Oracle Critical Security Updates July 2023

Oracle's July 2023 security update releases 508 new security patches across its many product families, including Oracle Communications, Oracle MySQL, Oracle Financial Services Applications, and Oracle Retail Applications. This alert addresses several products that are vulnerable to multiple flaws.

Oracle Communications has received 77 new security patches, of which 57 vulnerabilities may be remotely exploitable without authentication. Ten vulnerabilities have a base score of 9.8 and one has a base score of 9.1; these vulnerabilities are considered critical.

Oracle Communications Applications has received 40 new security patches, of which 30 vulnerabilities may be remotely exploitable without authentication. Ten of these vulnerabilities have a base score of 9.8 and are considered critical. You can patch these critical vulnerabilities using efficient patch management software.

Oracle releases Security Updates July 2023 Summary

Oracle Database Server
Affected Components: Oracle Text (LibExpat), Oracle Database – Machine Learning for Python (Cryptography), Oracle Database – Unified Audit, Advanced Networking Option, Java VM
CVEs: CVE-2022-43680, CVE-2023-23931, CVE-2023-22034, CVE-2023-21949, CVE-2023-22052

Oracle Application Express
Products: Application Express Customers Plugin, Application Express Team Calendar Plugin, Application Express Administration
Affected Components: User Accounts
CVEs: CVE-2023-21975, CVE-2023-21974, CVE-2023-21983

Oracle Essbase
Products: Oracle Hyperion Essbase Administration Services, Oracle Essbase
Affected Components: EAS Administration and EAS Console, Security and Provisioning
CVEs: CVE-2023-21961, CVE-2023-22010
This patch update also includes third-party patches for the following non-exploitable CVEs:

Oracle GoldenGate
Products: Oracle GoldenGate Stream Analytics, Oracle GoldenGate Stream Analytics
Affected Component: Oracle GoldenGate Stream Analytics (jackson-databind), Oracle GoldenGate Stream Analytics (jsoup)
CVEs: CVE-2022-42003, CVE-2022-36033
The Oracle July 2023 security update also includes third-party patches for the following non-exploitable CVEs:

Oracle Graph Server and Client
Products: Oracle Graph Server and Client
Affected Component: Packaging (json-smart)
CVEs: CVE-2023-1370
This patch update further includes third-party patches for the following non-exploitable CVEs:

Oracle NoSQL Database
The Oracle July 2023 security update does not include patches for exploitable flaws but does have fixes for non-exploitable third-party CVEs for Oracle NoSQL Database:

Oracle Secure Backup
This security update does not address any patch for exploitable flaws but does have fixes for non-exploitable third-party CVEs for Oracle Secure Backup: 

Oracle Spatial Studio
Product: Oracle Spatial Studio
Affected Components: Oracle Spatial Studio (Apache Commons FileUpload)
CVEs: CVE-2023-24998
This patch update further includes third-party patches for the following non-exploitable CVEs: 

Oracle TimesTen In-Memory Database
Products: Oracle TimesTen In-Memory Database
Affected Components: TimesTen IMDB (Dell BSAFE Micro Edition Suite)
CVEs: CVE-2020-35168
This patch update additionally includes third-party patches for the following non-exploitable CVEs: 

Oracle Commerce
Products: Oracle Commerce Guided Search, Oracle Commerce Platform
Affected Components: Endeca Application Controller (Apache Santuario XML Security For Java), Endeca Application Controller (Apache Tomcat), Experience Manager (Netty), Platform (Apache Commons FileUpload), Experience Manager, Platform Services (Apache Commons BeanUtils), Endeca Application Controller (Apache Xerces2 Java), Experience Manager (jQueryUI), WebUI (CKEditor)
CVEs: CVE-2021-40690, CVE-2022-45143, CVE-2022-41881, CVE-2023-24998, CVE-2019-10086, CVE-2022-23437, CVE-2021-41184, CVE-2023-28439

