Oracle addresses 183 CVEs in its third quarterly update of 2023 with 508 patches, including 76 critical updates.
Background
On July 18, Oracle released its Critical Patch Update (CPU) for July 2023, the third quarterly update of the year. This CPU contains fixes for 183 unique CVEs in 508 security updates across 32 Oracle product families. Out of the 508 security updates published this quarter, 15.0% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 48.4%, followed by medium severity patches at 31.9%.
This quarter’s update includes 76 critical patches across 28 CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 76 | 28 |
| High | 246 | 67 |
| Medium | 162 | 74 |
| Low | 24 | 14 |
| Total | 508 | 183 |
Analysis
This quarter, the Oracle Construction and Engineering product family contained the highest number of patches at 147, accounting for 28.9% of the total patches, followed by Oracle TimeTen in-Memory Database at 77 patches, which accounted for 15.1% of the total patches.
Of the 508 patches in this update, 62 patches address 37 vulnerabilities identified during the period from 2018 - 2021. Of these, 9 patches address 8 CVEs that were given a CVSSv3 score greater than 9. This means legacy vulnerabilities accounted for 12.2% of the total patches and 11.8% of critical patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Authentication |
|---|---|---|
| Oracle Construction and Engineering | 147 | 115 |
| Oracle TimesTen In-Memory Database | 77 | 57 |
| Oracle Enterprise Manager | 60 | 40 |
| Oracle Spatial Studio | 40 | 30 |
| Oracle Financial Services Applications | 32 | 23 |
| Oracle Insurance Applications | 24 | 11 |
| Oracle Siebel CRM | 14 | 12 |
| Oracle Policy Automation | 13 | 11 |
| Oracle MySQL | 11 | 8 |
| Oracle Hospitality Applications | 9 | 8 |
| Oracle Java SE | 9 | 8 |
| Oracle PeopleSoft | 9 | 9 |
| Oracle Secure Backup | 8 | 8 |
| Oracle Communications | 8 | 6 |
| Oracle Commerce | 6 | 5 |
| Oracle Database Server | 5 | 1 |
| Oracle Communications Applications | 5 | 3 |
| Oracle Hyperion | 4 | 3 |
| Oracle Supply Chain | 4 | 2 |
| Oracle Application Express | 3 | 1 |
| Oracle Analytics | 3 | 1 |
| Oracle Health Sciences Applications | 3 | 2 |
| Oracle Big Data Spatial and Graph | 2 | 0 |
| Oracle Essbase | 2 | 1 |
| Oracle Fusion Middleware | 2 | 2 |
| Oracle JD Edwards | 2 | 2 |
| Oracle GoldenGate | 1 | 1 |
| Oracle Graph Server and Client | 1 | 0 |
| Oracle NoSQL Database | 1 | 1 |
| Oracle E-Business Suite | 1 | 1 |
| Oracle Food and Beverage Applications | 1 | 0 |
| Oracle Retail Applications | 1 | 0 |
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the July 2023 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.
Get more information
- Oracle Critical Patch Update Advisory - July 2023
- Oracle July 2023 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
