Oracle Critical Patch Update Advisory - October 2024

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 334 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2024 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions Patch Availability Document
Autonomous Health Framework, versions prior to 24.9 Oracle Autonomous Health Framework
GoldenGate Stream Analytics, versions 19.1.0.0.0-19.1.0.0.9 Database
Management Cloud Engine, version 24.1.0.0.0 Management Cloud Engine
MySQL Client, versions 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior MySQL
MySQL Cluster, versions 7.5.35 and prior, 7.6.31 and prior, 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior MySQL
MySQL Connectors, versions 8.0.39 and prior, 9.0.0 and prior MySQL
MySQL Enterprise Backup, versions 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior MySQL
MySQL Enterprise Monitor, versions 8.0.39 and prior MySQL
MySQL Server, versions 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior MySQL
MySQL Shell, versions 8.0.38 and prior, 8.4.1 and prior, 9.0.1 and prior MySQL
MySQL Workbench, versions 8.0.38 and prior MySQL
Oracle Access Manager, version 12.2.1.4.0 Fusion Middleware
Oracle Agile PLM, version 9.3.6 Oracle Supply Chain Products
Oracle Application Express, versions 23.1, 23.2, 24.1 Database
Oracle Application Testing Suite, version 13.3.0.1 Oracle Enterprise Manager
Oracle Autovue for Agile Product Lifecycle Management, version 21.1.0 Oracle Supply Chain Products
Oracle Banking APIs, versions 19.2.0.0.0, 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 Contact Support
Oracle Banking Cash Management, versions 14.7.4.0.0, 14.7.5.0.0 Contact Support
Oracle Banking Corporate Lending Process Management, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 Contact Support
Oracle Banking Digital Experience, versions 19.2.0.0.0, 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 Contact Support
Oracle Banking Liquidity Management, versions 14.5.0.12.0, 14.7.0.6.0, 14.7.4.0.0, 14.7.5.0.0 Contact Support
Oracle Banking Supply Chain Finance, versions 14.7.4.0.0, 14.7.5.0.0 Contact Support
Oracle BI Publisher, versions 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0 Oracle Analytics
Oracle Blockchain Platform, version 21.1.2 Oracle Blockchain Platform
Oracle Business Activity Monitoring, version 12.2.1.4.0 Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0 Oracle Analytics
Oracle Business Process Management Suite, version 12.2.1.4.0 Fusion Middleware
Oracle Commerce Guided Search, versions 11.3.2, 11.4.0 Oracle Commerce
Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2 Oracle Commerce
Oracle Communications ASAP, version 7.4.3.0.2 Oracle Communications ASAP
Oracle Communications Cloud Native Core Automated Test Suite, versions 23.4.3, 23.4.4, 24.1.1, 24.2.2 Oracle Communications Cloud Native Core Automated Test Suite
Oracle Communications Cloud Native Core Binding Support Function, versions 23.4.0-23.4.5 Oracle Communications Cloud Native Core Binding Support Function
Oracle Communications Cloud Native Core Certificate Management, versions 23.4.2, 23.4.3, 24.2.0 Oracle Communications Cloud Native Core Certificate Management
Oracle Communications Cloud Native Core Console, versions 23.4.2, 24.2.0 Oracle Communications Cloud Native Core Console
Oracle Communications Cloud Native Core DBTier, versions 24.1.0, 24.2.0 Oracle Communications Cloud Native Core DBTier
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 23.4.0, 24.1.0-24.2.0 Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Oracle Communications Cloud Native Core Network Repository Function, versions 23.4.4, 24.2.1 Oracle Communications Cloud Native Core Network Repository Function
Oracle Communications Cloud Native Core Network Slice Selection Function, versions 24.2.0, 24.2.1 Oracle Communications Cloud Native Core Network Slice Selection Function
Oracle Communications Cloud Native Core Policy, versions 23.4.0-23.4.6 Oracle Communications Cloud Native Core Policy
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 23.4.2, 24.2.0 Oracle Communications Cloud Native Core Security Edge Protection Proxy
Oracle Communications Cloud Native Core Service Communication Proxy, versions 23.4.0, 24.1.0, 24.2.0 Oracle Communications Cloud Native Core Service Communication Proxy
Oracle Communications Cloud Native Core Unified Data Repository, version 24.2.0 Oracle Communications Cloud Native Core Unified Data Repository
Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0 Oracle Communications Convergent Charging Controller
Oracle Communications Core Session Manager, version 9.1.5 Oracle Communications Core Session Manager
Oracle Communications EAGLE Application Processor, version 17.0.1 Oracle Communications EAGLE Application Processor
Oracle Communications IP Service Activator, versions 7.4.0, 7.5.0 Oracle Communications IP Service Activator
Oracle Communications LSMS, version 14.0.0.1 Oracle Communications LSMS
Oracle Communications Messaging Server, version 8.1 Oracle Communications Messaging Server
Oracle Communications Network Analytics Data Director, versions 23.4.0, 24.1.0, 24.2.0 Oracle Communications Network Analytics Data Director
Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0 Oracle Communications Network Charging and Control
Oracle Communications Operations Monitor, versions 5.1, 5.2 Oracle Communications Operations Monitor
Oracle Communications Order and Service Management, versions 7.4.0, 7.4.1, 7.5.0 Oracle Communications Order and Service Management
Oracle Communications Performance Intelligence Center, versions prior to 10.4.0.4 Oracle Communications Performance Intelligence Center
Oracle Communications Policy Management, versions 12.6.1.0.0, 15.0.0.0.0 Oracle Communications Policy Management
Oracle Communications Session Border Controller, versions 9.1.0, 9.2.0, 9.3.0 Oracle Communications Session Border Controller
Oracle Communications Unified Assurance, versions 5.5.0-5.5.22, 6.0.0-6.0.5 Oracle Communications Unified Assurance
Oracle Communications User Data Repository, versions 12.11.0, 14.0 Oracle Communications User Data Repository
Oracle Data Integrator, version 12.2.1.4.0 Fusion Middleware
Oracle Database Server, versions 19.3-19.24, 21.3-21.15, 23.4-23.5 Database
Oracle E-Business Suite, versions 12.2.3-12.2.14, [ECC] 11-13 Oracle E-Business Suite
Oracle Enterprise Communications Broker, versions 4.1.0, 4.2.0 Oracle Enterprise Communications Broker
Oracle Enterprise Data Quality, version 12.2.1.4.0 Fusion Middleware
Oracle Enterprise Manager Base Platform, versions 12.2.1.4.0, 13.5.0.0 Oracle Enterprise Manager
Oracle Enterprise Manager for Fusion Middleware, version 12.2.1.4.0 Fusion Middleware
Oracle Enterprise Manager for Peoplesoft, version 13.5.1.1.0 Oracle Enterprise Manager
Oracle Enterprise Manager Fusion Middleware Control, version 12.2.1.4.0 Fusion Middleware
Oracle Enterprise Operations Monitor, versions 5.1, 5.2 Oracle Enterprise Operations Monitor
Oracle Essbase, version 21.6 Database
Oracle Financial Services Compliance Studio, versions 8.1.2.7, 8.1.2.8 Oracle Financial Services Compliance Studio
Oracle Financial Services Revenue Management and Billing, versions 3.0.0.0.0, 4.0.0.0.0, 5.0.0.0.0 Oracle Financial Services Revenue Management and Billing
Oracle Global Lifecycle Management FMW Installer, version 12.2.1.4.0 Fusion Middleware
Oracle GoldenGate Big Data and Application Adapters, versions 19.1.0.0.0-19.1.0.0.9 Database
Oracle GraalVM Enterprise Edition, versions 20.3.15, 21.3.11 Java SE
Oracle GraalVM for JDK, versions 17.0.12, 21.0.4, 23 Java SE
Oracle Graph Server and Client, versions 23.4.3, 24.3.0 Database
Oracle Hospitality Cruise Shipboard Property Management System, version 23.1.3 Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality OPERA 5, versions 5.6.19.19, 5.6.25.8, 5.6.26.4 Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Simphony, versions 19.1.0-19.6.2 Oracle Hospitality Simphony
Oracle HTTP Server, versions 12.2.1.4.0, 14.1.1.0.0 Fusion Middleware
Oracle Hyperion BI+, version 11.2.18.0.0 Oracle Enterprise Performance Management
Oracle Hyperion Financial Management, version 11.2.18.0.0 Oracle Enterprise Performance Management
Oracle Hyperion Infrastructure Technology, version 11.2.18.0.0 Oracle Enterprise Performance Management
Oracle Identity Manager Connector, versions 11.1.1.5.0, 12.2.1.3.0 Fusion Middleware
Oracle Java SE, versions 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23 Java SE
Oracle Managed File Transfer, version 12.2.1.4.0 Fusion Middleware
Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0 Fusion Middleware
Oracle NoSQL Database, versions 1.5.0, 20.3.40, 21.2.71, 22.3.45, 23.3.33, 24.1.17 NoSQL Database
Oracle Outside In Technology, version 8.5.7 Fusion Middleware
Oracle Retail Customer Management and Segmentation Foundation, version 19.0.0.10 Retail Applications
Oracle Retail EFTLink, versions 20.0.1, 21.0.0, 22.0.0, 23.0.0 Retail Applications
Oracle SD-WAN Aware, version 9.0.1.10.0 Oracle SD-WAN Aware
Oracle SD-WAN Edge, versions 9.1.1.3.0, 9.1.1.5.0-9.1.1.8.0, 9.1.1.9.0 Oracle SD-WAN Edge
Oracle Secure Backup, versions 18.1.0.1.0, 18.1.0.2.0, 19.1.0.0.0 Oracle Secure Backup
Oracle Service Bus, version 12.2.1.4.0 Fusion Middleware
Oracle Solaris Cluster, version 4 Systems
Oracle SQL Developer, versions 23.1.0, 24.3.0 Database
Oracle Utilities Application Framework, versions 4.0.0.0.0, 4.0.0.2.0, 4.0.0.3.0, 4.3.0.3.0-4.3.0.6.0, 4.5.0.0.0 Oracle Utilities Applications
Oracle Utilities Network Management System, versions 2.3.0.2.34, 2.4.0.1.25, 2.5.0.1.14, 2.5.0.2.8, 2.6.0.1.5 Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 7.0.22, prior to 7.1.2 Virtualization
Oracle WebCenter Forms Recognition, version 14.1.1.0.0 Fusion Middleware
Oracle WebCenter Portal, version 12.2.1.4.0 Fusion Middleware
Oracle WebCenter Sites, version 12.2.1.4.0 Fusion Middleware
Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0 Fusion Middleware
PeopleSoft Enterprise CC Common Application Objects, version 9.2 PeopleSoft
PeopleSoft Enterprise ELM Enterprise Learning Management, version 9.2 PeopleSoft
PeopleSoft Enterprise FIN Expenses, version 9.2 PeopleSoft
PeopleSoft Enterprise HCM Global Payroll Core, versions 9.2.48-9.2.50 PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.59, 8.60, 8.61 PeopleSoft
Siebel Applications, versions 24.7 and prior Siebel

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE ID. A vulnerability that affects multiple products will appear with the same CVE ID in all risk matrices.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about conditions required to exploit the vulnerability and the potential impact of a successful exploit. Oracle provides this information so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Vulnerabilities in third party components that are not exploitable through their inclusion in Oracle products are listed below the respective Oracle product's risk matrix. Starting with the July 2023 Critical Patch Update, a VEX justification is also provided.

