Oracle releases Security/Critical Patch Updates every quarter in January, April, July, and October for the full range of its offerings including Database, E-Business Suite, Fusion Middleware, and Java.
The product patches are typically cumulative in that the latest version of the CPU patch for each product contains all fixes released in previous patches as well as any new changes.
Any new security issue is giving a risk rating based on Oracle’s Common Vulnerability Scoring System (CVSS), with a range from 0 to 10. This rating is based on factors such as how easy the security flaw can be exploited and the impact that it would have on the system.
The latest security update (CPUApr2020) includes fixes for 399 new security problems since CPUJan2020, several which have a CVSS rating of 9.0 or higher including:
- CVE-2020-2961 for Enterprise Manager Base Platform (CVSS rating 9.8)
- CVE-2020-2950 and CVE-2016-1000031 for Oracle Business Intelligence Enterprise Edition (CVSS rating 9.8)
- CVE-2019-17571, CVE-2019-16943, CVE-2020-2801, CVE-2020-2883 and CVE-2020-2884 for Weblogic Server (CVSS rating 9.8)
It is best practice and Oracle strongly recommends that every Critical Patch Update is applied as soon as possible but this is particularly relevant when a product has a new security patch fix with high CVSS ratings