What are some of the critical vulnerabilities fixed in Oracle's July 2024 CPU?

Some of the critical vulnerabilities fixed include CVE-2022-34381, CVE-2024-23897, CVE-2023-37920, and CVE-2022-48174, among others, with CVSS scores of 9.8.

Which versions of Oracle Communications Billing and Revenue Management are impacted by CVE-2022-34381?

Versions 12.0.0.4.0-12.0.0.8.0 and 15.0.0.0.0 of Oracle Communications Billing and Revenue Management are impacted by CVE-2022-34381.

What should customers do in response to the vulnerabilities addressed in the Oracle July 2024 CPU?

Oracle strongly advises customers to apply the patches promptly as threat actors often exploit known vulnerabilities for which patches have been released.

Which Oracle product received the most patches in the July 2024 CPU?

Oracle Communications received the most patches, with a total of 95 patches.

How many patches were released for Oracle Financial Services Applications?

A total of 60 patches were released for Oracle Financial Services Applications.

Which other products received patches in Oracle's July 2024 CPU?

Other products receiving patches include Fusion Middleware, MySQL, Communications Applications, Analytics, Siebel CRM, PeopleSoft, Insurance Applications, E-Business Suite, JD Edwards, Database Server, Commerce, Java SE, Supply Chain, Application Express, Essbase, GoldenGate, NoSQL Database, REST Data Services, TimesTen In-Memory Database, Construction and Engineering, Enterprise Manager, HealthCare Applications, Hyperion, Retail Applications, Systems, Utilities Applications, and Virtualization.

Advisory

Oracle releases hundreds of patches in a massive July 2024 Critical Patch Update

Q: How many of the vulnerabilities fixed by Oracle can be exploited remotely without authentication?

The update includes over 260 vulnerabilities that can be exploited remotely without authentication.

published: July 17, 2024

Take action: This is a massive patch release covering all products of Oracle. Make sure you review the list of products with critical vulnerabilities, then go through the full list. It's going to be a difficult patching process. Prioritize products with critical flaws and move onward. As usual, always make a backup before running a patch on Oracle product, it's rarely trivial.

Learn More

On Tuesday, Oracle released a substantial Critical Patch Update (CPU) for July 2024, addressing a total of 386 security vulnerabilities across its product range. This update includes over 260 vulnerabilities that can be exploited remotely without authentication, emphasizing the critical nature of these patches.

Critical vulnerabilities fixed:

Oracle Communications Billing and Revenue Management: CVE-2022-34381 (CVSS score 9.8), impacted versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0
Oracle Communications Cloud Native Core Automated Test Suite: CVE-2024-23897 (CVSS score 9.8), impacted versions 23.1.0
Oracle Communications Cloud Native Core Binding Support Function: CVE-2023-37920 (CVSS score 9.8), impacted versions 23.4.0-23.4.3
Oracle Communications Cloud Native Core Binding Support Function: CVE-2024-23897 (CVSS score 9.8), impacted versions 23.4.0-23.4.3
Oracle Communications Cloud Native Core Network Function Cloud Native Environment: CVE-2022-48174 (CVSS score 9.8), impacted versions 23.4.0, 24.1.0
Oracle Communications Cloud Native Core Network Repository Function: CVE-2023-37920 (CVSS score 9.8), impacted versions 23.4.2
Oracle Communications Cloud Native Core Network Repository Function: CVE-2024-23897 (CVSS score 9.8), impacted versions 23.4.2
Oracle Communications Cloud Native Core Policy: CVE-2023-37920 (CVSS score 9.8), impacted versions 23.4.0-23.4.4
Oracle Communications Cloud Native Core Policy: CVE-2024-23897 (CVSS score 9.8), impacted versions 23.4.0-23.4.4
Oracle Communications Cloud Native Core Security Edge Protection Proxy (CVSS score 9.8), impacted versions 23.4.0
Oracle Communications Cloud Native Core Security Edge Protection Proxy: CVE-2023-37920 (CVSS score 9.8), impacted versions 23.4.0
Oracle Communications Cloud Native Core Service Communication Proxy: CVE-2023-37920 (CVSS score 9.8), impacted versions 23.4.0, 24.1.0
Oracle Communications Operations Monitor: CVE-2023-37920 (CVSS score 9.8), impacted versions 5.1, 5.2
Oracle Financial Services Model Management and Governance: CVE-2023-47248 (CVSS score 9.8), impacted versions 8.1.2.5, 8.1.2.6
Oracle Financial Services Model Management and Governance: CVE-2022-36944 (CVSS score 9.8), impacted versions 8.1.2.5, 8.1.2.6
Oracle Fusion HTTP Server: CVE-2023-45853 (CVSS score 9.8), impacted versions 12.2.1.4.0
Oracle Fusion Outside In Technology: CVE-2023-45853 (CVSS score 9.8), impacted versions 8.5.7
Oracle Fusion WebCenter Portal: CVE-2022-45378 (CVSS score 9.8), impacted versions 12.2.1.4.0
Oracle Fusion WebCenter Sites: CVE-2023-34034 (CVSS score 9.8), impacted versions 12.2.1.4.0
Oracle Fusion WebLogic Server: CVE-2024-21181 (CVSS score 9.8), impacted versions 12.2.1.4.0, 14.1.1.0.0
Oracle Analytics Business Intelligence Enterprise Edition: CVE-2022-0239 (CVSS score 9.8), impacted versions 7.0.0.0.0
Oracle Analytics Business Intelligence Enterprise Edition: CVE-2022-21797 (CVSS score 9.8), impacted versions 7.0.0.0.0
Oracle Analytics Business Intelligence Enterprise Edition: CVE-2021-23926 (CVSS score 9.1), impacted versions 12.2.1.4.0
MySQL Cluster: CVE-2023-37920 (CVSS score 9.8), impacted versions 8.0.34 and prior, 8.1.0 and prior
Siebel CRM Deployment: CVE-2022-37434 (CVSS score 9.8), impacted versions 24.6 and prior

Summary of the total of 386 patches.

Products with Significant Updates:

Oracle Communications - Total Patches: 95
Financial Services Applications - Total Patches: 60
Fusion Middleware - Total Patches: 41
MySQL - Total Patches: 37
Communications Applications - Total Patches: 20
Analytics - Total Patches: 17
Siebel CRM - Total Patches: 12
PeopleSoft - Total Patches: 11
Insurance Applications - Total Patches: 10
E-Business Suite - Total Patches: 10
JD Edwards - Total Patches: 8
Database Server - Total Patches: 8
Commerce - Total Patches: 7
Java SE - Total Patches: 7
Supply Chain - Total Patches: 7

Other Products Receiving Patches: Application Express, Essbase, GoldenGate, NoSQL Database, REST Data Services, TimesTen In-Memory Database, Construction and Engineering, Enterprise Manager, HealthCare Applications, Hyperion, Retail Applications, Systems, Utilities Applications, and Virtualization.

Oracle strongly advises customers to apply patches promptly. The company notes that threat actors often exploit known vulnerabilities for which patches have been released.

Oracle releases hundreds of patches in a massive July 2024 Critical Patch Update

Read More
Preboot Execution Environment vulnerabilities dubbed PixieFail expose risks …
Researchers report critical flaws in CyberArk vaults
Hackers still target vulnerable Apache RocketMQ servers, 6 …
CISA warns of active explitation of Ivanti EPMM …
Critical vulnerability reported in Jinjava template engine, enables …