Oracle has released the second quarterly edition of its Critical Patch Update, which contains patches for 441 security vulnerabilities. Some of the vulnerabilities addressed in this update affect more than one product. The patches cover vulnerabilities across many product families, including third-party components bundled with Oracle products.
In the second quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 93, constituting about 21% of the total patches released. Oracle Fusion Middleware and Oracle Financial Services Applications followed, with 51 and 49 security patches, respectively.
307 of the 441 security patches (about 70%) are for non-Oracle CVEs, i.e., fixes for issues in third-party products, such as open-source components, that are included in and exploitable in the context of their Oracle product distributions.
This month’s batch of security patches contains 12 updates for Oracle Database products. Product-wise distribution is as follows:
In these security updates, Oracle has covered product families, including Oracle Database Server, Oracle Autonomous Health Framework, Oracle Big Data Spatial and Graph, Oracle Global Lifecycle Management, Oracle GoldenGate, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Food and Beverage Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Support Tools, Oracle Systems, Oracle Utilities Applications, Oracle Virtualization.
Qualys has released 10 QIDs mentioned in the table below:
| QID | Title |
|---|---|
| 87553 | Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2024) |
| 379670 | Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUAPR2024) |
| 379669 | Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUAPR2024) |
| 379668 | Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUAPR2024) |
| 379665 | Oracle Coherence April 2024 Critical Patch Update (CPUAPR2024) |
| 379662 | Oracle Java Standard Edition (SE) Critical Patch Update – April 2024 (CPUAPR2024) |
| 20418 | Oracle Database 21c Critical Patch Update – April 2024 |
| 20419 | Oracle Database 19 Critical OJVM Patch Update – April 2024 |
| 20420 | Oracle Database 19c Critical Patch Update – April 2024 |
| 296110 | Oracle Solaris 11.4 Support Repository Update (SRU) 68.164.2 Missing (CPUAPR2024) |
Note: The table will be updated with the additional QIDs once released.
This Critical Patch Update for Oracle Communications contains 93 security patches. Of these 93, 71 vulnerabilities can be exploited over a network without user credentials.
CVE-2023-47100 has a critical severity rating and CVSS score of 9.8. A remote attacker may exploit the vulnerability in a low-complexity network attack.
This Critical Patch Update for Oracle Fusion Middleware contains 51 new security patches. 35 of these vulnerabilities may be remotely exploitable without authentication.
CVE-2022-46337, CVE-2024-1597, CVE-2022-34381, CVE-2019-13990, CVE-2022-1471, and CVE-2022-45378 in different Oracle Communications products have critical severity ratings and CVSS scores of 9.8.
This Critical Patch Update for Oracle Financial Services Applications contains 49 new security patches. 30 of these vulnerabilities may be remotely exploitable without authentication.
None of the 49 vulnerabilities have been given critical severity ratings.
This Critical Patch Update for Oracle E-Business Suite contains 47 security patches. 40 of these vulnerabilities can be exploited over a network without requiring user credentials.
CVE-2024-21071 in the Admin Screens and Grants UI of Oracle Workflow has a critical severity rating and a CVSS score of 9.1. The vulnerability can be exploited remotely by an attacker in a low-complexity attack.
This Critical Patch Update for Oracle MySQL contains 36 security patches. 9 of these vulnerabilities may be remotely exploitable without authentication.
None of the 36 vulnerabilities have been given critical severity ratings.
This Critical Patch Update for Oracle Systems contains 22 security patches. 16 of these vulnerabilities may be exploited over a network without requiring user credentials.
CVE-2022-42920, CVE-2022-34381, and CVE-2020-35168 have critical severity ratings and a CVSS score of 9.8.