Oracle Patch Update, April 2024 Security Update Review
2024-4-17 22:39:59 Author: blog.qualys.com(查看原文) 阅读量:10 收藏

Oracle released its second quarterly edition of Critical Patch Update, which contains patches for 441 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products. 

In the second quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 93, constituting about 21% of the total patches released. Oracle Fusion Middleware and Oracle Financial Services Applications followed, with 51 and 49 security patches, respectively.

307 of the 441, i.e., about 70% of security patches, are for non-Oracle CVEs, which are security fixes for issues in third-party products such as open-source components included and exploitable in the context of their Oracle product distributions.

This month’s batch of security patches contains 12 updates for Oracle Database products. Product-wise distribution is as follows:

  • 8 new security updates for Oracle Database Server with a maximum reported CVSS Base Score of 5.9.
    • None of these updates apply to client-only deployments of the Oracle Database. 
  • 1 new security update for Oracle Autonomous Health Framework with a maximum reported CVSS Base Score of 5.9.
  • 1 new security update for Oracle Big Data Spatial and Graph with a maximum reported CVSS Base Score of 7.5.
  • 1 new security update for Oracle Global Lifecycle Management with a maximum reported CVSS Base Score of 5.9.
  • 1 new security update for Oracle GoldenGate with a maximum reported CVSS Base Score of 7.5.

In these security updates, Oracle has covered product families, including Oracle Database Server, Oracle Autonomous Health Framework, Oracle Big Data Spatial and Graph, Oracle Global Lifecycle Management, Oracle GoldenGate, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Food and Beverage Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Support Tools, Oracle Systems, Oracle Utilities Applications, Oracle Virtualization.

Qualys QID Coverage

Qualys has released 10 QIDs mentioned in the table below:

QIDTitle 
87553 Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2024)  
379670 Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUAPR2024)  
379669 Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUAPR2024)  
379668 Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUAPR2024)  
379665 Oracle Coherence April 2024 Critical Patch Update (CPUAPR2024)  
379662 Oracle Java Standard Edition (SE) Critical Patch Update – April 2024 (CPUAPR2024)  
20418  Oracle Database 21c Critical Patch Update – April 2024  
20419 Oracle Database 19 Critical OJVM Patch Update – April 2024  
20420 Oracle Database 19c Critical Patch Update – April 2024  
296110 Oracle Solaris 11.4 Support Repository Update (SRU) 68.164.2 Missing (CPUAPR2024) 

Note: The table will be updated with the additional QIDs once released.

Notable Oracle Vulnerabilities Patched

Oracle Communications

This Critical Patch Update for Oracle Communications contains 93 security patches. Out of 93, 71 vulnerabilities can be exploited over a network without user credentials.

CVE-2023-47100 has a critical severity rating and CVSS score of 9.8. A remote attacker may exploit the vulnerability in a low-complexity network attack.

Oracle Fusion Middleware

This Critical Patch Update for Oracle Fusion Middleware contains 51 new security patches. 35 of these vulnerabilities can be remotely exploitable without authentication.

CVE-2022-46337, CVE-2024-1597, CVE-2022-34381, CVE-2019-13990, CVE-2022-1471, and CVE-2022-45378 in different Oracle Communications products have critical severity ratings and CVSS scores of 9.8.

Oracle Financial Services Applications

This Critical Patch Update for Oracle Financial Services Applications contains 49 new security patches. 30 of these vulnerabilities can be remotely exploitable without authentication.

None of the 49 vulnerabilities have been given critical severity ratings.

Oracle E-Business Suite

This Critical Patch Update for Oracle E-Business Suite contains 47 security patches. 40 vulnerabilities can be exploited over a network without requiring user credentials.

CVE-2024-21071 in the Admin Screens and Grants UI of Oracle Workflow has a critical severity rating and a CVSS score of 9.1. The vulnerability can be exploited remotely by an attacker in a low-complexity attack.

Oracle MySQL

This Critical Patch Update for Oracle MySQL contains 36 security patches. 9 of these vulnerabilities may be remotely exploitable without authentication.

None of the 36 vulnerabilities have been given critical severity ratings.

Oracle Systems

This Critical Patch Update for Oracle Systems contains 22 security patches. 16 of these vulnerabilities may be exploited over a network without requiring user credentials.

CVE-2022-42920, CVE-2022-34381, and CVE-2020-35168 have critical severity ratings and a CVSS score of 9.8.


文章来源: https://blog.qualys.com/vulnerabilities-threat-research/2024/04/17/oracle-patch-update-april-2024-security-update-review
如有侵权请联系:admin#unsafe.sh