Oracle Database Critical Patch And Security Update October 2020
Description
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Please review our previous Critical Patch Update advisories for more information regarding earlier published security fixes.
Oracle Database Product Critical Patch Summary
This Critical Patch Update contains 19 new security patches for Oracle Database Server Products:
- New security patches for Oracle Database Products:
  - Oracle Database 11.2.0.4
  - Oracle Database 12.1.0.2
  - Oracle Database 12.2.0.1
  - Oracle Database 18c
  - Oracle Database 19c
Oracle Database Server Risk Matrix
CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2019-12900 | Core RDBMS (bzip2) | DBA Level Account | Oracle Net | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2020-14735 | Scheduler | Local Logon | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2020-14734 | Oracle Text | None | Oracle Net | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2018-2765 | Oracle SSL API | None | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1 |
CVE-2020-13935 | Workload Manager (Apache Tomcat) | None | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.0.1, 18c, 19c |
CVE-2020-11023 | Oracle Application Express (jQuery) | None | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2020-11023 | ORDS (jQuery) | None | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | See Note 1
CVE-2020-14762 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2020-9281 | Oracle Application Express | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2020-14899 | Oracle Application Express Data Reporter | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2020-14900 | Oracle Application Express Group Calendar | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2020-14898 | Oracle Application Express Packaged Apps | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2020-14763 | Oracle Application Express Quick Poll | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2020-14741 | Database Filesystem | Resource, Create Table, Create View, Create Procedure, Dbfs_role | Oracle Net | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 11.2.0.4, 12.1.0.2, 12.2.0.1 |
CVE-2020-14901 | RDBMS Security | Analyze Any | Oracle Net | No | 4.9 | Network | Low | High | None | Unchanged | High | None | None | 19c |
CVE-2020-14736 | Database Vault | Create Public Synonym | Oracle Net | No | 3.8 | Network | Low | High | None | Unchanged | Low | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1 |
CVE-2020-14743 | Java VM | Create Procedure | Multiple | No | 3.1 | Network | High | Low | None | Unchanged | None | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2020-14740 | SQL Developer Install | Client Computer User Account | Local Logon | No | 2.8 | Local | Low | Low | Required | Unchanged | Low | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c |
CVE-2020-14742 | Core RDBMS | SYSDBA level account | Oracle Net | No | 2.7 | Network | Low | High | None | Unchanged | None | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
Notes:
- Note 1: Additional ORDS bugs are documented in the separate "Oracle REST Data Services Risk Matrix".
Additional CVEs addressed are:
- The patch for CVE-2019-12900 also addresses CVE-2016-3189
- The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022
- The patch for CVE-2020-13935 also addresses CVE-2020-11996, CVE-2020-13934 and CVE-2020-9484
- The patch for CVE-2020-14734 also addresses CVE-2016-10244, CVE-2016-10328, CVE-2016-5300, CVE-2016-6153, CVE-2017-10989, CVE-2017-13685, CVE-2017-13745, CVE-2017-14232, CVE-2017-15286, CVE-2017-7857, CVE-2017-7858, CVE-2017-7864, CVE-2017-8105, CVE-2017-8287, CVE-2018-18873, CVE-2018-19139, CVE-2018-19539, CVE-2018-19540, CVE-2018-19541, CVE-2018-19542, CVE-2018-19543, CVE-2018-20346, CVE-2018-20505, CVE-2018-20506, CVE-2018-20570, CVE-2018-20584, CVE-2018-20622, CVE-2018-20843, CVE-2018-6942, CVE-2018-8740, CVE-2018-9055, CVE-2018-9154, CVE-2018-9252, CVE-2019-15903, CVE-2019-16168, CVE-2019-5018, CVE-2019-8457, CVE-2019-9936 and CVE-2019-9937
Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:
- Core RDBMS (LZ4): CVE-2019-17543
- Core RDBMS (Zstandard): CVE-2019-11922
- Oracle Database (Perl Expat): CVE-2018-20843 and CVE-2019-15903
- Oracle Spatial and Graph (Apache Log4j): CVE-2020-9488
- Oracle Spatial and Graph (jackson-databind): CVE-2019-16943, CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-5968, CVE-2018-7489, CVE-2019-16942 and CVE-2019-17531
- Oracle Spatial and Graph MapViewer (jQuery): CVE-2020-11023, CVE-2019-11358 and CVE-2020-11022
- SQL Developer (Apache Batik): CVE-2018-8013 and CVE-2017-5662
- SQL Developer (Apache Log4j): CVE-2017-5645
- SQL Developer (Apache POI): CVE-2017-12626, CVE-2016-5000, CVE-2017-5644 and CVE-2019-12415
- SQL Developer (jackson-databind): CVE-2018-7489, CVE-2017-15095, CVE-2017-17485, CVE-2018-1000873, CVE-2018-11307, CVE-2018-12022, CVE-2018-5968, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-16335, CVE-2019-20330 and CVE-2020-8840
- SQL Developer (JCraft JSch): CVE-2016-5725
- SQL Developer Install (Bouncy Castle): CVE-2019-17359, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000180, CVE-2018-1000613 and CVE-2018-5382
Oracle Database Server Client-Only Installations
- The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2020-14740.
Further Help and Assistance
For further advice about Oracle Critical Patch Updates, including installation planning and consultancy services, please contact a member of our pre-sales technical team on 0330 332 6223 or visit the nlightn-IT website.