Oracle Critical Patch Update October 2020 fixed 421 vulnerabilities

On October 20, 2020, Oracle officially released the Oracle Critical Patch Update Advisory – October 2020. This security update released 421 vulnerability patches, of which Oracle Fusion Middleware has 46 vulnerability patch updates, mainly covering Oracle Weblogic, Oracle Endeca Information Discovery Integrator, Oracle WebCenter Portal, Oracle BI Publisher, Oracle Business Intelligence Enterprise Edition, and more… Oracle Critical Patch Update October 2020 fixed 36 vulnerabilities which can be exploited remotely without authentication.

Vulnerability Detail

Multiple deserialization vulnerabilities in Oracle WebLogic Server. 
These vulnerabilities allow unauthenticated attackers to send constructed malicious requests through HTTP, IIOP, and T3 protocols to execute code in Oracle WebLogic Server. The critical vulnerability numbers are as follows:
  • CVE-2020-14882
  • CVE-2020-14841
  • CVE-2020-14825
  • CVE-2020-14859
  • CVE-2020-14820

A remote attacker who successfully exploited the CVE-2020-14882 vulnerability can construct a special HTTP request, take over WebLogic Server without authentication, and execute arbitrary code on WebLogic Server.

Oracle E-Business Suite multiple serious vulnerabilities

This critical patch update contains 27 new security patches for Oracle E-Business Suite. 25 of these vulnerabilities can be exploited remotely without authentication, that is, these vulnerabilities can be exploited through the network without user credentials. The critical vulnerability numbers are as follows:
  • CVE-2020-14855
  • CVE-2020-14805
  • CVE-2020-14875
  • CVE-2020-14876
Oracle Enterprise Manager multiple serious vulnerabilities
This critical patch update contains 11 new security patches for Oracle Enterprise Manager. 10 of these vulnerabilities can be exploited remotely without authentication, that is, these vulnerabilities can be exploited through the network without user credentials. The critical vulnerability numbers are as follows:
  • CVE-2019-13990
  • CVE-2018-11058
  • CVE-2019-17638
  • CVE-2020-5398
  • CVE-2020-1967

Oracle Financial Services Applications multiple serious vulnerabilities

This critical patch update contains 53 new security patches for Oracle Financial Services applications. 49 of these vulnerabilities can be exploited remotely without authentication, that is, these vulnerabilities can be exploited through the network without user credentials. The critical vulnerability numbers are as follows:
  • CVE-2019-17495
  • CVE-2019-10173
  • CVE-2020-10683
  • CVE-2020-9546
  • CVE-2020-11973
  • CVE-2020-14824

Solution

In this regard, we recommend that users install the latest patches in time.