Business software giant Oracle released its quarterly Critical Patch Update (CPU), which addresses over 400 vulnerabilities across various product lines; more than half of the bugs allow remote code execution without authentication.
The Critical Patch Update brings fixes for multiple high-risk flaws in Oracle Financial Services Applications, Oracle WebLogic Server, Oracle BI Publisher, Oracle WebCenter Portal, Oracle Banking Platform, Oracle Business Process Management Suite, and other product families.
Organizations are advised to apply the patches as soon as possible, considering that hackers have already started scanning the internet for Oracle WebLogic servers vulnerable to CVE-2020-14882.
NVIDIA released patches to fix a total of nine vulnerabilities in NVIDIA DGX servers designed for enterprise AI applications. One of the most severe bugs (CVE-2020-11483) is related to the presence of hardcoded credentials in the AMI BMC firmware of NVIDIA DGX servers, which could lead to elevation of privileges or information leakage. Another high-risk issue is CVE-2020-11486, which could allow a remote attacker to compromise a vulnerable system. The remaining bugs, deemed medium and low risk, could be exploited by an attacker to perform cross-site request forgery attacks or gain access to sensitive data.
The Foxit Studio Photo application contains multiple issues, half of which are high-risk flaws (CVE-2020-17419, CVE-2020-17421, CVE-2020-17423, CVE-2020-17424, CVE-2020-17425, CVE-2020-17426, CVE-2020-17430, CVE-2020-17431, CVE-2020-27857, and CVE-2020-17418). If exploited, these flaws could give a remote attacker an opportunity to compromise the vulnerable system.
The SonicWall Global VPN client contains a high-risk vulnerability (CVE-2020-5145), which allows an attacker to compromise the vulnerable system. The vulnerability exists because the application loads DLL libraries in an insecure manner. A remote attacker can place a specially crafted .dll file on a remote SMB file share, trick the victim into opening a file associated with the vulnerable application, and execute arbitrary code on the victim's system. The issue affects SonicWall Global VPN client version 4.10.4.0314 and earlier.
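One defender-side check for the insecure DLL-loading class of bug described above, added here as an example and not taken from the SonicWall advisory or the vendor's code: a PowerShell script that lists every module a running process has loaded from a network share or from a directory outside the usual system and Program Files locations. The process name parameter and the set of trusted directories are assumptions for illustration.

```powershell
# Added example: flag DLLs a process has loaded from attacker-reachable locations.
# Assumption: standard users cannot write to the $trustedRoots directories below,
# so a module loaded from anywhere else (or from a UNC path) warrants review.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName   # hypothetical parameter: name of the application under review
)

$trustedRoots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) { Write-Warning "No running process named '$ProcessName'"; return }

foreach ($p in $procs) {
    # Module enumeration can fail for protected processes or across 32/64-bit boundaries.
    try { $modules = $p.Modules } catch { Write-Warning "Cannot read modules of PID $($p.Id): $_"; continue }

    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        $finding = $null

        if ($path.StartsWith('\\')) {
            # UNC path: the DLL came straight off a network share, the pattern behind CVE-2020-5145.
            $finding = 'loaded from network share'
        } elseif (-not ($trustedRoots | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })) {
            $finding = 'loaded from non-system directory'
        }

        if ($finding) {
            [pscustomobject]@{
                Process = $p.ProcessName
                PID     = $p.Id
                Module  = $m.ModuleName
                Path    = $path
                Finding = $finding
            }
        }
    }
}
```

Run it from a PowerShell session of the same bitness as the target application while the application has a document open; any row with "loaded from network share" is the case the advisory describes.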
HPE StoreServ Management Console 3.7.0.0 is vulnerable to a remote authentication bypass (CVE-2020-7197). The issue stems from an error that occurs when processing authentication requests in HPE 3PAR StoreServ Management and Core Software Media. A remote attacker can bypass the authentication process and gain unauthorized access to the application.