
Oracle Releases Critical Security Updates October 2024 – Patch Now!

Oracle has released its Critical Patch Update (CPU) for October 2024, containing 334 new security patches across various product families, including Oracle Database Server, Oracle MySQL, Oracle Communications, Oracle E-Business Suite, Oracle Fusion Middleware, and more. This update addresses vulnerabilities in both Oracle code and third-party components. Oracle recommends applying these patches immediately to mitigate risk, especially for vulnerabilities that are remotely exploitable without authentication.

Oracle Database Server Risk Matrix

This Critical Patch Update contains six new security patches for Oracle Database Products, two of which may be remotely exploitable without authentication. Additionally, one patch applies to client-only installations. The following products and components are affected:

Additional CVEs addressed: The patch for CVE-2024-6119 also addresses CVE-2024-5535.

Oracle Application Express Risk Matrix

This Critical Patch Update contains three new security patches for Oracle Application Express. One of these vulnerabilities may be remotely exploitable without authentication.

Oracle Blockchain Platform Risk Matrix

Oracle Blockchain Platform received seven new security patches, of which four vulnerabilities are remotely exploitable without authentication. The following products and components are affected:

  • Products: Oracle Blockchain Platform
  • Affected Components: Blockchain Cloud Service Console (Netty), Blockchain Cloud Service Console (Golang Go), Blockchain Cloud Service Console (Node.js), Blockchain Cloud Service Console (follow-redirects), Blockchain Cloud Service Console (Google Guava), Blockchain Cloud Service Console (OpenSSH), Blockchain Cloud Service Console (Apache Commons Compress)
  • CVE IDs: CVE-2023-44487, CVE-2023-45288, CVE-2024-22020, CVE-2024-28849, CVE-2023-2976, CVE-2023-48795, CVE-2024-26308

Additional CVEs addressed: The patch for CVE-2023-48795 also addresses CVE-2023-51384 and CVE-2023-51385. The patch for CVE-2024-22020 also addresses CVE-2024-22018, CVE-2024-36137, CVE-2024-36138, and CVE-2024-37372. The patch for CVE-2024-26308 also addresses CVE-2024-25710.

Oracle Essbase Risk Matrix

This Critical Patch Update contains one new security patch for Oracle Essbase. The vulnerability, CVE-2024-7264, is remotely exploitable without authentication.

  • Products: Oracle Essbase
  • Affected Components: Essbase Web Platform (curl)
  • CVE IDs: CVE-2024-7264

Oracle GoldenGate Risk Matrix

Oracle GoldenGate received four new security patches, of which one vulnerability may be remotely exploitable without authentication.

  • Products: GoldenGate Stream Analytics, Oracle GoldenGate Big Data and Application Adapters
  • Affected Components: Spark (Apache ZooKeeper), Security (Apache Commons Compress), Spark (Apache Avro Java), Application Adapters (Apache Avro Java)
  • CVE IDs: CVE-2024-23944, CVE-2024-26308, CVE-2023-39410, CVE-2023-39410

Additional CVEs addressed: The patch for CVE-2024-26308 also addresses CVE-2024-25710.

Oracle NoSQL Database Risk Matrix

This Critical Patch Update contains one new security patch for Oracle NoSQL Database. The vulnerability is not remotely exploitable without authentication.

  • Products: Oracle NoSQL Database
  • Affected Components: Administration (Netty)
  • CVE IDs: CVE-2024-29025

Oracle Secure Backup Risk Matrix

Oracle Secure Backup received two new security patches, both remotely exploitable without authentication.

  • Products: Oracle Secure Backup
  • Affected Components: Oracle Secure Backup (Apache HTTP Server), PHP and EM GUI (OpenSSL)
  • CVE IDs: CVE-2024-38476, CVE-2024-4741

Additional CVEs addressed: The patch for CVE-2024-38476 also addresses CVE-2024-36387, CVE-2024-38472, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38477, CVE-2024-39573, CVE-2024-39884, CVE-2024-40725, and CVE-2024-40898. The patch for CVE-2024-4741 also addresses CVE-2024-2511 and CVE-2024-4603.

