Oracle July 2023 Critical Patch Update Addresses 183 CVEs
Oracle addresses 183 CVEs in its third quarterly update of 2023 with 508 patches, including 76 critical updates.
Background
On July 18, Oracle released its Critical Patch Update (CPU) for July 2023, the third quarterly update of the year. This CPU contains fixes for 183 unique CVEs in 508 security updates across 32 Oracle product families. Out of the 508 security updates published this quarter, 15.0% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 48.4%, followed by medium severity patches at 31.9%.
This quarter’s update includes 76 critical patches across 28 CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 76 | 28 |
| High | 246 | 67 |
| Medium | 162 | 74 |
| Low | 24 | 14 |
| Total | 508 | 183 |
Analysis
This quarter, the Oracle Construction and Engineering product family contained the highest number of patches at 147, accounting for 28.9% of the total patches, followed by Oracle TimeTen in-Memory Database at 77 patches, which accounted for 15.1% of the total patches.
Of the 508 patches in this update, 62 patches address 37 vulnerabilities identified during the period from 2018 - 2021. Of these, 9 patches address 8 CVEs that were given a CVSSv3 score greater than 9. This means legacy vulnerabilities accounted for 12.2% of the total patches and 11.8% of critical patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Authentication |
|---|---|---|
| Oracle Construction and Engineering | 147 | 115 |
| Oracle TimesTen In-Memory Database | 77 | 57 |
| Oracle Enterprise Manager | 60 | 40 |
| Oracle Spatial Studio | 40 | 30 |
| Oracle Financial Services Applications | 32 | 23 |
| Oracle Insurance Applications | 24 | 11 |
| Oracle Siebel CRM | 14 | 12 |
| Oracle Policy Automation | 13 | 11 |
| Oracle MySQL | 11 | 8 |
| Oracle Hospitality Applications | 9 | 8 |
| Oracle Java SE | 9 | 8 |
| Oracle PeopleSoft | 9 | 9 |
| Oracle Secure Backup | 8 | 8 |
| Oracle Communications | 8 | 6 |
| Oracle Commerce | 6 | 5 |
| Oracle Database Server | 5 | 1 |
| Oracle Communications Applications | 5 | 3 |
| Oracle Hyperion | 4 | 3 |
| Oracle Supply Chain | 4 | 2 |
| Oracle Application Express | 3 | 1 |
| Oracle Analytics | 3 | 1 |
| Oracle Health Sciences Applications | 3 | 2 |
| Oracle Big Data Spatial and Graph | 2 | 0 |
| Oracle Essbase | 2 | 1 |
| Oracle Fusion Middleware | 2 | 2 |
| Oracle JD Edwards | 2 | 2 |
| Oracle GoldenGate | 1 | 1 |
| Oracle Graph Server and Client | 1 | 0 |
| Oracle NoSQL Database | 1 | 1 |
| Oracle E-Business Suite | 1 | 1 |
| Oracle Food and Beverage Applications | 1 | 0 |
| Oracle Retail Applications | 1 | 0 |
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the July 2023 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.
Get more information
- Oracle Critical Patch Update Advisory - July 2023
- Oracle July 2023 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Related Articles
Microsoft’s November 2024 Patch Tuesday Addresses 87 CVEs (CVE-2024-43451, CVE-2024-49039)
November 12, 2024Microsoft addresses 87 CVEs and one advisory (ADV240001) in its November 2024 Patch Tuesday release, with four critical vulnerabilities and four zero-day vulnerabilities, including two that were exploited in the wild.
Context Is King: From Vulnerability Management to Exposure Management
November 7, 2024Vulnerability management remains a cornerstone of preventive cybersecurity, but organizations still struggle with vulnerability overload and sophisticated threats. Tenable’s new Exposure Signals gives security teams comprehensive context, so they can shift from vulnerability management to exposure management and effectively prioritize high-risk exposures across their complex attack surface.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
Microsoft’s November 2024 Patch Tuesday Addresses 87 CVEs (CVE-2024-43451, CVE-2024-49039)
November 12, 2024Microsoft addresses 87 CVEs and one advisory (ADV240001) in its November 2024 Patch Tuesday release, with four critical vulnerabilities and four zero-day vulnerabilities, including two that were exploited in the wild.
Cybersecurity Snapshot: CISA Warns of Global Spear-Phishing Threat, While OWASP Releases AI Security Resources
November 8, 2024CISA is warning about a spear-phishing campaign that spreads malicious RDP files. Plus, OWASP is offering guidance about deepfakes and AI security. Meanwhile, cybercriminals have amplified their use of malware for fake software-update attacks. And get the latest on CISA’s international plan, Interpol’s cyber crackdown and ransomware trends.
Context Is King: From Vulnerability Management to Exposure Management
November 7, 2024Vulnerability management remains a cornerstone of preventive cybersecurity, but organizations still struggle with vulnerability overload and sophisticated threats. Tenable’s new Exposure Signals gives security teams comprehensive context, so they can shift from vulnerability management to exposure management and effectively prioritize high-risk exposures across their complex attack surface.
- Exposure Management