Corporate Security Blog

July 2020 Critical Patch Update Released

Eric Maurice
Director of Security Assurance

Oracle today released the July 2020 Critical Patch Update.

This Critical Patch Update provides security updates for a wide range of product families, including: Oracle Database Server, Oracle Berkeley DB, Oracle Global Lifecycle Management, Oracle GoldenGate, Oracle TimesTen In-Memory Database, Oracle Industry Applications (Communications, Construction and Engineering, Financial Services, Health Sciences, Food & Beverage, Retail, Utilities), Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, Oracle Hyperion, Oracle JD Edwards, Oracle Enterprise Manager, Oracle Java SE, Oracle Fusion Middleware, Oracle MySQL, Oracle Systems, Oracle Virtualization and Graal VM

The July 2020 Critical Patch Update is the first Critical Patch Update release to leverage version 3.1 of the Common Vulnerability Scoring System (CVSS), which supersedes version 3.0 which has been used in Oracle’s security advisories since April 2016.  The most significant difference between CVSS versions 3.0 and 3.1 is a change in the definition of ‘Attack Complexity.’ In version 3.0, Attack Complexity considered whether a vulnerability could only be exploited against the system being attacked in a certain configuration. If so, Attack Complexity was rated ‘High.’  In CVSS version 3.1, if a specific configuration is required for an attack to succeed, the system being attacked is assumed to be in that configuration for the purposes of scoring the vulnerability.  As a result, a vulnerability with a CVSS version 3.0 score that has an Attack Complexity of High purely because a specific configuration was required for the attack to succeed will now have an Attack Complexity of Low when scored with CVSS version 3.1, thus resulting in a higher Base Score.

For more information about Oracle’s use of the Common Vulnerability Scoring System, please refer to https://www.oracle.com/security-alerts/cvssscoringsystem.html.   

For more information about this Critical Patch Update, customers should refer to the Critical Patch Update Advisory located at  https://oracle.com/security-alerts/cpujul2020.html and the executive summary published on My Oracle Support (Doc ID 2684313.1)

For more information about the Critical Patch Update program, see the security vulnerability remediation practices page located on Oracle’s corporate security practices site.