Oracle has released the second quarterly edition of Critical Patch Update, which contains a group of patches for 433 security vulnerabilities. Some of the vulnerabilities addressed this month impact various products. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products. 

During Q2 2023 Oracle Critical Patch Update, the Oracle Communications product suite recorded the highest number of patches at 77, constituting 17% of the total patches released. The Oracle Financial Services Applications and Oracle Fusion Middleware product lines followed, with 76 and 49 patches, respectively. Also, Oracle MySQL receives 34 new security updates. 

341 of the 433, i.e.,79% of security patches, are for non-Oracle CVEs, which are security fixes for issues in third-party products such as open-source components included and exploitable in the context of their Oracle product distributions. 

In this security updates, Oracle has covered product families, including Oracle Database Server, Oracle Blockchain Platform, Oracle Essbase, Oracle GoldenGate, Oracle Graph Server and Client, Oracle NoSQL Database, Oracle REST Data Services, Oracle SQL Developer, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle iLearning, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.

Qualys QID Coverage 

Qualys has released 8 QIDs mentioned in the table below: 

QIDs	Title
87542	Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2023)
296097	Oracle Solaris 11.4 Support Repository Update (SRU) 55.138.3 Missing (CPUAPR2023)
296096	Oracle Solaris 11.4 Support Repository Update (SRU) 56.138.2 Missing (CPUAPR2023)
296095	Oracle Solaris 11.4 Support Repository Update (SRU) 54.138.1 Missing (CPUAPR2023)
296094	Oracle Solaris 11.3 Support Repository Update (SRU) 36.31.0 Missing (CPUAPR2023)
378425	Oracle Java Standard Edition (SE) Critical Patch Update – April 2023 (CPUAPR2023)
20343	Oracle Database 19c Critical OJVM Patch Update – April 2023
20342	Oracle Database 21c Critical Patch Update – April 2023

Note: The table will be updated with the additional QIDs once released. 

Notable Oracle Vulnerabilities Patched 

Oracle Communications 

The Critical Patch Update for Oracle Communications contains 77 new security patches for Oracle Communications. Out of which 65 vulnerabilities may be remotely exploitable without authentication.  

The CVE-2022-43401 and CVE-2022-43402 are the vulnerabilities in Oracle Communications Cloud Native Core Automated Test Suite of Oracle Communications that has the highest CVSS v3.1 Base Score of 9.9 in this group.  

These are sandbox bypass vulnerabilities that affect several Jenkins plugins. An authenticated attacker may execute arbitrary code within the Jenkins JVM controller by exploiting the vulnerabilities.  

Oracle Financial Services Applications 

This Critical Patch Update for Oracle Financial Services Applications contains 76 security patches. 59 of these vulnerabilities may be remotely exploitable without authentication. 

CVE-2022-22978 and CVE-2022-46364 have the highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Financial Services Applications, 9.8.  

CVE-2022-22978 can be exploited by easy misconfiguration to bypass some servlet containers. 

CVE-2022-46364 exists in Apache CXF, which may allow an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type. 

Oracle Fusion Middleware 

The Critical Patch Update for Oracle Fusion Middleware contains 49 new security patches. 44 of these vulnerabilities may be remotely exploitable without authentication.  

CVE-2022-45047, CVE-2022-22965, CVE-2022-37434, CVE-2022-22965, CVE-2022-33980, and CVE-2022-29599 have the highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Fusion Middleware is 9.8. 

The Oracle Fusion Middleware products and versions affected by vulnerabilities are: 

• Oracle SOA Suite, version 12.2.1.4.0 
• Oracle JDeveloper, version 12.2.1.4.0 
• Oracle HTTP Server, version 12.2.1.4.0  
• Oracle Data Integrator, version 12.2.1.4.0 
• Oracle Access Manager, version 12.2.1.4.0 
• Oracle Identity Manager, version 12.2.1.4.0 
• Oracle Outside In Technology, version 8.5.6 
• Oracle WebCenter Portal, version 12.2.1.4.0 
• Oracle Managed File Transfer, version 12.2.1.4.0 
• Oracle Coherence, version 12.2.1.4.0 and 14.1.1.0.0 
• Oracle Business Process Management Suite, version 12.2.1.4.0 
• Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0 
• Oracle WebLogic Server, version 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 

Oracle MySQL 

The Critical Patch Update contains 34 new security patches for Oracle MySQL. 11 vulnerabilities may be remotely exploitable without authentication. CVE-2022-37434 has the highest CVSSv3.1 Base Score of 9.8. 

The Oracle MySQL products and versions affected by vulnerabilities are: 

• MySQL Cluster, version 8.0.32 and prior 
• MySQL Connectors, version 8.0.32 and prior 
• MySQL Enterprise Monitor, version 8.0.32 and prior 
• MySQL Server, version 5.7.41 and prior, 8.0.32 and prior 

Oracle Communications Applications 

The Critical Patch Update for Oracle Communications Applications contains 18 new security patches, and 13 of these vulnerabilities may be remotely exploitable without authentication. 

CVE-2020-35168, CVE-2022-1471, and CVE-2022-36760 are the vulnerabilities with the CVSS v3.1 Base Score of 9.8. 