Oracle Communications Applications
Products: Oracle Communications Billing and Revenue Management, Oracle Communications BRM – Elastic Charging Engine, Oracle Communications Convergence, Oracle Communications Convergent Charging Controller, Oracle Communications Messaging Server, Oracle Communications Network Charging and Control, Oracle Communications Pricing Design Center, Oracle Communications Unified Assurance, Oracle Communications Unified Inventory Management, Oracle Communications Calendar Server, Oracle Communications Contacts Server, Oracle Communications Instant Messaging Server, Oracle Communications Order and Service Management, Oracle Communications Design Studio, Oracle Communications Network Integrity and Oracle Communications BRM – Elastic Charging Engine
Affected Components: REST API (SnakeYAML), Platform (SnakeYAML), Configuration (Java HTML Sanitizer), Common fns (SnakeYAML), Messaging Store (Apache CXF), REST Services Manager (SnakeYAML), Vision (Spring Security), Security (Spring Boot), Security (Spring Security), BRM Server (BSAFE Crypto-c), Notification (Apache Kafka), Common fns (Apache Kafka), BRM Server (Jettison), Pricing Updater (XStream), Third Party (Apache Commons FileUpload), Mail Proxy (Apache Commons FileUpload), Common fns (Netty), DBPlugin (Apache Tomcat), Security (NSS), Messaging Store (Netty), Security (Apache Commons FileUpload), Core (Apache Commons FileUpload), Security (XStream), Charging Server (Spring Framework), Other (Apache Xerces2 Java), Other (Apache Commons Net), Other (Spring Framework), Security (Traefik), Rest Services Manager (Netty), Core (Spring Boot), Security (Spring Framework), Security Component (Apache Xerces2 Java), Security (Google Protobuf-Java), Core (Oracle Java SE) and Charging Server (Google Guava)
CVEs: CVE-2022-1471, CVE-2021-42575, CVE-2022-46364, CVE-2022-31692, CVE-2023-20873, CVE-2023-20862, CVE-2020-35169, CVE-2023-25194, CVE-2023-1436, CVE-2022-41881, CVE-2022-41966, CVE-2023-24998, CVE-2023-28709, CVE-2022-3479, CVE-2021-43859, CVE-2023-20863, CVE-2022-23437, CVE-2021-37533, CVE-2022-46153, CVE-2022-41915, CVE-2023-20861, CVE-2021-22569, CVE-2023-21830, CVE-2020-8908

