Oracle has released a giant October 2019 Critical Patch Update (CPU) containing fixes for 219 security flaws affecting 23 products, many of which stem from flaws in open source components.
The major bug in this quarterly security update, CVE-2018-14721, affects the Oracle NoSQL Database and has a CVSS v3 score of 10 out of 10.
The bug is in the jackson-databind Java library component of Oracle NoSQL Database and affects versions prior to 19.3.12. According to Oracle, the flaw is “easily exploitable” by an unauthenticated attacker over the internet.
“While the vulnerability is in Oracle NoSQL Database, attacks may significantly impact additional products,” Oracle notes. “Successful attacks of this vulnerability can result in takeover of Oracle NoSQL Database.”
While this CPU is massive, it is not Oracle's largest: in 2016 the company issued a set of patches fixing 276 security flaws affecting 80 products. As usual, Oracle recommends applying its CPU patches “without delay”, citing consistent reports of attacks on systems after CPU patches are released.
The October 2019 CPU also contains fixes for 15 more security flaws with a CVSS v3 score of 9.8 or higher, some carrying very old CVE identifiers that Oracle had previously patched in other products. In total, 18 of the flaws have a CVSS v3 score of at least 9.