
Oracle's April 2023 Security Update Review for Patch Tuesday

Oracle has released the April 2023 Oracle Critical Patch Update, addressing a total of 433 security flaws in this latest release.


Oracle has released its Q2 2023 Critical Patch Update, focusing on addressing vulnerabilities in various Oracle products. This update includes a total of 433 security patches, with a significant number of them addressing issues in third-party components.

The product family with the most updates is Oracle Communications, which receives 77 patches, accounting for 17% of the total. Within Oracle Communications, IP Service Activator, Order and Service Management, Unified Assurance, Unified Inventory Management, Convergent Charging Controller, and Network Charging and Control are among the affected products. Notably, CVE-2022-43401 and CVE-2022-43402 in Oracle Communications carry the highest CVSS v3.1 Base Score in this family, 9.9.

Oracle Database Server components affected by vulnerabilities include Java VM, OML4PY (Python), Recovery Manager, Workload Manager (Apache Commons FileUpload), and Spatial and Graph (Apache Commons FileUpload), across several versions. Oracle Database Server contains five new security patches, one of which may be remotely exploitable without authentication.

Oracle Fusion Middleware products with vulnerabilities include SOA Suite, JDeveloper, HTTP Server, Data Integrator, Access Manager, Identity Manager, Outside In Technology, WebCenter Portal, Managed File Transfer, Coherence, Business Process Management Suite, Middleware Common Libraries and Tools, and WebLogic Server, across several versions. CVE-2022-45047, CVE-2022-22965, CVE-2022-37434, CVE-2022-33980, and CVE-2022-29599 in Oracle Fusion Middleware carry the highest CVSS v3.1 Base Score in this family, 9.8.

The Oracle E-Business Suite products and versions affected by vulnerabilities are Oracle iReceivables, versions 12.2.3 to 12.2.12; Oracle iProcurement, versions 12.2.3 to 12.2.12; Oracle User Management, versions 12.2.3 to 12.2.12; and Oracle Application Object Library, versions 12.2.3 to 12.2.11. The Critical Patch Update for Oracle E-Business Suite contains four new security patches, none of which may be remotely exploitable without authentication, and the highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle E-Business Suite is 6.5.

Oracle Essbase contains four new security patches, all of which may be remotely exploitable without authentication. Oracle MySQL receives 34 new security patches. The Oracle MySQL products affected by vulnerabilities include MySQL Cluster, Connectors, Enterprise Monitor, and Server, across several versions; CVE-2022-37434 in Oracle MySQL carries the highest CVSS v3.1 Base Score in this family, 9.8.

The Oracle Essbase products affected by vulnerabilities are Oracle Essbase Build (OpenSSL), version 21.4, and Oracle Essbase Security and Provisioning, version 21.4. The Critical Patch Update for Oracle Essbase does not specify the affected versions in more detail.

The Critical Patch Update for Oracle Enterprise Manager contains four new security patches, three of which may be remotely exploitable without authentication, and the highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Enterprise Manager is 7.5. The Oracle Enterprise Manager products and versions affected by vulnerabilities are Oracle Application Testing Suite, version 13.3.0.1, and Oracle Enterprise Manager Ops Center, version 12.4.0.0.

The Critical Patch Update for Oracle Commerce contains six new security patches, all of which may be remotely exploitable without authentication. The Oracle Commerce products and versions affected by vulnerabilities are Oracle Commerce Guided Search, version 11.3.2, and Oracle Commerce Platform, versions 11.3.0, 11.3.1, and 11.3.2.

The Critical Patch Update for Oracle Construction and Engineering contains four new security patches, three of which may be remotely exploitable without authentication. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Construction and Engineering is 9.8; CVE-2022-27404, which carries that score, can be exploited in low-complexity attacks by an attacker with network access via HTTP.

79% of the security patches are for non-Oracle CVEs, that is, for vulnerabilities in third-party components bundled with Oracle products. The update does not state how many of the Oracle products listed in the Q2 2023 Critical Patch Update include at least one security patch with a CVSS v3.1 Base Score of 9.8 or higher.

Oracle Financial Services Applications and Oracle Fusion Middleware receive 76 and 49 patches, respectively. However, the specific Oracle Financial Services Applications products and versions affected by vulnerabilities, as well as the affected versions within the Oracle Communications product suite, are not specified in the update.

Users are advised to apply these updates as soon as possible to mitigate potential risks. For more detailed information and instructions, users should refer to the Oracle Critical Patch Update documentation.
