Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Oracle Critical Patch Update For April Contains 297 Fixes

Oracle fixes nearly 300 vulnerabilities in second Critical Patch Update for 2019, including bugs in WebLogic, Java SE and several product components.

Background

On April 16, Oracle released its Critical Patch Update for April 2019 as part of its quarterly release of fixes for vulnerabilities. This update contains 297 fixes across a number of Oracle products.

Analysis

In its Critical Patch Update for April 2019, Oracle addressed several vulnerabilities (CVE-2019-2645, CVE-2019-2646, CVE-2019-2647, CVE-2019-2648, CVE-2019-2649, CVE-2019-2650) in Oracle WebLogic Server’s WLS Core Components and Web Services that were reported by security researcher Matthias Kaiser and could be exploited remotely without authentication.

This month’s release contains five security fixes for Oracle Java SE components like Windows DLL (CVE-2019-2699), 2D (CVE-2019-2697, CVE-2019-2698) as well as Oracle Java SE and Oracle Java SE Embedded libraries (CVE-2019-2602) and Remote Method Invocation (RMI) (CVE-2019-2684).

Additionally, this month’s release contains fixes for critical vulnerabilities in components including:

Once again, this quarter’s Critical Patch Update contained fixes for CVE-2016-1000031, the Apache Commons FileUpload Remote Code Execution vulnerability discovered by Tenable Research. This vulnerability was fixed across 10 different products/applications suites, including Oracle Communications Applications, Oracle Enterprise Manager Products Suite, and Oracle Fusion Middleware.

The following is a full list of products/applications with vulnerabilities addressed in the April 2019 Critical Patch Update:

  • Oracle Database Server
  • Oracle Berkeley DB
  • Oracle Commerce
  • Oracle Communications Applications
  • Oracle Construction and Engineering Suite
  • Oracle E-Business Suite
  • Oracle Enterprise Manager Products Suite
  • Oracle Financial Services Applications
  • Oracle Food and Beverage Applications
  • Oracle Fusion Middleware
  • Oracle Health Sciences Applications
  • Oracle Hospitality Applications
  • Oracle Java SE
  • Oracle JD Edwards Products
  • Oracle MySQL
  • Oracle PeopleSoft Products
  • Oracle Retail Applications
  • Oracle Siebel CRM
  • Oracle Sun Systems Products
  • Oracle Supply Chain Products
  • Oracle Support Tools
  • Oracle Utilities Applications
  • Oracle Virtualization 

Solution

Customers are advised to apply all relevant patches provided by Oracle in this Critical Patch Update. Please refer to the April 2019 advisory for full details.

Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.