Oracle Critical Patch Update of January 2023 available
The updates for many products fix more than 400 security vulnerabilities.
The first Oracle Critical Patch Update of 2023, released in January, provides updates for 400 security vulnerabilities. More than 100 products are affected by security vulnerabilities for which the manufacturer provides updates. In total, Oracle released 327 security patches.
The vulnerabilities affect many popular Oracle products such as MySQL databases, Oracle Communications Cloud products, Oracle databases, Solaris or VirtualBox. Oracle's January 2023 Critical Patch Update Advisory provides a detailed list.
Major vulnerabilities in Oracle products
Oracle itself highlights some vulnerabilities. In Oracle's Essbase Web Platform, there is a vulnerability in the OpenSSL component (CVE-2022-2274, CVSS 9.8, critical) that malicious actors can exploit remotely over the network without authentication. Oracle Commerce Guided Search's Content Acquisition System ships a vulnerable version of the Spring framework with similar impact (CVE-2022-22965, CVSS 9.8, critical).
Third-party components such as Apache Commons Text, Apache Log4j, PHP or XStream and others in the Oracle Communications products are affected with 29 critical security gaps.
Oracle Construction and Engineering also ships the critical Apache Commons Text vulnerability, as does Oracle Enterprise Manager. Critical vulnerabilities in Oracle Financial Services software come from the Apache Commons Configuration component. Oracle Fusion Middleware closes critical gaps with Update 15.
A critical vulnerability that attackers can exploit over the network without authentication can be found in Oracle Health Sciences. Two more such vulnerabilities affect Oracle Healthcare. In Hyperion, Oracle also closes two critical bugs. Other vulnerabilities classified as critical affect Oracle JD Edwards EnterpriseOne Orchestrator, MySQL, PeopleSoft software, Siebel CRM, Oracle Support Tools, Oracle Systems (server firmware) and Oracle Utilities Applications.
In numerous other products, the vulnerabilities are still rated high severity, only just short of a critical rating. IT managers should check the information provided for the products they use and download and apply the updates promptly.
Users should not rely on the automatic update check of some products. VirtualBox, for example, is currently not yet offered version 7.0.6 through its update check, although that version also closes a high-risk vulnerability.