Skip to content ↓ | Skip to navigation ↓

Tripwire’s January 2020 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Oracle, VMware and Linux.

Exploit Alert: Metasploit

Up first on the Patch Priority Index this month are vulnerabilities that have been recently added to Metasploit. Two vulnerabilities identified by CVE-2019-9213 and CVE-2018-5333 affect the Linux kernel. Also, exploits for CVE-2019-19781 that affect the Citrix Application Delivery Controller (ADC) and Gateway have been added to Metasploit.

Exploit Alert: Canvas

Next on the Patch Priority Index this month are vulnerabilities that have been recently added to Canvas. In particular, exploits for CVE-2019-5512 that affect VMware Workstation and for CVE-2019-2725 that affect Oracle Weblogic Server have been added to Canvas. Administrators should ensure patches for vulnerabilities included recently in Metasploit or Canvas are patched as soon as possible.

Other Patch Priorities

Up next are patches for Microsoft Browser. January was a slow month for the Microsoft Browser with a single CVE for Internet Explorer that resolves a memory corruption vulnerability.

Next on the list are patches for Microsoft Excel and Office. These patches resolve two remote code execution and one memory corruption vulnerabilities.

Up next on our Patch Priority Index are patches for Oracle Java. These patches address numerous vulnerabilities within Java at or below versions 7u241, 8u231, 11.0.5 and 13.0.1

Next this month are fixes that affect components of the Windows operating systems. These patches resolve numerous vulnerabilities, including denial of service, elevation of privilege, information disclosure, remote code execution and security feature bypass. These vulnerabilities affect Hyper-V, cryptographic services, graphics components, remote desktop client, win32k, common log file system driver, GDI+, remote desktop gateway, search indexer and windows subsystem for Linux.

Next, this month are patches for the Microsoft .NET Framework. These patches resolve three remote code execution vulnerabilities.

Lastly on this month’s Patch Priority Index, administrators should focus on server-side patches available for Microsoft Office Online Server and Oracle Database Server. CVE-2020-0647 resolves a spoofing vulnerability in Office Online Server. Oracle has released numerous patches for the Oracle Database Server that affect versions at or below 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, and 19c Database.

 

BULLETIN
CVE
Oracle Java
CVE-2020-2593, CVE-2020-2585, CVE-2020-2604, CVE-2020-2659, CVE-2020-2601, CVE-2020-2583, CVE-2020-2654, CVE-2020-2655, CVE-2020-2590, CVE-2019-13118, CVE-2019-13117, CVE-2019-16168
Exploit Alert: Metasploit
CVE-2019-19781, CVE-2019-9213, CVE-2018-5333
Exploit Alert: Canvas
CVE-2019-5512, CVE-2019-2725
Microsoft Browser
CVE-2020-0640
Microsoft Office Online Server
CVE-2020-0647
Microsoft Office
CVE-2020-0650, CVE-2020-0651, CVE-2020-0652
Microsoft Windows
CVE-2020-0617, CVE-2020-0620, CVE-2020-0622, CVE-2020-0607, CVE-2020-0616, CVE-2020-0641, CVE-2020-0611, CVE-2020-0637, CVE-2020-0638, CVE-2020-0624, CVE-2020-0642, CVE-2020-0608, CVE-2020-0634, CVE-2020-0639, CVE-2020-0615, CVE-2020-0601, CVE-2020-0644, CVE-2020-0635, CVE-2020-0643, CVE-2020-0612, CVE-2020-0609, CVE-2020-0610, CVE-2020-0626, CVE-2020-0625, CVE-2020-0623, CVE-2020-0629, CVE-2020-0633, CVE-2020-0628, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0614, CVE-2020-0627, CVE-2020-0613, CVE-2020-0621, CVE-2020-0636
Microsoft .NET
CVE-2020-0646, CVE-2020-0605, CVE-2020-0606
Oracle Database Server
CVE-2020-2512, CVE-2020-2511, CVE-2020-2510, CVE-2020-2517, CVE-2020-2516, CVE-2020-2515, CVE-2020-2527, CVE-2020-2731, CVE-2020-2518, CVE-2019-10072, CVE-2020-2568, CVE-2020-2569, CVE-2018-11784, CVE-2019-0199, CVE-2019-0221, CVE-2019-0232

 

To learn more about Tripwire’s Vulnerability and Exposure Research Team (VERT), including its Patch Priority Index, click here.

Or for PPI and more, you can follow VERT on Twitter: @tripwirevert.

The Executive's Guide to the Top 20 Critical Security Controls