Oracle just released a whopping 334 security fixes in critical patch update

Oracle patches over 100 flaws that can be remotely exploited without credentials.
Written by Liam Tung, Contributing Writer

On the heels of Microsoft's first Patch Tuesday for 2020, Oracle has pushed out a dizzying 334 security patches for its first critical patch update (CPU) of the year. 

Oracle's January 2020 CPU matches its largest CPU on record, which happened in the July 2018 CPU. In total, the January 2020 CPU addresses flaws in 94 products.  

Two bugs affecting Oracle Human Resources have a severity rating of 9.9 out of 10. However, the bugs cannot be exploited remotely without authentication. 

SEE: 10 tips for new cybersecurity pros (free PDF)

An additional 31 flaws have severity rating of 9.8 affecting Oracle WebLogic Server, Oracle Communications Instant Messaging Server, Enterprise Manager Ops Center, Oracle Application Testing Suite, Hyperion Planning, and JD Edwards Enterprise One Orchestrator.

Oracle is urging all customers to apply its critical patch updates immediately because of ongoing customer reports of successful attacks on systems that had not been updated with available patches. 

There are a dozen patches for Oracle Database Server of which three can be remotely exploited without authentication. However, the highest severity rating for these set of bugs is 7.7. 

The update fixes 25 vulnerabilities in Oracle Communications Applications, including 23 that can be remotely exploited without authentication. 

The 23 patches for Oracle E-Business suite address 21 bugs that could be exploited by an attacker without requiring authentication. 

Across all products, there are 191 flaws that can be exploited remotely without authentication. 

Oracle Fusion Middleware got a big security update with patches for 38 vulnerabilities, of which 30 could be remotely exploitable without requiring user credentials. 

SEE: Oracle updates Enterprise Manager with a focus on hybrid deployments

Oracle's Java SE also got a dozen fixes in this update and all of them address bugs that can be remotely exploited without user credentials. 

Oracle's next CPU is scheduled for 14 July, followed by a final 2020 patch update on 20 October. 

Editorial standards