Oracle releases October 2024 Security Update, patches 334 flaws
Take action: A huge patch release, with many products fixed for critical flaws. It's time to sit down and read through the advisories in detail. We can't even give you a priority; there are too many combinations of products in use. Best advice: do the work of proper analysis, and do it soon.
Oracle released the Critical Patch Update (CPU) for October 2024, addressing a total of 334 security vulnerabilities across 28 product families.
Out of these patches, 35 patches addressed critical severity vulnerabilities across 16 CVEs, and 44.6% of the patches are high-severity. Non-Oracle CVEs represent a major portion of the vulnerabilities, as Oracle incorporates numerous third-party components like Apache Derby and LibExpat.
- 334 security patches were issued.
- 186 vulnerabilities can be exploited remotely without authentication.
- 244 patches were issued for third-party (non-Oracle) components used within Oracle products, highlighting the security risks of open-source dependencies.
- Oracle Communications had the highest number of patches, with 100 updates, representing 30% of the total.
Key product patches
- Oracle Communications:
  - 100 patches, with 81 vulnerabilities remotely exploitable without user credentials.
  - Critical vulnerabilities include CVE-2024-45492, CVE-2023-38408, CVE-2024-4577, CVE-2023-6816, CVE-2022-2068, CVE-2024-37371, CVE-2024-29736, and CVE-2022-36760.
  - The flaws are mostly network-exploitable and allow unprivileged, low-complexity attacks.
- Oracle MySQL:
  - 45 security patches, 12 of which are exploitable over a network without credentials.
  - Critical vulnerabilities: CVE-2024-37371 and CVE-2024-5535 (CVSS score: 9.1). These can be exploited by remote attackers without privileges in low-complexity attacks.
- Oracle Fusion Middleware:
  - 32 patches, 12 of which address remotely exploitable vulnerabilities.
  - Critical vulnerabilities: CVE-2024-28752, CVE-2024-21216, CVE-2024-45492. These allow network-based attacks without user credentials, posing serious risks.
- Oracle Financial Services Applications:
  - 20 patches, with 15 addressing network-exploitable vulnerabilities.
  - Critical vulnerability: CVE-2024-5535, affecting Oracle Banking Cash Management and Oracle Banking Supply Chain Finance (CVSS score: 9.1). It can be exploited by attackers without privileges.
- Oracle Communications Applications:
  - 13 patches, with 10 addressing network-exploitable flaws.
  - Critical vulnerability: CVE-2024-45492 in the Core (LibExpat) component of Oracle Communications Unified Assurance (CVSS score: 9.8).
- Oracle Commerce:
  - 9 security patches, with 5 being remotely exploitable.
  - Critical vulnerability: CVE-2022-46337 in the Workbench (Apache Derby) component of Oracle Commerce Guided Search (CVSS score: 9.8).
- Oracle Enterprise Manager:
  - 7 patches, 3 addressing network-exploitable issues.
  - Critical vulnerability: CVE-2022-34381 in the Agent Next Gen (BSAFE Crypto-J) component (CVSS score: 9.8).
- Oracle Analytics:
  - 12 patches, 7 addressing remote vulnerabilities.
  - Critical vulnerabilities: CVE-2022-23305 and CVE-2023-38545 in Oracle Business Intelligence Enterprise Edition (CVSS score: 9.8).
- Oracle Systems:
  - 7 patches, 5 addressing network-exploitable issues.
  - Critical vulnerability: CVE-2022-46337 in Tools (Apache Derby) of Oracle Solaris Cluster (CVSS score: 9.8).
Oracle’s October 2024 CPU also included fixes for Oracle Database, Blockchain, NoSQL Database, and other critical enterprise applications, further emphasizing the importance of prompt security patching across Oracle environments.
Oracle urges users to apply patches promptly, as attackers have exploited unpatched Oracle vulnerabilities in the past.