Oracle addresses 191 CVEs in its first quarterly update of 2024 with 389 patches, including 37 critical updates.
Background
On January 16, Oracle released its Critical Patch Update (CPU) for January 2024, the first quarterly update of the year. This CPU contains fixes for 191 CVEs in 389 security updates across 26 Oracle product families. Of the 389 security updates published this quarter, 9.5% were assigned a critical severity. High severity patches accounted for the bulk of the updates at 49.4%, followed by medium severity patches at 36.2%.
This quarter’s update includes 37 critical patches across 17 CVEs.
Severity | Issues Patched | CVEs |
---|---|---|
Critical | 37 | 17 |
High | 192 | 67 |
Medium | 141 | 91 |
Low | 19 | 16 |
Total | 389 | 191 |
Analysis
This quarter, the Oracle Communications Applications product family contained the highest number of patches at 71, accounting for 18.3% of the total patches, followed by Oracle Secure Backup at 55 patches, which accounted for 14.1% of the total patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
Oracle Product Family | Number of Patches | Remote Exploit without Auth |
---|---|---|
Oracle Communications Applications | 71 | 54 |
Oracle Secure Backup | 55 | 43 |
Oracle REST Data Services | 43 | 25 |
Oracle Fusion Middleware | 40 | 12 |
Oracle Communications | 39 | 29 |
Oracle TimesTen In-Memory Database | 19 | 14 |
Oracle Construction and Engineering | 17 | 11 |
Oracle Enterprise Manager | 13 | 11 |
Oracle Commerce | 12 | 11 |
Oracle E-Business Suite | 11 | 10 |
Oracle Financial Services Applications | 9 | 6 |
Oracle MySQL | 9 | 3 |
Oracle PeopleSoft | 7 | 3 |
Oracle SQL Developer | 6 | 2 |
Oracle Hyperion | 6 | 5 |
Oracle JD Edwards | 6 | 4 |
Oracle Audit Vault and Database Firewall | 5 | 1 |
Oracle NoSQL Database | 5 | 4 |
Oracle Analytics | 4 | 2 |
Oracle Database Server | 3 | 0 |
Oracle Essbase | 3 | 2 |
Oracle Java SE | 2 | 2 |
Oracle Big Data Spatial and Graph | 1 | 1 |
Oracle Global Lifecycle Management | 1 | 1 |
Oracle GoldenGate | 1 | 1 |
Oracle Graph Server and Client | 1 | 0 |
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the January 2024 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Oracle Critical Patch Update Advisory - January 2024
- Oracle January 2024 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map