Oracle Communications
Products: Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Console, Oracle Communications Cloud Native Core Network Exposure Function, Oracle Communications Cloud Native Core Network Repository Function, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Diameter Signaling Router, Oracle Communications Network Analytics Data Director, Oracle Communications Cloud Native Core Automated Test Suite, Oracle Communications Cloud Native Core Network Function Cloud Native Environment, Oracle Communications Cloud Native Core Service Communication Proxy, Oracle Communications Cloud Native Core Unified Data Repository, Oracle Communications Converged Application Server – Service Controller and Oracle Communications Operations Monitor
Affected Components: Install/Upgrade (Spring Security), Configuration (Spring Security), Platform (Spring Security), Installation (Spring Security), Install/Upgrade (Spring Security), Configuration (Spring Security), Virtual Network Function Manager (zlib), Core (SnakeYAML), Install/Upgrade (Spring Boot), Install/Upgrade (Kerberos), Platform (Kerberos), Platform (NSS), Core (Apache Kafka), Install/Upgrade (Kerberos), Platform (Sudo), Virtual Network Function Manager (git), Automated Test Suite Framework (Flask), Automated Test Suite Framework (Jenkins), Install/Upgrade (Apache Commons FileUpload), Install/Upgrade (Flask), Install/Upgrade (GnuTLS), Install/Upgrade (Python), Install/Upgrade (json-smart), Configuration (GnuTLS), Configuration (Python), Install/Upgrade (Apache Commons BeanUtils), Install/Upgrade (Jenkins), Install/Upgrade (Netty), Install/Upgrade (GnuTLS), Install/Upgrade (json-smart), Policy (Flask), Policy (Python), Configuration (Flask), Configuration (JSON-java), Configuration (Jenkins Script Security), Configuration (json-smart), Signaling (OpenSSL), Install/Upgrade (Apache Commons FileUpload), Install/Upgrade (JasPer), Signaling (JSON-java), Signaling (OpenSSL), Third Party (Jettison), Virtual Network Function Manager (Libwebp), Core (Netty), Install/Upgrade (GnuTLS), Mediation Engine (Python), Mediation Engine (OpenSSL), Platform (OpenSSL), Virtual Network Function Manager (BIND), Install/Upgrade (Cryptography), Install/Upgrade (Spring Framework), Install/Upgrade (Spring Framework), Fraud Detection Monitor (Redis), Install/Upgrade (Cryptography), Install/Upgrade (Spring Framework), Install/Upgrade (libxml2), Install/Upgrade (Spring Framework), Configuration (Spring Framework), Virtual Network Function Manager (Apache Portable Runtime Utility), Base (Spring Framework), Fraud Detection Monitor (Redis), Internal tools (Spring Framework), Signaling (libgcrypt), Configuration (Apache James MIME4J), Installation (Eclipse Jetty), Policy (MySQL Connectors), Platform (Eclipse Jetty), Installation (Eclipse Jetty), Policy, Install/Upgrade (Eclipse Jetty), Install/Upgrade (Apache Tomcat), Install/Upgrade (Apache Tomcat), Platform (Apache Tomcat) and Internal tools (Apache Tomcat)
CVEs: CVE-2023-20862, CVE-2022-37434, CVE-2022-1471, CVE-2023-20873, CVE-2022-36944, CVE-2022-42898, CVE-2023-0767, CVE-2023-25194, CVE-2023-22809, CVE-2023-29007, CVE-2023-30861, CVE-2023-27901, CVE-2023-24998, CVE-2023-0361, CVE-2022-45061, CVE-2023-1370, CVE-2023-0215, CVE-2020-10735, CVE-2022-41881, CVE-2022-45688, CVE-2022-2963, CVE-2022-4450, CVE-2023-1436, CVE-2023-1999, CVE-2023-0286, CVE-2021-25220, CVE-2023-23931, CVE-2023-20861, CVE-2023-28856, CVE-2023-20863, CVE-2023-28484, CVE-2022-25147, CVE-2021-40528, CVE-2022-45787, CVE-2023-26049, CVE-2023-21971, CVE-2023-28708
Oracle security updates for July 2023 also include third-party patches for the following non-exploitable CVEs: 

Oracle Construction and Engineering
Products: Primavera Gateway
Affected Components: Admin (json-smart), Document Management (Apache Commons FileUpload), Web Services (json-smart), Admin (JSZip), Admin (Apache Commons Net) and Admin (Spring Framework)
CVEs: CVE-2023-1370, CVE-2023-24998, CVE-2023-48285, CVE-2023-37533, CVE-2023-20863
Oracle security updates for July 2023 also include third-party patches for the following non-exploitable CVEs:

    • Primavera P6 Enterprise Project Portfolio Management

Oracle E-Business Suite
Products: Oracle Web Applications Desktop Integrator, Oracle Applications Framework, Oracle Scripting, Oracle Applications Technology, Oracle Self-Service Human Resources
Affected Components: MS Excel Specific, Diagnostics, iSurvey Module, Reports Configuration and Workforce Management
CVEs: CVE-2023-22037, CVE-2023-22042, CVE-2023-22035, CVE-2023-22004, CVE-2023-22009

Oracle Enterprise Manager
Products: Oracle Application Testing Suite, Oracle Enterprise Manager Ops Center, Oracle Enterprise Manager for Fusion Middleware, Oracle Enterprise Manager for Oracle Database and Oracle Enterprise Manager for Exadata
Affected Components: Load Testing for Web Apps (Apache Log4j), Networking (Apache HTTP Server), Load Testing for Web Apps (Apache Commons FileUpload), Load Testing for Web Apps (jackson-databind), Infrastructure Management (Spring Framework), Security Management (Spring Framework), DB Machine Management (jQueryUI) and Security Management (jQueryUI)
CVEs: CVE-2022-23305, CVE-2023-25690, CVE-2023-24998, CVE-2022-42003, CVE-2022-22971, CVE-2022-22950, CVE-2021-41184

