10/16/2024 | News release | Distributed by Public on 10/16/2024 09:06
Oracle released the last quarterly edition of this year's Critical Patch Update. The update contains patches for 334 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In this quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 100, constituting about 30% of the total patches released. Oracle MySQL and Oracle Fusion Middleware followed, with 45 and 32 security patches, respectively.
244 of the 334 security patches provided by the October Critical Patch Update (about 73%) are for non-Oracle CVEs, such as open-source components included and exploitable in the context of their Oracle product distributions.
This batch of security patches contains 26 updates for Oracle Database products. The following is the product-wise distribution:
In these security updates, Oracle has covered product families, including Oracle Database Server, Oracle Application Express, Oracle Blockchain Platform, Oracle Essbase, Oracle GoldenGate, Oracle NoSQL Database, Oracle Secure Backup, Oracle SQL Developer, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Food and Beverage Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Hospitality Applications, Oracle Hyperion, Oracle Java SE, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, Oracle Virtualization.
Qualys QID Coverage
Qualys has released five QIDs mentioned in the table below:
Note: The table will be updated with the additional QIDs once released.
Notable Oracle Vulnerabilities Patched
Oracle Communications
This Critical Patch Update for Oracle Communications contains 100 security patches. Out of these, 81 vulnerabilities can be exploited over a network without user credentials.
CVE-2024-45492, CVE-2023-38408, CVE-2024-4577, CVE-2023-6816, CVE-2022-2068, CVE-2024-37371, CVE-2024-29736, and CVE-2022-36760 in different Oracle Communications products have critical severity ratings. In a low-complexity network attack, a remote attacker may exploit these vulnerabilities without privileges.
Oracle MySQL
This Critical Patch Update for Oracle MySQL contains 45 security patches. Out of these, 12 vulnerabilities can be exploited over a network without user credentials.
CVE-2024-37371 and CVE-2024-5535 in different Oracle MySQL products have critical severity ratings with a CVSS score of 9.1. In a low-complexity network attack, a remote attacker may exploit these vulnerabilities without privileges.
Oracle Fusion Middleware
This Critical Patch Update for Oracle Fusion Middleware contains 32 security patches. Out of these, 12 vulnerabilities can be exploited over a network without user credentials.
CVE-2024-28752, CVE-2024-21216, and CVE-2024-45492 in different Oracle Fusion Middleware products have critical severity ratings. In a low-complexity network attack, a remote attacker may exploit these vulnerabilities without privileges.
Oracle Financial Services Applications
This Critical Patch Update for Oracle Financial Services Applications contains 20 security patches. Out of these, 15 vulnerabilities can be exploited over a network without user credentials.
CVE-2024-5535 in Oracle Banking Cash Management and Oracle Banking Supply Chain Finance has a critical severity rating. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.
Oracle Communications Applications
This Critical Patch Update for Oracle Communications Applications contains 13 security patches. Out of these, 10 vulnerabilities can be exploited over a network without user credentials.
CVE-2024-45492 in the Core (LibExpat) component of Oracle Communications Unified Assurance has a critical severity rating with a CVSS score of 9.8. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.
Oracle Commerce
This Critical Patch Update for Oracle Commerce contains nine security patches. Out of these, five vulnerabilities can be exploited over a network without user credentials.
CVE-2022-46337 in the Workbench (Apache Derby) component of Oracle Commerce Guided Search has a critical severity rating with a CVSS score of 9.8. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.
Oracle Enterprise Manager
This Critical Patch Update for Oracle Enterprise Manager contains seven security patches. Out of these, three vulnerabilities can be exploited over a network without user credentials.
CVE-2022-34381 in the Agent Next Gen (BSAFE Crypto-J) component of the Oracle Enterprise Manager Base Platform has a critical severity rating with a CVSS score of 9.8. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.
Oracle Analytics
This Critical Patch Update for Oracle Analytics contains 12 security patches. Out of these, seven vulnerabilities can be exploited over a network without user credentials.
CVE-2022-23305 and CVE-2023-38545 in different components of Oracle Business Intelligence Enterprise Edition have critical severity ratings with a CVSS score of 9.8. A remote attacker may exploit these vulnerabilities without privileges in a low-complexity network attack.
Oracle Systems
This Critical Patch Update for Oracle Systems contains seven security patches. Out of these, five vulnerabilities can be exploited over a network without user credentials.
CVE-2022-46337 in the Tools (Apache Derby) component of Oracle Solaris Cluster has a critical severity rating with a CVSS score of 9.8. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.