Latest Critical Patch Updates from Oracle – January 2024

On January 18, Oracle unveiled its first quarterly Critical Patch Update Advisory of the year. This advisory, a pivotal resource for Oracle users, details an array of 389 new security patches across various Oracle product families. This update includes several high-severity vulnerabilities, notably those that can be exploited remotely over the network, with some having a CVSS rating of 9 or above. The complete advisory is accessible at CPU January 2024. In this post, I’ll delve into the updates pertinent to my current projects, offering insights on what to expect.

Oracle Database

This update contains security patches that fix 3 vulnerabilities in the Oracle database. These are not vulnerabilities that can be exploited remotely without authentication. It is important to note that these vulnerabilities do not affect client-only installations, i.e. the patches are specifically intended for the database server. The most critical of these vulnerabilities has a CVSS rating of 6.5, which classifies the update as non-urgent. Nevertheless, it is advisable to apply these patches promptly to ensure the continued security of the database.

The essential database patches and release updates:

The patches for Oracle Database on Linux x86-64 are available immediately. For other operating systems, such as Linux ARM and Windows, the patches will be released step by step over the next few days. A detailed schedule and further information can be found in the Oracle support document 2986269.1, Critical Patch Update (CPU) Program Jan 2024 Patch Availability Document (DB-only).

A side note: Oracle Database 23c will also receive a targeted patch in this cycle. It is important to note that this patch is not a full release update. Instead, it specifically addresses the security fixes from the October 2023 and January 2024 advisories and currently only applies to the cloud database version of Oracle Database 23c.

Fusion Middleware

As far as Fusion Middleware is concerned, the situation remains unchanged compared to previous updates. This update fixes 39 vulnerabilities, 29 of which can be exploited remotely without any form of authentication. The urgency of installing these patches cannot be overstated.

I will focus here on the security updates for WebLogic Server. There is no security update for Oracle Unified Directory included in this Critical Patch Update. The full range of patches is listed in the Oracle support document 2806740.2.

What Else?

The update is very comprehensive and covers a wide range of Oracle products. While summaries, blog posts and reports provide an overview, it is essential to read the Oracle Critical Patch Update Advisory thoroughly and evaluate the patches relevant to your specific Oracle products. This is especially important for multi-component products such as Oracle Enterprise Manager where patch updates need to be applied to the base platform, WebLogic Server, repository database, etc.
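To make that multi-component check concrete, here is a small added helper (not part of the original post or any Oracle tool) that parses `opatch lspatches` output from each Oracle home and reports the homes that carry no patch from the January 2024 cycle. The sample output lines and patch IDs are constructed placeholders, and the assumption that release-update descriptions end their version string with a YYMMDD cycle tag is mine.

```python
import re
from datetime import date

# Constructed sample output of `opatch lspatches` (format: <patch_id>;<description>)
# for three Oracle homes. Patch IDs are placeholders, not real Oracle patch numbers.
SAMPLE_LSPATCHES = {
    "db_home_1": [
        "00000001;Database Release Update : 19.22.0.0.240116 (00000001)",
        "00000002;OJVM RELEASE UPDATE: 19.22.0.0.240116 (00000002)",
    ],
    "db_home_2": [
        "00000003;Database Release Update : 19.21.0.0.231017 (00000003)",
    ],
    "wls_home": [
        "00000004;WLS PATCH SET UPDATE 12.2.1.4.231012",
    ],
}

# Assumption: the version string in a release-update description ends with a
# six-digit YYMMDD tag naming the CPU cycle the patch belongs to.
DATE_TAG = re.compile(r"\.(\d{2})(\d{2})(\d{2})\b")


def patch_dates(lines):
    """Return the CPU-cycle dates found in one home's lspatches output, as ISO strings."""
    found = []
    for line in lines:
        _, _, desc = line.partition(";")  # drop the leading patch id
        m = DATE_TAG.search(desc)
        if m:
            yy, mm, dd = (int(g) for g in m.groups())
            found.append(date(2000 + yy, mm, dd).isoformat())
    return found


def homes_missing_cycle(lspatches, cycle_start):
    """Homes with no patch dated on or after cycle_start (ISO date, e.g. '2024-01-01')."""
    start = date.fromisoformat(cycle_start)
    missing = []
    for home, lines in lspatches.items():
        dates = [date.fromisoformat(d) for d in patch_dates(lines)]
        if not any(d >= start for d in dates):
            missing.append(home)
    return missing


if __name__ == "__main__":
    for home in homes_missing_cycle(SAMPLE_LSPATCHES, "2024-01-01"):
        print(f"{home}: no January 2024 CPU patch found")
```

In practice the input lists come from running `opatch lspatches` in each home (database, WebLogic, and any other component home) rather than from the constructed sample.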

Conclusion

Patches for Linux x86-64 are now available with the latest Oracle Critical Patch Update. Other platforms such as Linux ARM and Windows will receive the updates in the next few days (details in the Oracle support document 2986269.1). My tests confirm that these patches are successfully installed and ensure reliable updates.

The urgency of the Oracle Database patches is moderate, with the highest-rated vulnerability at CVSS 6.5, so they can be scheduled with ordinary priority. The patches for Oracle Fusion Middleware, however, require immediate action due to their typically high severity, underlining the importance of prioritizing these updates.

In summary, while the urgency varies by Oracle product, prompt and vigilant application of patches remains critical to maintaining secure and efficient Oracle environments.

The essential Links
