TGG Advisory – Oracle January 2020 CPU

Late last week Oracle released its January Critical Patch Update (CPU) and advisory. This CPU addresses 334 vulnerabilities, which ties Oracle’s record for the most vulnerabilities patched in a single CPU. The following is a high-level summary of the Oracle Hyperion EPM (on-premise) related security vulnerabilities, and their associated severity ratings, contained in the broader Oracle January 2020 CPU:

  • Oracle Database
    • 12 new security patches
    • 3 may be remotely exploitable without authentication
  • Oracle Hyperion
    • 2 new security patches
    • 1 may be remotely exploitable without authentication
    • 1 with a CVSS of 9.8/10
  • Oracle Fusion Middleware (Includes WebLogic)
    • 38 new security patches
    • 30 may be remotely exploitable without authentication
    • 3 with a CVSS of 9.8/10
  • Oracle Java SE
    • 12 new security patches
    • All may be remotely exploitable without authentication

* For information on Oracle’s CVSS rating system, refer to Oracle’s CPU advisory (note: at a minimum, items with CVSS ratings of 9.5+ should be assessed)
* Some of the vulnerabilities listed above impact multiple products

For all critical security patches related to Oracle products and versions that a customer owns or has in current use, we advise that these be carefully assessed and applied where possible and practical, in adherence to industry leading practices in IT Change Management and Controls processes.

Common elements of industry leading practices in IT Change Management and Controls include, but are not limited to:

  • Tried and proven rollback procedures (e.g., ability to fully restore from full back-ups)
  • Broader information security impact assessment (e.g., measures outside of the platform could be taken to mitigate / contain exposure)
  • Routine monitoring and proactive assessment of high severity rated vulnerabilities from Oracle (and other related components such as Operating System, database, firewall, web browser, etc.)
  • An agreed upon cadence between IT and the application owners as to when non-urgent patching can be applied (e.g., annual or semi-annual review)
  • Post-patch regression testing procedures to test for loss of current functionality or new issues occurring (note: testing automation techniques can potentially help in this regard)

For purposes of orchestrating roll out of applicable patches, TGG suggests the following prioritization classification and suggested actions thereto:

  • Urgent: any patches that Oracle releases (whether one-off or part of its regular release cycle – Jan, Apr, Jul, Oct) that address vulnerabilities with a CVSS rating of 9.5+ that can be exploited remotely without authentication — immediate remedial action recommended.
  • High: any patches that Oracle releases that address vulnerabilities with a CVSS rating of 9.5+ that cannot be exploited remotely without authentication — if perimeter / end point security is sound, take remedial action at the next convenient maintenance window.
  • Medium to Low: all other patches that Oracle releases — the classification between medium and low is based on the likelihood of the risk materializing — take remedial action on a best-efforts basis, or maintain well documented justification where no action will be taken.
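The prioritization scheme above can be applied mechanically to the CVSS data Oracle publishes with each CPU. The following Python script is an added example, not TGG’s or Oracle’s tooling. It assumes CVSS v3.x vector strings, maps Oracle’s phrase “remotely exploitable without authentication” to Attack Vector Network plus Privileges Required None (AV:N and PR:N, an assumption), and uses a hypothetical per-entry `likelihood` judgement to split the Medium/Low bucket; the sample entries and their `CVE-XXXX-…` identifiers are constructed placeholders, not items from the January 2020 CPU.

```python
"""Triage helper for Oracle CPU entries using the Urgent / High / Medium-Low
scheme described in the advisory. Added example, not TGG's or Oracle's code.
Assumes CVSS v3.x vectors; "remotely exploitable without authentication" is
taken to mean AV:N and PR:N (assumption)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

URGENT_THRESHOLD = 9.5  # the advisory's cut-off for the Urgent/High tiers


def parse_cvss_vector(vector: str) -> Dict[str, str]:
    """Parse 'CVSS:3.1/AV:N/AC:L/PR:N/...' into {'AV': 'N', 'AC': 'L', ...}.
    Raises ValueError for anything that is not a well-formed v3.x vector."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3.x vector: {vector!r}")
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    for required in ("AV", "PR"):
        if required not in metrics:
            raise ValueError(f"vector missing {required}: {vector!r}")
    return metrics


def remote_unauthenticated(metrics: Dict[str, str]) -> bool:
    # Assumption: Oracle's "remotely exploitable without authentication"
    # corresponds to Attack Vector = Network and Privileges Required = None.
    return metrics["AV"] == "N" and metrics["PR"] == "N"


@dataclass
class CpuEntry:
    product: str
    identifier: str            # constructed placeholder ids below, not real CVEs
    base_score: float
    vector: str
    likelihood: Optional[str] = None  # hypothetical "high"/"low" judgement for the Medium/Low split


def classify(entry: CpuEntry) -> str:
    """Return the advisory's priority tier for one CPU entry."""
    metrics = parse_cvss_vector(entry.vector)
    if entry.base_score >= URGENT_THRESHOLD:
        return "Urgent" if remote_unauthenticated(metrics) else "High"
    # Everything else: Medium vs Low depends on a likelihood judgement the
    # advisory leaves to the reader; without one, report the combined bucket.
    if entry.likelihood == "high":
        return "Medium"
    if entry.likelihood == "low":
        return "Low"
    return "Medium to Low"


def triage(entries: List[CpuEntry]) -> Dict[str, List[CpuEntry]]:
    """Group entries by tier, highest priority first; empty tiers are dropped."""
    order = ["Urgent", "High", "Medium", "Medium to Low", "Low"]
    groups: Dict[str, List[CpuEntry]] = {tier: [] for tier in order}
    for entry in entries:
        groups[classify(entry)].append(entry)
    return {tier: items for tier, items in groups.items() if items}


# Constructed sample entries (placeholder identifiers, not items from the CPU).
SAMPLE = [
    CpuEntry("Oracle Hyperion", "CVE-XXXX-0001", 9.8,
             "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    CpuEntry("Oracle Database", "CVE-XXXX-0002", 9.6,
             "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"),
    CpuEntry("Oracle Java SE", "CVE-XXXX-0003", 5.3,
             "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", likelihood="high"),
    CpuEntry("Oracle Fusion Middleware", "CVE-XXXX-0004", 4.2,
             "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"),
]

if __name__ == "__main__":
    for tier, items in triage(SAMPLE).items():
        for entry in items:
            print(f"{tier:14} {entry.product:26} {entry.identifier} {entry.base_score}")
```

Run against a real CPU, the input would be the per-product risk matrix rows (base score and vector) rather than the constructed `SAMPLE` list; the parser rejects v2 vectors and vectors missing AV or PR so that a malformed row fails loudly instead of silently landing in the lowest tier.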

Please reach out to support@goalgetters.com should you have any questions.