Oracle Patches 240 Vulnerabilities With July 2024 CPU

Oracle on Tuesday announced 386 new security patches as part of its July 2024 Critical Patch Update (CPU), including over 260 for unauthenticated, remotely exploitable vulnerabilities.

SecurityWeek has identified roughly 240 unique CVEs in Oracle’s July 2024 CPU. More than two dozen security patches resolve critical-severity flaws.

As in April 2024, Oracle Communications received the largest number of security patches. Of the 95 fixes, 84 resolve vulnerabilities that can be exploited remotely without authentication.

Financial Services Applications also received a hefty round of security patches, at 60, including 44 for unauthenticated, remotely exploitable bugs. Next in line is Fusion Middleware, with 41 fixes, 32 of which address issues that can be exploited by remote, unauthenticated attackers.

Oracle released 37 security patches for MySQL, including 11 for vulnerabilities that are remotely exploitable without authentication, 20 fixes for Communications Applications (14 for unauthenticated, remotely exploitable flaws), and 17 patches for Analytics (12 for remotely exploitable, unauthenticated bugs).

Security patches were also released for Siebel CRM (12 fixes – 11 for issues that are remotely exploitable without authentication), PeopleSoft (11 – 3), Insurance Applications (10 – 7), E-Business Suite (10 – 2), JD Edwards (8 – 6), Database Server (8 – 3), Commerce (7 – 7), Java SE (7 – 7), and Supply Chain (7 – 5).

Other Oracle products that received patches include Application Express, Essbase, GoldenGate, NoSQL Database, REST Data Services, TimesTen In-Memory Database, Construction and Engineering, Enterprise Manager, HealthCare Applications, Hyperion, Retail Applications, Systems, Utilities Applications, and Virtualization.

It should be noted that the patches for multiple vulnerabilities resolve additional CVEs and that fixes were also released for non-exploitable CVEs in Oracle’s products. The tech giant also released patches for third-party components in its products.

Oracle customers are advised to apply the security patches as soon as possible. Threat actors are known to have exploited vulnerabilities in Oracle products for which fixes had been released.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches,” the tech giant notes.

On Tuesday, the company also released patches for third-party software included in Oracle Solaris, and published Linux and VM Server for x86 bulletins, which list all CVEs that were resolved and announced in these products in the month prior to the bulletin’s release.
