Critical Patch Updates, Security Alerts and Bulletins
This page lists announcements of security fixes made in Critical Patch Update Advisories, Security Alerts and Bulletins, and it is updated when new Critical Patch Update Advisories, Security Alerts and Bulletins are released.
This page contains the following sections:
Critical Patch Updates
Critical Patch Updates provide security patches for supported Oracle on-premises products. They are available to customers with valid support contracts. Starting in April 2022, Critical Patch Updates are released on the third Tuesday of January, April, July, and October (They were previously published on the Tuesday closest to the 17th day of January, April, July, and October). The next four dates are:
- 15 October 2024
- 21 January 2025
- 15 April 2025
- 15 July 2025
A pre-release announcement will be published on the Thursday preceding each Critical Patch Update release.
The Critical Patch Updates released since 2018 are listed in the following table. Critical Patch Updates released before 2018 are available here.
Critical Patch Update |
Latest Version/Date |
Critical Patch Update - July 2024 |
Rev 3, 18 September 2024 |
Critical Patch Update - April 2024 |
Rev 2, 18 September 2024 |
Critical Patch Update - January 2024 |
Rev 4, 03 April 2024 |
Critical Patch Update - October 2023 |
Rev 5, 8 December 2023 |
Critical Patch Update - July 2023 |
Rev 1, 18 July 2023 |
Critical Patch Update - April 2023 |
Rev 2, 25 April 2023 |
Critical Patch Update - January 2023 |
Rev 3, 27 February 2023 |
Critical Patch Update - October 2022 |
Rev 3, 12 December 2022 |
Critical Patch Update - July 2022 |
Rev 4, 31 October 2022 |
Critical Patch Update - April 2022 |
Rev 8, 20 September 2024 |
Critical Patch Update - January 2022 |
Rev 6, 14 March 2022 |
Critical Patch Update - October 2021 |
Rev 3, 18 January 2022 |
Critical Patch Update - July 2021 |
Rev 7, 03 September 2021 |
Critical Patch Update - April 2021 |
Rev 6, 28 July 2021 |
Critical Patch Update - January 2021 |
Rev 3, 22 February 2021 |
Critical Patch Update - October 2020 |
Rev 6, 8 December 2020 |
Critical Patch Update - July 2020 |
Rev 8, 1 December 2020 |
Critical Patch Update - April 2020 |
Rev 11, 20 July 2020 |
Critical Patch Update - January 2020 |
Rev 7, 20 April 2020 |
Critical Patch Update - October 2019 |
Rev 3, 22 January 2020 |
Critical Patch Update - July 2019 |
Rev 6, 12 October 2020 |
Critical Patch Update - April 2019 |
Rev 6, 28 May 2019 |
Critical Patch Update - January 2019 |
Rev 7, 13 February 2020 |
Critical Patch Update - October 2018 |
Rev 6, 18 December 2018 |
Critical Patch Update - July 2018 |
Rev 8, 12 October 2018 |
Critical Patch Update - April 2018 |
Rev 4, 10 December 2018 |
Critical Patch Update - January 2018 |
Rev 8, 20 March 2018 |
Security Alerts
Oracle will issue Security Alerts for vulnerability fixes deemed too critical to wait for distribution in the next Critical Patch Update. The Security Alerts released since 2018 are listed in the following table. Security Alerts released before 2018 are available here.
Solaris Third Party Bulletins
Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris Third Party Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will be updated on the third Tuesday of the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates). In addition, Solaris Third Party Bulletins may also be updated for vulnerability patches deemed too critical to wait for the next scheduled publication date. Solaris Third Party Bulletins released before 2018 are available here.
