Oracle July 2023 Critical Patch Update Addresses 183 CVEs


Oracle July 2023 Critical Patch Update Addresses 183 CVEs

Oracle addresses 183 CVEs in its third quarterly update of 2023 with 508 patches, including 76 critical updates.

Background

On July 18, Oracle released its Critical Patch Update (CPU) for July 2023, the third quarterly update of the year. This CPU contains fixes for 183 unique CVEs in 508 security updates across 32 Oracle product families. Out of the 508 security updates published this quarter, 15.0% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 48.4%, followed by medium severity patches at 31.9%.

This quarter’s update includes 76 critical patches across 28 CVEs.

Severity Issues Patched CVEs
Critical 76 28
High 246 67
Medium 162 74
Low 24 14
Total 508 183

Analysis

This quarter, the Oracle Construction and Engineering product family contained the highest number of patches at 147, accounting for 28.9% of the total patches, followed by Oracle TimeTen in-Memory Database at 77 patches, which accounted for 15.1% of the total patches.

Of the 508 patches in this update, 62 patches address 37 vulnerabilities identified during the period from 2018 – 2021. Of these, 9 patches address 8 CVEs that were given a CVSSv3 score greater than 9. This means legacy vulnerabilities accounted for 12.2% of the total patches and 11.8% of critical patches.

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product Family Number of Patches Remote Exploit without Authentication
Oracle Construction and Engineering 147 115
Oracle TimesTen In-Memory Database 77 57
Oracle Enterprise Manager 60 40
Oracle Spatial Studio 40 30
Oracle Financial Services Applications 32 23
Oracle Insurance Applications 24 11
Oracle Siebel CRM 14 12
Oracle Policy Automation 13 11
Oracle MySQL 11 8
Oracle Hospitality Applications 9 8
Oracle Java SE 9 8
Oracle PeopleSoft 9 9
Oracle Secure Backup 8 8
Oracle Communications 8 6
Oracle Commerce 6 5
Oracle Database Server 5 1
Oracle Communications Applications 5 3
Oracle Hyperion 4 3
Oracle Supply Chain 4 2
Oracle Application Express 3 1
Oracle Analytics 3 1
Oracle Health Sciences Applications 3 2
Oracle Big Data Spatial and Graph 2 0
Oracle Essbase 2 1
Oracle Fusion Middleware 2 2
Oracle JD Edwards 2 2
Oracle GoldenGate 1 1
Oracle Graph Server and Client 1 0
Oracle NoSQL Database 1 1
Oracle E-Business Suite 1 1
Oracle Food and Beverage Applications 1 0
Oracle Retail Applications 1 0

Solution

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the July 2023 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.



Source link