- 16/2023
- Critical
Oracle released its critical patch updates for January 2023, containing (327) new security patches for multiple affected products. The remote attacker could exploit some of these vulnerabilities to take control of the affected system.
This critical patch update provides security updates to fix several vulnerabilities that may be remotely exploitable without authentication in a wide range of product families, including Oracle Banking Platform, Oracle Financial Services Applications, Oracle Database Products, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Fusion Middleware, and Oracle Communications Applications.
The complete list of the affected products: Oracle Advisory – January 2023
Samples of the addressed vulnerabilities:
1. Oracle Communications Converged Application Server RCE Vulnerability (CVE-2023-21890):
• CVSS: 9.8
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None
• Consequences: Gain Access
2. Oracle Communications Convergence Privilege Escalation Vulnerability (CVE-2023-21848):
• CVSS: 8.8
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Consequences: Gain Privilege
Vulnerabilities
Mitigations
The enterprise should deploy patches as soon as the testing phase is completed.