Oracle Critical Patch Update Advisory - April 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:

• Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 397 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2020 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Application Performance Management, versions 12.1.0.5, 13.2.0.0, 13.3.0.0	Enterprise Manager
Application Service Level Management, versions 13.2.0.0, 13.3.0.0	Enterprise Manager
Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.0.0, 13.3.0.0	Enterprise Manager
Hyperion Financial Management, version 11.1.2.4	Fusion Middleware
Hyperion Financial Reporting, version 11.1.2.4	Fusion Middleware
Identity Manager Connector, version 9.0	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1-17.3	Oracle Construction and Engineering Suite
Java Advanced Management Console, version 2.16	Java SE
JD Edwards EnterpriseOne Tools, version 9.2	JD Edwards
JD Edwards World Security, versions A9.3, A9.3.1, A9.4	JD Edwards
MICROS Relate CRM Software, version 11.4	Retail Applications
MySQL Client, versions 5.6.47 and prior, 5.7.29 and prior, 8.0.18 and prior	MySQL
MySQL Cluster, versions 7.3.28 and prior, 7.4.27 and prior, 7.5.17 and prior, 7.6.13 and prior, 8.0.19 and prior	MySQL
MySQL Connectors, versions 5.1.48 and prior, 8.0.19 and prior	MySQL
MySQL Enterprise Monitor, versions 4.0.11.5331 and prior, 8.0.18.1217 and prior	MySQL
MySQL Server, versions 5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior	MySQL
MySQL Workbench, versions 8.0.19 and prior	MySQL
Oracle Access Manager, versions 11.1.2.3.0, 12.2.1.3.0	Fusion Middleware
Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6	Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0	Fusion Middleware
Oracle Application Express, versions prior to 19.2	Database
Oracle Application Testing Suite, versions 13.2.0.1, 13.3.0.1	Enterprise Manager
Oracle Banking Enterprise Collections, versions 2.7.0, 2.8.0	Oracle Banking Platform
Oracle Banking Enterprise Originations, versions 2.7.0, 2.8.0	Oracle Banking Platform
Oracle Banking Enterprise Product Manufacturing, versions 2.7.0, 2.8.0	Oracle Banking Platform
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.9.0	Oracle Banking Platform
Oracle Big Data Discovery, version 1.6	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Process Management Suite, version 12.2.1.4.0	Fusion Middleware
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Communications ASAP Cartridges, versions 7.2, 7.3	Oracle Communications ASAP Cartridges
Oracle Communications Calendar Server, versions 8.0.0.2.0, 8.0.0.3.0	Oracle Communications Calendar Server
Oracle Communications Converged Application Server - Service Controller, version 6.1	Oracle Communications Converged Application Server - Service Controller
Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0, 8.1.0, 8.2.0, 8.2.1	Oracle Communications Diameter Signaling Router
Oracle Communications Element Manager, versions 8.0.0, 8.1.0, 8.1.1, 8.2.0	Oracle Communications Element Manager
Oracle Communications Evolved Communications Application Server, version 7.1	Oracle Communications Evolved Communications Application Server
Oracle Communications Messaging Server, versions 8.0.2, 8.1.0	Oracle Communications Messaging Server
Oracle Communications Operations Monitor, versions 3.4.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0	Oracle Communications Operations Monitor
Oracle Communications Service Broker, versions 6.0, 6.1	Oracle Communications Service Broker
Oracle Communications Services Gatekeeper, versions 6.0, 6.1	Oracle Communications Services Gatekeeper
Oracle Communications Session Report Manager, versions 8.0.0, 8.1.0, 8.1.1, 8.2.0	Oracle Communications Session Report Manager
Oracle Communications Session Route Manager, versions 8.0.0, 8.1.0, 8.1.1, 8.2.0	Oracle Communications Session Route Manager
Oracle Communications Unified Inventory Management, versions 7.3.0, 7.4.0	Oracle Communications Unified Inventory Management
Oracle Communications WebRTC Session Controller, version 7.2	Oracle Communications WebRTC Session Controller
Oracle Configurator, versions 12.1, 12.2	Oracle Supply Chain Products
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9	E-Business Suite
Oracle Endeca Information Discovery Integrator, version 3.2.0	Fusion Middleware
Oracle Endeca Server, version 7.7.0	Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.0.9	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Asset Liability Management, versions 8.0.6, 8.0.7	Oracle Financial Services Asset Liability Management
Oracle Financial Services Balance Sheet Planning, version 8.0.8	Oracle Financial Services Balance Sheet Planning
Oracle Financial Services Data Foundation, versions 8.0.6-8.0.9	Oracle Financial Services Data Foundation
Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management, versions 8.0.7, 8.0.8	Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management
Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7	Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.6-8.0.8	Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Liquidity Risk Management, version 8.0.6	Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7, 8.0.8	Oracle Financial Services Liquidity Risk Measurement and Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8	Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8	Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Price Creation and Discovery, version 8.0.7	Oracle Financial Services Price Creation And Discovery
Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7	Oracle Financial Services Profitability Management
Oracle Financial Services Revenue Management and Billing Analytics, versions 2.6, 2.7, 2.8	Oracle Financial Services Revenue Management and Billing Analytics
Oracle FLEXCUBE Core Banking, version 4.0	Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, versions 12.0, 12.1	Oracle Financial Services Applications
Oracle Fusion Middleware MapViewer, version 12.2.1.3.0	Fusion Middleware
Oracle Global Lifecycle Management NextGen OUI Framework, versions 12.2.1.3.0, 12.2.1.4.0, 13.9.4.2.2	Fusion Middleware
Oracle Global Lifecycle Management OPatch, versions prior to 11.2.0.3.23, prior to 12.2.0.1.19, prior to 13.9.4.2.1	Global Lifecycle Management
Oracle GraalVM Enterprise Edition, versions 19.3.1, 20.0.0	Oracle GraalVM Enterprise Edition
Oracle Health Sciences Information Manager, version 3.0	Health Sciences
Oracle Healthcare Data Repository, version 7.0	Health Sciences
Oracle Hospitality Reporting and Analytics, version 9.1.0	Oracle Hospitality Reporting and Analytics
Oracle HTTP Server, version 11.1.1.9.0	Fusion Middleware
Oracle In-Memory Performance-Driven Planning, versions 12.1, 12.2	Oracle Supply Chain Products
Oracle Insurance Accounting Analyzer, versions 8.0.6-8.0.9	Oracle Insurance Accounting Analyzer
Oracle Java SE, versions 7u251, 8u241, 11.0.6, 14	Java SE
Oracle Java SE Embedded, version 8u241	Java SE
Oracle Knowledge, versions 8.6.0-8.6.3	Oracle Knowledge
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Outside In Technology, versions 8.5.4, 8.5.5	Fusion Middleware
Oracle Real User Experience Insight, versions 13.1.2.1, 13.2.3.1, 13.3.1.0	Enterprise Manager
Oracle Retail Advanced Inventory Planning, versions 14.0, 15.0, 16.0	Retail Applications
Oracle Retail Back Office, version 14.1	Retail Applications
Oracle Retail Central Office, version 14.1	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, version 18.0	Retail Applications
Oracle Retail Merchandising System, version 16.0	Retail Applications
Oracle Retail Order Broker, versions 15.0, 16.0, 18.0, 19.0	Retail Applications
Oracle Retail Point-of-Service, version 14.1	Retail Applications
Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3	Retail Applications
Oracle Retail Returns Management, version 14.1	Retail Applications
Oracle Retail Store Inventory Management, version 16.0	Retail Applications
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 18.0, 18.0.1	Retail Applications
Oracle SD-WAN Edge, versions 7.3, 8.0, 8.1, 8.2	Oracle SD-WAN Edge
Oracle Secure Backup, versions prior to 18.1	Oracle Secure Backup
Oracle SOA Suite, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Solaris, versions 10, 11	Systems
Oracle Transportation Management, versions 6.3.7, 6.4.2, 6.4.3	Oracle Supply Chain Products
Oracle Unified Directory, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Utilities Framework, versions 2.2.0, 4.2.0.2, 4.2.0.3, 4.3.0.2-4.3.0.6, 4.4.0.0, 4.4.0.2	Oracle Utilities Applications
Oracle Utilities Network Management System, versions 1.12.0.3, 2.3.0.1, 2.3.0.2, 2.4.0.0	Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.2.40, prior to 6.0.20, prior to 6.1.6	Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
OSS Support Tools, versions 20.0, 20.1	Support Tools
PeopleSoft Enterprise CS Campus Community, version 9.2	PeopleSoft
PeopleSoft Enterprise HCM Absence Management, version 9.2	PeopleSoft
PeopleSoft Enterprise HRMS, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58	PeopleSoft
PeopleSoft Enterprise SCM Purchasing, version 9.2	PeopleSoft
Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.6, 18.8.0-18.8.8, 19.12.0	Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 16.2.0.0-16.2.19.3, 17.12.0.0-17.12.17.0, 18.8.0.0-18.8.18.0, 19.12.1.0-19.12.3.0, 20.1.0.0-20.2.0.0	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12	Oracle Construction and Engineering Suite
Siebel Applications, versions 20.2 and prior	Siebel
StorageTek Tape Analytics SW Tool, version 2.3.0	Systems
Sun ZFS Storage Appliance Kit, version 8.8	Systems

