Oracle April 2023 Critical Patch Update Addresses 231 CVEs
Oracle addresses 231 CVEs in its second quarterly update of 2023 with 433 patches, including 74 critical updates.
On April 18, Oracle released its Critical Patch Update (CPU) for April 2023, the second quarterly update of the year. This CPU contains fixes for 231 CVEs in 433 security updates across 33 Oracle product families. Out of the 433 security updates published this quarter, 17.1% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 44.6%, followed by medium severity patches at 35.8%.
This quarter’s update includes 74 critical patches across 33 CVEs. The chart below details the severity and CVE counts for this quarter's security updates.
This quarter, the Oracle Commerce product family contained the highest number of patches at 77, accounting for 17.8% of the total patches, followed by Oracle E-Business Suite at 76 patches, which accounted for 17.6% of the total patches.
Of the 433 patches in this update, 80 patches cover 52 CVEs which were identified during the period from 2018 - 2021. Of these, 9 patches address 6 CVEs which were given a CVSSv3 score greater than 9. This means legacy vulnerabilities account for 18.5% of the total patches and 12.2% of critical patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
|Oracle Product Family||Number of Patches||Remotely Exploitable without Authentication|
|Oracle E-Business Suite||76||59|
|Oracle Enterprise Manager||49||44|
|Oracle Java SE||34||11|
|Oracle Financial Services Applications||20||12|
|Oracle TimesTen In-Memory Database||18||13|
|Oracle Insurance Applications||14||8|
|Oracle Fusion Middleware||10||3|
|Oracle JD Edwards||10||8|
|Oracle Big Data Spatial and Graph||7||5|
|Oracle SQL Developer||6||6|
|Oracle Siebel CRM||6||0|
|Oracle Database Server||5||0|
|Oracle Blockchain Platform||4||4|
|Oracle Communications Applications||4||3|
|Oracle Construction and Engineering||4||3|
|Oracle Supply Chain||4||3|
|Oracle Hospitality Applications||3||2|
|Oracle REST Data Services||2||1|
|Oracle HealthCare Applications||2||1|
|Oracle Retail Applications||2||2|
|Oracle Graph Server and Client||1||0|
|Oracle NoSQL Database||1||0|
|Oracle Health Sciences Applications||1||0|
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the April 2023 advisory for full details and patching instructions.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Oracle Critical Patch Update Advisory - April 2023
- Oracle April 2023 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Security Response Team on the Tenable Community.
Learn more about https://www.tenable.com/products/tenable-one">Tenable One, the Exposure Management Platform for the modern attack surface.
Cybersecurity News You Can Use
Enter your email and never miss timely alerts and security guidance from the experts at Tenable.