Oct 21: CSW Patch Watch & Security Updates

 

Highlights of Patch Watch Issue 5

  1. Oracle killed 402 bugs by releasing this year’s final batch of security updates.

  • 272 vulnerabilities are remotely exploitable without authentication.
  • 82 vulnerabilities have critical severity, of which two CVEs carry a CVSS v3 score of 10.
  • 65 CVEs have a CVSS v3 score between 9.4 and 9.8.
  • In the quarterly patch bundle, Oracle has released two advisories: the traditional advisory, and a new one that details patches for security gaps in third-party components that are not exploitable as implemented in Oracle products.
  2. Our findings on 664 patched vulnerabilities reveal:
  • 7 hotfixes, 417 patches, and 240 updates this week.
  • 641 vulnerabilities are yet to be weaponized.
  • 22 vulnerabilities have known exploits and are weaponized.
  • Exploited vulnerabilities are associated with Remote Code Evaluation (RCE), web app exploits, DoS/RCE, Privilege Execution, Denial of Service, and local exploits.

  3. Furthermore, we have 199 old vulnerabilities ranging from 2015 to 2019, of which 43 CVEs are rated critical and 31 are rated high severity.

Table 1: Old Vulnerabilities

  4. CISA has published alerts and security advisories for 10 CVEs, containing all the technical details and mitigations.

Table 2: CISA Alerts

  5. The following CVEs have been issued security patches and updates for the second time in the same month. Learn more about the previous updates:

Patch Watch Issue 3 CVEs

CVE-2020-5422, CVE-2020-15095, CVE-2020-25220, and CVE-2019-17638

Patch Watch Issue 4 CVEs

CVE-2020-24750, CVE-2020-8201, CVE-2020-8252, CVE-2020-1728, CVE-2019-19242, CVE-2020-11023, and CVE-2020-11022

Fixing weaponized vulnerabilities is essential, as these vulnerabilities have many known exploits and can be exploited easily.

Table 3: Weaponized Vulnerabilities

Based on a security survey, 11,121 vulnerabilities were disclosed in the first half of this year, of which Microsoft and Oracle are responsible for 818 vulnerabilities.

Table 4: Vulnerabilities Yet to Be Weaponized

 

Threat actors this year have consistently gone after old vulnerabilities to deliver ransomware and malware infections, which makes patching central to cyber hygiene.

Happy Patching!

Team CSW
