The January 2023 Oracle Critical Patch Update 

Last updated on: January 18, 2023

This Oracle Critical Patch Update contains a group of patches for multiple security vulnerabilities that address 327 new security patches. Some of the vulnerabilities addressed this month impact various products. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. We urge customers to apply these time-sensitive Oracle Critical Patch Updates.

In the Q1 2023 Oracle Critical Patch Update, the Oracle Communications product suite recorded the highest number of patches at 79, constituting 24% of the total patches released. The Oracle Fusion Middleware and Oracle Communications Applications product lines followed, with 50 and 39 patches, respectively, representing 15% and 12% of the total patches issued. Oracle MySQL also receives 37 new security updates.

252 of the 327 security patches (about 77%) are for non-Oracle CVEs, i.e., security fixes for issues in third-party products (e.g., open-source components) that are included in, and exploitable in the context of, the Oracle product distributions.

Oracle has released its first quarterly update of 2023, addressing 327 new security patches across 29 product families. The product families included are:

Oracle Database Server, Oracle Essbase, Oracle GoldenGate, Oracle TimesTen In-Memory Database, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Support Tools, Oracle Systems, Oracle Utilities Applications, Oracle Virtualization, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Food and Beverage Applications, Oracle Fusion Middleware, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL.


Qualys QID Coverage 

Qualys has released eleven (11) QIDs, starting with IP scanning version VULNSIGS-2.5.678-3/VULNSIGS-2.5.680-2 and Linux Cloud Agent manifest version lx_manifest-2.5.678.3-2/lx_manifest-2.5.680.2-1. Should additional QIDs be released, they will be added to the table below as they become available:

QID Title
87530 Oracle WebLogic Server Multiple Vulnerabilities (CPUJAN2023)
20318 Oracle Database 19c Critical Patch Update – January 2023
20317 Oracle Database 21c Critical Patch Update – January 2023
20316 Oracle MySQL January 2023 Critical Patch Update (CPUJAN2023)
377904 Oracle Java Standard Edition (SE) Critical Patch Update – January 2023 (CPUJAN2023)
20319 Oracle Database 19c Critical OJVM Patch Update – January 2023
296093 Oracle Solaris 11.4 Support Repository Update (SRU) 53.132.2 Missing (CPUJAN2023)
377907 Oracle VM VirtualBox Linux Multiple Vulnerabilities (CPUJAN2023)
377908 Oracle Coherence January 2023 Critical Patch Update (CPUJAN2023)
377910 Oracle MySQL Connectors 8.0.x Denial of Service (DoS) Vulnerability (CPUJAN2023)
377911 Oracle Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (CPUJAN2023)

Customers can scan their network with QIDs 377911, 377910, 377908, 377907, 377904, 87530, 296093, 20319, 20318, 20317, and 20316 to detect vulnerable assets.

Notable Oracle Vulnerabilities Patched 

Oracle Database Server

The Critical Patch Update for Oracle Database Products contains 9 new security patches. One of these vulnerabilities may be remotely exploitable without authentication.

The vulnerability identified as CVE-2023-21893, with a CVSS v3.1 score of 7.5, in the Oracle Data Provider for .NET component of Oracle Database Server may be remotely exploitable without authentication. An attacker with network access via TCPS can exploit this vulnerability over a network without user credentials to compromise Oracle Data Provider for .NET.

This is a difficult vulnerability to exploit, and successful attacks require human interaction from someone other than the attacker. Successful attacks on this vulnerability can result in the takeover of Oracle Data Provider for .NET. The Oracle Database Server components and versions affected by the vulnerability are Oracle Database Server, versions 19c and 21c. This applies to the Database client only, on the Windows platform.

Oracle Essbase

The Critical Patch Update for Oracle Essbase Products contains 2 new security patches. One of these vulnerabilities may be remotely exploitable without authentication.

The critical vulnerability identified as CVE-2022-2274, with a CVSS v3.1 score of 9.8, in the Essbase Web Platform (OpenSSL) component of Oracle Essbase is easily exploitable remotely without authentication. This means an attacker with network access via HTTPS can exploit this vulnerability over a network without user credentials to compromise Oracle Essbase. Successful attacks on this vulnerability can result in a takeover of Oracle Essbase. The Oracle Essbase products and versions affected by the vulnerability are Oracle Essbase, version 21.4.

Oracle Commerce

The Critical Patch Update for Oracle Commerce contains 2 new security patches. Both these vulnerabilities may be remotely exploitable without authentication. 

The critical vulnerability identified as CVE-2022-22965, with a CVSS v3.1 score of 9.8, in the Oracle Commerce Guided Search component of Oracle Commerce is easily exploitable and allows unauthenticated attackers with network access via HTTP to compromise Oracle Commerce Guided Search. Successful attacks on this vulnerability can result in a takeover of Oracle Commerce Guided Search. The Oracle Commerce products and versions affected by the vulnerability are Oracle Commerce Guided Search, version 11.3.2.

Oracle Communications Applications

The Critical Patch Update for Oracle Communications Applications contains 39 new security patches, and 31 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS v3.1 Base Score of these vulnerabilities concerning Oracle Communications Applications is 9.8.

The Oracle Communications Applications products and versions affected by vulnerabilities that are addressed in Q1 Oracle Critical Patch Update are:

  • Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.7.0
  • Oracle Communications BRM – Elastic Charging Engine, versions 12.0.0.3.0-12.0.0.7.0
  • Oracle Communications Calendar Server, version 8.0.0.6.0
  • Oracle Communications Contacts Server, version 8.0.0.7.0
  • Oracle Communications Convergence, version 3.0.3.1.0
  • Oracle Communications Design Studio, version 7.4.2
  • Oracle Communications Elastic Charging Engine, versions 12.0.0.3.0-12.0.0.7.0
  • Oracle Communications Instant Messaging Server, version 10.0.1.6.0
  • Oracle Communications Messaging Server, version 8.1.0.20.0
  • Oracle Communications MetaSolv Solution, version 6.3.1
  • Oracle Communications Order and Service Management, version 7.4.0
  • Oracle Communications Pricing Design Center, versions 12.0.0.5.0-12.0.0.7.0
  • Oracle Communications Unified Assurance, versions 5.5.0-5.5.9, 6.0.0-6.0.1
  • Oracle Communications Unified Inventory Management, versions 7.4.0-7.4.2, 7.5.0

Oracle Communications

The Critical Patch Update for Oracle Communications contains 80 new security patches for Oracle Communications. Out of that, 64 of these vulnerabilities may be remotely exploitable without authentication. 

CVE-2022-43403 is a vulnerability in the Oracle Communications Cloud Native Core Unified Data Repository product of Oracle Communications. It has the highest CVSS v3.1 Base Score in this group, 9.9, and allows low-privileged attackers with network access via HTTP to easily compromise Oracle Communications Cloud Native Core Unified Data Repository. Since the scope changes in this security bug, attacks may significantly impact additional products. Successful attacks on this security flaw can result in a takeover of Oracle Communications Cloud Native Core Unified Data Repository.

The Oracle Communications products and versions affected by vulnerabilities that are addressed in Q1 2023 Critical Patch Update are:

  • Management Cloud Engine, version 22.1.0.0.0
  • Oracle Communications Cloud Native Core Automated Test Suite, versions 22.2.2, 22.3.1, 22.4.0
  • Oracle Communications Cloud Native Core Binding Support Function, versions 22.1.0, 22.1.1, 22.2.0, 22.2.1, 22.2.2, 22.2.4, 22.3.0-22.4.0
  • Oracle Communications Cloud Native Core Console, versions 22.3.0, 22.4.0
  • Oracle Communications Cloud Native Core Network Data Analytics Function, version 22.0.0.0.0
  • Oracle Communications Cloud Native Core Network Exposure Function, versions 22.3.1, 22.4.0
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment, version 22.3.0
  • Oracle Communications Cloud Native Core Network Repository Function, versions 22.3.0, 22.3.2
  • Oracle Communications Cloud Native Core Network Slice Selection Function, versions 22.3.1, 22.4.1
  • Oracle Communications Cloud Native Core Policy, versions 1.11.0, 22.3.0, 22.4.0
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 22.3.1, 22.4.0
  • Oracle Communications Cloud Native Core Unified Data Repository, versions 22.2.2, 22.2.3, 22.3.3, 22.3.4, 22.4.0
  • Oracle Communications Converged Application Server, versions 7.1.0, 8.0.0
  • Oracle Communications Diameter Intelligence Hub, version 8.2.3.0
  • Oracle Communications Diameter Signaling Router, version 8.6.0.0
  • Oracle Communications Performance Intelligence Center (PIC) Software, version 10.4.0.4.1

Oracle Construction and Engineering

The Critical Patch Update for Oracle Construction and Engineering contains 7 new security patches; 4 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2022-42889, which has the highest CVSS v3.1 Base Score in this group, 9.8, is easily exploitable and allows unauthenticated attackers with network access via HTTP to compromise Primavera Gateway.

The Oracle Construction and Engineering products and versions affected by the vulnerability are Primavera Gateway, versions 18.8.0-18.8.15, 19.12.0-19.12.15, 20.12.0-20.12.10, 21.12.0-21.12.8 and Primavera Unifier, versions 18.8, 19.12, 20.12, 21.12, 22.12.

Oracle E-Business Suite 

This Critical Patch Update contains 12 new security patches for Oracle E-Business Suite. Ten of these vulnerabilities may be remotely exploitable without authentication.

CVE-2023-21849 is a vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite. It has the highest CVSS v3.1 Base Score in this group, 7.5, and allows unauthenticated attackers with network access via HTTP to easily compromise Oracle Marketing. Successful attacks on this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Marketing accessible data.

The Oracle E-Business Suite products and versions affected by vulnerabilities are Oracle E-Business Suite, versions 12.2.3-12.2.12.

Oracle Enterprise Manager

The Critical Patch Update contains three new security patches for Oracle E-Business Suite. Two of these vulnerabilities may be remotely exploitable without authentication.

CVE-2022-42889 is a vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager. It has the highest CVSS v3.1 Base Score in this group, 9.8, and allows unauthenticated attackers with network access via HTTP to easily compromise Enterprise Manager Base Platform. Successful attacks on this vulnerability can result in a takeover of the Enterprise Manager Base Platform.

The Oracle Enterprise Manager products and versions affected by vulnerabilities are Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0 and Enterprise Manager Ops Center, version 12.4.0.0.

Oracle Financial Services Applications

This Critical Patch Update for Oracle Financial Services Applications contains 12 new security patches. Eight of these vulnerabilities may be remotely exploitable without authentication.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Financial Services Applications is 9.8.

The Oracle Financial Services Applications products and versions affected by vulnerabilities are Oracle Banking Enterprise Default Management, versions 2.6.2, 2.7.1, 2.12.0, Oracle Banking Loans Servicing, versions 2.8.0, 2.12.0, Oracle Banking Party Management, version 2.7.0, Oracle Banking Platform, versions 2.6.2, 2.7.1, 2.12.0, Oracle Financial Services Crime and Compliance Management Studio, version 8.0.8.3.1.

Oracle Food and Beverage Applications

This Critical Patch Update for Oracle Food and Beverage Applications contains seven new security patches. Two of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Food and Beverage Applications is 8.3.

The Oracle Food and Beverage Applications products and versions affected by vulnerabilities are Oracle Hospitality Gift and Loyalty, version 9.1.0, Oracle Hospitality Labor Management, version 9.1.0, Oracle Hospitality Reporting and Analytics, version 9.1.0, Oracle Hospitality Simphony, versions 18.2.11, 19.3.4.

Oracle Fusion Middleware

The Critical Patch Update for Oracle Fusion Middleware contains 50 new security patches. Forty of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Fusion Middleware is 9.8.

The Oracle Fusion Middleware products and versions affected by vulnerabilities are:

  • Oracle Access Manager, version 12.2.1.4.0
  • Oracle BI Publisher, versions 5.9.0.0.0, 6.4.0.0.0, 12.2.1.4.0
  • Oracle Business Intelligence Enterprise Edition, versions 5.9.0.0.0, 6.4.0.0.0
  • Oracle Coherence, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • Oracle Fusion Middleware MapViewer, version 12.2.1.4.0
  • Oracle Global Lifecycle Management NextGen OUI Framework, versions prior to 13.9.4.2.11
  • Oracle HTTP Server, version 12.2.1.4.0
  • Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0
  • Oracle Outside In Technology, version 8.5.6
  • Oracle Web Services Manager, version 12.2.1.4.0
  • Oracle WebCenter Content, version 12.2.1.4.0
  • Oracle WebCenter Sites, version 12.2.1.4.0
  • Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

Oracle MySQL

The Critical Patch Update contains 37 new security patches for Oracle MySQL. Seven of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.8.

The Oracle MySQL products and versions affected by vulnerabilities are:

  • MySQL Cluster, versions 7.4.38 and prior, 7.5.28 and prior, 7.6.24 and prior, 8.0.31 and prior
  • MySQL Connectors, versions 8.0.31 and prior
  • MySQL Enterprise Monitor, versions 8.0.32 and prior
  • MySQL Server, versions 5.7.40 and prior, 8.0.31 and prior
  • MySQL Shell, versions 8.0.31 and prior
  • MySQL Workbench, versions 8.0.31 and prior
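The affected-version clauses above come in two shapes: "X and prior" (the MySQL list) and "A-B" ranges (the Primavera Gateway and Unifier list further up). The following is an added example, not Qualys or Oracle code, that parses both shapes as quoted in this post and checks a constructed sample inventory against them; it compares versions numerically, since a plain string comparison would wrongly treat 8.0.9 as newer than 8.0.31.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Range = Tuple[Version, Version]

# Affected-version clauses copied from the post (product -> clause text).
AFFECTED: Dict[str, str] = {
    "MySQL Server": "5.7.40 and prior, 8.0.31 and prior",
    "MySQL Connectors": "8.0.31 and prior",
    "Primavera Gateway": "18.8.0-18.8.15, 19.12.0-19.12.15, 20.12.0-20.12.10, 21.12.0-21.12.8",
}

def parse_version(text: str) -> Version:
    """'8.0.9' -> (8, 0, 9), so tuple comparison is numeric per component."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_ranges(clause: str) -> List[Range]:
    """Turn 'A-B, X and prior' into inclusive (low, high) version ranges.
    'X and prior' is read as the whole major.minor train up to X (8.0.31 and
    prior covers 8.0.0-8.0.31; the 5.7 train has its own clause)."""
    ranges: List[Range] = []
    for item in (s.strip() for s in clause.split(",")):
        m = re.fullmatch(r"([\d.]+)\s*-\s*([\d.]+)", item)
        if m:
            ranges.append((parse_version(m.group(1)), parse_version(m.group(2))))
            continue
        m = re.fullmatch(r"([\d.]+)\s+and prior", item)
        if m:
            high = parse_version(m.group(1))
            ranges.append((high[:-1] + (0,), high))
            continue
        raise ValueError(f"unrecognised version clause: {item!r}")
    return ranges

def is_affected(product: str, installed: str) -> bool:
    """True when the installed version falls inside any affected range."""
    version = parse_version(installed)
    return any(low <= version <= high for low, high in parse_ranges(AFFECTED[product]))

# Constructed sample inventory (host, product, installed version).
SAMPLE_INVENTORY = [
    ("db01", "MySQL Server", "8.0.9"),     # old 8.0 release, still affected
    ("db02", "MySQL Server", "8.0.32"),    # first fixed 8.0 release
    ("app01", "Primavera Gateway", "19.12.3"),
    ("app02", "Primavera Gateway", "18.8.16"),
]

def triage(inventory) -> List[str]:
    """Return the hosts whose installed version is in an affected range."""
    return [host for host, product, version in inventory if is_affected(product, version)]

if __name__ == "__main__":
    print("needs CPUJAN2023 patch:", triage(SAMPLE_INVENTORY))
```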

The rest of the Oracle products, with their number of new security updates along with their highest CVSS v3.1 scores, are as follows:

  • Oracle PeopleSoft: 12 new security patches and the highest CVSS v3.1 Base Score of 9.8
  • Oracle Supply Chain: 8 new security patches and the highest CVSS v3.1 Base Score of 7.8
  • Oracle Utilities Applications: 7 new security patches and the highest CVSS v3.1 Base Score of 9.8
  • Oracle Support Tools: 6 new security patches and the highest CVSS v3.1 Base Score of 9.8
  • Oracle Virtualization: 6 new security patches and the highest CVSS v3.1 Base Score of 8.1
  • Oracle HealthCare Applications: 4 new security patches and the highest CVSS v3.1 Base Score of 9.8
  • Oracle Java SE: 4 new security patches and the highest CVSS v3.1 Base Score of 8.1
  • Oracle Health Sciences Applications: 2 new security patches and the highest CVSS v3.1 Base Score of 9.8
  • Oracle Hyperion: 2 new security patches and the highest CVSS v3.1 Base Score of 9.8
  • Oracle JD Edwards: 2 new security patches and the highest CVSS v3.1 Base Score of 9.8
  • Oracle Siebel CRM: 2 new security patches and the highest CVSS v3.1 Base Score of 9.8
  • Oracle Hospitality Applications: 1 new security patch and the highest CVSS v3.1 Base Score of 8.8
  • Oracle Insurance Applications: 1 new security patch and the highest CVSS v3.1 Base Score of 6.5
  • Oracle Retail: 1 new security patch and the highest CVSS v3.1 Base Score of 7.5
  • Oracle Systems: 1 new security patch and the highest CVSS v3.1 Base Score of 9.8

Note that later today we will update this blog with our QID coverage, Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR) and Rapid Response with Patch Management (PM) content.

Conclusion

We at Qualys and Oracle instruct customers to stay on actively supported versions and apply all security patches promptly.

This post was first published on the Qualys Security Blog website by Saeed Abbasi. You can view it by clicking here.