Note:

• Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
• Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
• Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

• 21superman: CVE-2020-2828
• Abdullah H. AlJaber: CVE-2020-2753
• Abdulrahman Nour of Redforce: CVE-2020-2865
• Add of STAR Labs working with Trend Micro's Zero Day Initiative: CVE-2020-2894
• Alexander Kornbrust of Red Database Security: CVE-2020-2737, CVE-2020-2946
• Alves Christopher: CVE-2020-2752
• Andrej Simko of Accenture: CVE-2020-2794, CVE-2020-2796, CVE-2020-2810
• Andrew Hess: CVE-2020-2910
• anhdaden of STAR Labs working with Trend Micro's Zero Day Initiative: CVE-2020-2748, CVE-2020-2902, CVE-2020-2911
• Anil Aravind: CVE-2020-2864
• Bao Zhen: CVE-2020-2926
• Barakat Soror: CVE-2020-2913, CVE-2020-2914
• Barakat Soror working with Trend Micro Zero Day Initiative: CVE-2020-2907, CVE-2020-2958
• Bengt Jonsson of Uppsala University: CVE-2020-2767
• Bui Duong from Viettel Cyber Security: CVE-2020-2883, CVE-2020-2884
• Bui Quang: CVE-2020-2933
• Calvin Fong (Lord_Idiot) of STAR Labs working with Trend Micro Zero Day Initiative: CVE-2020-2748, CVE-2020-2758
• Christian Freudigmann of Daimler TSS: CVE-2020-2738
• Damian Bury: CVE-2020-2769, CVE-2020-2777
• Dan Amodio of Contrast Security: CVE-2020-2800
• Daniel Martinez Adan (aDoN90): CVE-2020-2738
• elasticheart from ICC working with Trend Micro Zero Day Initiative: CVE-2020-2741
• Esteban Montes Morales of Accenture: CVE-2020-2813
• Fangrun Li of Cloud Security Team at Qihoo 360: CVE-2020-2798, CVE-2020-2801, CVE-2020-2963
• Fatih Çelik: CVE-2020-2909
• Florian Ohlms of Daimler TSS: CVE-2020-2738
• GreenDog working with Trend Micro Zero Day Initiative: CVE-2020-2950
• JanatiIdrissi Zouhair: CVE-2020-2752
• Jang of VNPT ISC: CVE-2020-2883, CVE-2020-2884
• John Simpson of Trend Micro's Zero Day Initiative: CVE-2020-2882, CVE-2020-2956
• Julien Ahrens of RCE Security: CVE-2020-2870, CVE-2020-2871, CVE-2020-2872, CVE-2020-2873, CVE-2020-2874, CVE-2020-2876, CVE-2020-2877, CVE-2020-2878, CVE-2020-2879, CVE-2020-2880, CVE-2020-2881
• Juraj Somorovsky of Ruhr-University Bochum: CVE-2020-2767
• Kaki King: CVE-2020-2883
• Kasper Leigh Haabb, Secunia Research at Flexera: CVE-2020-2783, CVE-2020-2784, CVE-2020-2785, CVE-2020-2786, CVE-2020-2787
• Khaled Sakr: CVE-2019-2899
• khuyenn of Viettel Cyber Security: CVE-2020-2820, CVE-2020-2823, CVE-2020-2824, CVE-2020-2825, CVE-2020-2826, CVE-2020-2827, CVE-2020-2831, CVE-2020-2832, CVE-2020-2834, CVE-2020-2835, CVE-2020-2836, CVE-2020-2838, CVE-2020-2839, CVE-2020-2840, CVE-2020-2841, CVE-2020-2842, CVE-2020-2844, CVE-2020-2845, CVE-2020-2846, CVE-2020-2847, CVE-2020-2848, CVE-2020-2849, CVE-2020-2850, CVE-2020-2852, CVE-2020-2854, CVE-2020-2855, CVE-2020-2856, CVE-2020-2857, CVE-2020-2871
• Kostis Sagonas of Uppsala University: CVE-2020-2767
• Longofo of Knownsec 404 Team: CVE-2020-2798, CVE-2020-2949, CVE-2020-2963
• lufei from 0vul Team of Butian at Qi'anxin Group: CVE-2020-2869, CVE-2020-2883
• Maoxin Lin of Dbappsecurity Team: CVE-2020-2869
• Marc Durdin: CVE-2020-2930
• Marco Ivaldi of Media Service: CVE-2020-2771, CVE-2020-2851, CVE-2020-2944
• Marek Cybul: CVE-2020-2766
• Martin Doyhenard of Onapsis: CVE-2020-2750
