Oracle issues mammoth patch collection

Oracle’s quarterly patch release fixes an eye-watering 387 security vulnerabilities, but only 14 of them are rated critical (with a CVSS score greater than 9).

A critical Apache Commons ByteCode engineering library (BCEL) bug affects the company’s Communications Applications.

CVE-2023-34462 is an API bug that gives an attacker control over the bytecode produced by the library, and was first disclosed in July 2022.

The bug also affects PeopleSoft, Communications, Insurance Applications, Retail Applications, Utilities Applications, and Fusion Middleware.

Oracle Communications inherits a critical bug in OpenSSH, CVE-2023-38408, patched by the project in in September 2023; another in PHP patched in August, CVE-2023-3824; and CVE-2022-36944, a deserialisation bug in Scala.

Oracle Financial Services Applications gets fixes for three critical bugs: CVE-2023-22946 in Apache Spark (also fixed in Oracle Analytics), CVE-2022-1471 in SnakeYaml (also fixed in Retail Applications, Financial Services, and Banking), and CVE-2023-20873 in Spring Boot.

Among its eight fixes, the company’s Fusion middleware has three critical bugs in its core component: CVE-2023-22069, CVE-2023-22072, and CVE-2023-22089, all described as “easily exploited” vulnerabilities allowing an attacker to compromise the WebLogic server.

Oracle Analytics inherits two further bugs from the Apache project: CVE-2022-26612 in the Hadoop unTar function; and CVE-2022-33980 in the Apache Commons configuration utility.

Hyperion inherits yet another Apache bug: CVE-2023-25690, a web request smuggling vulnerability in the project’s HTTP server.

Finally, a Spring security bug, CVE-2023-34034, shows up in MySQL and Communications.

Oracle's critical patch update is here.