Oracle released its April Critical Patch Update for multiple Oracle products, containing 405 patches. Oracle revealed that 286 of those vulnerabilities are remotely exploitable across nearly two dozen product lines. According to the Oracle April Critical Patch Update Pre-Release Announcement, 13 key Oracle products, including Oracle Financial Services Applications, Oracle MySQL, Oracle Retail Applications and Oracle WebLogic Server, are affected by multiple critical flaws rated 9.8 CVSS in severity.
Important note: Oracle disclosed critical remote code execution flaws in Oracle WebLogic Server (CVE-2020-2801, CVE-2020-2883, CVE-2020-2884, etc.). Most of these vulnerabilities relate to the T3 protocol and XML deserialization and are rated 9.8 CVSS in severity. In the past, TechCERT observed that Oracle T3 deserialization flaws were widely used to deliver ransomware and other malware to organizations in Sri Lanka and the South Asian region. Although no exploits are publicly available, Oracle states that there are attempts to exploit these vulnerabilities. It is only a matter of time before attackers develop exploits.
TechCERT strongly recommends running actively supported versions of Oracle products and applying the Critical Patch Update security patches without delay.
TechCERT recommends applying patches in the following manner.
Additionally, TechCERT strongly suggests that administrators go through the Oracle Critical Patch Update Advisory – April 2020.
Oracle Critical Patch Update Advisory – April 2020: https://www.oracle.com/security-alerts/cpuapr2020.html