Oracle SQL Developer Risk Matrix

This Critical Patch Update contains one new security patch for Oracle SQL Developer, which can be remotely exploited without authentication.

  • Products: Oracle SQL Developer
  • Affected Components: Install (Apache Mina SSHD)
  • CVE IDs: CVE-2023-48795

Oracle Communications Risk Matrix

This Critical Patch Update contains one hundred new security patches for Oracle Communications and additional third-party patches noted below. Eighty-one of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Products: Oracle Communications Cloud Native Core Unified Data Repository, Oracle Enterprise Communications Broker, Oracle SD-WAN Aware, Oracle SD-WAN Edge, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Network Repository Function, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Cloud Native Core Service Communication Proxy, Oracle Communications Network Analytics Data Director, Oracle Communications Cloud Native Core Automated Test Suite, Oracle Communications Cloud Native Core Network Slice Selection Function, Oracle Communications Cloud Native Core Certificate Management, Oracle Communications Cloud Native Core Console, Oracle Communications Core Session Manager, Oracle Communications Session Border Controller, Oracle Enterprise Operations Monitor, Management Cloud Engine, Oracle Communications Cloud Native Core DBTier, Oracle Communications Operations Monitor, Oracle Communications Policy Management, Oracle Communications User Data Repository, Oracle Communications LSMS, Oracle Communications Performance Intelligence Center, Oracle Communications EAGLE Application Processor.

Affected Components: Install/Upgrade (LibExpat), System (OpenSSH), Web UI (PHP), Platform (Python), Platform (OpenSSL), Configuration (Kerberos), Signaling (Kerberos), Alarms, KPI, and Measurements (Kerberos), Automated Test Suite (Kerberos), Configuration (Kerberos), Signaling (Apache CXF), Signaling (Kerberos), Third Party (Kerberos), Platform (Apache HTTP Server), ATS Framework (Jenkins), Configuration (Jenkins), Signaling (Jenkins), Automated Test Suite (Jenkins), Alarms, KPI, and Measurements (Jenkins), Automated Test Suite (Jenkins), Management Service (glibc), Configuration (curl), Configuration (libcurl), Alarms, KPI, and Measurements (glibc), Configuration (glibc), Routing (glibc), Routing (glibc), System (glibc), Mediation Engine (glibc), Platform (glibc), Platform (grub2), Internal Tools (Spring Security), BEServer (Spring Framework), Configuration (Spring Framework), Patch (OpenSSH), User Interface (Spring Framework), BEServer (Apache Tomcat), BEServer (Eclipse Parsson), ATS Framework (Apache HTTP Server), ATS Framework (Werkzeug), Configuration (JasPer), Configuration (Werkzeug), Management Service (Undertow), Management Service (jose4j), Configuration (Undertow), Configuration (Undertow), Configuration (Werkzeug), Discovery Microservice (Undertow), Discovery Microservice (Bouncy Castle Java Library), Alarms, KPI, and Measurements (JasPer), Alarms, KPI, and Measurements (Werkzeug), Alarms, KPI, and Measurements (jose4j), Policy Control Function (Undertow), Automated Test Suite (JasPer), Automated Test Suite (Werkzeug), Configuration (Werkzeug), Signaling (Google Protobuf-Java), Signaling (Okio), Signaling (Undertow), Signaling (curl), Configuration (Werkzeug), Mediation Engine (Werkzeug), Probe (AIOHTTP), CMP (Apache Tomcat), Platform (Apache Tomcat), Platform (libxml2), Platform (X.Org Server), Configuration (OpenLDAP), Configuration (OpenLDAP), Configuration (OpenLDAP), Configuration (Node.js), Web UI (Apache Xerces2 Java), Third Party (follow-redirects), Mediation Engine (nginx), Configuration (Python), Routing (Python), System (Python), BEServer (Apache Mina SSHD), Configuration (XNIO), Platform (Apache Mina SSHD), Publications (Apache Mina SSHD), Configuration (Python), Configuration (Python), Configuration (Apache Commons Compress), Security Framework (Nghttp2), Configuration (Nghttp2), Configuration (OpenSSL), Configuration (Nghttp2), Configuration (Nghttp2), Signaling (Netty), Alarms, KPI, and Measurements (Nghttp2), Configuration (Nghttp2), Configuration (Nghttp2), Third Party (Nghttp2), Management (Nghttp2), Routing (Nghttp2), System (Nghttp2), Signaling (dnsjava), Alarms, KPI, and Measurements (urllib3), Policy Control Function (urllib3)

