Oracle July 2023 Critical Patch Update: Overview

Oracle has released its July 2023 Critical Patch Update (CPU), which includes a staggering 508 new security patches. This update is significant both for the sheer volume of patches and for the critical nature of many of the vulnerabilities it addresses. In this blog post we delve into the specifics of this CPU, focusing on the remotely exploitable vulnerabilities and providing a detailed breakdown of the most critical issues.

Overview of the CPU

The July 2023 CPU addresses vulnerabilities across a wide range of Oracle products; 33% of the security fixes address remotely exploitable vulnerabilities. The Oracle Communications suite has the highest number of remotely exploitable vulnerabilities, with 37 of its 44 vulnerabilities exploitable without user interaction. Other products with a significant number of remotely exploitable vulnerabilities include Oracle MySQL, Oracle Fusion Middleware, and Oracle Retail Applications.

Detailed Breakdown of Remotely Exploitable Vulnerabilities

Here is a detailed analysis of some of the most critical remotely exploitable vulnerabilities addressed in this CPU:

  1. Oracle Database Server: The vulnerability identified as CVE-2023-21893 (NVD), with a CVSS v3.1 score of 7.5, in the Oracle Data Provider for .NET component of Oracle Database Server may be remotely exploitable without authentication. Successful exploitation can result in the takeover of Oracle Data Provider for .NET.
  2. Oracle Essbase: The critical vulnerability identified as CVE-2022-2274 (NVD), with a CVSS v3.1 score of 9.8, in the Essbase Web Platform (OpenSSL) component of Oracle Essbase is easily exploitable remotely without authentication. Successful exploitation can result in a takeover of Oracle Essbase.
  3. Oracle Commerce: The critical vulnerability identified as CVE-2022-22965 (NVD), with a CVSS v3.1 score of 9.8, in the Oracle Commerce Guided Search component of Oracle Commerce is easily exploitable and allows unauthenticated attackers with network access via HTTP to compromise Oracle Commerce Guided Search.
  4. Oracle Communications Applications: The Critical Patch Update for Oracle Communications Applications contains 39 new security patches, 31 of which address vulnerabilities that may be remotely exploitable without authentication.
  5. Oracle Communications: CVE-2022-43403 (NVD) is a vulnerability in the Oracle Communications Cloud Native Core Unified Data Repository product of Oracle Communications. Successful exploitation can result in a takeover of Oracle Communications Cloud Native Core Unified Data Repository.
  6. Oracle Construction and Engineering: CVE-2022-42889 (NVD) is easily exploitable and allows unauthenticated attackers with network access via HTTP to compromise Primavera Gateway.
  7. Oracle E-Business Suite: CVE-2023-21849 (NVD) is a vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite. Successful exploitation can result in unauthorised creation, deletion or modification access to critical data, or to all Oracle Marketing accessible data.
  8. Oracle Enterprise Manager: CVE-2022-42889 (NVD) is a vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager. Successful exploitation can result in a takeover of the Enterprise Manager Base Platform.
  9. Oracle MySQL: The Critical Patch Update contains 37 new security patches for Oracle MySQL, seven of which address vulnerabilities that may be remotely exploitable without authentication.
  10. Oracle Fusion Middleware: The Critical Patch Update for Oracle Fusion Middleware contains 50 new security patches, 40 of which address vulnerabilities that may be remotely exploitable without authentication.

Summary:

The Oracle July 2023 CPU is a significant update that addresses a large number of vulnerabilities across a wide range of products. All Oracle customers should apply these patches as soon as possible, prioritising the remotely exploitable, unauthenticated issues listed above, to mitigate the risk of these vulnerabilities being exploited.

Further Reading:

For more detailed information on the Oracle July 2023 CPU, please refer to the following resources:

  1. Oracle’s Official Advisory
  2. SecurityWeek’s Coverage of the CPU
  3. Qualys Blog Post on Oracle Patch Tuesday April 2023
  4. Qualys Blog Post on Oracle January 2023 CPU