The protocol in the risk matrix implies that all of its secure variants are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy that further supplements the Lifetime Support Policy as explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • aftersnow: CVE-2024-21260
  • Alberto Bruscino: CVE-2024-21195
  • Ammarit Thongthua of Secure D Center Cybersecurity Team: CVE-2024-21206
  • An Anonymous researcher working with Trend Micro's Zero Day Initiative: CVE-2024-21248
  • Andy Boothe: CVE-2024-21208
  • AWS Security of Amazon: CVE-2024-21247
  • bluE0 and 4ra1n: CVE-2024-21190
  • Cen Zhang of Cyber Security Lab of NTU: CVE-2024-21263
  • Emad Al-Mousa: CVE-2024-21233
  • enivS0rt: CVE-2024-21234
  • Haoran Zhao of Secsys Lab of Fudan University: CVE-2024-21215
  • HoraceYang of Tencent Security YUNDING LAB: CVE-2024-21200, CVE-2024-21201
  • Janis Krusts: CVE-2024-21214
  • Jie Liang of WingTecher Lab of Tsinghua University: CVE-2024-21194, CVE-2024-21196, CVE-2024-21230
  • Jingzhou Fu of WingTecher Lab of Tsinghua University: CVE-2024-21194, CVE-2024-21196, CVE-2024-21230
  • Keke Lian of Secsys Lab of Fudan University: CVE-2024-21215
  • Kush Jijania: CVE-2024-21261
  • Marcos Díaz Castiñeiras: CVE-2024-21172
  • Markus Wulftange of CODE WHITE GmbH: CVE-2024-21216
  • Meshari Mahdi of Haboob Cyber Security Services: CVE-2024-21257
  • Pharkphoom Phongnusont of Secure D Center Cybersecurity Team: CVE-2024-21206
  • Phudq from Viettel cyber security working with Trend Micro Zero Day Initiative: CVE-2024-21273
  • realalphaman: CVE-2024-21254
  • ruozhi: CVE-2024-21216
  • spoic: CVE-2024-21216
  • Suparak Promdee of Secure D Center Cybersecurity Team: CVE-2024-21206
  • Tobias Clarke of Aon's Cyber Labs: CVE-2024-21242
  • Venenof7: CVE-2024-21216
  • WHOAMI: CVE-2024-21216
  • Xiaodong Qi of Shui Mu Yu Lin: CVE-2024-21200, CVE-2024-21201
  • Ye Jie: CVE-2024-21216
  • yemoli: CVE-2024-21216
  • YingMuo working with DEVCORE Internship Program, working with Trend Micro Zero Day Initiative: CVE-2024-21259
  • Yongheng Liu of Secsys Lab of Fudan University: CVE-2024-21215
  • Yuanyi Li of Shui Mu Yu Lin: CVE-2024-21200, CVE-2024-21201
  • yulate: CVE-2024-21216
  • Zheyu Ma: CVE-2024-21253
  • Zhiyong Wu of WingTecher Lab of Tsinghua University: CVE-2024-21194, CVE-2024-21196, CVE-2024-21230
  • Zong Cao of Cyber Security Lab of NTU: CVE-2024-21263
  • Zongrui Peng of WingTecher Lab of Tsinghua University: CVE-2024-21230

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program:

  • azraelxuemo
  • Joseph Beeton
  • Juraj Somorovsky of Paderborn University
  • Marcel Maehren of Ruhr-University Bochum
  • Nurullah Erinola of Ruhr-University Bochum
  • Robert Merget of Technology Innovation Institute

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

  • Abdulrahman Aldossary
  • Ankit Warbhe
  • Hannu Forsten
  • Hritom Bhattacharya [2 reports]
  • Ibrahim AKA Exzandar
  • Jasmin VS
  • Joel Aviad Ossi (Websec)
  • Kamaldeep Singh
  • Keval Gada
  • Milan Katwal [2 reports]
  • Pim Dieleman
  • Shahithyakumar Mahendran
  • Shawkat Abdelhaq
  • Shruti Patil [2 reports]
  • Siddesh Ningappa
  • Steve Freegard
  • Ubaid Ahmed
  • Vade Secure
  • Vemula Vamshi
  • Vishnu AR
  • Yassine Triki
  • Yogesh Bhandage

Critical Patch Update Schedule

Critical Patch Updates are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 21 January 2025
  • 15 April 2025
  • 15 July 2025
  • 21 October 2025

References

 

Modification History

Date Note
2024-November-25 Rev 2. Updated the MySQL Connectors versions.
2024-October-15 Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 25 new security patches for Oracle Database Products divided as follows:

  • 6 new security patches for Oracle Database Products
  • 3 new security patches for Oracle Application Express
  • No new security patches for Oracle Autonomous Health Framework, but third party patches are provided
  • 7 new security patches for Oracle Blockchain Platform
  • 1 new security patch for Oracle Essbase
  • 4 new security patches for Oracle GoldenGate
  • No new security patches for Oracle Graph Server and Client, but third party patches are provided
  • 1 new security patch for Oracle NoSQL Database
  • 2 new security patches for Oracle Secure Backup
  • 1 new security patch for Oracle SQL Developer

Oracle Database Server Risk Matrix

This Critical Patch Update contains 6 new security patches, plus additional third party patches noted below, for Oracle Database Products.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  1 of these patches is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE ID Component Package and/or Privilege Required Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-6119 Oracle Database Security (OpenSSL) None Multiple Yes 5.3 Network Low None None Un-
changed
None None Low 23.4-23.5  
CVE-2024-7264 Oracle Spatial and Graph (libcurl2) None HTTP Yes 5.3 Network High None Required Un-
changed
None None High 19.3-19.24, 21.3-21.15, 23.4-23.5  
CVE-2024-29025 Fleet Patching and Provisioning - Micronaut (Netty) Authenticated User HTTP No 4.3 Network Low Low None Un-
changed
None None Low 23.4-23.5  
CVE-2024-21233 Oracle Database Core Create Session Oracle Net No 4.3 Network Low Low None Un-
changed
None Low None 19.3-19.24, 21.3-21.15, 23.4-23.5  
CVE-2024-21242 XML Database Create Session HTTP No 3.5 Network Low Low Required Un-
changed
None None Low 19.3-19.24, 21.3-21.15, 23.4-23.5  
CVE-2024-21251 Java VM Create Session, Create Procedure Oracle Net No 3.1 Network High Low None Un-
changed
None Low None 19.3-19.24, 21.3-21.15, 23.4-23.5  

Additional CVEs addressed are:

  • The patch for CVE-2024-6119 also addresses CVE-2024-5535.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Authonomous Health Framework (Python): CVE-2024-7592 and CVE-2024-6232 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Multilingual Engine (GraalVM): CVE-2024-27983, CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21144, CVE-2024-21145 and CVE-2024-21147 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Database Core (Intel C++ Compiler Classic): CVE-2022-41342, CVE-2022-38136 and CVE-2022-40196 [VEX Justification: inline_mitigations_already_exist].
  • Oracle Database Core (Intel Integrated Performance Primitives): CVE-2024-28887 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Database Core (libexpat): CVE-2024-45492, CVE-2024-45490 and CVE-2024-45491 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Database Core (Nhttp2): CVE-2024-28182 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Database Grid (Apache Tomcat): CVE-2024-34750 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  • Oracle Database Security (Kerberos): CVE-2024-37371 and CVE-2024-37370 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Spatial and Graph (RequireJS): CVE-2024-38999 and CVE-2024-38998 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  • Oracle SQLcl (Eclipse Parsson): CVE-2023-4043 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

Oracle Database Server Client-Only Installations

  • The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2024-6119.

 

Oracle Application Express Risk Matrix

This Critical Patch Update contains 3 new security patches, plus additional third party patches noted below, for Oracle Application Express.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-45801 Oracle Application Express General (DOMPurify) HTTP No 6.3 Network Low Low None Un-
changed
Low Low Low 23.2, 24.1  
CVE-2024-38357 Oracle Application Express General (TinyMCE) HTTP Yes 6.1 Network Low None Required Changed Low Low None 23.1, 23.2, 24.1  
CVE-2024-21261 Oracle Application Express General HTTP No 4.9 Network High Low None Changed Low Low None 23.2, 24.1  

Additional CVEs addressed are:

  • The patch for CVE-2024-38357 also addresses CVE-2024-38356.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Application Express
    • General (RequireJS): CVE-2024-38999 and CVE-2024-38998 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Autonomous Health Framework Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle Autonomous Health Framework.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Autonomous Health Framework.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Autonomous Health Framework
    • Command Line Interface and SDK (OpenSSL): CVE-2024-5535 and CVE-2024-6119 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Blockchain Platform Risk Matrix

This Critical Patch Update contains 7 new security patches, plus additional third party patches noted below, for Oracle Blockchain Platform.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2023-44487 Oracle Blockchain Platform Blockchain Cloud Service Console (Netty) HTTP/2 Yes 7.5 Network Low None None Un-
changed
None None High 21.1.2  
CVE-2023-45288 Oracle Blockchain Platform Blockchain Cloud Service Console (Golang Go) Multiple Yes 7.5 Network Low None None Un-
changed
None None High 21.1.2  
CVE-2024-22020 Oracle Blockchain Platform Blockchain Cloud Service Console (Node.js) HTTP Yes 7.1 Network High None Required Un-
changed
Low High High 21.1.2  
CVE-2024-28849 Oracle Blockchain Platform Blockchain Cloud Service Console (follow-redirects) HTTP No 6.5 Network Low Low None Un-
changed
High None None 21.1.2  
CVE-2023-2976 Oracle Blockchain Platform Blockchain Cloud Service Console (Google Guava) None No 6.0 Local Low High None Un-
changed
High High None 21.1.2  
CVE-2023-48795 Oracle Blockchain Platform Blockchain Cloud Service Console (OpenSSH) SSH Yes 5.9 Network High None None Un-
changed
None High None 21.1.2  
CVE-2024-26308 Oracle Blockchain Platform Blockchain Cloud Service Console (Apache Commons Compress) None No 5.0 Local Low Low Required Un-
changed
None None High 21.1.2  

Additional CVEs addressed are:

  • The patch for CVE-2023-48795 also addresses CVE-2023-51384 and CVE-2023-51385.
  • The patch for CVE-2024-22020 also addresses CVE-2024-22018, CVE-2024-36137, CVE-2024-36138, and CVE-2024-37372.
  • The patch for CVE-2024-26308 also addresses CVE-2024-25710.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Blockchain Platform
    • Blockchain Cloud Service Console (Apache ZooKeeper): CVE-2023-44981 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Blockchain Cloud Service Console (Certifi): CVE-2023-37920 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Blockchain Cloud Service Console (Cryptography): CVE-2023-49083 and CVE-2024-26130 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Blockchain Cloud Service Console (JSON-java): CVE-2023-5072 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Blockchain Cloud Service Console (LibExpat): CVE-2023-52425 and CVE-2023-52426 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Blockchain Cloud Service Console (NTP): CVE-2023-26555, CVE-2023-26551, CVE-2023-26552, CVE-2023-26553 and CVE-2023-26554 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Blockchain Cloud Service Console (Python): CVE-2022-45061, CVE-2022-37454 and CVE-2022-42919 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Blockchain Cloud Service Console (SnakeYAML): CVE-2022-1471 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Blockchain Cloud Service Console (libwebp): CVE-2023-4863 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Blockchain Cloud Service Console (libxml2): CVE-2023-28484 and CVE-2023-29469 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Blockchain Cloud Service Console (nginx): CVE-2024-32760, CVE-2024-24989, CVE-2024-24990, CVE-2024-31079, CVE-2024-34161 and CVE-2024-35200 [VEX Justification: vulnerable_code_not_present].

