Oracle Critical Patch Update October 2024

34 Highly Exploitable Critical Vulnerabilities Among the 334 Security Patches Released for Oracle Products This Quarter

Oracle releases security fixes for supported on-premises (non-cloud) products as part of its regular Critical Patch Update (CPU) cycle. The current release schedule for CPUs is the third Tuesday of January, April, July and October each year. Additional security fixes are occasionally released outside the normal cycle; these are published as “out-of-band” Security Alerts and bulletins.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply all applicable security patches found within the Critical Patch Updates as soon as possible.

In this blog post, we will be summarising key details for the security patches contained within the latest product updates. The raw list can be viewed in full directly here: https://www.oracle.com/security-alerts/cpuoct2024.html. You can also access a list of historical CPUs here: https://www.oracle.com/security-alerts/.

 

Commentary

A slightly smaller set of vulnerabilities to patch this quarter than in Oracle’s previous CPU advisory, but certain product families have been hit especially hard. Oracle Communications (and Cloud Native Core in particular) accounted for over 100 of the 334 new security patches released for Oracle products. 81 of these were remotely exploitable without authentication, and the most serious carry a maximum CVSS score of 9.8 out of 10. Many of the vulnerabilities in this quarter’s updates also lie in underlying third-party open-source libraries that Oracle products incorporate to deliver specific functionality, including flaws in OpenSSL, Log4j, libexpat and Apache CXF.

The October 2024 Critical Patch Update (covering the period 17th July to 15th October 2024) also includes important fixes for vulnerabilities in other products, including: Analytics, Application Express, Commerce, Database Server, E-Business Suite, Essbase, Financial Services, Fusion, Hyperion, Java SE, MySQL, NoSQL, PeopleSoft, Retail Applications, Secure Backup, SQL Developer and Siebel CRM.

 

34 ‘Highly Exploitable’ Critical Vulnerabilities

The “highly exploitable” critical vulnerabilities listed below are those with a ‘critical’ impact – a base score of 9.0 or more out of 10 under the Common Vulnerability Scoring System (CVSS) – that are also considered relatively trivial to exploit: they have (a) a network attack vector, (b) low attack complexity, and (c) are remotely exploitable without authentication. These are the vulnerabilities believed to present the greatest risk to organisations, since they are both easy to target and capable of significant impact (harm) if successfully exploited. Remediation of “highly exploitable” criticals is time sensitive: vulnerabilities of this type frequently appear in our “Known Exploited Vulnerabilities” (KEV) roundups once a threat group develops working exploit code and begins to actively target organisations. The vulnerabilities regarded as ‘highly exploitable’ criticals in Oracle products this quarter include:

