Chongqing Sizhuang Oracle and Redhat Certification Study Forum

Title: ORACLE 2020.07.14 CPU patch release

Author: windjack    Time: 2020-7-16 14:35
Title: ORACLE 2020.07.14 CPU patch release
This post was last edited by windjack on 2020-7-16 15:02

Oracle's July 14, 2020 security patch update is here!

As many as 433 new security vulnerabilities!

The network protection (HVV, 护网行动) campaign brooks no delay!

See the official documentation for details

Oracle Critical Patch Update Advisory - July 2020
https://www.oracle.com/security-alerts/cpujul2020.html


Critical Patch Update (CPU) Program Jul 2020 Patch Availability Document (PAD) (Doc ID 2664876.1)
https://support.oracle.com/epmos ... nyxp13_256#chdcbgga



Oracle Database Server Risk Matrix
This Critical Patch Update contains 19 new security patches for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

The columns from Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-1000031 | MapViewer (Apache Commons FileUpload) | Valid User Account | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.0.1, 18c, 19c | See Note 1 |
| CVE-2020-2968 | Java VM | Create Session, Create Procedure | Multiple | No | 8.0 | Network | High | Low | Required | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2016-9843 | Core RDBMS (zlib) | Create Session | Oracle Net | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 18c | |
| CVE-2020-2969 | Data Pump | DBA role account | Oracle Net | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2020-8112 | GeoRaster (OpenJPG) | Create Session | Oracle Net | No | 5.7 | Network | Low | Low | Required | Unchanged | None | None | High | 18c | |
| CVE-2020-2513 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2971 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2972 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2973 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2974 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2976 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2975 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2019-17569 | Workload Manager (Apache Tomcat) | None | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 12.2.0.1, 18c, 19c | |
| CVE-2020-2977 | Oracle Application Express | Valid User Account | HTTP | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2978 | Oracle Database - Enterprise Edition | DBA role account | Oracle Net | No | 4.1 | Network | Low | High | None | Changed | None | Low | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2019-13990 | MapViewer (Terracotta Quartz Scheduler, Apache Batik, Google Guava) | Local Logon | None | No | 0.0 | Local | Low | Low | Required | Unchanged | None | None | None | 12.2.0.1, 18c, 19c | See Note 2 |
| CVE-2018-18314 | Oracle Database (Perl) | Local Logon | None | No | 0.0 | Local | High | High | None | Unchanged | None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | See Note 3 |
| CVE-2019-10086 | Spatial Studio (Apache Commons Beanutils) | Local Logon | None | No | 0.0 | Local | Low | Low | None | Unchanged | None | None | None | Spatial Studio: Prior to 19.2.1 | See Note 4 |
| CVE-2019-16943 | TFA (jackson-databind) | Local Logon | None | No | 0.0 | Local | High | High | None | Unchanged | None | None | None | 12.2.0.1, 18c, 19c | See Note 5 |





Oracle GoldenGate Risk Matrix
This Critical Patch Update contains 3 new security patches for Oracle GoldenGate. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The columns from Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14705 | Oracle GoldenGate | Process Management | TCP | Yes | 9.6 | Adjacent Network | Low | None | None | Changed | High | High | High | Prior to 19.1.0.0.0 | |
| CVE-2019-0222 | GoldenGate Stream Analytics | Security (ActiveMQ) | TCP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | Prior to 19.1.0.0.1 | |
| CVE-2019-14379 | GoldenGate Stream Analytics | Security / Application Adapters (jackson-databind, SLF4J, ZooKeeper, Apache Spark) | None | No | 0.0 | Local | Low | Low | None | Unchanged | None | None | None | Prior to 19.1.0.0.1 | See Note 1 |
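As an added example (not from this post or from Oracle), the Python below recomputes the CVSS v3.1 base score from the eight metric columns of the two risk matrices above and orders the rows for patch triage, putting entries marked remotely exploitable without authentication first. The rows are transcribed from the tables and the weights are those of the published CVSS v3.1 specification; a mismatch between the listed and recomputed score would point to a transcription error.

```python
import math

# CVSS v3.1 metric weights (FIRST specification, Table 8); PR depends on Scope.
AV = {"Network": 0.85, "Adjacent Network": 0.62, "Local": 0.55, "Physical": 0.20}
AC = {"Low": 0.77, "High": 0.44}
PR_UNCHANGED = {"None": 0.85, "Low": 0.62, "High": 0.27}
PR_CHANGED = {"None": 0.85, "Low": 0.68, "High": 0.50}
UI = {"None": 0.85, "Required": 0.62}
CIA = {"None": 0.0, "Low": 0.22, "High": 0.56}

def roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, avoiding float artefacts."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10

def base_score(av, ac, pr, ui, scope, c, i, a):
    """Recompute the v3.1 base score from the metric columns of the risk matrix."""
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    changed = scope == "Changed"
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * AV[av] * AC[ac] * (PR_CHANGED if changed else PR_UNCHANGED)[pr] * UI[ui]
    if impact <= 0:
        return 0.0  # no C/I/A impact => score 0, as for the "See Note" rows
    return roundup(min(1.08 * (impact + expl) if changed else impact + expl, 10))

# Rows transcribed from the matrices above:
# (CVE, remote-without-auth?, listed score, AV, AC, PR, UI, Scope, C, I, A)
ROWS = [
    ("CVE-2016-1000031", "No", 8.8, "Network", "Low", "Low", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2020-2968", "No", 8.0, "Network", "High", "Low", "Required", "Changed", "High", "High", "High"),
    ("CVE-2020-2969", "No", 6.6, "Network", "High", "High", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2020-2513", "No", 5.4, "Network", "Low", "Low", "Required", "Changed", "Low", "Low", "None"),
    ("CVE-2019-17569", "Yes", 4.8, "Network", "High", "None", "None", "Unchanged", "Low", "Low", "None"),
    ("CVE-2020-2978", "No", 4.1, "Network", "Low", "High", "None", "Changed", "None", "Low", "None"),
    ("CVE-2019-13990", "No", 0.0, "Local", "Low", "Low", "Required", "Unchanged", "None", "None", "None"),
    ("CVE-2020-14705", "Yes", 9.6, "Adjacent Network", "Low", "None", "None", "Changed", "High", "High", "High"),
]

def triage(rows):
    """Check each listed score and order rows for patching: unauthenticated remote
    first, then by listed score. Returns [(cve, listed, computed, scores_match)]."""
    scored = [(r[0], r[2], base_score(*r[3:]), base_score(*r[3:]) == r[2], r[1]) for r in rows]
    scored.sort(key=lambda t: (t[4] != "Yes", -t[1]))
    return [t[:4] for t in scored]

if __name__ == "__main__":
    for cve, listed, computed, ok in triage(ROWS):
        print(f"{cve:<18} listed {listed:>4} computed {computed:>4} {'OK' if ok else 'MISMATCH'}")
```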














Welcome to Chongqing Sizhuang Oracle and Redhat Certification Study Forum (http://bbs.cqsztech.com/) Powered by Discuz! X3.2