CVE IDs: CVE-2024-45492, CVE-2023-38408, CVE-2024-4577, CVE-2023-6816, CVE-2022-2068, CVE-2024-37371, CVE-2024-37371, CVE-2024-37371, CVE-2024-37371, CVE-2024-37371, CVE-2024-29736, CVE-2024-37371, CVE-2024-37371, CVE-2022-36760, CVE-2024-43044, CVE-2024-43044, CVE-2024-43044, CVE-2024-43044, CVE-2024-43044, CVE-2024-43044, CVE-2024-33602, CVE-2024-2398, CVE-2024-2398, CVE-2024-33602, CVE-2024-33602, CVE-2024-33602, CVE-2024-33602, CVE-2024-33602, CVE-2024-33602, CVE-2024-33602, CVE-2022-2601, CVE-2024-22257, CVE-2024-22262, CVE-2024-38816, CVE-2024-6387, CVE-2024-22262, CVE-2024-34750, CVE-2023-4043, CVE-2024-40898, CVE-2023-46136, CVE-2024-31744, CVE-2023-46136, CVE-2024-5971, CVE-2023-51775, CVE-2024-6162, CVE-2024-5971, CVE-2023-46136, CVE-2024-5971, CVE-2024-29857, CVE-2024-31744, CVE-2023-46136, CVE-2023-51775, CVE-2024-5971, CVE-2024-31744, CVE-2023-46136, CVE-2023-46136, CVE-2024-7254, CVE-2023-3635, CVE-2024-6162, CVE-2024-2398, CVE-2023-46136, CVE-2023-46136, CVE-2024-30251, CVE-2024-23672, CVE-2024-34750, CVE-2024-25062, CVE-2024-31080, CVE-2023-2953, CVE-2023-2953, CVE-2023-2953, CVE-2024-22020, CVE-2022-23437, CVE-2024-28849, CVE-2024-32760, CVE-2024-0450, CVE-2024-0450, CVE-2024-0450, CVE-2023-48795, CVE-2023-5685, CVE-2023-48795, CVE-2023-48795, CVE-2023-6597, CVE-2023-6597, CVE-2024-26308, CVE-2024-28182, CVE-2024-28182, CVE-2024-4603, CVE-2024-28182, CVE-2024-28182, CVE-2024-29025, CVE-2024-28182, CVE-2024-28182, CVE-2024-28182, CVE-2024-28182, CVE-2024-28182, CVE-2024-28182, CVE-2024-28182, CVE-2024-25638, CVE-2024-37891, CVE-2024-37891.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains eighteen new security patches for Oracle E-Business Suite. One of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Products: Oracle Advanced Pricing, Oracle Applications Manager, Oracle Common Applications Calendar, Oracle Contract Lifecycle Management for Public Sector, Oracle Cost Management, Oracle Field Service, Oracle Financials, Oracle Incentive Compensation, Oracle MES for Process Manufacturing, Oracle Process Manufacturing Product Development, Oracle Product Hub, Oracle Quoting, Oracle Service Contracts, Oracle Site Hub, Oracle Sourcing, Oracle Work in Process, Oracle Installed Base, Oracle Enterprise Command Center Framework.

