This post was last edited by windjack on 2020-7-16 15:02
The Oracle security patch update of 14 July 2020 is here!
As many as 433 new security patches!
With HVV (护网行动) under way, patching cannot wait!
See the official documentation for details:
Oracle Critical Patch Update Advisory - July 2020
https://www.oracle.com/security-alerts/cpujul2020.html
Critical Patch Update (CPU) Program Jul 2020 Patch Availability Document (PAD) (Doc ID 2664876.1)
https://support.oracle.com/epmos ... nyxp13_256#chdcbgga
Oracle Database Server Risk Matrix

This Critical Patch Update contains 19 new security patches for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-1000031 | MapViewer (Apache Commons FileUpload) | Valid User Account | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.0.1, 18c, 19c | See Note 1 |
| CVE-2020-2968 | Java VM | Create Session, Create Procedure | Multiple | No | 8.0 | Network | High | Low | Required | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2016-9843 | Core RDBMS (zlib) | Create Session | Oracle Net | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 18c | |
| CVE-2020-2969 | Data Pump | DBA role account | Oracle Net | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2020-8112 | GeoRaster (OpenJPG) | Create Session | Oracle Net | No | 5.7 | Network | Low | Low | Required | Unchanged | None | None | High | 18c | |
| CVE-2020-2513 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2971 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2972 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2973 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2974 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2976 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2975 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2019-17569 | Workload Manager (Apache Tomcat) | None | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 12.2.0.1, 18c, 19c | |
| CVE-2020-2977 | Oracle Application Express | Valid User Account | HTTP | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2978 | Oracle Database - Enterprise Edition | DBA role account | Oracle Net | No | 4.1 | Network | Low | High | None | Changed | None | Low | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2019-13990 | MapViewer (Terracotta Quartz Scheduler, Apache Batik, Google Guava) | Local Logon | None | No | 0.0 | Local | Low | Low | Required | Unchanged | None | None | None | 12.2.0.1, 18c, 19c | See Note 2 |
| CVE-2018-18314 | Oracle Database (Perl) | Local Logon | None | No | 0.0 | Local | High | High | None | Unchanged | None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | See Note 3 |
| CVE-2019-10086 | Spatial Studio (Apache Commons Beanutils) | Local Logon | None | No | 0.0 | Local | Low | Low | None | Unchanged | None | None | None | Spatial Studio: Prior to 19.2.1 | See Note 4 |
| CVE-2019-16943 | TFA (jackson-databind) | Local Logon | None | No | 0.0 | Local | High | High | None | Unchanged | None | None | None | 12.2.0.1, 18c, 19c | See Note 5 |
Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle GoldenGate. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14705 | Oracle GoldenGate | Process Management | TCP | Yes | 9.6 | Adjacent Network | Low | None | None | Changed | High | High | High | Prior to 19.1.0.0.0 | |
| CVE-2019-0222 | GoldenGate Stream Analytics | Security (ActiveMQ) | TCP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | Prior to 19.1.0.0.1 | |
| CVE-2019-14379 | GoldenGate Stream Analytics | Security / Application Adapters (jackson-databind, SLF4J, ZooKeeper, Apache Spark) | None | No | 0.0 | Local | Low | Low | None | Unchanged | None | None | None | Prior to 19.1.0.0.1 | See Note 1 |
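The eight CVSS columns in the two risk matrices above (Attack Vector through Availability) are the CVSS v3.1 base metrics, and the Base Score is derived from them, so the matrices can be checked and triaged mechanically instead of read by eye. The following is an added example, not part of the original post or of Oracle's advisory: it parses rows in the pipe-separated column order used above, rebuilds the CVSS v3.1 vector string, recomputes the base score with the formula from the FIRST CVSS v3.1 specification, and flags the entries a patch team should take first (remotely exploitable without authentication, or base score 7.0 and above). The three sample rows are copied from the matrices above; the column positions, the 7.0 threshold and all function names are this example's own assumptions.

```python
import math

# CVSS v3.1 base-metric weights (FIRST CVSS v3.1 specification, section 7.4).
AV = {"Network": 0.85, "Adjacent Network": 0.62, "Local": 0.55, "Physical": 0.2}
AC = {"Low": 0.77, "High": 0.44}
PR_UNCHANGED = {"None": 0.85, "Low": 0.62, "High": 0.27}
PR_CHANGED = {"None": 0.85, "Low": 0.68, "High": 0.5}
UI = {"None": 0.85, "Required": 0.62}
CIA = {"None": 0.0, "Low": 0.22, "High": 0.56}
ABBREV = {"Network": "N", "Adjacent Network": "A", "Local": "L", "Physical": "P",
          "Low": "L", "High": "H", "None": "N", "Required": "R",
          "Unchanged": "U", "Changed": "C"}

# Constructed sample: three rows copied from the risk matrices above, in the
# advisory's column order (assumed here): CVE, component, privilege, protocol,
# remote-unauth, base score, AV, AC, PR, UI, S, C, I, A, versions, notes.
SAMPLE_ROWS = """\
CVE-2016-1000031 | MapViewer (Apache Commons FileUpload) | Valid User Account | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.0.1, 18c, 19c | See Note 1
CVE-2019-17569 | Workload Manager (Apache Tomcat) | None | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 12.2.0.1, 18c, 19c |
CVE-2020-14705 | Oracle GoldenGate | Process Management | TCP | Yes | 9.6 | Adjacent Network | Low | None | None | Changed | High | High | High | Prior to 19.1.0.0.0 |
"""


def roundup(x):
    """CVSS v3.1 Roundup (spec appendix A): smallest one-decimal value >= x,
    done in integer arithmetic so 4.7352... becomes 4.8 and not 4.7."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a):
    """CVSS v3.1 base score from the eight textual metric values."""
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if scope == "Unchanged":
        impact = 6.42 * iss
        pr_w = PR_UNCHANGED[pr]
    else:  # Scope: Changed uses the steeper impact curve and higher PR weights
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
        pr_w = PR_CHANGED[pr]
    exploitability = 8.22 * AV[av] * AC[ac] * pr_w * UI[ui]
    if impact <= 0:  # no C/I/A impact at all -> 0.0, as in the "Local Logon" rows
        return 0.0
    if scope == "Unchanged":
        return roundup(min(impact + exploitability, 10))
    return roundup(min(1.08 * (impact + exploitability), 10))


def vector(av, ac, pr, ui, scope, c, i, a):
    """Rebuild the CVSS v3.1 vector string from the matrix columns."""
    return "CVSS:3.1/AV:%s/AC:%s/PR:%s/UI:%s/S:%s/C:%s/I:%s/A:%s" % tuple(
        ABBREV[v] for v in (av, ac, pr, ui, scope, c, i, a))


def parse_rows(text):
    """Parse pipe-separated matrix rows; non-CVE or short lines are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [cell.strip() for cell in line.split("|")]
        if len(cells) < 15 or not cells[0].startswith("CVE-"):
            continue
        metrics = tuple(cells[6:14])  # AV, AC, PR, UI, S, C, I, A
        rows.append({
            "cve": cells[0],
            "component": cells[1],
            "remote_unauth": cells[4] == "Yes",
            "listed_score": float(cells[5]),
            "computed_score": base_score(*metrics),
            "vector": vector(*metrics),
            "versions": cells[14],
        })
    return rows


def triage(rows, threshold=7.0):
    """CVEs to patch first: no-auth remote exploits, or base score >= threshold."""
    return [r["cve"] for r in rows if r["remote_unauth"] or r["listed_score"] >= threshold]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for r in rows:
        status = "OK" if r["computed_score"] == r["listed_score"] else "MISMATCH"
        print(r["cve"], r["listed_score"], r["computed_score"], status, r["vector"])
    print("patch first:", triage(rows))
```

Paste the full matrices into SAMPLE_ROWS to run the check over every entry; a MISMATCH means either a transcription error in the copied row or a score that was not produced by the listed metrics, and both are worth a look before the numbers go into a patch-priority ticket. Note that CVE-2019-17569 is flagged despite its 4.8 score because it needs no credentials, which is the usual reason a low-scoring Tomcat issue still gets patched in the first wave.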