 

Oracle Essbase Risk Matrix

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle Essbase.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-7264 Oracle Essbase Essbase Web Platform (curl) Multiple Yes 6.5 Network Low None Required Un-
changed
None None High 21.6  

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Essbase
    • Essbase Web Platform (Apache HTTP Server): CVE-2024-40898 and CVE-2024-40725 [VEX Justification: component_not_present].
    • Essbase Web Platform (Apache Xerces-C++): CVE-2024-23807 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Essbase Web Platform (OpenSSL): CVE-2024-2511, CVE-2024-4603 and CVE-2024-4741 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 4 new security patches, plus additional third party patches noted below, for Oracle GoldenGate.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-23944 GoldenGate Stream Analytics Spark (Apache ZooKeeper) HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 19.1.0.0.0-19.1.0.0.9  
CVE-2024-26308 GoldenGate Stream Analytics Security (Apache Commons Compress) Multiple No 5.0 Local Low Low Required Un-
changed
None None High 19.1.0.0.0-19.1.0.0.9  
CVE-2023-39410 GoldenGate Stream Analytics Spark (Apache Avro Java) Multiple No 5.0 Local Low Low Required Un-
changed
None None High 19.1.0.0.0-19.1.0.0.9  
CVE-2023-39410 Oracle GoldenGate Big Data and Application Adapters Application Adapters (Apache Avro Java) HTTP No 2.4 Network Low High Required Un-
changed
None None Low 19.1.0.0.0-19.1.0.0.9  

Additional CVEs addressed are:

  • The patch for CVE-2024-26308 also addresses CVE-2024-25710.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • GoldenGate Stream Analytics
    • General (Apache Commons Configuration): CVE-2024-29133 and CVE-2024-29131 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • General (Apache Derby): CVE-2022-46337 [VEX Justification: vulnerable_code_not_in_execute_path].
    • General (Apache Hadoop): CVE-2023-26031 [VEX Justification: vulnerable_code_not_present].
    • Security (Apache Xalan-Java): CVE-2022-34169 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Security (Eclipse Jetty): CVE-2024-22201 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Spark (jsoup): CVE-2022-36033 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Graph Server and Client Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle Graph Server and Client.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for the Oracle Graph Server and Client.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Graph Server and Client
    • Install (Apache Tomcat): CVE-2024-34750 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle NoSQL Database Risk Matrix

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle NoSQL Database.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-29025 Oracle NoSQL Database Administration (Netty) HTTP No 4.3 Network Low Low None Un-
changed
None None Low 20.3.40, 21.2.71, 22.3.45, 23.3.33, 24.1.17  

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle NoSQL Database
    • Administration (Apache Commons Configuration): CVE-2024-29133 and CVE-2024-29131 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle Secure Backup Risk Matrix

This Critical Patch Update contains 2 new security patches, plus additional third party patches noted below, for Oracle Secure Backup.  Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-38476 Oracle Secure Backup Oracle Secure Backup (Apache HTTP Server) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 18.1.0.1.0, 18.1.0.2.0  
CVE-2024-4741 Oracle Secure Backup PHP and EM GUI (OpenSSL) TLS Yes 5.3 Network Low None None Un-
changed
None None Low 18.1.0.1.0, 18.1.0.2.0  

Additional CVEs addressed are:

  • The patch for CVE-2024-38476 also addresses CVE-2024-36387, CVE-2024-38472, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38477, CVE-2024-39573, CVE-2024-39884, CVE-2024-40725, and CVE-2024-40898.
  • The patch for CVE-2024-4741 also addresses CVE-2024-2511 and CVE-2024-4603.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Secure Backup
    • Oracle Secure Backup (PHP): CVE-2024-4577, CVE-2024-1874, CVE-2024-2408, CVE-2024-5458 and CVE-2024-5585 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle SQL Developer Risk Matrix

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle SQL Developer.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2023-48795 Oracle SQL Developer Install (Apache Mina SSHD) SSH Yes 5.9 Network High None None Un-
changed
None High None 23.1.0  

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle SQL Developer
    • Install (Apache Commons Compress): CVE-2024-26308 and CVE-2024-25710 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Install (Apache Commons Configuration): CVE-2024-29133 and CVE-2024-29131 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Install (Bouncy Castle Java Library): CVE-2023-33201 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Install (Eclipse Parsson): CVE-2023-4043 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Install (Google Guava): CVE-2023-2976 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Installation (Eclipse JGit): CVE-2023-4759 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Commerce Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Commerce.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2022-46337 Oracle Commerce Guided Search Workbench (Apache Derby) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 11.3.2  
CVE-2024-34750 Oracle Commerce Guided Search Experience Manager (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 11.3.2, 11.4.0  
CVE-2019-10172 Oracle Commerce Platform Dynamo Application Framework (jackson-mapper-asl) HTTP Yes 7.5 Network Low None None Un-
changed
None High None 11.3.0, 11.3.1, 11.3.2  
CVE-2021-23358 Oracle Commerce Platform Business Control Center (underscore) HTTP No 7.2 Network Low High None Un-
changed
High High High 11.3.0, 11.3.1, 11.3.2  
CVE-2023-2976 Oracle Commerce Platform Dynamo Application Framework (Google Guava) None No 7.1 Local Low Low None Un-
changed
High High None 11.3.0, 11.3.1, 11.3.2  
CVE-2023-20863 Oracle Commerce Guided Search Endeca Application Controller (Spring Framework) HTTP No 6.5 Network Low Low None Un-
changed
None None High 11.3.2  
CVE-2024-26308 Oracle Commerce Guided Search Content Acquisition System (Apache Commons Compress) None No 5.5 Local Low None Required Un-
changed
None None High 11.3.2  
CVE-2021-28170 Oracle Commerce Platform Dynamo Application Framework (Jakarta Expression Language) HTTP Yes 5.3 Network Low None None Un-
changed
None Low None 11.3.0, 11.3.1, 11.3.2  
CVE-2020-13956 Oracle Commerce Platform Endeca Integration (Apache HttpClient) HTTP Yes 5.3 Network Low None None Un-
changed
None Low None 11.3.0, 11.3.1, 11.3.2  

Additional CVEs addressed are:

  • The patch for CVE-2023-2976 also addresses CVE-2020-8908.
  • The patch for CVE-2024-26308 also addresses CVE-2024-25710.

 

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 13 new security patches for Oracle Communications Applications.  10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-45492 Oracle Communications Unified Assurance Core (LibExpat) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 5.5.0-5.5.22, 6.0.0-6.0.4  
CVE-2024-5585 Oracle Communications Unified Assurance Core (PHP) HTTP No 8.8 Network Low Low None Un-
changed
High High High 6.0.0-6.0.4  
CVE-2024-23807 Oracle Communications Convergent Charging Controller Common functions (Apache Xerces-C++) HTTP Yes 8.1 Network High None None Un-
changed
High High High 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0  
CVE-2024-23807 Oracle Communications IP Service Activator Policy Server, UI (Apache Xerces-C++) HTTP Yes 8.1 Network High None None Un-
changed
High High High 7.4.0, 7.5.0  
CVE-2024-23807 Oracle Communications Messaging Server Security (Apache Xerces-C++) HTTP Yes 8.1 Network High None None Un-
changed
High High High 8.1  
CVE-2024-23807 Oracle Communications Network Charging and Control Common functions (Apache Xerces-C++) HTTP Yes 8.1 Network High None None Un-
changed
High High High 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0  
CVE-2024-41817 Oracle Communications Unified Assurance Core (ImageMagick) None No 7.8 Local Low Low None Un-
changed
High High High 5.5.0-5.5.22, 6.0.0-6.0.4  
CVE-2024-22201 Oracle Communications ASAP Broadband Solution (Eclipse Jetty) HTTP/2 Yes 7.5 Network Low None None Un-
changed
None None High 7.4.3.0.2  
CVE-2024-40898 Oracle Communications Unified Assurance Core (Apache HTTP Server) HTTP Yes 7.5 Network Low None None Un-
changed
High None None 5.5.0-5.5.22, 6.0.0-6.0.4  
CVE-2021-37137 Oracle Communications Unified Assurance Core (Snappy) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 5.5.0-5.5.22, 6.0.0-6.0.3  
CVE-2024-24549 Oracle Communications Unified Assurance Core (Apache Tomcat) HTTP/2 Yes 7.5 Network Low None None Un-
changed
None None High 5.5.0-5.5.22, 6.0.0-6.0.4  
CVE-2024-7264 Oracle Communications Unified Assurance Core (curl) HTTP Yes 6.5 Network Low None Required Un-
changed
None None High 5.5.0-5.5.22, 6.0.0-6.0.5  
CVE-2024-29133 Oracle Communications Order and Service Management Security (Apache Commons Configuration) None No 4.4 Local Low Low None Un-
changed
None Low Low 7.4.0, 7.4.1, 7.5.0  

Additional CVEs addressed are:

  • The patch for CVE-2021-37137 also addresses CVE-2021-37136.
  • The patch for CVE-2024-24549 also addresses CVE-2024-23672.
  • The patch for CVE-2024-29133 also addresses CVE-2024-29131.
  • The patch for CVE-2024-40898 also addresses CVE-2024-40725.
  • The patch for CVE-2024-45492 also addresses CVE-2024-45490 and CVE-2024-45491.
  • The patch for CVE-2024-5585 also addresses CVE-2024-1874, CVE-2024-4577, and CVE-2024-5458.