Solaris Third Party Bulletin |
Latest Version/Date |
Solaris Third Party Bulletin - July 2024 |
Rev 3, 24 September 2024 |
Solaris Third Party Bulletin - April 2024 |
Rev 3, 14 June 2024 |
Solaris Third Party Bulletin - January 2024 |
Rev 3, 19 March 2024 |
Solaris Third Party Bulletin - October 2023 |
Rev 3, 19 December 2023 |
Solaris Third Party Bulletin - July 2023 |
Rev 3, 19 September 2023 |
Solaris Third Party Bulletin - April 2023 |
Rev 3, 23 June 2023 |
Solaris Third Party Bulletin - January 2023 |
Rev 3, 20 March 2023 |
Solaris Third Party Bulletin - October 2022 |
Rev 4, 14 February 2023 |
Solaris Third Party Bulletin - July 2022 |
Rev 3, 20 September 2022 |
Solaris Third Party Bulletin - April 2022 |
Rev 3, 17 June 2022 |
Solaris Third Party Bulletin - January 2022 |
Rev 4, 15 March 2022 |
Solaris Third Party Bulletin - October 2021 |
Rev 3, 10 December 2021 |
Solaris Third Party Bulletin - July 2021 |
Rev 3, 14 September 2021 |
Solaris Third Party Bulletin - April 2021 |
Rev 3, 15 June 2021 |
Solaris Third Party Bulletin - January 2021 |
Rev 4, 16 March 2021 |
Solaris Third Party Bulletin - October 2020 |
Rev 4, 06 January 2021 |
Solaris Third Party Bulletin - July 2020 |
Rev 3, 15 September 2020 |
Solaris Third Party Bulletin - April 2020 |
Rev 3, 16 June 2020 |
Solaris Third Party Bulletin - January 2020 |
Rev 3, 16 March 2020 |
Solaris Third Party Bulletin - October 2019 |
Rev 3, 17 December 2019 |
Solaris Third Party Bulletin - July 2019 |
Rev 4, 03 October 2019 |
Solaris Third Party Bulletin - April 2019 |
Rev 3, 25 June 2019 |
Solaris Third Party Bulletin - January 2019 |
Rev 4, 16 April 2019 |
Solaris Third Party Bulletin - October 2018 |
Rev 3, 14 December 2018 |
Solaris Third Party Bulletin - July 2018 |
Rev 3, 24 September 2018 |
Solaris Third Party Bulletin - April 2018 |
Rev 3, 15 June 2018 |
Solaris Third Party Bulletin - January 2018 |
Rev 3, 20 March 2018 |
Oracle Linux Bulletins
Oracle releases security advisories for Oracle Linux as patches become available. Security advisories (ELSA) are published at https://linux.oracle.com/security/.
Starting October 20, 2015, Oracle will also publish Oracle Linux Bulletins which list all CVEs that had been resolved and announced in Oracle Linux Security Advisories in the last one month prior to the release of the bulletin. The Oracle Linux Bulletin will be published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle Linux Bulletins may also be updated for vulnerability patches deemed too critical to wait for the next scheduled bulletin publication date. Oracle Linux Bulletins released before 2018 are here.
Oracle Linux Bulletin |
Latest Version/Date |
Oracle Linux Bulletin - July 2024 |
Rev 2, 21 August 2024 |
Oracle Linux Bulletin - April 2024 |
Rev 3, 26 June 2024 |
Oracle Linux Bulletin - January 2024 |
Rev 3, 20 March 2024 |
Oracle Linux Bulletin - October 2023 |
Rev 3, 19 December 2023 |
Oracle Linux Bulletin - July 2023 |
Rev 3, 19 September 2023 |
Oracle Linux Bulletin - April 2023 |
Rev 2, 16 May 2023 |
Oracle Linux Bulletin - January 2023 |
Rev 3, 21 March 2023 |
Oracle Linux Bulletin - October 2022 |
Rev 3, 20 December 2022 |
Oracle Linux Bulletin - July 2022 |
Rev 3, 20 September 2022 |
Oracle Linux Bulletin - April 2022 |
Rev 4, 20 September 2022 |
Oracle Linux Bulletin - January 2022 |
Rev 3, 15 March 2022 |
Oracle Linux Bulletin - October 2021 |
Rev 3, 14 December 2021 |
Oracle Linux Bulletin - July 2021 |
Rev 3, 21 September 2021 |
Oracle Linux Bulletin - April 2021 |
Rev 3, 17 June 2021 |
Oracle Linux Bulletin - January 2021 |
Rev 3, 19 March 2021 |
Oracle Linux Bulletin - October 2020 |
Rev 1, 20 October 2020 |
Oracle Linux Bulletin - July 2020 |
Rev 3, 21 September 2020 |
Oracle Linux Bulletin - April 2020 |
Rev 3, 15 June 2020 |
Oracle Linux Bulletin - January 2020 |
Rev 3, 17 March 2020 |
Oracle Linux Bulletin - October 2019 |
Rev 3, 18 December 2019 |
Oracle Linux Bulletin - July 2019 |
Rev 3, 19 September 2019 |
Oracle Linux Bulletin - April 2019 |
Rev 3, 18 June 2019 |
Oracle Linux Bulletin - January 2019 |
Rev 3, 18 March 2019 |
Oracle Linux Bulletin - October 2018 |
Rev 3, 17 December 2018 |
Oracle Linux Bulletin - July 2018 |
Rev 3, 18 September 2018 |
Oracle Linux Bulletin - April 2018 |
Rev 3, 18 June 2018 |
Oracle Linux Bulletin - January 2018 |
Rev 3, 16 March 2018 |
Oracle VM Server for x86 Bulletins
Oracle releases security advisories for Oracle VM Server for x86 as patches become available. Security advisories (OVMSA) are published at https://linux.oracle.com/errata/.
Starting July 19, 2016, Oracle will also publish Oracle VM Server for x86 Bulletins which will list all CVEs that had been resolved and announced in Oracle VM Server for x86 Security Advisories in the last one month prior to the release of the bulletin. The Oracle VM Server for x86 Bulletin will be published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle VM Server for x86 Bulletins may also be updated for vulnerability patches deemed too critical to wait for the next scheduled bulletin publication date. Oracle VM Server for x86 Bulletins released before 2018 are here.
