Oracle addresses 231 CVEs in its second quarterly update of 2023 with 433 patches, including 74 critical updates.
Background
On April 18, Oracle released its Critical Patch Update (CPU) for April 2023, the second quarterly update of the year. This CPU contains fixes for 231 CVEs in 433 security updates across 33 Oracle product families. Out of the 433 security updates published this quarter, 17.1% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 44.6%, followed by medium severity patches at 35.8%.
This quarter’s update includes 74 critical patches across 33 CVEs. The chart below details the severity and CVE counts for this quarter's security updates.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 74 | 33 |
| High | 193 | 85 |
| Medium | 155 | 103 |
| Low | 11 | 10 |
| Total | 433 | 231 |
Analysis
This quarter, the Oracle Commerce product family contained the highest number of patches at 77, accounting for 17.8% of the total patches, followed by Oracle E-Business Suite at 76 patches, which accounted for 17.6% of the total patches.
Of the 433 patches in this update, 80 patches cover 52 CVEs which were identified during the period from 2018 - 2021. Of these, 9 patches address 6 CVEs which were given a CVSSv3 score greater than 9. This means legacy vulnerabilities account for 18.5% of the total patches and 12.2% of critical patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remotely Exploitable without Authentication |
|---|---|---|
| Oracle Commerce | 77 | 65 |
| Oracle E-Business Suite | 76 | 59 |
| Oracle Enterprise Manager | 49 | 44 |
| Oracle Java SE | 34 | 11 |
| Oracle MySQL | 22 | 16 |
| Oracle Financial Services Applications | 20 | 12 |
| Oracle TimesTen In-Memory Database | 18 | 13 |
| Oracle Insurance Applications | 14 | 8 |
| Oracle Systems | 11 | 1 |
| Oracle Fusion Middleware | 10 | 3 |
| Oracle Analytics | 10 | 8 |
| Oracle JD Edwards | 10 | 8 |
| Oracle Hyperion | 9 | 9 |
| Oracle iLearning | 8 | 7 |
| Oracle Big Data Spatial and Graph | 7 | 5 |
| Oracle SQL Developer | 6 | 6 |
| Oracle PeopleSoft | 6 | 3 |
| Oracle Siebel CRM | 6 | 0 |
| Oracle Database Server | 5 | 0 |
| Oracle Blockchain Platform | 4 | 4 |
| Oracle Communications Applications | 4 | 3 |
| Oracle Communications | 4 | 0 |
| Oracle Construction and Engineering | 4 | 3 |
| Oracle Supply Chain | 4 | 3 |
| Oracle Hospitality Applications | 3 | 2 |
| Oracle Essbase | 2 | 1 |
| Oracle REST Data Services | 2 | 1 |
| Oracle HealthCare Applications | 2 | 1 |
| Oracle Retail Applications | 2 | 2 |
| Oracle GoldenGate | 1 | 0 |
| Oracle Graph Server and Client | 1 | 0 |
| Oracle NoSQL Database | 1 | 0 |
| Oracle Health Sciences Applications | 1 | 0 |
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the April 2023 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Oracle Critical Patch Update Advisory - April 2023
- Oracle April 2023 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Security Response Team on the Tenable Community.
Learn more about https://www.tenable.com/products/tenable-one">Tenable One, the Exposure Management Platform for the modern attack surface.
