Oracle released patches for 390 security vulnerabilities in April 2021. We analyzed these weaknesses and spotlighted the important vulnerabilities that should be patched as a priority.
Oracle’s April Patches Overview
In April, Oracle patched 390 vulnerabilities, including 29 with known exploits.
RCE/PE: Oracle has fixed:
1 CVE with Remote Code Execution (RCE) capabilities
1 CVE with Privilege Escalation capabilities
12 CVEs with Cross-Site Scripting vulnerabilities
4 CVEs with Prototype Pollution vulnerabilities
Old Vulnerabilities: Oracle issued patches for 201 old vulnerabilities dating from 2016 to 2020. These security updates include the Zerologon vulnerability (CVE-2020-1472), an actively exploited Privilege Escalation vulnerability associated with the Cryptomix ransomware strain.
Four old vulnerabilities have been red-flagged by CISA (CVE-2019-0228, CVE-2020-5421, CVE-2020-8203, CVE-2020-5421), so patching them is essential. Among the 201 CVEs, 19 are rated critical and 108 are of high severity.
CISA Alerts: Eight CVEs feature in CISA alerts (CVE-2021-2207, CVE-2019-0228, CVE-2020-5421, CVE-2020-8203, CVE-2021-2200, CVE-2021-2183, CVE-2021-2206, CVE-2021-2259).
Of these, two CVEs are rated critical and two are of high severity, including one weaponized vulnerability (CVE-2020-8203).
CISA has issued a special alert for the Oracle April 2021 Critical Patch Update, urging users and administrators to apply the necessary patches.
The quarterly set of security patches addresses vulnerabilities in 32 Oracle products. The Oracle E-Business Suite risk matrix alone accounts for 70 vulnerabilities, 22 of which can be exploited remotely by unauthenticated attackers.
Table: Oracle Critical Patches April 2021
Interestingly, 99% of the weaponized vulnerabilities are older weaknesses, and failure to patch them creates a path for malicious hackers. It is therefore crucial to apply the critical patches and reduce the risk of an attack.