The April 2020 Oracle Critical Patch Update (CPU) includes 397 patches across Oracle’s product suite, an 18 percent hike over the January 2020 CPU and a 33% year-over-year increase. The CPU includes:

  • 15 patches for Java SE
  • 51 patches for Oracle Fusion Middleware
  • 74 patches for Oracle E-Business Suite
  • 16 patches for Oracle Knowledge

Although the April 2020 CPU preview mentioned a potential patch for the recently released Java 14, today’s Update does not include any fixes for Java 14.


Waratek’s Advice to Customers & Prospects
Waratek Patch and Waratek Upgrade customers will receive runtime virtual patches that address the Oracle CPU CVEs as part of their agreements. Virtual Patches can be deployed with no downtime to achieve instant protection. Some CVEs are also addressed in Waratek’s built-in CWE rules that offer active zero-day protection with zero tuning or configuration.

Non-customers should follow Oracle’s advice and apply the critical patch updates without delay.


Q2 CPU Java SE highlights

  • One hundred percent (100%) of the Java SE vulnerabilities may be exploited over a network without requiring user credentials.
  • Two (2) new deserialization vulnerabilities in Java SE are patched.
  • One (1) information disclosure vulnerability (CVE-2019-18197) in the native code of JavaFX affects only Java 8.
  • One (1) vulnerability (CVE-2020-2764) affects only Java Advanced Management Console.
  • Four vulnerabilities affect the Java Secure Socket Extension (JSSE) and affects applications via HTTPS


Regarding other Oracle products

  • Oracle Business Intelligence and Oracle Knowledge were patched against the infamous 4-year old CVE-2016-1000031 Apache Commons FileUpload DiskFileItem File Manipulation Remote Code Execution deserialization vulnerability.
  • Fifteen (15) of the 16 CVEs in Oracle Knowledge may be exploited remotely.
  • Oracle Fusion Middleware was patched against 8 deserialization vulnerabilities.
  • Forty-four (44) of the Orcale Fusion Middleware CVEs can be remotely exploited.
  • Seventy (70) of the Oracle E-Business Suite vulnerabilities may be remotely exploitable without requiring user credentials.

Read the full Oracle CPU news release here.