This Oracle Critical Patch Update contains 327 new security patches addressing vulnerabilities in multiple products. Some of the vulnerabilities addressed this month impact several products at once. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. We urge customers to apply these time-sensitive Oracle Critical Patch Updates.
In the Q1 2023 Oracle Critical Patch Update, the Oracle Communications product suite recorded the highest number of patches at 79, constituting 24% of the total patches released. The Oracle Fusion Middleware and Oracle Communications Applications product lines followed, with 50 and 39 patches, respectively, representing 15% and 12% of the total patches issued. Oracle MySQL also received 37 new security updates.
252 of the 327 security patches (about 77%) are for non-Oracle CVEs, i.e. security fixes for issues in third-party products (e.g., open-source components) that are included in, and exploitable in the context of, their Oracle product distributions.
Oracle has released its first quarterly update of 2023, addressing 327 new security patches across 29 product families. The following product families are included:
Oracle Database Server, Oracle Essbase, Oracle GoldenGate, Oracle TimesTen In-Memory Database, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Support Tools, Oracle Systems, Oracle Utilities Applications, Oracle Virtualization, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Food and Beverage Applications, Oracle Fusion Middleware, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL.
Qualys has released eleven (11) QIDs, starting with IP scanning version VULNSIGS-2.5.678-3/VULNSIGS-2.5.680-2 and Linux Cloud Agent manifest version lx_manifest-2.5.678.3-2/lx_manifest-2.5.680.2-1. Should additional QIDs be released, they will be added to the table below as they become available:
| QID | Title |
|---|---|
87530 | Oracle WebLogic Server Multiple Vulnerabilities (CPUJAN2023) |
20318 | Oracle Database 19c Critical Patch Update - January 2023 |
20317 | Oracle Database 21c Critical Patch Update - January 2023 |
20316 | Oracle MySQL January 2023 Critical Patch Update (CPUJAN2023) |
377904 | Oracle Java Standard Edition (SE) Critical Patch Update - January 2023 (CPUJAN2023) |
20319 | Oracle Database 19c Critical OJVM Patch Update - January 2023 |
296093 | Oracle Solaris 11.4 Support Repository Update (SRU) 53.132.2 Missing (CPUJAN2023) |
377907 | Oracle VM VirtualBox Linux Multiple Vulnerabilities (CPUJAN2023) |
377908 | Oracle Coherence January 2023 Critical Patch Update (CPUJAN2023) |
377910 | Oracle MySQL Connectors 8.0.x Denial of Service (DoS) Vulnerability (CPUJAN2023) |
377911 | Oracle Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (CPUJAN2023) |
Customers can scan their network with QIDs 377911, 377910, 377908, 377907, 377904, 87530, 296093, 20319, 20318, 20317, and 20316 to detect vulnerable assets.
The Critical Patch Update for Oracle Database Products contains 9 new security patches. One of these vulnerabilities may be remotely exploitable without authentication.
The vulnerability identified as CVE-2023-21893 (CVSS v3.1 7.5) in the Oracle Data Provider for .NET component of Oracle Database Server may be remotely exploitable without authentication. An attacker with network access via TCPS can exploit this vulnerability over a network, without user credentials, to compromise Oracle Data Provider for .NET.
This vulnerability is difficult to exploit, and successful attacks require human interaction from a person other than the attacker. Successful attacks can result in takeover of Oracle Data Provider for .NET. The Oracle Database Server versions affected by the vulnerability are 19c and 21c. This applies to the Database client only, on the Windows platform.
The Critical Patch Update for Oracle Essbase Products contains 2 new security patches. One of these vulnerabilities may be remotely exploitable without authentication.
The critical vulnerability identified as CVE-2022-2274 (CVSS v3.1 9.8) in the Essbase Web Platform (OpenSSL) component of Oracle Essbase is easily exploitable remotely without authentication. This means that attackers with network access via HTTPS can exploit this vulnerability over a network, without user credentials, to compromise Oracle Essbase. Successful attacks of this vulnerability can result in a takeover of Oracle Essbase. The Oracle Essbase product and version affected by the vulnerability is Oracle Essbase, version 21.4.
The Critical Patch Update for Oracle Commerce contains 2 new security patches. Both these vulnerabilities may be remotely exploitable without authentication.
The critical vulnerability identified as CVE-2022-22965 (CVSS v3.1 9.8) in the Oracle Commerce Guided Search component of Oracle Commerce is easily exploitable and allows unauthenticated attackers with network access via HTTP to compromise Oracle Commerce Guided Search. Successful attacks of this vulnerability can result in a takeover of Oracle Commerce Guided Search. The Oracle Commerce product and version affected by the vulnerability is Oracle Commerce Guided Search, version 11.3.2.
The Critical Patch Update for Oracle Communications Applications contains 39 new security patches, and 31 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS v3.1 Base Score of these vulnerabilities concerning Oracle Communications Applications is 9.8.
The Oracle Communications Applications products and versions affected by vulnerabilities that are addressed in Q1 Oracle Critical Patch Update are:
The Critical Patch Update for Oracle Communications contains 80 new security patches. Of these, 64 vulnerabilities may be remotely exploitable without authentication.
CVE-2022-43403 is a vulnerability in the Oracle Communications Cloud Native Core Unified Data Repository product of Oracle Communications. It has the highest CVSS v3.1 Base Score in this group, 9.9, and is easily exploitable by low-privileged attackers with network access via HTTP to compromise Oracle Communications Cloud Native Core Unified Data Repository. Because the scope is changed for this security bug, attacks may significantly impact additional products. Successful attacks of this security flaw can result in a takeover of Oracle Communications Cloud Native Core Unified Data Repository.
The Oracle Communications products and versions affected by vulnerabilities that are addressed in Q1 2023 Critical Patch Update are:
The Critical Patch Update for Oracle Construction and Engineering contains 7 new security patches, of which 4 may be remotely exploitable without authentication.
CVE-2022-42889, which has the highest CVSS v3.1 Base Score in this group at 9.8, is easily exploitable and allows unauthenticated attackers with network access via HTTP to compromise Primavera Gateway.
The Oracle Construction and Engineering products and versions affected by the vulnerability are Primavera Gateway, versions 18.8.0-18.8.15, 19.12.0-19.12.15, 20.12.0-20.12.10, 21.12.0-21.12.8 and Primavera Unifier, versions 18.8, 19.12, 20.12, 21.12, 22.12.
This Critical Patch Update contains 12 new security patches for Oracle E-Business Suite. Ten of these vulnerabilities may be remotely exploitable without authentication.
CVE-2023-21849 is a vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite. It has the highest CVSS v3.1 Base Score in this group, 7.5, and is easily exploitable by unauthenticated attackers with network access via HTTP to compromise Oracle Marketing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or to all Oracle Marketing accessible data.
The Oracle E-Business Suite products and versions affected by vulnerabilities are Oracle E-Business Suite, versions 12.2.3-12.2.12.
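The affected-version lists above (Primavera Gateway ranges such as 18.8.0-18.8.15, Primavera Unifier point releases, and Oracle E-Business Suite 12.2.3-12.2.12) are what a defender compares an asset inventory against when prioritizing these patches. The following is an added example, not Qualys or Oracle code: it transcribes those ranges from this post into a table and checks constructed inventory entries against them. The inventory lines, host names and the `triage` helper are constructed for illustration; a listed release without a patch level (e.g. Unifier "21.12") is assumed to cover every build of that release, which is an assumption of this example, not a statement from the post.

```python
"""Check installed Oracle product versions against the affected-version
ranges listed in the CPU summary.  Added example; not Qualys or Oracle code."""
from typing import Dict, List, Tuple, Union

Version = Tuple[int, ...]
Entry = Union[str, Tuple[str, str]]  # exact release, or inclusive (low, high) range

# Affected versions transcribed from the post.  A 2-tuple is an inclusive
# range; a bare string is a release listed on its own.
AFFECTED: Dict[str, List[Entry]] = {
    "Primavera Gateway": [
        ("18.8.0", "18.8.15"), ("19.12.0", "19.12.15"),
        ("20.12.0", "20.12.10"), ("21.12.0", "21.12.8"),
    ],
    "Primavera Unifier": ["18.8", "19.12", "20.12", "21.12", "22.12"],
    "Oracle E-Business Suite": [("12.2.3", "12.2.12")],
}


def parse_version(text: str) -> Version:
    """Turn '19.12.3' into (19, 12, 3); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True if `version` falls inside any affected entry for `product`.

    Ranges are compared component-wise and inclusively, so 18.8.15 is affected
    and 18.8.16 is not.  A bare release such as '21.12' is treated as a prefix
    (assumption: it covers 21.12.x builds).  Products absent from the table are
    reported as not affected by this CPU table, not as safe in general.
    """
    installed = parse_version(version)
    for entry in AFFECTED.get(product, []):
        if isinstance(entry, tuple):
            low, high = parse_version(entry[0]), parse_version(entry[1])
            if low <= installed <= high:
                return True
        else:
            release = parse_version(entry)
            if installed[: len(release)] == release:
                return True
    return False


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, bool]]:
    """Annotate (host, product, version) records with an affected flag.
    Malformed version strings are flagged as affected so they get a human look."""
    results = []
    for host, product, version in inventory:
        try:
            flag = is_affected(product, version)
        except ValueError:
            flag = True  # unparsable version: conservatively surface it
        results.append((host, product, version, flag))
    return results


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    ("gw-01.example.test", "Primavera Gateway", "18.8.10"),
    ("gw-02.example.test", "Primavera Gateway", "18.8.16"),
    ("uni-01.example.test", "Primavera Unifier", "21.12.3"),
    ("ebs-01.example.test", "Oracle E-Business Suite", "12.2.12"),
    ("ebs-02.example.test", "Oracle E-Business Suite", "12.2.13"),
]

if __name__ == "__main__":
    for host, product, version, flag in triage(SAMPLE_INVENTORY):
        print(f"{host:22} {product:26} {version:10} {'AFFECTED' if flag else 'ok'}")
```

Run stand-alone, the script prints one line per inventory record; in practice the table would be loaded from the vendor advisory and the inventory from a CMDB or scanner export rather than embedded.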
The Critical Patch Update contains three new security patches for Oracle E-Business Suite. Two of these vulnerabilities may be remotely exploitable without authentication.
CVE-2022-42889 is a vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager. It has the highest CVSS v3.1 Base Score in this group, 9.8, and is easily exploitable by unauthenticated attackers with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in a takeover of Enterprise Manager Base Platform.
The Oracle Enterprise Manager products and versions affected by vulnerabilities are Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0 and Enterprise Manager Ops Center, version 12.4.0.0.
This Critical Patch Update for Oracle Financial Services Applications contains 12 new security patches. Eight of these vulnerabilities may be remotely exploitable without authentication.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Financial Services Applications is 9.8.
The Oracle Financial Services Applications products and versions affected by vulnerabilities are Oracle Banking Enterprise Default Management, versions 2.6.2, 2.7.1, 2.12.0, Oracle Banking Loans Servicing, versions 2.8.0, 2.12.0, Oracle Banking Party Management, version 2.7.0, Oracle Banking Platform, versions 2.6.2, 2.7.1, 2.12.0, Oracle Financial Services Crime and Compliance Management Studio, version 8.0.8.3.1.
This Critical Patch Update for Oracle Food and Beverage Applications contains seven new security patches. Two of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Food and Beverage Applications is 8.3.
The Oracle Food and Beverage Applications products and versions affected by vulnerabilities are Oracle Hospitality Gift and Loyalty, version 9.1.0, Oracle Hospitality Labor Management, version 9.1.0, Oracle Hospitality Reporting and Analytics, version 9.1.0, Oracle Hospitality Simphony, versions 18.2.11, 19.3.4.
The Critical Patch Update for Oracle Fusion Middleware contains 50 new security patches. Forty of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Fusion Middleware is 9.8.
The Oracle Fusion Middleware products and versions affected by vulnerabilities are:
The Critical Patch Update contains 37 new security patches for Oracle MySQL. Seven of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.8.
The Oracle MySQL products and versions affected by vulnerabilities are:
The rest of the Oracle products, with their number of new security updates along with their highest CVSS v3.1 scores, are as follows:
Note that later today we will update this blog with our QID coverage, Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR) and Rapid Response with Patch Management (PM) content.
Qualys and Oracle both advise customers to stay on actively supported versions and apply all security patches promptly.