On January 18, Oracle unveiled its first quarterly Critical Patch Update Advisory of the year. This advisory, a pivotal resource for Oracle users, details an array of 389 new security patches across various Oracle product families. This update includes several high-severity vulnerabilities, notably those that can be exploited remotely over the network, with some having a CVSS rating of 9 or above. The complete advisory is accessible at CPU January 2024. In this post, I’ll delve into the updates pertinent to my current projects, offering insights on what to expect.
Oracle Database
This update contains security patches that fix 3 vulnerabilities in the Oracle database. These are not vulnerabilities that can be exploited remotely without authentication. It is important to note that these vulnerabilities do not affect client-only installations, i.e. the patches are specifically intended for the database server. The most critical of these vulnerabilities has a CVSS rating of 6.5, which classifies the update as non-urgent. Nevertheless, it is advisable to apply these patches promptly to ensure the continued security of the database.
The essential database patches and release updates:
- Database Release Update 21.13.0.0.0 Patch ID 36041222
- Oracle JDK Bundle Patch 21.0.0.0.240116 Patch ID 35949081
- Database Release Update 19.22.0.0.240116 Patch ID 35943157 for Linux
- OJVM Release Update 19.22.0.0.240116 Patch ID 35926646 for all platforms
- Oracle JDK Bundle Patch 19.0.0.0.240116 Patch ID 35949090
- Latest OPatch version 12.2.0.1.40 or higher, Patch ID 6880880
The patches for Oracle Database on Linux x86-64 are available immediately. For other platforms, such as Linux ARM and Windows, the patches are released step by step over the next few days. The detailed schedule and further information can be found in the Oracle support document 2986269.1, Critical Patch Update (CPU) Program Jan 2024 Patch Availability Document (DB-only).
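A small verification script for the list above, added here as an example and not part of the original post: it parses the output of `opatch lspatches` and `opatch version` (fed in from constructed sample text) and reports whether the 19.22 Database RU and OJVM RU listed above are installed and whether OPatch meets the 12.2.0.1.40 minimum. The sample patch inventory and the placeholder patch ID 11111111 are constructed for the demo.

```shell
#!/bin/sh
# Check an ORACLE_HOME for the January 2024 DB patches and the OPatch minimum.
# Patch IDs come from the post; everything under SAMPLE_* is constructed input.

REQUIRED_PATCHES="35943157 35926646"   # 19.22 DB RU and OJVM RU (Linux)
MIN_OPATCH="12.2.0.1.40"

# version_ge A B: returns 0 when dotted version A >= B, compared field by field
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# missing_patches: reads `opatch lspatches` lines (patchid;description) on stdin,
# prints each required patch ID that is absent and returns 1 if any is missing
missing_patches() {
    installed=$(cut -d';' -f1)
    rc=0
    for p in $REQUIRED_PATCHES; do
        echo "$installed" | grep -qx "$p" || { echo "$p"; rc=1; }
    done
    return $rc
}

# opatch_ok: reads `opatch version` output on stdin, returns 0 if >= MIN_OPATCH
opatch_ok() {
    v=$(sed -n 's/^OPatch Version: *//p')
    version_ge "$v" "$MIN_OPATCH"
}

# Constructed sample: DB RU present, OJVM RU missing, OPatch exactly at minimum
SAMPLE_LSPATCHES='35943157;Database Release Update : 19.22.0.0.240116 (35943157)
11111111;Some other patch (constructed placeholder)'
SAMPLE_OPATCH_VERSION='OPatch Version: 12.2.0.1.40

OPatch succeeded.'

# Demo run against the sample; on a real host pipe in the live commands instead:
#   $ORACLE_HOME/OPatch/opatch version | opatch_ok
#   $ORACLE_HOME/OPatch/opatch lspatches | missing_patches
if printf '%s\n' "$SAMPLE_OPATCH_VERSION" | opatch_ok; then echo "OPatch ok"; else echo "OPatch too old"; fi
if m=$(printf '%s\n' "$SAMPLE_LSPATCHES" | missing_patches); then echo "all required patches installed"; else echo "missing: $m"; fi
```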
A side note: Oracle Database 23c will also receive a targeted patch in this cycle. It is important to note that this patch is not a full release update. Instead, it specifically addresses the security fixes from the October 2023 and January 2024 advisories and currently only applies to the cloud database version of Oracle Database 23c.
Fusion Middleware
As far as Fusion Middleware is concerned, the situation is unchanged compared to previous updates. This update fixes 39 vulnerabilities, 29 of which can be exploited remotely without any form of authentication. The urgency of installing these patches cannot be overstated.
I will focus here on the security updates for WebLogic Server. There is no security update for Oracle Unified Directory included in this Critical Patch Update. The full range of patches is listed in the Oracle support document 2806740.2.
- Oracle WebLogic Server Patch Bundle 14.1.1.0.240111 Patch ID 36178511
- Oracle WebLogic Server Patch Bundle 12.2.1.4.240111 Patch ID 36178496
- OPatch NextGen 13.9.4.2.14 Patch ID 28186730
What Else?
The update is very comprehensive and covers a wide range of Oracle products. While summaries, blog posts and reports provide an overview, it is essential to read the Oracle Critical Patch Update Advisory thoroughly and evaluate the patches relevant to your specific Oracle products. This is especially important for multi-component products such as Oracle Enterprise Manager where patch updates need to be applied to the base platform, WebLogic Server, repository database, etc.
Conclusion
Patches for Linux x86-64 are now available with the latest Oracle Critical Patch Update. Other platforms such as Linux ARM and Windows will receive the updates in the next few days (details in the Oracle support document 2986269.1). My tests confirm that these patches are successfully installed and ensure reliable updates.
The urgency of the Oracle Database patches is moderate, with the highest vulnerability rated CVSS 6.5, so they can be scheduled rather than rushed. The patches for Oracle Fusion Middleware, however, require immediate action because of their severity and remote exploitability, which is why they should be prioritized.
In summary, while the urgency varies by Oracle product, prompt and vigilant application of patches remains critical to maintaining secure and efficient Oracle environments.
The essential links
- Oracle Critical Patch Update Advisory – January 2024
- Oracle Support Document 2980981.1 January 2024 Critical Patch Update – Executive Summary and Analysis
- Oracle Support Document 2986269.1 Critical Patch Update (CPU) Program Jan 2024 Patch Availability Document (DB-only)
- Oracle Support Document 2991923.2 Fusion Middleware Critical Patch Update (CPU) Program January 2024 Patch Availability Document (PAD)
- Oracle Support Document 2806740.2 Critical Patch Update (CPU) Patch Advisor for Oracle Fusion Middleware – Updated for January 2024
- Critical Patch Updates, Security Alerts and Bulletins
- Use of Common Vulnerability Scoring System (CVSS) by Oracle