Oracle Users, Brace Yourselves for a Mammoth Patching Session

273 vulnerabilities are remotely exploitable without authentication...

By CBR Staff Writer

Oracle users, brace yourselves: an eye-watering 405 new security vulnerabilities need patching, with the avalanche of software updates arriving later today (April 14, 2020).

Over half of them, or a total of 273, are potentially remotely exploitable without authentication, Oracle warned – suggesting some major patching sessions ahead.

The release is part of the company’s quarterly set of security advisories, with initial details provided by the company so customers can assess whether they are impacted.

Among them are a chunky 34 new security patches for Oracle’s suite of financial services applications, 16 of which could be abused over a network without requiring user credentials.

In a sign of how serious some of the financial services application vulnerabilities are likely to be, they include one with a CVSS score of a critical 9.8, suggesting both high impact and easy exploitability. More details are to follow from Oracle late today.

(CVSS, or the Common Vulnerability Scoring System, is an open industry standard for assessing the severity of computer system security vulnerabilities.)

Oracle Security Patches

Among the ones to look out for:

A chunky 74 new security patches for the Oracle E-Business Suite, the vast majority of which (71) are potentially remotely exploitable without authentication.

Further, two remotely exploitable bugs in Oracle Support Tools with a highly critical CVSS score of 9.8. (Oracle provides hundreds of tools to automate and/or optimise manual support processes and conduct diagnostics. Details on precisely which is affected will, again, be revealed when the patches land late April 14.)

Also standing out: 45 new security patches for Oracle’s widely deployed MySQL database; nine of which are potentially remotely exploitable without authentication.

The worst, again, has a critical CVSS score of 9.8.


  • MySQL Client, versions 5.6.47 and prior, 5.7.29 and prior, 8.0.18 and prior
  • MySQL Cluster, versions 7.3.28 and prior, 7.4.27 and prior, 7.5.17 and prior, 7.6.13 and prior, 8.0.19 and prior
  • MySQL Connectors, versions 5.1.48 and prior, 8.0.19 and prior
  • MySQL Enterprise Monitor, versions and prior, and prior
  • MySQL Server, versions 5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior
  • MySQL Workbench, versions 8.0.19 and prior

With 56 new security patches for Oracle Fusion Middleware, 49 of which are again able to be abused by a bad actor over a network without authentication, and ditto for 35 vulns in Oracle Communications Applications (spanning Services Gatekeeper, WebRTC Session Controller and more), sysadmins and IT teams look set for a busy Tuesday evening.

Computer Business Review will bring you more details when the full set of bug fixes lands. Here’s the full overview meanwhile for a quick assessment.

See also: Software Patch Management: Tips, Tricks and Stern Warnings
