Oracle drops 219 fixes in October 2019 critical patch update

Credit: Dreamstime

Oracle has released a giant October 2019 Critical Patch Update (CPU) containing fixes for 219 security flaws affecting 23 products, many of which stem from flaws in open source components. 

The highest severity bug in this quarterly security update, CVE-2018-14721, affects the Oracle NoSQL Database and has a CVSS v3 score of 10 out of 10. 

The bug is in the jackson-databind Java library component of Oracle NoSQL Database and affects versions prior to 19.3.12. According to Oracle, the flaw is “easily exploitable” by an unauthenticated attacker over the internet.

“While the vulnerability is in Oracle NoSQL Database, attacks may significantly impact additional products,” Oracle notes. “Successful attacks of this vulnerability can result in takeover of Oracle NoSQL Database.” 

While this CPU is massive, Oracle has issued a larger set of patches to fix 276 security flaws affecting 80 products in 2016. Oracle as usual recommends its CPU patches "without delay" due to consistent reports of attacks on systems after it releases CPU patches.   

The October 2019 CPU also contains fixes for 15 more security flaws with a CVSS v3 score of between 9.8, some with very old CVE identifiers that have previously been patched by Oracle in other products. In total there are 18 with a CVSS v3 score of at least 9. 

CVE-2017-6056, for example, affects an Apache Tomcat component of the Instantis EnterpriseTrack product of Oracle Construction and Engineering. Once again, it’s easily exploitable over the internet and doesn’t require credentials.  

Another flaw in this high-severity 9.8 category, CVE-2019-14379, affects the Oracle Banking Platform and can be exploited by a remote, unauthenticated attacker who, if successful, could take over the banking platform. 

Oracle Financial Services Analytical Applications Infrastructure can also be overtaken by a remote attacker over the internet if they successfully exploited the flaw CVE-2019-14379. 

Security firm Tenable draws attention to several critical flaws affecting Oracle’s widely-deployed products and offers some extra details about what type of flaws they are. 

Oracle MySQL has a memory flaw in the SQLite component of Oracle MySQL’s Workbench product affecting versions 8.0.17 and prior. The easily exploitable bug allows an unauthenticated attacker with network access via MySQL Workbench to compromise and takeover the product.

There’s also a serious issue affecting the Jython command line interface component of Oracle Enterprise Manager.  

Two critical flaws affect Oracle Middleware. One is a remote code execution vulnerability in the Apache Commons FileUpload library and there’s a patch for the Virtual Directory Server component of Oracle Fusion Middleware. Tenable discovered this flaw, CVE-2016-1000031, in 2016. An attacker can exploit the bug newly disclosed affected products to compromise Oracle Virtual Director using HTTP requests. 

The second critical flaw affecting Oracle Middleware is CVE-2019-2904. It’s not publicly known what type of flaw this is but it could allow an unauthenticated attacker to take over Oracle JDeveloper and ADF with crafted HTTP requests. 

The last flaws Tenable highlights are CVE-2016-0729, CVE-2019-3862. The first concerns a memory flaw in the XML Parser library in Apache Xerces-C that were patched by Apache in 2016.    

“This vulnerability exists in the Integration Broker in Oracle PeopleSoft. It could allow a remote, unauthenticated attacker to cause a denial of service,” Tenable explains. 

The second, CVE-2019-3862, was first patched by Oracle in March 2019 and is due to a memory flaw in the libssh2 library for the SSH2 protocol. 

“Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of PeopleSoft Enterprise PeopleTools,” explained Oracle. 

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
CSO WANTED
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags OraclejavamysqlcpuapachepeoplesoftNoSQLSQLitecritical patch update

More about ApacheEnterpriseInstantisMySQLOraclePeopleSoftTenable

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts