Oracle security updates: October 2023

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Oracle released 387 security patches in the October 2023 Critical Patch Update (CPU). A total of 185 vulnerabilities with unique Common Vulnerabilities and Exposures (CVE) identifiers have been addressed, pertaining to both code and third-party components. The Oracle advisory contains details of over 40 security patches relating to critical-severity flaws and more than 200 that remediate issues that can be exploited remotely without authentication. It should be noted that many of them are non-exploitable for the impacted Oracle products.

A statistical overview regarding the patches has been outlined below:

  • The Oracle Financial Services Applications received the highest number of patches, at 103, of which 40 are remotely exploitable without authentication
  • Oracle Communications received the second-highest number of patches with 91, of which 60 are remotely exploitable without authentication
  • Forty-six patches were released for Oracle Fusion Middleware, of which 35 are remotely exploitable without authentication
  • Thirty-seven patches were released for MySQL, of which nine are remotely exploitable without authentication

Oracle also disclosed 61 security patches in this month’s Oracle Linux Bulletin, which includes all CVEs listed in Oracle Linux Security Advisories (ELSA) for October 2023. Additionally, 14 new security patches were released for Oracle Solaris, which included 12 remotely exploitable, unauthenticated vulnerabilities, as well as a fix relating to a critical-severity bug in VM Server for x86.

Impact

Successful exploitation of the vulnerabilities disclosed within each of the Oracle security updates will almost certainly result in the compromise of the integrity of data on target systems.

Vulnerability Detection

Security patches have been released for all of the disclosed vulnerabilities. Previous product versions therefore remain vulnerable to potential exploitation.

Affected Products

For a list of the affected product versions, please refer to the following Oracle Security Advisories:

Oracle Critical Patch Update Advisory – October 2023

Oracle Linux Bulletin – October 2023

Containment, Mitigations & Remediations

It is strongly recommended that users of the affected Oracle products apply the relevant security patches as soon as possible. Oracle recommends that users who have not applied one or more of the related updates review previously released security updates. This will allow them to determine whether or not patch application is required.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Oracle occupies a significant portion of the relational database market. The related products are used extensively by organisations across the industry sector spectrum. Within this context, it has been assessed that cyber threat actors will almost certainly view organisations with operational protocols involving these products as prime targets as they seek to meet their pre-defined objectives.

Intelligence indicates that vulnerabilities related to Oracle products for which patches exist have previously been subjected to malicious cyber operations. It is therefore of critical importance to follow the recommended remediation and mitigation strategies to reduce the risk of exploitation.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

MITRE Methodologies

Tactics:

TA0002 – Execution

 
