Oracle April 2020 Critical Patch Update Includes Record-Breaking 397 Security Updates
Oracle’s second Critical Patch Update of 2020 addresses 450 CVEs across a record-breaking 397 security patches, including critical vulnerabilities in Oracle Fusion Middleware products.
Background
On April 14, Oracle released its Critical Patch Update (CPU) Advisory for April 2020 as part of its quarterly release of security patches. This update contains fixes for 450 CVEs in 397 security patches across multiple Oracle products. This quarter’s update smashes the previous records of 334 patches, with January 2020 and July 2018 in a tie for the previous record.
Analysis
This quarter’s CPU includes more than 30 critically rated CVEs across a wide range of Oracle products. The following is the full list of product families with vulnerabilities addressed in this month’s release along with the number of patches released.
| Oracle Product Family | Number of Patches |
|---|---|
| Oracle E-Business Suite | 74 |
| Oracle Fusion Middleware | 51 |
| Oracle MySQL | 45 |
| Oracle Communications Applications | 39 |
| Oracle Financial Services Applications | 35 |
| Oracle Retail Applications | 27 |
| Oracle Virtualization | 19 |
| Oracle Knowledge | 16 |
| Oracle Java SE | 15 |
| Oracle PeopleSoft | 14 |
| Oracle Construction and Engineering | 12 |
| Oracle Systems | 9 |
| Oracle Database Server | 8 |
| Oracle Enterprise Manager | 7 |
| Oracle GraalVM | 5 |
| Oracle JD Edwards | 4 |
| Oracle Supply Chain | 4 |
| Oracle Hyperion | 3 |
| Oracle Health Sciences Applications | 2 |
| Oracle Support Tools | 2 |
| Oracle Utilities Applications | 2 |
| Oracle Food and Beverage Applications | 1 |
| Oracle Siebel CRM | 1 |
| Oracle Global Lifecycle Management | 1 |
| Oracle Secure Backup | 1 |
Solution
Customers are advised to apply all relevant patches provided by Oracle in this CPU. Please refer to the April 2020 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
Get more information
- Oracle Critical Patch Update Advisory - April 2020
- Oracle Advisory to CVE Map
- Oracle April 2020 CPU Risk Matrices
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Related Articles
Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
November 19, 2024Volt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has consistently targeted U.S. critical infrastructure with the intent to maintain persistent access. Tenable Research examines the tactics, techniques and procedures of this threat actor.
CVE-2024-0012, CVE-2024-9474: Zero-Day Vulnerabilities in Palo Alto PAN-OS Exploited In The Wild
November 18, 2024Palo Alto Networks confirmed two zero-day vulnerabilities were exploited as part of attacks in the wild against PAN-OS devices, with one being attributed to Operation Lunar Peek.
Microsoft’s November 2024 Patch Tuesday Addresses 87 CVEs (CVE-2024-43451, CVE-2024-49039)
November 12, 2024Microsoft addresses 87 CVEs and one advisory (ADV240001) in its November 2024 Patch Tuesday release, with four critical vulnerabilities and four zero-day vulnerabilities, including two that were exploited in the wild.
Active Directory Under Attack: Five Eyes Guidance Targets Crucial Security Gaps
November 21, 2024A landmark global report from cybersecurity agencies emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the first of our two-part series, we offer five steps you can take today to shore up your AD defenses.
Five Cyber Agencies Sound Alarm About Active Directory Attacks: Beyond the Basics
November 21, 2024A landmark global report emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the second of our two-part series, we take you beyond the basics to highlight three key areas to focus on.
Volt Typhoon: What State and Local Government Officials Need to Know
November 19, 2024Increased activity from the state-sponsored threat group Volt Typhoon raises concerns about the cybersecurity of U.S. critical infrastructure. Here’s how you can identify potential exposures and attack paths.
- Vulnerability Management