Oracle Financial Services Applications
Products: Oracle Banking APIs, Oracle Banking Cash Management, Oracle Banking Corporate Lending, Oracle Banking Corporate Lending Process Management, Oracle Banking Credit Facilities Process Management, Oracle Banking Digital Experience, Oracle Banking Liquidity Management, Oracle Banking Origination, Oracle Banking Payments, Oracle Banking Supply Chain Finance, Oracle Banking Trade Finance, Oracle Banking Trade Finance Process Management, Oracle Banking Treasury Management, Oracle FLEXCUBE Investor Servicing, Oracle FLEXCUBE Universal Banking, Oracle Banking Branch, Oracle Financial Services Analytical Applications Infrastructure, Oracle Financial Services Behavior Detection Platform, Oracle Financial Services Compliance Studio, Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition and Oracle Financial Services Enterprise Case Management
Affected Components: IDM – Authentication (SnakeYAML), Accessibility (Apache CXF), core module (Apache Mina SSHD), Base (Apache CXF), Common (Apache CXF), UI General (SnakeYAML), Common (Spring Security), Payments Core (Apache Mina SSHD), Security (Apache CXF), Security (Spring Security), Infrastructure (Apache Mina SSHD), Dashboard (Apache CXF), Dashboard (Spring Security), Infra Code (Apache Mina SSHD), Infrastructure Code (SnakeYAML), INFRA code (Apache Mina SSHD), IDM – Authentication (Apache Velocity Engine), Reports (Apache Kafka), Accessibility (Apache Kafka), Base (Apache Kafka), Common (Apache Kafka), UI General (Apache Velocity Engine), Security (Apache Kafka), Dashboard (Apache Kafka), IDM – Authentication (Moment.js), Reports (Apache Batik), Reports (Apache Commons FileUpload), Reports (Netty), Reports (Pillow), Reports (XStream), Accessibility (Apache Batik), Accessibility (Apache Commons FileUpload), Accessibility (Eclipse Jetty), Accessibility (Google Protobuf-Java), Accessibility (Netty), Accessibility (Pillow), Accessibility (XStream), Accessibility (jackson-databind), core module (Jettison), core module (jackson-databind), Base (Apache Batik), Base (Apache Commons FileUpload), Base (Jettison), Base (Netty), Base (XStream), Base (json-smart), Common (Apache Batik), Common (Apache Commons FileUpload), Common (Google Protobuf-Java), Common (Netty), Common (Pillow), Common (XStream), Common (jackson-databind), UI General (Moment.js), Common (Jettison), Payments Core (Jettison), Security (Apache Batik), Security (Apache Commons FileUpload), Security (Eclipse Jetty), Security (Google Protobuf-Java), Security (Netty), Security (Pillow), Security (XStream), Security (jackson-databind), Infrastructure (Jettison), Infrastructure (jackson-databind), Dashboard (Apache Batik), Dashboard (Apache Commons FileUpload), Dashboard (Google Protobuf-Java), Dashboard (Jettison), Dashboard (Netty), Dashboard (Pillow), Dashboard (XStream), Dashboard (jackson-databind), Dashboard (json-smart), Infra Code (Jettison), Infra Code (jackson-databind), Platform (Apache Commons FileUpload), Third Party (json-smart), Studio (Apache Tomcat), Infrastructure Code (json-smart), INFRA code (Jettison), INFRA code (Netty), INFRA code (XStream), INFRA code (jackson-databind), INFRA code (json-smart), Infrastructure (Apache Batik), IDM – Authentication (JSZip), Common (JSZip), UI General (JSZip), Security (JSZip), User Interface (JSZip), Reports (Spring Framework), Accessibility (Spring Framework), core module (Apache Commons Net), core module (Spring Framework), Base (Spring Framework), Common (Spring Framework), Payments Core (Apache Commons Net), Security (Spring Framework), Infrastructure (Apache Commons Net), Dashboard (Spring Framework), Infra Code (Apache Commons Net), Centralized Thirdparty Jars (Spring Framework), Platform (Spring Framework), ECM (Spring Framework), Infrastructure Code (Apache Commons Net), Infrastructure Code (Spring Framework), Infrastructure (Spring Framework), IDM – Authentication (CKEditor), Accessibility (jsoup), Common (jsoup), UI General (CKEditor), Security (jsoup), Dashboard (jsoup), Accessibility (Apache Tomcat), Security (Apache Tomcat), Reports (Apache Tika), Accessibility (Apache Tika), Base (Apache Tika), Common (Apache Tika), UI General (Apache Tika), Security (Apache Tika) and Dashboard (Apache Tika)
CVEs: CVE-2022-1471, CVE-2022-46364, CVE-2022-45047, CVE-2022-31692, CVE-2020-13936, CVE-2023-25194, CVE-2022-31129, CVE-2022-42890, CVE-2023-24998, CVE-2022-41881, CVE-2022-45199, CVE-2022-41966, CVE-2022-2048, CVE-2022-3171, CVE-2022-42003, CVE-2023-1436, CVE-2023-1370, CVE-2022-45693, CVE-2022-45143, CVE-2022-48285, CVE-2023-20861, CVE-2021-37533, CVE-2023-20863, CVE-2023-28439, CVE-2022-36033, CVE-2023-28708, CVE-2022-33879