| Product | CVE | CVSS Score |
|---|---|---|
| Oracle Commerce Guided Search 11.3.2 | CVE-2022-46337 | 9.8 |
| Oracle Communications Unified Assurance 5.5.0-5.5.22, 6.0.0-6.0.4 | CVE-2024-45492 | 9.8 |
| Oracle Communications Cloud Native Core Unified Data Repository 24.2.0 | CVE-2024-45492 | 9.8 |
| Oracle Enterprise Communications Broker 4.1.0 | CVE-2023-38408 | 9.8 |
| Oracle SD-WAN Aware 9.0.1.10.0 | CVE-2024-4577 | 9.8 |
| Oracle SD-WAN Edge 9.1.1.5.0-9.1.1.8.0 | CVE-2023-6816 | 9.8 |
| Oracle SD-WAN Edge 9.1.1.3.0 | CVE-2022-2068 | 9.8 |
| Oracle SD-WAN Edge 23.4.0-23.4.5 | CVE-2022-2068 | 9.8 |
| Oracle Communications Cloud Native Core Binding Support Function 23.4.0-23.4.5 | CVE-2024-37371 | 9.1 |
| Oracle Communications Cloud Native Core Network Repository Function 23.4.4, 24.2.1 | CVE-2024-37371 | 9.1 |
| Oracle Communications Cloud Native Core Policy 23.4.0-23.4.6 | CVE-2024-37371 | 9.1 |
| Oracle Communications Cloud Native Core Security Edge Protection Proxy 23.4.2, 24.2.0 | CVE-2024-37371 | 9.1 |
| Oracle Communications Cloud Native Core Service Communication Proxy 23.4.0, 24.1.0, 24.2.0 | CVE-2024-37371 | 9.1 |
| Oracle Communications Cloud Native Core Unified Data Repository 24.2.0 | CVE-2024-29736 | 9.1 |
| Oracle Communications Cloud Native Core Unified Data Repository 24.2.0 | CVE-2024-37371 | 9.1 |
| Oracle Communications Network Analytics Data Director 23.4.0, 24.1.0, 24.2.0 | CVE-2024-37371 | 9.1 |
| Oracle Enterprise Manager Base Platform 13.5.0.0 | CVE-2022-34381 | 9.8 |
| Oracle Financial Services (Oracle Banking Cash Management 14.7.4.0.0) | CVE-2024-5535 | 9.1 |
| Oracle Financial Services (Oracle Banking Supply Chain Finance 14.7.4.0.0) | CVE-2024-5535 | 9.1 |
| Oracle Fusion Middleware (Oracle Outside In Technology 8.5.7) | CVE-2024-45492 | 9.8 |
| Oracle Fusion Middleware (Oracle WebLogic Server 12.2.1.4.0, 14.1.1.0.0) | CVE-2024-21216 | 9.8 |
| Oracle Fusion Middleware (Oracle WebCenter Forms Recognition 14.1.1.0.0) | CVE-2024-28752 | 9.3 |
| Oracle Analytics (Oracle Business Intelligence Enterprise Edition 7.0.0.0.0) | CVE-2022-23305 | 9.8 |
| Oracle Analytics (Oracle Business Intelligence Enterprise Edition 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0) | CVE-2023-38545 | 9.8 |
| Oracle Analytics (Oracle BI Publisher 7.0.0.0.0, 7.6.0.0.0) | CVE-2024-29736 | 9.1 |
| Oracle MySQL (MySQL Cluster 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior) | CVE-2024-37371 | 9.1 |
| Oracle MySQL (MySQL Cluster 7.5.35 and prior, 7.6.31 and prior, 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior) | CVE-2024-5535 | 9.1 |
| Oracle MySQL (MySQL Connectors 9.0.0 and prior) | CVE-2024-5535 | 9.1 |
| Oracle MySQL (MySQL Connectors 9.0.0 and prior) | CVE-2024-5535 | 9.1 |
| Oracle MySQL (MySQL Enterprise Backup 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior) | CVE-2024-5535 | 9.1 |
| Oracle MySQL (MySQL Enterprise Monitor 8.0.39 and prior) | CVE-2024-5535 | 9.1 |
| Oracle MySQL (MySQL Server 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior) | CVE-2024-5535 | 9.1 |
| Oracle MySQL (MySQL Workbench 8.0.38 and prior) | CVE-2024-5535 | 9.1 |
| Oracle Solaris Cluster 4 | CVE-2022-46337 | 9.8 |

 

2 Other Critical (CVSS 9+) Patches to Prioritise

Although all 334 patches are distributed under Oracle’s “Critical Patch Update” banner, the “critical” vulnerabilities below are the remaining ones to which Oracle has assigned a CVSS base score of 9.0 or more – the threshold for ‘critical’ severity under the CVSS scoring system – but which do not meet every one of the ‘highly exploitable’ criteria above. They may be slightly harder for attackers to leverage: for instance, they may not be exploitable remotely, may need a higher attack complexity, or may require authentication. Exploitation is still possible, particularly as one link in a chain of several vulnerabilities, so although the risk remains extremely high it is slightly lower than for the “highly exploitable” vulnerabilities listed above. The additional critical vulnerabilities highlighted by Oracle this quarter are:

| Product | CVE | CVSS Score |
|---|---|---|
| Oracle SD-WAN Edge 9.1.1.5.0-9.1.1.8.0 | CVE-2022-36760 | 9.1 |
| Oracle Hospitality OPERA 5.6.19.19, 5.6.25.8, 5.6.26.4 | CVE-2024-21172 | 9.0 |

 

Statistics

Total CVEs addressed: 329 (across 334 security patches)
Highly exploitable critical vulnerabilities: 34
Total critical (CVSS 9.0+) vulnerabilities: 36

 

How to Protect Your Organisation with AppCheck

We recommend scanning your entire estate regularly using the AppCheck vulnerability scanner – server systems and networking infrastructure as well as end-user machines running desktop operating systems. Contact your account manager now if you are not already licensed for ‘internal scan hubs’ to cover scanning of your entire technical estate.

 

Next Critical Patch Updates

The next four dates for Critical Patch Updates will be on:

* 21 January 2025
* 15 April 2025
* 15 July 2025
* 21 October 2025

Add them to your calendar now!

Also keep an eye on our blog for coverage of other critical vulnerability updates including:

* Our weekly roundup of ‘Known Exploited Vulnerabilities’ from across all vendors, published each Friday.
* Our monthly coverage of the ‘Patch Tuesday’ updates from Microsoft and several other major vendors – next due on 12th November 2024

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
