Q2 2020 – Oracle JDE Critical Patch Update Advisory

Todd Thomsen | Manager – Client Success Managers

On Tuesday, July 14th, Oracle released the Oracle Critical Patch Update for July 2020. This update is part of a series of notifications that Oracle publishes approximately two weeks after the end of each calendar quarter, highlighting the vulnerabilities identified in its products and the patches that resolve them. The information below is a summary of the critical vulnerabilities from the July advisory that are relevant to GSI's clients running JD Edwards EnterpriseOne. Base scores are CVSS 3.x (maximum possible score = 10.0); "Remote Exploit without Authentication = Yes" means the issue is reachable over the network with no credentials.

JD Edwards EnterpriseOne

  • Supported Version Affected = 9.2; prior to Tools Release 9.2.4.2
    • CVE-2020-9546 – Remote Exploit without Authentication = Yes; Base Score 9.8 (maximum possible score = 10.0). Affected components, all over the HTTP protocol:
      • E1 IoT Orchestrator Security
      • EnterpriseOne Mobility Security
      • Monitoring and Diagnostics
      • Web Runtime
  • Supported Version Affected = 9.2; prior to Tools Release 9.2.3.3
    • CVE-2020-9488 – Remote Exploit without Authentication = Yes; Base Score 3.7. Affected components, both over the SMTPS protocol:
      • Installation SEC
      • Monitoring and Diagnostics

Oracle Java SE (six other vulnerabilities exist with a base score lower than 5.0)

  • Supported Version Affected = 8u251
    • CVE-2020-14664 – JavaFX (Multiple Protocols) – Remote Exploit without Authentication = Yes; Base Score 8.3
  • Supported Versions Affected = SE: 7u261, 8u251, 11.0.7, and 14.0.1; SE Embedded = 8u251
    • CVE-2020-14583 – Libraries (Multiple Protocols) – Remote Exploit without Authentication = Yes; Base Score 8.3
    • CVE-2020-14593 – 2D (Multiple Protocols) – Remote Exploit without Authentication = Yes; Base Score 7.4
    • CVE-2020-14621 – JAXP (Multiple Protocols) – Remote Exploit without Authentication = Yes; Base Score 5.3

Notes:

JDK 7 (aka 1.7) is the last Java release that is certified for WebLogic 10.3.6.0, so a 10.3.6.0 environment cannot take the Java 8 fixes above without also moving to a newer WebLogic release.

JDK 8 (aka 1.8) is the only Java release that is certified for Tools Release 9.2.4.3.

Java Lifetime Support:

Release   GA Date         Premier Support Ends   Extended Support Ends   Sustaining Support Ends
JDK 1.8   March 2014      March 2022             December 2030           Indefinite
JDK 1.7   July 2011       July 2019              July 2022               Indefinite
JDK 1.6   December 2006   December 2015          December 2018           Indefinite

Oracle WebLogic Server (several other vulnerabilities exist with a base score lower than 9.0)

  • Supported Versions Affected = 12.2.1.3.0 and 12.2.1.4.0
    • CVE-2020-9546 – Centralized Thirdparty Jars (HTTP Protocol) – Remote Exploit without Authentication = Yes; Base Score 9.8 (the same jackson-databind issue listed for JD Edwards EnterpriseOne above)
    • CVE-2020-14625 – Core (IIOP, T3) – Remote Exploit without Authentication = Yes; Base Score 9.8
    • CVE-2020-14644 – Core (IIOP, T3) – Remote Exploit without Authentication = Yes; Base Score 9.8
    • CVE-2020-14687 – Core (IIOP, T3) – Remote Exploit without Authentication = Yes; Base Score 9.8
    • CVE-2017-5645 – Centralized Thirdparty Jars (Multiple) – Remote Exploit without Authentication = Yes; Base Score 9.8
  • Supported Versions Affected = 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0
    • CVE-2018-11058 – Security Service (HTTPS Protocol) – Remote Exploit without Authentication = Yes; Base Score 9.8
    • CVE-2020-14645 – Core (IIOP, T3) – Remote Exploit without Authentication = Yes; Base Score 9.8
    • CVE-2017-5645 – Console (Multiple) – Remote Exploit without Authentication = Yes; Base
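The lists above are only useful once they are matched against what is actually installed. The script below is an added example, not GSI's or Oracle's code: it takes an inventory of JD Edwards Tools Release, Java and WebLogic versions and reports which of the July 2020 items above apply to each host. The version thresholds are copied from the advisory text; the inventory at the bottom is constructed sample data, and the rule that a Java build at or below the listed affected build is affected (while a newer build on the same major line is not) is an assumption made for the example.

```python
"""Exposure check for the July 2020 Oracle CPU items listed above.

Added example, not GSI's or Oracle's code. Thresholds come from the advisory
text; the inventory at the bottom is constructed sample data.
"""
import re

# JD Edwards EnterpriseOne 9.2: affected if the Tools Release is prior to
# the release listed in the advisory.  value = (fixed-in release, base score)
JDE_FIXED_IN = {
    "CVE-2020-9546": ((9, 2, 4, 2), 9.8),  # Orchestrator, Mobility, Monitoring, Web Runtime (HTTP)
    "CVE-2020-9488": ((9, 2, 3, 3), 3.7),  # Installation SEC, Monitoring (SMTPS)
}

# Java SE: highest affected build per major line, as listed in the advisory.
# Assumption for this example: builds at or below the listed build are
# affected, newer builds on the same line are not.
_JAVA_ALL_LINES = {7: (7, 0, 261), 8: (8, 0, 251), 11: (11, 0, 7), 14: (14, 0, 1)}
JAVA_AFFECTED = {
    "CVE-2020-14664": ({8: (8, 0, 251)}, 8.3),  # JavaFX, 8u251 only
    "CVE-2020-14583": (_JAVA_ALL_LINES, 8.3),   # Libraries
    "CVE-2020-14593": (_JAVA_ALL_LINES, 7.4),   # 2D
    "CVE-2020-14621": (_JAVA_ALL_LINES, 5.3),   # JAXP
}

# WebLogic: exact affected versions.  value = (versions, protocol, base score)
_WLS_NEW = {"12.2.1.3.0", "12.2.1.4.0"}
_WLS_ALL = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0"}
WLS_AFFECTED = {
    "CVE-2020-9546":  (_WLS_NEW, "HTTP", 9.8),       # Centralized Thirdparty Jars
    "CVE-2020-14625": (_WLS_NEW, "IIOP, T3", 9.8),   # Core
    "CVE-2020-14644": (_WLS_NEW, "IIOP, T3", 9.8),   # Core
    "CVE-2020-14687": (_WLS_NEW, "IIOP, T3", 9.8),   # Core
    "CVE-2017-5645":  (_WLS_ALL, "Multiple", 9.8),   # Thirdparty Jars (12.2.x) and Console (all)
    "CVE-2018-11058": (_WLS_ALL, "HTTPS", 9.8),      # Security Service
    "CVE-2020-14645": (_WLS_ALL, "IIOP, T3", 9.8),   # Core
}


def parse_dotted(version: str) -> tuple:
    """'9.2.4.2' -> (9, 2, 4, 2); tuples compare element-wise, which is what we want."""
    return tuple(int(p) for p in version.split("."))


def parse_java(version: str) -> tuple:
    """Normalise '8u251', '1.8.0_251', '7u261' and '11.0.7' to (major, minor, build)."""
    m = re.fullmatch(r"(\d+)u(\d+)", version)          # Oracle advisory style: 8u251
    if m:
        return (int(m.group(1)), 0, int(m.group(2)))
    m = re.fullmatch(r"1\.(\d+)\.(\d+)_(\d+)", version)  # `java -version` style: 1.8.0_251
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)    # Java 9+ style: 11.0.7
    if m:
        return tuple(int(x) for x in m.groups())
    raise ValueError(f"unrecognised Java version: {version}")


def jde_findings(tools_release: str) -> list:
    """CVEs that apply to a 9.2 Tools Release: anything prior to the fixed-in release."""
    tr = parse_dotted(tools_release)
    return [(cve, score) for cve, (fixed, score) in JDE_FIXED_IN.items() if tr < fixed]


def java_findings(version: str) -> list:
    """CVEs that apply to a Java build, using the at-or-below assumption above."""
    v = parse_java(version)
    out = []
    for cve, (lines, score) in JAVA_AFFECTED.items():
        top = lines.get(v[0])          # only compare within the same major line
        if top is not None and v <= top:
            out.append((cve, score))
    return out


def wls_findings(version: str) -> list:
    """CVEs that apply to a WebLogic version, with the protocol the advisory lists."""
    return [(cve, score, proto) for cve, (versions, proto, score) in WLS_AFFECTED.items()
            if version in versions]


def assess(host: dict) -> dict:
    """Combine the three checks for one inventory record (constructed keys: jde_tools, java, wls)."""
    return {
        "host": host["host"],
        "jde": jde_findings(host["jde_tools"]),
        "java": java_findings(host["java"]),
        "wls": wls_findings(host["wls"]),
    }


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "jde-web-01", "jde_tools": "9.2.3.3", "java": "1.8.0_251", "wls": "12.2.1.3.0"},
    {"host": "jde-web-02", "jde_tools": "9.2.4.3", "java": "1.8.0_261", "wls": "12.2.1.4.0"},
]

if __name__ == "__main__":
    for host in SAMPLE_INVENTORY:
        r = assess(host)
        print(f"{r['host']}: JDE {r['jde']} | Java {r['java']}")
        for cve, score, proto in r["wls"]:
            note = " (needs IIOP/T3 listener reachable)" if "T3" in proto else ""
            print(f"  WLS {cve} {score} via {proto}{note}")
```

The WebLogic "Core (IIOP, T3)" items are only reachable if the T3/IIOP listener is exposed to the attacker, so the report tags them separately: a host behind a proxy that forwards only HTTP(S) still needs the patch, but can be scheduled after internet-facing T3 listeners. The Java check deliberately does not infer anything about a major line the advisory does not list (for example 9 or 10), since the advisory says nothing about them.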