Oracle has released the first quarterly edition of its Critical Patch Update, which contains patches for 389 security vulnerabilities. Some of the vulnerabilities addressed in this update affect more than one product. The patches cover a wide range of product families, including both Oracle code and third-party components bundled with Oracle products.
In the first quarterly Oracle Critical Patch Update, Oracle Financial Services Applications received the highest number of patches, 71, constituting 18% of the total patches released. Oracle Communications and Oracle Communications Applications followed, with 55 and 43 security patches, respectively.
297 of the 389 security patches (76%) are for non-Oracle CVEs: security fixes for issues in third-party products, such as open-source components, that are included in Oracle product distributions and exploitable in that context.
This month’s batch of security patches contains 15 updates for Oracle Database products. The product-wise distribution is as follows:
In these security updates, Oracle has covered product families, including Oracle Database Server, Oracle Audit Vault and Database Firewall, Oracle Big Data Spatial and Graph, Oracle Essbase, Oracle GoldenGate, Oracle Graph Server and Client, Oracle NoSQL Database, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Hyperion, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications.
Qualys has released the six QIDs listed in the table below:
| QID | Title |
|---|---|
| 87550 | Oracle WebLogic Server Multiple Vulnerabilities (CPUJAN2024) |
| 378947 | Oracle Java Standard Edition (SE) Critical Patch Update – January 2024 (CPUJAN2024) |
| 296107 | Oracle Solaris 11.4 Support Repository Update (SRU) 65.157.1 Missing (CPUJAN2024) |
| 20401 | Oracle Database 21c Critical Patch Update – January 2024 |
| 20398 | Oracle MySQL JAN 2024 Critical Patch Update (CPUJAN2024) |
| 379266 | Oracle Hypertext Transfer Protocol (HTTP) Server Multiple Vulnerabilities (CPUJAN2024) |
Note: The table will be updated with the additional QIDs once released.
This Critical Patch Update for Oracle Financial Services Applications contains 71 security patches. Out of 71, 54 vulnerabilities can be exploited over a network without user credentials.
CVE-2023-46604, CVE-2022-36944, CVE-2023-34034, CVE-2022-31692, and CVE-2022-42920 have critical severity ratings and CVSS scores of 9.8. A remote attacker may exploit these vulnerabilities in a low-complexity network attack.
This Critical Patch Update for Oracle Communications contains 55 new security patches plus additional third-party patches. 43 of these vulnerabilities may be remotely exploitable without authentication.
CVE-2022-48174, CVE-2023-34034, CVE-2023-46604, CVE-2023-50164, CVE-2023-44981, and CVE-2021-46848 in different Oracle Communications products have critical severity ratings and CVSS scores of 9.1 and 9.8.
This Critical Patch Update for Oracle Communications Applications contains 43 new security patches. 25 of these vulnerabilities may be remotely exploitable without authentication.
CVE-2022-36944, CVE-2022-42920, CVE-2022-1471, CVE-2023-34034, and CVE-2023-44981 in Oracle Communications BRM – Elastic Charging Engine, Oracle Communications Service Catalog and Design, and Oracle Communications Unified Inventory Management have critical severity ratings and CVSS scores of 9.1 and 9.8.
This Critical Patch Update for Oracle MySQL contains 40 security patches. 12 of these vulnerabilities can be exploited over a network without requiring user credentials.
CVE-2023-38545 and CVE-2023-50164 in MySQL Cluster and MySQL Enterprise Monitor have critical severity ratings and the highest CVSS score of 9.8. These vulnerabilities can be exploited remotely by an attacker in a low-complexity attack.
This Critical Patch Update for Oracle Fusion Middleware contains 39 security patches plus additional third-party patches. 29 of these vulnerabilities may be remotely exploitable without authentication.
CVE-2023-46604, CVE-2023-38545, and CVE-2022-23221 in Oracle Enterprise Data Quality, Oracle HTTP Server, and Oracle SOA Suite have critical severity ratings and CVSS scores of 9.8.
This Critical Patch Update for the Oracle Database Server contains six security patches. Five of these vulnerabilities may be exploited over a network without requiring user credentials.
CVE-2022-42920 in Oracle Retail Advanced Inventory Planning has a critical severity rating and a CVSS score of 9.8.