Tripwire's October 2020 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Apple, Adobe, and Oracle.
First on the patch priority list this month is a very high priority vulnerability in Oracle WebLogic Server. The vulnerability is within the Console component of Oracle WebLogic Server, and it can be exploited without authentication and requires no user interaction. Proof-of-concept code is available and does not require significant expertise in order to exploit a vulnerable server. Supported versions of Oracle WebLogic Server that are affected include 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
Next on the list are 3 vulnerabilities that have recently been included within the Metasploit exploit framework. First is a patch for Microsoft SharePoint (CVE-2020-16952). It is a remote code execution vulnerability that exists due to a server-side include (SSI) weakness. The next are two vulnerabilities that impact Apple software. CVE-2020-9856 is a vulnerability that exists in the CVMS component of macOS Catalina 10.15.5. The second (CVE-2020-9850) is a vulnerability that exists in WebKit for various Apple products, and it is addressed in iOS 13.5 and iPadOS 13.5, tvOS 13.4.5, watchOS 6.2.5, Safari 13.1.1, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19.
Up next on the patch priority list this month are patches for Microsoft Edge (Chromium-Based). These patches resolve 24 vulnerabilities that exist due to issues such as use after free, inappropriate implementation, insufficient policy enforcement, and integer overflow
Up next is a patch for Adobe Flash Player, which resolves an arbitrary code execution vulnerability due to a NULL pointer dereference.
Next are patches for Oracle Java, which resolve 8 vulnerabilities related to Libraries, JNDI, Serialization, and Hotspot.
Next on the list are patches for Microsoft Excel, Office, Outlook, and Word, which resolve 8 vulnerabilities including remote code execution, denial of service, and security feature bypass.
Up next this month are patches that affect components of the Windows operating systems. These patches resolve more than 50 vulnerabilities, including denial of service, elevation of privilege, information disclosure, remote code execution, and memory corruption vulnerabilities. These vulnerabilities affect core Windows, Jet Database Engine, GDI, Storage Services, Codecs Library, Hyper-V, COM Server, Remote Desktop, KernelStream, Group Policy, TCP/IP, iSCSI Target Service, NAT, Error Reporting, and others.
Up next is are patches for Visual Studio and .NET that resolve information disclosure and remote code execution vulnerabilities.
Finally, administrators should focus on server-side patches for Microsoft and Oracle, which resolve issues in Oracle Database, Microsoft Dynamics, Microsoft Exchange, and Microsoft SharePoint. These patches resolve over 60 issues, including cross-site scripting, information disclosure, and remote code execution vulnerabilities.
| BULLETIN |
CVE |
| Oracle WebLogic |
CVE-2020-14882 |
| Exploit Framework - Metasploit: Microsoft Sharepoint |
CVE-2020-16952 |
| Exploit Framework - Metasploit: macOS Catalina 10.15.5 CVMS |
CVE-2020-9856 |
| Exploit Framework - Metasploit: Apple WebKit |
CVE-2020-9850 |
| ADV200002 | Chromium Security Updates for Microsoft Edge (Chromium-Based) |
CVE-2020-15999, CVE-2020-16003, CVE-2020-16002, CVE-2020-16001, CVE-2020-16000, CVE-2020-15987, CVE-2020-15985, CVE-2020-15982, CVE-2020-15981, CVE-2020-15989, CVE-2020-15988, CVE-2020-15979, CVE-2020-15972, CVE-2020-15973, CVE-2020-15971, CVE-2020-15977, CVE-2020-15974, CVE-2020-15975, CVE-2020-15990, CVE-2020-15991, CVE-2020-15992, CVE-2020-15969, CVE-2020-15968, CVE-2020-6557 |
| APSB20-58: Adobe Flash Player |
CVE-2020-9746 |
| Oracle Java |
CVE-2020-14782, CVE-2020-14781, CVE-2020-14779, CVE-2020-14797, CVE-2020-14796, CVE-2020-14798, CVE-2020-14803, CVE-2020-14792 |
| Microsoft Office |
CVE-2020-16929, CVE-2020-16932, CVE-2020-16931, CVE-2020-16930, CVE-2020-16954, CVE-2020-16949, CVE-2020-16947, CVE-2020-16933 |
| Microsoft Windows |
CVE-2020-16924,CVE-2020-16897,CVE-2020-16907,CVE-2020-16940,CVE-2020-16920,CVE-2020-16876,CVE-2020-16936,CVE-2020-16973,CVE-2020-16972,CVE-2020-16976,CVE-2020-16975,CVE-2020-16974,CVE-2020-16912,CVE-2020-16935,CVE-2020-16877,CVE-2020-16919,CVE-2020-16909,CVE-2020-16895,CVE-2020-16900,CVE-2020-1080, CVE-2020-16901,CVE-2020-16887,CVE-2020-16922,CVE-2020-0764,CVE-2020-16885,CVE-2020-16899,CVE-2020-16898,CVE-2020-16921,CVE-2020-16980,CVE-2020-16939,CVE-2020-16915,CVE-2020-16968,CVE-2020-16967,CVE-2020-1243, CVE-2020-16891,CVE-2020-16894,CVE-2020-16938,CVE-2020-16905,CVE-2020-16913,CVE-2020-1047, CVE-2020-16892,CVE-2020-16889,CVE-2020-16910,CVE-2020-16911,CVE-2020-16923,CVE-2020-1167, CVE-2020-16914,CVE-2020-16916,CVE-2020-16927,CVE-2020-16896,CVE-2020-16863,CVE-2020-16902,CVE-2020-16890,CVE-2020-17022 |
| Visual Studio |
CVE-2020-17023 |
| .NET Framework |
CVE-2020-16937 |
| Microsoft Dynamics |
CVE-2020-16956, CVE-2020-16978 |
| Microsoft Exchange Server |
CVE-2020-16969 |
| Microsoft Office SharePoint |
CVE-2020-16946, CVE-2020-16945, CVE-2020-16942, CVE-2020-16941, CVE-2020-16948, CVE-2020-16950, CVE-2020-16953, CVE-2020-16944, CVE-2020-16951 |