Affected Components: Price List, Diagnostics, Tasks, Award Processes, Cost Planning, Field Service Engineer Portal, Common Components, Compensation Plan, Device Integration, Quality Manager Specification, Item Catalog, User Interface, Authoring, Site Hierarchy Flows, Auctions, Messages, User Interface, Diagnostics

CVE IDs: CVE-2024-21266, CVE-2024-21268, CVE-2024-21270, CVE-2024-21278, CVE-2024-21267, CVE-2024-21271, CVE-2024-21282, CVE-2024-21269, CVE-2024-21277, CVE-2024-21250, CVE-2024-21252, CVE-2024-21275, CVE-2024-21280, CVE-2024-21265, CVE-2024-21279, CVE-2024-21276, CVE-2024-21258, CVE-2024-21206

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains seven new security patches for Oracle Enterprise Manager and additional third-party patches noted below. Three of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Products: Oracle Enterprise Manager Base Platform, Oracle Enterprise Manager for Peoplesoft, Oracle Application Testing Suite.

Affected Components: Agent Next Gen (BSAFE Crypto-J), Agent Next Gen (Eclipse Jetty), Install (Integrated Performance Primitives), PSEM Plugin (Apache Santuario XML Security for Java), Load Testing for Web Apps (Apache Commons Compress), Install (Apache Commons Compress), Job System (Netty)

CVE IDs: CVE-2022-34381, CVE-2024-22201, CVE-2023-28823, CVE-2023-44483, CVE-2024-26308, CVE-2024-26308, CVE-2024-29025

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains twenty new security patches for Oracle Financial Services Applications and additional third-party patches noted below. Fifteen of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Products: Oracle Banking Cash Management, Oracle Banking Supply Chain Finance, Oracle Banking APIs, Oracle Banking Digital Experience, Oracle Financial Services Compliance Studio, Oracle Banking Liquidity Management, Oracle Financial Services Revenue Management and Billing, Oracle Banking Corporate Lending Process Management.

Affected Components: Accessibility (OpenSSL), Security (OpenSSL), Authentication (Apache ActiveMQ), UI General (Apache ActiveMQ), Authentication (Spring Framework), Reports (Pillow), Accessibility (Apache CXF), Common (Apache CXF), Common (OpenSSL), Security (Apache CXF), Reports, Reports, Reports (Spring Boot), Authentication (CKEditor), UI General (CKEditor), Installation (jQueryUI), Reports (SQLite), Authentication (Netty), Base (Netty), Infrastructure

CVE IDs: CVE-2024-5535, CVE-2024-5535, CVE-2024-32114, CVE-2024-32114, CVE-2024-22262, CVE-2023-50447, CVE-2024-32007, CVE-2024-32007, CVE-2024-2511, CVE-2024-32007, CVE-2024-21285, CVE-2024-21284, CVE-2023-34055, CVE-2024-43407, CVE-2024-43407, CVE-2022-31160, CVE-2024-0232, CVE-2024-29025, CVE-2024-29025, CVE-2024-21281

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains three new security patches for Oracle Food and Beverage Applications. These vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Products: Oracle Hospitality Simphony

Affected Components: Engagement (Moment.js), Engagement (DataTables), Engagement (jQueryUI)

CVE IDs: CVE-2022-31129, CVE-2021-36713, CVE-2022-31160

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains thirty-two new security patches for Oracle Fusion Middleware and additional third-party patches noted below. Twenty-five of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Products: Oracle Outside In Technology, Oracle WebLogic Server, Oracle WebCenter Forms Recognition, Oracle Data Integrator, Oracle Business Activity Monitoring, Oracle Business Process Management Suite, Oracle Enterprise Data Quality, Oracle Access Manager, Oracle Middleware Common Libraries and Tools, Oracle Enterprise Manager Fusion Middleware Control, Oracle Global Lifecycle Management FMW Installer, Oracle HTTP Server, Oracle Managed File Transfer, Oracle Service Bus, Oracle WebCenter Sites, Oracle WebCenter Portal, Oracle Identity Manager Connector, Oracle Enterprise Manager for Fusion Middleware.

