387+ New Security Flaws Patched


Oracle consistently receives reports of attempted malicious exploits, with some attackers succeeding due to customers neglecting available security patches. The company urges customers to stay on supported versions and promptly apply Critical Patch Update fixes.

The latest Critical Patch Update includes 387 security patches for various product families. For a summary and more information, please refer to the October 2023 Critical Patch Update Executive Summary and Analysis on MOS.

Oracle Critical Security Update

Oracle assesses each security vulnerability in a Critical Patch Update but doesn’t share the detailed analysis. The Risk Matrix and accompanying documentation outline the vulnerability type, exploitation conditions, and potential impact, allowing customers to conduct their product-specific risk assessment.

The company lists updates for non-exploitable vulnerabilities in third-party components below each product's risk matrix, and since the July 2023 Critical Patch Update it also provides a VEX (Vulnerability Exploitability eXchange) justification for them.

A protocol named in the risk matrix covers all of its secure variants as well; a secure variant is listed on its own only when it alone is affected, as with HTTPS for vulnerabilities in SSL and TLS.

In light of the threat posed by potential attacks, Oracle urges customers to apply Critical Patch Update security patches promptly. Until the patches are applied, risk can be reduced by blocking the network protocols an attack would require, or by revoking privileges and access to the affected packages.

However, both methods may impact application functionality, so thorough testing on non-production systems is advised. It’s important to note that neither approach constitutes a long-term solution, as they don’t address the root issue.

Patches in the Critical Patch Update program are for Premier and Extended Support product versions. Oracle advises customers to upgrade for patch access.

Product releases outside these support phases aren't tested for vulnerabilities, but earlier versions are likely to be affected, so the company recommends upgrading to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager follow the Software Error Correction Support Policy (My Oracle Support Note 209768.1) for patching. The complete list of the patched vulnerabilities can be found here.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.