 

Oracle Communications Risk Matrix

This Critical Patch Update contains 100 new security patches, plus additional third party patches noted below, for Oracle Communications.  81 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-45492 Oracle Communications Cloud Native Core Unified Data Repository Install/Upgrade (LibExpat) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 24.2.0  
CVE-2023-38408 Oracle Enterprise Communications Broker System (OpenSSH) TLS Yes 9.8 Network Low None None Un-
changed
High High High 4.1.0  
CVE-2024-4577 Oracle SD-WAN Aware Web UI (PHP) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 9.0.1.10.0  
CVE-2023-6816 Oracle SD-WAN Edge Platform (Python) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 9.1.1.5.0-9.1.1.8.0  
CVE-2022-2068 Oracle SD-WAN Edge Platform (OpenSSL) TLS Yes 9.8 Network Low None None Un-
changed
High High High 9.1.1.3.0  
CVE-2024-37371 Oracle Communications Cloud Native Core Binding Support Function Configuration (Kerberos) HTTP Yes 9.1 Network Low None None Un-
changed
High None High 23.4.0-23.4.5  
CVE-2024-37371 Oracle Communications Cloud Native Core Network Repository Function Signaling (Kerberos) HTTP Yes 9.1 Network Low None None Un-
changed
High None High 23.4.4, 24.2.1  
CVE-2024-37371 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (Kerberos) HTTP Yes 9.1 Network Low None None Un-
changed
High None High 23.4.0-23.4.6  
CVE-2024-37371 Oracle Communications Cloud Native Core Security Edge Protection Proxy Automated Test Suite (Kerberos) HTTP Yes 9.1 Network Low None None Un-
changed
High None High 23.4.2, 24.2.0  
CVE-2024-37371 Oracle Communications Cloud Native Core Service Communication Proxy Configuration (Kerberos) HTTP Yes 9.1 Network Low None None Un-
changed
High None High 23.4.0, 24.1.0, 24.2.0  
CVE-2024-29736 Oracle Communications Cloud Native Core Unified Data Repository Signaling (Apache CXF) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 24.2.0  
CVE-2024-37371 Oracle Communications Cloud Native Core Unified Data Repository Signaling (Kerberos) HTTP Yes 9.1 Network Low None None Un-
changed
High None High 24.2.0  
CVE-2024-37371 Oracle Communications Network Analytics Data Director Third Party (Kerberos) HTTP Yes 9.1 Network Low None None Un-
changed
High None High 23.4.0, 24.1.0, 24.2.0  
CVE-2022-36760 Oracle SD-WAN Edge Platform (Apache HTTP Server) HTTP Yes 9.0 Network High None None Changed High High High 9.1.1.5.0-9.1.1.8.0  
CVE-2024-43044 Oracle Communications Cloud Native Core Automated Test Suite ATS Framework (Jenkins) HTTP No 8.8 Network Low Low None Un-
changed
High High High 23.4.3, 24.1.1, 24.2.2  
CVE-2024-43044 Oracle Communications Cloud Native Core Binding Support Function Configuration (Jenkins) HTTP No 8.8 Network Low Low None Un-
changed
High High High 23.4.0-23.4.5  
CVE-2024-43044 Oracle Communications Cloud Native Core Network Repository Function Signaling (Jenkins) HTTP No 8.8 Network Low Low None Un-
changed
High High High 24.2.1, 23.4.4  
CVE-2024-43044 Oracle Communications Cloud Native Core Network Slice Selection Function Automated Test Suite (Jenkins) HTTP No 8.8 Network Low Low None Un-
changed
High High High 24.2.0  
CVE-2024-43044 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (Jenkins) HTTP No 8.8 Network Low Low None Un-
changed
High High High 23.4.0-23.4.6  
CVE-2024-43044 Oracle Communications Cloud Native Core Security Edge Protection Proxy Automated Test Suite (Jenkins) HTTP No 8.8 Network Low Low None Un-
changed
High High High 23.4.2, 24.2.0  
CVE-2024-33602 Oracle Communications Cloud Native Core Binding Support Function Management Service (glibc) HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 23.4.0-23.4.5  
CVE-2024-2398 Oracle Communications Cloud Native Core Certificate Management Configuration (curl) HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 23.4.3, 24.2.0  
CVE-2024-2398 Oracle Communications Cloud Native Core Console Configuration (libcurl) HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 23.4.2, 24.2.0  
CVE-2024-33602 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (glibc) HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 23.4.0-23.4.6  
CVE-2024-33602 Oracle Communications Cloud Native Core Service Communication Proxy Configuration (glibc) HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 23.4.0, 24.1.0, 24.2.0  
CVE-2024-33602 Oracle Communications Core Session Manager Routing (glibc) HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 9.1.5  
CVE-2024-33602 Oracle Communications Session Border Controller Routing (glibc) HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 9.1.0, 9.2.0, 9.3.0  
CVE-2024-33602 Oracle Enterprise Communications Broker System (glibc) HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 4.1.0, 4.2.0  
CVE-2024-33602 Oracle Enterprise Operations Monitor Mediation Engine (glibc) HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 5.1, 5.2  
CVE-2024-33602 Oracle SD-WAN Edge Platform (glibc) HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 9.1.1.8.0  
CVE-2022-2601 Oracle SD-WAN Edge Platform (grub2) None No 8.6 Local Low None Required Changed High High High 9.1.1.5.0-9.1.1.8.0  
CVE-2024-22257 Oracle SD-WAN Edge Internal Tools (Spring Security) HTTP Yes 8.2 Network Low None None Un-
changed
High Low None 9.1.1.8.0  
CVE-2024-22262 Management Cloud Engine BEServer (Spring Framework) HTTP Yes 8.1 Network Low None Required Un-
changed
High High None 24.1.0.0.0  
CVE-2024-38816 Oracle Communications Cloud Native Core DBTier Configuration (Spring Framework) HTTP Yes 8.1 Network Low None Required Un-
changed
High High None 24.1.0, 24.2.0  
CVE-2024-6387 Oracle Communications Session Border Controller Patch (OpenSSH) HTTPS Yes 8.1 Network High None None Un-
changed
High High High 9.3.0  
CVE-2024-22262 Oracle SD-WAN Edge User Interface (Spring Framework) HTTP Yes 8.1 Network Low None Required Un-
changed
High High None 9.1.1.8.0  
CVE-2024-34750 Management Cloud Engine BEServer (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 24.1.0.0.0  
CVE-2023-4043 Management Cloud Engine BEServer (Eclipse Parsson) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 24.1.0.0.0  
CVE-2024-40898 Oracle Communications Cloud Native Core Automated Test Suite ATS Framework (Apache HTTP Server) HTTP Yes 7.5 Network Low None None Un-
changed
High None None 23.4.4, 24.1.1, 24.2.2  
CVE-2023-46136 Oracle Communications Cloud Native Core Automated Test Suite ATS Framework (Werkzeug) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.3, 24.1.1, 24.2.2  
CVE-2024-31744 Oracle Communications Cloud Native Core Binding Support Function Configuration (JasPer) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.0-23.4.5  
CVE-2023-46136 Oracle Communications Cloud Native Core Binding Support Function Configuration (Werkzeug) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.0-23.4.5  
CVE-2024-5971 Oracle Communications Cloud Native Core Binding Support Function Management Service (Undertow) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.0-23.4.5  
CVE-2023-51775 Oracle Communications Cloud Native Core Binding Support Function Management Service (jose4j) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.0-23.4.5  
CVE-2024-6162 Oracle Communications Cloud Native Core Certificate Management Configuration (Undertow) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.2  
CVE-2024-5971 Oracle Communications Cloud Native Core Console Configuration (Undertow) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.2, 24.2.0  
CVE-2023-46136 Oracle Communications Cloud Native Core Network Repository Function Configuration (Werkzeug) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.4, 24.2.1  
CVE-2024-5971 Oracle Communications Cloud Native Core Network Repository Function Discovery Microservice (Undertow) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.4, 24.2.1  
CVE-2024-29857 Oracle Communications Cloud Native Core Network Repository Function Discovery Microservice (Bouncy Castle Java Library) HTTPS Yes 7.5 Network Low None None Un-
changed
None None High 23.4.4, 24.2.1  
CVE-2024-31744 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (JasPer) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.0-23.4.6  
CVE-2023-46136 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (Werkzeug) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.0-23.4.6  
CVE-2023-51775 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (jose4j) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.0-23.4.6  
CVE-2024-5971 Oracle Communications Cloud Native Core Policy Policy Control Function (Undertow) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.0-23.4.6  
CVE-2024-31744 Oracle Communications Cloud Native Core Security Edge Protection Proxy Automated Test Suite (JasPer) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.2, 24.2.0  
CVE-2023-46136 Oracle Communications Cloud Native Core Security Edge Protection Proxy Automated Test Suite (Werkzeug) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.2, 24.2.0  
CVE-2023-46136 Oracle Communications Cloud Native Core Service Communication Proxy Configuration (Werkzeug) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.0, 24.1.0  
CVE-2024-7254 Oracle Communications Cloud Native Core Service Communication Proxy Signaling (Google Protobuf-Java) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.0, 24.1.0, 24.2.0  
CVE-2023-3635 Oracle Communications Cloud Native Core Unified Data Repository Signaling (Okio) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 24.2.0  
CVE-2024-6162 Oracle Communications Cloud Native Core Unified Data Repository Signaling (Undertow) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 24.2.0  
CVE-2024-2398 Oracle Communications Cloud Native Core Unified Data Repository Signaling (curl) HTTP Yes 7.5 Network Low None None Un-
changed
High None None 24.2.0  
CVE-2023-46136 Oracle Communications Network Analytics Data Director Configuration (Werkzeug) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.4.0, 24.1.0, 24.2.0  
CVE-2023-46136 Oracle Communications Operations Monitor Mediation Engine (Werkzeug) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 5.1  
CVE-2024-30251 Oracle Communications Operations Monitor Probe (AIOHTTP) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 5.2  
CVE-2024-23672 Oracle Communications Policy Management CMP (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 12.6.1.0.0, 15.0.0.0.0  
CVE-2024-34750 Oracle Communications User Data Repository Platform (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 14.0,12.11.0  
CVE-2024-25062 Oracle Communications User Data Repository Platform (libxml2) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 14.0  
CVE-2024-31080 Oracle SD-WAN Edge Platform (X.Org Server) None No 7.3 Local Low Low None Un-
changed
High Low High 9.1.1.9.0  
CVE-2023-2953 Oracle Communications Cloud Native Core Certificate Management Configuration (OpenLDAP) HTTP Yes 7.1 Network Low None Required Un-
changed
None Low High 23.4.3, 24.2.0  
CVE-2023-2953 Oracle Communications Cloud Native Core Console Configuration (OpenLDAP) HTTP Yes 7.1 Network Low None Required Un-
changed
None Low High 23.4.2, 24.2.0  
CVE-2023-2953 Oracle Communications Cloud Native Core Security Edge Protection Proxy Configuration (OpenLDAP) HTTP Yes 7.1 Network Low None Required Un-
changed
None Low High 23.4.2, 24.2.0  
CVE-2024-22020 Oracle Communications Cloud Native Core Network Function Cloud Native Environment Configuration (Node.js) None No 6.5 Local High None Required Un-
changed
Low High High 23.4.0, 24.1.0-24.2.0  
CVE-2022-23437 Oracle Communications LSMS Web UI (Apache Xerces2 Java) HTTP Yes 6.5 Network Low None Required Un-
changed
None None High 14.0.0.1  
CVE-2024-28849 Oracle Communications Network Analytics Data Director Third Party (follow-redirects) HTTP No 6.5 Network Low Low None Un-
changed
High None None 23.4.0, 24.1.0, 24.2.0  
CVE-2024-32760 Oracle Communications Operations Monitor Mediation Engine (nginx) HTTP Yes 6.5 Network Low None None Un-
changed
None Low Low 5.1, 5.2  
CVE-2024-0450 Oracle Communications Cloud Native Core DBTier Configuration (Python) None No 6.2 Local Low None None Un-
changed
None None High 24.1.0, 24.2.0  
CVE-2024-0450 Oracle Communications Session Border Controller Routing (Python) None No 6.2 Local Low None None Un-
changed
None None High 9.2.0, 9.3.0  
CVE-2024-0450 Oracle Enterprise Communications Broker System (Python) None No 6.2 Local Low None None Un-
changed
None None High 4.1.0, 4.2.0  
CVE-2023-48795 Management Cloud Engine BEServer (Apache Mina SSHD) SSH Yes 5.9 Network High None None Un-
changed
None High None 24.1.0.0.0  
CVE-2023-5685 Oracle Communications Cloud Native Core Service Communication Proxy Configuration (XNIO) HTTP Yes 5.9 Network High None None Un-
changed
None None High 23.4.0, 24.1.0  
CVE-2023-48795 Oracle Communications EAGLE Application Processor Platform (Apache Mina SSHD) SSH Yes 5.9 Network High None None Un-
changed
None High None 17.0.1  
CVE-2023-48795 Oracle SD-WAN Edge Publications (Apache Mina SSHD) SSH Yes 5.9 Network High None None Un-
changed
None High None 9.1.1.9.0  
CVE-2023-6597 Oracle Communications Cloud Native Core Binding Support Function Configuration (Python) None No 5.6 Local High High Required Un-
changed
High High None 23.4.0-23.4.5  
CVE-2023-6597 Oracle Communications Cloud Native Core Policy Configuration (Python) None No 5.6 Local High High Required Un-
changed
High High None 23.4.0-23.4.6  
CVE-2024-26308 Oracle Communications Cloud Native Core Console Configuration (Apache Commons Compress) None No 5.5 Local Low None Required Un-
changed
None None High 23.4.2, 24.2.0  
CVE-2024-28182 Oracle Communications Cloud Native Core Binding Support Function Security Framework (Nghttp2) HTTP/2 Yes 5.3 Network Low None None Un-
changed
None None Low 23.4.0-23.4.5  
CVE-2024-28182 Oracle Communications Cloud Native Core Certificate Management Configuration (Nghttp2) HTTP Yes 5.3 Network Low None None Un-
changed
None None Low 23.4.3, 24.2.0  
CVE-2024-4603 Oracle Communications Cloud Native Core Certificate Management Configuration (OpenSSL) HTTPS Yes 5.3 Network Low None None Un-
changed
None None Low 23.4.3, 24.2.0  
CVE-2024-28182 Oracle Communications Cloud Native Core Console Configuration (Nghttp2) HTTP Yes 5.3 Network Low None None Un-
changed
None None Low 23.4.2, 24.2.0  
CVE-2024-28182 Oracle Communications Cloud Native Core Network Repository Function Configuration (Nghttp2) HTTP Yes 5.3 Network Low None None Un-
changed
None None Low 24.2.1, 23.4.4  
CVE-2024-29025 Oracle Communications Cloud Native Core Network Slice Selection Function Signaling (Netty) HTTP Yes 5.3 Network Low None None Un-
changed
None None Low 24.2.0  
CVE-2024-28182 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (Nghttp2) HTTP/2 Yes 5.3 Network Low None None Un-
changed
None None Low 23.4.0-23.4.6  
CVE-2024-28182 Oracle Communications Cloud Native Core Security Edge Protection Proxy Configuration (Nghttp2) HTTP/2 Yes 5.3 Network Low None None Un-
changed
None None Low 23.4.2, 24.2.0  
CVE-2024-28182 Oracle Communications Cloud Native Core Service Communication Proxy Configuration (Nghttp2) HTTP Yes 5.3 Network Low None None Un-
changed
None None Low 23.4.0, 24.1.0, 24.2.0  
CVE-2024-28182 Oracle Communications Network Analytics Data Director Third Party (Nghttp2) HTTP Yes 5.3 Network Low None None Un-
changed
None None Low 23.4.0, 24.1.0, 24.2.0  
CVE-2024-28182 Oracle Communications Performance Intelligence Center Management (Nghttp2) HTTP/2 Yes 5.3 Network Low None None Un-
changed
None None Low Prior to 10.4.0.4  
CVE-2024-28182 Oracle Communications Session Border Controller Routing (Nghttp2) HTTP/2 Yes 5.3 Network Low None None Un-
changed
None None Low 9.2.0, 9.3.0  
CVE-2024-28182 Oracle Enterprise Communications Broker System (Nghttp2) HTTP/2 Yes 5.3 Network Low None None Un-
changed
None None Low 4.1.0, 4.2.0  
CVE-2024-25638 Oracle Communications Cloud Native Core Service Communication Proxy Signaling (dnsjava) HTTP No 5.1 Adjacent
Network
High High None Changed Low Low Low 23.4.0, 24.1.0, 24.2.0  
CVE-2024-37891 Oracle Communications Cloud Native Core Binding Support Function Alarms, KPI, and Measurements (urllib3) HTTP No 4.4 Network High High None Un-
changed
High None None 23.4.0-23.4.5  
CVE-2024-37891 Oracle Communications Cloud Native Core Policy Policy Control Function (urllib3) HTTP No 4.4 Network High High None Un-
changed
High None None 23.4.0-23.4.6  