The Oracle Communications Applications products and versions affected by vulnerabilities are: 

• Oracle Communications IP Service Activator, version 7.4.0 and 7.5.0 
• Oracle Communications Unified Assurance, version 5.5.0-5.5.10 and 6.0.0-6.0.2 
• Oracle Communications Unified Inventory Management, version 7.4.0, 7.4.1, 7.4.2, and 7.5.0 
• Oracle Communications Convergent Charging Controller, version 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, and 12.0.4-12.0.6 
• Oracle Communications Network Charging and Control, version 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, and 12.0.4-12.0.6 
• Oracle Communications Order and Service Management, version 7.4.1 

Oracle Database Server 

The Critical Patch Update for Oracle Database Products contains five new security patches. One of these vulnerabilities may be remotely exploitable without authentication.   

The Oracle Database Server products and versions affected by vulnerabilities are: 

•  Java VM, version 19c, 21c 
• OML4PY (Python), version 21c 
• Oracle Database Recovery Manager, version 19c, 21c 
• Oracle Database Spatial and Graph (Apache Commons Fileupload), version 19c, 21c 
• Oracle Database Workload Manager (Apache Commons FileUpload), version 21c 

Oracle Essbase 

The Critical Patch Update for Oracle Essbase Products contains four new security patches. All of these vulnerabilities may be remotely exploitable without authentication. 

The Oracle Essbase products and versions affected by vulnerabilities are: 

• Oracle Essbase Build (OpenSSL), version 21.4 
• Oracle Essbase Security and Provisioning, version 21.4 

Oracle Commerce 

The Critical Patch Update for Oracle Commerce contains six new security patches. All of these vulnerabilities may be remotely exploitable without authentication. 

CVE-2021-42575 is rated as critical and has a CVSSv3 Base Score of 9.8. The vulnerability exists in the Oracle Communications platform OWASP Java HTML Sanitizer. The vulnerability arises due to the improper enforcement of policies associated with the SELECT, STYLE, and OPTION elements. 

The Oracle Commerce products and versions affected by vulnerabilities are: 

• Oracle Commerce Guided Search, version 11.3.2 
• Oracle Commerce Platform, version 11.3.0, 11.3.1, and 11.3.2 

Oracle E-Business Suite 

The Critical Patch Update contains four new security patches for Oracle E-Business Suite. None of these vulnerabilities may be remotely exploitable without authentication.  

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle E-Business Suite is 6.5. 

The Oracle E-Business Suite products and versions affected by vulnerabilities are: 

• Oracle iReceivables, version 12.2.3-12.2.12 
• Oracle iProcurement, version 12.2.3-12.2.12  
• Oracle User Management, version 12.2.3-12.2.12 
• Oracle Application Object Library, version 12.2.3-12.2.11 

Oracle Enterprise Manager 

The Critical Patch Update contains four new security patches for Oracle Enterprise Manager. Three of the vulnerabilities may be remotely exploitable without authentication.   

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Enterprise Manager is 7.5. 

The Oracle Enterprise Manager products and versions affected by vulnerabilities are: 

• Oracle Application Testing Suite, version 13.3.0.1 
• Oracle Enterprise Manager Ops Center, version 12.4.0.0 

Oracle Construction and Engineering 

The Critical Patch Update contains four new security patches for Oracle Construction and Engineering. Three of the vulnerabilities may be remotely exploitable without authentication.   

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Construction and Engineering is 9.8. CVE-2022-27404 has the highest CVSSv3.1 Base Score that can be exploited in low-complexity attacks with network access via HTTP. 

The Oracle Construction and Engineering products and versions affected by vulnerabilities are: 

• Primavera Unifier, version 18.8.0-18.8.18, 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.14, and 22.12.0-22.12.3 
• Primavera P6 Enterprise Project Portfolio Management, version 18.8.0-18.8.26, 19.12.0-19.12.21, 20.12.0-20.12.18, 21.12.0-21.12.12, and 22.12.0-22.12.3 

Oracle Retail Applications 

The Critical Patch Update contains 22 new security patches for Oracle Retail Applications. 16 of the vulnerabilities may be remotely exploitable without authentication. 

The highest CVSSv3.1 Base Score for Oracle Retail Applications vulnerabilities is 9.8. 

The Oracle Retail Applications products and versions affected by vulnerabilities are: 

• Oracle Retail Fiscal Management, version 14.2 
• Oracle Retail Merchandising System, version 15.0.3.1 
• Oracle Retail Invoice Matching, version 15.0.3 and 16.0.3 
• Oracle Retail Merchandising System, version 16.0.2 and 16.0.3 
• Oracle Retail Predictive Application Server, version 15.0.3 and 16.0.3 
• Oracle Retail Price Management, version 14.1.3.2, 15.0.3.1, and 16.0.3 
• Oracle Retail Xstore Office Cloud Service, version 18.0.5, 19.0.4, 20.0.3, and 21.0.2  
• Oracle Retail Xstore Point of Service, version 17.0.6, 18.0.5, 19.0.4, 20.0.3, and 21.0.2 
• Oracle Retail Customer Management and Segmentation Foundation, version 18.0.0.12 and 19.0.0.6 

Note that we will update this blog later tomorrow with our QID coverage, Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR), and Rapid Response with Patch Management (PM) content.