Oracle has released its Critical Patch Update for April 2023 to include 433 vulnerability fixes across multiple products.
The company also continues to receive reports of remote attackers attempting to maliciously exploit unpatched vulnerabilities.
In some cases, the malicious actors have successfully exploited vulnerabilities because organizations failed to apply the necessary Oracle patches.
Oracle Database product patches
As part of the April 2023 Critical Patch Update (CPU), Oracle has addressed 23 vulnerabilities across multiple Oracle Database products.
The Oracle Database update includes fixes for 5 vulnerabilities, all of them rated Medium severity. Oracle confirmed none of these vulnerabilities can be remotely exploitable without authentication (i.e., none may be exploited over a network without requiring user credentials).
In addition, Oracle patched 34 new vulnerabilities in Oracle MySQL, 11 of these vulnerabilities may be remotely exploitable without authentication.
One of the addressed issues was a Critical severity vulnerability (CVE-2022-37434) in MySQL Server InnoDB (zlib) component (CVSS score 9.8).
Ten (10) other High severity vulnerabilities were also patched.
Oracle Java patches
Oracle patched 8 vulnerabilities in Oracle Java SE, 7 of these vulnerabilities may be remotely exploitable without authentication.
One of these vulnerabilities, a High severity flaw (CVE-2023-21930) affects Oracle Java SE, Oracle GraalVM Enterprise Edition JSSE and has CVSS score of 7.4.
Oracle Enterprise Manager patches
The Critical Patch Update also addressed 4 new security vulnerabilities in Oracle Enterprise Manager, 3 of these can be exploited remotely without user credentials.
Two of the Oracle Enterprise Manager issues are rated High severity and affected the following products and components:
- CVE-2021-40690: Oracle Application Testing Suite Load Testing for Web Apps (Apache Santuario XML Security For Java).
- CVE-2022-41966 Oracle Enterprise Manager Ops Center Networking (XStream).
Each of these are rated CVSS of 7.5.
Oracle Communications Applications
Moreover, Oracle also addressed 18 new vulnerabilities in Oracle Communications Applications. Attackers could remotely exploit 13 of these vulnerabilities without user authentication.
Four of the Oracle Communications Applications vulnerabilities are rated Critical severity (along with affected product and component):
- CVE-2020-35168: Oracle Communications IP Service Activator Other (Dell BSAFE Micro Edition Suite), CVSS 9.8.
- CVE-2022-1471: Oracle Communications Unified Assurance Vision (SnakeYAML), CVSS 9.8.
- CVE-2022-1471: Oracle Communications Unified Inventory Management TMF APIs (SnakeYAML), CVSS 9.8.
- CVE-2022-36760: Oracle Communications Unified Assurance Core (Apache HTTP Server), CVSS 9.0.
Oracle Fusion Middleware patches
Also, Oracle has patched 5 new vulnerabilities in Oracle Fusion Middleware. Attackers could remotely exploit 4 of these vulnerabilities without user authentication.
In all, Oracle patched 3 Critical vulnerabilities (along with affected product and component):
Overall, the 433 April 2023 patches are up significantly from the 327 patches released in the January 2023 CPU.
Finally, check out the the Oracle April 2023 CPU for additional details on vulnerabilities that affect multiple other Oracle products.