Tripwire Patch Priority Index for April 2020

Tripwire's April 2020 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Oracle, and VMware. Up first on the patch priority list this month is a patch for VMware vCenter Server. This patch resolves an information disclosure vulnerability. This patch has highest priority as proof-of-concept code to exploit the vulnerability exists on the Web as well as in Metasploit. Up next on the patch priority list this month are patches for Microsoft Scripting Engine. These patches resolve 6 vulnerabilities, including remote code execution and memory corruption vulnerabilities. Next on the list are patches for Oracle Java, which resolve vulnerabilities related to concurrency, scripting, serialization, JavaFX, JSSE, libraries, and lightweight HTTP server. Next on the list are patches for Microsoft Office, Excel, Word, and Visual Studio. These patches resolve 6 vulnerabilities, including remote code execution and elevation of privilege. Next this month are patches that affect components of the Windows operating systems. These patches resolve more than 60 vulnerabilities, including denial of service, elevation of privilege, information disclosure, remote code execution, and memory corruption. These vulnerabilities affect Connected User Experiences and Telemetry Service, core Windows, Codecs Library, Push Notification Service, DNS, Jet Database Engine, Adobe Font Manager Library, DirectX, GDI+, Graphics Component, Kernel, Media Foundation, and Windows Update. Next are patches for Hyper-V that resolve 2 elevation of privilege vulnerabilities along with a remote code execution vulnerability. Finally, administrators should focus on server-side patches available for Microsoft Dynamics and SharePoint. These patches resolve remote code execution, cross-site scripting, information disclosure, and spoofing vulnerabilities.

BULLETIN	CVE
VMSA-2020-0006	CVE-2020-3952
Microsoft Scripting Engine	CVE-2020-0969, CVE-2020-0970, CVE-2020-0968, CVE-2020-0966, CVE-2020-0967, CVE-2020-0895
Oracle Java	CVE-2020-2830, CVE-2020-2755, CVE-2020-2754, CVE-2020-2757, CVE-2020-2756, CVE-2019-18197, CVE-2020-2816, CVE-2020-2803, CVE-2020-2781, CVE-2020-2805, CVE-2020-2778, CVE-2020-2764, CVE-2020-2800, CVE-2020-2773, CVE-2020-2767
Microsoft Office	CVE-2020-0961, CVE-2020-0760, CVE-2020-0991
Microsoft Excel	CVE-2020-0906
Microsoft Word	CVE-2020-0980
Visual Studio	CVE-2020-0900
Microsoft Windows I	CVE-2020-0942, CVE-2020-0944, CVE-2020-1029, CVE-2020-0965, CVE-2020-0794, CVE-2020-1011, CVE-2020-1009, CVE-2020-0934, CVE-2020-1017, CVE-2020-1001, CVE-2020-1006, CVE-2020-0940, CVE-2020-1016, CVE-2020-0981, CVE-2020-1094, CVE-2020-0993, CVE-2020-0988, CVE-2020-1008, CVE-2020-0953, CVE-2020-0889, CVE-2020-0992, CVE-2020-0959, CVE-2020-0960, CVE-2020-0995, CVE-2020-0994, CVE-2020-0999, CVE-2020-0938, CVE-2020-1020, CVE-2020-0784, CVE-2020-0964, CVE-2020-0987, CVE-2020-0982
Microsoft Windows II	CVE-2020-1005, CVE-2020-0907, CVE-2020-0687, CVE-2020-0958, CVE-2020-0952, CVE-2020-1004, CVE-2020-0937, CVE-2020-0946, CVE-2020-0947, CVE-2020-0945, CVE-2020-0939, CVE-2020-0950, CVE-2020-0948, CVE-2020-0949, CVE-2020-0888, CVE-2020-0957, CVE-2020-0956, CVE-2020-0699, CVE-2020-0962, CVE-2020-1015, CVE-2020-1000, CVE-2020-1027, CVE-2020-0913, CVE-2020-1003, CVE-2020-0821, CVE-2020-1007, CVE-2020-0955, CVE-2020-0936, CVE-2020-1014, CVE-2020-0983, CVE-2020-0985, CVE-2020-0996
Windows Hyper-V	CVE-2020-0918, CVE-2020-0917, CVE-2020-0910
Microsoft Dynamics	CVE-2020-1022, CVE-2020-1050, CVE-2020-1049, CVE-2020-1018
Microsoft Office SharePoint	CVE-2020-0933, CVE-2020-0930, CVE-2020-0924, CVE-2020-0925, CVE-2020-0978, CVE-2020-0926, CVE-2020-0927, CVE-2020-0923, CVE-2020-0954, CVE-2020-0973, CVE-2020-0932, CVE-2020-0920, CVE-2020-0929, CVE-2020-0974, CVE-2020-0971, CVE-2020-0977, CVE-2020-0976, CVE-2020-0975, CVE-2020-0972, CVE-2020-0931

To learn more about Tripwire’s Vulnerability and Exposure Research Team (VERT), including its Patch Priority Index, click here. Or for PPI and more, you can follow VERT on Twitter: @tripwirevert.