Required | Unchanged | None | Low  | None | 12.1.0.2, 12.2.0.1, 18c, 19c                 |

Notes:
  1. This patch also addresses four additional vulnerabilities: CVE-2018-11784, CVE-2019-0199, CVE-2019-0221 and CVE-2019-0232. On the Windows platform, because of CVE-2019-0232, the CVSS 3.0 score is 8.1.

Additional CVEs addressed are below:

  • The patch for CVE-2019-10072 also addresses CVE-2018-11784, CVE-2019-0199, CVE-2019-0221 and CVE-2019-0232.
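The base scores in the risk matrix are derived from the eight CVSS v3.0 base metrics listed beside them, and a DBA planning patch windows usually wants to check those numbers and rank the rows rather than take them on trust. The following is an added example, not code from Oracle or from this advisory: it implements the CVSS v3.0 base-score formula (weights and Roundup rule from the CVSS v3.0 specification), recomputes the score of every row transcribed from the matrix above, and orders the CVEs for triage with the unauthenticated-remote ones first. The "remote exploit without auth" column is interpreted here as AV:Network together with PR:None, which is an assumption that happens to match all twelve rows; the MATRIX rows, the function names and the triage ordering are the example's own.

```python
import math

# CVSS v3.0 base metric weights, taken from the CVSS v3.0 specification.
AV = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.20}
AC = {"Low": 0.77, "High": 0.44}
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}
PR_UNCHANGED = {"None": 0.85, "Low": 0.62, "High": 0.27}
PR_CHANGED = {"None": 0.85, "Low": 0.68, "High": 0.50}


def roundup(value):
    """Round up to one decimal place, as the CVSS Roundup function requires.

    Working on an integer-scaled copy avoids float artefacts such as a
    computed 4.0000001 being pushed up to 4.1.
    """
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a):
    """Compute the CVSS v3.0 base score from the eight base metrics."""
    changed = scope == "Changed"
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    # The Privileges Required weight depends on whether scope changes.
    pr_weight = (PR_CHANGED if changed else PR_UNCHANGED)[pr]
    exploitability = 8.22 * AV[av] * AC[ac] * pr_weight * UI[ui]
    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10.0))
    return roundup(min(impact + exploitability, 10.0))


# Rows transcribed from the January 2020 Oracle Database risk matrix above:
# (CVE, privilege required, published score, AV, AC, PR, UI, Scope, C, I, A).
MATRIX = [
    ("CVE-2020-2511", "Create Session", 7.7, "Network", "Low", "Low", "None", "Changed", "None", "None", "High"),
    ("CVE-2020-2510", "None", 7.5, "Network", "High", "None", "Required", "Unchanged", "High", "High", "High"),
    ("CVE-2020-2518", "Create Session", 7.5, "Network", "High", "Low", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2019-10072", "None", 7.5, "Network", "Low", "None", "None", "Unchanged", "None", "None", "High"),
    ("CVE-2020-2512", "None", 5.9, "Network", "High", "None", "None", "Unchanged", "None", "None", "High"),
    ("CVE-2020-2515", "Create Session", 5.0, "Network", "High", "Low", "None", "Unchanged", "Low", "Low", "Low"),
    ("CVE-2020-2527", "Create Index, Create Table", 4.1, "Network", "Low", "High", "None", "Changed", "Low", "None", "None"),
    ("CVE-2020-2731", "Local Logon", 3.9, "Local", "Low", "Low", "Required", "Unchanged", "None", "Low", "Low"),
    ("CVE-2020-2568", "Local Logon", 3.9, "Local", "Low", "Low", "Required", "Unchanged", "None", "Low", "Low"),
    ("CVE-2020-2569", "Local Logon", 3.9, "Local", "Low", "Low", "Required", "Unchanged", "None", "Low", "Low"),
    ("CVE-2020-2517", "Create Procedure, Create Database Link", 3.3, "Network", "High", "High", "None", "Unchanged", "None", "Low", "Low"),
    ("CVE-2020-2516", "Create Materialized View, Create Table", 2.4, "Network", "Low", "High", "Required", "Unchanged", "None", "Low", "None"),
]


def verify_matrix(rows=MATRIX):
    """Recompute every published score; returns {cve: (published, computed)}."""
    return {
        cve: (published, base_score(av, ac, pr, ui, scope, c, i, a))
        for cve, _priv, published, av, ac, pr, ui, scope, c, i, a in rows
    }


def mismatches(rows=MATRIX):
    """CVEs whose published score differs from the recomputed one (expected: none)."""
    return sorted(cve for cve, (pub, calc) in verify_matrix(rows).items() if pub != calc)


def remote_unauthenticated(rows=MATRIX):
    """CVEs reachable over the network with no privileges (AV:N and PR:N);
    this is the assumed meaning of the 'Remote Exploit without Auth.?' column."""
    return [r[0] for r in rows if r[3] == "Network" and r[5] == "None"]


def patch_priority(rows=MATRIX):
    """Triage order: unauthenticated-remote CVEs first, then descending score.
    Python's sort is stable, so ties keep the matrix order."""
    remote = set(remote_unauthenticated(rows))
    return [r[0] for r in sorted(rows, key=lambda r: (r[0] not in remote, -r[2]))]


if __name__ == "__main__":
    for cve, (published, computed) in verify_matrix().items():
        print(f"{cve:15} published {published:4}  recomputed {computed:4}")
    print("mismatches:", mismatches())
    print("remote, unauthenticated:", remote_unauthenticated())
    print("triage order:", patch_priority())
```

Running the script confirms all twelve published scores, lists CVE-2020-2510, CVE-2019-10072 and CVE-2020-2512 as the three unauthenticated-remote issues the executive summary counts, and puts them at the head of the triage list ahead of the higher-scored but authenticated CVE-2020-2511. The Windows-specific 8.1 score from Note 1 is not reproduced here, because it belongs to CVE-2019-0232 rather than to the metrics of the CVE-2019-10072 row.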

Further Help and Assistance

For further advice about Oracle Critical Patch Updates, including installation planning and consultancy services, please contact a member of our pre-sales technical team on 0330 332 6223 or visit our website nlightn-IT.
