Time to get patching: Oracle's quarterly Critical Patch Update arrives with 520 fixes

Oracle has released its regular collection of patches for a range of security vulnerabilities.
Written by Liam Tung, Contributing Writer

Enterprise software giant Oracle has released its April Critical Patch Update (CPU) advisory, which includes 520 fixes for security flaws. 

Critical Patch Updates are collections of security fixes for Oracle products, published quarterly. This update addresses security flaws in dozens of products with three bugs getting a severity rating of 10 out of a possible 10, and about 70 with a score of 9.8.

Oracle notes that customers should update their software as soon as they can, as it continues to receive reports periodically of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches: "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay."

SEE: Google: We're spotting more zero-day bugs than ever. But hackers still have it too easy

Oracle Communications Cloud Native Core Network Exposure Function has two bugs with a score of 10, both tracked as CVE-2022-22947, and 31 bugs with a score of 9.8, while Oracle Communications Billing and Revenue Management is affected by one flaw with a score of 10, CVE-2022-21431.  

Eric Maurice, Oracle's VP of security assurance, says the updates are for a "wide range of product families", from its database server to the blockchain platform and Oracle Virtualization. 

Maurice flagged a small adjustment to the timing of Oracle's CPU release schedule from this point on. 

"With this Critical Patch Update release, Oracle is making a small adjustment to the Critical Patch Update release schedule. Critical Patch Updates will no longer be released on the Tuesday closest to the 17th of the month of January, April, July, and October, but they will be released on the third Tuesday of January, April, July, and October," he says in a blogpost.    

"This minor adjustment will not affect the frequency of Critical Patch Update releases (still 4 times a year), but essentially, makes it easier to set calendar reminders and determine the date of future Critical Patch Update releases."  

Of the 520 patches, Oracle Communications products received 149 of them, 98 of which "may be remotely exploitable without authentication." 

Oracle Financial Services applications received 41 patches, with 19 possibly remotely exploitable without authentication. 

Oracle Fusion Middleware got 54 patches and 41 of them may be remotely exploitable without authentication. Some 13 vulnerabilities have a severity score of 9.8, affecting products such as Oracle Business Intelligence Enterprise Edition, Oracle Business Process Management Suite, Oracle Coherence, Oracle HTTP Server, and more. 

SEE: Windows 11 security: How to protect your home and small business PCs

The other major recipient of patches was Oracle MySQL, which got 43 patches, of which 11 may be remotely exploitable without authentication. 

Oracle Retail applications got 30 patches, 15 of which may be remotely exploitable without authentication. Oracle Retail Xstore Point of Service was hit by a 9.8 severity bug tracked as CVE-2022-22965. 

Oracle Blockchain platform received 15 patches, 14 of them may be remotely exploitable without authentication. It has one bug with a severity score of 9.8 that affects its nginx backend.  

Admins of Oracle E-Business Suite Cloud Manager and Cloud Backup Module also need to fix a bug with a score of 9.8, which affects the Log4j component that was hit by the Log4Shell bug.

Editorial standards