Advisory

Oracle releases massive Critical Patch Update for April 2024: 372 flaws, 15 critical

Take action: If you run Oracle products, start a full review of the April 2024 Critical Patch Update now. The affected-product list is too long to summarize, so you will have to match your own inventory against Oracle's risk matrices to find what is vulnerable. The product families below carry critical (CVSS 9.8 or higher) issues, but each family spans several products and versions, so a family-name match alone is not enough; check the exact product and version: Oracle Commerce, Oracle Communications Applications, Oracle Enterprise Manager, Oracle Food and Beverage Applications, Oracle Fusion Middleware.


Learn More

Oracle has announced the release of its April 2024 Critical Patch Update (CPU), securing numerous Oracle products against a wide array of vulnerabilities.

This update resolves 372 security issues, of which at least 15 are rated critical (CVSS 9.8 or higher). Most of the critical ones are exploitable over the network without authentication and could lead to remote code execution, data manipulation, or unauthorized access.

Affected Oracle product families (a selection; the full list is in Oracle's advisory):

  1. Oracle Database
  2. Oracle Fusion Middleware
  3. Oracle PeopleSoft
  4. Oracle Siebel CRM
  5. Oracle Java SE
  6. Oracle MySQL
  7. Oracle Retail Applications
  8. Oracle Financial Services Applications

Details of the critical vulnerabilities

Oracle Commerce

  • CVE-2022-46364 (CVSS score 9.8): Oracle Commerce Platform - Endeca Integration (Apache CXF) over HTTP. Remote exploitation without authentication possible. Affected versions: 11.3.0, 11.3.1, 11.3.2.

Oracle Communications Applications

  • CVE-2023-47100 (CVSS score 9.8): Oracle Communications Billing and Revenue Management - Platform (Perl) over HTTP. Remote exploitation without authentication possible. Affected versions: 12.0.0.4-12.0.0.8, 15.0.0.0.

  • CVE-2022-34381 (CVSS score 9.8): Oracle Communications Network Integrity - Platform (BSAFE Crypto-J) over HTTP and Oracle Communications Unified Inventory Management - Security (BSAFE Crypto-J) over HTTPS. Remote exploitation without authentication possible. Affected versions: Network Integrity 7.3.6.4, Unified Inventory Management 7.4.0-7.4.2, 7.5.0, 7.5.1.

Oracle Enterprise Manager

  • CVE-2022-42920 (CVSS score 9.8): Oracle Application Testing Suite - Load Testing for Web Apps (Apache Commons BCEL) over HTTP. Remote exploitation without authentication possible. Affected version: 13.3.0.1.

  • CVE-2022-46337 (CVSS score 9.8): Oracle Application Testing Suite - Load Testing for Web Apps (Apache Derby) over HTTP. Remote exploitation without authentication possible. Affected version: 13.3.0.1.

  • CVE-2022-34381 (CVSS score 9.8): Oracle Application Testing Suite - Load Testing for Web Apps (BSAFE Crypto-J) over HTTP. Remote exploitation without authentication possible. Affected version: 13.3.0.1.

  • CVE-2022-42920 (CVSS score 9.8): Oracle Enterprise Manager for Fusion Middleware - Enterprise Manager Install (Apache Commons BCEL) over HTTP. Remote exploitation without authentication possible. Affected version: 13.5.0.0.

Oracle Food and Beverage Applications

  • CVE-2024-20997 (CVSS score 9.9): Oracle Hospitality Simphony - Simphony Enterprise Server over HTTP. The advisory text quoted here does not state whether unauthenticated remote exploitation is possible; note that a CVSS 3.1 base score of 9.9 corresponds to a network-reachable flaw requiring only low privileges with changed scope, so treat it as reachable by any authenticated user. Affected versions: 19.1.0-19.5.4.

  • CVE-2024-21010 (CVSS score 9.9): Oracle Hospitality Simphony - Simphony Enterprise Server over HTTP. As with CVE-2024-20997, unauthenticated remote exploitation is not stated in the quoted text, but the 9.9 score implies low-privilege network access with changed scope. Affected versions: 19.1.0-19.5.4.

  • CVE-2024-21014 (CVSS score 9.8): Oracle Hospitality Simphony - Simphony Enterprise Server over HTTP. Remote exploitation without authentication possible. Affected versions: 19.1.0-19.5.4.

Oracle Fusion Middleware

  • CVE-2022-46337 (CVSS score 9.8): Oracle Enterprise Data Quality, MapViewer, and Middleware Common Libraries and Tools - Third Party (Apache Derby) over HTTP. Remote exploitation without authentication possible. Affected version: 12.2.1.4.0.

  • CVE-2024-1597 (CVSS score 9.8): Oracle Enterprise Data Quality - Third Party (PostgreSQL JDBC Driver) over HTTP. Remote exploitation without authentication possible. Affected version: 12.2.1.4.0.

  • CVE-2022-34381 (CVSS score 9.8): Oracle HTTP Server - Plugins (BSAFE Crypto-J) over TLS. Remote exploitation without authentication possible. Affected versions: 12.2.1.4.0, 14.1.1.0.0.

  • CVE-2019-13990 (CVSS score 9.8): Oracle Identity Manager and Oracle Internet Directory - Third Party (Quartz) over HTTP. Remote exploitation without authentication possible. Affected version: 12.2.1.4.0.

  • CVE-2022-1471 (CVSS score 9.8): Oracle SOA Suite - Third Party (SnakeYAML) over HTTP. Remote exploitation without authentication possible.
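The practical job this advisory asks for is matching your own product inventory against the affected-version lists above. As an added example (not part of the original advisory and not an Oracle tool), the Python script below encodes those lists exactly as Oracle prints them (single versions and inclusive "low-high" ranges) and checks a constructed inventory against them. The hostnames and inventory rows are made up for illustration; the product-name match is a deliberately simple case-insensitive exact comparison that a real CMDB export would need to normalize first.

```python
"""Check an inventory of Oracle product versions against the affected-version
lists from the April 2024 CPU entries quoted in this advisory."""
from __future__ import annotations

# Affected versions transcribed from the critical-vulnerability list above.
# Each tuple: (CVE, product, affected) where affected holds single versions
# or inclusive "low-high" ranges in the form Oracle uses in its risk matrices.
ADVISORY = [
    ("CVE-2022-46364", "Oracle Commerce Platform", ["11.3.0", "11.3.1", "11.3.2"]),
    ("CVE-2023-47100", "Oracle Communications Billing and Revenue Management",
     ["12.0.0.4-12.0.0.8", "15.0.0.0"]),
    ("CVE-2022-34381", "Oracle Communications Network Integrity", ["7.3.6.4"]),
    ("CVE-2022-34381", "Oracle Communications Unified Inventory Management",
     ["7.4.0-7.4.2", "7.5.0", "7.5.1"]),
    ("CVE-2022-42920", "Oracle Application Testing Suite", ["13.3.0.1"]),
    ("CVE-2022-46337", "Oracle Application Testing Suite", ["13.3.0.1"]),
    ("CVE-2022-34381", "Oracle Application Testing Suite", ["13.3.0.1"]),
    ("CVE-2022-42920", "Oracle Enterprise Manager for Fusion Middleware", ["13.5.0.0"]),
    ("CVE-2024-20997", "Oracle Hospitality Simphony", ["19.1.0-19.5.4"]),
    ("CVE-2024-21010", "Oracle Hospitality Simphony", ["19.1.0-19.5.4"]),
    ("CVE-2024-21014", "Oracle Hospitality Simphony", ["19.1.0-19.5.4"]),
    ("CVE-2022-46337", "Oracle Enterprise Data Quality", ["12.2.1.4.0"]),
    ("CVE-2024-1597", "Oracle Enterprise Data Quality", ["12.2.1.4.0"]),
    ("CVE-2022-34381", "Oracle HTTP Server", ["12.2.1.4.0", "14.1.1.0.0"]),
    ("CVE-2019-13990", "Oracle Identity Manager", ["12.2.1.4.0"]),
    ("CVE-2019-13990", "Oracle Internet Directory", ["12.2.1.4.0"]),
]

# Constructed sample inventory (host, product, version); not real systems.
SAMPLE_INVENTORY = [
    ("pos-app-01", "Oracle Hospitality Simphony", "19.5.3"),    # inside 19.1.0-19.5.4
    ("pos-app-02", "Oracle Hospitality Simphony", "19.5.5"),    # just above the range
    ("brm-prod-01", "Oracle Communications Billing and Revenue Management", "12.0.0.6"),
    ("web-01", "Oracle HTTP Server", "12.2.1.4.0"),
    ("web-02", "Oracle HTTP Server", "12.2.1.3.0"),             # not a listed version
    ("edq-01", "Oracle Enterprise Data Quality", "12.2.1.4"),   # shorter form of 12.2.1.4.0
]


def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted numeric version ('12.2.1.4.0') into a comparable tuple.
    Oracle prints purely numeric components in its CPU matrices; anything
    else raises ValueError rather than silently comparing wrong."""
    return tuple(int(part) for part in v.strip().split("."))


def _pad(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Right-pad both tuples with zeros so '12.2.1.4' equals '12.2.1.4.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in(spec: str, version: str) -> bool:
    """True if `version` is the single version `spec`, or lies inside the
    inclusive 'low-high' range `spec`, comparing component by component."""
    v = parse_version(version)
    if "-" in spec:
        low_s, high_s = spec.split("-", 1)
        low, v_low = _pad(parse_version(low_s), v)
        high, v_high = _pad(parse_version(high_s), v)
        return low <= v_low and v_high <= high
    single, v_single = _pad(parse_version(spec), v)
    return single == v_single


def match_inventory(inventory, advisory=ADVISORY):
    """Return (host, product, version, cve) for every inventory row whose
    product name matches an advisory entry and whose version is affected."""
    hits = []
    for host, product, version in inventory:
        for cve, adv_product, affected in advisory:
            if product.strip().lower() != adv_product.lower():
                continue
            if any(version_in(spec, version) for spec in affected):
                hits.append((host, product, version, cve))
    return hits


if __name__ == "__main__":
    for host, product, version, cve in match_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} affected by {cve}")
```

Only the rows whose exact version falls inside a listed version or range are reported, so pos-app-02 at 19.5.5 and web-02 at 12.2.1.3.0 come back clean while edq-01 matches both Enterprise Data Quality CVEs despite the shorter version string. Versions that are clean here are only clean with respect to the critical entries quoted in this advisory; the remaining 357 fixes still need the same treatment against Oracle's full risk matrices.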
