Oracle Critical Patch Update, October 2024 Security Update Review

Oracle released the last quarterly edition of this year’s Critical Patch Update. The update contains patches for 334 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.

In this quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 100, constituting about 30% of the total patches released. Oracle MySQL and Oracle Fusion Middleware followed, with 45 and 32 security patches, respectively.

244 of the 334 security patches provided by the October Critical Patch Update (about 73%) are for non-Oracle CVEs, such as open-source components included and exploitable in the context of their Oracle product distributions. This batch of security patches contains 26 updates for Oracle Database products. The following is the product-wise distribution:

  • Six new security updates for Oracle Database Server with a maximum reported CVSS Base Score of 5.3.
      • One of these updates applies to client-only deployments of the Oracle Database.
  • Three new security updates for Oracle Application Express with a maximum reported CVSS Base Score of 6.3.
  • Seven new security updates for the Oracle Blockchain Platform with a maximum reported CVSS Base Score of 7.5.
  • One new security update for Oracle Essbase with a maximum reported CVSS Base Score of 6.5.
  • Four new security updates for Oracle GoldenGate with a maximum reported CVSS Base Score of 5.3.
  • One new security update for Oracle NoSQL Database with a maximum reported CVSS Base Score of 4.3.
  • Two new security updates for Oracle Secure Backup with a maximum reported CVSS Base Score of 7.5.
  • One new security update for Oracle SQL Developer with a maximum reported CVSS Base Score of 5.9.

In these security updates, Oracle has covered product families including Oracle Database Server, Oracle Application Express, Oracle Blockchain Platform, Oracle Essbase, Oracle GoldenGate, Oracle NoSQL Database, Oracle Secure Backup, Oracle SQL Developer, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Food and Beverage Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Hospitality Applications, Oracle Hyperion, Oracle Java SE, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.

Qualys QID Coverage

Qualys has released five QIDs mentioned in the table below:

QIDs Title
20449 Oracle MySQL Server October 2024 Critical Patch Update (CPUOCT2024)
20447 Oracle Database 21c Critical Patch Update – October 2024
20446 Oracle Database 19c Critical OJVM Patch Update – October 2024
20445 Oracle Database 19c Critical Patch Update – October 2024
87559 Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2024)
380714 Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUOCT2024)
380712 Oracle MySQL Connectors Multiple Vulnerabilities (CPUOCT2024)
380710 Oracle Hypertext Transfer Protocol (HTTP) Server Denial of Service (DoS) Vulnerabilities (CPUOCT2024)
380707 Oracle Java Standard Edition (SE) Critical Patch Update – October 2024 (CPUOCT2024)
296118 Oracle Solaris 11.4 Support Repository Update (SRU) 74.176.3 Missing (CPUOCT2024)

Note: The table will be updated with the additional QIDs once released.

Notable Oracle Vulnerabilities Patched

Oracle Communications

This Critical Patch Update for Oracle Communications contains 100 security patches. Out of these, 81 vulnerabilities can be exploited over a network without user credentials.

CVE-2024-45492, CVE-2023-38408, CVE-2024-4577, CVE-2023-6816, CVE-2022-2068, CVE-2024-37371, CVE-2024-29736, and CVE-2022-36760 in different Oracle Communications products have critical severity ratings. In a low-complexity network attack, a remote attacker may exploit these vulnerabilities without privileges.

Oracle MySQL

This Critical Patch Update for Oracle MySQL contains 45 security patches. Out of these, 12 vulnerabilities can be exploited over a network without user credentials.

CVE-2024-37371 and CVE-2024-5535 in different Oracle MySQL products have critical severity ratings with a CVSS score of 9.1. In a low-complexity network attack, a remote attacker may exploit these vulnerabilities without privileges.

Oracle Fusion Middleware

This Critical Patch Update for Oracle Fusion Middleware contains 32 security patches. Out of these, 12 vulnerabilities can be exploited over a network without user credentials.

CVE-2024-28752, CVE-2024-21216, and CVE-2024-45492 in different Oracle Fusion Middleware products have critical severity ratings. In a low-complexity network attack, a remote attacker may exploit these vulnerabilities without privileges. 

Oracle Financial Services Applications

This Critical Patch Update for Oracle Financial Services Applications contains 20 security patches. Out of these, 15 vulnerabilities can be exploited over a network without user credentials.

CVE-2024-5535 in Oracle Banking Cash Management and Oracle Banking Supply Chain Finance has a critical severity rating. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.

Oracle Communications Applications

This Critical Patch Update for Oracle Communications Applications contains 13 security patches. Out of these, 10 vulnerabilities can be exploited over a network without user credentials.

CVE-2024-45492 in the Core (LibExpat) component of Oracle Communications Unified Assurance has a critical severity rating with a CVSS score of 9.8. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.

Oracle Commerce

This Critical Patch Update for Oracle Commerce contains nine security patches. Out of these, five vulnerabilities can be exploited over a network without user credentials.

CVE-2022-46337 in the Workbench (Apache Derby) component of Oracle Commerce Guided Search has a critical severity rating with a CVSS score of 9.8. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.

Oracle Enterprise Manager

This Critical Patch Update for Oracle Enterprise Manager contains seven security patches. Out of these, three vulnerabilities can be exploited over a network without user credentials.

CVE-2022-34381 in the Agent Next Gen (BSAFE Crypto-J) component of the Oracle Enterprise Manager Base Platform has a critical severity rating with a CVSS score of 9.8. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.

Oracle Analytics

This Critical Patch Update for Oracle Analytics contains 12 security patches. Out of these, seven vulnerabilities can be exploited over a network without user credentials.

CVE-2022-23305 and CVE-2023-38545 in different components of Oracle Business Intelligence Enterprise Edition have critical severity ratings with a CVSS score of 9.8. A remote attacker may exploit these vulnerabilities without privileges in a low-complexity network attack.

Oracle Systems

This Critical Patch Update for Oracle Systems contains seven security patches. Out of these, five vulnerabilities can be exploited over a network without user credentials.

CVE-2022-46337 in the Tools (Apache Derby) component of Oracle Solaris Cluster has a critical severity rating with a CVSS score of 9.8. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.

Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)

Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledgebase (KB).

You can list all of your hosts impacted by these vulnerabilities using the following QQL query:

vulnerabilities.vulnerability.qid: 20449 or 20447 or 20446 or 20445 or 87559 or 380714 or 380712 or 380710 or 380707 or 296118

Visit the Oracle Critical Patch Update October 2024 (CPUOCT2024) page for a description of each vulnerability and the systems it affects.

Customers can scan their network with QIDs 20449, 20447, 20446, 20445, 87559, 380712, 380710, 380707, 296118, and 380714 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References:

https://www.oracle.com/security-alerts/cpuoct2024.html
