Oracle has released a giant October 2019 Critical Patch Update (CPU) containing fixes for 219 security flaws affecting 23 products, many of which stem from flaws in open source components.
The highest severity bug in this quarterly security update, CVE-2018-14721, affects the Oracle NoSQL Database and has a CVSS v3 score of 10 out of 10.
The bug is in the jackson-databind Java library component of Oracle NoSQL Database and affects versions prior to 19.3.12. According to Oracle, the flaw is “easily exploitable” by an unauthenticated attacker over the internet.
“While the vulnerability is in Oracle NoSQL Database, attacks may significantly impact additional products,” Oracle notes. “Successful attacks of this vulnerability can result in takeover of Oracle NoSQL Database.”
While this CPU is massive, Oracle issued a larger one in 2016, fixing 276 security flaws affecting 80 products. As usual, Oracle recommends applying CPU patches “without delay”, citing consistent reports of attacks on systems after CPU patches are released.
The October 2019 CPU also contains fixes for 15 more security flaws with a CVSS v3 score of 9.8, some with very old CVE identifiers that Oracle has previously patched in other products. In total there are 18 flaws with a CVSS v3 score of at least 9.
CVE-2017-6056, for example, affects an Apache Tomcat component of the Instantis EnterpriseTrack product of Oracle Construction and Engineering. Once again, it’s easily exploitable over the internet and doesn’t require credentials.
Another flaw in this high-severity 9.8 category, CVE-2019-14379, affects the Oracle Banking Platform and can be exploited by a remote, unauthenticated attacker who, if successful, could take over the banking platform.
Oracle Financial Services Analytical Applications Infrastructure can also be taken over by a remote attacker over the internet who successfully exploits the flaw CVE-2019-14379.
Security firm Tenable draws attention to several critical flaws affecting Oracle’s widely-deployed products and offers some extra details about what type of flaws they are.
Oracle MySQL has a memory flaw in the SQLite component of its Workbench product, affecting versions 8.0.17 and prior. The easily exploitable bug allows an unauthenticated attacker with network access via MySQL Workbench to compromise and take over the product.
There’s also a serious issue affecting the Jython command line interface component of Oracle Enterprise Manager.
Two critical flaws affect Oracle Middleware. One is a remote code execution vulnerability in the Apache Commons FileUpload library, CVE-2016-1000031, which Tenable discovered in 2016; the patch covers the Virtual Directory Server component of Oracle Fusion Middleware. An attacker can exploit the bug in the newly disclosed affected products to compromise Oracle Virtual Directory using HTTP requests.
The second critical flaw affecting Oracle Middleware is CVE-2019-2904. It’s not publicly known what type of flaw this is but it could allow an unauthenticated attacker to take over Oracle JDeveloper and ADF with crafted HTTP requests.
The last flaws Tenable highlights are CVE-2016-0729 and CVE-2019-3862. The first is a memory flaw in the Apache Xerces-C XML parser library that Apache patched in 2016.
“This vulnerability exists in the Integration Broker in Oracle PeopleSoft. It could allow a remote, unauthenticated attacker to cause a denial of service,” Tenable explains.
The second, CVE-2019-3862, was first patched by Oracle in March 2019 and is due to a memory flaw in the libssh2 library for the SSH2 protocol.
“Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of PeopleSoft Enterprise PeopleTools,” explained Oracle.