
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN586
_____________________________________________________________________

DATE                : 21/10/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Oracle Database Server,
                     Oracle Big Data Graph, Oracle REST Data Services,
                     Oracle TimesTen In-Memory Database,
                     Oracle Communications Applications,
                     Oracle Communications, Oracle Construction and Engineering,
                     Oracle E-Business Suite, Oracle Enterprise Manager,
                     Oracle Financial Services Applications,
                     Oracle Food and Beverage Applications,
                     Oracle Fusion Middleware, Oracle GraalVM,
                     Oracle Health Sciences Applications,
                     Oracle Hospitality Applications, Oracle Hyperion,
                     Oracle Insurance Applications, Oracle Java SE,
                     Oracle MySQL, Oracle PeopleSoft,
                     Oracle Policy Automation, Oracle Retail Applications,
                     Oracle Siebel CRM, Oracle Supply Chain,
                     Oracle Systems, Oracle Utilities Applications,
                     Oracle Virtualization.

=====================================================================
https://blogs.oracle.com/security/october-2020-critical-patch-update-released
_____________________________________________________________________

October 2020 Critical Patch Update Released
Eric Maurice
Director of Security Assurance


Oracle today released the October 2020 Critical Patch Update.  Note that
with this Critical Patch Update release, Oracle is introducing certain
changes in the format of the Advisory in order to simplify its
interpretation.

This Critical Patch Update provides security updates for a wide range of
product families, including: Oracle Database Server, Oracle Big Data
Graph, Oracle REST Data Services, Oracle TimesTen In-Memory Database,
Oracle Communications Applications, Oracle Communications, Oracle
Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise
Manager, Oracle Financial Services Applications, Oracle Food and
Beverage Applications, Oracle Fusion Middleware, Oracle GraalVM, Oracle
Health Sciences Applications, Oracle Hospitality Applications, Oracle
Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle MySQL,
Oracle PeopleSoft, Oracle Policy Automation, Oracle Retail Applications,
Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities
Applications, Oracle Virtualization.

Introduced in January 2005 after extensive consultation with Oracle
customers, the Critical Patch Update (CPU) program is the primary
mechanism for the backport of security bug fixes for most Oracle
products.  The CPU program was designed to provide a predictable
schedule for customers to perform security maintenance activities.

Oracle products frequently include third-party components, typically
open source libraries.  Oracle has found that many vulnerabilities in
third-party components are not exploitable in the context of the Oracle
product distributions that contain them.  CPU releases include updates
for third-party components even when the updates contain no fixes for
security problems that affect Oracle products.  Including these updates
for third-party components can silence scanning tools that assess the
security of a system purely by looking for older versions of third-party
components.

Until now, CPU advisories distinguished vulnerabilities for
non-exploitable issues in third-party components from other
vulnerabilities solely by reporting a CVSS Base Score of 0.0 for these
non-exploitable issues.  There were downsides with this approach: not
only was the total number of vulnerabilities in the advisories inflated
because it included non-exploitable issues (adding to the complexity of
the CPU Advisory), but the advisories’ risk matrices also ended up
containing information that did not clearly help customers make patch
prioritization decisions.

With the October 2020 Critical Patch Update, Oracle is changing the
format of the advisory to make it easier for customers to accurately
determine which vulnerabilities are not exploitable in the context of
any given Oracle product distribution.  Oracle’s goal is to simplify the
interpretation of the advisory and enable customers to clearly identify
issues that are potentially exploitable. Patching activities can then be
accurately prioritized according to the potential severity of the issues
addressed in each CPU release and their potential exploitability in
customers’ environments. Starting with the October 2020 Critical Patch
Update, non-exploitable vulnerabilities in each product family will be
identified separately under each risk matrix, and the total
vulnerability counts will no longer include non-exploitable
vulnerabilities in third-party components.

Note that each CPU release will continue to include updates for known
issues in third-party components even though the vulnerabilities
addressed in the updates may not be exploitable in the context of the
Oracle product distributions that include the affected component.
Oracle will continue to disclose the CVE identifiers for these issues so
that customers can accurately determine that they have been addressed
(for example to address possible findings as a result of a security
audit or security scan).  This change will not affect Oracle’s reporting
practices with regard to the publication of CVE Identifiers and CVSS
Base Scores.

Oracle will publish the Advisory for the October 2020 Critical Patch
Update in two different formats: the traditional format (following the
existing template of the CPU Advisory) and the updated format (which
will separately list the third-party issues that have been found to be
not exploitable in an Oracle product distribution).  The advisories for
future Critical Patch Update releases will use the updated format.



For more information:

The October 2020 Critical Patch Update: Executive Summary and Analysis
(Doc ID 2712240.1) provides a summary of the content of this Critical
Patch Update release as well as more information about the change in the
format of the CPU Advisory.


The October 2020 Critical Patch Update advisories are located at:

-  Traditional format:
   https://www.oracle.com/security-alerts/cpuoct2020traditional.html

-  Updated format:
   https://www.oracle.com/security-alerts/cpuoct2020.html

Oracle has published a page “Announcements of Third-Party Component
Updates” at
https://www.oracle.com/security-alerts/thirdpartycomponents.html

For more information about the Critical Patch Update program, see the
security vulnerability remediation practices page located on Oracle’s
corporate security practices site.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


