April, 2018: Patch Monday: April Oracle Critical Patch Update

Welcome to this April Patch Monday bulletin. This month we have patches from Adobe, Mozilla, Apple and Google. No active attacks against the listed vulnerabilities were reported for any of the listed products this month. Adobe added a new entry to its monthly update with PhoneGap Push. Please take time to review your environment for this software, and your software review capabilities in general.

This month, start with Adobe Flash Player and ColdFusion. Both are longtime targets for exploitation and have Critical Priority 2 releases. ColdFusion often has insecure configurations associated with it, so this might be a good opportunity to review those as well. This month was also the April Critical Patch Update for Oracle, so test and apply Java patches. Follow up with Chrome updates, since a large number of vulnerabilities were identified this month. Review the environment for iTunes installations and update them. Finally, update the remaining Adobe products with releases this month: Digital Editions, InDesign, and Experience Manager.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia, which documents all of the Security Log event IDs for Windows Server OSes. Back in 2007 when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint but I also found a similar need in SQL Server and Exchange. So not only did I document the data but I also started to develop the means to extract that event data from these applications so that it’s accessible and usable to the end user. Some 8 years later and LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here’s the chart of MS patches this month.

| Identifier | Vendor/Product | Product Version Affected | Date Released by Vendor | Vulnerability Info | Vendor Severity / Our Recommendation |
|---|---|---|---|---|---|
| CVE-2018-4943 | Adobe PhoneGap Push Plugin | 1.8.0 and earlier versions | 4/10/2018 | Code Execution | Important Priority 3: Update at admin’s discretion |
| Multiple CVEs | Adobe ColdFusion | CF 2016 Update 5 and earlier; CF 11 Update 13 and earlier | 4/10/2018 | Remote Code Execution, Privilege Escalation, Information Disclosure | Critical Priority 2: Update within 30 days |
| Multiple CVEs | Adobe Digital Editions | 4.5.7 and below | 4/10/2018 | Information Disclosure | Important Priority 3: Update at admin’s discretion |
| Multiple CVEs | Adobe InDesign CC | 13.0 and below | 4/10/2018 | Remote Code Execution, Privilege Escalation | Critical Priority 3: Update at admin’s discretion |
| Multiple CVEs | Adobe Experience Manager | 6.0-6.3 | 4/10/2018 | Cross Site Scripting | Important Priority 3: Update at admin’s discretion |
| Multiple CVEs | Adobe Flash Player | 29.0.0.113 and earlier versions | 4/10/2018 | Remote Code Execution, Information Disclosure | Critical Priority 2: Update within 30 days |
| Multiple CVEs | Apple iTunes | Before 12.7.4 | 4/10/2018 | Remote Code Execution, Denial of Service, Information Disclosure | Update after testing |
| Multiple CVEs | Google Chrome | Before 66.0.3359.117 | 4/17/2018 | Denial of Service, Security Bypass, Spoofing | Update after testing |
| Multiple CVEs | Oracle Java | 6u181, 7u161, 7u171, 8u152, 8u162, 10 | 4/17/2018 | Denial of Service, Information Disclosure | Update after testing |

