VENDOR UPDATE | 26 April 2021

Oracle Database Critical Patch And Security Update April 2021

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Please review our previous Critical Patch Update advisories for more information regarding earlier published security fixes.

Oracle Database Product Critical Patch Summary

This Critical Patch Update contains 10 new security patches for Oracle Database Server Products:

  • New security patches for Oracle Database Products:
    • Oracle Database 12.1.0.2
    • Oracle Database 12.2.0.1
    • Oracle Database 18c
    • Oracle Database 19c
    • Oracle Database 20.2

Oracle Database Server Risk Matrix

| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-5360 | Oracle Database - Enterprise Edition Security (Dell BSAFE Micro Edition Suite) | None | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2020-17527 | Workload Manager (Apache Tomcat) | None | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 18c, 19c | |
| CVE-2019-3740 | Oracle Database - Enterprise Edition (Dell BSAFE Crypto-J) | None | Oracle Net | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2020-11023 | Oracle Application Express (jQuery) | None | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 20.2 | |
| CVE-2021-2234 | Java VM | Create Session | Oracle Net | No | 5.3 | Network | High | Low | None | Unchanged | None | High | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2020-7760 | Oracle Application Express (CodeMirror) | Valid User Account | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | Prior to 20.2 | |
| CVE-2021-2173 | Recovery | DBA Level Account | Oracle Net | No | 4.1 | Network | Low | High | None | Changed | Low | None | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2021-2175 | Database Vault | Create Any View, Select Any View | Oracle Net | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2021-2245 | Oracle Database - Enterprise Edition Unified Audit | Create Audit Policy | Oracle Net | No | 2.7 | Network | Low | High | None | Unchanged | None | Low | None | 18c, 19c | |
| CVE-2021-2207 | Oracle Database - Enterprise Edition RMAN | executable | Local Logon | No | 2.3 | Local | Low | High | None | Unchanged | None | Low | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |

Notes:

  • The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739.
  • The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022.
  • The patch for CVE-2020-17527 also addresses CVE-2020-13943 and CVE-2020-9484.
  • The patch for CVE-2020-5360 also addresses CVE-2020-5359.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Database Configuration Assistant (Apache Commons Compress): CVE-2019-12402.

Oracle Database Server Client-Only Installations:

  • The following Oracle Database Server Vulnerability included in the Critical Patch Update affects client-only installations: CVE-2020-5360.

Further Help and Assistance

For further advice about Oracle Critical Patch Updates, including installation planning and consultancy services, please contact a member of our pre-sales technical team on 0330 332 6223 or visit our website, nlightn-IT.