Additional CVEs addressed are:

  • The patch for CVE-2022-2068 also addresses CVE-2022-1292.
  • The patch for CVE-2023-38408 also addresses CVE-2020-14145, CVE-2020-15778, and CVE-2021-36368.
  • The patch for CVE-2023-48795 also addresses CVE-2023-6004 and CVE-2023-6918.
  • The patch for CVE-2023-6816 also addresses CVE-2024-0229, CVE-2024-21885, and CVE-2024-21886.
  • The patch for CVE-2024-0450 also addresses CVE-2023-6597.
  • The patch for CVE-2024-22020 also addresses CVE-2024-22018, CVE-2024-36137, CVE-2024-36138, and CVE-2024-37372.
  • The patch for CVE-2024-26308 also addresses CVE-2024-25710.
  • The patch for CVE-2024-29736 also addresses CVE-2024-32007.
  • The patch for CVE-2024-30251 also addresses CVE-2024-27306.
  • The patch for CVE-2024-31080 also addresses CVE-2024-31083.
  • The patch for CVE-2024-32760 also addresses CVE-2024-24989, CVE-2024-24990, CVE-2024-31079, CVE-2024-34161, and CVE-2024-35200.
  • The patch for CVE-2024-33602 also addresses CVE-2024-2961, CVE-2024-33599, CVE-2024-33600, and CVE-2024-33601.
  • The patch for CVE-2024-37371 also addresses CVE-2024-37370.
  • The patch for CVE-2024-40898 also addresses CVE-2024-40725.
  • The patch for CVE-2024-43044 also addresses CVE-2024-43045.
  • The patch for CVE-2024-4577 also addresses CVE-2024-1874, CVE-2024-2408, CVE-2024-5458, and CVE-2024-5585.
  • The patch for CVE-2024-5971 also addresses CVE-2024-3653.
  • The patch for CVE-2024-6162 also addresses CVE-2024-3653, CVE-2024-5971, and CVE-2024-7885.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Communications Cloud Native Core Binding Support Function
    • Management Service (LibExpat): CVE-2024-45492, CVE-2024-45490 and CVE-2024-45491 [VEX Justification: vulnerable_code_not_present].
    • Management Service (OpenLDAP): CVE-2023-2953 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Security (Certifi): CVE-2024-39689 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  • Oracle Communications Cloud Native Core Certificate Management
    • Configuration (Google Protobuf-Java): CVE-2024-7254 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  • Oracle Communications Cloud Native Core Console
    • Configuration (Kerberos): CVE-2024-37371 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Configuration (XNIO): CVE-2023-5685 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  • Oracle Communications Cloud Native Core DBTier
    • Configuration (Apache Tomcat): CVE-2024-34750 [VEX Justification: component_not_present].
    • Configuration (Netty): CVE-2024-29025 [VEX Justification: component_not_present].
    • Configuration (Spring Security): CVE-2024-22257 [VEX Justification: component_not_present].
  • Oracle Communications Cloud Native Core Network Slice Selection Function
    • Install/Upgrade (Undertow): CVE-2024-5971 [VEX Justification: inline_mitigations_already_exist].
    • Install/Upgrade (glibc): CVE-2024-33602 [VEX Justification: inline_mitigations_already_exist].
    • Install/Upgrade (Bouncy Castle Java Library): CVE-2024-29857 [VEX Justification: inline_mitigations_already_exist].
  • Oracle Communications Cloud Native Core Policy
    • Security (Certifi): CVE-2024-39689 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Security (LibExpat): CVE-2024-45492 [VEX Justification: vulnerable_code_not_present].
    • Security (Nimbus JOSE+JWT): CVE-2023-52428 [VEX Justification: vulnerable_code_not_present].
    • Security (OpenLDAP): CVE-2023-2953 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Security (Snappy): CVE-2023-43642, CVE-2023-34453, CVE-2023-34454 and CVE-2023-34455 [VEX Justification: vulnerable_code_not_present].
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy
    • Configuration (Certifi): CVE-2024-39689 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  • Oracle SD-WAN Edge
    • User Interface (OpenSSH): CVE-2023-48795 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 18 new security patches for Oracle E-Business Suite.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2024 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2024), My Oracle Support Note 2484000.1.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-21266 Oracle Advanced Pricing Price List HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.3-12.2.13  
CVE-2024-21268 Oracle Applications Manager Diagnostics HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.11-12.2.13  
CVE-2024-21270 Oracle Common Applications Calendar Tasks HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.6-12.2.13  
CVE-2024-21278 Oracle Contract Lifecycle Management for Public Sector Award Processes HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.3-12.2.13  
CVE-2024-21267 Oracle Cost Management Cost Planning HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.12-12.2.13  
CVE-2024-21271 Oracle Field Service Field Service Engineer Portal HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.3-12.2.13  
CVE-2024-21282 Oracle Financials Common Components HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.3-12.2.13  
CVE-2024-21269 Oracle Incentive Compensation Compensation Plan HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.3-12.2.13  
CVE-2024-21277 Oracle MES for Process Manufacturing Device Integration HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.3-12.2.13  
CVE-2024-21250 Oracle Process Manufacturing Product Development Quality Manager Specification HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.13-12.2.14  
CVE-2024-21252 Oracle Product Hub Item Catalog HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.3-12.2.13  
CVE-2024-21275 Oracle Quoting User Interface HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.7-12.2.13  
CVE-2024-21280 Oracle Service Contracts Authoring HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.5-12.2.13  
CVE-2024-21265 Oracle Site Hub Site Hierarchy Flows HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.3-12.2.13  
CVE-2024-21279 Oracle Sourcing Auctions HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.3-12.2.13  
CVE-2024-21276 Oracle Work in Process Messages HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.2.3-12.2.13  
CVE-2024-21258 Oracle Installed Base User Interface HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.2.3-12.2.14  
CVE-2024-21206 Oracle Enterprise Command Center Framework Diagnostics HTTP No 4.3 Network Low Low None Un-
changed
Low None None ECC:11-13  

 

