Tripwire's January 2020 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Oracle, VMware and Linux.
Exploit Alert: Metasploit
Up first on the Patch Priority Index this month are vulnerabilities that have been recently added to Metasploit. Two vulnerabilities identified by CVE-2019-9213 and CVE-2018-5333 affect the Linux kernel. Also, exploits for CVE-2019-19781 that affect the Citrix Application Delivery Controller (ADC) and Gateway have been added to Metasploit.
Exploit Alert: Canvas
Next on the Patch Priority Index this month are vulnerabilities that have been recently added to Canvas. In particular, exploits for CVE-2019-5512, which affects VMware Workstation, and for CVE-2019-2725, which affects Oracle WebLogic Server, have been added to Canvas. Administrators should ensure that vulnerabilities recently added to Metasploit or Canvas are patched as soon as possible.
Other Patch Priorities
Up next are patches for Microsoft Browser. January was a slow month for the Microsoft Browser, with a single CVE for Internet Explorer that resolves a memory corruption vulnerability.

Next on the list are patches for Microsoft Excel and Office. These patches resolve two remote code execution vulnerabilities and one memory corruption vulnerability.

Up next on our Patch Priority Index are patches for Oracle Java. These patches address numerous vulnerabilities within Java at or below versions 7u241, 8u231, 11.0.5 and 13.0.1.

Next this month are fixes that affect components of the Windows operating systems. These patches resolve numerous vulnerabilities, including denial of service, elevation of privilege, information disclosure, remote code execution and security feature bypass. These vulnerabilities affect Hyper-V, cryptographic services, graphics components, Remote Desktop Client, Win32k, the Common Log File System driver, GDI+, Remote Desktop Gateway, Search Indexer and Windows Subsystem for Linux.

Next this month are patches for the Microsoft .NET Framework. These patches resolve three remote code execution vulnerabilities.

Lastly on this month's Patch Priority Index, administrators should focus on server-side patches available for Microsoft Office Online Server and Oracle Database Server. CVE-2020-0647 resolves a spoofing vulnerability in Office Online Server. Oracle has released numerous patches for the Oracle Database Server that affect versions at or below 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c.
| BULLETIN | CVE |
| --- | --- |
| Oracle Java | CVE-2020-2593, CVE-2020-2585, CVE-2020-2604, CVE-2020-2659, CVE-2020-2601, CVE-2020-2583, CVE-2020-2654, CVE-2020-2655, CVE-2020-2590, CVE-2019-13118, CVE-2019-13117, CVE-2019-16168 |
| Exploit Alert: Metasploit | CVE-2019-19781, CVE-2019-9213, CVE-2018-5333 |
| Exploit Alert: Canvas | CVE-2019-5512, CVE-2019-2725 |
| Microsoft Browser | CVE-2020-0640 |
| Microsoft Office Online Server | CVE-2020-0647 |
| Microsoft Office | CVE-2020-0650, CVE-2020-0651, CVE-2020-0652 |
| Microsoft Windows | CVE-2020-0617, CVE-2020-0620, CVE-2020-0622, CVE-2020-0607, CVE-2020-0616, CVE-2020-0641, CVE-2020-0611, CVE-2020-0637, CVE-2020-0638, CVE-2020-0624, CVE-2020-0642, CVE-2020-0608, CVE-2020-0634, CVE-2020-0639, CVE-2020-0615, CVE-2020-0601, CVE-2020-0644, CVE-2020-0635, CVE-2020-0643, CVE-2020-0612, CVE-2020-0609, CVE-2020-0610, CVE-2020-0626, CVE-2020-0625, CVE-2020-0623, CVE-2020-0629, CVE-2020-0633, CVE-2020-0628, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0614, CVE-2020-0627, CVE-2020-0613, CVE-2020-0621, CVE-2020-0636 |
| Microsoft .NET | CVE-2020-0646, CVE-2020-0605, CVE-2020-0606 |
| Oracle Database Server | CVE-2020-2512, CVE-2020-2511, CVE-2020-2510, CVE-2020-2517, CVE-2020-2516, CVE-2020-2515, CVE-2020-2527, CVE-2020-2731, CVE-2020-2518, CVE-2019-10072, CVE-2020-2568, CVE-2020-2569, CVE-2018-11784, CVE-2019-0199, CVE-2019-0221, CVE-2019-0232 |
For PPI and more from Tripwire’s Vulnerability and Exposure Research Team (VERT), you can follow VERT on Twitter: @tripwirevert.