Oracle VM Server for x86 Bulletin |
Latest Version/Date |
Oracle VM Server for x86 Bulletin - July 2024 |
Rev 2, 21 August 2024 |
Oracle VM Server for x86 Bulletin - April 2024 |
Rev 1, 16 April 2024 |
Oracle VM Server for x86 Bulletin - January 2024 |
Rev 1, 20 March 2024 |
Oracle VM Server for x86 Bulletin - October 2023 |
Rev 3, 19 December 2023 |
Oracle VM Server for x86 Bulletin - July 2023 |
Rev 2, 19 September 2023 |
Oracle VM Server for x86 Bulletin - April 2023 |
Rev 2, 16 May 2023 |
Oracle VM Server for x86 Bulletin - January 2023 |
Rev 2, 21 March 2023 |
Oracle VM Server for x86 Bulletin - October 2022 |
Rev 3, 20 December 2022 |
Oracle VM Server for x86 Bulletin - July 2022 |
Rev 3, 20 September 2022 |
Oracle VM Server for x86 Bulletin - April 2022 |
Rev 3, 22 June 2022 |
Oracle VM Server for x86 Bulletin - January 2022 |
Rev 2, 15 February 2022 |
Oracle VM Server for x86 Bulletin - October 2021 |
Rev 3, 14 December 2021 |
Oracle VM Server for x86 Bulletin - July 2021 |
Rev 3, 21 September 2021 |
Oracle VM Server for x86 Bulletin - April 2021 |
Rev 1, 20 May 2021 |
Oracle VM Server for x86 Bulletin - January 2021 |
Rev 3, 19 March 2021 |
Oracle VM Server for x86 Bulletin - October 2020 |
Rev 1, 20 October 2020 |
Oracle VM Server for x86 Bulletin - July 2020 |
Rev 3, 21 September 2020 |
Oracle VM Server for x86 Bulletin - April 2020 |
Rev 3, 15 June 2020 |
Oracle VM Server for x86 Bulletin - January 2020 |
Rev 3, 17 March 2020 |
Oracle VM Server for x86 Bulletin - October 2019 |
Rev 2, 18 December 2019 |
Oracle VM Server for x86 Bulletin - July 2019 |
Rev 2, 16 August 2019 |
Oracle VM Server for x86 Bulletin - April 2019 |
Rev 3, 18 June 2019 |
Oracle VM Server for x86 Bulletin - January 2019 |
Rev 3, 18 March 2019 |
Oracle VM Server for x86 Bulletin - October 2018 |
Rev 3, 17 December 2018 |
Oracle VM Server for x86 Bulletin - July 2018 |
Rev 3, 18 September 2018 |
Oracle VM Server for x86 Bulletin - April 2018 |
Rev 3, 18 June 2018 |
Oracle VM Server for x86 Bulletin - January 2018 |
Rev 3, 16 March 2018 |
Map of CVE to Advisory/Alert
The Map of CVE to Advisory/Alert indicates which CVEs are fixed in each Critical Patch Update and Security Alert. The Map of CVE to Solaris Third Party Bulletin indicates which CVEs are fixed in each Solaris Third Party Bulletin.
Oracle CVEs not published in other Oracle public documents
The page provides a public mapping between CVEs and associated My Oracle Support (MOS) remediation documents which are accessible to any Oracle customer with a valid support license.
CVEs for Oracle open source projects not published in other Oracle public documents
The page lists CVEs for Oracle open source projects not published in other Oracle public documents.
Policy on information provided in Critical Patch Updates and Security Alerts
As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the Critical Patch Update or Security Alert notification, the pre-installation notes, the readme files, and FAQs. Oracle provides all customers with the same information in order to protect all customers equally. Oracle will not provide advance notification or "insider information" on Critical Patch Update or Security Alerts to individual customers. Finally, Oracle does not distribute exploit code (or "proof of concept code") for vulnerabilities in our products.
Applicability of Critical Patch Updates and Security Alerts to Oracle Cloud
The Oracle Cloud operations and security teams regularly evaluate Oracle’s Critical Patch Updates and Security Alert fixes as well as relevant third-party fixes as they become available and apply the relevant patches in accordance with applicable change management processes.
Cloud customers requiring information that is not addressed in the Critical Patch Update Advisory may obtain information as follows:
- Oracle Cloud (IaaS, PaaS, and SaaS) customers should submit a SR within their designated support system
- Oracle Managed Cloud Services (OMCS) customers should contact their Service Delivery Manager (SDM) or Technical Account Manager (TAM)
- CRM On Demand customers should request status via a Service Request (SR)
- Global Business Units/Industry Cloud Services customers should submit a SR within their designated support system or, if applicable, contact their Customer Success Manager
- Oracle Advertising customers should contact their Client Partner.
- Oracle NetSuite customers should submit an Oracle NetSuite Support Case from within their Oracle NetSuite account.
References