On October 17, 2023, Oracle released its quarterly Critical Patch Update Advisory. This comprehensive advisory contains details about 387 new security patches across the various Oracle product families. Among them are some serious vulnerabilities, with a CVSS base score of 9.0 or higher, that can be exploited remotely over the network. The entire advisory can be found at CPU October 2023. In this blog post, we will focus on the products that are relevant to my ongoing projects. Let’s take a closer look at them.
Oracle Database
For the Oracle Database there are security patches for 10 vulnerabilities in the current update. Two of these can be exploited remotely without authentication. None of them affect client-only installations, i.e. the security patches apply only to the database server. The highest CVSS base score is 6.5, so this patch update is only moderately rated. Nevertheless, it makes sense to patch the database environments promptly.
The essential database patches and release updates:
- Database Release Update 21.12.0.0.231017, Patch 35740258
- Oracle 21c JDK8u391, Patch 35638302
- Database Release Update 19.21.0.0.231017, Patch 35643107 for Linux
- OJVM Release Update 19.21.0.0.231017, Patch 35648110 for all platforms
- Oracle 19c JDK8u391, Patch 35638318
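As an added example (this is not code from the original post), here is a small POSIX shell check that verifies whether the 19c patches listed above, the Database Release Update 35643107 and the OJVM Release Update 35648110, are present in an Oracle Home by parsing the output of opatch lspatches. The "patchid;description" line format and the sample opatch output embedded in the script are assumptions for the offline demo; when ORACLE_HOME points at a real home with OPatch, the script calls the real opatch instead.

```shell
#!/bin/sh
# Added example, not from the original post: check whether the October 2023
# 19c Database Release Update and OJVM Release Update are applied to an
# Oracle Home, by parsing "opatch lspatches" output.
# Assumption: opatch lspatches prints one "<patchid>;<description>" line per
# applied patch. SAMPLE_LSPATCHES below is constructed sample output.

# Patch IDs from the CPU October 2023 list above (19c, Linux).
EXPECTED_19C_PATCHES="35643107 35648110"

# Constructed sample of "opatch lspatches" output: RU applied, OJVM RU missing.
SAMPLE_LSPATCHES='35643107;Database Release Update : 19.21.0.0.231017 (35643107)
29585399;OCW RELEASE UPDATE 19.3.0.0.0 (29585399)
OPatch succeeded.'

# get_lspatches: print "opatch lspatches" output for the Oracle Home in $1,
# or the constructed sample when no usable home is given (offline demo).
get_lspatches() {
  if [ -n "$1" ] && [ -x "$1/OPatch/opatch" ]; then
    "$1/OPatch/opatch" lspatches
  else
    printf '%s\n' "$SAMPLE_LSPATCHES"
  fi
}

# missing_patches: read lspatches output on stdin and print every expected
# patch ID (space-separated list in $1) that is NOT applied, one per line.
missing_patches() {
  expected="$1"
  # Keep only the leading numeric patch ID of "<id>;<description>" lines.
  applied=$(sed -n 's/^\([0-9][0-9]*\);.*/\1/p')
  for id in $expected; do
    found=0
    for a in $applied; do
      [ "$a" = "$id" ] && found=1 && break
    done
    [ "$found" -eq 0 ] && echo "$id"
  done
  return 0
}

# check_home: print a verdict per patch; return 0 only if all expected
# patches are applied to the Oracle Home in $1, otherwise 1.
check_home() {
  home="$1"
  missing=$(get_lspatches "$home" | missing_patches "$EXPECTED_19C_PATCHES")
  if [ -z "$missing" ]; then
    echo "OK: all expected CPU October 2023 patches applied"
    return 0
  fi
  for id in $missing; do
    echo "MISSING: patch $id not found in opatch lspatches output"
  done
  return 1
}

# Demo run: uses the real OPatch if ORACLE_HOME is set, else the sample.
check_home "${ORACLE_HOME:-}" || true
```

Note that opatch lspatches only tells you what is applied to the binaries in the Oracle Home; after datapatch has run, the registration of the RU and OJVM RU in each database should also be confirmed from dba_registry_sqlpatch, otherwise a home can look patched while a database opened from it still runs the old SQL-level code.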
Fusion Middleware
Do I really need to mention Fusion Middleware? As always, there are relatively many and very critical security vulnerabilities: 46 in total, 35 of which can be exploited remotely without authentication. So better patch yesterday than tomorrow.
For me, the security updates for WebLogic Server and Oracle Unified Directory are particularly relevant in this context. The whole bouquet of patches can be found in Oracle Support Document 2806740.2.
- Oracle Unified Directory 12.2.1.4.0: expected to be released on October 20, see Oracle Support Document 2640772.1
- Oracle WebLogic Server 14.1.1.0 and 12.2.1.4: see Oracle Support Document 2806740.2
What Else?
As always, the list is very long. Despite all kinds of summaries, blog posts, reports, etc., you can’t avoid studying the Oracle Critical Patch Update Advisory and checking the patches for your specific products. Products like Oracle Enterprise Manager, which combine several components, need particular care: you have to apply the patch updates for the Oracle Enterprise Manager Base Platform as well as for WebLogic Server, the repository database, etc.
Conclusion
Is it necessary to consider the Critical Patch Update and install the patches? In short, yes. As Miss Sophie used to say in Dinner for One, ‘Same procedure as every year, James.’
Cheerio, and happy patching!
The essential Links
- Oracle Critical Patch Update Advisory – October 2023
- Oracle Support Document 2962256.1 October 2023 Critical Patch Update – Executive Summary and Analysis
- Oracle Support Document 2966413.1 Critical Patch Update (CPU) Program Oct 2023 Patch Availability Document (DB-only)
- Oracle Support Document 2978467.2 Fusion Middleware Critical Patch Update (CPU) Program October 2023 Patch Availability Document (PAD)
- Oracle Support Document 2806740.2 Critical Patch Update (CPU) Patch Advisor for Oracle Fusion Middleware – Updated for October 2023
- Critical Patch Updates, Security Alerts and Bulletins
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
- CVE IDs by MITRE
- Wikipedia, Dinner for One, “Same procedure as every year, James”: somehow a very popular catchphrase in Germany, Switzerland, …