Oracle April 2023 Critical Patch Update Addresses 231 CVEs
Oracle addresses 231 CVEs in its second quarterly update of 2023 with 433 patches, including 74 critical updates.
Background
On April 18, Oracle released its Critical Patch Update (CPU) for April 2023, the second quarterly update of the year. This CPU contains fixes for 231 CVEs in 433 security updates across 33 Oracle product families. Out of the 433 security updates published this quarter, 17.1% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 44.6%, followed by medium severity patches at 35.8%.
This quarter’s update includes 74 critical patches across 33 CVEs. The chart below details the severity and CVE counts for this quarter’s security updates.
Issues Patched
CVEs
Critical
74
33
High
193
85
Medium
155
103
Low
11
10
Total
433
231
Analysis
This quarter, the Oracle Commerce product family contained the highest number of patches at 77, accounting for 17.8% of the total patches, followed by Oracle E-Business Suite at 76 patches, which accounted for 17.6% of the total patches.
Of the 433 patches in this update, 80 patches cover 52 CVEs which were identified during the period from 2018 – 2021. Of these, 9 patches address 6 CVEs which were given a CVSSv3 score greater than 9. This means legacy vulnerabilities account for 18.5% of the total patches and 12.2% of critical patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
Number of Patches
Remotely Exploitable without Authentication
Oracle Commerce
77
65
Oracle E-Business Suite
76
59
Oracle Enterprise Manager
49
44
Oracle Java SE
34
11
Oracle MySQL
22
16
Oracle Financial Services Applications
20
12
Oracle TimesTen In-Memory Database
18
13
Oracle Insurance Applications
14
8
Oracle Systems
11
1
Oracle Fusion Middleware
10
3
Oracle Analytics
10
8
Oracle JD Edwards
10
8
Oracle Hyperion
9
9
Oracle iLearning
8
7
Oracle Big Data Spatial and Graph
7
5
Oracle SQL Developer
6
6
Oracle PeopleSoft
6
3
Oracle Siebel CRM
6
0
Oracle Database Server
5
0
Oracle Blockchain Platform
4
4
Oracle Communications Applications
4
3
Oracle Communications
4
0
Oracle Construction and Engineering
4
3
Oracle Supply Chain
4
3
Oracle Hospitality Applications
3
2
Oracle Essbase
2
1
Oracle REST Data Services
2
1
Oracle HealthCare Applications
2
1
Oracle Retail Applications
2
2
Oracle GoldenGate
1
0
Oracle Graph Server and Client
1
0
Oracle NoSQL Database
1
0
Oracle Health Sciences Applications
1
0
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the April 2023 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
Oracle Critical Patch Update Advisory – April 2023
Oracle April 2023 Critical Patch Update Risk Matrices
Oracle Advisory to CVE Map
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about https://www.tenable.com/products/tenable-one“>Tenable One, the Exposure Management Platform for the modern attack surface.
Cyber Exposure Alerts