Oracle Food and Beverage Applications
Products: Oracle Hospitality Simphony
Affected Components: Linux POS (MySQL Server)
CVEs: CVE-2022-37434

Oracle Fusion Middleware Risk Matrix
Products: Oracle BAM (Business Activity Monitoring), Oracle Enterprise Data Quality, Oracle HTTP Server, Oracle JDeveloper, Oracle Middleware Common Libraries and Tools, Oracle WebCenter Content, Oracle WebLogic Server, Oracle SOA Suite, Oracle Access Manager, Oracle Fusion Middleware MapViewer, Oracle Identity Manager, Oracle Service Bus, Oracle WebCenter Sites, Oracle Business Process Management Suite, Oracle Data Integrator, Oracle Identity Manager Connector, Oracle Mobile Security Suite, Oracle Coherence
Affected Components: General (Apache Commons BCEL), General (Apache Mina SSHD), SSL Module (Apache HTTP Server), ADF Faces (Java HTML Sanitizer), Third Party (HyperSQL Database), Content Server (iTextPDF), Centralized Thirdparty Jars (NekoHTML), SSL Module (cURL), Fabric Layer (Apache XMLBeans), Realtime Processing (Apache Kafka), Third Party (Apache Velocity Engine), General (PostgreSQL JDBC Driver), Centralized Thirdparty Jars (jackson-databind), General (Google Gson), General (Apache ActiveMQ), General (Apache Batik), General (Apache Commons Compress), Install (Apache Batik), Thirdparty (LibExpat), Installer (Apache Commons FileUpload), Third Party (Spring Framework), Remote Diagnostic Agent (json-smart), Third Party (JSON-java), Third Party (NekoHTML), Third Party (Woodstox), Web Console Design (Apache Log4j), WebCenter Sites (XStream), Centralized Third Party Jars (Jettison), Centralized Thirdparty Jars (json-smart), Centralized Thirdparty Jars (Apache Batik), Samples (Spring Framework), Centralized Thirdparty Jars (BSAFE SSL-J), Runtime Engine (Apache Xerces2 Java), 10g – Users, roles, credentials, security (jackson-databind), 10g – Users, roles, credentials, security (json-smart), Runtime Java agent for ODI (Apache Commons FileUpload), General (Spring Framework), Generic Unix Connector (Apache Commons Net), Mainframe Connectors (Spring Framework), Android Mobile Authenticator App, Core (Spring Framework), Core, BPM Studio (jQueryUI), General (jsoup), Third Party (Zip4j), Installer (Apache Ant), General (Apache Groovy), Centralized Thirdparty Jars (Eclipse Jersey), Runtime Engine (Apache ZooKeeper), Centralized Thirdparty Jars (Eclipse Jetty), Runtime Java agent for ODI (Eclipse Jetty), General (Apache HttpClient), General (Apache Commons IO), WebCenter Sites (Apache Commons IO), Core, 10g – Users, roles, credentials, security (Google Guava), Third Party (Apache Tika), Centralized Thirdparty Jars (Jython)
CVEs: CVE-2022-42920, CVE-2022-45047, CVE-2023-25690, CVE-2021-42575, CVE-2022-41853, CVE-2021-43113, CVE-2023-26119, CVE-2023-23914, CVE-2021-23926, CVE-2023-25194, CVE-2020-13936, CVE-2022-31197, CVE-2020-36518, CVE-2022-25647, CVE-2021-26117, CVE-2022-42890, CVE-2021-36090, CVE-2022-43680, CVE-2023-24998, CVE-2023-20860, CVE-2023-1370, CVE-2022-45688, CVE-2022-29546, CVE-2022-40152, CVE-2021-33813, CVE-2021-4104, CVE-2022-41966, CVE-2023-1436, CVE-2022-24409, CVE-2022-23437, CVE-2021-46877, CVE-2023-20861, CVE-2021-37533, CVE-2023-20863, CVE-2023-21994, CVE-2023-22040, CVE-2021-41184, CVE-2022-36033, CVE-2023-22899, CVE-2021-36374, CVE-2020-17521, CVE-2021-28168, CVE-2021-34429, CVE-2023-26049, CVE-2020-13956, CVE-2021-29425, CVE-2023-22031, CVE-2020-8908, CVE-2022-33879

Oracle security updates for July 2023 also include third-party patches for the following non-exploitable CVEs:

Oracle Analytics
Products: Oracle Business Intelligence Enterprise Edition, BI Publishers
Affected Components: Analytics Server (Werkzeug), Analytics Server (jackson-databind), Framework (Quartz), Majel Mobile Service (SnakeYAML), Presentation Services (Apache Commons Configuration), Analytics Server (Apache Hive), Development Operations (Snowflake JDBC), BI FNDN (Apache XmlGraphics Commons), Analytics Web Answers (Apache Commons FileUpload), BI FNDN (JDOM), Framework (Google Gson), Installation (Apache Axis), Installation (Apache Commons Compress), Installation (Jettison), Visual Analyzer (jackson-databind), Analytics Server (JSZip), Presentation Services (Apache Commons BeanUtils), Service Administration UI (Apache Commons BeanUtils), Web Server (Spring Framework), Service Administration UI (Apache Commons Net), Security (Enterprise Security API), Service Administration UI, BI Platform Security (jQueryUI), Visual Analyzer (CKEditor), Analytics Server, Analytics Server (Apache Spark), Visual Analyzer, Analytics Server
CVEs: CVE-2022-46364, CVE-2022-29361, CVE-2019-17531, CVE-2019-13990, CVE-2022-1471, CVE-2022-33980, CVE-2018-1282, CVE-2023-30535, CVE-2020-11988, CVE-2023-24998, CVE-2021-33813, CVE-2022-25647, CVE-2019-0227, CVE-2021-36090, CVE-2023-1436, CVE-2022-42003, CVE-2022-48285, CVE-2019-10086, CVE-2023-20861, CVE-2021-37533, CVE-2022-24891, CVE-2021-41183, CVE-2023-28439, CVE-2023-22011, CVE-2023-22020, CVE-2022-31777, CVE-2023-22061, CVE-2023-22013, CVE-2023-22012, CVE-2023-22021, CVE-2023-22027

