The October Oracle patch collection is out

Oracle's October 2019 Critical Patch Update is out, with administrators being urged to apply the security fixes as soon as poossible, due to the threat posed by a successful attack.

A total of 219 new bugs indexed in the Common Vulnerabilities and Exposures (CVE) data base are being fixed across a large number of Oracle products in the October CPU.

Many of the vulnerabilties that are being fixed are remotely exploitable with ease, Oracle warned.

The winner this quarter with a perfect base common vulnerabilties scoring system version 3.0 rating of 10.0 is CVE-2018-14721 for the FasterXML jackson-databind component in the Oracle NoSQL Database.

From July 2018, this flaw could allow remote attackers to conduct server-side request forgeries, by leveraging a failure to block the axis2-jaxws Simple Object Access Protocol web services engine from polymorphic deserialisation or type handling.

It ticks all the boxes, including being remotely exploitable without authentication over a network, low attack complexity, and no user interaction or elevated privileges required.

Oracle said the vulnerability is "easily exploitable" and a successful attack can result in the takeover of its NoSQL Database.

Supported Oracle NoSQL Database prior to version 19.3.12 are affected by CVE-2018-14721 which was fixed in August last year in the FasterXML jackson-databind component.

Multiple versions of Oracle's Banking Platform, and Financial Services Analytical Applications Infrastructure are also affected by the FasterXML jackson-databind vulnerability, with a CVSS 3.0 rating of 9.8, being remotely exploitable without any user authentication required.

An older bug, CVE-2017-6056 affecting the Apache Tomcat server in Oracle's Instantis EnterpriseTrack construction and engineering software rates 9.8 on the CVSS 3.0 scale, along with the CVE-2019-14379 bug in Primavera Gateway and Primavera Unifier.

The CVE-2016-4000 bug was published in June 2017, and allows attackers to remotely execute arbitrary code via a specially crafted serialised PyFynction object via the Jython command line.

Ten remotely exploitable, no authentication needed, vulnerabilties in Oracle's e-business range of products are being fixed in the October CPU.

On the hardware side, the cURL data fetching component in the XCP firmware for Fujitsu M10 and M12 SPARC servers gets the CVE-2018-1000007 remotely exploitable vulnerability fixed, along with glibc, NTP, NetSNMP, OpenSSL, OpenSSH, USB driver and and NSS flaws of varying severity.

Some 63 security researchers and firms made Oracle's bug hunting acknowledgement list for October 2019.