Oracle Patch Update, January 2024 Security Update Review

Qualys Security Advisory

Oracle has released the first quarterly Critical Patch Update (CPU) of 2024, which contains patches for 389 security vulnerabilities. Some of the vulnerabilities addressed in this update affect more than one product. The patches cover a wide range of product families and include fixes both for Oracle code and for third-party components bundled with Oracle products.

In this Critical Patch Update, Oracle Financial Services Applications received the highest number of patches, 71, or about 18% of the total. Oracle Communications and Oracle Communications Applications followed, with 55 and 43 security patches, respectively.

297 of the 389 security patches (76%) address non-Oracle CVEs: fixes for issues in third-party products, such as open-source components, that are included in Oracle product distributions and exploitable in that context.

This Critical Patch Update contains 15 updates for Oracle Database products, distributed as follows:

  • Three new security updates for Oracle Database Server with a maximum reported CVSS Base Score of 6.5. None of these updates applies to client-only deployments of Oracle Database.
  • Five new security updates for Oracle Audit Vault and Database Firewall with a maximum reported CVSS Base Score of 7.6.
  • One new security update for Oracle Big Data Spatial and Graph with a maximum reported CVSS Base Score of 7.5.
  • Three new security updates for Oracle Essbase with a maximum reported CVSS Base Score of 9.8.
  • One new security update for Oracle GoldenGate with a maximum reported CVSS Base Score of 3.7.
  • One new security update for Oracle Graph Server and Client with a maximum reported CVSS Base Score of 7.5.
  • One new security update for Oracle NoSQL Database with a maximum reported CVSS Base Score of 6.5.

Across this Critical Patch Update, Oracle covers the following product families: Oracle Database Server, Oracle Audit Vault and Database Firewall, Oracle Big Data Spatial and Graph, Oracle Essbase, Oracle GoldenGate, Oracle Graph Server and Client, Oracle NoSQL Database, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Hyperion, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, and Oracle Utilities Applications.

Notable Oracle Vulnerabilities Patched

Oracle Financial Services Applications

This Critical Patch Update contains 71 new security patches for Oracle Financial Services Applications. 54 of these vulnerabilities may be remotely exploitable without authentication, i.e., exploited over a network without requiring user credentials.

CVE-2023-46604, CVE-2022-36944, CVE-2023-34034, CVE-2022-31692, and CVE-2022-42920 have critical severity ratings and a CVSS Base Score of 9.8. A remote, unauthenticated attacker may exploit these vulnerabilities in a low-complexity network attack.

Oracle Communications

This Critical Patch Update contains 55 new security patches for Oracle Communications, plus additional third-party patches. 43 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2022-48174, CVE-2023-34034, CVE-2023-46604, CVE-2023-50164, CVE-2023-44981, and CVE-2021-46848, affecting different Oracle Communications products, have critical severity ratings and CVSS Base Scores of 9.1 or 9.8.

Oracle Communications Applications

This Critical Patch Update contains 43 new security patches for Oracle Communications Applications. 25 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2022-36944, CVE-2022-42920, CVE-2022-1471, CVE-2023-34034, and CVE-2023-44981, affecting Oracle Communications BRM – Elastic Charging Engine, Oracle Communications Service Catalog and Design, and Oracle Communications Unified Inventory Management, have critical severity ratings and CVSS Base Scores of 9.1 or 9.8.

Oracle MySQL

This Critical Patch Update contains 40 new security patches for Oracle MySQL. 12 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2023-38545 and CVE-2023-50164, in MySQL Cluster and MySQL Enterprise Monitor, have critical severity ratings and the highest CVSS Base Score in this family, 9.8. Both may be exploited remotely by an unauthenticated attacker in a low-complexity attack.

Oracle Fusion Middleware

This Critical Patch Update contains 39 new security patches for Oracle Fusion Middleware, plus additional third-party patches. 29 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2023-46604, CVE-2023-38545, and CVE-2022-23221, affecting Oracle Enterprise Data Quality, Oracle HTTP Server, and Oracle SOA Suite, have critical severity ratings and a CVSS Base Score of 9.8.

Oracle Retail Applications

This Critical Patch Update contains six new security patches for Oracle Retail Applications. Five of these vulnerabilities may be remotely exploitable without authentication.

CVE-2022-42920 in Oracle Retail Advanced Inventory Planning has a critical severity rating and a CVSS Base Score of 9.8.

Visit the Oracle Critical Patch Update January 2024 (CPUJAN2024) page for a description of each vulnerability and the systems it affects.

Qualys customers can scan their networks with QIDs 87550, 378947, 296107, 20401, 20398, and 379266 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References:
https://www.oracle.com/security-alerts/cpujan2024.html