Oracle October 2023 Critical Patch Update Addresses 176 CVEs
Oracle addresses 176 CVEs in its fourth quarterly update of 2023 with 387 patches, including 46 critical updates.
Background
On October 17, Oracle released its Critical Patch Update (CPU) for October 2023, the fourth and final quarterly update of the year. This CPU contains fixes for 176 CVEs in 387 security updates across 30 Oracle product families. Out of the 387 security updates published this quarter, 11.9% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 48.8%, followed by high severity patches at 37.5%.
This quarter’s update includes 46 critical patches across 19 CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 46 | 19 |
| High | 145 | 63 |
| Medium | 189 | 88 |
| Low | 7 | 6 |
| Total | 387 | 176 |
Analysis
This quarter, the Oracle Construction and Engineering product family contained the highest number of patches at 103, accounting for 26.6% of the total patches, followed by Oracle TimesTen In-Memory Database at 91 patches, which accounted for 23.5% of the total patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|---|---|---|
| Oracle Construction and Engineering | 103 | 49 |
| Oracle TimesTen In-Memory Database | 91 | 60 |
| Oracle E-Business Suite | 46 | 35 |
| Oracle Insurance Applications | 37 | 9 |
| Oracle Enterprise Manager | 16 | 11 |
| Oracle JD Edwards | 15 | 9 |
| Oracle Database Server | 10 | 2 |
| Oracle Secure Backup | 9 | 4 |
| Oracle Essbase | 6 | 3 |
| Oracle REST Data Services | 6 | 5 |
| Oracle Communications | 5 | 5 |
| Oracle Hospitality Applications | 5 | 5 |
| Oracle Java SE | 5 | 3 |
| Oracle Commerce | 4 | 1 |
| Oracle Communications Applications | 4 | 3 |
| Oracle Retail Applications | 3 | 2 |
| Oracle Siebel CRM | 3 | 2 |
| Oracle Supply Chain | 3 | 0 |
| Oracle Financial Services Applications | 2 | 2 |
| Oracle Analytics | 2 | 0 |
| Oracle Health Sciences Applications | 2 | 1 |
| Oracle MySQL | 2 | 2 |
| Oracle Big Data Spatial and Graph | 1 | 1 |
| Oracle Global Lifecycle Management | 1 | 1 |
| Oracle GoldenGate | 1 | 0 |
| Oracle Graph Server and Client | 1 | 0 |
| Oracle Fusion Middleware | 1 | 0 |
| Oracle HealthCare Applications | 1 | 1 |
| Oracle Hyperion | 1 | 1 |
| Oracle PeopleSoft | 1 | 1 |
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the October 2023 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Oracle Critical Patch Update Advisory - October 2023
- Oracle October 2023 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Related Articles
Cybersecurity Snapshot: Latest MITRE ATT&CK Update Offers Security Insights on GenAI, Identity, Cloud and CI/CD
April 26, 2024Check out what’s new in Version 15 of the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures. Plus, learn the latest details about the Change Healthcare breach, including the massive scope of the data exfiltration. In addition, why AI cyberthreats aren’t impacting CISOs’ budgets. And much more!
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
Cybersecurity Snapshot: Latest MITRE ATT&CK Update Offers Security Insights on GenAI, Identity, Cloud and CI/CD
April 26, 2024Check out what’s new in Version 15 of the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures. Plus, learn the latest details about the Change Healthcare breach, including the massive scope of the data exfiltration. In addition, why AI cyberthreats aren’t impacting CISOs’ budgets. And much more!
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
- Exposure Management