Oracle has issued a Critical Patch Update which contains 520 new security patches across various product families. A few of these updates may need your urgent attention if you are a user of the affected product.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that look most urgent.
Oracle Communications Applications
The update contains 39 new security patches for Oracle Communications Applications. 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
CVE-2022-21431is a vulnerability in the Connection Manager component of the Oracle Communications Billing and Revenue Management product and it has the maximum CVSS scoreof 10 out of 10. Supported versions that are affected by this flaw are 12.0.0.4 and 12.0.0.5.
CVE-2022-23305is a Log4j vulnerability with a CVSS score of 9.8. It affects the Oracle Communications Messaging Server and allows attackers to manipulate a database by entering SQL strings into input fields or headers. (Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.) The same Log4j vulnerability affects the Cartridge Deployer Tool component of Oracle Communications Network Integrity and the Logging component of Oracle Communications Unified Inventory Management. It also affects several components of Oracle Fusion Middleware.
CVE-2022-23990is a vulnerability in the user interface (LibExpat) component of the Oracle Communications MetaSolv Solution, and it also has a seriously high CVSS score of 9.8. LibExpat versions before 2.4.4 have an integer overflow in the doPrologfunction that allows an attacker to inject an unsigned integer, leading to a crash or a denial of service.
Oracle Blockchain Platform
The update contains 15 new security patches for Oracle Blockchain Platform. 14 of these vulnerabilities may be remotely exploitable without authentication.
CVE-2021-23017is a security issue in nginx resolverwith a CVSS score of 9.8. It could allow an attacker who is able to forge UDP packets from the DNS server to cause a 1-byte memory overwrite.
Oracle GoldenGate
The update contains 5 new security patches plus additional third-party patches for Oracle GoldenGate. 4 of these vulnerabilities may be remotely exploitable without authentication.
CVE-2021-26291is a security issue in Apache Maven with a CVSS score if 9.1. it affects the Oracle GoldenGate Big Data and Application Adapters. Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom), which may be unknown to users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository.
Oracle Communications
The update contains 149 new security patches plus additional third party patches noted below for Oracle Communications. 98 of these vulnerabilities may be remotely exploitable without authentication.
CVE-2022-22947is another vulnerability with a CVSS score of 10. It is a vulnerability in Spring Cloud Gateway that affects Oracle Communications Cloud Native Core Network Exposure Function and Oracle Communications Cloud Native Core Network Slice Selection Function. In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.
Oracle Java SE
The update contains 7 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication.
CVE-2022-21449is a vulnerability in the Oracle GraalVM Enterprise Edition product of Oracle Java SE with a CVSS score of 7.5. The 7.5 is a very low score due to the wide range of impacts on different functionality in an access management context. This vulnerability applies to Windows systems only, but an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update. An elaborate analysis of this vulnerability was published by ForgeRock.
Mitigation
For a complete list of the security vulnerabilities have a look at the Oracle security alerts page. Several of the discussed vulnerabilities in this Patch Update are vulnerabilities in third-party components which you may have patched earlier, but it’s definitely worth looking into.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. You can follow the links in the Patch Availability Document column on the Oracle pageto access the documentation for patch availability information and installation instructions.
Stay safe, everyone!