Affected Components: DC-Specific Component (LibExpat), Core, Fusion Apps (Apache CXF), Centralized Thirdparty Jars (Eclipse JGit), Centralized Thirdparty Jars (Jython), Composer (RequireJS), Composer (RequireJS), Centralized Thirdparty Jars (RequireJS), Web Server Plugin (Apache Xerces-C++), Third Party (Spring Framework), Fusion Apps (Spring Framework), FMW Control Plugin, Cloning, Web Listener (OpenSSL), MFT Runtime Server (Apache Tomcat), Third Party (Eclipse Jetty), DC-Specific Component (libheif), DC-Specific Component (unrar), OSB Core Functionality, Console, Core, Core, Core, Third Party (Apache Commons Configuration), OSB Core Functionality, WebCenter Sites (jose4j), Security Framework (jQuery), Connectors and Connector Server (Apache Groovy), Plugins (Nghttp2), Outside In Maintenance (lrzip-next), Runtime Java agent (jackson-databind), WebLogic Mgmt

CVE IDs: CVE-2024-45492, CVE-2024-21216, CVE-2024-28752, CVE-2023-4759, CVE-2024-6345, CVE-2024-38999, CVE-2024-38999, CVE-2024-38999, CVE-2024-23807, CVE-2024-22262, CVE-2024-22262, CVE-2024-21191, CVE-2024-21190, CVE-2024-2511, CVE-2024-24549, CVE-2024-22201, CVE-2024-25269, CVE-2024-36052, CVE-2024-21246, CVE-2024-21274, CVE-2024-21215, CVE-2024-21234, CVE-2024-21260, CVE-2024-29131, CVE-2024-21205, CVE-2023-51775, CVE-2020-11023, CVE-2020-17521, CVE-2024-28182, CVE-2023-39743, CVE-2023-35116, CVE-2024-21192

Oracle Analytics Risk Matrix

This Critical Patch Update contains twelve new security patches for Oracle Analytics and additional third-party patches noted below. Seven of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Products: Oracle Business Intelligence Enterprise Edition, Oracle BI Publisher.

Affected Components: BI Application Archive (Apache Log4j), Analytics Server (curl), Development Operations (Apache CXF), Web Server, BI Platform Security, Analytics Web Answers (RequireJS), Layout Templates, Installation, BI Platform Security (OpenSSL), Analytics Server, Content Storage Service (Apache Commons Compress), XML Services (Spring Framework), Analytics Server (OpenSSL), Analytics Admin Tool, Content Storage Service (jackson-databind), BI Application Archive (Apache Commons Configuration)

CVE IDs: CVE-2022-23305, CVE-2023-38545, CVE-2024-29736, CVE-2024-21254, CVE-2024-38999, CVE-2024-21195, CVE-2023-0401, CVE-2024-26308, CVE-2024-38809, CVE-2023-5678, CVE-2023-35116, CVE-2024-29133

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains three new security patches for Oracle Hospitality Applications. These vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Products: Oracle Hospitality OPERA 5, Oracle Hospitality Cruise Shipboard Property Management System.

Affected Components: Opera Servlet, Next-Gen SPMS (Apache Tomcat), Next-Gen SPMS (Apache Commons Configuration)

CVE IDs: CVE-2024-21172, CVE-2024-34750, CVE-2024-29131

Oracle Hyperion Risk Matrix

This Critical Patch Update contains three new security patches for Oracle Hyperion. One of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Products: Oracle Hyperion Financial Management, Oracle Hyperion Infrastructure Technology, Oracle Hyperion BI+

Affected Components: Security (Apache Xerces-C++), Installation and Configuration (Apache Commons Compress), UI and Visualization

CVE IDs: CVE-2024-23807, CVE-2024-26308, CVE-2024-21257

Oracle Java SE Risk Matrix

This Critical Patch Update contains eight new security patches for Oracle Java SE and additional third-party patches noted below. These vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of “High”, lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews, such as identifying potentially vulnerable third-party libraries used by their Java programs. The Java Management Service Documentation lists features available to everyone and those available only to customers.

