Oracle has released its fourth quarterly edition of Critical Patch Update, which contains a group of patches for 387 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products.

During the Q4 2023 Oracle Critical Patch Update, Oracle Financial Services Applications received the highest number of 103 patches, constituting 26% of the total patches released. Oracle Communications and Oracle Fusion Middleware followed, with 91 and 46 security patches, respectively.

311 of the 387, i.e.,80% of security patches, are for non-Oracle CVEs, which are security fixes for issues in third-party products such as open-source components included and exploitable in the context of their Oracle product distributions.

This month’s batch of security patches contains 20 updates for Oracle Database products. Product-wise distribution is as follows:

• 10 new security patches for Oracle Database Products
• There are no new security patches for Oracle Big Data Spatial and Graph, but third-party patches are provided
• One new security patch for Oracle Essbase
• There are no new security patches for Oracle Global Lifecycle Management, but third-party patches are provided
• Six new security patches for Oracle GoldenGate
• No new security patches for Oracle Graph Server and Client, but third-party patches are provided
• One new security patch for Oracle REST Data Services
• One new security patch for Oracle Secure Backup
• One new security patch for Oracle TimesTen In-Memory Database

In these security updates, Oracle has covered product families, including Oracle Database Server, Oracle Essbase, Oracle GoldenGate, Oracle REST Data Services, Oracle Secure Backup, Oracle TimesTen In-Memory Database, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.

Qualys QID Coverage

Qualys has released seven QIDs mentioned in the table below:

Note: The table will be updated with the additional QIDs once released.

Notable Oracle Vulnerabilities Patched

Oracle Financial Services Applications

This Critical Patch Update for Oracle Financial Services Applications contains 103 security patches. 49 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2023-22946, CVE-2022-1471, and CVE-2023-20873 in Oracle Financial Services Model Management and Governance have critical severity ratings and CVSS scores of 9.9 and 9.8. A remote attacker may exploit the vulnerability in a low-complexity network attack.

Oracle Communications

This Critical Patch Update for Oracle Communications contains 91 security patches. 60 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2023-34034, CVE-2023-38408, CVE-2023-3824, CVE-2022-42920, CVE-2022-36944, and CVE-2021-41945 in different Oracle Communications products have critical severity ratings and CVSS scores of 9.1 and 9.8.

Oracle Fusion Middleware

This Critical Patch Update for Oracle Fusion Middleware contains 46 security patches. 35 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2022-42920, CVE-2023-39022, CVE-2022-29599, CVE-2023-22069, CVE-2023-22072, and CVE-2023-22089 in different Oracle Fusion Middleware products have critical severity ratings and CVSS score of 9.8.

Oracle MySQL

This Critical Patch Update for Oracle MySQL contains 37 security patches. Nine of these vulnerabilities may be remotely exploitable without authentication.

CVE-2023-34034 in the Monitoring component of MySQL Enterprise Monitor has been given the critical severity rating and the highest CVSS score of 9.8. The vulnerability can be exploited remotely by an attacker in a low-complexity attack.

Oracle Analytics

This Critical Patch Update for Oracle Analytics contains 16 security patches. 11 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2023-22946, CVE-2022-26612, and CVE-2022-33980 in Oracle Business Intelligence Enterprise Edition have been given critical severity ratings and CVSS scores of 9.9 and 9.8.

Oracle Retail Applications

This Critical Patch Update for Oracle Retail Applications contains 15 security patches. Nine of these vulnerabilities may be remotely exploitable without authentication.

CVE-2022-42920, CVE-2023-39017, and CVE-2022-1471 in different products of Oracle Retail Applications have been given critical severity ratings and CVSS scores of 9.9 and 9.8.

Oracle Database Server

This Critical Patch Update for the Oracle Database Server contains 10 security patches. Two of these vulnerabilities may be remotely exploitable without authentication.

The Oracle Database Server products and versions affected by vulnerabilities are:

• OML4Py (cryptography), version 21.3 through 21.11
• PL/SQL, version 19.3 through 19.20 and 21.3 through 21.11
• Java VM, version 19.3 through 19.20 and 21.3 through 21.11
• Oracle Database Sharding, version 19.3 through 19.20 and 21.3 through 21.11
• Oracle Notification Server, version 19.3 through 19.20 and 21.3 through 21.11
• Oracle Spatial and Graph (cURL), version 19.3 through 19.20 and 21.3 through 21.11
• Oracle Database Recovery Manager, version 19.3 through 19.20 and 21.3 through 21.11 
• Oracle Database Fleet Patching and Provisioning (jackson-databind), version 19.3 through 19.20 and 21.3 through 21.11