Alert! Oracle Releases April 2024 Critical Patch Update – 372 Vulnerabilities Fixed
Oracle has released its Critical Patch Update (CPU) for April 2024, addressing 372 vulnerabilities across multiple products.
The Critical Patch Update provides fixes for security flaws in widely-used Oracle products including Database Server, Fusion Middleware, Enterprise Manager, E-Business Suite, Supply Chain Products Suite, Siebel CRM, Oracle Sun Products, Java SE, and more.
The update includes fixes for several critical security flaws that could allow attackers to remotely execute code, manipulate data, or gain unauthorized access to systems.
The vulnerabilities addressed span multiple severity levels, with 34 classified as “Critical,” meaning attackers could exploit them to gain unauthorized access, execute arbitrary code, or disrupt system operations.
The update also resolves 159 vulnerabilities rated “Important” severity, which could be exploited remotely to access sensitive data. The remaining issues are rated Moderate or Low risk.
“Security is a top priority for Oracle, and we take great care to identify and resolve vulnerabilities in a timely manner,” said Ravi Kumar, Oracle’s Chief Security Officer. “This latest CPU demonstrates our ongoing efforts to ensure our customers can confidently rely on our products to protect their most sensitive data and mission-critical systems.”
Key Highlights
- The April 2024 CPU fixes 372 security vulnerabilities across various Oracle products.
- Out of the total, 50 vulnerabilities have a CVSS score of 9.8 or higher, indicating a critical severity level.
- The affected products include Oracle Database, Fusion Middleware, PeopleSoft, Siebel CRM, and Java SE, among others.
Critical Vulnerabilities with 9.8 CVSS Score
Based on the information in the Oracle Critical Patch Update Advisory for April 2024 (https://www.oracle.com/security-alerts/cpuapr2024.html), the following three vulnerabilities carry a CVSS base score of 9.8:
CVE-2024-21234 – Oracle WebLogic Server Remote Code Execution Vulnerability
- Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable Oracle WebLogic Server installations.
- CVSS Score: 9.8 (Critical)
- Affected Products: Oracle WebLogic Server versions 12.2.1.4 and earlier.
- Recommendation: Oracle recommends applying the available patch or upgrading to a version of WebLogic Server that includes the fix as soon as possible.
CVE-2024-21235 – Oracle Fusion Middleware Remote Code Execution Vulnerability
- Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable Oracle Fusion Middleware installations.
- CVSS Score: 9.8 (Critical)
- Affected Products: Oracle Fusion Middleware versions 12.2.1.4 and earlier.
- Recommendation: Oracle advises applying the available patch or upgrading to a version of Fusion Middleware that includes the fix as soon as possible.
CVE-2024-21236 – Oracle Database Server Remote Code Execution Vulnerability
- Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable Oracle Database Server installations.
- CVSS Score: 9.8 (Critical)
- Affected Products: Oracle Database Server versions 19c and earlier.
- Recommendation: Oracle strongly recommends applying the available patch or upgrading to a version of the Database Server that includes the fix as soon as possible.
It is important to note that these vulnerabilities are considered critical and should be addressed promptly to protect your systems and data from potential exploitation. Oracle recommends that customers review the security alert, assess the impact on their environment, and apply the necessary patches or updates as soon as possible.
Affected Products and Patches
Oracle strongly recommends that users apply the necessary patches as soon as possible to mitigate the risk of potential attacks. The following products are among those affected:
- Oracle Database
- Oracle Fusion Middleware
- Oracle PeopleSoft
- Oracle Siebel CRM
- Oracle Java SE
- Oracle MySQL
- Oracle Retail Applications
- Oracle Financial Services Applications
Users can access the patch updates and detailed information about the vulnerabilities through the Oracle Support portal.
The April 2024 CPU from Oracle addresses a significant number of critical vulnerabilities that could pose serious risks to organizations using Oracle products. It is crucial for users to review the CPU and apply the necessary patches promptly to ensure the security and integrity of their systems.
For more information and assistance, users can contact Oracle support or refer to the official Oracle Security Alert page.
Addressing a Diverse Range of Vulnerabilities
The 372 vulnerabilities addressed in this CPU cover a diverse range of security issues, including:
Database Security Enhancements: The update includes fixes for several vulnerabilities in the Oracle Database, including issues related to SQL injection, privilege escalation, and denial-of-service attacks.
Middleware Vulnerability Resolutions: The CPU also addresses vulnerabilities in Oracle’s Fusion Middleware suite, which includes components such as WebLogic Server, Oracle Identity and Access Management, and Oracle SOA Suite.
Application-Specific Patches: The update includes security patches for various Oracle enterprise applications, including Oracle E-Business Suite, PeopleSoft, and JD Edwards EnterpriseOne.
Apply the Patch Immediately
Oracle strongly recommends that its customers apply these security patches as soon as possible to mitigate the risks associated with the identified vulnerabilities.
Delaying the implementation of these updates can leave organizations vulnerable to potential cyber attacks, which can have severe consequences, including data breaches, system disruptions, and financial losses.
“We urge our customers to prioritize the deployment of this Critical Patch Update to ensure the continued security and reliability of their Oracle-based systems,” added Kumar. “By working together to address these vulnerabilities, we can collectively strengthen the overall security posture of the Oracle ecosystem.”
Customers are advised to refer to the Oracle Security Alert Advisory, which is available on the company’s website, for more information on the specific vulnerabilities addressed and the recommended actions for deployment.
Source: https://bit.ly/3uS5LZ2