Tripwire's November 2020 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Adobe, and Oracle.
First on the patch priority list this month are three vulnerabilities in Oracle WebLogic Server that have recently been included within the Metasploit exploit framework. Supported versions of Oracle WebLogic Server that are affected include 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
Up next on the patch priority list this month are patches for Microsoft Scripting Engine, Browser, and Microsoft Edge (Chromium-Based). These patches resolve 12 vulnerabilities that exist due to issues such as use after free, inappropriate implementation, insufficient policy enforcement, integer overflow, and memory corruption vulnerabilities.
Next on the list are patches for Microsoft Excel, Office, and Word, which resolve 7 vulnerabilities including remote code execution and security feature bypass.
Up next are patches for Adobe Reader and Acrobat that resolve 14 issues including heap-based buffer overflow, improper access control, improper input validation, security feature bypass, signature verification and validation bypass, out-of-bounds read and write, use-after-free, and race condition vulnerabilities.
Up next this month are patches that affect components of the Windows operating systems. These patches resolve more than 50 vulnerabilities, including denial of service, elevation of privilege, information disclosure, remote code execution, and memory corruption vulnerabilities. These vulnerabilities affect core Windows, GDI, Codecs Library, Remote Desktop, Kerberos, Error Reporting, Hyper-V, Network File System, Print Spooler, Remote Access, Defender, NDIS, Common Log File System Driver, and others.
Finally, administrators should focus on server-side patches for Microsoft, which resolve issues in Microsoft Dynamics, Microsoft Exchange, and Microsoft SharePoint. These patches resolve several issues, including cross-site scripting, information disclosure, spoofing, denial of service, and remote code execution vulnerabilities.
| BULLETIN | CVE |
| Exploit Framework - Metasploit: Oracle WebLogic Server | CVE-2020-14883, CVE-2020-14882, CVE-2020-14750 |
| Microsoft Scripting Engine | CVE-2020-17048, CVE-2020-17054, CVE-2020-17053, CVE-2020-17052 |
| Microsoft Browsers | CVE-2020-17058 |
| Microsoft Edge (Chromium-Based) | CVE-2020-16011, CVE-2020-16009, CVE-2020-16008, CVE-2020-16007, CVE-2020-16006, CVE-2020-16005, CVE-2020-16004 |
| Microsoft Office | CVE-2020-17019, CVE-2020-17066, CVE-2020-17064, CVE-2020-17065, CVE-2020-17067, CVE-2020-17062, CVE-2020-17020 |
| Adobe Reader and Acrobat | CVE-2020-24435, CVE-2020-24433, CVE-2020-24432, CVE-2020-24439, CVE-2020-24429, CVE-2020-24427, CVE-2020-24431, CVE-2020-24436, CVE-2020-24426, CVE-2020-24434, CVE-2020-24428, CVE-2020-24430, CVE-2020-24437, CVE-2020-24438 |
| Microsoft Windows | CVE-2020-17049, CVE-2020-17000, CVE-2020-16997, CVE-2020-17010, CVE-2020-17013, CVE-2020-17012, CVE-2020-17024, CVE-2020-17046, CVE-2020-17007, CVE-2020-17036, CVE-2020-17040, CVE-2020-17045, CVE-2020-17030, CVE-2020-17047, CVE-2020-17056, CVE-2020-17051, CVE-2020-17011, CVE-2020-17041, CVE-2020-17001, CVE-2020-17014, CVE-2020-17042, CVE-2020-17027, CVE-2020-17044, CVE-2020-17043, CVE-2020-17055, CVE-2020-17031, CVE-2020-17028, CVE-2020-17026, CVE-2020-17025, CVE-2020-17034, CVE-2020-17033, CVE-2020-17032, CVE-2020-1599 , CVE-2020-17057, CVE-2020-17090, CVE-2020-17113, CVE-2020-17071, CVE-2020-17075, CVE-2020-17070, CVE-2020-17073, CVE-2020-17074, CVE-2020-17076, CVE-2020-17077, CVE-2020-17035, CVE-2020-17087, CVE-2020-17037, CVE-2020-16999, CVE-2020-16998, CVE-2020-17038, CVE-2020-17029, CVE-2020-17068, CVE-2020-17004, CVE-2020-17069, CVE-2020-17088 |
| Microsoft Dynamics | CVE-2020-17005, CVE-2020-17006, CVE-2020-17018, CVE-2020-17021 |
| Microsoft Exchange Server | CVE-2020-17085, CVE-2020-17083, CVE-2020-17084 |
| Microsoft Office SharePoint | CVE-2020-17017, CVE-2020-16979, CVE-2020-17061, CVE-2020-17016, CVE-2020-17015, CVE-2020-17060 |