Oracle MySQL Risk Matrix

This Critical Patch Update contains forty-five new security patches for Oracle MySQL and additional third-party patches noted below. Twelve vulnerabilities may be remotely exploitable without authentication, i.e., they can be exploited over a network without requiring user credentials.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains twelve new security patches for Oracle PeopleSoft and additional third-party patches noted below. Two of these vulnerabilities may be remotely exploitable without authentication, i.e., they can be exploited over a network without requiring user credentials.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains four new security patches for Oracle Retail Applications. These vulnerabilities may be remotely exploitable without authentication, i.e., they can be exploited over a network without requiring user credentials.

  • Products: Oracle Retail EFTLink, Oracle Retail Customer Management and Segmentation Foundation.
  • Affected Components: Core/Plugin (Eclipse Parsson), Framework (Eclipse Jetty), Internal Operations (Apache Mina SSHD), Internal Operations (Spring Framework)
  • CVE IDs: CVE-2023-4043, CVE-2024-22201, CVE-2024-41909, CVE-2024-38808

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains two new security patches for Oracle Siebel CRM. These vulnerabilities may be remotely exploitable without authentication, i.e., they can be exploited over a network without requiring user credentials.

  • Products: Siebel CRM Integration, Siebel Apps – Marketing
  • Affected Components: EAI (Apache Tomcat), User Interface (CKEditor)
  • CVE IDs: CVE-2024-24549, CVE-2023-28439

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains three new security patches for Oracle Supply Chain. These vulnerabilities may be remotely exploitable without authentication, i.e., they can be exploited over a network without requiring user credentials.

  • Products: Oracle Autovue for Agile Product Lifecycle Management, Oracle Agile PLM.
  • Affected Components: Core (Apache Xerces-C++), File Manager (Apache Tomcat), Core (Eclipse Jetty)
  • CVE IDs: CVE-2024-23807, CVE-2024-24549, CVE-2024-22201

Oracle Systems Risk Matrix

This Critical Patch Update contains seven new security patches for Oracle Systems. Five of these vulnerabilities may be remotely exploitable without authentication, i.e., they can be exploited over a network without requiring user credentials.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains three new security patches for Oracle Utilities Applications and additional third-party patches noted below. These vulnerabilities may be remotely exploitable without authentication, i.e., they can be exploited over a network without requiring user credentials.

  • Products: Oracle Utilities Application Framework, Oracle Utilities Network Management System
  • Affected Components: General (jQuery), General (jQueryUI), System Wide (Netty)
  • CVE IDs: CVE-2020-11022, CVE-2021-41184, CVE-2024-29025

Oracle Virtualization Risk Matrix

This Critical Patch Update contains five new security patches for Oracle Virtualization. None of these vulnerabilities is remotely exploitable without authentication, i.e., none can be exploited over a network without requiring user credentials.

Conclusion

Oracle strongly recommends applying these security patches without delay to address these vulnerabilities and to secure the affected products. Failing to apply these updates may open systems to attacks exploiting the identified vulnerabilities. Organizations must perform thorough testing before implementing the patches in production environments.

The next Critical Patch Update is scheduled for January 21, 2025. Visit Oracle’s official security advisory page to stay updated and ensure that your systems are protected from emerging threats.

SanerNow VM and SanerNow PM can detect and automatically fix these vulnerabilities by applying security updates. Therefore, use SanerNow and keep your systems secure and updated.