Oracle Critical Patch Update for July 2020 Tops Previous Record with 443 Security Updates
On July 14, Oracle released the Critical Patch Update (CPU) Advisory for July 2020 as part of their quarterly release of security patches. This update contains fixes for 284 CVEs in 443 security patches across 29 Oracle product families. This quarter’s update continues an upward trend, overtaking the previous Oracle CPU patch record set by April 2020's update.
This quarter’s CPU includes more than 30 critically rated CVEs across a wide range of Oracle products. Included in that list are a few notable CVEs, including CVE-2020-14701 and CVE-2020-14706. These are vulnerabilities in the User Interface component of the Oracle Communications Applications SD-WAN Aware and SD-WAN Edge products, respectively. Oracle has highlighted these vulnerabilities as “easily exploitable” and both vulnerabilities received a CVSSv3.1 score of 10.0, the highest score possible. These 2 vulnerabilities can be exploited over HTTP by an unauthenticated attacker, making them important vulnerabilities to prioritize patching.
In addition, Oracle released several critical fixes for WebLogic Server. CVE-2020-14625, CVE-2020-14644, CVE-2020-14645, and CVE-2020-14687 are vulnerabilities in the Core component of the Oracle WebLogic product of Oracle Fusion Middleware. Oracle has highlighted these vulnerabilities as “easily exploitable” as they allow an unauthenticated attacker with network access via Oracle’s T3 and Internet Inter-ORB Protocol (IIOP) to compromise the server. Oracle has assigned these vulnerabilities a critical CVSSv3.1 score of 9.8.
You can read more about these CVEs and our analysis of other important vulnerabilities patched by Oracle in the July 2020 Critical Patch Update (CPU) in our blog.