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 7 new security patches, plus additional third party patches noted below, for Oracle Enterprise Manager.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2024 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2024 Patch Availability Document for Oracle Products, My Oracle Support Note 3036947.1.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2022-34381 Oracle Enterprise Manager Base Platform Agent Next Gen (BSAFE Crypto-J) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 13.5.0.0  
CVE-2024-22201 Oracle Enterprise Manager Base Platform Agent Next Gen (Eclipse Jetty) HTTP/2 Yes 7.5 Network Low None None Un-
changed
None None High 13.5.0.0  
CVE-2023-28823 Oracle Enterprise Manager Base Platform Install (Integrated Performance Primitives) None No 7.3 Local Low Low Required Un-
changed
High High High 12.2.1.4.0  
CVE-2023-44483 Oracle Enterprise Manager for Peoplesoft PSEM Plugin (Apache Santuario XML Security For Java) HTTP No 6.5 Network Low Low None Un-
changed
High None None 13.5.1.1.0  
CVE-2024-26308 Oracle Application Testing Suite Load Testing for Web Apps (Apache Commons Compress) None No 5.5 Local Low None Required Un-
changed
None None High 13.3.0.1  
CVE-2024-26308 Oracle Enterprise Manager Base Platform Install (Apache Commons Compress) None No 5.5 Local Low None Required Un-
changed
None None High 13.5.0.0  
CVE-2024-29025 Oracle Enterprise Manager Base Platform Job System (Netty) HTTP Yes 5.3 Network Low None None Un-
changed
None None Low 13.5.0.0  

Additional CVEs addressed are:

  • The patch for CVE-2023-28823 also addresses CVE-2023-27391.
  • The patch for CVE-2024-26308 also addresses CVE-2023-42503 and CVE-2024-25710.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Enterprise Manager Base Platform
    • Install (Certifi): CVE-2023-37920 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 20 new security patches, plus additional third party patches noted below, for Oracle Financial Services Applications.  15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-5535 Oracle Banking Cash Management Accessibility (OpenSSL) TLS Yes 9.1 Network Low None None Un-
changed
High None High 14.7.4.0.0  
CVE-2024-5535 Oracle Banking Supply Chain Finance Security (OpenSSL) TLS Yes 9.1 Network Low None None Un-
changed
High None High 14.7.4.0.0  
CVE-2024-32114 Oracle Banking APIs Authentication (Apache ActiveMQ) HTTP Yes 8.5 Adjacent
Network
Low None Required Changed High None High 22.1.0.0.0, 22.2.0.0.0  
CVE-2024-32114 Oracle Banking Digital Experience UI General (Apache ActiveMQ) HTTP Yes 8.5 Adjacent
Network
Low None Required Changed High None High 22.1.0.0.0, 22.2.0.0.0  
CVE-2024-22262 Oracle Banking APIs Authentication (Spring Framework) HTTP Yes 8.1 Network Low None Required Un-
changed
High High None 22.1.0.0.0, 22.2.0.0.0  
CVE-2023-50447 Oracle Financial Services Compliance Studio Reports (Pillow) HTTP Yes 8.1 Network High None None Un-
changed
High High High 8.1.2.7, 8.1.2.8  
CVE-2024-32007 Oracle Banking Cash Management Accessibility (Apache CXF) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 14.7.5.0.0  
CVE-2024-32007 Oracle Banking Liquidity Management Common (Apache CXF) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 14.7.5.0.0  
CVE-2024-2511 Oracle Banking Liquidity Management Common (OpenSSL) TLS Yes 7.5 Network Low None None Un-
changed
None None High 14.7.4.0.0  
CVE-2024-32007 Oracle Banking Supply Chain Finance Security (Apache CXF) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 14.7.5.0.0  
CVE-2024-21285 Oracle Banking Liquidity Management Reports HTTP No 7.1 Network High Low Required Un-
changed
High High High 14.5.0.12.0  
CVE-2024-21284 Oracle Banking Liquidity Management Reports HTTP No 7.1 Network High Low Required Un-
changed
High High High 14.5.0.12.0  
CVE-2023-34055 Oracle Financial Services Compliance Studio Reports (Spring Boot) HTTP No 6.5 Network Low Low None Un-
changed
None None High 8.1.2.7, 8.1.2.8  
CVE-2024-43407 Oracle Banking APIs Authentication (CKEditor) HTTP Yes 6.1 Network Low None Required Changed Low Low None 19.2.0.0.0, 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0  
CVE-2024-43407 Oracle Banking Digital Experience UI General (CKEditor) HTTP Yes 6.1 Network Low None Required Changed Low Low None 19.2.0.0.0, 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0  
CVE-2022-31160 Oracle Financial Services Revenue Management and Billing Installation (jQueryUI) HTTP Yes 6.1 Network Low None Required Changed Low Low None 3.0.0.0.0, 4.0.0.0.0, 5.0.0.0.0  
CVE-2024-0232 Oracle Financial Services Compliance Studio Reports (SQLite) None No 5.5 Local Low None Required Un-
changed
None None High 8.1.2.7, 8.1.2.8  
CVE-2024-29025 Oracle Banking APIs Authentication (Netty) HTTP Yes 5.3 Network Low None None Un-
changed
None None Low 19.2.0.0.0, 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0  
CVE-2024-29025 Oracle Banking Corporate Lending Process Management Base (Netty) HTTP Yes 5.3 Network Low None None Un-
changed
None None Low 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0  
CVE-2024-21281 Oracle Banking Liquidity Management Infrastructure HTTP No 5.3 Network High High Required Un-
changed
Low High Low 14.7.0.6.0  

Additional CVEs addressed are:

  • The patch for CVE-2022-31160 also addresses CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184.
  • The patch for CVE-2024-2511 also addresses CVE-2024-4603 and CVE-2024-4741.
  • The patch for CVE-2024-32007 also addresses CVE-2024-29736 and CVE-2024-41172.
  • The patch for CVE-2024-43407 also addresses CVE-2024-43411.
  • The patch for CVE-2024-5535 also addresses CVE-2024-6119.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Financial Services Compliance Studio
    • Reports (Certifi): CVE-2023-37920 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Food and Beverage Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2022-31129 Oracle Hospitality Simphony Engagement (Moment.js) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 19.1.0-19.6.2  
CVE-2021-36713 Oracle Hospitality Simphony Engagement (DataTables) HTTP Yes 6.1 Network Low None Required Changed Low Low None 19.1.0-19.6.2  
CVE-2022-31160 Oracle Hospitality Simphony Engagement (jQueryUI) HTTP Yes 6.1 Network Low None Required Changed Low Low None 19.1.0-19.6.2  

Additional CVEs addressed are:

  • The patch for CVE-2022-31160 also addresses CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184.

 

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 32 new security patches, plus additional third party patches noted below, for Oracle Fusion Middleware.  25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

To get the full list of current and previously released Critical Patch Update patches for Oracle Fusion Middleware products, refer to My Oracle Support Doc ID 2806740.2.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-45492 Oracle Outside In Technology DC-Specific Component (LibExpat) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 8.5.7  
CVE-2024-21216 Oracle WebLogic Server Core T3, IIOP Yes 9.8 Network Low None None Un-
changed
High High High 12.2.1.4.0, 14.1.1.0.0  
CVE-2024-28752 Oracle WebCenter Forms Recognition Fusion Apps (Apache CXF) HTTP Yes 9.3 Network Low None Required Changed High High None 14.1.1.0.0  
CVE-2023-4759 Oracle Data Integrator Centralized Thirdparty Jars (Eclipse JGit) HTTP No 8.8 Network Low Low None Un-
changed
High High High 12.2.1.4.0  
CVE-2024-6345 Oracle WebLogic Server Centralized Thirdparty Jars (Jython) HTTP Yes 8.8 Network Low None Required Un-
changed
High High High 14.1.1.0.0  
CVE-2024-38999 Oracle Business Activity Monitoring Composer (RequireJS) HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 12.2.1.4.0  
CVE-2024-38999 Oracle Business Process Management Suite Composer (RequireJS) HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 12.2.1.4.0  
CVE-2024-38999 Oracle Enterprise Data Quality Centralized Thirdparty Jars (RequireJS) HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 12.2.1.4.0  
CVE-2024-23807 Oracle Access Manager Web Server Plugin (Apache Xerces-C++) HTTP Yes 8.1 Network High None None Un-
changed
High High High 12.2.1.4.0  
CVE-2024-22262 Oracle Middleware Common Libraries and Tools Third Party (Spring Framework) HTTP Yes 8.1 Network Low None Required Un-
changed
High High None 12.2.1.4.0  
CVE-2024-22262 Oracle WebCenter Forms Recognition Fusion Apps (Spring Framework) HTTP Yes 8.1 Network Low None Required Un-
changed
High High None 14.1.1.0.0  
CVE-2024-21191 Oracle Enterprise Manager Fusion Middleware Control FMW Control Plugin HTTP No 7.6 Network Low Low Required Changed High Low None 12.2.1.4.0  
CVE-2024-21190 Oracle Global Lifecycle Management FMW Installer Cloning SFTP Yes 7.5 Network Low None None Un-
changed
None High None 12.2.1.4.0  
CVE-2024-2511 Oracle HTTP Server Web Listener (OpenSSL) TLS Yes 7.5 Network Low None None Un-
changed
None None High 12.2.1.4.0  
CVE-2024-24549 Oracle Managed File Transfer MFT Runtime Server (Apache Tomcat) HTTP/2 Yes 7.5 Network Low None None Un-
changed
None None High 12.2.1.4.0  
CVE-2024-22201 Oracle Middleware Common Libraries and Tools Third Party (Eclipse Jetty) HTTP/2 Yes 7.5 Network Low None None Un-
changed
None None High 12.2.1.4.0  
CVE-2024-25269 Oracle Outside In Technology DC-Specific Component (libheif) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 8.5.7  
CVE-2024-36052 Oracle Outside In Technology DC-Specific Component (unrar) HTTP Yes 7.5 Network Low None None Un-
changed
None High None 8.5.7  
CVE-2024-21246 Oracle Service Bus OSB Core Functionality HTTP Yes 7.5 Network Low None None Un-
changed
High None None 12.2.1.4.0  
CVE-2024-21274 Oracle WebLogic Server Console HTTP Yes 7.5 Network Low None None Un-
changed
None None High 12.2.1.4.0, 14.1.1.0.0  
CVE-2024-21215 Oracle WebLogic Server Core HTTP Yes 7.5 Network Low None None Un-
changed
None None High 12.2.1.4.0, 14.1.1.0.0  
CVE-2024-21234 Oracle WebLogic Server Core T3, IIOP Yes 7.5 Network Low None None Un-
changed
High None None 12.2.1.4.0, 14.1.1.0.0  
CVE-2024-21260 Oracle WebLogic Server Core T3, IIOP Yes 7.5 Network Low None None Un-
changed
None None High 12.2.1.4.0, 14.1.1.0.0  
CVE-2024-29131 Oracle Middleware Common Libraries and Tools Third Party (Apache Commons Configuration) HTTP Yes 7.3 Network Low None None Un-
changed
Low Low Low 12.2.1.4.0  
CVE-2024-21205 Oracle Service Bus OSB Core Functionality HTTP No 6.5 Network Low Low None Un-
changed
High None None 12.2.1.4.0  
CVE-2023-51775 Oracle WebCenter Sites WebCenter Sites (jose4j) HTTP No 6.5 Network Low Low None Un-
changed
None None High 12.2.1.4.0  
CVE-2020-11023 Oracle WebCenter Portal Security Framework (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.4.0  
CVE-2020-17521 Oracle Identity Manager Connector Connectors and Connector Server (Apache Groovy) None No 5.5 Local Low Low None Un-
changed
High None None 11.1.1.5.0, 12.2.1.3.0  
CVE-2024-28182 Oracle HTTP Server Plugins (Nghttp2) HTTP/2 Yes 5.3 Network Low None None Un-
changed
None None Low 14.1.1.0.0  
CVE-2023-39743 Oracle Outside In Technology Outside In Maintenance (lrzip-next) HTTP Yes 5.3 Network Low None None Un-
changed
None None Low 8.5.7  
CVE-2023-35116 Oracle Data Integrator Runtime Java agent (jackson-databind) None No 4.7 Local High Low None Un-
changed
None None High 12.2.1.4.0  
CVE-2024-21192 Oracle Enterprise Manager for Fusion Middleware WebLogic Mgmt None No 4.4 Local Low High None Un-
changed
High None None 12.2.1.4.0  

