Key Patch Updates for All Series of Oracle Products in January

January 18, 2024 | NSFOCUS


NSFOCUS CERT has noted that Oracle has released its January Critical Patch Update (CPU) advisory. This update fixes 413 vulnerabilities of varying severity across Oracle WebLogic Server, Oracle MySQL, Oracle Java SE, Oracle Fusion Middleware, Oracle HTTP Server and other widely deployed products. Oracle strongly recommends that customers apply the Critical Patch Update as soon as possible to fix these vulnerabilities.

Reference link:

Key Vulnerabilities

The vulnerabilities below were selected from this update based on product popularity and vulnerability severity.

Oracle WebLogic Server Security Feature Bypass Vulnerability (CVE-2024-20927)

A security feature bypass vulnerability exists in Oracle WebLogic Server. A remote, unauthenticated attacker can exploit it to compromise the integrity of the affected system.

Oracle WebLogic Server Information Disclosure Vulnerability (CVE-2024-20931)

Oracle WebLogic Server has an information disclosure vulnerability. An unauthenticated attacker can send a crafted request to the affected server over the T3 or IIOP protocol and gain unauthorized access to critical data, or complete access to all data accessible to Oracle WebLogic Server, resulting in the disclosure of sensitive information.

Oracle WebLogic Server Security Feature Bypass Vulnerability (CVE-2024-20986)

A security feature bypass vulnerability exists in Oracle WebLogic Server. A remote, unauthenticated attacker who can induce a victim to interact with attacker-supplied content can exploit it to compromise system integrity or disclose sensitive information.

Multiple vulnerabilities in Oracle MySQL

This security update fixes 40 vulnerabilities in Oracle MySQL, 12 of which are remotely exploitable without authentication (that is, over the network without user credentials). The high-risk vulnerabilities have the following CVE IDs:

  • CVE-2023-38545
  • CVE-2023-50164
  • CVE-2023-5363
  • CVE-2023-46589
  • CVE-2023-41105

Multiple vulnerabilities in Oracle Financial Services Applications:

This security update fixes 71 vulnerabilities in Oracle Financial Services Applications, 54 of which are remotely exploitable without authentication. The high-risk vulnerabilities have the following CVE IDs:

  • CVE-2023-46604
  • CVE-2022-42920
  • CVE-2023-24998
  • CVE-2022-34169

The vulnerabilities fixed in Oracle's January Critical Patch Update are summarized by product below:

Product                                  | Vulnerabilities | Remotely exploitable without authentication | Highest CVSS score
Oracle Database Server                   |  3 |  0 | 6.5
Oracle Audit Vault and Database Firewall |  5 |  1 | 7.6
Oracle Big Data Spatial and Graph        |  1 |  1 | 7.5
Oracle Essbase                           |  3 |  2 | 9.8
Oracle Global Lifecycle Management       |  1 |  1 | 3.7
Oracle GoldenGate                        |  1 |  1 | 3.7
Oracle Graph Server and Client           |  1 |  1 | 7.5
Oracle NoSQL Database                    |  1 |  0 | 6.5
Oracle REST Data Services                |  5 |  4 | 7.5
Oracle Secure Backup                     |  5 |  4 | 7.5
Oracle SQL Developer                     |  5 |  4 | 7.5
Oracle TimesTen In-Memory Database       |  5 |  4 | 7.5
Oracle Commerce                          |  5 |  4 | 7.5
Oracle Communications Applications       | 43 | 25 | 9.8
Oracle Communications                    | 55 | 43 | 9.8
Oracle Construction and Engineering      |  6 |  2 | 7.5
Oracle E-Business Suite                  | 19 | 14 | 6.5
Oracle Enterprise Manager                | 12 | 11 | 8.3
Oracle Financial Services Applications   | 71 | 54 | 9.8
Oracle Fusion Middleware                 | 39 | 29 | 9.8
Oracle Analytics                         | 17 | 11 | 8.2
Oracle Hyperion                          | 11 | 10 | 9.8
Oracle Java SE                           | 13 | 11 | 7.5
Oracle JD Edwards                        |  9 |  6 | 9.8
Oracle MySQL                             | 40 | 12 | 9.8
Oracle PeopleSoft                        |  4 |  2 | 7.5
Oracle Retail Applications               |  6 |  5 | 9.8
Oracle Siebel CRM                        |  2 |  2 | 7.5
Oracle Supply Chain                      |  6 |  4 | 8.8
Oracle Systems                           |  9 |  3 | 9.8
Oracle Utilities Applications            |  7 |  3 | 7.5


Patch update

Refer to the appendix "Affected Products and Patches" below, download the patch for each affected product promptly, and install it by following the readme file in the patch package, so that protection remains effective in the long term.

Note: Oracle's official patches can only be downloaded with a valid support account for licensed software. Log in with that account to obtain the latest patches.

Temporary Weblogic Protection Measures

1. Restrict T3 protocol access

If the patch cannot be applied immediately and the T3 protocol is not needed for communication with the server, the following measure blocks attacks that exploit T3 protocol vulnerabilities:

WebLogic Server provides a default connection filter, weblogic.security.net.ConnectionFilterImpl, which accepts all incoming connections. Access to the T3 and T3S protocols can be controlled by configuring rules for this connection filter. The detailed steps are as follows:

1) Log in to the WebLogic Administration Console, open the configuration page of the domain (base_domain by default), and go to the Security tab, then Filters, to configure connection filters.

2) Enter weblogic.security.net.ConnectionFilterImpl in the Connection Filter field and, in the Connection Filter Rules field, write rules that fit your environment, following this template (one rule per line):

<local IP> * * allow t3 t3s
<IP allowed to access> * * allow t3 t3s
* * * deny t3 t3s

Each connection filter rule has the format: target localAddress localPort action protocols, where:

  • target specifies the remote host(s) the rule applies to: an IP address, a host name, or an IP address with a netmask; * matches any host.
  • localAddress is the server address the client connected to; * matches all local IP addresses.
  • localPort is the server port the client connected to; * matches all ports the server listens on.
  • action is the operation to perform and must be either allow or deny.
  • protocols is a space-separated list of protocol names to match, chosen from http, https, t3, t3s, giop, giops, dcom and ftp. If no protocol is given, the rule matches all protocols.

Rules are evaluated in order and the first matching rule decides the outcome; a connection that matches no rule is allowed. The final deny rule is therefore what actually blocks T3/T3S from hosts not listed above it.

3) If the rules do not take effect after saving, restart the WebLogic server (restarting interrupts service; the responsible staff should assess the risk first). Taking Windows as an example: open the bin directory under the domain directory and run stopWebLogic.cmd (stopWebLogic.sh on Linux) to stop the WebLogic server.

After the stop script completes, run startWebLogic.cmd (startWebLogic.sh on Linux) to start WebLogic again.
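The value of the trailing deny rule is easy to miss when only reading the template, so the following added example (written for this page; it is not WebLogic code, not NSFOCUS tooling, and not from the original advisory) simulates the documented evaluation of connection filter rules: first matching rule wins, and a connection that matches no rule is allowed. It supports IP, IP/netmask and * targets only (host-name targets are omitted); the server address 10.0.0.5, port 7001 and the client addresses are constructed.

```python
"""
Simulator for WebLogic connection-filter rule evaluation (added example, not
WebLogic code). Rule format: target localAddress localPort action protocols.
Semantics modelled: rules tried in order, first match decides, no match = allow.
Host-name targets are not handled; only IP, IP/netmask (dotted or CIDR) and *.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Rule:
    target: str                      # remote host: IP, IP/netmask, or *
    local_addr: str                  # server address the client connected to, or *
    local_port: str                  # server port the client connected to, or *
    action: str                      # "allow" or "deny"
    protocols: List[str] = field(default_factory=list)  # empty list = all protocols

    def matches(self, remote_ip: str, local_addr: str, local_port: int, protocol: str) -> bool:
        return (
            target_matches(self.target, remote_ip)
            and self.local_addr in ("*", local_addr)
            and (self.local_port == "*" or int(self.local_port) == local_port)
            and (not self.protocols or protocol in self.protocols)
        )


def target_matches(target: str, remote_ip: str) -> bool:
    """Match the rule target against the remote address.
    Accepts a single IP, WebLogic's dotted-netmask form (10.0.0.0/255.255.255.0),
    a CIDR prefix (10.0.0.0/24), or * for any host."""
    if target == "*":
        return True
    if "/" in target:
        # ipaddress.ip_network accepts both the dotted-netmask and the CIDR spelling
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(target, strict=False)
    return ipaddress.ip_address(remote_ip) == ipaddress.ip_address(target)


def parse_rules(text: str) -> List[Rule]:
    """Parse one rule per line; blank lines are ignored, malformed lines are rejected."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if len(fields) < 4 or fields[3] not in ("allow", "deny"):
            raise ValueError(f"malformed connection filter rule: {raw!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], fields[3], fields[4:]))
    return rules


def accept(rules: List[Rule], remote_ip: str, local_addr: str, local_port: int, protocol: str) -> bool:
    """First matching rule wins; a connection matching no rule is allowed."""
    for rule in rules:
        if rule.matches(remote_ip, local_addr, local_port, protocol):
            return rule.action == "allow"
    return True


# Constructed sample: the server is 10.0.0.5:7001, the 10.0.0.0/24 subnet may use
# T3/T3S, and the last rule refuses T3/T3S from everyone else.
SAMPLE_RULES = """
10.0.0.5 * * allow t3 t3s
10.0.0.0/255.255.255.0 * * allow t3 t3s
* * * deny t3 t3s
"""

# The same rules with the trailing deny left out: an outside host matches no
# rule, so default-allow lets its T3 connection through.
RULES_WITHOUT_DENY = "\n".join(SAMPLE_RULES.strip().splitlines()[:2])


def evaluate(rule_text: str, remote_ip: str, protocol: str) -> bool:
    """Evaluate one connection to the constructed server 10.0.0.5:7001."""
    return accept(parse_rules(rule_text), remote_ip, "10.0.0.5", 7001, protocol)


if __name__ == "__main__":
    for ip, proto in [("10.0.0.20", "t3"), ("203.0.113.9", "t3"), ("203.0.113.9", "http")]:
        print(f"{ip:>12} {proto:<5} with deny rule: {evaluate(SAMPLE_RULES, ip, proto)!s:<5} "
              f"without deny rule: {evaluate(RULES_WITHOUT_DENY, ip, proto)}")
```

Running it shows that HTTP from an outside host is allowed under both rule sets (the rules only name t3 and t3s), while T3 from 203.0.113.9 is refused only when the deny rule is present. Rule order also matters: putting the deny line first would block the allowed subnet as well.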

Reference link:

2. Disable IIOP protocol

Attacks that exploit IIOP protocol vulnerabilities can be blocked by disabling IIOP: in the WebLogic Administration Console, go to Environment > Servers, select AdminServer (repeat for each managed server), open Protocols > General, uncheck Enable IIOP and save. Restart the server for the change to take effect.
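After applying the T3 filter from measure 1 and restarting, it is worth confirming from a host that should now be refused that the listen port no longer completes a T3 handshake. The following added example (not part of the original advisory and not NSFOCUS or Oracle tooling) sends the plain-text T3 greeting and checks for the "HELO:" reply a T3-enabled server returns; a filtered connection is closed without one. It verifies T3 only, not IIOP, which would need a separate GIOP probe. The host, port and the sample banner are constructed.

```python
"""
Network-side check: does a WebLogic listen port still complete a T3 handshake?
Added example, not from the original advisory. Host/port and the sample
banner used in comments are constructed.
"""
import socket
from typing import Optional

# T3 greeting a client sends: protocol and version, abbreviation-table size, header length.
T3_GREETING = b"t3 12.2.1\nAS:255\nHL:19\n\n"


def parse_t3_banner(data: bytes) -> Optional[str]:
    """Return the WebLogic version from a T3 HELO reply, or None if it is not a HELO.
    A reply looks like b"HELO:12.2.1.4.0.false\\nAS:2048\\nHL:19\\n\\n"; the trailing
    true/false token is a flag, not part of the version."""
    first_line = data.split(b"\n", 1)[0].decode("ascii", errors="replace").strip()
    if not first_line.startswith("HELO:"):
        return None
    parts = first_line[len("HELO:"):].split(".")
    if parts and parts[-1] in ("true", "false"):
        parts = parts[:-1]
    version = ".".join(parts)
    return version or None


def t3_version(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Send the T3 greeting; return the advertised version, or None when the port is
    closed, the connection is filtered/dropped, or the reply is not a T3 HELO."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(T3_GREETING)
            data = sock.recv(1024)
    except OSError:  # ConnectionRefusedError and socket.timeout are both OSError
        return None
    return parse_t3_banner(data)


def verdict(version: Optional[str]) -> str:
    """Turn the probe result into an operator-readable line."""
    if version:
        return f"T3 accepted (WebLogic {version}): the filter is not effective from this host"
    return "no T3 HELO: T3 refused, filtered, or the port is not listening"


if __name__ == "__main__":
    # Run from an address that the rules should deny; 10.0.0.5:7001 is a constructed target.
    print(verdict(t3_version("10.0.0.5", 7001)))
```

A "no T3 HELO" result from a denied address together with a HELO from an allowed address is the outcome to expect once the filter is in place; a HELO from a denied address means the rule set or the protocol list in the rule is wrong.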

Affected Products and Patches

Affected product and version number | Available patches
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2430, prior to XCP3130, prior to XCP4040
GoldenGate Big Data and Application Adapters, versions, 21.3-21.12
Integrated Lights Out Manager (ILOM), versions 3, 4, 5
JD Edwards EnterpriseOne Orchestrator, versions prior to
JD Edwards EnterpriseOne Tools, versions prior to
MySQL Cluster, versions 7.5.32 and prior, 7.6.28 and prior, 8.0.35 and prior, 8.1.0, 8.2.0 and prior
MySQL Connectors, versions 8.0.35 and prior, 8.2.0 and prior
MySQL Enterprise Monitor, versions 8.0.36 and prior
MySQL Server, versions 8.0.35 and prior, 8.1.0, 8.2.0 and prior
MySQL Workbench, versions 8.0.34 and prior
Oracle Access Manager, version
Oracle Agile PLM, version 9.3.6
Oracle Agile Product Lifecycle Management for Process, versions prior to
Oracle Analytics Desktop, versions, prior to 7.2
Oracle Application Testing Suite, version
Oracle Audit Vault and Database Firewall, versions 20.1-20.9
Oracle Banking APIs, versions 19.1.0, 21.1.0, 22.1.0, 22.2.0
Oracle Banking Branch, versions 14.5.0-14.7.0
Oracle Banking Cash Management, versions 14.5.0-14.7.0
Oracle Banking Collections and Recovery, versions 14.5.0-14.7.0
Oracle Banking Corporate Lending Process Management, versions 14.5.0-14.7.0
Oracle Banking Credit Facilities Process Management, versions 14.5.0-14.7.0
Oracle Banking Digital Experience, versions 19.1.0, 21.1.0, 22.1.0, 22.2.0
Oracle Banking Electronic Data Exchange for Corporates, versions 14.5.0-14.7.0
Oracle Banking Enterprise Default Management, versions 14.5.0-14.7.0
Oracle Banking Extensibility Workbench, versions 14.5.0-14.7.0
Oracle Banking Liquidity Management, versions 14.5.0-14.7.0,
Oracle Banking Origination, versions 14.5.0-14.7.0
Oracle Banking Party Management, versions 14.5.0-14.7.0
Oracle Banking Supply Chain Finance, versions 14.5.0-14.7.0
Oracle Banking Trade Finance Process Management, versions 14.5.0-14.7.0
Oracle Banking Virtual Account Management, versions 14.5.0-14.7.0
Oracle BI Publisher, versions,,
Oracle Big Data Spatial and Graph, version 3.0.4
Oracle Business Intelligence Enterprise Edition, versions,,
Oracle Business Process Management Suite, version
Oracle Coherence, versions,
Oracle Commerce Guided Search, version 11.3.2
Oracle Commerce Platform, version 11.3.2
Oracle Communications ASAP, version 7.4
Oracle Communications Billing and Revenue Management, versions,
Oracle Communications BRM – Elastic Charging Engine, versions
Oracle Communications Cloud Native Core Automated Test Suite, versions 23.1.3, 23.2.1, 23.3.0
Oracle Communications Cloud Native Core Console, versions 23.3.0, 23.3.1
Oracle Communications Cloud Native Core Network Data Analytics Function, versions 23.3.0, 23.4.0
Oracle Communications Cloud Native Core Network Exposure Function, version 23.3.1
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 23.1.0, 23.2.0, 23.3.1
Oracle Communications Cloud Native Core Network Repository Function, versions 23.1.4, 23.3.1
Oracle Communications Cloud Native Core Network Slice Selection Function, versions 23.2.0, 23.3.1
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 23.1.0, 23.2.0, 23.3.0
Oracle Communications Cloud Native Core Unified Data Repository, version 23.3.1
Oracle Communications Convergence, versions,
Oracle Communications Convergent Charging Controller, versions,,
Oracle Communications Diameter Signaling Router, versions,
Oracle Communications Element Manager, versions, 9.4.53
Oracle Communications Fraud Monitor, versions 5.0, 5.1
Oracle Communications Instant Messaging Server, version
Oracle Communications IP Service Activator, versions 7.4.0, 7.5.0
Oracle Communications Messaging Server, version
Oracle Communications MetaSolv Solution, version
Oracle Communications Network Analytics Data Director, versions,
Oracle Communications Network Charging and Control, versions,,
Oracle Communications Order and Service Management, versions 7.4.0, 7.4.1
Oracle Communications Policy Management, versions,
Oracle Communications Pricing Design Center, versions,
Oracle Communications Service Catalog and Design, versions,,
Oracle Communications Session Report Manager, versions, 9.4.53
Oracle Communications Unified Assurance, versions 5.0.0-5.5.19, 6.0.0-6.0.3
Oracle Communications Unified Inventory Management, versions 7.4.0, 7.4.1, 7.4.2
Oracle Complex Maintenance, Repair, and Overhaul, versions 11.5, 12.1, 12.2
Oracle Database Server, versions 19.3-19.21, 21.3-21.12, 22.3-23.8, 23.9.0-23.9.4, 23.10
Oracle E-Business Suite, versions 12.2.3-12.2.13
Oracle Enterprise Data Quality, version
Oracle Enterprise Manager Base Platform, version
Oracle Enterprise Manager for Fusion Middleware, version
Oracle Enterprise Manager for Oracle Database, version
Oracle Enterprise Manager for Oracle Virtual Infrastructure, version
Oracle Enterprise Manager for Virtualization, version
Oracle Enterprise Manager Ops Center, version
Oracle Essbase, version
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2
Oracle Financial Services Behavior Detection Platform, versions,,,
Oracle Financial Services Compliance Studio, version
Oracle Financial Services Enterprise Case Management, versions,,,
Oracle Financial Services Lending and Leasing, versions 14.5.0-14.7.0
Oracle Financial Services Revenue Management and Billing, versions 2.7.1, 2.8.0, 2.9.0, 2.9.1, 3.0.0-3.2.0, 4.0.0, 5.0.0, 5.1.0, 6.0.0
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8
Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 14.5.0-14.7.0
Oracle FLEXCUBE Investor Servicing, versions 14.5.0-14.7.0
Oracle FLEXCUBE Private Banking, versions 14.5.0-14.7.0
Oracle Fusion Middleware, version
Oracle Global Lifecycle Management OPatch, versions prior to
Oracle GoldenGate, versions, 21.3-21.12
Oracle GoldenGate Studio, version
Oracle GraalVM Enterprise Edition, versions 20.3.12, 21.3.8, 22.3.4
Oracle GraalVM for JDK, versions 17.0.9, 21.0.1
Oracle Graph Server and Client, versions prior to 22.4.6, prior to 23.4.0
Oracle HTTP Server, version
Oracle Hyperion Calculation Manager, version
Oracle Hyperion Financial Data Quality Management, Enterprise Edition, version
Oracle Hyperion Financial Management, version
Oracle Hyperion Financial Reporting, version
Oracle Hyperion Infrastructure Technology, version
Oracle Hyperion Planning, version
Oracle Identity Manager, version
Oracle Java SE, versions 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1
Oracle JDeveloper, version
Oracle Managed File Transfer, version
Oracle Middleware Common Libraries and Tools, version
Oracle NoSQL Database, versions prior to 1.6, prior to 19.5.40, prior to 20.3.38, prior to 21.2.30, prior to 22.3.94, prior to 23.1.29
Oracle Outside In Technology, version 8.5.6
Oracle REST Data Services, versions prior to 23.3.0
Oracle Retail Advanced Inventory Planning, versions 15.0.3, 16.0.3
Oracle Retail Customer Management and Segmentation Foundation, versions,
Oracle Retail EFTLink, versions 20.0.1, 21.0.0-23.0.0
Oracle Secure Backup, versions prior to
Oracle Service Bus, version
Oracle SOA Suite, version
Oracle Solaris, version 11
Oracle SQL Developer, versions 21.4.2, 22.2.0, 23.1.0
Oracle Utilities Network Management System, versions,,,,,
Oracle Utilities Application Framework, versions,,,,,,
Oracle WebCenter Content, version
Oracle WebCenter Portal, version
Oracle WebCenter Sites, version
Oracle WebLogic Server, versions,
Oracle ZFS Storage Appliance Kit, version 8.8
PeopleSoft Enterprise PeopleTools, versions 8.59, 8.60, 8.61
Primavera P6 Enterprise Project Portfolio Management, versions 19.12.0-19.12.22, 20.12.0-20.12.20, 21.12.0-21.12.17, 22.12.0-22.12.10
Primavera Unifier, versions 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.11
Siebel Applications, versions prior to 23.12
TimesTen In-Memory Database, versions prior to, prior to


This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.


NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.