VENDOR UPDATE | 16 July 2020

Oracle Database Critical Patch And Security Update July 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Please review our previous Critical Patch Update advisories for more information regarding earlier published security fixes.

Oracle Database Server Critical Patch Summary

  • 19 new security patches for Oracle Database Server.
    •   1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials
    •   None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

This Critical Patch Update is applicable to the following database versions:

  • Oracle Database 11.2.0.4
  • Oracle Database 12.1.0.2
  • Oracle Database 12.2.0.1
  • Oracle Database 18c
  • Oracle Database 19c

Oracle Database Server Risk Matrix

The columns Base Score through Availability are the CVSS version 3.0 risk metrics (Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability).

| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-1000031 | MapViewer (Apache Commons FileUpload) | Valid User Account | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.0.1, 18c, 19c | See Note 1 |
| CVE-2020-2968 | Java VM | Create Session, Create Procedure | Multiple | No | 8.0 | Network | High | Low | Required | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2016-9843 | Core RDBMS (zlib) | Create Session | Oracle Net | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 18c | |
| CVE-2020-2969 | Data Pump | DBA role account | Oracle Net | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2020-8112 | GeoRaster (OpenJPG) | Create Session | Oracle Net | No | 5.7 | Network | Low | Low | Required | Unchanged | None | None | High | 18c | |
| CVE-2020-2513 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2971 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2972 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2973 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2974 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2976 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2975 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2019-17569 | Workload Manager (Apache Tomcat) | None | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 12.2.0.1, 18c, 19c | |
| CVE-2020-2977 | Oracle Application Express | Valid User Account | HTTP | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2978 | Oracle Database - Enterprise Edition | DBA role account | Oracle Net | No | 4.1 | Network | Low | High | None | Changed | None | Low | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2019-13990 | MapViewer (Terracotta Quartz Scheduler, Apache Batik, Google Guava) | Local Logon | None | No | 0.0 | Local | Low | Low | Required | Unchanged | None | None | None | 12.2.0.1, 18c, 19c | See Note 2 |
| CVE-2018-18314 | Oracle Database (Perl) | Local Logon | None | No | 0.0 | Local | High | High | None | Unchanged | None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | See Note 3 |
| CVE-2019-10086 | Spatial Studio (Apache Commons Beanutils) | Local Logon | None | No | 0.0 | Local | Low | Low | None | Unchanged | None | None | None | Spatial Studio: Prior to 19.2.1 | See Note 4 |
| CVE-2019-16943 | TFA (jackson-databind) | Local Logon | None | No | 0.0 | Local | High | High | None | Unchanged | None | None | None | 12.2.0.1, 18c, 19c | See Note 5 |

Notes:

  1. MapViewer is not deployed with a default installation. To use MapViewer, the customer needs to re-deploy the MapViewer EAR file into Oracle WebLogic Server.
  2. CVE-2019-13990 and the other CVEs listed for this patch are not exploitable in the context of the Oracle Spatial and Graph MapViewer product, thus the CVSS score is 0.0.
  3. None of the CVEs listed against this row are exploitable in the context of Oracle Database, thus the CVSS score is 0.0.
  4. CVE-2019-10086 is not exploitable in the context of the Oracle Spatial Studio product, thus the CVSS score is 0.0.
  5. CVE-2019-16943 and the additional CVEs addressed by this patch are not exploitable in the context of Oracle TFA, thus the CVSS score for the TFA patch for this issue is 0.0.

Additional CVEs addressed are below:

  • The patch for CVE-2016-9843 also addresses CVE-2016-9840, CVE-2016-9841 and CVE-2016-9842.
  • The patch for CVE-2018-18314 also addresses CVE-2015-8607, CVE-2015-8608, CVE-2016-2381, CVE-2017-12814, CVE-2017-12837, CVE-2017-12883, CVE-2018-12015, CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-6797, CVE-2018-6798 and CVE-2018-6913.
  • The patch for CVE-2019-13990 also addresses CVE-2018-10237 and CVE-2018-8013.
  • The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
  • The patch for CVE-2019-17569 also addresses CVE-2020-1935 and CVE-2020-1938.
  • The patch for CVE-2020-8112 also addresses CVE-2016-1923, CVE-2016-1924, CVE-2016-3183, CVE-2016-4796, CVE-2016-4797, CVE-2016-8332, CVE-2016-9112 and CVE-2020-6851.


Further Help and Assistance

For further advice about Oracle Critical Patch Updates, including installation planning and consultancy services, please contact one of our pre-sales technical team on 0330 332 6223 or visit our website, nlightn-IT.
