Oracle consistently receives reports of attempted malicious exploits, with some attackers succeeding due to customers neglecting available security patches. The company urges customers to stay on supported versions and promptly apply Critical Patch Update fixes.
The latest Critical Patch Update includes 387 security patches for various product families. For a summary and more information, please refer to the October 2023 Critical Patch Update Executive Summary and Analysis on MOS.
Oracle Critical Security Update
Oracle assesses each security vulnerability in a Critical Patch Update but doesn’t share the detailed analysis. The Risk Matrix and accompanying documentation outline the vulnerability type, exploitation conditions, and potential impact, allowing customers to conduct their product-specific risk assessment.
The company includes updates for non-exploitable vulnerabilities in third-party components below the product’s risk matrix. A VEX justification is also provided starting from the July 2023 Critical Patch Update.
In light of the threat posed by potential attacks, Oracle urges customers to apply Critical Patch Update security patches promptly. Until the patches are applied, risk can be reduced by blocking the network protocols an attack would require, or by revoking privileges and access to the specific affected packages.
However, both methods may impact application functionality, so thorough testing on non-production systems is advised. It’s important to note that neither approach constitutes a long-term solution, as they don’t address the root issue.
Patches in the Critical Patch Update program are for Premier and Extended Support product versions. Oracle advises customers to upgrade for patch access.
Product releases outside these support phases aren't tested for these vulnerabilities, but earlier, unsupported versions are likely affected, so the company recommends upgrading to supported versions.
Database, Fusion Middleware, and Oracle Enterprise Manager follow the Software Error Correction Support Policy (My Oracle Support Note 209768.1) for patching. The complete list of the patched vulnerabilities can be found here.