Oracle Patch Update, April 2024 Security Update Review

Published: 2024-04-17 14:39:59
Author: Diksha Ojha
Source: blog.qualys.com

Tags: oracle, security patches, vulnerabilities, product families, third-party components, oracle communications, non-oracle cves, database products, cvss scores, remote attack

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

AI Score: 10 High (Confidence: High)

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

EPSS: 0.032 Low (Percentile: 91.1%)

Oracle released the second quarterly edition of its Critical Patch Update for 2024, which contains patches for 441 security vulnerabilities. Some of the vulnerabilities addressed in this update affect more than one product. The patches cover a wide range of product families, including third-party components bundled with Oracle products.

In the second quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 93, constituting about 21% of the total patches released. Oracle Fusion Middleware and Oracle Financial Services Applications followed, with 51 and 49 security patches, respectively.

307 of the 441 security patches (about 70%) are for non-Oracle CVEs, i.e., fixes for issues in third-party products such as open-source components that are bundled with, and exploitable in the context of, Oracle product distributions.

This month’s batch of security patches contains 12 updates for Oracle Database products. Product-wise distribution is as follows:

  • 8 new security updates for Oracle Database Server with a maximum reported CVSS Base Score of 5.9.
    • None of these updates apply to client-only deployments of the Oracle Database.
  • 1 new security update for Oracle Autonomous Health Framework with a maximum reported CVSS Base Score of 5.9.
  • 1 new security update for Oracle Big Data Spatial and Graph with a maximum reported CVSS Base Score of 7.5.
  • 1 new security update for Oracle Global Lifecycle Management with a maximum reported CVSS Base Score of 5.9.
  • 1 new security update for Oracle GoldenGate with a maximum reported CVSS Base Score of 7.5.

In these security updates, Oracle has covered product families, including Oracle Database Server, Oracle Autonomous Health Framework, Oracle Big Data Spatial and Graph, Oracle Global Lifecycle Management, Oracle GoldenGate, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Food and Beverage Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Support Tools, Oracle Systems, Oracle Utilities Applications, Oracle Virtualization.

Qualys QID Coverage

Qualys has released 10 QIDs mentioned in the table below:

QIDs Title
87553 Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2024)
379670 Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUAPR2024)
379669 Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUAPR2024)
379668 Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUAPR2024)
379665 Oracle Coherence April 2024 Critical Patch Update (CPUAPR2024)
379662 Oracle Java Standard Edition (SE) Critical Patch Update - April 2024 (CPUAPR2024)
20418 Oracle Database 21c Critical Patch Update - April 2024
20419 Oracle Database 19 Critical OJVM Patch Update - April 2024
20420 Oracle Database 19c Critical Patch Update - April 2024
296110 Oracle Solaris 11.4 Support Repository Update (SRU) 68.164.2 Missing (CPUAPR2024)
296111 Oracle Solaris 11.3 Extended Support Updates (ESU) 36.33.1 Missing (CPUAPR2024)

Note: The table will be updated with the additional QIDs once released.

Notable Oracle Vulnerabilities Patched

Oracle Communications

This Critical Patch Update for Oracle Communications contains 93 security patches. Out of 93, 71 vulnerabilities can be exploited over a network without user credentials.

CVE-2023-47100 has a critical severity rating and CVSS score of 9.8. A remote attacker may exploit the vulnerability in a low-complexity network attack.

Oracle Fusion Middleware

This Critical Patch Update for Oracle Fusion Middleware contains 51 new security patches. 35 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2022-46337, CVE-2024-1597, CVE-2022-34381, CVE-2019-13990, CVE-2022-1471, and CVE-2022-45378 in different Oracle Communications products have critical severity ratings and CVSS scores of 9.8.

Oracle Financial Services Applications

This Critical Patch Update for Oracle Financial Services Applications contains 49 new security patches. 30 of these vulnerabilities may be remotely exploitable without authentication.

None of the 49 vulnerabilities have been given critical severity ratings.

Oracle E-Business Suite

This Critical Patch Update for Oracle E-Business Suite contains 47 security patches. 40 vulnerabilities can be exploited over a network without requiring user credentials.

CVE-2024-21071 in the Admin Screens and Grants UI of Oracle Workflow has a critical severity rating and a CVSS score of 9.1. The vulnerability can be exploited remotely by an attacker in a low-complexity attack.

Oracle MySQL

This Critical Patch Update for Oracle MySQL contains 36 security patches. 9 of these vulnerabilities may be remotely exploitable without authentication.

None of the 36 vulnerabilities have been given critical severity ratings.

Oracle Systems

This Critical Patch Update for Oracle Systems contains 22 security patches. 16 of these vulnerabilities may be exploited over a network without requiring user credentials.

CVE-2022-42920, CVE-2022-34381, and CVE-2020-35168 have critical severity ratings and a CVSS score of 9.8.

Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)

Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous Knowledgebase (KB) updates.

You can list all of your hosts impacted by these vulnerabilities with the following QQL query:

vulnerabilities.vulnerability: ( qid:`87553` OR qid:`379670` OR qid:`379669` OR qid:`379668` OR qid:`379665` OR qid:`379662` OR qid:`20418` OR qid:`20419` OR qid:`20420` OR qid:`296110` OR qid:`296111` )

Rapid Response with Patch Management (PM)

VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches with one click.

The following QQL will return the missing patches for this Patch Tuesday:

( qid:`87553` OR qid:`379670` OR qid:`379669` OR qid:`379668` OR qid:`379665` OR qid:`379662` OR qid:`20418` OR qid:`20419` OR qid:`20420` OR qid:`296110` OR qid:`296111` )
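Both QQL queries above are just an OR of the QIDs in the coverage table. The Python below is an added example, not Qualys code: it parses that table as pasted from this post, generates the same `qid:` clause list so the query stays in sync with the table as new QIDs are added, and applies the equivalent filter offline to a constructed scan export (hostname, QID pairs; the export format and the extra QID 11111 are made up for the demo) so you can see which hosts the query would return.

```python
"""Build the QQL QID filter from this post's coverage table and apply the same
filter to an offline scan export (added example; not Qualys code)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# The QID table from this post, pasted as plain text (QIDs and titles are the page's own).
QID_TABLE = """\
QIDs Title
87553 Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2024)
379670 Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUAPR2024)
379669 Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUAPR2024)
379668 Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUAPR2024)
379665 Oracle Coherence April 2024 Critical Patch Update (CPUAPR2024)
379662 Oracle Java Standard Edition (SE) Critical Patch Update - April 2024 (CPUAPR2024)
20418 Oracle Database 21c Critical Patch Update - April 2024
20419 Oracle Database 19 Critical OJVM Patch Update - April 2024
20420 Oracle Database 19c Critical Patch Update - April 2024
296110 Oracle Solaris 11.4 Support Repository Update (SRU) 68.164.2 Missing (CPUAPR2024)
296111 Oracle Solaris 11.3 Extended Support Updates (ESU) 36.33.1 Missing (CPUAPR2024)
"""

# A table row is a numeric QID followed by its title; the "QIDs Title" header does not match.
ROW = re.compile(r"^(\d+)\s+(.+)$")


def parse_qid_table(text: str) -> Dict[int, str]:
    """Return {qid: title} in table order, ignoring the header and blank lines."""
    qids: Dict[int, str] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            qids[int(m.group(1))] = m.group(2).strip()
    return qids


def build_qql(qids: Iterable[int], prefix: str = "vulnerabilities.vulnerability") -> str:
    """Emit the VMDR host query; pass prefix="" to get the bare clause used in Patch Management."""
    clauses = " OR ".join(f"qid:`{int(q)}`" for q in qids)   # int() rejects anything non-numeric
    body = f"({clauses})"
    return f"{prefix}:{body}" if prefix else body


# Constructed scan export: (hostname, detected QID). QID 11111 stands in for an unrelated finding.
SCAN_EXPORT: List[Tuple[str, int]] = [
    ("db-prod-01", 20420),
    ("db-prod-01", 20419),
    ("app-01", 87553),
    ("app-01", 11111),
    ("build-07", 379670),
    ("dns-02", 11111),
]


def impacted_hosts(records: Iterable[Tuple[str, int]], qids: Iterable[int]) -> Dict[str, List[int]]:
    """Offline equivalent of the QQL: hosts with at least one of the listed QIDs, with their matches."""
    wanted = set(qids)
    hits = defaultdict(set)
    for host, qid in records:
        if qid in wanted:
            hits[host].add(qid)
    return {host: sorted(found) for host, found in sorted(hits.items())}


if __name__ == "__main__":
    table = parse_qid_table(QID_TABLE)
    print(build_qql(table))            # VMDR host query
    print(build_qql(table, prefix=""))  # Patch Management clause
    for host, found in impacted_hosts(SCAN_EXPORT, table).items():
        print(host, [f"{q}: {table[q]}" for q in found])
```

Keeping the QID list in one parsed table and generating both queries from it avoids the usual drift where the VMDR query and the Patch Management query are edited separately and end up covering different QIDs.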
