Oracle Critical Patch Update, July 2024 Security Update Review

Diksha Ojha

Last updated on: August 5, 2024

Oracle released the third quarterly edition of its Critical Patch Update, which contains patches for 386 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. The patches address vulnerabilities across many product families, including third-party components shipped in Oracle products.

In the third quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 95, constituting about 24% of the total patches released. Oracle Financial Services Applications and Oracle Fusion Middleware followed, with 60 and 41 security patches, respectively. 

319 of the 386 security patches (about 83%) are for non-Oracle CVEs, i.e., fixes for issues in third-party products such as open-source components that are included in, and exploitable in the context of, Oracle product distributions.

This month’s batch of security patches contains 15 updates for Oracle Database products. Product-wise distribution is as follows:

  • 8 new security updates for Oracle Database Server with a maximum reported CVSS Base Score of 7.5.
    • 1 of these updates applies to client-only deployments of the Oracle Database. 
  • 1 new security update for Oracle Application Express with a maximum reported CVSS Base Score of 4.7. 
  • 2 new security updates for Oracle Essbase with a maximum reported CVSS Base Score of 6.7. 
  • 1 new security update for Oracle GoldenGate with a maximum reported CVSS Base Score of 5.9. 
  • 1 new security update for Oracle NoSQL Database with a maximum reported CVSS Base Score of 5.9. 
  • 1 new security update for Oracle REST Data Services with a maximum reported CVSS Base Score of 5.3. 
  • 1 new security update for Oracle TimesTen In-Memory Database with a maximum reported CVSS Base Score of 4.3. 

In these security updates, Oracle has covered product families, including Oracle Database Server, Oracle Application Express, Oracle Essbase, Oracle GoldenGate, Oracle NoSQL Database, Oracle REST Data Services, Oracle TimesTen In-Memory Database, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle HealthCare Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, Oracle Virtualization.

Qualys QID Coverage

Qualys has released 12 QIDs, listed in the table below:

QID       Title
20438     Oracle MySQL JULY 2024 Critical Patch Update (CPUJUL2024) (CVE-2024-21185)
380193    Oracle Managed Virtualization (VM) VirtualBox Denial of Service (DoS) Vulnerability (CPUJUL2024) (CVE-2024-21161)
380192    Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUJUL2024) (CVE-2024-21141, CVE-2024-21164)
380191    Oracle Coherence April 2024 Critical Patch Update (CPUJUL2024)
20437     Oracle MySQL JULY 2024 Critical Patch Update (CPUJUL2024)
380190    Oracle Hypertext Transfer Protocol (HTTP) Server Multiple Vulnerabilities (CPUJUL2024)
296114    Oracle Solaris 11.4 Support Repository Update (SRU) 71.170.2 Missing (CPUJUL2024)
87557     Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2024)
380188    Oracle Java Standard Edition (SE) Critical Patch Update – July 2024 (CPUJUL2024)
20436     Oracle Database 21c Critical Patch Update – July 2024
20435     Oracle Database 19c Critical OJVM Patch Update – July 2024
20420     Oracle Database 19c Critical Patch Update – July 2024
152029    Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2024)

Note: The table will be updated with the additional QIDs once released.

Notable Oracle Vulnerabilities Patched

Oracle Communications

This Critical Patch Update for Oracle Communications contains 95 security patches. Out of these, 84 vulnerabilities can be exploited over a network without user credentials.

CVE-2024-23897, CVE-2023-37920, and CVE-2022-48174 in different Oracle Communications products have critical severity ratings and CVSS scores of 9.8. A remote attacker may exploit these vulnerabilities in a low-complexity network attack.

Oracle Financial Services Applications

This Critical Patch Update for Oracle Financial Services Applications contains 60 new security patches. 44 of these vulnerabilities can be remotely exploited without authentication.

CVE-2023-47248 and CVE-2022-36944 in different Oracle Financial Services Applications products have critical severity ratings and CVSS scores of 9.8. A remote attacker may exploit these vulnerabilities in a low-complexity network attack.

Oracle Fusion Middleware

This Critical Patch Update for Oracle Fusion Middleware contains 41 new security patches. 32 of these vulnerabilities can be remotely exploited without authentication.

CVE-2023-45853, CVE-2022-45378, CVE-2023-34034, and CVE-2024-21181 in different Oracle Communications products have critical severity ratings and CVSS scores of 9.8. A remote attacker may exploit these vulnerabilities in a low-complexity network attack.

Oracle MySQL

This Critical Patch Update for Oracle MySQL contains 37 security patches. 11 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2023-37920 in MySQL Cluster has a critical severity rating and a CVSS score of 9.8. A remote attacker may exploit this vulnerability in a low-complexity network attack.

Oracle Communications Applications

This Critical Patch Update for Oracle Communications Applications contains 20 security patches. 14 of these vulnerabilities may be exploited over a network without requiring user credentials.

CVE-2022-34381 in Oracle Communications Billing and Revenue Management has a critical severity rating and a CVSS score of 9.8. A remote attacker may exploit this vulnerability in a low-complexity network attack.

Oracle Analytics

This Critical Patch Update for Oracle Analytics contains 17 security patches. 12 of these vulnerabilities may be exploited over a network without requiring user credentials.

CVE-2022-0239 and CVE-2022-21797 in the Oracle Business Intelligence Enterprise Edition have critical severity ratings and CVSS scores of 9.8. A remote attacker may exploit these vulnerabilities in a low-complexity network attack.

Oracle Siebel CRM

This Critical Patch Update for Oracle Analytics contains 12 security patches. 11 of these vulnerabilities may be exploited over a network without requiring user credentials.

CVE-2022-37434 in Siebel CRM Deployment has a critical severity rating and a CVSS score of 9.8. A remote attacker may exploit this vulnerability in a low-complexity network attack.

Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)

Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous Knowledgebase (KB) updates.

You can list all of your hosts impacted by these vulnerabilities using the following QQL query:

vulnerabilities.vulnerability: ( qid:`152029` OR qid:`20438` OR qid:`380193` OR qid:`380192` OR qid:`380191` OR qid:`20437` OR qid:`380190` OR qid:`296114` OR qid:`87557` OR qid:`380188` OR qid:`20436` OR qid:`20435` OR qid:`20434`) 

Rapid Response with Patch Management (PM)

VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches with one click.

The following QQL will return the missing patches for this Patch Tuesday:

( qid:`152029` OR qid:`20438` OR qid:`380193` OR qid:`380192` OR qid:`380191` OR qid:`20437` OR qid:`380190` OR qid:`296114` OR qid:`87557` OR qid:`380188` OR qid:`20436` OR qid:`20435` OR qid:`20434`) 
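Both queries above are just the QID column of the coverage table joined with OR, so it is worth generating them from the table rather than typing them by hand, and checking that the published query and the table agree. The following Python script is an added example and is not Qualys code; it assumes only the QQL syntax shown on this page and uses the QID table as extracted above (embedded here as constructed sample input, header row and missing spaces included). Beyond rebuilding the two queries, it also reports any QID that appears in the page's VMDR query but not in the table, or the reverse.

```python
import re

# Constructed sample input: the QID table from this page, one "<QID><title>" entry
# per line, copied as extracted (note the missing space on the last two rows).
QID_TABLE = """\
QIDsTitle
20438 Oracle MySQL JULY 2024 Critical Patch Update (CPUJUL2024)(CVE-2024-21185)
380193 Oracle Managed Virtualization (VM) VirtualBox Denial of Service (DoS) Vulnerability (CPUJUL2024) (CVE-2024-21161)
380192 Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUJUL2024) (CVE-2024-21141, CVE-2024-21164)
380191 Oracle Coherence April 2024 Critical Patch Update (CPUJUL2024)
20437 Oracle MySQL JULY 2024 Critical Patch Update (CPUJUL2024)
380190 Oracle Hypertext Transfer Protocol (HTTP) Server Multiple Vulnerabilities (CPUJUL2024)
296114 Oracle Solaris 11.4 Support Repository Update (SRU) 71.170.2 Missing (CPUJUL2024)
87557 Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2024)
380188 Oracle Java Standard Edition (SE) Critical Patch Update – July 2024 (CPUJUL2024)
20436 Oracle Database 21c Critical Patch Update – July 2024
20435 Oracle Database 19c Critical OJVM Patch Update – July 2024
20420Oracle Database 19c Critical Patch Update – July 2024
152029Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2024)
"""

# The VMDR query as printed on this page, copied verbatim for the cross-check.
PAGE_QUERY = ("vulnerabilities.vulnerability: ( qid:`152029` OR qid:`20438` OR qid:`380193` "
              "OR qid:`380192` OR qid:`380191` OR qid:`20437` OR qid:`380190` OR qid:`296114` "
              "OR qid:`87557` OR qid:`380188` OR qid:`20436` OR qid:`20435` OR qid:`20434`)")

# A row is a run of digits (the QID) followed, with or without a space, by a title
# that starts with a letter; the "QIDsTitle" header line does not match and is skipped.
ROW_RE = re.compile(r"^\s*(\d+)\s*([A-Za-z].*\S)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
QID_IN_QUERY_RE = re.compile(r"qid:`(\d+)`")


def parse_qid_table(text):
    """Parse the flattened table into a list of dicts: qid (int), title, cves (list)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        qid, title = int(m.group(1)), m.group(2)
        rows.append({"qid": qid, "title": title, "cves": CVE_RE.findall(title)})
    return rows


def build_qql(qids, scope="vulnerabilities.vulnerability"):
    """Build the QQL clause in the shape this page uses.

    scope=None yields the bare parenthesised clause shown for Patch Management.
    QIDs are de-duplicated and sorted so the generated query is stable between runs.
    """
    clause = " OR ".join(f"qid:`{q}`" for q in sorted(set(qids)))
    return f"{scope}: ( {clause} )" if scope else f"( {clause} )"


def qids_in_query(query):
    """Extract the set of QIDs referenced by a QQL string."""
    return {int(q) for q in QID_IN_QUERY_RE.findall(query)}


def diff_query_vs_table(query, rows):
    """Report QIDs present in the query but not the table, and vice versa."""
    table_qids = {r["qid"] for r in rows}
    query_qids = qids_in_query(query)
    return {
        "only_in_query": sorted(query_qids - table_qids),
        "only_in_table": sorted(table_qids - query_qids),
    }


if __name__ == "__main__":
    rows = parse_qid_table(QID_TABLE)
    print(f"{len(rows)} QIDs parsed, "
          f"{sum(len(r['cves']) for r in rows)} CVEs named in titles")
    print("VMDR query:", build_qql(r["qid"] for r in rows))
    print("PM query:  ", build_qql((r["qid"] for r in rows), scope=None))
    print("Query vs table:", diff_query_vs_table(PAGE_QUERY, rows))
```

Run against the table as printed, the cross-check reports one QID that is only in the published query and one that is only in the table, which is exactly the kind of drift the note under the table ("will be updated with the additional QIDs once released") invites; regenerating the query from the current table each time avoids it.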