Oracle April 2023 Critical Patch Update Addresses 231 CVEs


Oracle April 2023 Critical Patch Update Addresses 231 CVEs

Oracle addresses 231 CVEs in its second quarterly update of 2023 with 433 patches, including 74 critical updates.

Background

On April 18, Oracle released its Critical Patch Update (CPU) for April 2023, the second quarterly update of the year. This CPU contains fixes for 231 CVEs in 433 security updates across 33 Oracle product families. Out of the 433 security updates published this quarter, 17.1% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 44.6%, followed by medium severity patches at 35.8%.

This quarter’s update includes 74 critical patches across 33 CVEs. The chart below details the severity and CVE counts for this quarter’s security updates.

Severity Issues Patched CVEs
Critical 74 33
High 193 85
Medium 155 103
Low 11 10
Total 433 231

Analysis

This quarter, the Oracle Commerce product family contained the highest number of patches at 77, accounting for 17.8% of the total patches, followed by Oracle E-Business Suite at 76 patches, which accounted for 17.6% of the total patches.

Of the 433 patches in this update, 80 patches cover 52 CVEs which were identified during the period from 2018 – 2021. Of these, 9 patches address 6 CVEs which were given a CVSSv3 score greater than 9. This means legacy vulnerabilities account for 18.5% of the total patches and 12.2% of critical patches.

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product Family Number of Patches Remotely Exploitable without Authentication
Oracle Commerce 77 65
Oracle E-Business Suite 76 59
Oracle Enterprise Manager 49 44
Oracle Java SE 34 11
Oracle MySQL 22 16
Oracle Financial Services Applications 20 12
Oracle TimesTen In-Memory Database 18 13
Oracle Insurance Applications 14 8
Oracle Systems 11 1
Oracle Fusion Middleware 10 3
Oracle Analytics 10 8
Oracle JD Edwards 10 8
Oracle Hyperion 9 9
Oracle iLearning 8 7
Oracle Big Data Spatial and Graph 7 5
Oracle SQL Developer 6 6
Oracle PeopleSoft 6 3
Oracle Siebel CRM 6 0
Oracle Database Server 5 0
Oracle Blockchain Platform 4 4
Oracle Communications Applications 4 3
Oracle Communications 4 0
Oracle Construction and Engineering 4 3
Oracle Supply Chain 4 3
Oracle Hospitality Applications 3 2
Oracle Essbase 2 1
Oracle REST Data Services 2 1
Oracle HealthCare Applications 2 1
Oracle Retail Applications 2 2
Oracle GoldenGate 1 0
Oracle Graph Server and Client 1 0
Oracle NoSQL Database 1 0
Oracle Health Sciences Applications 1 0

Solution

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the April 2023 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about https://www.tenable.com/products/tenable-one“>Tenable One, the Exposure Management Platform for the modern attack surface.



Source link