• Matei "Mal" Badanoiu: CVE-2020-2869, CVE-2020-2875
• Mauro Leggieri of TRAPMINE Inc.: CVE-2020-2895
• Michal Bogdanowicz of STM Solutions: CVE-2020-2811
• Minle Chen of PingAn Galaxy Lab: CVE-2020-2798
• Nils Emmerich of ERNW : CVE-2020-2803, CVE-2020-2805
• Owais Zaman of Sabic: CVE-2020-2594, CVE-2020-2706
• Paul Fiterau Brostean of Uppsala University: CVE-2020-2767
• Pavel Cheremushkin: CVE-2020-2929, CVE-2020-2951
• Peter Dettman of cryptoworkshop.com: CVE-2020-2778
• Philippe Antoine (Telecom Nancy): CVE-2020-2752
• Piotr Domirski: CVE-2020-2745
• Quynh Le of VNPT ISC: CVE-2020-2798
• Quynh Le of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-2883
• r00t4dm from A-TEAM of Legendsec at Qi'anxin Group: CVE-2020-2798, CVE-2020-2829, CVE-2020-2963
• Reno Robert working with Trend Micro Zero Day Initiative: CVE-2020-2742, CVE-2020-2743, CVE-2020-2908
• Robert Merget of Ruhr-University Bochum: CVE-2020-2767
• Roger Meyer: CVE-2020-2514
• RunOu of Bangcle Security: CVE-2020-2798
• Rémi Badonnel (Telecom Nancy): CVE-2020-2752
• Samrat Das of Emirates NBD: CVE-2020-2772
• Sebastian Fuchs of NTT Security: CVE-2020-2744
• Sebastian Wlodarczyk of Optima Partners: CVE-2020-2747
• Simone Bordet of Webtide: CVE-2020-2781
• Tarun Sehgal of eSec Forte Technologies: CVE-2020-2782
• Tomasz Wisniewski: CVE-2020-2793
• Tuan Anh Nguyen of Viettel Cyber Security: CVE-2020-2789, CVE-2020-2807, CVE-2020-2808, CVE-2020-2809, CVE-2020-2815, CVE-2020-2817, CVE-2020-2818, CVE-2020-2819, CVE-2020-2820, CVE-2020-2821, CVE-2020-2822, CVE-2020-2823, CVE-2020-2824, CVE-2020-2825, CVE-2020-2826, CVE-2020-2827, CVE-2020-2831, CVE-2020-2832, CVE-2020-2833, CVE-2020-2834, CVE-2020-2835, CVE-2020-2836, CVE-2020-2837, CVE-2020-2838, CVE-2020-2839, CVE-2020-2840, CVE-2020-2841, CVE-2020-2842, CVE-2020-2843, CVE-2020-2844, CVE-2020-2845, CVE-2020-2846, CVE-2020-2847, CVE-2020-2848, CVE-2020-2849, CVE-2020-2850, CVE-2020-2852, CVE-2020-2854, CVE-2020-2855, CVE-2020-2856, CVE-2020-2857, CVE-2020-2858, CVE-2020-2860, CVE-2020-2861, CVE-2020-2863, CVE-2020-2871
• Vaibhav Shukla: CVE-2020-2955
• Venustech ADLab: CVE-2020-2798, CVE-2020-2801
• Victor Rodriguez: CVE-2020-2739
• Vishnu Dev TJ working with Trend Micro's Zero Day Initiative: CVE-2020-2929
• Xingwei Lin of Ant-financial Light-Year Security Lab: CVE-2020-2905
• Xinlei Ying of Ant-financial Light-Year Security Lab: CVE-2020-2905
• Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2020-2869, CVE-2020-2934
• ZeddYu Lu: CVE-2020-2867
• Zhan Julien: CVE-2020-2752
• Ziming Zhang from Codesafe Team of Legendsec at Qi'anxin Group: CVE-2020-2959
• Zohaib Tasneem of Sabic: CVE-2020-2594, CVE-2020-2706

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program.:

• Abdullah H. AlJaber
• Andrej Simko of Accenture working with iDefense Labs
• ICHIHARA Ryohei of DMM.com LLC
• Jayson Grace of Sandia National Laboratories
• KeChen Lin of Ping An Bank Security Team
• Markus Loewe
• Mathieu Deous of Datadoghq
• Mehdi Benkaddour
• MengLiang Ji of CICITLab
• Michael Miller of Integrigy
• Raju Mogulapalli of Rheem Manufacturing
• tint0 of Viettel Cyber Security working with iDefense Labs
• Tuan Anh Nguyen of Viettel Cyber Security

link https://www.oracle.com/security-alerts/cpuapr2020.html