Additional CVEs addressed are:

  • The patch for CVE-2020-11023 also addresses CVE-2020-11022.
  • The patch for CVE-2024-24549 also addresses CVE-2024-23672.
  • The patch for CVE-2024-2511 also addresses CVE-2024-4603 and CVE-2024-4741.
  • The patch for CVE-2024-29131 also addresses CVE-2024-29133.
  • The patch for CVE-2024-36052 also addresses CVE-2024-33899.
  • The patch for CVE-2024-38999 also addresses CVE-2024-38998.
  • The patch for CVE-2024-45492 also addresses CVE-2024-45490 and CVE-2024-45491.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Data Integrator
    • Market Place (SnakeYAML): CVE-2022-1471 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Runtime Java agent for ODI (Eclipse Jetty): CVE-2024-22201 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle Analytics Risk Matrix

This Critical Patch Update contains 12 new security patches, plus additional third party patches noted below, for Oracle Analytics.  7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2022-23305 Oracle Business Intelligence Enterprise Edition BI Application Archive (Apache Log4j) Multiple Yes 9.8 Network Low None None Un-
changed
High High High 7.0.0.0.0  
CVE-2023-38545 Oracle Business Intelligence Enterprise Edition Analytics Server (curl) SOCKS5 Yes 9.8 Network Low None None Un-
changed
High High High 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0  
CVE-2024-29736 Oracle BI Publisher Development Operations (Apache CXF) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 7.0.0.0.0, 7.6.0.0.0  
CVE-2024-21254 Oracle BI Publisher Web Server HTTP No 8.8 Network Low Low None Un-
changed
High High High 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0  
CVE-2024-38999 Oracle Business Intelligence Enterprise Edition BI Platform Security, Analytics Web Answers (RequireJS) HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0  
CVE-2024-21195 Oracle BI Publisher Layout Templates HTTP No 7.6 Network Low Low None Un-
changed
High Low Low 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0  
CVE-2023-0401 Oracle Business Intelligence Enterprise Edition Installation, BI Platform Security (OpenSSL) TLS Yes 7.5 Network Low None None Un-
changed
None None High 7.6.0.0.0, 12.2.1.4.0  
CVE-2024-26308 Oracle Business Intelligence Enterprise Edition Analytics Server, Content Storage Service (Apache Commons Compress) None No 5.5 Local Low None Required Un-
changed
None None High 7.0.0.0.0  
CVE-2024-38809 Oracle BI Publisher XML Services (Spring Framework) HTTP Yes 5.3 Network Low None None Un-
changed
None None Low 7.0.0.0.0, 7.6.0.0.0  
CVE-2023-5678 Oracle Business Intelligence Enterprise Edition Analytics Server (OpenSSL) TLS Yes 5.3 Network Low None None Un-
changed
None None Low 7.0.0.0.0, 7.6.0.0.0  
CVE-2023-35116 Oracle Business Intelligence Enterprise Edition Analytics Admin Tool, Content Storage Service (jackson-databind) None No 4.7 Local High Low None Un-
changed
None None High 7.0.0.0.0  
CVE-2024-29133 Oracle Business Intelligence Enterprise Edition BI Application Archive (Apache Commons Configuration) None No 4.4 Local Low Low None Un-
changed
None Low Low 7.0.0.0.0  

Additional CVEs addressed are:

  • The patch for CVE-2022-23305 also addresses CVE-2020-9493, CVE-2022-23302, CVE-2022-23307, and CVE-2023-26464.
  • The patch for CVE-2023-0401 also addresses CVE-2022-3996, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0216, CVE-2023-0217, and CVE-2023-0286.
  • The patch for CVE-2024-29133 also addresses CVE-2024-29131.
  • The patch for CVE-2024-29736 also addresses CVE-2024-32007.
  • The patch for CVE-2024-38999 also addresses CVE-2024-38998.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Business Intelligence Enterprise Edition
    • BI Platform Security (Certifi): CVE-2024-39689 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Hospitality Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-21172 Oracle Hospitality OPERA 5 Opera Servlet HTTP Yes 9.0 Network High None None Changed High High High 5.6.19.19, 5.6.25.8, 5.6.26.4  
CVE-2024-34750 Oracle Hospitality Cruise Shipboard Property Management System Next-Gen SPMS (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 23.1.3  
CVE-2024-29131 Oracle Hospitality Cruise Shipboard Property Management System Next-Gen SPMS (Apache Commons Configuration) HTTP Yes 7.3 Network Low None None Un-
changed
Low Low Low 23.1.3  

Additional CVEs addressed are:

  • The patch for CVE-2024-29131 also addresses CVE-2024-29025 and CVE-2024-29133.

 

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Hyperion.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-23807 Oracle Hyperion Financial Management Security (Apache Xerces-C++) HTTP Yes 8.1 Network High None None Un-
changed
High High High 11.2.18.0.000  
CVE-2024-26308 Oracle Hyperion Infrastructure Technology Installation and Configuration (Apache Commons Compress) None No 5.5 Local Low None Required Un-
changed
None None High 11.2.18.0.000  
CVE-2024-21257 Oracle Hyperion BI+ UI and Visualization HTTP No 3.0 Adjacent
Network
Low Low Required Un-
changed
Low None None 11.2.18.0.000  

Additional CVEs addressed are:

  • The patch for CVE-2024-26308 also addresses CVE-2024-25710.

 

Oracle Java SE Risk Matrix

This Critical Patch Update contains 8 new security patches, plus additional third party patches noted below, for Oracle Java SE.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Low" instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-36138 Oracle GraalVM for JDK Node (Node.js) Multiple Yes 8.1 Network High None None Un-
changed
High High High Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23  
CVE-2023-42950 Oracle Java SE, Oracle GraalVM Enterprise Edition JavaFX (WebKitGTK) Multiple Yes 7.5 Network High None Required Un-
changed
High High High Oracle Java SE: 8u421; Oracle GraalVM Enterprise Edition: 20.3.15, 21.3.11 See Note 1
CVE-2024-25062 Oracle Java SE, Oracle GraalVM Enterprise Edition JavaFX (libxml2) Multiple Yes 7.5 Network Low None None Un-
changed
None None High Oracle Java SE: 8u421; Oracle GraalVM Enterprise Edition: 20.3.15, 21.3.11 See Note 1
CVE-2024-21235 Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition Hotspot Multiple Yes 4.8 Network High None None Un-
changed
Low Low None Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15, 21.3.11 See Note 2
CVE-2024-21210 Oracle Java SE Hotspot Multiple Yes 3.7 Network High None None Un-
changed
None Low None Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23 See Note 2
CVE-2024-21211 Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition Compiler Multiple Yes 3.7 Network High None None Un-
changed
None Low None Oracle Java SE: 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15, 21.3.11 See Note 2
CVE-2024-21208 Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition Networking Multiple Yes 3.7 Network High None None Un-
changed
None None Low Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15, 21.3.11 See Note 1
CVE-2024-21217 Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition Serialization Multiple Yes 3.7 Network High None None Un-
changed
None None Low Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15, 21.3.11 See Note 2

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.
 

Additional CVEs addressed are:

  • The patch for CVE-2023-42950 also addresses CVE-2023-42843, CVE-2023-42956, CVE-2024-23252, CVE-2024-23254, CVE-2024-23263, CVE-2024-23280, CVE-2024-23284, and CVE-2024-27834.
  • The patch for CVE-2024-36138 also addresses CVE-2024-22020.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Java SE
    • JavaFX (SQLite): CVE-2023-7104 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle MySQL Risk Matrix

