October 16, 2019 (updated 18 Oct 2019 9:58am)

Oracle Patches 219 Security Vulnerabilities – 142 Remotely Exploitable

Quarterly patch release includes 34 fixes for the Oracle MySQL database

By CBR Staff Writer

Oracle has released a mighty 219 new security patches, including one for an “easily exploitable” Oracle NoSQL vulnerability that scored a maximum of 10 on the CVSS scale* and which could result in complete database takeover.

An alarming 142 of this week’s total Oracle patches – released to users under Redmond’s quarterly patch cycle – are remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The Oracle NoSQL vulnerability affects versions up to 19.3.12.

While the vulnerability (assigned CVE-2018-14721) is in Oracle NoSQL Database, attacks may “significantly impact additional products”, Oracle said late Tuesday, adding that “successful attacks… can result in takeover of Oracle NoSQL Database”.

The patch, based on the CVE, appears to be a belated fix of a well-known bug in jackson-databind, a widely used Java library to parse JSON and other data formats.

Issues with this library impacted a range of products from other vendors, with an upgrade of jackson-databind packages available since May. It was unclear, given its CVSS score, why this has only just been fixed in the NoSQL product.

*Oracle security vulnerabilities are scored using CVSS version 3.0


DBAs need to get wrenching. Credit: Matt Artz, Unsplash.

Oracle Patches 

Among the other patches are 34 for the widely used Oracle MySQL database.

These include nine for vulnerabilities that are remotely exploitable without authentication, including a 9.8-rated critical vulnerability in MySQL Workbench (an integrated development environment for the MySQL database system). No privileges are required to execute an attack based on this vuln, which affects versions up to 8.0.17.

This has been assigned CVE-2019-8457 and, again, appears to be a fix for a bug in the open source SQLite3 (from 3.6.0 up to and including 3.27.2), which is vulnerable to a “heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.”
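For teams triaging this release, the affected ranges quoted above (Oracle NoSQL up to 19.3.12, MySQL Workbench up to 8.0.17, SQLite3 3.6.0 through 3.27.2) can be checked against a software inventory. The following is an added example, not Oracle's tooling: the product keys, hostnames and inventory format are assumptions, and "up to" is read as inclusive.

```python
import re

# Affected ranges as stated in the article: product -> (low, high, CVE).
# "up to X" is read as inclusive (an assumption); low=None means no lower bound.
AFFECTED = {
    "oracle-nosql": (None, (19, 3, 12), "CVE-2018-14721"),
    "mysql-workbench": (None, (8, 0, 17), "CVE-2019-8457"),
    "sqlite3": ((3, 6, 0), (3, 27, 2), "CVE-2019-8457"),
}

def parse_version(text):
    """Turn '8.0.17' or '3.27.2-1ubuntu0.1' into a tuple of ints."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(product, version_text):
    """Return the CVE id if the version is inside the stated range, else None."""
    low, high, cve = AFFECTED[product]
    v = parse_version(version_text)
    width = max(len(v), len(high), len(low or ()))
    pad = lambda t: t + (0,) * (width - len(t))  # '8.0' compares as 8.0.0
    if low is not None and pad(v) < pad(low):
        return None
    return cve if pad(v) <= pad(high) else None

def audit(inventory):
    """inventory: (host, product, version) rows -> list of findings."""
    findings = []
    for host, product, version in inventory:
        if product not in AFFECTED:
            continue
        try:
            cve = is_affected(product, version)
        except ValueError:
            cve = "REVIEW-MANUALLY"  # never silently pass an unreadable version
        if cve:
            findings.append((host, product, version, cve))
    return findings

# Constructed sample inventory; hosts and versions are made up.
SAMPLE = [
    ("db-01", "sqlite3", "3.27.2-1ubuntu0.1"),
    ("db-02", "sqlite3", "3.30.1"),
    ("ws-07", "mysql-workbench", "8.0"),
    ("kv-03", "oracle-nosql", "19.5.19"),
    ("kv-04", "oracle-nosql", "unknown"),
]
```

Distribution packages often carry backported fixes without changing the upstream version number, so a flagged row is a prompt to check the vendor advisory rather than proof of exposure.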

Other notable patches include 12 new security patches for Oracle Systems, with one, again, rated 9.8 that fixes a severe vulnerability in XCP Firmware (cURL).

The issue, given CVE-2018-1000007, affects Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2 and M12-2S Servers and can be remotely exploited over numerous protocols.

Another critical patch is for the Oracle Banking Platform. With a critical CVSS score of 9.8 and remote exploitability without credentials, it has been assigned CVE-2019-14379 and is, again, related to a bug in jackson-databind that affected numerous other products.

The Oracle Patches, in Total 

The updates also include:

  • 11 new security patches for the Oracle Database Server
  • 13 new security patches for Oracle Construction and Engineering
  • 10 new security patches for the Oracle E-Business Suite
  • 7 new security patches for Oracle Enterprise Manager
  • 7 new security patches for Oracle Financial Services Applications
  • 7 new security patches for Oracle Food and Beverage Applications
  • 37 new security patches for Oracle Fusion Middleware
  • 3 new security patches for Oracle GraalVM
  • 2 new security patches for Oracle Health Sciences Applications
  • 3 new security patches for Oracle Hospitality Applications
  • 3 new security patches for Oracle Hyperion
  • 20 new security patches for Oracle Java SE
  • 1 new security patch for Oracle JD Edwards
  • 34 new security patches for Oracle MySQL
  • 3 new security patches for Oracle PeopleSoft
  • 4 new security patches for Oracle Policy Automation
  • 12 new security patches for Oracle Retail Applications
  • 4 new security patches for Oracle Siebel CRM
  • 12 new security patches for Oracle Systems
  • 3 new security patches for Oracle Supply Chain
  • 2 new security patches for Oracle Support Tools
  • 11 new security patches for Oracle Virtualization

Among those with credits for the bug finds were Andrej Simko of Accenture with eight finds, Andrzej Dyjak of sigsegv.pl with six finds, anhdaden of Singapore’s STAR Labs with three finds and Alexander Kornbrust of Red Database Security with three finds.
