Oracle Critical Patch Update Advisory - July 2024

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 386 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at July 2024 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

| Affected Products and Versions | Patch Availability Document |
|---|---|
| JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.8.3 | JD Edwards |
| JD Edwards EnterpriseOne Tools, versions prior to 9.2.8.2 | JD Edwards |
| JD Edwards World Security, version A9.4 | JD Edwards |
| Management Pack for Oracle GoldenGate, version 12.2.1.2 | Database |
| MySQL Cluster, versions 7.5.34 and prior, 7.6.30 and prior, 8.0.37 and prior, 8.1.0 and prior, 8.3.0 and prior, 8.4.0 and prior | MySQL |
| MySQL Connectors, versions 8.4.0 and prior | MySQL |
| MySQL Enterprise Monitor, versions 8.0.38 and prior | MySQL |
| MySQL Server, versions 8.0.37 and prior, 8.0.38, 8.2.0 and prior, 8.3.0 and prior, 8.4.0 and prior, 8.4.1, 9.0.0 | MySQL |
| MySQL Workbench, versions 8.0.36 and prior | MySQL |
| Oracle Access Manager, version 12.2.1.4.0 | Fusion Middleware |
| Oracle Agile Engineering Data Management, versions 6.2.1.0-6.2.1.9 | Oracle Supply Chain Products |
| Oracle Analytics Desktop, versions prior to 7.7.0, prior to 7.8.0 | Oracle Analytics |
| Oracle Application Express, version 23.2 | Database |
| Oracle Application Testing Suite, version 13.3.0.1 | Oracle Enterprise Manager |
| Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2 | Oracle Supply Chain Products |
| Oracle Banking Branch, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | Contact Support |
| Oracle Banking Cash Management, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | Contact Support |
| Oracle Banking Corporate Lending Process Management, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | Contact Support |
| Oracle Banking Credit Facilities Process Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | Contact Support |
| Oracle Banking Deposits and Lines of Credit Servicing, version 2.12.0.0.0 | Oracle Banking Deposits and Lines of Credit Servicing |
| Oracle Banking Liquidity Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | Contact Support |
| Oracle Banking Origination, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | Contact Support |
| Oracle Banking Party Management, version 2.7.0.0.0 | Oracle Banking Platform |
| Oracle Banking Platform, version 2.4.0.0.0 | Oracle Banking Platform |
| Oracle Banking Virtual Account Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | Contact Support |
| Oracle Big Data Spatial and Graph, version 3.0.6 | Database |
| Oracle Business Activity Monitoring, version 12.2.1.4.0 | Fusion Middleware |
| Oracle Business Intelligence Enterprise Edition, versions 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0 | Oracle Analytics |
| Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware |
| Oracle Commerce Guided Search, version 11.3.2 | Oracle Commerce |
| Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2 | Oracle Commerce |
| Oracle Communications ASAP, version 7.4 | Oracle Communications ASAP |
| Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0 | Oracle Communications Billing and Revenue Management |
| Oracle Communications BRM - Elastic Charging Engine, versions 12.0.0.4-12.0.0.8, 15.0.0.0 | Oracle Communications BRM - Elastic Charging Engine |
| Oracle Communications Cloud Native Core Automated Test Suite, versions 23.1.0, 23.4.0 | Oracle Communications Cloud Native Core Automated Test Suite |
| Oracle Communications Cloud Native Core Binding Support Function, versions 23.4.0-23.4.3 | Oracle Communications Cloud Native Core Binding Support Function |
| Oracle Communications Cloud Native Core Console, versions 23.4.0, 23.4.1 | Oracle Communications Cloud Native Core Console |
| Oracle Communications Cloud Native Core Network Data Analytics Function, version 24.2.0 | Oracle Communications Cloud Native Core Network Data Analytics Function |
| Oracle Communications Cloud Native Core Network Exposure Function, version 23.4.3 | Oracle Communications Cloud Native Core Network Exposure Function |
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 23.4.0, 24.1.0 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment |
| Oracle Communications Cloud Native Core Network Repository Function, version 23.4.2 | Oracle Communications Cloud Native Core Network Repository Function |
| Oracle Communications Cloud Native Core Policy, versions 23.4.0-23.4.4 | Oracle Communications Cloud Native Core Policy |
| Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 23.4.0, 24.1.0 | Oracle Communications Cloud Native Core Security Edge Protection Proxy |
| Oracle Communications Cloud Native Core Service Communication Proxy, versions 23.4.0, 23.4.1, 23.4.2, 24.1.0 | Oracle Communications Cloud Native Core Service Communication Proxy |
| Oracle Communications Cloud Native Core Unified Data Repository, versions 23.4.1, 23.4.2 | Oracle Communications Cloud Native Core Unified Data Repository |
| Oracle Communications Converged Charging System, versions 2.0.0.0.0, 2.0.0.1.0 | Oracle Communications Converged Charging System |
| Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0 | Oracle Communications Convergent Charging Controller |
| Oracle Communications Diameter Signaling Router, versions 8.6.0.4-8.6.0.8 | Oracle Communications Diameter Signaling Router |
| Oracle Communications EAGLE Element Management System, versions 46.6.4, 46.6.5 | Oracle Communications EAGLE Element Management System |
| Oracle Communications Element Manager, versions 9.0.0-9.0.3 | Oracle Communications Element Manager |
| Oracle Communications Network Analytics Data Director, versions 23.4.0, 24.1.0 | Oracle Communications Network Analytics Data Director |
| Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0 | Oracle Communications Network Charging and Control |
| Oracle Communications Operations Monitor, versions 5.1, 5.2 | Oracle Communications Operations Monitor |
| Oracle Communications Performance Intelligence, versions 10.4.0.4.3 and prior | Oracle Communications Performance Intelligence Center (PIC) Software |
| Oracle Communications Policy Management, versions 12.6.1.0.0, 15.0.0.0.0 | Oracle Communications Policy Management |
| Oracle Communications Pricing Design Center, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0 | Oracle Communications Pricing Design Center |
| Oracle Communications Service Catalog and Design, versions 7.4.0-7.4.2, 8.0.0 | Oracle Communications Service Catalog and Design |
| Oracle Communications Session Border Controller, versions 4.1.0, 4.2.0, 9.2.0, 9.3.0 | Oracle Communications Session Border Controller |
| Oracle Communications Session Report Manager, versions 9.0.0-9.0.3 | Oracle Communications Session Report Manager |
| Oracle Communications Unified Assurance, versions 5.5.0-5.5.21, 6.0.0-6.0.4 | Oracle Communications Unified Assurance |
| Oracle Communications Unified Inventory Management, versions 7.4.1, 7.4.2 | Oracle Communications Unified Inventory Management |
| Oracle Communications User Data Repository, versions 12.11.0, 12.11.3, 12.11.4 | Oracle Communications User Data Repository |
| Oracle Data Integrator, version 12.2.1.4.0 | Fusion Middleware |
| Oracle Database Server, versions 19.3-19.23, 21.3-21.14, 23.4 | Database |
| Oracle Documaker, versions 12.6.4, 12.7.1 | Oracle Insurance Applications |
| Oracle E-Business Suite, versions 12.2.3-12.2.13 | Oracle E-Business Suite |
| Oracle Enterprise Data Quality, version 12.2.1.4.0 | Fusion Middleware |
| Oracle Enterprise Manager Base Platform, version 13.5.0.0 | Oracle Enterprise Manager |
| Oracle Essbase, version 21.5.6 | Database |
| Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7, 8.0.8, 8.1.1, 8.1.2 | Oracle Financial Services Analytical Applications Infrastructure |
| Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.7.3, 8.0.8.3 | Oracle Financial Services Basel Regulatory Capital Basic |
| Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.7.3, 8.0.8.3 | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach |
| Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.1.1, 8.1.2.6, 8.1.2.7 | Oracle Financial Services Behavior Detection Platform |
| Oracle Financial Services Compliance Studio, versions 8.1.2.6, 8.1.2.7 | Oracle Financial Services Compliance Studio |
| Oracle Financial Services Enterprise Case Management, versions 8.0.8.2.8, 8.1.1.1.18, 8.1.2.6.4, 8.1.2.7.3 | Oracle Financial Services Enterprise Case Management |
| Oracle Financial Services Model Management and Governance, versions 8.1.2.5, 8.1.2.6 | Oracle Financial Services Model Management and Governance |
| Oracle Financial Services Revenue Management and Billing, versions 6.0.0.0.0, 6.1.0.0.0 | Oracle Financial Services Revenue Management and Billing |
| Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8.0 | Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition |
| Oracle FLEXCUBE Investor Servicing, versions 14.5.0.0.0, 14.7.0.0.0 | Contact Support |
| Oracle FLEXCUBE Universal Banking, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | Contact Support |
| Oracle Fusion Middleware, version 12.2.1.4.0 | Fusion Middleware |
| Oracle Global Lifecycle Management NextGen OUI Framework, version 12.2.1.4.0 | Fusion Middleware |
| Oracle GoldenGate, versions 19.1.0.0.0-19.23.0.0.240716, 21.3-21.14 | Database |
| Oracle GoldenGate Big Data and Application Adapters, versions 19.1.0.0.0-19.1.0.0.18, 21.3-21.14.0.0.0 | Database |
| Oracle GoldenGate Studio, version 12.2.0.4.0 | Database |
| Oracle GraalVM Enterprise Edition, versions 20.3.14, 21.3.10 | Java SE |
| Oracle GraalVM for JDK, versions 17.0.11, 21.0.3, 22.0.1 | Java SE |
| Oracle Graph Server and Client, versions 22.4.7 and prior, 23.4.2 and prior, 24.1.0 and prior | Database |
| Oracle Healthcare Data Repository, versions 8.1.4, 8.2.0 | HealthCare Applications |
| Oracle Healthcare Foundation, versions 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4 | HealthCare Applications |
| Oracle Healthcare Master Person Index, versions 5.0.0-5.0.9 | HealthCare Applications |
| Oracle HTTP Server, version 12.2.1.4.0 | Fusion Middleware |
| Oracle Hyperion Data Relationship Management, version 11.2.17.0.0 | Oracle Enterprise Performance Management |
| Oracle Hyperion Financial Close Management, version 11.2.17.0.0 | Oracle Enterprise Performance Management |
| Oracle Hyperion Infrastructure Technology, version 11.2.17.0.0 | Oracle Enterprise Performance Management |
| Oracle Identity Manager, version 12.2.1.4.0 | Fusion Middleware |
| Oracle Insurance Policy Administration J2EE, versions 11.2.11, 11.3.0-11.3.2 | Oracle Insurance Applications |
| Oracle Java SE, versions 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1 | Java SE |
| Oracle JDeveloper, version 12.2.1.4.0 | Fusion Middleware |
| Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0 | Fusion Middleware |
| Oracle NoSQL Database, versions 1.4, 1.5, prior to 19.5.42, prior to 20.3.40, prior to 21.2.27, prior to 22.3.46, prior to 23.3.32 | NoSQL Database |
| Oracle Outside In Technology, version 8.5.7 | Fusion Middleware |
| Oracle Reports Developer, versions 12.2.1.4.0, 12.2.1.19.0 | Fusion Middleware |
| Oracle REST Data Services, versions prior to 23.3.1, prior to 24.1.0 | Database |
| Oracle Retail Assortment Planning, versions 15.0.3, 16.0.3 | Retail Applications |
| Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | Retail Applications |
| Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | Retail Applications |
| Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3 | Retail Applications |
| Oracle Retail Xstore Office, versions 19.0.5, 20.0.3, 20.0.4, 22.0.0, 23.0.1 | Retail Applications |
| Oracle Service Bus, version 12.2.1.4.0 | Fusion Middleware |
| Oracle Solaris, version 11 | Systems |
| Oracle TimesTen In-Memory Database, versions 22.1.1.1.0-22.1.1.24.0 | Database |
| Oracle Unified Directory, version 12.2.1.4.0 | Fusion Middleware |
| Oracle Utilities Application Framework, versions 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1-4.5.0.1.3, 24.1.0.0.0, 24.2.0.0.0 | Oracle Utilities Applications |
| Oracle VM VirtualBox, versions prior to 7.0.20 | Virtualization |
| Oracle WebCenter Content, version 12.2.1.4.0 | Fusion Middleware |
| Oracle WebCenter Portal, version 12.2.1.4.0 | Fusion Middleware |
| Oracle WebCenter Sites, version 12.2.1.4.0 | Fusion Middleware |
| Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware |
| Oracle ZFS Storage Appliance Kit, version 8.8 | Systems |
| PeopleSoft Enterprise HCM Human Resources, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise HCM Shared Components, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise PeopleTools, versions 8.59, 8.60, 8.61 | PeopleSoft |
| Primavera Gateway, versions 19.12.0-19.12.19, 20.12.0-20.12.14, 21.12.0-21.12.12 | Oracle Construction and Engineering Suite |
| Primavera Unifier, versions 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.13, 23.12.0-23.12.6 | Oracle Construction and Engineering Suite |
| Siebel Applications, versions 22.12 and prior, 23.12 and prior, 24.6 and prior | Siebel |

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE ID. A vulnerability that affects multiple products will appear with the same CVE ID in all risk matrices.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about conditions required to exploit the vulnerability and the potential impact of a successful exploit. Oracle provides this information so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
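
Because each risk matrix prints the eight CVSS base metrics in words beside the Base Score, a reader can recompute that score and see exactly which metric drives it. The following Python does so; it is an added illustration, not part of Oracle's advisory. It applies the equations and the Roundup function of the CVSS v3.1 specification to the metric words a row uses ("Network", "Unchanged", "Required", and so on). The rows embedded in it are copied from the Oracle Database Server risk matrix of this advisory; the metric weights are the specification's; the function and variable names are this example's own.

```python
"""CVSS v3.1 base score computed from the words in an Oracle risk-matrix row.

A Critical Patch Update risk matrix lists eight base metrics in words
(Attack Vector ... Availability) beside a Base Score. These functions apply
the CVSS v3.1 specification equations to those words, so a row can be
verified or re-scored after changing one assumption.
"""
import math
from typing import List, Tuple

# Metric weights from the CVSS v3.1 specification (section 7.4), keyed by
# the wording used in Oracle's risk matrices.
ATTACK_VECTOR = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.20}
ATTACK_COMPLEXITY = {"Low": 0.77, "High": 0.44}
USER_INTERACTION = {"None": 0.85, "Required": 0.62}
IMPACT = {"High": 0.56, "Low": 0.22, "None": 0.0}
# Privileges Required weighs more when Scope is Changed: (Unchanged, Changed).
PRIVILEGES_REQUIRED = {"None": (0.85, 0.85), "Low": (0.62, 0.68), "High": (0.27, 0.50)}
ABBREVIATION = {
    "Network": "N", "Adjacent": "A", "Local": "L", "Physical": "P",
    "High": "H", "Low": "L", "None": "N", "Required": "R",
    "Unchanged": "U", "Changed": "C",
}
METRIC_NAMES = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def roundup(value: float) -> float:
    """Roundup() from CVSS v3.1 appendix A: the smallest one-decimal number
    >= value, done in integer arithmetic so 4.02 -> 4.1 while 4.000001 stays 4.0."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def base_score(av: str, ac: str, pr: str, ui: str, scope: str,
               conf: str, integ: str, avail: str) -> float:
    """Base score for the eight metric words of one risk-matrix row."""
    changed = scope == "Changed"
    iss = 1 - (1 - IMPACT[conf]) * (1 - IMPACT[integ]) * (1 - IMPACT[avail])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = (8.22 * ATTACK_VECTOR[av] * ATTACK_COMPLEXITY[ac]
                      * PRIVILEGES_REQUIRED[pr][1 if changed else 0]
                      * USER_INTERACTION[ui])
    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def vector_string(av, ac, pr, ui, scope, conf, integ, avail) -> str:
    """CVSS v3.1 vector string for the same row, e.g. CVSS:3.1/AV:L/AC:L/..."""
    values = (av, ac, pr, ui, scope, conf, integ, avail)
    return "CVSS:3.1/" + "/".join(f"{n}:{ABBREVIATION[v]}" for n, v in zip(METRIC_NAMES, values))


# Rows of the Oracle Database Server risk matrix in this advisory:
# (CVE ID, published Base Score, AV, AC, PR, UI, Scope, C, I, A).
DATABASE_SERVER_ROWS: List[Tuple] = [
    ("CVE-2022-41881", 7.5, "Network", "Low", "None", "None", "Unchanged", "None", "None", "High"),
    ("CVE-2024-21184", 7.2, "Network", "Low", "High", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2024-21126", 5.8, "Network", "Low", "None", "None", "Changed", "None", "None", "Low"),
    ("CVE-2024-4603", 5.3, "Network", "Low", "None", "None", "Unchanged", "None", "None", "Low"),
    ("CVE-2024-21098", 4.3, "Network", "Low", "Low", "None", "Unchanged", "None", "None", "Low"),
    ("CVE-2024-0397", 4.3, "Network", "Low", "Low", "None", "Unchanged", "None", "None", "Low"),
    ("CVE-2024-21174", 3.1, "Network", "High", "Low", "None", "Unchanged", "None", "None", "Low"),
    ("CVE-2024-21123", 2.3, "Local", "Low", "High", "None", "Unchanged", "None", "Low", "None"),
]


def check_matrix(rows: List[Tuple]) -> List[str]:
    """CVE IDs whose published Base Score the equations do not reproduce."""
    return [cve for cve, published, *metrics in rows
            if not math.isclose(base_score(*metrics), published)]


if __name__ == "__main__":
    for cve, published, *metrics in DATABASE_SERVER_ROWS:
        print(f"{cve:15} {vector_string(*metrics)}  published {published}  "
              f"recomputed {base_score(*metrics)}")
    print("mismatches:", check_matrix(DATABASE_SERVER_ROWS) or "none")
```

Run stand-alone, it prints each row's vector string with the published and recomputed scores; `check_matrix` returns the CVE IDs the equations fail to reproduce, an empty list for this matrix. Because Privileges Required and Scope interact (the Changed weights in `PRIVILEGES_REQUIRED` and the 1.08 multiplier), re-scoring a row with one word altered is a quick way to see what a workaround such as withdrawing a privilege buys in CVSS terms, as a local estimate alongside Oracle's published score.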

Vulnerabilities in third party components that are not exploitable through their inclusion in Oracle products are listed below the respective Oracle product's risk matrix. Starting with the July 2023 Critical Patch Update, a VEX justification is also provided.

The protocol in the risk matrix implies that all of its secure variants are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy that further supplements the Lifetime Support Policy as explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • Antonin B of NATO Cyber Security Centre (NCSC): CVE-2024-21132
  • Boogipop: CVE-2024-21181, CVE-2024-21182
  • Derek Schrock: CVE-2024-21161
  • Ido Hershkovitz: CVE-2021-24112
  • J0hNs0N of Qianxin wuji Lab: CVE-2024-21182
  • ja00see: CVE-2024-21183
  • Jie Liang of WingTecher Lab of Tsinghua University: CVE-2024-21171, CVE-2024-21177
  • Jingzhou Fu of WingTecher Lab of Tsinghua University: CVE-2024-21171, CVE-2024-21177
  • Khang Phan of Viettel Cyber Security: CVE-2024-21141
  • L0ne1y: CVE-2024-21181, CVE-2024-21183
  • Louis Wolfers of synacktiv: CVE-2024-21136
  • Nguyen Quach Duy Anh: CVE-2024-21148
  • Quentin Roland of synacktiv: CVE-2024-21136
  • ruozhi: CVE-2024-21181
  • Sergey Bylokhov of Amazon: CVE-2024-21145
  • Stefano Brivio of Red Hat: CVE-2024-21161
  • Syed Faraz Abrar (Faith) of Zellic working with Trend Micro Zero Day Initiative: CVE-2024-21164
  • WHOAMI: CVE-2024-21181
  • Yakov Shafranovich of Amazon Web Services: CVE-2024-21144
  • yemoli: CVE-2024-21181, CVE-2024-21182
  • yulate: CVE-2024-21182
  • Zheyu Ma: CVE-2024-21164
  • Zhiyong Wu of WingTecher Lab of Tsinghua University: CVE-2024-21171, CVE-2024-21177

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program:

  • Emad Al-Mousa [2 reports]
  • Muhammet Ali of JUMPSEC
  • Sergey Bylokhov of Amazon
  • Zheyu Ma

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

  • Aayush Kumar Gupta
  • ahmad alassaf of Theviperxx Sy
  • Aviv Keller (RedYetiDev) [2 reports]
  • Behnam Abbasi Vanda
  • Cuong Luu of Cuonng Luu
  • ferreiraklet
  • Filip Nyquist of Outpost24
  • Hanno Böck
  • Hannu Forsten [6 reports]
  • Joern of visibleIT GmbH
  • Lorenzo
  • Lucio Sá (Wordfence)
  • Merlin Kling
  • Nilabh Rajpoot [2 reports]
  • Omkar Chavhan
  • Pavitra Jha
  • Pim Dieleman
  • Rohith Darla
  • Sec1 Core Security Team [2 reports]
  • Shivam Dhingra
  • Stux
  • Wilson Tan

Critical Patch Update Schedule

Critical Patch Updates are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 15 October 2024
  • 21 January 2025
  • 15 April 2025
  • 15 July 2025

Modification History

| Date | Note |
|---|---|
| 2024-September-18 | Rev 3. Updated the affected versions for Oracle Communications Performance Intelligence, Oracle Communications Cloud Native Core Security Edge Protection Proxy and Oracle Insurance Policy Administration J2EE |
| 2024-July-24 | Rev 2. Corrected additional CVE list and updated credit |
| 2024-July-16 | Rev 1. Initial Release |

Oracle Database Products Risk Matrices

This Critical Patch Update contains 15 new security patches for Oracle Database Products divided as follows:

  • 8 new security patches for Oracle Database Products
  • 1 new security patch for Oracle Application Express
  • No new security patches for Oracle Big Data Spatial and Graph, but third party patches are provided
  • 2 new security patches for Oracle Essbase
  • 1 new security patch for Oracle GoldenGate
  • No new security patches for Oracle Graph Server and Client, but third party patches are provided
  • 1 new security patch for Oracle NoSQL Database
  • 1 new security patch for Oracle REST Data Services
  • 1 new security patch for Oracle TimesTen In-Memory Database

Oracle Database Server Risk Matrix

This Critical Patch Update contains 8 new security patches, plus additional third party patches noted below, for Oracle Database Products.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  1 of these patches is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

The Base Score through Availability columns are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE ID | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-41881 | Fleet Patching and Provisioning (Netty) | None | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4 | |
| CVE-2024-21184 | Oracle Database RDBMS Security | Execute on SYS.XS_DIAG | Oracle Net | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 19.3-19.23 | |
| CVE-2024-21126 | Oracle Database Portable Clusterware | None | DNS | Yes | 5.8 | Network | Low | None | None | Changed | None | None | Low | 19.3-19.23, 21.3-21.14 | |
| CVE-2024-4603 | Oracle Database Core (OpenSSL) | None | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 23.4 | |
| CVE-2024-21098 | Multilingual Engine | Authenticated User | Oracle Net | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 21.3-21.14, 23.4 | |
| CVE-2024-0397 | OML4Py (Python) | Authenticated User | HTTPS | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 21.3-21.14, 23.4 | |
| CVE-2024-21174 | Java VM | Create Session, Create Procedure | Oracle Net | No | 3.1 | Network | High | Low | None | Unchanged | None | None | Low | 19.3-19.23, 21.3-21.14, 23.4 | |
| CVE-2024-21123 | Oracle Database Core | SYSDBA | Oracle Net | No | 2.3 | Local | Low | High | None | Unchanged | None | Low | None | 19.3-19.23 | |

Additional CVEs addressed are:

  • The patch for CVE-2022-41881 also addresses CVE-2022-41915.
  • The patch for CVE-2024-4603 also addresses CVE-2024-2511 and CVE-2024-4741.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Database Core (Intel(R) C++ Compiler Classic): CVE-2022-25987 [VEX Justification: vulnerable_code_not_present].
  • Oracle Database Core (Perl): CVE-2023-52425 and CVE-2023-52426 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  • Oracle Database Core (Zlib): CVE-2023-45853 and CVE-2022-37434 [VEX Justification: vulnerable_code_not_present].
  • Oracle Database Workload Manager (Jetty): CVE-2024-22201 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Spatial and Graph (curl): CVE-2024-0853 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
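
The bracketed VEX justification on each of these lines uses the label set shared by OpenVEX and the CISA VEX guidance: a status of not_affected together with one justification for it. The Python parser below, added here and not part of Oracle's advisory, turns such lines into one not_affected record per CVE, keeps the third-party library name apart from the Oracle component, and flags any justification label outside the known set so a typo or a new term is noticed rather than silently accepted. The sample lines are the five above; the function names, the VexStatement type and the placeholder product identifier in the OpenVEX-shaped output are this example's own.

```python
"""Parse the "non-exploitable CVE" lines of an Oracle Critical Patch Update
advisory into VEX statements.

Each line has the shape
    <component> (<third-party library>): CVE-..., CVE-... and CVE-... [VEX Justification: <label>].
The label is one of the "not_affected" justifications of OpenVEX / the CISA
VEX guidance, so every line yields one not_affected statement per CVE that an
SBOM or VEX consumer can match against its own component inventory.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Justification labels defined for status not_affected in OpenVEX and the
# CISA VEX guidance. Anything else on a line is reported, not accepted.
KNOWN_JUSTIFICATIONS: Set[str] = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
LINE_RE = re.compile(
    r"^\s*(?:[•*-]\s*)?"                       # optional list bullet
    r"(?P<component>.+?):\s+"                  # component, up to the first ': '
    r"(?P<cves>CVE-\d{4}-\d{4,}(?:(?:,|\s+and)\s+CVE-\d{4}-\d{4,})*)"
    r"\s*\[VEX Justification:\s*(?P<justification>[a-z_]+)\]\.?\s*$"
)
# "Oracle Database Core (Intel(R) C++ Compiler Classic)": the library keeps
# its inner parentheses, so the library group runs greedily to the final ')'.
LIBRARY_RE = re.compile(r"^(?P<component>.+?)\s*\((?P<library>.+)\)$")


@dataclass(frozen=True)
class VexStatement:
    cve: str
    component: str
    library: Optional[str]
    justification: str
    status: str = "not_affected"


def parse_line(line: str) -> List[VexStatement]:
    """Turn one advisory line into one statement per CVE it lists."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a VEX justification line: {line!r}")
    component, library = m.group("component"), None
    lib = LIBRARY_RE.match(component)
    if lib:
        component, library = lib.group("component"), lib.group("library")
    return [
        VexStatement(cve, component, library, m.group("justification"))
        for cve in CVE_RE.findall(m.group("cves"))
    ]


def parse_block(text: str) -> List[VexStatement]:
    """Parse every non-blank line of a pasted 'Additional patches' list."""
    statements: List[VexStatement] = []
    for line in text.splitlines():
        if line.strip():
            statements.extend(parse_line(line))
    return statements


def unknown_justifications(statements: List[VexStatement]) -> Set[str]:
    """Labels that are not valid not_affected justifications (typos, new terms)."""
    return {s.justification for s in statements} - KNOWN_JUSTIFICATIONS


def to_openvex_statements(statements: List[VexStatement]) -> List[Dict]:
    """Shape each record like an OpenVEX statement. The product "@id" here is a
    placeholder built from the component name; a consumer substitutes its own
    SBOM or purl identifier for the deployed component."""
    return [
        {
            "vulnerability": {"name": s.cve},
            "products": [{"@id": f"placeholder:{s.component}"}],
            "status": s.status,
            "justification": s.justification,
        }
        for s in statements
    ]


# Lines copied from the Oracle Database Server section of this advisory.
SAMPLE = """
  • Oracle Database Core (Intel(R) C++ Compiler Classic): CVE-2022-25987 [VEX Justification: vulnerable_code_not_present].
  • Oracle Database Core (Perl): CVE-2023-52425 and CVE-2023-52426 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  • Oracle Database Core (Zlib): CVE-2023-45853 and CVE-2022-37434 [VEX Justification: vulnerable_code_not_present].
  • Oracle Database Workload Manager (Jetty): CVE-2024-22201 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Spatial and Graph (curl): CVE-2024-0853 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
"""

if __name__ == "__main__":
    parsed = parse_block(SAMPLE)
    for s in parsed:
        print(f"{s.cve:15} {s.status:13} {s.justification:50} {s.component} / {s.library}")
    print("unknown labels:", unknown_justifications(parsed) or "none")
```

The five sample lines yield seven statements (the Perl and Zlib lines carry two CVEs each). `unknown_justifications` is the check worth keeping in a pipeline: a label outside the known set means the line should be read by a person rather than fed to tooling as a not_affected assertion.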

Oracle Database Server Client-Only Installations

  • The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2024-4603.


Oracle Application Express Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Application Express.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

The Base Score through Availability columns are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-29203 | Oracle Application Express | General (TinyMCE) | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | Low | None | None | 23.2 | |

Additional CVEs addressed are:

  • The patch for CVE-2024-29203 also addresses CVE-2024-29881.

Oracle Big Data Spatial and Graph Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle Big Data Spatial and Graph.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Big Data Spatial and Graph.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Big Data Spatial and Graph
    • Big Data Graph (Apache Tomcat): CVE-2024-23672 and CVE-2024-24549 [VEX Justification: vulnerable_code_not_in_execute_path].

Oracle Essbase Risk Matrix

This Critical Patch Update contains 2 new security patches, plus additional third party patches noted below, for Oracle Essbase.  Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

The Base Score through Availability columns are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-37536 | Oracle Essbase | Essbase Web Platform (Apache Xerces-C++) | None | No | 6.7 | Local | Low | High | None | Unchanged | High | High | High | 21.5.6 | |
| CVE-2024-26308 | Oracle Essbase | Essbase Web Platform (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 21.5.6 | |

Additional CVEs addressed are:

  • The patch for CVE-2024-26308 also addresses CVE-2024-25710.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Essbase
    • Essbase Web Platform (Apache Xalan-Java): CVE-2022-34169 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Essbase Web Platform (OpenSSL): CVE-2023-6129, CVE-2023-5678 and CVE-2024-0727 [VEX Justification: component_not_present].
    • Essbase Web Platform (curl): CVE-2024-0853 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle GoldenGate.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

The Base Score through Availability columns are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-48795 | Oracle GoldenGate | General (Apache Mina SSHD) | SSH | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 19.1.0.0.0-19.23.0.0.240716, 21.3-21.14 | |

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Management Pack for Oracle GoldenGate
    • Monitor - Java Agent (Spring Framework): CVE-2024-22243 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle GoldenGate Big Data and Application Adapters
    • General (Apache Xerces-C++): CVE-2024-23807 [VEX Justification: vulnerable_code_not_in_execute_path].
    • General (Spring Framework): CVE-2024-22262 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle GoldenGate Studio
    • Studio (Apache Derby): CVE-2022-46337 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Studio (Apache Xalan-Java): CVE-2022-34169 [VEX Justification: vulnerable_code_not_in_execute_path].

Oracle Graph Server and Client Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle Graph Server and Client.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for the Oracle Graph Server and Client.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Graph Server and Client
    • Install (Apache Commons Configuration): CVE-2024-29133 and CVE-2024-29131 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Install (Apache Tomcat): CVE-2024-23672 and CVE-2024-24549 [VEX Justification: vulnerable_code_not_in_execute_path].

Oracle NoSQL Database Risk Matrix

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle NoSQL Database.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 risk metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2023-48795 | Oracle NoSQL Database Administration (Apache Mina SSHD) | SSH | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | Prior to 19.5.42, Prior to 20.3.40, Prior to 21.2.27, Prior to 22.3.46, Prior to 23.3.32 |
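Each Risk Matrix row states a CVSS 3.1 base score next to the eight metric values it was derived from, so the score can be recomputed and cross-checked; a mismatch means a transcription error in the copy you are reading, or a score that no longer matches the metrics. The following is an added example, not Oracle's code: it implements the CVSS v3.1 base-score formula (including the Roundup rule and the Scope:Changed impact term), rebuilds the vector string from the matrix's column words, and compares the result with the stated score. It assumes rows are supplied one per line in a pipe-separated layout; the sample rows are copied from this advisory.

```python
"""Recompute CVSS v3.1 base scores from the Risk Matrix metric columns.

Added example, not Oracle's tooling. Rows are expected pipe-separated, one
per line (an assumption made for this example); sample rows below are
copied from this advisory.
"""
import math

# Metric weights from the CVSS v3.1 specification, section 7.4.
AV = {"Network": ("N", 0.85), "Adjacent": ("A", 0.62), "Local": ("L", 0.55), "Physical": ("P", 0.2)}
AC = {"Low": ("L", 0.77), "High": ("H", 0.44)}
PR_UNCHANGED = {"None": ("N", 0.85), "Low": ("L", 0.62), "High": ("H", 0.27)}
PR_CHANGED = {"None": ("N", 0.85), "Low": ("L", 0.68), "High": ("H", 0.50)}
UI = {"None": ("N", 0.85), "Required": ("R", 0.62)}
CIA = {"High": ("H", 0.56), "Low": ("L", 0.22), "None": ("N", 0.0)}


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup(): smallest one-decimal number >= value, done with the
    integer arithmetic from Appendix A so float noise cannot add a tenth."""
    as_int = round(value * 100000)
    if as_int % 10000 == 0:
        return as_int / 100000.0
    return (math.floor(as_int / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, conf, integ, avail):
    """Return (vector_string, base_score) from the matrix's column words."""
    changed = scope.replace("-", "").strip().lower() == "changed"  # accepts "Un-changed"
    pr_table = PR_CHANGED if changed else PR_UNCHANGED  # PR weights differ when scope changes
    av_s, av_w = AV[av]
    ac_s, ac_w = AC[ac]
    pr_s, pr_w = pr_table[pr]
    ui_s, ui_w = UI[ui]
    c_s, c_w = CIA[conf]
    i_s, i_w = CIA[integ]
    a_s, a_w = CIA[avail]

    iss = 1 - (1 - c_w) * (1 - i_w) * (1 - a_w)
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * av_w * ac_w * pr_w * ui_w

    if impact <= 0:
        score = 0.0
    elif changed:
        score = roundup(min(1.08 * (impact + exploitability), 10))
    else:
        score = roundup(min(impact + exploitability, 10))

    vector = (f"CVSS:3.1/AV:{av_s}/AC:{ac_s}/PR:{pr_s}/UI:{ui_s}"
              f"/S:{'C' if changed else 'U'}/C:{c_s}/I:{i_s}/A:{a_s}")
    return vector, score


def check_row(row: str) -> dict:
    """Parse one pipe-separated matrix row and compare its stated score with
    the score recomputed from its metrics."""
    cols = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cols) < 14:
        raise ValueError(f"expected at least 14 columns, got {len(cols)}: {row!r}")
    cve, _product, _protocol, _remote, stated = cols[:5]
    vector, computed = base_score(*cols[5:13])
    return {"cve": cve, "vector": vector, "stated": float(stated),
            "computed": computed, "ok": float(stated) == computed}


# Constructed sample: four rows copied from this advisory, including two with
# Scope:Changed, which uses the other impact formula and PR weights.
SAMPLE_ROWS = [
    "CVE-2023-48795 | Oracle NoSQL Database Administration (Apache Mina SSHD) | SSH | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | Prior to 19.5.42, Prior to 20.3.40, Prior to 21.2.27, Prior to 22.3.46, Prior to 23.3.32 |",
    "CVE-2024-22262 | Oracle Commerce Platform Platform (Spring Framework) | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 11.3.0, 11.3.1, 11.3.2 |",
    "CVE-2021-29489 | Oracle Communications Unified Assurance Core (Highcharts JS) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.5.0-5.5.21, 6.0.0-6.0.4 |",
    "CVE-2024-21148 | Oracle Applications Framework Personalization | HTTP | No | 4.8 | Network | Low | High | Required | Changed | Low | Low | None | 12.2.3-12.2.13 |",
]


def check_rows(rows=SAMPLE_ROWS) -> list[dict]:
    return [check_row(r) for r in rows]


if __name__ == "__main__":
    for result in check_rows():
        flag = "ok" if result["ok"] else "MISMATCH"
        print(f"{result['cve']} {result['vector']} stated={result['stated']} "
              f"computed={result['computed']} {flag}")
```

The vector string is the part worth keeping: it is what a scanner or ticketing system needs to apply environmental modifiers, whereas the bare base score in the matrix cannot be adjusted for your own exposure.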

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle NoSQL Database
    • Administration (Apache Commons Compress): CVE-2024-26308 and CVE-2024-25710 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Administration (Apache Hadoop): CVE-2023-26031 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Administration (Netty): CVE-2023-44487 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle REST Data Services Risk Matrix

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle REST Data Services.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 risk metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2023-4043 | Oracle REST Data Services ORDS (Eclipse Parsson) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Prior to 23.3.1 |

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle REST Data Services
    • ORDS (Eclipse Jetty): CVE-2024-22201 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle TimesTen In-Memory Database Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle TimesTen In-Memory Database.  This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 risk metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-29025 | Oracle TimesTen In-Memory Database TimesTen Install (Netty) | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 22.1.1.1.0-22.1.1.24.0 |

 

Oracle Commerce Risk Matrix

This Critical Patch Update contains 7 new security patches, plus additional third party patches noted below, for Oracle Commerce.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 risk metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-22262 | Oracle Commerce Guided Search Content Acquisition System, Workbench (Spring Framework) | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 11.3.2 |
CVE-2024-22262 | Oracle Commerce Platform Platform (Spring Framework) | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 11.3.0, 11.3.1, 11.3.2 |
CVE-2023-24998 | Oracle Commerce Guided Search Workbench (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3.2 |
CVE-2022-34169 | Oracle Commerce Guided Search Workbench, Content Acquisition System, Platform Services (Apache Xalan-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.3.2 |
CVE-2024-24549 | Oracle Commerce Guided Search Workbench, Platform Services, Content Acquisition System (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3.2 |
CVE-2024-28752 | Oracle Commerce Platform Endeca Integration (Apache CXF) | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 11.3.0, 11.3.1, 11.3.2 |
CVE-2024-29025 | Oracle Commerce Guided Search Workbench (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.3.2 |

Additional CVEs addressed are:

  • The patch for CVE-2024-22262 also addresses CVE-2024-22243 and CVE-2024-22259.
  • The patch for CVE-2024-24549 also addresses CVE-2024-23672.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Commerce Guided Search
    • Workbench (Quartz): CVE-2019-13990 [VEX Justification: vulnerable_code_not_present].

 

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 20 new security patches, plus additional third party patches noted below, for Oracle Communications Applications.  14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 risk metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2022-34381 | Oracle Communications Billing and Revenue Management Platform (BSAFE Crypto-J) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0 |
CVE-2024-22257 | Oracle Communications Unified Inventory Management Security (Spring Security) | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | High | Low | None | 7.4.1, 7.4.2 |
CVE-2024-23807 | Oracle Communications ASAP Security (Apache Xerces-C++) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 7.4 |
CVE-2024-23807 | Oracle Communications Billing and Revenue Management Platform (Apache Xerces-C++) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0 |
CVE-2024-22262 | Oracle Communications BRM - Elastic Charging Engine Orchestration (Spring Framework) | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 12.0.0.4-12.0.0.8, 15.0.0.0 |
CVE-2023-44487 | Oracle Communications Converged Charging System Installation (Nghttp2) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 2.0.0.0.0, 2.0.0.1.0 |
CVE-2024-27316 | Oracle Communications Unified Assurance Core (Apache HTTP Server) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.5.0-5.5.21, 6.0.0-6.0.4 |
CVE-2021-37533 | Oracle Communications Billing and Revenue Management JCA Adaptor (Apache Commons Net) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 12.0.0.4.0-12.0.0.8.0 |
CVE-2023-46218 | Oracle Communications Converged Charging System Installation (curl) | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 2.0.0.0.0, 2.0.0.1.0 |
CVE-2023-5981 | Oracle Communications Converged Charging System Installation (GnuTLS) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 2.0.0.0.0, 2.0.0.1.0 |
CVE-2023-48795 | Oracle Communications Converged Charging System Installation (libssh) | SSH | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 2.0.0.0.0, 2.0.0.1.0 |
CVE-2023-29081 | Oracle Communications ASAP Installation (InstallShield) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 7.4 |
CVE-2024-0232 | Oracle Communications Convergent Charging Controller Common fns (SQLite) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0 |
CVE-2024-0232 | Oracle Communications Network Charging and Control Common fns (SQLite) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0 |
CVE-2021-29489 | Oracle Communications Unified Assurance Core (Highcharts JS) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.5.0-5.5.21, 6.0.0-6.0.4 |
CVE-2024-29025 | Oracle Communications Converged Charging System Installation (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 2.0.0.0.0, 2.0.0.1.0 |
CVE-2020-13956 | Oracle Communications Service Catalog and Design Platform (Apache HttpClient) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 7.4.0-7.4.2, 8.0.0 |
CVE-2024-29025 | Oracle Communications Service Catalog and Design Solution Designer Platform (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 8.0.0 |
CVE-2023-35116 | Oracle Communications Pricing Design Center REST Services Manager (jackson-databind) | None | No | 4.7 | Local | High | Low | None | Unchanged | None | None | High | 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0 |
CVE-2024-29133 | Oracle Communications BRM - Elastic Charging Engine Security (Apache Commons Configuration) | None | No | 4.4 | Local | Low | Low | None | Unchanged | None | Low | Low | 12.0.0.4-12.0.0.8, 15.0.0.0 |

Additional CVEs addressed are:

  • The patch for CVE-2023-46218 also addresses CVE-2023-46219.
  • The patch for CVE-2023-48795 also addresses CVE-2023-6004 and CVE-2023-6918.
  • The patch for CVE-2024-27316 also addresses CVE-2023-38709 and CVE-2024-24795.
  • The patch for CVE-2024-29133 also addresses CVE-2024-29131.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Communications Service Catalog and Design
    • Platform (Apache Axis): CVE-2023-40743 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Communications Risk Matrix

This Critical Patch Update contains 95 new security patches, plus additional third party patches noted below, for Oracle Communications.  84 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 risk metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-23897 | Oracle Communications Cloud Native Core Automated Test Suite Automated Test Suite Framework (Jenkins) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.1.0 |
CVE-2023-37920 | Oracle Communications Cloud Native Core Binding Support Function Install (Certifi) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.4.0-23.4.3 |
CVE-2024-23897 | Oracle Communications Cloud Native Core Binding Support Function Install (Jenkins) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.4.0-23.4.3 |
CVE-2022-48174 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment OSO (BusyBox) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.4.0, 24.1.0 |
CVE-2023-37920 | Oracle Communications Cloud Native Core Network Repository Function Install (Certifi) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.4.2 |
CVE-2024-23897 | Oracle Communications Cloud Native Core Network Repository Function Install (Jenkins) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.4.2 |
CVE-2023-37920 | Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (Certifi) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.4.0-23.4.4 |
CVE-2024-23897 | Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (Jenkins) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.4.0-23.4.4 |
CVE-2024-23897 | Oracle Communications Cloud Native Core Security Edge Protection Proxy Automated Test Suite Framework (Jenkins) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.4.0 |
CVE-2023-37920 | Oracle Communications Cloud Native Core Security Edge Protection Proxy Configuration (Certifi) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.4.0 |
CVE-2023-37920 | Oracle Communications Cloud Native Core Service Communication Proxy Install (Certifi) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.4.0, 24.1.0 |
CVE-2023-37920 | Oracle Communications Operations Monitor Mediation Engine (Certifi) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 5.1, 5.2 |
CVE-2024-2961 | Oracle Communications Cloud Native Core Unified Data Repository Signaling (glibc) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 23.4.1 |
CVE-2024-22257 | Oracle Communications Cloud Native Core Network Repository Function Install (Spring Security) | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | High | Low | None | 23.4.2 |
CVE-2024-22262 | Oracle Communications Cloud Native Core Binding Support Function Install (Spring Framework) | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 23.4.0-23.4.3 |
CVE-2024-22262 | Oracle Communications Cloud Native Core Network Data Analytics Function Automated Test Suite (Spring Framework) | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 24.2.0 |
CVE-2024-22262 | Oracle Communications Cloud Native Core Network Exposure Function Signaling (Spring Framework) | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 23.4.3 |
CVE-2024-22262 | Oracle Communications Cloud Native Core Network Repository Function Install (Spring Framework) | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 23.4.2 |
CVE-2024-22262 | Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (Spring Framework) | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 23.4.0-23.4.4 |
CVE-2024-22262 | Oracle Communications Cloud Native Core Security Edge Protection Proxy Signaling (Spring Framework) | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 23.4.0 |
CVE-2024-22262 | Oracle Communications Cloud Native Core Service Communication Proxy Install (Spring Framework) | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 23.4.2 |
CVE-2024-23807 | Oracle Communications Diameter Signaling Router Patches (Apache Xerces-C++) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.6.0.4-8.6.0.8 |
CVE-2024-22262 | Oracle Communications EAGLE Element Management System Security (Spring Framework) | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 46.6.4, 46.6.5 |
CVE-2024-23807 | Oracle Communications User Data Repository Security (Apache Xerces-C++) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.11.3, 12.11.4 |
CVE-2023-52425 | Oracle Communications Cloud Native Core Automated Test Suite Automated Test Suite Framework (LibExpat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0 |
CVE-2023-51775 | Oracle Communications Cloud Native Core Automated Test Suite Automated Test Suite Framework (jose4j) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.1.0 |
CVE-2023-52425 | Oracle Communications Cloud Native Core Binding Support Function Install (LibExpat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0-23.4.3 |
CVE-2024-6162 | Oracle Communications Cloud Native Core Binding Support Function Install (Undertow) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0-23.4.3 |
CVE-2023-5685 | Oracle Communications Cloud Native Core Binding Support Function Install (XNIO) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0-23.4.3 |
CVE-2024-25062 | Oracle Communications Cloud Native Core Binding Support Function Install (libxml2) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0-23.4.3 |
CVE-2024-27316 | Oracle Communications Cloud Native Core Network Data Analytics Function Automated Test Suite (Apache HTTP Server) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0 |
CVE-2024-24549 | Oracle Communications Cloud Native Core Network Data Analytics Function Automated Test Suite (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0 |
CVE-2024-34069 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment Install (Werkzeug) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 23.4.0, 24.1.0 |
CVE-2024-26130 | Oracle Communications Cloud Native Core Network Repository Function Install (Cryptography) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.2 |
CVE-2023-51775 | Oracle Communications Cloud Native Core Network Repository Function Install (jose4j) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.2 |
CVE-2024-22201 | Oracle Communications Cloud Native Core Network Repository Function Install (Eclipse Jetty) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.2 |
CVE-2023-46589 | Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 23.4.0-23.4.4 |
CVE-2024-26130 | Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (Cryptography) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0-23.4.4 |
CVE-2023-52425 | Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (LibExpat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0-23.4.4 |
CVE-2024-25062 | Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (libxml2) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0-23.4.4 |
CVE-2024-6162 | Oracle Communications Cloud Native Core Policy Install (Undertow) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0-23.4.4 |
CVE-2023-5685 | Oracle Communications Cloud Native Core Policy Install (XNIO) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0-23.4.4 |
CVE-2024-26130 | Oracle Communications Cloud Native Core Security Edge Protection Proxy Automated Test Suite (Cryptography) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0 |
CVE-2023-52425 | Oracle Communications Cloud Native Core Security Edge Protection Proxy Oracle Linux (LibExpat) | TCP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0, 24.1.0 |
CVE-2024-26130 | Oracle Communications Cloud Native Core Service Communication Proxy Install (Cryptography) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0, 24.1.0 |
CVE-2023-52425 | Oracle Communications Cloud Native Core Service Communication Proxy Install (LibExpat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0, 24.1.0 |
CVE-2023-51775 | Oracle Communications Cloud Native Core Service Communication Proxy Install (jose4j) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.1 |
CVE-2024-22201 | Oracle Communications Cloud Native Core Service Communication Proxy Install (Eclipse Jetty) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.2 |
CVE-2024-23672 | Oracle Communications Diameter Signaling Router Patches (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.6.0.4-8.6.0.6 |
CVE-2022-42890 | Oracle Communications EAGLE Element Management System Security (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 46.6.4, 46.6.5 |
CVE-2023-24998 | Oracle Communications EAGLE Element Management System Security (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 46.6.4, 46.6.5 |
CVE-2024-24549 | Oracle Communications EAGLE Element Management System Security (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 46.6.4, 46.6.5 |
CVE-2022-34169 | Oracle Communications EAGLE Element Management System Security (Apache Xalan-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 46.6.4, 46.6.5 |
CVE-2024-22201 | Oracle Communications EAGLE Element Management System Security (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 46.6.4, 46.6.5 |
CVE-2023-51775 | Oracle Communications EAGLE Element Management System Security (jose4j) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 46.6.4, 46.6.5 |
CVE-2024-26130 | Oracle Communications Network Analytics Data Director Install (Cryptography) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0, 24.1.0 |
CVE-2023-51775 | Oracle Communications Network Analytics Data Director Install (jose4j) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0, 24.1.0 |
CVE-2023-52425 | Oracle Communications Network Analytics Data Director Platform (LibExpat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.4.0, 24.1.0 |
CVE-2024-26130 | Oracle Communications Operations Monitor Mediation Engine (Cryptography) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.1, 5.2 |
CVE-2023-44487 | Oracle Communications Performance Intelligence Management (Nghttp2) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 10.4.0.4.3 and prior |
CVE-2022-34169 | Oracle Communications Policy Management CMP (Apache Xalan-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 12.6.1.0.0, 15.0.0.0.0 |
CVE-2023-44487 | Oracle Communications Session Border Controller Routing (Nghttp2) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 4.1.0, 4.2.0, 9.2.0, 9.3.0 |
CVE-2024-22019 | Oracle Communications User Data Repository Platform (Node.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.11.0 |
CVE-2024-24549 | Oracle Communications User Data Repository Security (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.11.3 |
CVE-2024-28752 | Oracle Communications Cloud Native Core Unified Data Repository Install (Apache CXF) | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 23.4.1 |
CVE-2024-28752 | Oracle Communications Element Manager Security (Apache CXF) | SOAP | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 9.0.0-9.0.3 |
CVE-2024-28752 | Oracle Communications Session Report Manager General (Apache CXF) | SOAP | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 9.0.0-9.0.3 |
CVE-2019-10086 | Oracle Communications EAGLE Element Management System Security (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 46.6.4, 46.6.5 |
CVE-2024-22234 | Oracle Communications Cloud Native Core Policy Install (Spring Security) | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 23.4.0-23.4.4 |
CVE-2021-37533 | Oracle Communications EAGLE Element Management System Security (Apache Commons Net) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 46.6.4, 46.6.5 |
CVE-2024-28849 | Oracle Communications Network Analytics Data Director Configuration (follow-redirects) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 23.4.0, 24.1.0 |
CVE-2024-0450 | Oracle Communications Cloud Native Core Automated Test Suite Automated Test Suite Framework (Python) | None | No | 6.2 | Local | Low | None | None | Unchanged | None | None | High | 23.1.0 |
CVE-2024-0450 | Oracle Communications Network Analytics Data Director Install (Python) | None | No | 6.2 | Local | Low | None | None | Unchanged | None | None | High | 23.4.0, 24.1.0 |
CVE-2021-41184 | Oracle Communications EAGLE Element Management System Security (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 46.6.4, 46.6.5 |
CVE-2022-36033 | Oracle Communications EAGLE Element Management System Security (jsoup) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 46.6.4, 46.6.5 |
CVE-2023-48795 | Oracle Communications Cloud Native Core Binding Support Function Install/Upgrade (Apache Mina SSHD) | SSH | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 23.4.0-23.4.3 |
CVE-2024-26308 | Oracle Communications Cloud Native Core Network Exposure Function Install (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 23.4.3 |
CVE-2024-26308 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment Configuration (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 23.4.0, 24.1.0 |
CVE-2024-26308 | Oracle Communications Cloud Native Core Network Repository Function Install (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 23.4.2 |
CVE-2024-26308 | Oracle Communications Cloud Native Core Policy Install (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 23.4.0 |
CVE-2024-26308 | Oracle Communications Cloud Native Core Security Edge Protection Proxy Signaling (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 23.4.0 |
CVE-2024-26308 | Oracle Communications Cloud Native Core Service Communication Proxy Install (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 23.4.2 |
CVE-2024-25710 | Oracle Communications Cloud Native Core Unified Data Repository Signaling (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 23.4.1 |
CVE-2024-34064 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment Install (Jinja2) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 23.4.0, 24.1.0 |
CVE-2024-29025 | Oracle Communications Cloud Native Core Binding Support Function Install (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 23.4.0-23.4.3 |
CVE-2024-29025 | Oracle Communications Cloud Native Core Console Configuration (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 23.4.1 |
CVE-2024-29025 | Oracle Communications Cloud Native Core Network Exposure Function Platform (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 23.4.3 |
CVE-2024-29025 | Oracle Communications Cloud Native Core Network Repository Function Install (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 23.4.2 |
CVE-2024-29025 | Oracle Communications Cloud Native Core Policy Install (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 23.4.0-23.4.4 |
CVE-2024-29025 | Oracle Communications Cloud Native Core Security Edge Protection Proxy Signaling (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 23.4.0 |
CVE-2024-29025 | Oracle Communications Cloud Native Core Service Communication Proxy Install (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 23.4.0, 24.1.0 |
CVE-2024-28182 | Oracle Communications Cloud Native Core Unified Data Repository Install (Nghttp2) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 23.4.2 |
CVE-2023-33201 | Oracle Communications EAGLE Element Management System Security (Bouncy Castle Java Library) | HTTPS | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 46.6.4, 46.6.5 |
CVE-2024-29025 | Oracle Communications Network Analytics Data Director Install (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 23.4.0, 24.1.0 |
CVE-2021-29425 | Oracle Communications EAGLE Element Management System Security (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 46.6.4, 46.6.5 |

Additional CVEs addressed are:

  • The patch for CVE-2021-41184 also addresses CVE-2021-41182 and CVE-2021-41183.
  • The patch for CVE-2022-42890 also addresses CVE-2020-11987, CVE-2022-38398, CVE-2022-38648, CVE-2022-40146, and CVE-2022-41704.
  • The patch for CVE-2023-44487 also addresses CVE-2024-28182.
  • The patch for CVE-2023-52425 also addresses CVE-2023-52426.
  • The patch for CVE-2024-0450 also addresses CVE-2023-6597.
  • The patch for CVE-2024-22019 also addresses CVE-2024-21892 and CVE-2024-22025.
  • The patch for CVE-2024-22262 also addresses CVE-2024-22243 and CVE-2024-22259.
  • The patch for CVE-2024-23672 also addresses CVE-2024-24549.
  • The patch for CVE-2024-23897 also addresses CVE-2024-23898.
  • The patch for CVE-2024-24549 also addresses CVE-2024-23672.
  • The patch for CVE-2024-26308 also addresses CVE-2024-25710.
  • The patch for CVE-2024-27316 also addresses CVE-2023-38709 and CVE-2024-24795.
  • The patch for CVE-2024-28849 also addresses CVE-2024-29041.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Communications Cloud Native Core Console
    • Configuration (Spring Framework): CVE-2024-22262 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Configuration (jose4j): CVE-2023-51775 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Configuration (libxml2): CVE-2024-25062 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  • Oracle Communications Cloud Native Core Policy
    • Install (jose4j): CVE-2023-51775 [VEX Justification: vulnerable_code_not_present].
  • Oracle Communications Cloud Native Core Service Communication Proxy
    • Install (Apache Kafka): CVE-2023-34040 [VEX Justification: inline_mitigations_already_exist].

 

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Construction and Engineering.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 risk metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-22262 | Primavera Gateway Admin (Spring Framework) | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 19.12.0-19.12.19, 20.12.0-20.12.14, 21.12.0-21.12.12 |
CVE-2024-21742 | Primavera Unifier Integration (Apache James MIME4J) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.13, 23.12.0-23.12.6 |
CVE-2024-22262 | Primavera Unifier Document Management (Spring Framework) | HTTP | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | Low | None | 22.12.0-22.12.13, 23.12.0-23.12.6 |
CVE-2024-23944 | Primavera Unifier Document Management (Apache ZooKeeper) | HTTP | No | 3.1 | Network | High | Low | None | Unchanged | Low | None | None | 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.13, 23.12.0-23.12.6 |

 

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 10 new security patches for Oracle E-Business Suite.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2024 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2024), My Oracle Support Note 2484000.1.

Columns: CVE ID, Product, Component, Protocol, Remote Exploit without Auth.?, CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) as Base Score / Attack Vector / Attack Complexity / Privileges Required / User Interaction / Scope / Confidentiality / Integrity / Availability, Supported Versions Affected, Notes
CVE-2024-21149 Oracle Enterprise Asset Management Work Definition Issues HTTP No 8.1 Network Low Low None Unchanged High High None 12.2.11-12.2.13
CVE-2024-21152 Oracle Process Manufacturing Financials Allocation Rules HTTP No 8.1 Network Low Low None Unchanged High High None 12.2.12-12.2.13
CVE-2024-21153 Oracle Process Manufacturing Product Development Quality Management Specs HTTP No 8.1 Network Low Low None Unchanged High High None 12.2.13
CVE-2024-21146 Oracle Trade Management GL Accounts HTTP No 8.1 Network Low Low None Unchanged High High None 12.2.3-12.2.13
CVE-2024-21167 Oracle Trading Community Party Search UI HTTP No 8.1 Network Low Low None Unchanged High High None 12.2.3-12.2.13
CVE-2024-21169 Oracle Marketing Partners HTTP Yes 6.5 Network Low None None Unchanged Low Low None 12.2.3-12.2.13
CVE-2024-21128 Oracle Application Object Library APIs HTTP No 5.4 Network Low Low Required Changed Low Low None 12.2.6-12.2.13
CVE-2024-21132 Oracle Purchasing Approvals HTTP No 5.4 Network Low Low Required Changed Low Low None 12.2.3-12.2.13
CVE-2024-21143 Oracle iStore User Management HTTP Yes 5.3 Network Low None None Unchanged Low None None 12.2.3-12.2.13
CVE-2024-21148 Oracle Applications Framework Personalization HTTP No 4.8 Network Low High Required Changed Low Low None 12.2.3-12.2.13

 

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Enterprise Manager.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2024 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2024 Patch Availability Document for Oracle Products, My Oracle Support Note 3027815.1.

Columns: CVE ID, Product, Component, Protocol, Remote Exploit without Auth.?, CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) as Base Score / Attack Vector / Attack Complexity / Privileges Required / User Interaction / Scope / Confidentiality / Integrity / Availability, Supported Versions Affected, Notes
CVE-2023-1370 Oracle Enterprise Manager Base Platform Install (json-smart) HTTP Yes 7.5 Network Low None None Unchanged None None High 13.5.0.0
CVE-2021-37533 Oracle Enterprise Manager Base Platform Install (Apache Commons Net) HTTP Yes 6.5 Network Low None Required Unchanged High None None 13.5.0.0
CVE-2023-48795 Oracle Application Testing Suite Install (Apache Mina SSHD) SSH Yes 5.9 Network High None None Unchanged None High None 13.3.0.1
CVE-2023-48795 Oracle Enterprise Manager Base Platform Agent Next Gen (Apache Mina SSHD) SSH Yes 5.9 Network High None None Unchanged None High None 13.5.0.0
CVE-2023-40167 Oracle Enterprise Manager Base Platform Agent Next Gen (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Unchanged None Low None 13.5.0.0

Additional CVEs addressed are:

  • The patch for CVE-2023-40167 also addresses CVE-2023-36479 and CVE-2023-41900.

 

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 60 new security patches for Oracle Financial Services Applications.  44 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns: CVE ID, Product, Component, Protocol, Remote Exploit without Auth.?, CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) as Base Score / Attack Vector / Attack Complexity / Privileges Required / User Interaction / Scope / Confidentiality / Integrity / Availability, Supported Versions Affected, Notes
CVE-2023-47248 Oracle Financial Services Model Management and Governance Installer (PyArrow) HTTP Yes 9.8 Network Low None None Unchanged High High High 8.1.2.5, 8.1.2.6
CVE-2022-36944 Oracle Financial Services Model Management and Governance Installer (Scala) HTTP Yes 9.8 Network Low None None Unchanged High High High 8.1.2.5, 8.1.2.6
CVE-2024-32114 Oracle Financial Services Analytical Applications Infrastructure Infrastructure (Apache ActiveMQ) HTTP Yes 8.5 Adjacent Network Low None Required Changed High None High 8.1.1, 8.1.2
CVE-2023-50447 Oracle Banking Branch Reports (Pillow) HTTP Yes 8.1 Network High None None Unchanged High High High 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-22262 Oracle Banking Branch Reports (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2023-50447 Oracle Banking Cash Management Accessibility (Pillow) HTTP Yes 8.1 Network High None None Unchanged High High High 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-22262 Oracle Banking Cash Management Accessibility (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2023-50447 Oracle Banking Corporate Lending Process Management Base (Pillow) HTTP Yes 8.1 Network High None None Unchanged High High High 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-22262 Oracle Banking Corporate Lending Process Management Base (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2023-50447 Oracle Banking Credit Facilities Process Management Common (Pillow) HTTP Yes 8.1 Network High None None Unchanged High High High 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-22262 Oracle Banking Credit Facilities Process Management Common (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-22262 Oracle Banking Liquidity Management Common (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2023-50447 Oracle Banking Origination Basic Config/Maintenances (Pillow) HTTP Yes 8.1 Network High None None Unchanged High High High 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-22262 Oracle Banking Origination Basic Config/Maintenances (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-22262 Oracle Banking Virtual Account Management Common (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-23807 Oracle Financial Services Analytical Applications Infrastructure Infrastructure (Apache Xerces-C++) HTTP Yes 8.1 Network High None None Unchanged High High High 8.1.1, 8.1.2
CVE-2024-22262 Oracle Financial Services Analytical Applications Infrastructure Infrastructure (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 8.0.7, 8.0.8, 8.1.1, 8.1.2
CVE-2024-23807 Oracle Financial Services Basel Regulatory Capital Basic Platform (Apache Xerces-C++) HTTP Yes 8.1 Network High None None Unchanged High High High 8.0.7.3, 8.0.8.3
CVE-2024-23807 Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach Platform (Apache Xerces-C++) HTTP Yes 8.1 Network High None None Unchanged High High High 8.0.7.3, 8.0.8.3
CVE-2024-23807 Oracle Financial Services Behavior Detection Platform Platform (Apache Xerces-C++) HTTP Yes 8.1 Network High None None Unchanged High High High 8.0.8.1, 8.1.1.1, 8.1.2.6, 8.1.2.7
CVE-2024-22262 Oracle Financial Services Behavior Detection Platform Platform (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 8.0.8.1, 8.1.1.1, 8.1.2.6, 8.1.2.7
CVE-2024-22262 Oracle Financial Services Compliance Studio Reports (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 8.1.2.6, 8.1.2.7
CVE-2024-22262 Oracle Financial Services Enterprise Case Management Installer (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 8.0.8.2.8, 8.1.1.1.18, 8.1.2.6.4, 8.1.2.7.3
CVE-2024-22262 Oracle Financial Services Model Management and Governance Installer (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 8.1.2.5, 8.1.2.6
CVE-2024-23807 Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition Platform (Apache Xerces-C++) HTTP Yes 8.1 Network High None None Unchanged High High High 8.0.8.0
CVE-2024-22262 Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition Platform (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 8.0.8.0
CVE-2024-22262 Oracle FLEXCUBE Universal Banking Infrastructure (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-25062 Oracle Banking Virtual Account Management Common (libxml2) HTTP Yes 7.5 Network Low None None Unchanged None None High 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-2511 Oracle Banking Virtual Account Management Common (OpenSSL) TLS Yes 7.5 Network Low None None Unchanged None None High 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2023-52425 Oracle Financial Services Behavior Detection Platform Platform (LibExpat) HTTP Yes 7.5 Network Low None None Unchanged None None High 8.0.8.1, 8.1.1.1, 8.1.2.6, 8.1.2.7
CVE-2024-22201 Oracle Financial Services Compliance Studio Reports (Eclipse Jetty) HTTP/2 Yes 7.5 Network Low None None Unchanged None None High 8.1.2.6, 8.1.2.7
CVE-2023-26031 Oracle Financial Services Model Management and Governance Installer (Apache Hadoop) HTTP No 7.5 Network High Low None Unchanged High High High 8.1.2.5, 8.1.2.6
CVE-2024-24549 Oracle Financial Services Model Management and Governance Installer (Apache Tomcat) HTTP Yes 7.5 Network Low None None Unchanged None None High 8.1.2.5, 8.1.2.6
CVE-2023-52425 Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition Platform (LibExpat) HTTP Yes 7.5 Network Low None None Unchanged None None High 8.0.8.0
CVE-2023-6129 Oracle Banking Branch Reports (OpenSSL) TLS Yes 6.5 Network High None None Unchanged None Low High 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2023-6129 Oracle Banking Liquidity Management Common (OpenSSL) TLS Yes 6.5 Network High None None Unchanged None Low High 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2023-44483 Oracle Financial Services Model Management and Governance Installer (Apache Santuario XML Security For Java) HTTP No 6.5 Network Low Low None Unchanged High None None 8.1.2.5, 8.1.2.6
CVE-2023-34055 Oracle Financial Services Model Management and Governance Installer (Spring Boot) HTTP No 6.5 Network Low Low None Unchanged None None High 8.1.2.5, 8.1.2.6
CVE-2024-24816 Oracle Banking Deposits and Lines of Credit Servicing Web UI (CKEditor) HTTP Yes 6.1 Network Low None Required Changed Low Low None 2.12.0.0.0
CVE-2024-21188 Oracle Financial Services Revenue Management and Billing Chatbot HTTP Yes 6.1 Network Low None Required Changed Low Low None 6.0.0.0.0, 6.1.0.0.0
CVE-2024-26308 Oracle Banking Branch Reports (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-26308 Oracle Banking Cash Management Accessibility (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-26308 Oracle Banking Corporate Lending Process Management Base (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-26308 Oracle Banking Credit Facilities Process Management Common (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-26308 Oracle Banking Liquidity Management Common (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-26308 Oracle Banking Origination Basic Config/Maintenances (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-26308 Oracle Financial Services Analytical Applications Infrastructure Infrastructure (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 8.0.7, 8.0.8, 8.1.1, 8.1.2
CVE-2024-26308 Oracle Financial Services Behavior Detection Platform Platform (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 8.0.8.1, 8.1.1.1, 8.1.2.6, 8.1.2.7
CVE-2024-26308 Oracle Financial Services Model Management and Governance Installer (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 8.1.2.5, 8.1.2.6
CVE-2024-26308 Oracle FLEXCUBE Investor Servicing Infrastructure Code (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 14.5.0.0.0, 14.7.0.0.0
CVE-2024-29025 Oracle Banking Branch Reports (Netty) HTTP Yes 5.3 Network Low None None Unchanged None None Low 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-29025 Oracle Banking Credit Facilities Process Management Common (Netty) HTTP Yes 5.3 Network Low None None Unchanged None None Low 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-29025 Oracle Banking Liquidity Management Common (Netty) HTTP Yes 5.3 Network Low None None Unchanged None None Low 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-29025 Oracle Banking Platform Security (Netty) HTTP Yes 5.3 Network Low None None Unchanged None None Low 2.4.0.0.0
CVE-2024-29025 Oracle Banking Virtual Account Management Common (Netty) HTTP Yes 5.3 Network Low None None Unchanged None None Low 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2023-51074 Oracle Financial Services Analytical Applications Infrastructure Infrastructure (JsonPath) HTTP Yes 5.3 Network Low None None Unchanged None None Low 8.0.7, 8.0.8, 8.1.1, 8.1.2
CVE-2024-29025 Oracle FLEXCUBE Universal Banking Infrastructure (Netty) HTTP Yes 5.3 Network Low None None Unchanged None None Low 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
CVE-2024-29133 Oracle Banking Party Management Web UI (Apache Commons Configuration) None No 4.4 Local Low Low None Unchanged None Low Low 2.7.0.0.0
CVE-2024-29133 Oracle Financial Services Compliance Studio Reports (Apache Commons Configuration) None No 4.4 Local Low Low None Unchanged None Low Low 8.1.2.6, 8.1.2.7
CVE-2024-29133 Oracle Financial Services Model Management and Governance Installer (Apache Commons Configuration) None No 4.4 Local Low Low None Unchanged None Low Low 8.1.2.5, 8.1.2.6

Additional CVEs addressed are:

  • The patch for CVE-2023-52425 also addresses CVE-2023-52426.
  • The patch for CVE-2023-6129 also addresses CVE-2023-2975, CVE-2023-3446, CVE-2023-3817, CVE-2023-5363, CVE-2023-5678, and CVE-2024-0727.
  • The patch for CVE-2024-22262 also addresses CVE-2024-22243.
  • The patch for CVE-2024-24549 also addresses CVE-2024-23672.
  • The patch for CVE-2024-24816 also addresses CVE-2024-24815.
  • The patch for CVE-2024-2511 also addresses CVE-2024-4603 and CVE-2024-4741.
  • The patch for CVE-2024-26308 also addresses CVE-2024-25710.
  • The patch for CVE-2024-29133 also addresses CVE-2024-29131.

 

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 41 new security patches for Oracle Fusion Middleware.  32 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

To get the full list of current and previously released Critical Patch Update patches for Oracle Fusion Middleware products, refer to My Oracle Support Doc ID 2806740.2.

Columns: CVE ID, Product, Component, Protocol, Remote Exploit without Auth.?, CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) as Base Score / Attack Vector / Attack Complexity / Privileges Required / User Interaction / Scope / Confidentiality / Integrity / Availability, Supported Versions Affected, Notes
CVE-2023-45853 Oracle HTTP Server SSL Module (zlib) HTTPS Yes 9.8 Network Low None None Unchanged High High High 12.2.1.4.0
CVE-2023-45853 Oracle Outside In Technology Outside In Filters (zlib) HTTP Yes 9.8 Network Low None None Unchanged High High High 8.5.7
CVE-2022-45378 Oracle WebCenter Portal Portal Core (Apache SOAP) HTTP Yes 9.8 Network Low None None Unchanged High High High 12.2.1.4.0
CVE-2023-34034 Oracle WebCenter Sites WebCenter Sites (Spring Security) HTTP Yes 9.8 Network Low None None Unchanged High High High 12.2.1.4.0
CVE-2024-21181 Oracle WebLogic Server Core T3, IIOP Yes 9.8 Network Low None None Unchanged High High High 12.2.1.4.0, 14.1.1.0.0
CVE-2023-4759 Oracle Global Lifecycle Management NextGen OUI Framework NextGen Installer (Eclipse JGit) HTTP No 8.8 Network Low Low None Unchanged High High High 12.2.1.4.0
CVE-2024-22259 Oracle Identity Manager Third Party (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 12.2.1.4.0
CVE-2024-22243 Oracle Middleware Common Libraries and Tools Third Party (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 12.2.1.4.0
CVE-2024-22262 Oracle WebLogic Server Core (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 12.2.1.4.0, 14.1.1.0.0
CVE-2024-22201 Oracle Coherence Third Party (Eclipse Jetty) HTTP/2 Yes 7.5 Network Low None None Unchanged None None High 12.2.1.4.0, 14.1.1.0.0
CVE-2024-29857 Oracle Global Lifecycle Management NextGen OUI Framework NextGen Installer (Bouncy Castle Java Library) HTTPS Yes 7.5 Network Low None None Unchanged None None High 12.2.1.4.0
CVE-2023-52425 Oracle HTTP Server SSL Module (LibExpat) HTTPS Yes 7.5 Network Low None None Unchanged None None High 12.2.1.4.0
CVE-2024-25062 Oracle HTTP Server SSL Module (libxml2) HTTPS Yes 7.5 Network Low None None Unchanged None None High 12.2.1.4.0
CVE-2022-40152 Oracle JDeveloper Oracle JDeveloper (Woodstox) HTTP Yes 7.5 Network Low None None Unchanged None None High 12.2.1.4.0
CVE-2023-52425 Oracle Outside In Technology DC-Specific Component (LibExpat) HTTP Yes 7.5 Network Low None None Unchanged None None High 8.5.7
CVE-2023-24998 Oracle Service Bus Centralized Thirdparty Jars (Apache Commons FileUpload) HTTP Yes 7.5 Network Low None None Unchanged None None High 12.2.1.4.0
CVE-2023-36478 Oracle Unified Directory Containers (Eclipse Jetty) HTTP/2 Yes 7.5 Network Low None None Unchanged None None High 12.2.1.4.0
CVE-2023-5072 Oracle WebCenter Portal Discussion Forums (JSON-java) HTTP Yes 7.5 Network Low None None Unchanged None None High 12.2.1.4.0
CVE-2024-21175 Oracle WebLogic Server Core HTTP Yes 7.5 Network Low None None Unchanged None High None 12.2.1.4.0, 14.1.1.0.0
CVE-2024-21182 Oracle WebLogic Server Core T3, IIOP Yes 7.5 Network Low None None Unchanged High None None 12.2.1.4.0, 14.1.1.0.0
CVE-2024-21183 Oracle WebLogic Server Core T3, IIOP Yes 7.5 Network Low None None Unchanged High None None 12.2.1.4.0, 14.1.1.0.0
CVE-2023-2976 Oracle Global Lifecycle Management NextGen OUI Framework NextGen Installer (Google Guava) None No 7.1 Local Low Low None Unchanged High High None 12.2.1.4.0
CVE-2023-2976 Oracle WebCenter Sites WebCenter Sites (Google Guava) None No 7.1 Local Low Low None Unchanged High High None 12.2.1.4.0
CVE-2021-37533 Oracle Data Integrator Rest Service (Apache Commons Net) HTTP Yes 6.5 Network Low None Required Unchanged High None None 12.2.1.4.0
CVE-2023-6129 Oracle HTTP Server SSL Module (OpenSSL) TLS Yes 6.5 Network High None None Unchanged None Low High 12.2.1.4.0
CVE-2021-37533 Oracle WebCenter Content Content Server (Apache Commons Net) HTTP Yes 6.5 Network Low None Required Unchanged High None None 12.2.1.4.0
CVE-2020-1945 Oracle Middleware Common Libraries and Tools Third Party (Apache Ant) None No 6.3 Local High Low None Unchanged High High None 12.2.1.4.0
CVE-2024-21133 Oracle Reports Developer Servlet HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.4.0, 12.2.1.19.0
CVE-2023-46750 Oracle WebCenter Sites WebCenter Sites (Apache Shiro) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.4.0
CVE-2023-48795 Oracle Data Integrator Runtime Java agent for ODI (Apache Mina SSHD) SSH Yes 5.9 Network High None None Unchanged None High None 12.2.1.4.0
CVE-2023-48795 Oracle Enterprise Data Quality General (Apache Mina SSHD) SSH Yes 5.9 Network High None None Unchanged None High None 12.2.1.4.0
CVE-2023-2976 Oracle Fusion Middleware Oracle Database Client for Fusion Middleware (Google Guava) None No 5.5 Local Low Low None Unchanged High None None 12.2.1.4.0
CVE-2024-26308 Oracle Middleware Common Libraries and Tools Third Party (Jython) None No 5.5 Local Low None Required Unchanged None None High 12.2.1.4.0
CVE-2023-29081 Oracle WebCenter Content Content Integration Suite (InstallShield) None No 5.5 Local Low Low None Unchanged None None High 12.2.1.4.0
CVE-2024-26308 Oracle WebCenter Portal Security Framework (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 12.2.1.4.0
CVE-2024-26308 Oracle WebLogic Server Centralized Thirdparty Jars (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 12.2.1.4.0, 14.1.1.0.0
CVE-2020-13956 Oracle Access Manager Third Party (Apache HttpClient) HTTP Yes 5.3 Network Low None None Unchanged None Low None 12.2.1.4.0
CVE-2020-13956 Oracle Business Activity Monitoring BAM (Apache HttpClient) HTTP Yes 5.3 Network Low None None Unchanged None Low None 12.2.1.4.0
CVE-2024-29025 Oracle Coherence Third Party (Netty) HTTP Yes 5.3 Network Low None None Unchanged None None Low 12.2.1.4.0, 14.1.1.0.0
CVE-2024-0853 Oracle HTTP Server SSL Module (curl) TLS Yes 5.3 Network Low None None Unchanged None Low None 12.2.1.4.0
CVE-2021-29425 Oracle Service Bus OSB Security (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 12.2.1.4.0

Additional CVEs addressed are:

  • The patch for CVE-2020-1945 also addresses CVE-2021-36373 and CVE-2021-36374.
  • The patch for CVE-2023-2976 also addresses CVE-2023-35116.
  • The patch for CVE-2023-36478 also addresses CVE-2023-36479, CVE-2023-40167, and CVE-2023-41900.
  • The patch for CVE-2023-52425 also addresses CVE-2023-52426 and CVE-2024-28757.
  • The patch for CVE-2023-6129 also addresses CVE-2023-5678 and CVE-2024-0727.
  • The patch for CVE-2024-22243 also addresses CVE-2022-22950, CVE-2022-22965, CVE-2022-22968, CVE-2022-22970, and CVE-2023-20861.
  • The patch for CVE-2024-22259 also addresses CVE-2024-22243 and CVE-2024-22262.
  • The patch for CVE-2024-22262 also addresses CVE-2024-22243 and CVE-2024-22259.
  • The patch for CVE-2024-25062 also addresses CVE-2024-34459.
  • The patch for CVE-2024-26308 also addresses CVE-2024-25710.
  • The patch for CVE-2024-29857 also addresses CVE-2024-30171, CVE-2024-30172, and CVE-2024-34447.

 

Oracle Analytics Risk Matrix

This Critical Patch Update contains 17 new security patches for Oracle Analytics.  12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns: CVE ID, Product, Component, Protocol, Remote Exploit without Auth.?, CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) as Base Score / Attack Vector / Attack Complexity / Privileges Required / User Interaction / Scope / Confidentiality / Integrity / Availability, Supported Versions Affected, Notes
CVE-2022-0239 Oracle Business Intelligence Enterprise Edition Analytics Server (Stanford CoreNLP) HTTP Yes 9.8 Network Low None None Unchanged High High High 7.0.0.0.0
CVE-2022-21797 Oracle Business Intelligence Enterprise Edition Pipeline Test Failures (Joblib) HTTP Yes 9.8 Network Low None None Unchanged High High High 7.0.0.0.0
CVE-2021-23926 Oracle Business Intelligence Enterprise Edition BI FNDN (Apache XMLBeans) HTTP Yes 9.1 Network Low None None Unchanged High None High 12.2.1.4.0
CVE-2023-26031 Oracle Analytics Desktop Analytics Server (Apache Hadoop) HTTP No 7.5 Network High Low None Unchanged High High High Prior to 7.7.0
CVE-2023-46589 Oracle Analytics Desktop Analytics Visualization (Apache Tomcat) HTTP Yes 7.5 Network Low None None Unchanged None High None Prior to 7.8.0
CVE-2022-40152 Oracle Business Intelligence Enterprise Edition Analytics Server (Woodstox) HTTP Yes 7.5 Network Low None None Unchanged None None High 7.0.0.0.0
CVE-2023-1436 Oracle Business Intelligence Enterprise Edition Analytics Server (jackson-databind) HTTP Yes 7.5 Network Low None None Unchanged None None High 12.2.1.4.0
CVE-2023-1370 Oracle Business Intelligence Enterprise Edition Analytics Server (json-smart) HTTP Yes 7.5 Network Low None None Unchanged None None High 7.0.0.0.0, 12.2.1.4.0
CVE-2023-1436 Oracle Business Intelligence Enterprise Edition BI Platform Security (Jettison) HTTP Yes 7.5 Network Low None None Unchanged None None High 12.2.1.4.0
CVE-2023-49083 Oracle Business Intelligence Enterprise Edition Pipeline Test Failures (Cryptography) HTTP Yes 7.5 Network Low None None Unchanged None None High 7.0.0.0.0
CVE-2023-52428 Oracle Business Intelligence Enterprise Edition Storage Service Integration (Nimbus JOSE+JWT) HTTP Yes 7.5 Network Low None None Unchanged None None High 12.2.1.4.0
CVE-2021-37533 Oracle Analytics Desktop Mapviewer (Apache Commons FileUpload) HTTP Yes 6.5 Network Low None Required Unchanged High None None Prior to 7.8.0
CVE-2023-48795 Oracle Analytics Desktop Analytics Visualization (Apache Mina SSHD) SSH Yes 5.9 Network High None None Unchanged None High None Prior to 7.8.0
CVE-2024-25710 Oracle Analytics Desktop Analytics Server (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High Prior to 7.8.0
CVE-2023-33202 Oracle Analytics Desktop Analytics Server (Bouncy Castle Java Library) None No 5.5 Local Low None Required Unchanged None None High Prior to 7.8.0
CVE-2024-0727 Oracle Business Intelligence Enterprise Edition Analytics Server (OpenSSL) None No 5.5 Local Low None Required Unchanged None None High 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0
CVE-2024-21139 Oracle Business Intelligence Enterprise Edition Analytics Web Answers HTTP No 5.4 Network Low Low Required Changed Low Low None 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0

Additional CVEs addressed are:

  • The patch for CVE-2022-0239 also addresses CVE-2021-44550.
  • The patch for CVE-2023-1370 also addresses CVE-2021-27568.
  • The patch for CVE-2023-1436 also addresses CVE-2022-40149, CVE-2022-40150, CVE-2022-45685, and CVE-2022-45693.
  • The patch for CVE-2024-0727 also addresses CVE-2022-1292.
  • The patch for CVE-2024-25710 also addresses CVE-2024-26308.

 

Oracle HealthCare Applications Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle HealthCare Applications.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns: CVE ID, Product, Component, Protocol, Remote Exploit without Auth.?, CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) as Base Score / Attack Vector / Attack Complexity / Privileges Required / User Interaction / Scope / Confidentiality / Integrity / Availability, Supported Versions Affected, Notes
CVE-2024-22262 Oracle Healthcare Data Repository FHIR Server (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 8.1.4, 8.2.0
CVE-2024-22262 Oracle Healthcare Master Person Index Core (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 5.0.0-5.0.9
CVE-2023-2976 Oracle Healthcare Foundation Core (Google Guava) None No 7.1 Local Low Low None Unchanged High High None 8.2.0, 8.2.1, 8.2.2, 8.2.3
CVE-2024-26308 Oracle Healthcare Data Repository FHIR CLI (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 8.1.4, 8.2.0
CVE-2022-33879 Oracle Healthcare Foundation Upload Services (Apache Tika) None No 3.3 Local Low None Required Unchanged None None Low 8.2.0, 8.2.1, 8.2.2, 8.2.4

Additional CVEs addressed are:

  • The patch for CVE-2024-26308 also addresses CVE-2024-25710.

 

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Hyperion.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns: CVE ID, Product, Component, Protocol, Remote Exploit without Auth.?, CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) as Base Score / Attack Vector / Attack Complexity / Privileges Required / User Interaction / Scope / Confidentiality / Integrity / Availability, Supported Versions Affected, Notes
CVE-2023-29081 Oracle Hyperion Data Relationship Management Installation and Configuration (InstallShield) None No 5.5 Local Low Low None Unchanged None None High 11.2.17.0.000
CVE-2023-29081 Oracle Hyperion Financial Close Management Close Manager (InstallShield) None No 5.5 Local Low Low None Unchanged None None High 11.2.17.0.000
CVE-2023-29081 Oracle Hyperion Infrastructure Technology Installation and Configuration (InstallShield) None No 5.5 Local Low Low None Unchanged None None High 11.2.17.0.000

 

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 10 new security patches for Oracle Insurance Applications.  7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns: CVE ID, Product, Component, Protocol, Remote Exploit without Auth.?, CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) as Base Score / Attack Vector / Attack Complexity / Privileges Required / User Interaction / Scope / Confidentiality / Integrity / Availability, Supported Versions Affected, Notes
CVE-2024-22257 Oracle Insurance Policy Administration J2EE Architecture (Spring Security) HTTP Yes 8.2 Network Low None None Unchanged High Low None 11.2.11, 11.3.0-11.3.2
CVE-2024-22262 Oracle Documaker Docupresentment IDS Server (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 12.6.4, 12.7.1
CVE-2024-22262 Oracle Insurance Policy Administration J2EE Architecture (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 11.2.11, 11.3.0-11.3.2
CVE-2022-34169 Oracle Documaker Development Tools (Apache Xalan-Java) HTTP Yes 7.5 Network Low None None Unchanged None High None 12.6.4, 12.7.1
CVE-2022-34169 Oracle Insurance Policy Administration J2EE Architecture (Apache Xalan-Java) HTTP Yes 7.5 Network Low None None Unchanged None High None 11.2.11, 11.3.0-11.3.2
CVE-2024-23635 Oracle Insurance Policy Administration J2EE Architecture (AntiSamy) HTTP Yes 6.1 Network Low None Required Changed Low Low None 11.2.11
CVE-2023-29081 Oracle Documaker Transall (InstallShield) None No 5.5 Local Low Low None Unchanged None None High 12.7.1
CVE-2024-26308 Oracle Insurance Policy Administration J2EE Architecture (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 11.2.11, 11.3.0-11.3.2
CVE-2023-21036 Oracle Insurance Policy Administration J2EE Architecture (aCropalypse) None No 5.5 Local Low Low None Unchanged High None None 11.2.11, 11.3.0-11.3.2
CVE-2020-13956 Oracle Documaker Enterprise Edition (Apache HttpClient) HTTP Yes 5.3 Network Low None None Unchanged None Low None 12.6.4, 12.7.1

Additional CVEs addressed are:

  • The patch for CVE-2024-26308 also addresses CVE-2024-25710.

 

Oracle Java SE Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Java SE.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Low" instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE subscribers and customers running in Oracle Cloud can use Java Management Service to update Java runtimes and to perform further security reviews, such as identifying potentially vulnerable third-party libraries used by your Java programs. Existing Java Management Service users can click here to log in to their dashboard. The Java Management Service Documentation lists the features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java installations.

CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 3.1 RISK columns: Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2024-27983 Oracle GraalVM for JDK Node (Node.js) HTTP/2 Yes 8.2 Network Low None None Unchanged None Low High Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1
CVE-2024-21147 Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition Hotspot Multiple Yes 7.4 Network High None None Unchanged High High None Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14, 21.3.10 See Note 1
CVE-2024-21145 Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition 2D Multiple Yes 4.8 Network High None None Unchanged Low Low None Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14, 21.3.10 See Note 1
CVE-2024-21140 Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition Hotspot Multiple Yes 4.8 Network High None None Unchanged Low Low None Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14, 21.3.10 See Note 1
CVE-2024-21144 Oracle Java SE, Oracle GraalVM Enterprise Edition Concurrency Multiple Yes 3.7 Network High None None Unchanged None None Low Oracle Java SE: 8u411, 8u411-perf, 11.0.23; Oracle GraalVM Enterprise Edition: 20.3.14, 21.3.10 See Note 2
CVE-2024-21131 Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition Hotspot Multiple Yes 3.7 Network High None None Unchanged None Low None Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14, 21.3.10 See Note 1
CVE-2024-21138 Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition Hotspot Multiple Yes 3.7 Network High None None Unchanged None None Low Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14, 21.3.10 See Note 1

Notes:

  1. This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.
  2. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
 

Additional CVEs addressed are:

  • The patch for CVE-2024-27983 also addresses CVE-2024-27980 and CVE-2024-27982.

 

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle JD Edwards.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 3.1 RISK columns: Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2023-38552 JD Edwards EnterpriseOne Tools E1 Dev Platform Tech - Cloud (Node.js) HTTP Yes 7.5 Network Low None None Unchanged None High None Prior to 9.2.8.2
CVE-2024-21168 JD Edwards EnterpriseOne Orchestrator E1 IOT Orchestrator Security HTTP No 6.5 Network Low Low None Unchanged High None None Prior to 9.2.8.3
CVE-2023-6129 JD Edwards World Security World Software Security (OpenSSL) HTTPS Yes 6.5 Network High None None Unchanged None Low High A9.4
CVE-2024-21150 JD Edwards EnterpriseOne Tools Web Runtime SEC HTTP Yes 6.1 Network Low None Required Changed Low Low None Prior to 9.2.8.2
CVE-2022-31160 JD Edwards EnterpriseOne Tools Web Runtime SEC (jQueryUI) HTTP Yes 6.1 Network Low None Required Changed Low Low None Prior to 9.2.8.2
CVE-2023-33201 JD Edwards EnterpriseOne Orchestrator E1 IOT Orchestrator Security (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Unchanged Low None None Prior to 9.2.8.2
CVE-2023-3817 JD Edwards EnterpriseOne Tools Enterprise Infrastructure SEC (OpenSSL) HTTPS Yes 5.3 Network Low None None Unchanged None None Low Prior to 9.2.8.2
CVE-2023-35887 JD Edwards EnterpriseOne Tools Business Logic Infra SEC (Apache Mina SSHD) SSH No 4.3 Network Low Low None Unchanged Low None None Prior to 9.2.8.2

Additional CVEs addressed are:

  • The patch for CVE-2023-3817 also addresses CVE-2023-3446.
  • The patch for CVE-2023-38552 also addresses CVE-2023-39331, CVE-2023-39332, CVE-2023-44487, and CVE-2024-27983.

 

Oracle MySQL Risk Matrix

This Critical Patch Update contains 37 new security patches for Oracle MySQL.  11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 3.1 RISK columns: Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2023-37920 MySQL Cluster Cluster: General (Certifi) Multiple Yes 9.8 Network Low None None Unchanged High High High 8.0.34 and prior, 8.1.0 and prior
CVE-2024-22257 MySQL Enterprise Monitor Monitoring: General (Spring Security) Multiple Yes 8.2 Network Low None None Unchanged High Low None 8.0.38 and prior
CVE-2021-24112 MySQL Connectors Connector/Net (.NET Core) MySQL Protocol Yes 8.1 Network High None None Unchanged High High High 8.4.0 and prior
CVE-2024-22262 MySQL Enterprise Monitor Monitoring: General (Spring Framework) Multiple Yes 8.1 Network Low None Required Unchanged High High None 8.0.38 and prior
CVE-2023-52425 MySQL Cluster Cluster: General (LibExpat) Multiple Yes 7.5 Network Low None None Unchanged None None High 8.0.36 and prior, 8.3.0 and prior
CVE-2024-25062 MySQL Cluster Cluster: General (libxml2) Multiple Yes 7.5 Network Low None None Unchanged None None High 8.0.37 and prior, 8.4.0 and prior
CVE-2024-24549 MySQL Enterprise Monitor Monitoring: General (Apache Tomcat) Multiple Yes 7.5 Network Low None None Unchanged None None High 8.0.38 and prior
CVE-2024-25062 MySQL Workbench MySQL Workbench (libxml2) MySQL Workbench Yes 7.5 Network Low None None Unchanged None None High 8.0.36 and prior
CVE-2024-21177 MySQL Cluster Cluster: General Multiple No 6.5 Network Low Low None Unchanged None None High 7.5.34 and prior, 7.6.30 and prior, 8.0.37 and prior, 8.4.0 and prior
CVE-2024-21171 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Unchanged None None High 8.0.37 and prior, 8.4.0 and prior
CVE-2024-21177 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Unchanged None None High 8.0.37 and prior, 8.4.0 and prior
CVE-2023-6129 MySQL Workbench MySQL Workbench (OpenSSL) MySQL Workbench Yes 6.5 Network High None None Unchanged None Low High 8.0.36 and prior
CVE-2024-21170 MySQL Connectors Connector/Python MySQL Protocol No 6.3 Network Low Low None Unchanged Low Low Low 8.4.0 and prior
CVE-2024-0450 MySQL Workbench MySQL Workbench (Python) None No 6.2 Local Low None None Unchanged None None High 8.0.36 and prior
CVE-2023-48795 MySQL Cluster Cluster: General (libssh) Multiple Yes 5.9 Network High None None Unchanged None High None 8.0.37 and prior, 8.4.0 and prior
CVE-2024-21166 MySQL Server InnoDB MySQL Protocol No 5.9 Network High High None Unchanged None High High 8.0.36 and prior, 8.3.0 and prior
CVE-2023-48795 MySQL Workbench MySQL Workbench (libssh) MySQL Workbench Yes 5.9 Network High None None Unchanged None High None 8.0.36 and prior
CVE-2024-21163 MySQL Server Server: Optimizer MySQL Protocol No 5.5 Network Low High None Unchanged None Low High 8.0.37 and prior, 8.4.0 and prior
CVE-2024-21176 MySQL Server Server: Thread Pooling MySQL Protocol No 5.3 Network High Low None Unchanged None None High 8.4.0 and prior
CVE-2024-21125 MySQL Cluster Cluster: General Multiple No 4.9 Network Low High None Unchanged None None High 7.5.34 and prior, 7.6.30 and prior, 8.0.37 and prior, 8.4.0 and prior
CVE-2024-20996 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.37 and prior, 8.4.0 and prior
CVE-2024-21157 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.36 and prior, 8.4.0 and prior
CVE-2024-21159 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.36 and prior, 8.3.0 and prior
CVE-2024-21160 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.36 and prior, 8.3.0 and prior
CVE-2024-21173 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.37 and prior, 8.4.0 and prior
CVE-2024-21179 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.37 and prior, 8.4.0 and prior
CVE-2024-21185 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.38, 8.4.1, 9.0.0
CVE-2024-21127 MySQL Server Server: DDL MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.37 and prior, 8.4.0 and prior
CVE-2024-21129 MySQL Server Server: DDL MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.37 and prior, 8.4.0 and prior
CVE-2024-21125 MySQL Server Server: FTS MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.37 and prior, 8.4.0 and prior
CVE-2024-21130 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.37 and prior, 8.4.0 and prior
CVE-2024-21135 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.36 and prior, 8.3.0 and prior
CVE-2024-21137 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.35 and prior, 8.2.0 and prior
CVE-2024-21162 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.37 and prior, 8.4.0 and prior
CVE-2024-21165 MySQL Server Server: Pluggable Auth MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.37 and prior
CVE-2024-21142 MySQL Server Server: Security: Privileges MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.37 and prior, 8.4.0 and prior
CVE-2024-21134 MySQL Server Server: Connection Handling MySQL Protocol No 4.3 Network Low Low None Unchanged None None Low 8.0.37 and prior, 8.4.0 and prior

Additional CVEs addressed are:

  • The patch for CVE-2023-48795 also addresses CVE-2023-6004 and CVE-2023-6918.
  • The patch for CVE-2023-52425 also addresses CVE-2023-52426.
  • The patch for CVE-2023-6129 also addresses CVE-2023-5678 and CVE-2024-0727.
  • The patch for CVE-2024-0450 also addresses CVE-2023-6597.
  • The patch for CVE-2024-24549 also addresses CVE-2024-23672.

 

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle PeopleSoft.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 3.1 RISK columns: Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2024-21158 PeopleSoft Enterprise PeopleTools Portal HTTP No 6.4 Network Low Low None Changed Low Low None 8.59, 8.60, 8.61
CVE-2024-21178 PeopleSoft Enterprise PeopleTools Portal HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.59, 8.60, 8.61
CVE-2023-48795 PeopleSoft Enterprise PeopleTools Web Server (Apache Mina SSHD) SSH Yes 5.9 Network High None None Unchanged None High None 8.60, 8.61
CVE-2024-26308 PeopleSoft Enterprise PeopleTools OpenSearch (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 8.59, 8.60, 8.61
CVE-2024-26308 PeopleSoft Enterprise PeopleTools Web Server (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 8.59, 8.60, 8.61
CVE-2023-42503 PeopleSoft Enterprise PeopleTools Webserver (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 8.59, 8.60, 8.61
CVE-2024-0232 PeopleSoft Enterprise PeopleTools XML Publisher (SQLite) None No 5.5 Local Low None Required Unchanged None None High 8.59
CVE-2024-21122 PeopleSoft Enterprise HCM Shared Components Text Catalog HTTP No 5.4 Network Low Low Required Changed Low Low None 9.2
CVE-2023-28756 PeopleSoft Enterprise PeopleTools PeopleSoft CDA (Ruby) HTTP Yes 5.3 Network Low None None Unchanged None None Low 8.59, 8.60, 8.61
CVE-2024-21154 PeopleSoft Enterprise HCM Human Resources Human Resources HTTP No 4.3 Network Low Low None Unchanged Low None None 9.2
CVE-2024-21180 PeopleSoft Enterprise PeopleTools OpenSearch Dashboards HTTP No 4.1 Network Low Low Required Changed Low None None 8.59, 8.60, 8.61

Additional CVEs addressed are:

  • The patch for CVE-2023-28756 also addresses CVE-2023-28755.
  • The patch for CVE-2024-26308 also addresses CVE-2024-25710.

 

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Retail Applications.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 3.1 RISK columns: Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2024-21136 Oracle Retail Xstore Office Security HTTP Yes 8.6 Network Low None None Changed High None None 19.0.5, 20.0.3, 20.0.4, 22.0.0, 23.0.1
CVE-2024-22262 Oracle Retail Assortment Planning Application Core (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 15.0.3, 16.0.3
CVE-2024-22262 Oracle Retail Financial Integration PeopleSoft Integration Bugs (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
CVE-2024-22262 Oracle Retail Integration Bus RIB Kernal (Spring Framework) HTTP Yes 8.1 Network Low None Required Unchanged High High None 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
CVE-2024-26308 Oracle Retail Predictive Application Server RPAS Fusion Client (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 15.0.3, 16.0.3

Additional CVEs addressed are:

  • The patch for CVE-2024-26308 also addresses CVE-2024-25710.

 

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Siebel CRM.  11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 3.1 RISK columns: Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2022-37434 Siebel CRM Deployment Repository Utilities (zlib) HTTP Yes 9.8 Network Low None None Unchanged High High High 24.6 and prior
CVE-2023-5764 Siebel CRM Cloud Applications Siebel Cloud Manager (Ansible) None No 7.8 Local Low Low None Unchanged High High High 24.3 and prior
CVE-2023-47627 Siebel CRM Cloud Applications Siebel Cloud Manager (AIOHTTP) HTTP Yes 7.5 Network Low None None Unchanged None High None 24.1 and prior
CVE-2023-41105 Siebel CRM Cloud Applications Siebel Cloud Manager (Python) HTTP Yes 7.5 Network Low None None Unchanged None High None 23.11 and prior
CVE-2021-36090 Siebel CRM Deployment Installation (Apache Commons Compress) HTTP Yes 7.5 Network Low None None Unchanged None None High 22.3 and prior
CVE-2022-42003 Siebel CRM Deployment Installation (jackson-databind) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.4 and prior
CVE-2022-34169 Siebel CRM Deployment Server Infrastructure (Apache Xalan-Java) HTTP Yes 7.5 Network Low None None Unchanged None High None 22.12 and prior
CVE-2023-46589 Siebel CRM End User EAI, UI (Apache Tomcat) HTTP Yes 7.5 Network Low None None Unchanged None High None 24.2 and prior
CVE-2023-5072 Siebel CRM Integration EAI (JSON-java) HTTP Yes 7.5 Network Low None None Unchanged None None High 23.12 and prior
CVE-2023-22081 Siebel CRM Deployment Installation (Oracle Java SE) HTTPS Yes 5.3 Network Low None None Unchanged None None Low 24.6 and prior
CVE-2023-5678 Siebel CRM Deployment Server Infrastructure (OpenSSL) HTTPS Yes 5.3 Network Low None None Unchanged None None Low 24.2 and prior
CVE-2023-33201 Siebel CRM Integration AI (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Unchanged Low None None 24.4 and prior

Additional CVEs addressed are:

  • The patch for CVE-2022-42003 also addresses CVE-2019-17267.
  • The patch for CVE-2023-47627 also addresses CVE-2023-49081 and CVE-2023-49082.
  • The patch for CVE-2023-5678 also addresses CVE-2022-3786.

 

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Supply Chain.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 3.1 RISK columns: Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2023-37536 Oracle Agile Engineering Data Management Core (Apache Xerces-C++) HTTP No 8.8 Network Low Low None Unchanged High High High 6.2.1.0-6.2.1.9
CVE-2023-37536 Oracle Autovue for Agile Product Lifecycle Management Installation (Apache Xerces-C++) HTTP No 8.8 Network Low Low None Unchanged High High High 21.0.2
CVE-2022-34169 Oracle Agile Engineering Data Management Core (Apache Xalan-Java) HTTP Yes 7.5 Network Low None None Unchanged None High None 6.2.1.0-6.2.1.7
CVE-2023-24998 Oracle Agile Engineering Data Management File Upload (Apache Commons FileUpload) HTTP Yes 7.5 Network Low None None Unchanged None None High 6.2.1.0-6.2.1.9
CVE-2023-46589 Oracle Agile Engineering Data Management Installation (Apache Tomcat) HTTP Yes 7.5 Network Low None None Unchanged None High None 6.2.1.0-6.2.1.9
CVE-2022-34169 Oracle Autovue for Agile Product Lifecycle Management Installation (Apache Xalan-Java) HTTP Yes 7.5 Network Low None None Unchanged None High None 21.0.2
CVE-2023-44487 Oracle Autovue for Agile Product Lifecycle Management Core (Eclipse Jetty) HTTP/2 Yes 7.5 Network Low None None Unchanged None None High 21.0.2

 

Oracle Systems Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Systems.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 3.1 RISK columns: Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2024-21155 Oracle ZFS Storage Appliance Kit User Interface HTTP Yes 4.7 Network Low None Required Changed Low None None 8.8
CVE-2024-21151 Oracle Solaris Filesystem None No 3.3 Local Low Low None Unchanged None None Low 11

 

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Utilities Applications.  Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 3.1 RISK columns: Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2023-52428 Oracle Utilities Application Framework General (Nimbus JOSE+JWT) HTTP Yes 7.5 Network Low None None Unchanged None None High 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1-4.5.0.1.3, 24.1.0.0.0, 24.2.0.0.0
CVE-2024-29857 Oracle Utilities Application Framework General (Bouncy Castle Java Library) HTTPS Yes 7.5 Network Low None None Unchanged None None High 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1-4.5.0.1.3, 24.1.0.0.0, 24.2.0.0.0

Additional CVEs addressed are:

  • The patch for CVE-2024-29857 also addresses CVE-2024-30171 and CVE-2024-30172.

 

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Virtualization.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 3.1 RISK columns: Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2024-21141 Oracle VM VirtualBox Core None No 8.2 Local Low High None Changed High High High Prior to 7.0.20
CVE-2024-21161 Oracle VM VirtualBox Core None No 5.5 Local Low Low None Unchanged None None High Prior to 7.0.20 See Note 1
CVE-2024-21164 Oracle VM VirtualBox Core None No 2.5 Local High High None Changed Low None None Prior to 7.0.20

Notes:

  1. This vulnerability applies to Linux hosts only.