Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Background
On April 16, Oracle released its Critical Patch Update (CPU) for April 2024, the second quarterly update of the year. This CPU contains fixes for 239 CVEs in 441 security updates across 30 Oracle product families. Out of the 441 security updates published this quarter, 8.6% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 44.4%, followed by high severity patches at 42.6%.
This quarter’s update includes 38 critical patches across 21 CVEs.
Severity | Issues Patched | CVEs |
---|---|---|
Critical | 38 | 21 |
High | 188 | 79 |
Medium | 196 | 122 |
Low | 19 | 17 |
Total | 441 | 239 |
Analysis
This quarter, the Oracle Commerce product family contained the highest number of patches at 93, accounting for 21.1% of the total patches, followed by Oracle Financial Services Applications at 51 patches, which accounted for 11.6% of the total patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
Oracle Product Family | Number of Patches | Remote Exploit without Authentication |
---|---|---|
Oracle Commerce | 93 | 71 |
Oracle Financial Services Applications | 51 | 35 |
Oracle E-Business Suite | 49 | 30 |
Oracle Communications | 47 | 43 |
Oracle Insurance Applications | 36 | 9 |
Oracle Supply Chain | 22 | 16 |
Oracle TimesTen In-Memory Database | 14 | 10 |
Oracle Hyperion | 13 | 10 |
Oracle Systems | 13 | 1 |
Oracle Food and Beverage Applications | 12 | 5 |
Oracle Construction and Engineering | 11 | 7 |
Oracle Java SE | 10 | 5 |
Oracle MySQL | 10 | 9 |
Oracle Database Server | 8 | 3 |
Oracle GoldenGate | 8 | 6 |
Oracle Communications Applications | 7 | 4 |
Oracle Hospitality Applications | 6 | 2 |
Oracle Retail Applications | 6 | 3 |
Oracle Siebel CRM | 6 | 6 |
Oracle Enterprise Manager | 4 | 2 |
Oracle Analytics | 3 | 1 |
Oracle Fusion Middleware | 2 | 0 |
Oracle HealthCare Applications | 2 | 0 |
Oracle Support Tools | 2 | 2 |
Oracle Autonomous Health Framework | 1 | 1 |
Oracle Big Data Spatial and Graph | 1 | 1 |
Oracle Essbase | 1 | 1 |
Oracle Global Lifecycle Management | 1 | 1 |
Oracle Health Sciences Applications | 1 | 1 |
Oracle PeopleSoft | 1 | 0 |
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the April 2024 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Oracle Critical Patch Update Advisory - April 2024
- Oracle April 2024 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.