Oracle April 2024 Critical Patch Update Addresses 239 CVEs
Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Background
On April 16, Oracle released its Critical Patch Update (CPU) for April 2024, the second quarterly update of the year. This CPU contains fixes for 239 CVEs in 441 security updates across 30 Oracle product families. Out of the 441 security updates published this quarter, 8.6% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 44.4%, followed by high severity patches at 42.6%.
This quarter’s update includes 38 critical patches across 21 CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 38 | 21 |
| High | 188 | 79 |
| Medium | 196 | 122 |
| Low | 19 | 17 |
| Total | 441 | 239 |
Analysis
This quarter, the Oracle Commerce product family contained the highest number of patches at 93, accounting for 21.1% of the total patches, followed by Oracle Financial Services Applications at 51 patches, which accounted for 11.6% of the total patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Authentication |
|---|---|---|
| Oracle Commerce | 93 | 71 |
| Oracle Financial Services Applications | 51 | 35 |
| Oracle E-Business Suite | 49 | 30 |
| Oracle Communications | 47 | 43 |
| Oracle Insurance Applications | 36 | 9 |
| Oracle Supply Chain | 22 | 16 |
| Oracle TimesTen In-Memory Database | 14 | 10 |
| Oracle Hyperion | 13 | 10 |
| Oracle Systems | 13 | 1 |
| Oracle Food and Beverage Applications | 12 | 5 |
| Oracle Construction and Engineering | 11 | 7 |
| Oracle Java SE | 10 | 5 |
| Oracle MySQL | 10 | 9 |
| Oracle Database Server | 8 | 3 |
| Oracle GoldenGate | 8 | 6 |
| Oracle Communications Applications | 7 | 4 |
| Oracle Hospitality Applications | 6 | 2 |
| Oracle Retail Applications | 6 | 3 |
| Oracle Siebel CRM | 6 | 6 |
| Oracle Enterprise Manager | 4 | 2 |
| Oracle Analytics | 3 | 1 |
| Oracle Fusion Middleware | 2 | 0 |
| Oracle HealthCare Applications | 2 | 0 |
| Oracle Support Tools | 2 | 2 |
| Oracle Autonomous Health Framework | 1 | 1 |
| Oracle Big Data Spatial and Graph | 1 | 1 |
| Oracle Essbase | 1 | 1 |
| Oracle Global Lifecycle Management | 1 | 1 |
| Oracle Health Sciences Applications | 1 | 1 |
| Oracle PeopleSoft | 1 | 0 |
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the April 2024 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Oracle Critical Patch Update Advisory - April 2024
- Oracle April 2024 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Related Articles
Active Directory Under Attack: Five Eyes Guidance Targets Crucial Security Gaps
November 21, 2024A landmark global report from cybersecurity agencies emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the first of our two-part series, we offer five steps you can take today to shore up your AD defenses.
Five Cyber Agencies Sound Alarm About Active Directory Attacks: Beyond the Basics
November 21, 2024A landmark global report emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the second of our two-part series, we take you beyond the basics to highlight three key areas to focus on.
Volt Typhoon: What State and Local Government Officials Need to Know
November 19, 2024Increased activity from the state-sponsored threat group Volt Typhoon raises concerns about the cybersecurity of U.S. critical infrastructure. Here’s how you can identify potential exposures and attack paths.
Cybersecurity Snapshot: Prompt Injection and Data Disclosure Top OWASP’s List of Cyber Risks for GenAI LLM Apps
November 22, 2024Don’t miss OWASP’s update to its “Top 10 Risks for LLMs” list. Plus, the ranking of the most harmful software weaknesses is out. Meanwhile, critical infrastructure orgs have a new framework for using AI securely. And get the latest on the BianLian ransomware gang and on the challenges of protecting water and transportation systems against cyberattacks.
Active Directory Under Attack: Five Eyes Guidance Targets Crucial Security Gaps
November 21, 2024A landmark global report from cybersecurity agencies emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the first of our two-part series, we offer five steps you can take today to shore up your AD defenses.
Five Cyber Agencies Sound Alarm About Active Directory Attacks: Beyond the Basics
November 21, 2024A landmark global report emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the second of our two-part series, we take you beyond the basics to highlight three key areas to focus on.
- Exposure Management
- Vulnerability Management
- Exposure Management