Oracle has issued a Critical Patch Update which contains 520 new security patches across various product families. A few of these updates may need your urgent attention if you are a user of the affected product.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that look most urgent.
Oracle Communications Applications
The update contains 39 new security patches for Oracle Communications Applications. 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
CVE-2022-21431 is a vulnerability in the Connection Manager component of the Oracle Communications Billing and Revenue Management product and it has the maximum CVSS score of 10 out of 10. Supported versions that are affected by this flaw are 126.96.36.199 and 188.8.131.52.
CVE-2022-23305 is a Log4j vulnerability with a CVSS score of 9.8. It affects the Oracle Communications Messaging Server and allows attackers to manipulate a database by entering SQL strings into input fields or headers. (Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.) The same Log4j vulnerability affects the Cartridge Deployer Tool component of Oracle Communications Network Integrity and the Logging component of Oracle Communications Unified Inventory Management. It also affects several components of Oracle Fusion Middleware.
CVE-2022-23990 is a vulnerability in the user interface (LibExpat) component of the Oracle Communications MetaSolv Solution, and it also has a seriously high CVSS score of 9.8. LibExpat versions before 2.4.4 have an integer overflow in the
doProlog function that allows an attacker to inject an unsigned integer, leading to a crash or a denial of service.
Oracle Blockchain Platform
The update contains 15 new security patches for Oracle Blockchain Platform. 14 of these vulnerabilities may be remotely exploitable without authentication.
The update contains 5 new security patches plus additional third-party patches for Oracle GoldenGate. 4 of these vulnerabilities may be remotely exploitable without authentication.
CVE-2021-26291 is a security issue in Apache Maven with a CVSS score if 9.1. it affects the Oracle GoldenGate Big Data and Application Adapters. Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom), which may be unknown to users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository.
The update contains 149 new security patches plus additional third party patches noted below for Oracle Communications. 98 of these vulnerabilities may be remotely exploitable without authentication.
CVE-2022-22947 is another vulnerability with a CVSS score of 10. It is a vulnerability in Spring Cloud Gateway that affects Oracle Communications Cloud Native Core Network Exposure Function and Oracle Communications Cloud Native Core Network Slice Selection Function. In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.
Oracle Java SE
The update contains 7 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication.
CVE-2022-21449 is a vulnerability in the Oracle GraalVM Enterprise Edition product of Oracle Java SE with a CVSS score of 7.5. The 7.5 is a very low score due to the wide range of impacts on different functionality in an access management context. This vulnerability applies to Windows systems only, but an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update. An elaborate analysis of this vulnerability was published by ForgeRock.
For a complete list of the security vulnerabilities have a look at the Oracle security alerts page. Several of the discussed vulnerabilities in this Patch Update are vulnerabilities in third-party components which you may have patched earlier, but it’s definitely worth looking into.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. You can follow the links in the Patch Availability Document column on the Oracle page to access the documentation for patch availability information and installation instructions.
Stay safe, everyone!