Oracle fixes more than 300 vulnerabilities

The US software manufacturer Oracle holds its Patch Day every three months. Oracle calls these "Critical Patch Updates" (CPU). Due to the extensive product portfolio and the rather long update cycle, there are regularly several hundred gaps to be filled.

The first CPU day 2020, comes with 334 vulnerabilities and fixes. Several of the gaps are classified as critical. For this classification, Oracle uses the industry standard CVSS 3.0 (Common Vulnerability Scoring Standard), the highest value of which is 10.0. The next scheduled Oracle CPU day is April 14, 2020.

Oracle closed most of the vulnerabilities in the Enterprise Manager. Of the 50 vulnerabilities, 10 can be exploited without user login via the network, 4 reach the CVSS score 9.8. Added to this are vulnerable components from the database server and Fusion Middleware, the gaps of which are only counted for these products.

Fusion Middleware follows right behind. It receives updates for 38 security vulnerabilities, 30 of which can be used over the network without logging in via HTTP. Three of the weak points achieve the CVSS score 9.8. The database server manages with updates against 12 gaps, three of which can be used remotely. The highest CVSS score is 7.7. The well-known open-source database server MySQL ranks in the upper middle field with 19 gaps. These include six vulnerabilities that can be exploited over the network without user login. A vulnerability sets the highest CVSS score at 7.5.

In Java SE (Standard Edition), Oracle has closed a total of 12 vulnerabilities, all of which can be exploited without user login via the network (CVSS maximum value 8.1). The latest Java generation 13, launched in September, receives its second and probably the last security update with Java 13.0.2. Java 13 will be replaced by Java 14 in March 2020. In contrast, Java 11 is provided with updates for eight years. Java 11 is a so-called LTS version (Long Term Support). Both Java generations have seven vulnerabilities that were eliminated in January.

Mainly Java 8 (JRE - Java Runtime Environment) remains relevant for users, which will be supplied with free security updates for private use until at least the end of 2020. Commercial users, on the other hand, have had to pay for these updates since April 2019, but will be provided for them until March 2025. The latest version is Java 8 Update 241 (8u241), in which Oracle has closed 11 holes. As a browser extension (plug-in), Java only runs in Internet Explorer.