Story automatically generated by StoryBot Version 0.2.2 rel Testing.
Storybot ('Arthur T Knackerbracket') has been converted to Python3
Note: This is the complete story and will need further editing. It may also be covered
by Copyright and thus should be acknowledged and quoted rather than printed in its entirety.
FeedSource: [Threatpost]
Time: 2020-01-14 23:47:00 UTC
Original URL: https://threatpost.com/oracle-cpu-all-time-patch-high-january/151861/ [threatpost.com] using UTF-8 encoding.
Title: Oracle Ties Previous All-Time Patch High with January Updates
--- --- --- --- --- --- --- Entire Story Below --- --- --- --- --- --- ---
Oracle Ties Previous All-Time Patch High with January Updates
Arthur T Knackerbracket has found the following story [threatpost.com]:
The software giant patched 300+ bugs in its quarterly update.
Oracle has patched 334 vulnerabilities across all of its product families in its January 2020 quarterly Critical Patch Update (CPU). Out of these, 43 are critical/severe flaws carrying CVSS scores of 9.1 and above. The CPU ties Oracle’s previous all-time high for the number of patches issued, set in July 2019 [threatpost.com]. This overtook its previous record of 308 in July 2017.
The company said in a pre-release announcement [oracle.com] that some of the vulnerabilities affect multiple products.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible,” it added.
In its customer relationship management (CRM) platforms, there are 15 patches for Oracle PeopleSoft (12 remotely exploitable without authentication, two critical); and five patches for Oracle Siebel CRM (all remotely exploitable without authentication, two critical).
On the vertical-specific software front, Oracle patched 12 bugs in Oracle Construction and Engineering (eight remotely exploitable without authentication, two critical); 24 flaws for Oracle Financial Services Applications (six remotely exploitable without authentication); one bug for Oracle Food and Beverage Applications; three for Oracle Health Sciences Applications (all are remotely exploitable without authentication, three critical); five patches for Oracle Hospitality Applications (two remotely exploitable without authentication); one patch for Oracle iLearning; nine patches for Oracle JD Edwards (all remotely exploitable without authentication, four critical); four patches for Oracle Utilities Applications (all of these vulnerabilities remotely exploitable without authentication, one is critical); and 22 patches for Oracle Retail Applications (14 remotely exploitable without authentication, eight critical).
January’s massive CPU also features 17 patches for Oracle Systems (eight are remotely exploitable without authentication, three critical); two patches for Oracle Hyperion (one is remotely exploitable without authentication, and is critical); eight patches for Oracle Supply Chain (all are remotely exploitable without authentication, one is critical); Oracle GraalVM (five patches, three remotely exploitable without authentication, one critical); and 22 patches for Oracle Virtualization (three are remotely exploitable without authentication).
And finally, the vendor issued 12 security patches for Oracle Java SE. All of the vulnerabilities are remotely exploitable without authentication, and are considered severe only when a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows).
“Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases,” according to Oracle.
Threatpost has reached out to several researchers for insight into specific vulnerabilities and will update this post accordingly.
Also adding to Tuesday’s patch bonanza were Adobe’s security updates [threatpost.com] for Illustrator CC for Windows and Experience Manager; while Microsoft took the wraps off [threatpost.com] of January 2020 Patch Tuesday, tackling 50 bugs, with eight rated critical, all as it pushes out its last regular Windows 7 patches. These included a major crypto-spoofing bug impacting Windows 10 users that was found by the NSA. Also, Intel issued an update [threatpost.com] including a high-severity privilege-escalation flaw.
-- submitted from IRC