Oracle addresses 176 CVEs in its fourth quarterly update of 2023 with 387 patches, including 46 critical updates.
Background
On October 17, Oracle released its Critical Patch Update (CPU) for October 2023, the fourth and final quarterly update of the year. This CPU contains fixes for 176 CVEs in 387 security updates across 30 Oracle product families. Out of the 387 security updates published this quarter, 11.9% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 48.8%, followed by high severity patches at 37.5%.
This quarter’s update includes 46 critical patches across 19 CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 46 | 19 |
| High | 145 | 63 |
| Medium | 189 | 88 |
| Low | 7 | 6 |
| Total | 387 | 176 |
Analysis
This quarter, the Oracle Construction and Engineering product family contained the highest number of patches at 103, accounting for 26.6% of the total patches, followed by Oracle TimesTen In-Memory Database at 91 patches, which accounted for 23.5% of the total patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|---|---|---|
| Oracle Construction and Engineering | 103 | 49 |
| Oracle TimesTen In-Memory Database | 91 | 60 |
| Oracle E-Business Suite | 46 | 35 |
| Oracle Insurance Applications | 37 | 9 |
| Oracle Enterprise Manager | 16 | 11 |
| Oracle JD Edwards | 15 | 9 |
| Oracle Database Server | 10 | 2 |
| Oracle Secure Backup | 9 | 4 |
| Oracle Essbase | 6 | 3 |
| Oracle REST Data Services | 6 | 5 |
| Oracle Communications | 5 | 5 |
| Oracle Hospitality Applications | 5 | 5 |
| Oracle Java SE | 5 | 3 |
| Oracle Commerce | 4 | 1 |
| Oracle Communications Applications | 4 | 3 |
| Oracle Retail Applications | 3 | 2 |
| Oracle Siebel CRM | 3 | 2 |
| Oracle Supply Chain | 3 | 0 |
| Oracle Financial Services Applications | 2 | 2 |
| Oracle Analytics | 2 | 0 |
| Oracle Health Sciences Applications | 2 | 1 |
| Oracle MySQL | 2 | 2 |
| Oracle Big Data Spatial and Graph | 1 | 1 |
| Oracle Global Lifecycle Management | 1 | 1 |
| Oracle GoldenGate | 1 | 0 |
| Oracle Graph Server and Client | 1 | 0 |
| Oracle Fusion Middleware | 1 | 0 |
| Oracle HealthCare Applications | 1 | 1 |
| Oracle Hyperion | 1 | 1 |
| Oracle PeopleSoft | 1 | 1 |
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the October 2023 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Oracle Critical Patch Update Advisory - October 2023
- Oracle October 2023 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