Oracle Health Sciences Applications
Products: Oracle Health Sciences Data Management Workbench
Affected Components: Blinding Functionality
CVEs: CVE-2023-22022

Oracle Hospitality Applications
Products: Oracle Hospitality Cruise Shipboard Property Management System
Affected Components: Next-Gen SPMS (Helidon), Next-Gen SPMS (Spring Framework)
CVEs: CVE-2022-1471, CVE-2023-20873

Oracle Hyperion
Products: Oracle Hyperion Data Relationship Management, Oracle Hyperion Financial Reporting, Oracle Hyperion Workspace
Affected Components: Web Client – Unicode (.NET Core), Repository, UI and Visualization
CVEs: CVE-2021-24112, CVE-2023-22062, CVE-2023-22060

Oracle Insurance Applications
Products: Oracle Documaker
Affected Components: Documaker EWPS (Jettison), Docupresentment Server and Documaker Connector (Apache Commons Net), Interactive Docupresentment Server (Spring Framework)
CVEs: CVE-2023-1436, CVE-2021-37533, CVE-2023-20863

Oracle Java SE
Products: Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK
Affected Components: JavaFX, Hotspot, GraalVM Compiler, 2D (Harfbuzz), Libraries, Utility
CVEs: CVE-2023-22043, CVE-2023-22041, CVE-2023-22051, CVE-2023-25193, CVE-2023-22044, CVE-2023-22045, CVE-2023-22049, CVE-2023-22036, CVE-2023-22006

Indeed, Oracle security updates for July 2023 also include third-party patches for the following non-exploitable CVEs: 

    • Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK

Oracle JD Edwards
Products: JD Edwards EnterpriseOne Orchestrator, JD Edwards EnterpriseOne Tools
Affected Components: E1 IOT Orchestrator Security (SnakeYAML), E1 Dev Platform Tech (Node.js), Web Runtime SEC, E1 IOT Orchestrator Security
CVEs: CVE-2022-1471, CVE-2022-43548, CVE-2023-22055, CVE-2023-22050

Oracle MySQL
Products: MySQL Enterprise Monitor, MySQL Cluster, MySQL Workbench, MySQL Server, MySQL Connectors
Affected Components: Monitoring: General (Spring Security), Monitoring: General (Apache Ivy), Cluster: General (Zstandard), Cluster: NDB Operator (GnuTLS), Connector/C++ (Zstandard), Monitoring: General (Apache Commons FileUpload), Monitoring: General (Apache Tomcat), Monitoring: General (OpenSSL), Server: Compiling (Zstandard), Workbench (OpenSSL), Workbench (libxml2), Client programs, InnoDB, Server: Optimizer, Server: Replication, Server: DDL, Server: Pluggable Auth, Server: Security: Privileges
CVEs: CVE-2023-20862, CVE-2022-37865, CVE-2022-4899, CVE-2023-0361, CVE-2023-24998, CVE-2023-28709, CVE-2023-2650, CVE-2023-28484, CVE-2023-22053, CVE-2023-22008, CVE-2023-22046, CVE-2023-22054, CVE-2023-22056, CVE-2023-21950, CVE-2023-22007, CVE-2023-22057, CVE-2023-22033, CVE-2023-22058, CVE-2023-22005, CVE-2023-22048, CVE-2023-22038

Oracle PeopleSoft
Products: PeopleSoft Enterprise PeopleTools
Affected Components: Elastic Search (SnakeYAML), Portal, Porting (Certifi), Porting (Python), Security (Jettison), Security (OpenSSL), Porting (Cryptography), Porting (Python setuptools)
CVEs: CVE-2022-1471, CVE-2023-22014, CVE-2023-22047, CVE-2022-23491, CVE-2022-45061, CVE-2023-1436, CVE-2023-0286, CVE-2023-23931, CVE-2022-40897

Oracle Policy Automation
Products: Oracle Policy Automation
Affected Components: Determinations Engine (Apache Commons FileUpload), Determinations Engine (json-smart)
CVEs: CVE-2023-24998, CVE-2023-1370

