Oracle has rolled out a large number of security updates across its range of products. A total of 334 security issues were addressed by the updates.
The updates are spread across 93 products in the company’s portfolio. For example, there are updates for Database Server, which address 12 security issues. Three of the problems were remotely exploitable by external malicious parties, including a vulnerability in Apache Tomcat, a weakness in the database gateway, and a problem in the Core RDBMS product.
A number of serious security problems were also discovered in Oracle’s communication apps. 23 of the 25 CVE-listed bugs can be exploited remotely, without malicious parties needing any form of authentication.
Then, there is the Fusion Middleware, in which 38 bugs were discovered, 30 of which could be abused remotely. Three of these bugs received a score of 9.8 on the CVSS scale, namely CVE-2020-2555, CVE-2020-2551 and CVE-2020-2546. It is highly recommended to patch these bugs immediately.
The Solaris operating system was given 10 patches, 2 of which were remotely abusable. The Register reports that CVE-2019-9636 is in particular a problematic RCE bug; it can be found in the Sun ZFS Storage Appliance Kit.
There was also a bug called CVE-2020-2696, a privilege error in Solaris 10 Common Desktop Environment. The bug was discovered by Marco Ivaldi, security consultant at Mediaservice.net. Ivaldi described the bug as “cute straight-out-of-the-manual memory corruption”, and suggested that a number of similar bugs probably still exist.
“During my audit, many other potentially exploitable bugs have surfaced in dtsession and in the Common Desktop Environment in general,” Ivaldi said. “Therefore, regardless of patches released by vendors, you should really consider removing the setuid bit from all CDE binaries.”
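The mitigation Ivaldi suggests, as an added example that is not part of the article or of any vendor tooling: a small POSIX shell script that lists the setuid binaries under the CDE install tree and strips the bit from them, defaulting to a dry run so an administrator can review the list first. It assumes CDE lives under /usr/dt (the usual Solaris location); pass another directory as the first argument to override.

```shell
#!/bin/sh
# Added example (not from the article): find and neutralise setuid CDE binaries.
# Assumption: CDE is installed under /usr/dt; override via the first argument.
CDE_ROOT="${1:-/usr/dt}"

# list_setuid DIR: print every regular file under DIR that has the setuid bit set.
# "-perm -4000" matches files with at least the setuid bit and works on
# Solaris, GNU and BSD find alike.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# count_setuid DIR: number of setuid files under DIR (used for before/after checks).
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# strip_setuid DIR [dry|apply]: remove the setuid bit from each file found by
# list_setuid. In "dry" mode it only reports what would change.
strip_setuid() {
    dir="$1"
    mode="${2:-apply}"
    list_setuid "$dir" | while IFS= read -r f; do
        if [ "$mode" = "dry" ]; then
            echo "would strip setuid: $f"
        else
            chmod u-s "$f" && echo "stripped setuid: $f"
        fi
    done
}

# Stand-alone use: report only, unless "apply" is given as the second argument.
strip_setuid "$CDE_ROOT" "${2:-dry}"
```

Run it once without arguments to see which binaries would be affected, then with `apply` as the second argument (as root) to actually drop the bit; losing setuid on dtsession and friends will disable any functionality that relied on running as root, so test logins afterwards.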