This Critical Patch Update contains 45 new security patches, plus additional third party patches noted below, for Oracle MySQL.  12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-37371 MySQL Cluster Cluster: General (Kerberos) Multiple Yes 9.1 Network Low None None Un-
changed
High None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-5535 MySQL Cluster Cluster: Packaging (OpenSSL) Multiple Yes 9.1 Network Low None None Un-
changed
High None High 7.5.35 and prior, 7.6.31 and prior, 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-5535 MySQL Connectors Connector/C++ (OpenSSL) MySQL Protocol Yes 9.1 Network Low None None Un-
changed
High None High 9.0.0 and prior  
CVE-2024-5535 MySQL Connectors Connector/ODBC (OpenSSL) MySQL Protocol Yes 9.1 Network Low None None Un-
changed
High None High 8.0.39 and prior, 9.0.0 and prior  
CVE-2024-5535 MySQL Enterprise Backup Enterprise Backup (OpenSSL) TLS Yes 9.1 Network Low None None Un-
changed
High None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-5535 MySQL Enterprise Monitor Monitoring: General (OpenSSL) Multiple Yes 9.1 Network Low None None Un-
changed
High None High 8.0.39 and prior  
CVE-2024-5535 MySQL Server Server: Packaging (OpenSSL) MySQL Protocol Yes 9.1 Network Low None None Un-
changed
High None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-5535 MySQL Workbench MySQL Workbench (OpenSSL) MySQL Workbench Yes 9.1 Network Low None None Un-
changed
High None High 8.0.38 and prior  
CVE-2024-21272 MySQL Connectors Connector/Python MySQL Protocol No 7.5 Network High Low None Un-
changed
High High High 9.0.0 and prior  
CVE-2024-21230 MySQL Cluster Cluster: General Multiple No 6.5 Network Low Low None Un-
changed
None None High 7.5.35 and prior, 7.6.31 and prior, 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21262 MySQL Connectors Connector/ODBC MySQL Protocol Yes 6.5 Network Low None None Un-
changed
None Low Low 8.0.39 and prior, 9.0.0 and prior  
CVE-2024-7264 MySQL Enterprise Backup Enterprise Backup (curl) HTTP Yes 6.5 Network Low None Required Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21230 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-7264 MySQL Server Server: Packaging (curl) MySQL Protocol Yes 6.5 Network Low None Required Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21196 MySQL Server Server: X Plugin MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21238 MySQL Cluster Cluster: General Multiple No 5.3 Network High Low None Un-
changed
None None High 7.5.35 and prior, 7.6.31 and prior, 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-28182 MySQL Cluster Cluster: General (Nghttp2) Multiple Yes 5.3 Network Low None None Un-
changed
None None Low 8.0.38 and prior, 8.4.1 and prior, 9.0.0  
CVE-2024-21238 MySQL Server Server: Thread Pooling MySQL Protocol No 5.3 Network High Low None Un-
changed
None None High 8.0.39 and prior, 8.4.1 and prior, 9.0.1 and prior  
CVE-2024-21218 MySQL Cluster Cluster: General Multiple No 4.9 Network Low High None Un-
changed
None None High 7.5.35 and prior, 7.6.31 and prior, 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21203 MySQL Cluster Cluster: General Multiple No 4.9 Network Low High None Un-
changed
None None High 7.5.35 and prior, 7.6.31 and prior, 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21194 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21199 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21207 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.38 and prior, 8.4.1 and prior, 9.0.1 and prior  
CVE-2024-21218 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21236 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21239 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21198 MySQL Server Server: DDL MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21219 MySQL Server Server: DML MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21203 MySQL Server Server: FTS MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21197 MySQL Server Server: Information Schema MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21200 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.35 and prior  
CVE-2024-21201 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21241 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21193 MySQL Server Server: PS MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21204 MySQL Server Server: PS MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.4.0, 9.0.1 and prior  
CVE-2024-21212 MySQL Server Server: Health Monitor MySQL Protocol No 4.4 Network High High None Un-
changed
None None High 8.0.39 and prior, 8.4.0  
CVE-2024-21213 MySQL Server InnoDB None No 4.2 Local Low High Required Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21247 MySQL Client Client: mysqldump MySQL Protocol No 3.8 Network Low High None Un-
changed
Low Low None 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21247 MySQL Cluster Cluster: General MySQL Protocol No 3.8 Network Low High None Un-
changed
Low Low None 7.5.35 and prior, 7.6.31 and prior, 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21231 MySQL Server Client programs MySQL Protocol No 3.1 Network High Low None Un-
changed
None None Low 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21232 MySQL Server Server: Components Services MySQL Protocol No 2.2 Network High High None Un-
changed
None None Low 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21237 MySQL Server Server: Group Replication GCS MySQL Protocol No 2.2 Network High High None Un-
changed
None None Low 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21243 MySQL Server Server: Telemetry MySQL Protocol No 2.2 Network High High None Un-
changed
Low None None 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21244 MySQL Server Server: Telemetry MySQL Protocol No 2.2 Network High High None Un-
changed
Low None None 8.4.2 and prior, 9.0.1 and prior  
CVE-2024-21209 MySQL Client Client: mysqldump MySQL Protocol No 2.0 Network High High Required Un-
changed
Low None None 8.4.2 and prior, 9.0.1 and prior  

Additional CVEs addressed are:

  • The patch for CVE-2024-37371 also addresses CVE-2024-37370.
  • The patch for CVE-2024-5535 also addresses CVE-2024-6119.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • MySQL Connectors
    • Connector/C++ (zlib): CVE-2023-45853 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Connector/ODBC (zlib): CVE-2023-45853 [VEX Justification: vulnerable_code_not_in_execute_path].
  • MySQL Shell
    • Shell: Core Client (Certifi): CVE-2024-39689 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 12 new security patches, plus additional third party patches noted below, for Oracle PeopleSoft.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-21255 PeopleSoft Enterprise PeopleTools XMLPublisher HTTP No 8.8 Network Low Low None Un-
changed
High High High 8.59, 8.60, 8.61  
CVE-2024-21283 PeopleSoft Enterprise HCM Global Payroll Core Global Payroll for Core HTTP No 8.1 Network Low Low None Un-
changed
High High None 9.2.48-9.2.50  
CVE-2024-21214 PeopleSoft Enterprise PeopleTools Query HTTP No 8.1 Network Low Low None Un-
changed
High High None 8.59, 8.60, 8.61  
CVE-2024-26130 PeopleSoft Enterprise PeopleTools Porting (Cryptography) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 8.59, 8.60, 8.61  
CVE-2024-0450 PeopleSoft Enterprise PeopleTools Porting (Python) None No 6.2 Local Low None None Un-
changed
None None High 8.59, 8.60, 8.61  
CVE-2024-21202 PeopleSoft Enterprise PeopleTools PIA Core Technology HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.59, 8.60, 8.61  
CVE-2024-0232 PeopleSoft Enterprise PeopleTools Porting (SQLite) None No 5.5 Local Low None Required Un-
changed
None None High 8.59, 8.60, 8.61  
CVE-2024-0727 PeopleSoft Enterprise PeopleTools Security, Porting, Cloud Deployment Architecture (OpenSSL) None No 5.5 Local Low None Required Un-
changed
None None High 8.59, 8.60, 8.61  
CVE-2024-21264 PeopleSoft Enterprise CC Common Application Objects Activity Guide Composer HTTP No 5.4 Network Low Low None Un-
changed
Low Low None 9.2  
CVE-2024-21286 PeopleSoft Enterprise ELM Enterprise Learning Management Enterprise Learning Management HTTP No 5.4 Network Low Low Required Changed Low Low None 9.2  
CVE-2024-21249 PeopleSoft Enterprise FIN Expenses Expenses HTTP No 4.3 Network Low Low None Un-
changed
Low None None 9.2  
CVE-2023-5752 PeopleSoft Enterprise PeopleTools Porting (pip) None No 3.3 Local Low Low None Un-
changed
None Low None 8.59, 8.60, 8.61  

Additional CVEs addressed are:

  • The patch for CVE-2024-0450 also addresses CVE-2023-6597.
  • The patch for CVE-2024-0727 also addresses CVE-2023-4807, CVE-2023-5363, CVE-2023-5678, CVE-2023-6129, and CVE-2023-6237.
  • The patch for CVE-2024-26130 also addresses CVE-2023-49083.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • PeopleSoft Enterprise PeopleTools
    • Porting (Certifi): CVE-2023-37920 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Retail Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2023-4043 Oracle Retail EFTLink Core/Plugin (Eclipse Parsson) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 21.0.0, 22.0.0, 23.0.0  
CVE-2024-22201 Oracle Retail EFTLink Framework (Eclipse Jetty) HTTP/2 Yes 7.5 Network Low None None Un-
changed
None None High 20.0.1, 21.0.0, 22.0.0, 23.0.0  
CVE-2024-41909 Oracle Retail Customer Management and Segmentation Foundation Internal Operations (Apache Mina SSHD) HTTP Yes 5.9 Network High None None Un-
changed
None High None 19.0.0.10  
CVE-2024-38808 Oracle Retail Customer Management and Segmentation Foundation Internal Operations (Spring Framework) HTTP Yes 4.3 Network Low None Required Un-
changed
None None Low 19.0.0.10  

Additional CVEs addressed are:

  • The patch for CVE-2024-41909 also addresses CVE-2023-48795.

 

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Siebel CRM.  Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-24549 Siebel CRM Integration EAI (Apache Tomcat) HTTP/2 Yes 7.5 Network Low None None Un-
changed
None None High 24.7 and prior  
CVE-2023-28439 Siebel Apps - Marketing User Interface (CKEditor) HTTP Yes 6.1 Network Low None Required Changed Low Low None 24.7 and prior  

 

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Supply Chain.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-23807 Oracle Autovue for Agile Product Lifecycle Management Core (Apache Xerces-C++) HTTP Yes 8.1 Network High None None Un-
changed
High High High 21.1.0  
CVE-2024-24549 Oracle Agile PLM File Manager (Apache Tomcat) HTTP/2 Yes 7.5 Network Low None None Un-
changed
None None High 9.3.6  
CVE-2024-22201 Oracle Autovue for Agile Product Lifecycle Management Core (Eclipse Jetty) HTTP/2 Yes 7.5 Network Low None None Un-
changed
None None High 21.1.0  

Additional CVEs addressed are:

  • The patch for CVE-2024-24549 also addresses CVE-2024-23672.

 

Oracle Systems Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Systems.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2022-46337 Oracle Solaris Cluster Tools (Apache Derby) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 4  
CVE-2024-22262 Oracle Solaris Cluster Tools (Spring Framework) HTTP Yes 8.1 Network Low None Required Un-
changed
High High None 4  
CVE-2023-5072 Oracle Solaris Cluster Tools (JSON-java) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 4  
CVE-2023-2976 Oracle Solaris Cluster Tools (Google Guava) None No 7.1 Local Low Low None Un-
changed
High High None 4  
CVE-2023-44483 Oracle Solaris Cluster Tools (Apache Santuario XML Security For Java) HTTP No 6.5 Network Low Low None Un-
changed
High None None 4  
CVE-2024-23635 Oracle Solaris Cluster Tools (AntiSamy) HTTP Yes 6.1 Network Low None Required Changed Low Low None 4  
CVE-2023-33201 Oracle Solaris Cluster Tools (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un-
changed
Low None None 4  

 

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 3 new security patches, plus additional third party patches noted below, for Oracle Utilities Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-11022 Oracle Utilities Application Framework General (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 4.0.0.0.0, 4.0.0.2.0, 4.0.0.3.0, 4.3.0.3.0-4.3.0.6.0, 4.5.0.0.0  
CVE-2021-41184 Oracle Utilities Application Framework General (jQueryUI) HTTP Yes 6.1 Network Low None Required Changed Low Low None 4.0.0.0.0, 4.0.0.2.0, 4.0.0.3.0, 4.3.0.3.0-4.3.0.6.0, 4.5.0.0.0  
CVE-2024-29025 Oracle Utilities Network Management System System Wide (Netty) T3, IIOP Yes 5.3 Network Low None None Un-
changed
None None Low 2.5.0.1.14, 2.5.0.2.8, 2.6.0.1.5  

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2021-41184 also addresses CVE-2021-41182, CVE-2021-41183, and CVE-2022-31160.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Utilities Network Management System
    • Certifi (pip): CVE-2023-37920 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • System Wide (Apache Commons Configuration): CVE-2024-29133 and CVE-2024-29131 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • System Wide (Apache Xerces-C++): CVE-2024-23807 [VEX Justification: inline_mitigations_already_exist].
    • Workbook (Apache Commons Compress): CVE-2024-26308 and CVE-2024-25710 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Virtualization.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2024-21259 Oracle VM VirtualBox Core None No 7.5 Local High High None Changed High High High Prior to 7.0.22, prior to 7.1.2  
CVE-2024-21263 Oracle VM VirtualBox Core None No 6.1 Local Low Low None Un-
changed
Low None High Prior to 7.0.22, prior to 7.1.2  
CVE-2024-21273 Oracle VM VirtualBox Core None No 6.0 Local Low High None Changed High None None Prior to 7.0.22, prior to 7.1.2  
CVE-2024-21248 Oracle VM VirtualBox Core None No 5.3 Local High Low None Changed Low Low Low Prior to 7.0.22, prior to 7.1.2  
CVE-2024-21253 Oracle VM VirtualBox Core None No 2.3 Local Low High None Un-
changed
None None Low Prior to 7.0.22