Oracle Retail Applications
Products: Oracle Retail Advanced Inventory Planning, Oracle Retail Bulk Data Integration, Oracle Retail Integration Bus, Oracle Retail Order Broker, Oracle Retail Service Backbone, Oracle Retail Financial Integration, Oracle Retail Predictive Application Server
Affected Components: Operations & Maintenance (zlib), BDI Job Scheduler (Apache Commons FileUpload), Process Flow (Jettison), RIB Kernal (Apache Commons FileUpload), System Administration (Apache Commons FileUpload), RSB Installation (Apache Commons FileUpload), PeopleSoft Integration Bugs (Spring Framework), RIB Kernal (Apache Commons Net), RIB Kernal (Spring Framework), RPAS Server (Spring Framework), RSB Installation (Apache Commons Net)
CVEs: CVE-2022-37434, CVE-2023-24998, CVE-2023-1436, CVE-2023-20863, CVE-2021-37533

Oracle Siebel CRM
Products: Siebel CRM, Siebel Apps
Affected Components: EAI (SnakeYAML), Marketing (Apache Commons FileUpload), EAI (JSON-java), EAI (Jettison), Siebel Core (Apache ZooKeeper), Siebel Core (zlib), UI Framework (CodeMirror), UI Framework (jQueryUI), EAI (Apache Tomcat)
CVEs: CVE-2022-1471, CVE-2023-24998, CVE-2022-45688, CVE-2022-40150, CVE-2022-42003, CVE-2018-25032, CVE-2020-7760, CVE-2022-31160, CVE-2023-28708

Oracle Supply Chain
Products: Oracle Agile Engineering Data Management, Oracle AutoVue, Oracle Agile PLM, Oracle Autovue for Agile Product Lifecycle Management
Affected Components: Installation (zlib), Security (FreeType), Security (zlib), Installation (Apache Batik), Installation (Apache Tomcat), Folders, Files and Attachments (Apache Commons FileUpload), Security (jackson-databind), Core (jackson-databind), Security (Apache Commons Net), WebClient (CKEditor), Security (OpenJPEG), None, WebClient, Folders, Files and Attachments (Apache Tomcat)
CVEs: CVE-2022-37434, CVE-2022-27404, CVE-2022-42890, CVE-2022-45143, CVE-2023-24998, CVE-2022-42004, CVE-2022-42003, CVE-2021-37533, CVE-2023-28439, CVE-2022-1122, CVE-2023-22039, CVE-2023-28708

Oracle Systems Risk
Products: Oracle Solaris
Affected Components: Device Driver Interface
CVEs: CVE-2023-22023

Oracle Utilities Applications
Products: Oracle Utilities Network Management System, Oracle Utilities Testing Accelerator, Oracle Utilities & Enterprise Taxation, Oracle Utilities Application Framework
Affected Components: System Wide (SnakeYAML), Tools (SnakeYAML), Tools (Spring Boot), Tools (Spring Security), Application Management Pack for Oracle Utilities & Enterprise Taxation 000 System Wide (XStream), General (Apache Commons FileUpload), General (Jettison), General (json-smart), Tools (Netty), Tools (XStream), Tools (JSZip), Tools (Spring Framework), Tools (Apache Tomcat)
CVEs: CVE-2022-1471, CVE-2023-20873, CVE-2023-20862, CVE-2022-41966, CVE-2023-24998, CVE-2022-40150, CVE-2023-1370, CVE-2022-41881, CVE-2022-48285, CVE-2023-20863, CVE-2023-28708

Oracle security updates for July 2023 also include third-party patches for the following non-exploitable CVEs: 

    • Oracle Utilities Network Management System

Oracle Virtualization
Products: Oracle VM VirtualBox
Affected Components: Core, Core (OpenSSL)
CVEs: CVE-2023-22018, CVE-2023-0464, CVE-2023-22017, CVE-2023-22016

SanerNow VM and SanerNow PM can detect and automatically fix these vulnerabilities by applying security updates. Use SanerNow to keep your systems secure and updated.
