Tripwire's April 2020 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Oracle, and VMware.

Up first on the patch priority list this month is a patch for VMware vCenter Server. This patch resolves an information disclosure vulnerability. It has the highest priority because proof-of-concept code to exploit the vulnerability exists on the Web as well as in Metasploit.

Up next on the patch priority list this month are patches for Microsoft Scripting Engine. These patches resolve 6 vulnerabilities, including remote code execution and memory corruption vulnerabilities.

Next on the list are patches for Oracle Java, which resolve vulnerabilities related to concurrency, scripting, serialization, JavaFX, JSSE, libraries, and the lightweight HTTP server.

Next on the list are patches for Microsoft Office, Excel, Word, and Visual Studio. These patches resolve 6 vulnerabilities, including remote code execution and elevation of privilege.

Next this month are patches that affect components of the Windows operating systems. These patches resolve more than 60 vulnerabilities, including denial of service, elevation of privilege, information disclosure, remote code execution, and memory corruption. These vulnerabilities affect Connected User Experiences and Telemetry Service, core Windows, Codecs Library, Push Notification Service, DNS, Jet Database Engine, Adobe Font Manager Library, DirectX, GDI+, Graphics Component, Kernel, Media Foundation, and Windows Update.

Next are patches for Hyper-V that resolve 2 elevation of privilege vulnerabilities along with a remote code execution vulnerability.

Finally, administrators should focus on server-side patches available for Microsoft Dynamics and SharePoint. These patches resolve remote code execution, cross-site scripting, information disclosure, and spoofing vulnerabilities.

| BULLETIN | CVE |
| --- | --- |
| VMSA-2020-0006 | CVE-2020-3952 |
| Microsoft Scripting Engine | CVE-2020-0969, CVE-2020-0970, CVE-2020-0968, CVE-2020-0966, CVE-2020-0967, CVE-2020-0895 |
| Oracle Java | CVE-2020-2830, CVE-2020-2755, CVE-2020-2754, CVE-2020-2757, CVE-2020-2756, CVE-2019-18197, CVE-2020-2816, CVE-2020-2803, CVE-2020-2781, CVE-2020-2805, CVE-2020-2778, CVE-2020-2764, CVE-2020-2800, CVE-2020-2773, CVE-2020-2767 |
| Microsoft Office | CVE-2020-0961, CVE-2020-0760, CVE-2020-0991 |
| Microsoft Excel | CVE-2020-0906 |
| Microsoft Word | CVE-2020-0980 |
| Visual Studio | CVE-2020-0900 |
| Microsoft Windows I | CVE-2020-0942, CVE-2020-0944, CVE-2020-1029, CVE-2020-0965, CVE-2020-0794, CVE-2020-1011, CVE-2020-1009, CVE-2020-0934, CVE-2020-1017, CVE-2020-1001, CVE-2020-1006, CVE-2020-0940, CVE-2020-1016, CVE-2020-0981, CVE-2020-1094, CVE-2020-0993, CVE-2020-0988, CVE-2020-1008, CVE-2020-0953, CVE-2020-0889, CVE-2020-0992, CVE-2020-0959, CVE-2020-0960, CVE-2020-0995, CVE-2020-0994, CVE-2020-0999, CVE-2020-0938, CVE-2020-1020, CVE-2020-0784, CVE-2020-0964, CVE-2020-0987, CVE-2020-0982 |
| Microsoft Windows II | CVE-2020-1005, CVE-2020-0907, CVE-2020-0687, CVE-2020-0958, CVE-2020-0952, CVE-2020-1004, CVE-2020-0937, CVE-2020-0946, CVE-2020-0947, CVE-2020-0945, CVE-2020-0939, CVE-2020-0950, CVE-2020-0948, CVE-2020-0949, CVE-2020-0888, CVE-2020-0957, CVE-2020-0956, CVE-2020-0699, CVE-2020-0962, CVE-2020-1015, CVE-2020-1000, CVE-2020-1027, CVE-2020-0913, CVE-2020-1003, CVE-2020-0821, CVE-2020-1007, CVE-2020-0955, CVE-2020-0936, CVE-2020-1014, CVE-2020-0983, CVE-2020-0985, CVE-2020-0996 |
| Windows Hyper-V | CVE-2020-0918, CVE-2020-0917, CVE-2020-0910 |
| Microsoft Dynamics | CVE-2020-1022, CVE-2020-1050, CVE-2020-1049, CVE-2020-1018 |
| Microsoft Office SharePoint | CVE-2020-0933, CVE-2020-0930, CVE-2020-0924, CVE-2020-0925, CVE-2020-0978, CVE-2020-0926, CVE-2020-0927, CVE-2020-0923, CVE-2020-0954, CVE-2020-0973, CVE-2020-0932, CVE-2020-0920, CVE-2020-0929, CVE-2020-0974, CVE-2020-0971, CVE-2020-0977, CVE-2020-0976, CVE-2020-0975, CVE-2020-0972, CVE-2020-0931 |