CVE-2022-21498: Oracle Critical Patch Update Advisory - April 2022

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 19c and 21c. Easily exploitable vulnerability allows low privileged attacker having Create Procedure privilege with network access via multiple protocols to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java VM accessible data. CVSS 3.1 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).


Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 520 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2022 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions | Patch Availability Document

Engineered Systems Utilities, versions 12.1.0.2, 19c, 21c | Oracle Autonomous Health Framework
Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0 | Enterprise Manager
Enterprise Manager for Peoplesoft, versions 13.4.1.1, 13.5.1.1 | Enterprise Manager
Enterprise Manager for Storage Management, version 13.4.0.0 | Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0 | Enterprise Manager
Helidon, versions 1.4.7, 1.4.10, 2.0.0-RC1 | Helidon
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 | Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Tools, versions prior to 9.2.6.3 | JD Edwards
JD Edwards World Security, version A9.4 | JD Edwards
Management Cloud Engine, versions 1.5.0 and prior | Oracle Management Cloud Engine
Middleware Common Libraries and Tools, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
MySQL Cluster, versions 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | MySQL
MySQL Connectors, versions 8.0.28 and prior | MySQL
MySQL Enterprise Monitor, versions 8.0.29 and prior | MySQL
MySQL Server, versions 5.7.37 and prior, 8.0.28 and prior | MySQL
MySQL Workbench, versions 8.0.28 and prior | MySQL
Oracle Advanced Supply Chain Planning, versions 12.1, 12.2 | Oracle Supply Chain Products
Oracle Agile Engineering Data Management, version 6.2.1.0 | Oracle Supply Chain Products
Oracle Agile PLM, version 9.3.6 | Oracle Supply Chain Products
Oracle Agile PLM MCAD Connector, version 3.6 | Oracle Supply Chain Products
Oracle Application Express, versions prior to 22.1 | Database
Oracle Application Testing Suite, version 13.3.0.1 | Enterprise Manager
Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2 | Oracle Supply Chain Products
Oracle Banking Deposits and Lines of Credit Servicing, version 2.12.0 | Contact Support
Oracle Banking Enterprise Default Management, versions 2.7.1, 2.10.0, 2.12.0 | Oracle Banking Platform
Oracle Banking Loans Servicing, version 2.12.0 | Contact Support
Oracle Banking Party Management, version 2.7.0 | Oracle Banking Platform
Oracle Banking Payments, version 14.5 | Contact Support
Oracle Banking Platform, versions 2.6.2, 2.7.1, 2.12.0 | Oracle Banking Platform
Oracle Banking Trade Finance, version 14.5 | Contact Support
Oracle Banking Treasury Management, version 14.5 | Contact Support
Oracle Blockchain Platform, versions prior to 21.1.2 | Oracle Blockchain Platform
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | Oracle Analytics
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Coherence, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle Commerce Guided Search, version 11.3.2 | Oracle Commerce
Oracle Communications ASAP, version 7.3 | Oracle Communications ASAP
Oracle Communications Billing and Revenue Management, versions 12.0.0.4, 12.0.0.5 | Oracle Communications Billing and Revenue Management
Oracle Communications Cloud Native Core Automated Test Suite, versions 1.8.0, 1.9.0, 22.1.0 | Oracle Communications Cloud Native Core Automated Test Suite
Oracle Communications Cloud Native Core Binding Support Function, version 1.11.0 | Oracle Communications Cloud Native Core Binding Support Function
Oracle Communications Cloud Native Core Console, versions 1.9.0, 22.1.0 | Oracle Communications Cloud Native Core Console
Oracle Communications Cloud Native Core Network Exposure Function, version 22.1.0 | Oracle Communications Cloud Native Core Network Exposure Function
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 1.10.0, 22.1.0 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Oracle Communications Cloud Native Core Network Repository Function, versions 1.15.0, 1.15.1, 22.1.0 | Oracle Communications Cloud Native Core Network Repository Function
Oracle Communications Cloud Native Core Network Slice Selection Function, versions 1.8.0, 22.1.0 | Oracle Communications Cloud Native Core Network Slice Selection Function
Oracle Communications Cloud Native Core Policy, versions 1.14.0, 1.15.0, 22.1.0 | Oracle Communications Cloud Native Core Policy
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 1.7.0, 22.1.0 | Oracle Communications Cloud Native Core Security Edge Protection Proxy
Oracle Communications Cloud Native Core Service Communication Proxy, version 1.15.0 | Oracle Communications Cloud Native Core Service Communication Proxy
Oracle Communications Cloud Native Core Unified Data Repository, versions 1.15.0, 22.1.0 | Oracle Communications Cloud Native Core Unified Data Repository
Oracle Communications Contacts Server, version 8.0.0.6.0 | Oracle Communications Contacts Server
Oracle Communications Convergence, versions 3.0.2.2, 3.0.3.0 | Oracle Communications Convergence
Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0 | Oracle Communications Convergent Charging Controller
Oracle Communications Design Studio, versions 7.3.5, 7.4.0-7.4.2 | Oracle Communications Design Studio
Oracle Communications Diameter Intelligence Hub, versions 8.0.0-8.2.3 | Oracle Communications Diameter Signaling Router
Oracle Communications Diameter Signaling Router, version 8.4.0.0 | Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE Application Processor | Oracle Communications EAGLE Application Processor
Oracle Communications EAGLE Element Management System, version 46.6 | Oracle Communications EAGLE Element Management System
Oracle Communications EAGLE FTP Table Base Retrieval, version 4.5 | Oracle Communications EAGLE FTP Table Base Retrieval
Oracle Communications EAGLE LNP Application Processor, versions 10.1, 10.2 | Oracle Communications EAGLE LNP Application Processor
Oracle Communications EAGLE Software, versions 46.7.0, 46.8.0-46.8.2, 46.9.1-46.9.3 | Oracle Communications EAGLE (Software)
Oracle Communications Element Manager, versions prior to 9.0 | Oracle Communications Element Manager
Oracle Communications Evolved Communications Application Server, version 7.1 | Oracle Communications Evolved Communications Application Server
Oracle Communications Instant Messaging Server, version 10.0.1.5.0 | Oracle Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder, version 6.4 | Oracle Communications Interactive Session Recorder
Oracle Communications IP Service Activator, version 7.4.0 | Oracle Communications IP Service Activator
Oracle Communications Messaging Server, version 8.1 | Oracle Communications Messaging Server
Oracle Communications MetaSolv Solution, version 6.3.1 | Oracle Communications MetaSolv Solution
Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0 | Oracle Communications Network Charging and Control
Oracle Communications Network Integrity, versions 7.3.2, 7.3.5, 7.3.6 | Oracle Communications Network Integrity
Oracle Communications Operations Monitor, versions 4.3, 4.4, 5.0 | Oracle Communications Operations Monitor
Oracle Communications Order and Service Management, versions 7.3, 7.4 | Oracle Communications Order and Service Management
Oracle Communications Performance Intelligence Center (PIC) Software, versions 10.3.0.0.0-10.3.0.2.1, 10.4.0.1.0-10.4.0.3.1 | Oracle Communications Performance Intelligence Center (PIC) Software
Oracle Communications Policy Management, versions 12.5.0.0.0, 12.6.0.0.0 | Oracle Communications Policy Management
Oracle Communications Pricing Design Center, versions 12.0.0.4, 12.0.0.5 | Oracle Communications Pricing Design Center
Oracle Communications Services Gatekeeper, version 7.0.0.0.0 | Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions 8.4, 9.0 | Oracle Communications Session Border Controller
Oracle Communications Session Report Manager, versions prior to 9.0 | Oracle Communications Session Report Manager
Oracle Communications Session Route Manager, versions prior to 9.0 | Oracle Communications Session Route Manager
Oracle Communications Unified Inventory Management, versions 7.4.1, 7.4.2 | Oracle Communications Unified Inventory Management
Oracle Communications Unified Session Manager, versions 8.2.5, 8.4.5 | Oracle Communications Unified Session Manager
Oracle Communications User Data Repository, version 12.4 | Oracle Communications User Data Repository
Oracle Communications WebRTC Session Controller, version 7.2.1 | Oracle Communications WebRTC Session Controller
Oracle Data Integrator, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Database Server, versions 12.1.0.2, 19c, 21c | Database
Oracle Documaker, versions 12.6.0, 12.6.2-12.6.4, 12.7.0 | Oracle Insurance Applications
Oracle E-Business Suite, versions 12.2.4-12.2.11, [EBS Cloud Manager and Backup Module] prior to 22.1.1.1, [Enterprise Command Center] 7.0, [Enterprise Information Discovery] 7-9 | Oracle E-Business Suite
Oracle Enterprise Communications Broker, versions 3.2, 3.3 | Oracle Enterprise Communications Broker
Oracle Enterprise Session Border Controller, versions 8.4, 9.0 | Oracle Enterprise Session Border Controller
Oracle Ethernet Switch ES1-24, version 1.3.1 | Systems
Oracle Ethernet Switch TOR-72, version 1.2.2 | Systems
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6.0-8.0.9.0, 8.1.0.0-8.1.2.0 | Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Behavior Detection Platform, versions 8.0.6.0-8.0.8.0, 8.1.1.0, 8.1.1.1, 8.1.2.0 | Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Enterprise Case Management, versions 8.0.7.1, 8.0.7.2, 8.0.8.0, 8.0.8.1, 8.1.1.0, 8.1.1.1, 8.1.2.0 | Oracle Financial Services Enterprise Case Management
Oracle Financial Services Revenue Management and Billing, versions 2.7.0.0, 2.7.0.1, 2.8.0.0 | Oracle Financial Services Revenue Management and Billing
Oracle FLEXCUBE Universal Banking, versions 11.83.3, 12.1-12.4, 14.0-14.3, 14.5 | Contact Support
Oracle Global Lifecycle Management OPatch | Global Lifecycle Management
Oracle GoldenGate, versions prior to 12.3.0.1.2, prior to 23.1 | Database
Oracle GoldenGate Application Adapters, versions prior to 23.1 | Database
Oracle GoldenGate Big Data and Application Adapters, versions prior to 23.1 | Database
Oracle GraalVM Enterprise Edition, versions 20.3.5, 21.3.1, 22.0.0.2 | Java SE
Oracle Health Sciences Empirica Signal, versions 9.1.0.6, 9.2.0.0 | Health Sciences
Oracle Health Sciences InForm, versions 6.2.1.1, 6.3.2.1, 7.0.0.0 | Health Sciences
Oracle Health Sciences InForm Publisher, versions 6.2.1.1, 6.3.1.1 | Health Sciences
Oracle Health Sciences Information Manager, versions 3.0.1-3.0.4 | HealthCare Applications
Oracle Healthcare Data Repository, versions 8.1.0, 8.1.1 | HealthCare Applications
Oracle Healthcare Foundation, versions 7.3.0.1-7.3.0.4 | HealthCare Applications
Oracle Healthcare Master Person Index, version 5.0.1 | HealthCare Applications
Oracle Healthcare Translational Research, versions 4.1.0, 4.1.1 | HealthCare Applications
Oracle Hospitality Suite8, versions 8.10.2, 8.11.0-8.14.0 | Oracle Hospitality Suite8
Oracle Hospitality Token Proxy Service, version 19.2 | Oracle Hospitality Token Proxy Service
Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Hyperion BI+, versions prior to 11.2.8.0 | Oracle Enterprise Performance Management
Oracle Hyperion Calculation Manager, versions prior to 11.2.8.0 | Oracle Enterprise Performance Management
Oracle Hyperion Data Relationship Management, versions prior to 11.2.8.0, prior to 11.2.9.0 | Oracle Enterprise Performance Management
Oracle Hyperion Financial Management, versions prior to 11.2.8.0 | Oracle Enterprise Performance Management
Oracle Hyperion Infrastructure Technology, versions prior to 11.2.8.0 | Oracle Enterprise Performance Management
Oracle Hyperion Planning, versions prior to 11.2.8.0 | Oracle Enterprise Performance Management
Oracle Hyperion Profitability and Cost Management, versions prior to 11.2.8.0 | Oracle Enterprise Performance Management
Oracle Hyperion Tax Provision, versions prior to 11.2.8.0 | Oracle Enterprise Performance Management
Oracle Identity Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Identity Manager Connector, versions 9.1.0, 11.1.1.5.0 | Fusion Middleware
Oracle iLearning, versions 6.2, 6.3 | iLearning
Oracle Insurance Data Gateway, version 1.0.1 | Oracle Insurance Applications
Oracle Insurance Insbridge Rating and Underwriting, versions 5.2.0, 5.4.0-5.6.0, 5.6.1 | Oracle Insurance Applications
Oracle Insurance Policy Administration, versions 11.0.2, 11.1.0, 11.2.8, 11.3.0, 11.3.1 | Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 11.0.2, 11.1.0, 11.2.8, 11.3.0, 11.3.1 | Oracle Insurance Applications
Oracle Internet Directory, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Java SE, versions 7u331, 8u321, 11.0.14, 17.0.2, 18 | Java SE
Oracle JDeveloper, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0 | Fusion Middleware
Oracle NoSQL Database | NoSQL Database
Oracle Outside In Technology, version 8.5.5 | Fusion Middleware
Oracle Payment Interface, versions 19.1, 20.3 | Oracle Payment Interface
Oracle Product Lifecycle Analytics, version 3.6.1.0 | Oracle Supply Chain Products
Oracle REST Data Services, versions prior to 21.2 | Database
Oracle Retail Bulk Data Integration, version 16.0.3 | Retail Applications
Oracle Retail Customer Insights, versions 15.0.2, 16.0.2 | Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 17.0-19.0 | Retail Applications
Oracle Retail Data Extractor for Merchandising, versions 15.0.2, 16.0.2 | Retail Applications
Oracle Retail EFTLink, versions 17.0.2, 18.0.1, 19.0.1, 20.0.1, 21.0.0 | Retail Applications
Oracle Retail Extract Transform and Load, version 13.2.8 | Retail Applications
Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 | Retail Applications
Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 | Retail Applications
Oracle Retail Invoice Matching, version 16.0.3 | Retail Applications
Oracle Retail Merchandising System, versions 16.0.3, 19.0.1 | Retail Applications
Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 | Retail Applications
Oracle Retail Store Inventory Management, versions 14.0.4.13, 14.1.3.5, 14.1.3.14, 15.0.3.3, 15.0.3.8, 16.0.3.7 | Retail Applications
Oracle Retail Xstore Office Cloud Service, versions 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1 | Retail Applications
Oracle Retail Xstore Point of Service, versions 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1, 21.0.0 | Retail Applications
Oracle SD-WAN Edge, versions 9.0, 9.1 | Oracle SD-WAN Edge
Oracle Secure Backup | Oracle Secure Backup
Oracle Secure Global Desktop, version 5.6 | Virtualization
Oracle Solaris, version 11 | Systems
Oracle Solaris Cluster, version 4 | Systems
Oracle SQL Developer, versions prior to 21.99 | Database
Oracle StorageTek ACSLS, version 8.5.1 | Systems
Oracle StorageTek Tape Analytics (STA), version 2.4 | Systems
Oracle Taleo Platform, versions prior to 22.1 | Oracle Taleo
Oracle Transportation Management, versions 6.4.3, 6.5.1 | Oracle Supply Chain Products
Oracle Tuxedo, version 12.2.2.0.0 | Fusion Middleware
Oracle Utilities Framework, versions 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0 | Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 6.1.34 | Virtualization
Oracle Web Services Manager, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8 | Systems
OSS Support Tools, versions 2.12.42, 18.3 | Oracle Support Tools
PeopleSoft Enterprise CS Academic Advisement, version 9.2 | PeopleSoft
PeopleSoft Enterprise FIN Cash Management, version 9.2 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59 | PeopleSoft
PeopleSoft Enterprise PRTL Interaction Hub, version 9.1 | PeopleSoft
Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12, 21.12 | Oracle Construction and Engineering Suite

Note:

  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA, so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1, for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
  • Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets which contain critical security patches detailed in Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
  • Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Oracle lists updates that address vulnerabilities in third-party components that are not exploitable in the context of their inclusion in their respective Oracle product beneath the product’s risk matrix.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
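The second workaround above, removing a required privilege from accounts that do not need it, is a concrete review task: for the CVE-2022-21498 row in the Oracle Database Server risk matrix later on this page the required privilege is Create Procedure, so the question is which accounts can exercise CREATE PROCEDURE and which of those actually need it. The Python script below is an added example, not Oracle tooling or anything from the advisory. It works on a constructed sample shaped like the DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_ROLES dictionary views, resolves grants that arrive through roles (including role-to-role grants, which a query over direct grants alone would miss), and emits REVOKE statements for holders that are not on an allow list. Every account name, role name and the allow list are invented; the generated statements are output for review and for testing on a non-production system first, as the paragraph above says.

```python
from collections import defaultdict

# Constructed sample data, shaped like the Oracle data-dictionary views a
# DBA would export (hypothetical accounts and roles, not from the advisory):
#   DBA_SYS_PRIVS  -> (GRANTEE, PRIVILEGE)
#   DBA_ROLE_PRIVS -> (GRANTEE, GRANTED_ROLE)
#   DBA_ROLES      -> ROLE
SYS_PRIVS = [
    ("SYS", "CREATE PROCEDURE"),
    ("RESOURCE", "CREATE PROCEDURE"),      # a role can carry the privilege too
    ("DEV_ROLE", "CREATE PROCEDURE"),
    ("REPORT_USER", "CREATE PROCEDURE"),
    ("APP_OWNER", "CREATE PROCEDURE"),
    ("DBA", "CREATE ANY PROCEDURE"),
]
ROLE_PRIVS = [
    ("SYS", "DBA"),
    ("APP_OWNER", "RESOURCE"),
    ("JUNIOR_DEV", "DEV_ROLE"),
    ("CONTRACTOR", "DEV_ROLE"),
    ("QA_ROLE", "DEV_ROLE"),               # role granted to another role
    ("TESTER", "QA_ROLE"),
]
ROLES = {"DBA", "RESOURCE", "CONNECT", "DEV_ROLE", "QA_ROLE"}
PROTECTED = {"SYS", "SYSTEM"}              # Oracle-maintained: report, never revoke


def role_holders(role_privs, roles):
    """For every role, the users able to activate it, following role-to-role
    grants. Returns {role: {user: {role the user holds directly, ...}}} so the
    caller knows which grant to revoke to cut the path."""
    granted_to = defaultdict(set)          # role -> grantees holding it directly
    for grantee, role in role_privs:
        granted_to[role].add(grantee)

    def expand(role, seen):
        users = defaultdict(set)
        for grantee in granted_to.get(role, ()):
            if grantee not in roles:
                users[grantee].add(role)   # a user holds this role directly
            elif grantee not in seen:      # nested role; guard against cycles
                for user, via in expand(grantee, seen | {grantee}).items():
                    users[user] |= via
        return users

    return {role: expand(role, {role}) for role in roles}


def effective_holders(privilege, sys_privs=SYS_PRIVS, role_privs=ROLE_PRIVS, roles=ROLES):
    """Return {user: {"DIRECT" or a directly held role name, ...}} for every
    user who can exercise `privilege`, whether granted directly or via roles."""
    members = role_holders(role_privs, roles)
    holders = defaultdict(set)
    for grantee, priv in sys_privs:
        if priv != privilege:
            continue
        if grantee in roles:
            for user, via in members[grantee].items():
                holders[user] |= via
        else:
            holders[grantee].add("DIRECT")
    return dict(holders)


def plan_revocations(privilege, allow_list, protected=PROTECTED, **views):
    """Emit REVOKE statements for users holding `privilege` who are not on the
    allow list. Direct grants are revoked from the user; role-mediated grants
    are cut by revoking that role from the user, so the role's other members
    keep it. Returns (statements, protected accounts that were skipped)."""
    statements, skipped = [], []
    for user, paths in sorted(effective_holders(privilege, **views).items()):
        if user in allow_list:
            continue
        if user in protected:
            skipped.append(user)
            continue
        for path in sorted(paths):
            if path == "DIRECT":
                statements.append('REVOKE %s FROM "%s";' % (privilege, user))
            else:
                statements.append('REVOKE "%s" FROM "%s";' % (path, user))
    return statements, skipped


if __name__ == "__main__":
    stmts, skipped = plan_revocations("CREATE PROCEDURE", allow_list={"APP_OWNER", "JUNIOR_DEV"})
    print("\n".join(stmts))
    print("-- left untouched (Oracle-maintained):", ", ".join(skipped))
```

Revoking a role from a user also removes every other privilege that role carries, which is exactly the "may break application functionality" caveat in the paragraph above; that is why the script records the directly held role rather than revoking the privilege from the role itself, which would affect all of its members at once.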

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • 4ra1n: CVE-2022-21441
  • Adi Farshteindiker: CVE-2022-21487, CVE-2022-21488
  • Ahmed Shah of Red Canari: CVE-2022-21481
  • Alexander Kornbrust of Red Database Security: CVE-2022-21410
  • AnhNH of Sacombank: CVE-2022-21419, CVE-2022-21448, CVE-2022-21492
  • Anonymous researcher working with Trend Micro’s Zero Day Initiative: CVE-2022-21482, CVE-2022-21490
  • Anthony Weems: CVE-2022-21496
  • Aobo Wang of Chaitin Security Research Lab: CVE-2022-21465, CVE-2022-21471
  • bendtheory: CVE-2022-21468
  • ChauUHM of Sacombank: CVE-2022-21419, CVE-2022-21448, CVE-2022-21492
  • Cl0und of Syclover Security Team: CVE-2022-21420
  • Dimitris Doganos of COSMOTE - Mobile Telecommunications S.A.: CVE-2022-21466
  • Emad Al-Mousa: CVE-2022-21410
  • Harrison Neal: CVE-2022-21411
  • HolyBugx: CVE-2022-21468
  • Iustin Ladunca (youstin): CVE-2022-21468
  • Jangggg of VNPT: CVE-2022-21445, CVE-2022-21497
  • Karan Lyons: CVE-2022-21496
  • Kun Yang of Chaitin Security Research Lab: CVE-2022-21465, CVE-2022-21471
  • lc working with Trend Micro Zero Day Initiative: CVE-2022-21483, CVE-2022-21484, CVE-2022-21489
  • Liboheng of Tophant Starlight laboratory: CVE-2022-21420
  • Lucas Leong (wmliang) of Trend Micro Zero Day Initiative: CVE-2022-21485, CVE-2022-21486
  • Luo Likang of NSFocus Security Team: CVE-2022-21487
  • Markus Loewe: CVE-2022-21443
  • Michael MOSKOPP of Sogeti: CVE-2022-21469
  • Natalia Trojanowska of SecuRing: CVE-2022-21467
  • Neil Madden of ForgeRock: CVE-2022-21449
  • Niels van Gijzen of HackDefense: CVE-2022-21470
  • Oliver Bachtik of NVISO: CVE-2022-21491
  • Omar Younis of Cysiv: CVE-2022-21477
  • osword from SGLAB of Legendsec at Qi’anxin Group: CVE-2022-21434
  • Paulino Calderon of websec mx: CVE-2022-21404
  • peterjson - Security Engineering - VNG Corporation: CVE-2022-21445, CVE-2022-21497
  • r00t4dm: CVE-2022-21421, CVE-2022-21441
  • Sander Meijering of HackDefense: CVE-2022-21470
  • Shihao Wen: CVE-2022-21459
  • TuanNT of Sacombank: CVE-2022-21419, CVE-2022-21448, CVE-2022-21492
  • TungHT of Sacombank: CVE-2022-21419, CVE-2022-21448, CVE-2022-21492
  • Vikas Khanna: CVE-2022-21450
  • Yaoguang Chen of Ant Security Light-Year Lab: CVE-2021-2427
  • Ze Wang: CVE-2022-21453

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program:

  • Charles Korn
  • John Jiang of Tencent.com
  • thiscodecc of MoyunSec V-Lab
  • Tugay Aslan of Beam Teknoloji

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

  • Aakash Adhikari (dark_haxor)
  • Abdiwahab Ahmed
  • Adarsh Sreedhar
  • Ahmad Henry Mansour
  • Ahmed Al-Saleem
  • Aitor Herrero Fuentes
  • Andrea NaD
  • Anis Haboubi
  • AR Movies A
  • Fahad Anwar Hussain
  • George Crook
  • Hamoud Al-Helmani
  • Het Vikam
  • Houssem Belhadj Ahmed
  • Hunt4r Bug
  • J Jebarson Immanuel
  • Joaquín Pochat
  • Juhanák, Petr of Accenture
  • Luca Ottoni
  • Manjil Ghimire
  • Marvi Alex
  • Michoel Chaikin of Carsales.com Ltd
  • Moahmed Lemin
  • Mohamed Selem
  • Mohammed Adam
  • Mohammed Awez Kagdi
  • Nagliy Kot
  • Pankaj Kumar Thakur of Green Tick Nepal Pvt. Ltd.
  • Pim Dieleman of Cadran Consultancy B.V. [2 reports]
  • Prathamesh Bagul
  • Rahul Singh
  • Sagar Elias
  • SEINT
  • Shuvam Adhikari [4 reports]
  • Tarun Garg
  • Tejas Pagare
  • Vikas Srivastava [2 reports]
  • Vismit Sudhir Rakhecha (Druk)
  • Vitali Lavrentikov

Critical Patch Update Schedule

Critical Patch Updates are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 19 July 2022
  • 18 October 2022
  • 17 January 2023
  • 18 April 2023

References

  • Oracle Critical Patch Updates, Security Alerts and Bulletins
  • Critical Patch Update - April 2022 Documentation Map
  • Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
  • Risk Matrix Definitions
  • Use of Common Vulnerability Scoring System (CVSS) by Oracle
  • English text version of the risk matrices
  • CVRF XML version of the risk matrices
  • CSAF JSON version of the risk matrices
  • Map of CVE to Advisory/Alert
  • Oracle Lifetime support Policy
  • JEP 290 Reference Blocklist Filter

Modification History

Date | Note

2022-April-19 | Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 29 new security patches for Oracle Database Products divided as follows:

  • 5 new security patches for Oracle Database Products
  • 1 new security patch for Oracle Autonomous Health Framework
  • 15 new security patches for Oracle Blockchain Platform
  • No new security patches for Oracle Global Lifecycle Management, but third party patches are provided
  • 5 new security patches for Oracle GoldenGate
  • No new security patches for Oracle NoSQL Database, but third party patches are provided
  • 1 new security patch for Oracle REST Data Services
  • No new security patches for Oracle Secure Backup, but third party patches are provided
  • 2 new security patches for Oracle SQL Developer

Oracle Database Server Risk Matrix

This Critical Patch Update contains 5 new security patches plus additional third party patches noted below for Oracle Database Products. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions). The Notes column is empty for every row.

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes

CVE-2022-21410 | Oracle Database - Enterprise Edition Sharding | Create Any Procedure | Oracle Net | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 19c |
CVE-2022-21498 | Java VM | Create Procedure | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | None | High | None | 12.1.0.2, 19c, 21c |
CVE-2021-41165 | Oracle Application Express (CKEditor) | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 22.1 |
CVE-2022-21411 | RDBMS Gateway / Generic ODBC Connectivity | Create Session | Oracle Net | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 12.1.0.2, 19c, 21c |
CVE-2021-22569 | Oracle Spatial and Graph MapViewer (protobuf-java) | Local Logon | Local Logon | No | 2.8 | Local | Low | Low | Required | Unchanged | None | None | Low | 19c, 21c |

Additional CVEs addressed are:

  • The patch for CVE-2021-41165 also addresses CVE-2021-41164.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Database - Enterprise Edition Portable Clusterware (Apache MINA SSHD): CVE-2021-30129.
  • Oracle Database - Enterprise Edition RDBMS (LibExpat): CVE-2022-23990 and CVE-2022-23852.
  • Oracle Database Configuration Assistant (Apache Commons Compress): CVE-2019-12402.
  • Oracle Database Enterprise Edition (Apache Tomcat): CVE-2021-42340.

Oracle Autonomous Health Framework Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Autonomous Health Framework. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-2464 | Engineered Systems Utilities | Local Logon | Local Logon | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 12.1.0.2, 19c, 21c |

Oracle Blockchain Platform Risk Matrix

This Critical Patch Update contains 15 new security patches for Oracle Blockchain Platform. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-23017 | Oracle Blockchain Platform | Backend (nginx) | UDP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 21.1.2 |
CVE-2020-5245 | Oracle Blockchain Platform | Backend (Dropwizard-Validation) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | Prior to 21.1.2 |
CVE-2021-2351 | Oracle Blockchain Platform | BCS Console (JDBC, OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 21.1.2 | See Note 1
CVE-2020-8174 | Oracle Blockchain Platform | BCS Console (Node.js) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | Prior to 21.1.2 |
CVE-2020-24750 | Oracle Blockchain Platform | BCS Console (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | Prior to 21.1.2 |
CVE-2020-28052 | Oracle Blockchain Platform | BCS Console (Bouncy Castle Java Library) | HTTPS | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | Prior to 21.1.2 |
CVE-2019-12399 | Oracle Blockchain Platform | BCS Console (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | Prior to 21.1.2 |
CVE-2020-17527 | Oracle Blockchain Platform | BCS Console (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | Prior to 21.1.2 |
CVE-2020-11612 | Oracle Blockchain Platform | BCS Console (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 21.1.2 |
CVE-2019-13565 | Oracle Blockchain Platform | Backend (OpenLDAP) | LDAP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | Prior to 21.1.2 |
CVE-2020-8203 | Oracle Blockchain Platform | BCS Console (Lodash) | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | None | High | High | Prior to 21.1.2 |
CVE-2019-10086 | Oracle Blockchain Platform | BCS Console (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | Prior to 21.1.2 |
CVE-2020-11022 | Oracle Blockchain Platform | Backend (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 21.1.2 |
CVE-2021-29425 | Oracle Blockchain Platform | BCS Console (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | Prior to 21.1.2 |
CVE-2020-27218 | Oracle Blockchain Platform | BCS Console (Eclipse Jetty) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | None | Low | Low | Prior to 21.1.2 |

Notes:

  1. This is a hotfix on top of version 21.1.2.

Additional CVEs addressed are:

  • The patch for CVE-2019-13565 also addresses CVE-2017-14159, CVE-2017-17740, CVE-2017-9287, CVE-2019-13057, CVE-2020-12243, and CVE-2020-15719.
  • The patch for CVE-2020-17527 also addresses CVE-2020-13935.
  • The patch for CVE-2020-24750 also addresses CVE-2020-24616, CVE-2020-25649, and CVE-2020-36189.
  • The patch for CVE-2020-8174 also addresses CVE-2020-10531, CVE-2020-11080, CVE-2020-8172, and CVE-2020-8277.

Oracle Global Lifecycle Management Risk Matrix

This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle Global Lifecycle Management. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Global Lifecycle Management. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---

There are no exploitable vulnerabilities for these products. Third party patches for non-exploitable CVEs are noted below.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Global Lifecycle Management OPatch
    • Centralized Third Party Jars (Apache Commons Compress): CVE-2021-36090, CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.

Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 5 new security patches plus additional third party patches noted below for Oracle GoldenGate. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-26291 | Oracle GoldenGate Big Data and Application Adapters | General (Apache Maven) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | Prior to 23.1 |
CVE-2022-21442 | Oracle GoldenGate | OGG Core Library | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | Prior to 23.1 |
CVE-2021-2351 | Oracle GoldenGate Application Adapters | General (OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Prior to 23.1 |
CVE-2019-12086 | Oracle GoldenGate | Internal Framework (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | Prior to 12.3.0.1.2 |
CVE-2019-14862 | Oracle GoldenGate | Internal Framework (Knockout) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 12.3.0.1.2 |

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle GoldenGate Application Adapters
    • General (Apache Log4j): CVE-2022-23305, CVE-2019-17571, CVE-2021-4104 and CVE-2022-23302.

Oracle NoSQL Database Risk Matrix

This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle NoSQL Database. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle NoSQL Database. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---

There are no exploitable vulnerabilities for these products. Third party patches for non-exploitable CVEs are noted below.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle NoSQL Database
    • Administration (Netty): CVE-2021-37137, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-30129 and CVE-2021-37136.
    • Administration (Apache MINA SSHD): CVE-2021-30129.

Oracle REST Data Services Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle REST Data Services. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-29425 | Oracle REST Data Services | General (Apache Commons IO) | HTTP | No | 4.2 | Network | High | Low | None | Unchanged | Low | Low | None | Prior to 21.2 |

Oracle Secure Backup Risk Matrix

This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle Secure Backup. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Secure Backup. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---

There are no exploitable vulnerabilities for these products. Third party patches for non-exploitable CVEs are noted below.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Secure Backup
    • Oracle Secure Backup (Apache HTTP Server): CVE-2021-44790, CVE-2021-32785, CVE-2021-32786, CVE-2021-32791, CVE-2021-32792 and CVE-2021-44224.
    • Oracle Secure Backup (PHP): CVE-2021-21703.

Oracle SQL Developer Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle SQL Developer. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-44832 | Oracle SQL Developer | Installation (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | Prior to 21.4.2 |
CVE-2020-13956 | Oracle SQL Developer | Thirdparty Database support (Apache HTTPClient) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Prior to 21.99 |

Oracle Commerce Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Commerce. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-39139 | Oracle Commerce Guided Search | Content Acquisition System (XStream) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.3.2 |
CVE-2021-22118 | Oracle Commerce Guided Search | Content Acquisition System (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 11.3.2 |
CVE-2021-42340 | Oracle Commerce Guided Search | Content Acquisition System (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3.2 |
CVE-2022-21466 | Oracle Commerce Guided Search | Tools and Frameworks | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.3.2 |
CVE-2021-41165 | Oracle Commerce Guided Search | Content Acquisition System (CKEditor) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 11.3.2 |
CVE-2020-13956 | Oracle Commerce Guided Search | Workbench (HTTPClient) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.3.2 |
CVE-2020-8908 | Oracle Commerce Guided Search | Workbench (Guava) | None | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | 11.3.2 |

Additional CVEs addressed are:

  • The patch for CVE-2021-22118 also addresses CVE-2020-5421.
  • The patch for CVE-2021-39139 also addresses CVE-2021-39140, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152, CVE-2021-39153, and CVE-2021-39154.
  • The patch for CVE-2021-41165 also addresses CVE-2021-41164.

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 39 new security patches for Oracle Communications Applications. 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2022-21431 | Oracle Communications Billing and Revenue Management | Connection Manager | TCP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 12.0.0.4, 12.0.0.5 |
CVE-2022-23305 | Oracle Communications Messaging Server | ISC (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1 |
CVE-2022-23990 | Oracle Communications MetaSolv Solution | User Interface (LibExpat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.3.1 |
CVE-2022-23305 | Oracle Communications Network Integrity | Cartridge Deployer Tool (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.3.6 |
CVE-2022-23305 | Oracle Communications Unified Inventory Management | Logging (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.4.1, 7.4.2 |
CVE-2020-13936 | Oracle Communications Network Integrity | TL1 Cartridge (Apache Velocity Engine) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 7.3.6 |
CVE-2022-21430 | Oracle Communications Billing and Revenue Management | Connection Manager | TCP | No | 8.5 | Network | High | Low | None | Changed | High | High | High | 12.0.0.4, 12.0.0.5 |
CVE-2021-2351 | Oracle Communications Billing and Revenue Management | Pipeline Configuration Center, Oracle Data Manager, Rated Event Loader (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 12.0.0.4, 12.0.0.5 |
CVE-2022-21424 | Oracle Communications Billing and Revenue Management | Connection Manager | TCP | No | 8.3 | Network | Low | Low | None | Unchanged | High | High | Low | 12.0.0.4 |
CVE-2021-2351 | Oracle Communications IP Service Activator | Service Activator (OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 7.4.0 |
CVE-2021-2351 | Oracle Communications Pricing Design Center | Cloud Native Deployment (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 12.0.0.4, 12.0.0.5 |
CVE-2021-22118 | Oracle Communications Network Integrity | MSS Cartridge (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 7.3.6 |
CVE-2021-36090 | Oracle Communications Billing and Revenue Management | Billing Care (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.0.0.4 |
CVE-2022-21422 | Oracle Communications Billing and Revenue Management | Connection Manager | TCP | No | 7.5 | Network | High | Low | None | Unchanged | High | High | High | 12.0.0.4, 12.0.0.5 |
CVE-2021-42340 | Oracle Communications Instant Messaging Server | DBPlugin (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 10.0.1.5.0 |
CVE-2021-40690 | Oracle Communications Messaging Server | ISC (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.1 |
CVE-2021-33813 | Oracle Communications Messaging Server | ISC (Apache Tika) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.1 |
CVE-2019-10086 | Oracle Communications Network Integrity | User Interface (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 7.3.6 |
CVE-2021-44832 | Oracle Communications ASAP | SRP (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 7.3 |
CVE-2021-44832 | Oracle Communications Billing and Revenue Management | Rated Event Manager, Business Operations Center, Kafka Data Manager (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 12.0.0.4, 12.0.0.5 |
CVE-2021-44832 | Oracle Communications Convergence | Configuration (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 3.0.2.2, 3.0.3.0 |
CVE-2021-44832 | Oracle Communications Convergent Charging Controller | Network Gateway (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0 |
CVE-2021-44832 | Oracle Communications IP Service Activator | Logging (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 7.4.0 |
CVE-2021-44832 | Oracle Communications Messaging Server | ISC (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 8.1 |
CVE-2021-44832 | Oracle Communications Network Charging and Control | Gateway (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0 |
CVE-2021-44832 | Oracle Communications Network Integrity | Cartridge Deployer Tool (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 7.3.6 |
CVE-2021-44832 | Oracle Communications Pricing Design Center | REST Services Manager (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 12.0.0.4, 12.0.0.5 |
CVE-2021-44832 | Oracle Communications Unified Inventory Management | Logging (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 7.4.1, 7.4.2 |
CVE-2021-43797 | Oracle Communications Messaging Server | ISC (Netty) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | High | None | 8.1 |
CVE-2020-6950 | Oracle Communications Network Integrity | Installer (Eclipse Mojarra) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 7.3.6 |
CVE-2019-3740 | Oracle Communications Network Integrity | Installer (RSA BSAFE Crypto-J) | HTTPS | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 7.3.2, 7.3.5, 7.3.6 |
CVE-2021-36374 | Oracle Communications Order and Service Management | Installer, OSM SDK (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 7.3, 7.4 |
CVE-2022-24329 | Oracle Communications Pricing Design Center | REST Services Manager (Kotlin) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 12.0.0.4, 12.0.0.5 |
CVE-2021-29425 | Oracle Communications Contacts Server | File Upload (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 8.0.0.6.0 |
CVE-2021-29425 | Oracle Communications Design Studio | OSM Plugin (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 7.3.5, 7.4.0-7.4.2 |
CVE-2021-29425 | Oracle Communications Order and Service Management | OSM SDK (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 7.3, 7.4 |
CVE-2021-29425 | Oracle Communications Pricing Design Center | REST Service Manager (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 12.0.0.4, 12.0.0.5 |
CVE-2021-21275 | Oracle Communications Pricing Design Center | REST Service Manager (Jacoco) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | Low | None | 12.0.0.4, 12.0.0.5 |
CVE-2020-8908 | Oracle Communications Pricing Design Center | REST Services Manager (Guava) | None | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | 12.0.0.4, 12.0.0.5 |

Additional CVEs addressed are:

  • The patch for CVE-2019-3740 also addresses CVE-2019-3738, and CVE-2019-3739.
  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516, and CVE-2021-35517.
  • The patch for CVE-2021-36374 also addresses CVE-2021-36373.
  • The patch for CVE-2022-23305 also addresses CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307.
  • The patch for CVE-2022-23990 also addresses CVE-2022-23852.

Oracle Communications Risk Matrix

This Critical Patch Update contains 149 new security patches plus additional third party patches noted below for Oracle Communications. 98 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2022-22947 | Oracle Communications Cloud Native Core Network Exposure Function | NEF (Spring Cloud Gateway) | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 22.1.0 |
CVE-2022-22947 | Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (Spring Cloud Gateway) | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 22.1.0, 1.8.0 |
CVE-2017-1000353 | Oracle Communications Cloud Native Core Automated Test Suite | Automated Test Suite (Jenkins) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.9.0 |
CVE-2022-22965 | Oracle Communications Cloud Native Core Automated Test Suite | Automation Test Suite (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.9.0, 22.1.0 |
CVE-2021-29921 | Oracle Communications Cloud Native Core Binding Support Function | BSF (Python) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.11.0 |
CVE-2021-43527 | Oracle Communications Cloud Native Core Binding Support Function | BSF (NSS) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.11.0 |
CVE-2022-23221 | Oracle Communications Cloud Native Core Console | CNC Console (H2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.9.0 |
CVE-2022-22965 | Oracle Communications Cloud Native Core Console | CNC Console (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.9.0, 22.1.0 |
CVE-2022-22965 | Oracle Communications Cloud Native Core Network Exposure Function | NEF (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 22.1.0 |
CVE-2022-22965 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | DB Tier (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.10.0, 22.1.0 |
CVE-2020-14343 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | OC-CNE (PyYAML) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.10.0 |
CVE-2022-22965 | Oracle Communications Cloud Native Core Network Repository Function | OCNRF (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.15.0, 22.1.0 |
CVE-2021-43527 | Oracle Communications Cloud Native Core Network Repository Function | OCNRF (NSS) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.15.0, 1.15.1 |
CVE-2021-29921 | Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (Python) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.8.0 |
CVE-2022-22965 | Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 22.1.0, 1.8.0 |
CVE-2021-43527 | Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (NSS) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.8.0 |
CVE-2021-42392 | Oracle Communications Cloud Native Core Policy | Policy (H2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.15.0 |
CVE-2022-22965 | Oracle Communications Cloud Native Core Policy | Policy (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.15.0, 22.1.0 |
CVE-2021-35574 | Oracle Communications Cloud Native Core Policy | Policy (glibc) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.15.0 |
CVE-2021-3520 | Oracle Communications Cloud Native Core Policy | Policy (lz4) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.14.0 |
CVE-2022-22965 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | OC SEPP (Spring framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.7.0, 22.1.0 |
CVE-2022-22965 | Oracle Communications Cloud Native Core Unified Data Repository | UDR (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.15.0, 22.1.0 |
CVE-2020-17530 | Oracle Communications Diameter Intelligence Hub | Visualization (Apache Struts) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0-8.1.0, 8.2.0-8.2.3 |
CVE-2022-23305 | Oracle Communications EAGLE FTP Table Base Retrieval | Core (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.5 |
CVE-2020-35198 | Oracle Communications EAGLE Software | Measurements (VxWorks) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 46.7.0, 46.8.0-46.8.2, 46.9.1-46.9.3 |
CVE-2021-44790 | Oracle Communications Element Manager | Security (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 9.0 |
CVE-2021-44790 | Oracle Communications Operations Monitor | Mediation Engine (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.3, 4.4, 5.0 |
CVE-2022-22965 | Oracle Communications Policy Management | CMP (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.6.0.0.0 |
CVE-2021-23450 | Oracle Communications Policy Management | CMP (dojo) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.6.0.0.0 |
CVE-2021-43527 | Oracle Communications Policy Management | CMP (NSS) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.6.0.0.0 |
CVE-2021-44790 | Oracle Communications Session Report Manager | General (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 9.0 |
CVE-2021-44790 | Oracle Communications Session Route Manager | Third Party (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 9.0 |
CVE-2022-22965 | Oracle SD-WAN Edge | Management (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0, 9.1 |
CVE-2020-36242 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | OC-CNE (python-cryptography) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 1.10.0 |
CVE-2021-3518 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | OC-CNE (libxml2) | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 1.10.0 |
CVE-2021-32626 | Oracle Communications Operations Monitor | FDP (Redis) | TCP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 4.3, 4.4, 5.0 |
CVE-2020-10878 | Oracle Communications EAGLE LNP Application Processor | Platform (Perl) | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | Low | High | 10.1, 10.2 |
CVE-2020-10878 | Oracle Communications Performance Intelligence Center (PIC) Software | Platform (Perl) | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | Low | High | 10.3.0.0.0-10.3.0.2.1, 10.4.0.1.0-10.4.0.3.1 |
CVE-2021-39153 | Oracle Communications Cloud Native Core Automated Test Suite | Automated Test Suite Framework (XStream) | HTTP | No | 8.5 | Network | High | Low | None | Changed | High | High | High | 1.9.0 |
CVE-2021-2351 | Oracle Communications Diameter Intelligence Hub | Integrated DIH (JDBC, OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 8.0.0-8.2.3 |
CVE-2021-2351 | Oracle Communications Services Gatekeeper | Third party software/products (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 7.0.0.0.0 |
CVE-2019-16789 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | OC-CNE (ceph) | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | Low | High | None | 1.10.0 |
CVE-2019-18276 | Oracle Communications Cloud Native Core Policy | Policy (GNU Bash) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 1.14.0 |
CVE-2021-22118 | Oracle Communications Diameter Intelligence Hub | Visualization, Mediation (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 8.0.0-8.1.0, 8.2.0-8.2.3 |
CVE-2021-3156 | Oracle Communications Performance Intelligence Center (PIC) Software | Platform (Sudo) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 10.3.0.0.0-10.3.0.2.1, 10.4.0.1.0-10.4.0.3.1 |
CVE-2021-42340 | Management Cloud Engine | Security (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 1.5.0 |
CVE-2021-35515 | Oracle Communications Cloud Native Core Automated Test Suite | Automated Test Suite (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 1.8.0 |
CVE-2021-22946 | Oracle Communications Cloud Native Core Binding Support Function | CNC BSF (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 1.11.0 |
CVE-2020-36518 | Oracle Communications Cloud Native Core Console | CNC Console (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 1.9.0 |
CVE-2021-22946 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | OC-CNE (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 1.10.0 |
CVE-2021-22946 | Oracle Communications Cloud Native Core Network Repository Function | OCNRF (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 1.15.0, 1.15.1 |
CVE-2021-3690 | Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (Undertow) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 1.8.0 |
CVE-2021-22946 | Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (cURL) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 1.8.0 |
CVE-2020-28196 | Oracle Communications Cloud Native Core Policy | Policy (MIT Kerberos) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 1.14.0 |
CVE-2021-3807 | Oracle Communications Cloud Native Core Policy | Policy (ansi-regex) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 1.15.0 |
CVE-2020-8231 | Oracle Communications Cloud Native Core Policy | Policy (libcurl) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 1.14.0 |
CVE-2020-29363 | Oracle Communications Cloud Native Core Policy | Policy (p11-kit) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 1.14.0 |
CVE-2021-42340 | Oracle Communications Cloud Native Core Service Communication Proxy | SCP (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 1.15.0 |
CVE-2021-22946 | Oracle Communications Cloud Native Core Service Communication Proxy | SCP (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 1.15.0 |

CVE-2021-36090

Oracle Communications Diameter Intelligence Hub

Integrated DIH (Apache Commons Compress)

HTTP

Yes

7.5

Network

Low

None

None

Un-
changed

None

None

High

8.0.0-8.2.3

CVE-2020-11971

Oracle Communications Diameter Intelligence Hub

Mediation (Apache Camel)

HTTP

Yes

7.5

Network

Low

None

None

Un-
changed

High

None

None

8.0.0-8.1.0, 8.2.0-8.2.3

CVE-2021-43859

Oracle Communications Diameter Intelligence Hub

Visualization, Database (XStream)

HTTP

Yes

7.5

Network

Low

None

None

Un-
changed

None

None

High

8.0.0-8.1.0, 8.2.0-8.2.3

CVE-2021-30468

Oracle Communications Diameter Intelligence Hub

Visualization, Mediation (Apache CXF)

SOAP

Yes

7.5

Network

Low

None

None

Un-
changed

None

None

High

8.0.0-8.1.0, 8.2.0-8.2.3

CVE-2021-42340

Oracle Communications Element Manager

Security (Apache Tomcat)

HTTP

Yes

7.5

Network

Low

None

None

Un-
changed

None

None

High

Prior to 9.0

CVE-2021-43859

Oracle Communications Policy Management

CMP (XStream)

HTTP

Yes

7.5

Network

Low

None

None

Un-
changed

None

None

High

12.6.0.0.0

CVE-2021-42340

Oracle Communications Session Report Manager

General (Apache Tomcat)

HTTP

Yes

7.5

Network

Low

None

None

Un-
changed

None

None

High

Prior to 9.0

CVE-2021-42340

Oracle Communications Session Route Manager

Third Party (Apache Tomcat)

HTTP

Yes

7.5

Network

Low

None

None

Un-
changed

None

None

High

Prior to 9.0

CVE-2020-25638

Oracle Communications Cloud Native Core Console

CNC Console (hibernate-core)

HTTP

Yes

7.4

Network

High

None

None

Un-
changed

High

High

None

1.9.0

CVE-2021-3712

Oracle Communications Cloud Native Core Console

CNC Console (OpenSSL)

HTTPS

Yes

7.4

Network

High

None

None

Un-
changed

High

None

High

1.9.0

CVE-2021-3712

Oracle Communications Cloud Native Core Security Edge Protection Proxy

SEPP (OpenSSL)

HTTP

Yes

7.4

Network

High

None

None

Un-
changed

High

None

High

1.7.0

CVE-2021-3712

Oracle Communications Cloud Native Core Unified Data Repository

UDR (OpenSSL)

HTTPS

Yes

7.4

Network

High

None

None

Un-
changed

High

None

High

1.15.0

CVE-2021-3712

Oracle Communications Session Border Controller

Security (OpenSSL)

TLS

Yes

7.4

Network

High

None

None

Un-
changed

High

None

High

8.4, 9.0

CVE-2021-3712

Oracle Communications Unified Session Manager

Security (OpenSSL)

TLS

Yes

7.4

Network

High

None

None

Un-
changed

High

None

High

8.2.5, 8.4.5

CVE-2021-3712

Oracle Enterprise Communications Broker

Security (OpenSSL)

TLS

Yes

7.4

Network

High

None

None

Un-
changed

High

None

High

3.2, 3.3

CVE-2021-3712

Oracle Enterprise Session Border Controller

Security (OpenSSL)

TLS

Yes

7.4

Network

High

None

None

Un-
changed

High

None

High

8.4, 9.0

CVE-2022-23181

Oracle Communications Cloud Native Core Policy

Policy (Apache Tomcat)

None

No

7.0

Local

High

Low

None

Un-
changed

High

High

High

1.15.0

CVE-2021-44832

Management Cloud Engine

Security (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

1.5.0

CVE-2021-44832

Oracle Communications Cloud Native Core Console

CNC Console (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

1.9.0

CVE-2021-44832

Oracle Communications Cloud Native Core Network Function Cloud Native Environment

DBTier (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

1.10.0

CVE-2021-44832

Oracle Communications Cloud Native Core Network Repository Function

OCNRF (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

1.15.0, 1.15.1

CVE-2021-44832

Oracle Communications Cloud Native Core Network Slice Selection Function

NSSF (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

1.8.0

CVE-2021-44832

Oracle Communications Cloud Native Core Policy

Policy (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

1.15.0

CVE-2021-44832

Oracle Communications Cloud Native Core Security Edge Protection Proxy

SEPP (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

1.7.0

CVE-2021-44832

Oracle Communications Cloud Native Core Service Communication Proxy

SCP (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

1.15.0

CVE-2021-44832

Oracle Communications Cloud Native Core Unified Data Repository

UDR (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

1.15.0

CVE-2021-44832

Oracle Communications EAGLE Element Management System

Platform (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

46.6

CVE-2021-44832

Oracle Communications EAGLE FTP Table Base Retrieval

Core (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

4.5

CVE-2021-44832

Oracle Communications Element Manager

Security (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

Prior to 9.0

CVE-2021-44832

Oracle Communications Evolved Communications Application Server

SDC,SCF (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

7.1

CVE-2021-44832

Oracle Communications Performance Intelligence Center (PIC) Software

Management (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

10.4.0.3

CVE-2021-44832

Oracle Communications Services Gatekeeper

OCSG common services - CORE (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

7.0.0.0.0

CVE-2021-44832

Oracle Communications Session Report Manager

General (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

Prior to 9.0

CVE-2021-44832

Oracle Communications Session Route Manager

Third Party (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

Prior to 9.0

CVE-2021-44832

Oracle Communications User Data Repository

Security (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

12.4

CVE-2021-44832

Oracle Communications WebRTC Session Controller

Admin console, LWPR (Apache Log4j)

HTTP

No

6.6

Network

High

High

None

Un-
changed

High

High

High

7.2.1

CVE-2021-43797

Oracle Communications Cloud Native Core Binding Support Function

Policy (Netty)

HTTP

Yes

6.5

Network

Low

None

Required

Un-
changed

None

High

None

1.11.0

CVE-2021-30129

Oracle Communications Cloud Native Core Console

CNC Console (Apache MINA SSHD)

HTTP

No

6.5

Network

Low

Low

None

Un-
changed

None

None

High

1.9.0

CVE-2021-43797

Oracle Communications Cloud Native Core Network Slice Selection Function

NSSF (Netty)

HTTP

Yes

6.5

Network

Low

None

Required

Un-
changed

None

High

None

1.8.0

CVE-2021-43797

Oracle Communications Cloud Native Core Policy

Policy (Netty)

HTTP

Yes

6.5

Network

Low

None

Required

Un-
changed

None

High

None

1.15.0

CVE-2019-3799

Oracle Communications Cloud Native Core Policy

Policy (Spring Cloud Config)

HTTP

Yes

6.5

Network

Low

None

Required

Un-
changed

High

None

None

1.15.0

CVE-2021-43797

Oracle Communications Cloud Native Core Security Edge Protection Proxy

SEPP (Netty)

HTTP

Yes

6.5

Network

Low

None

Required

Un-
changed

None

High

None

1.7.0

CVE-2021-43797

Oracle Communications Cloud Native Core Unified Data Repository

UDR (Netty)

HTTP

Yes

6.5

Network

Low

None

Required

Un-
changed

None

High

None

1.15.0

CVE-2022-23437

Oracle Communications Element Manager

Security (Apache Xerces-J)

HTTP

Yes

6.5

Network

Low

None

Required

Un-
changed

None

None

High

Prior to 9.0

CVE-2022-23437

Oracle Communications Session Report Manager

General (Apache Xerces-J)

HTTP

Yes

6.5

Network

Low

None

Required

Un-
changed

None

None

High

Prior to 9.0

CVE-2022-23437

Oracle Communications Session Route Manager

Third Party (Apache Xerces-J)

HTTP

Yes

6.5

Network

Low

None

Required

Un-
changed

None

None

High

Prior to 9.0

CVE-2021-39140

Oracle Communications Cloud Native Core Policy

Policy (XStream)

HTTP

No

6.3

Network

High

Low

None

Changed

None

None

High

1.14.0

CVE-2021-41184

Oracle Communications Interactive Session Recorder

Dashboard (jQueryUI)

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

6.4

CVE-2021-41184

Oracle Communications Operations Monitor

Mediation Engine (jQueryUI)

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

4.3, 4.4, 5.0

CVE-2021-2471

Oracle Communications Cloud Native Core Console

CNC Console (MySQL Connectors)

HTTP

No

5.9

Network

High

High

None

Un-
changed

High

None

High

1.9.0

CVE-2020-14340

Oracle Communications Cloud Native Core Console

CNC Console (XNIO)

HTTP

Yes

5.9

Network

High

None

None

Un-
changed

None

None

High

1.9.0

CVE-2020-1971

Oracle Communications Cloud Native Core Network Function Cloud Native Environment

OC-CNE (OpenSSL)

HTTPS

Yes

5.9

Network

High

None

None

Un-
changed

None

None

High

1.10.0

CVE-2021-2471

Oracle Communications Cloud Native Core Network Slice Selection Function

NSSF (MySQL)

TCP

No

5.9

Network

High

High

None

Un-
changed

High

None

High

1.8.0

CVE-2021-21409

Oracle Communications Cloud Native Core Policy

Policy (Netty)

HTTP

Yes

5.9

Network

High

None

None

Un-
changed

None

High

None

1.14.0

CVE-2021-38153

Oracle Communications Cloud Native Core Policy

Policy (Apache Kafka)

HTTP

Yes

5.9

Network

High

None

None

Un-
changed

High

None

None

1.15.0

CVE-2021-2471

Oracle Communications Cloud Native Core Policy

Policy (MySQL)

HTTP

No

5.9

Network

High

High

None

Un-
changed

High

None

High

1.15.0

CVE-2020-14340

Oracle Communications Cloud Native Core Policy

Policy (XNIO)

HTTP

Yes

5.9

Network

High

None

None

Un-
changed

None

None

High

1.14.0

CVE-2021-33880

Oracle Communications Cloud Native Core Policy

Policy (aaugustin websockets)

HTTP

Yes

5.9

Network

High

None

None

Un-
changed

High

None

None

1.14.0

CVE-2020-16135

Oracle Communications Cloud Native Core Policy

Policy (libssh)

HTTP

Yes

5.9

Network

High

None

None

Un-
changed

None

None

High

1.15.0

CVE-2021-2471

Oracle Communications Cloud Native Core Security Edge Protection Proxy

SEPP (MySQL)

TCP

No

5.9

Network

High

High

None

Un-
changed

High

None

High

1.7.0

CVE-2021-3572

Oracle Communications Cloud Native Core Network Function Cloud Native Environment

OC-CNE (python-pip)

HTTP

No

5.7

Network

Low

Low

Required

Un-
changed

None

High

None

1.10.0

CVE-2021-3572

Oracle Communications Cloud Native Core Policy

Policy (python-pip)

HTTP

No

5.7

Network

Low

Low

Required

Un-
changed

None

High

None

1.15.0

CVE-2021-36374

Oracle Communications Cloud Native Core Automated Test Suite

Automated Test Suite (Apache Ant)

None

No

5.5

Local

Low

None

Required

Un-
changed

None

None

High

1.9.0

CVE-2021-36374

Oracle Communications Cloud Native Core Binding Support Function

CNC BSF (Apache Ant)

None

No

5.5

Local

Low

None

Required

Un-
changed

None

None

High

1.11.0

CVE-2021-22569

Oracle Communications Cloud Native Core Console

CNC Console (protobuf-java)

None

No

5.5

Local

Low

None

Required

Un-
changed

None

None

High

1.9.0

CVE-2021-22569

Oracle Communications Cloud Native Core Network Repository Function

OCNRF (protobuf-java)

None

No

5.5

Local

Low

None

Required

Un-
changed

None

None

High

1.15.0, 1.15.1

CVE-2020-13434

Oracle Communications Cloud Native Core Policy

Policy (SQLite)

None

No

5.5

Local

Low

Low

None

Un-
changed

None

None

High

1.14.0

CVE-2020-15250

Oracle Communications Cloud Native Core Policy

Policy (JUnit)

None

No

5.5

Local

Low

None

Required

Un-
changed

High

None

None

1.14.0

CVE-2021-28168

Oracle Communications Cloud Native Core Policy

Policy (Eclipse Jersey)

None

No

5.5

Local

Low

Low

None

Un-
changed

High

None

None

1.15.0

CVE-2021-22569

Oracle Communications Cloud Native Core Policy

Policy (protobuf-java)

None

No

5.5

Local

Low

None

Required

Un-
changed

None

None

High

1.15.0

CVE-2021-28168

Oracle Communications Cloud Native Core Unified Data Repository

UDR (Eclipse Jersey)

None

No

5.5

Local

Low

Low

None

Un-
changed

High

None

None

1.15.0

CVE-2021-36374

Oracle Communications Diameter Intelligence Hub

Visualization (Apache Ant)

None

No

5.5

Local

Low

None

Required

Un-
changed

None

None

High

8.0.0-8.1.0, 8.2.0-8.2.3

CVE-2020-17521

Oracle Communications Diameter Signaling Router

API Gateway (Apache Groovy)

None

No

5.5

Local

Low

Low

None

Un-
changed

High

None

None

8.4.0.0

CVE-2022-20615

Oracle Communications Cloud Native Core Automated Test Suite

Automated Test Suite Framework (Jenkins Matrix Project)

HTTP

No

5.4

Network

Low

Low

Required

Changed

Low

Low

None

1.9.0

CVE-2021-20289

Oracle Communications Cloud Native Core Console

CNC Console (RESTEasy)

HTTP

Yes

5.3

Network

Low

None

None

Un-
changed

Low

None

None

1.9.0

CVE-2020-14155

Oracle Communications Cloud Native Core Policy

Policy (PCRE)

HTTP

Yes

5.3

Network

Low

None

None

Un-
changed

None

None

Low

1.15.0

CVE-2021-28169

Oracle Communications Cloud Native Core Policy

Policy (Eclipse Jetty)

HTTP

Yes

5.3

Network

Low

None

None

Un-
changed

Low

None

None

1.14.0

CVE-2021-28170

Oracle Communications Cloud Native Core Policy

Policy (Jakarta)

HTTP

Yes

5.3

Network

Low

None

None

Un-
changed

None

Low

None

1.14.0

CVE-2020-29582

Oracle Communications Cloud Native Core Policy

Policy (Kotlin)

HTTP

Yes

5.3

Network

Low

None

None

Un-
changed

Low

None

None

1.14.0

CVE-2020-8554

Oracle Communications Cloud Native Core Policy

Policy (Kubernetes)

HTTP

No

5.0

Network

High

Low

None

Un-
changed

Low

Low

Low

1.15.0

CVE-2021-22132

Oracle Communications Cloud Native Core Automated Test Suite

Automated Test Suite Framework (Elasticsearch)

HTTP

No

4.8

Network

High

Low

Required

Un-
changed

High

None

None

1.8.0

CVE-2021-29425

Oracle Communications Cloud Native Core Policy

Policy (Apache Commons IO)

HTTP

Yes

4.8

Network

High

None

None

Un-
changed

Low

Low

None

1.14.0

CVE-2021-29425

Oracle Communications Diameter Intelligence Hub

Database (Apache Commons IO)

Oracle Net

Yes

4.8

Network

High

None

None

Un-
changed

Low

Low

None

8.0.0-8.1.0, 8.2.0-8.2.3

CVE-2021-29425

Oracle Communications Policy Management

CMP (Apache Commons IO)

HTTP

Yes

4.8

Network

High

None

None

Un-
changed

Low

Low

None

12.5.0.0.0

CVE-2021-3521

Oracle Communications Cloud Native Core Network Function Cloud Native Environment

OC-CNE (rpm)

None

No

4.4

Local

High

Low

Required

Un-
changed

None

High

None

1.10.0

CVE-2022-20613

Oracle Communications Cloud Native Core Automated Test Suite

Automated Test Suite (Jenkins Mailer)

HTTP

Yes

4.3

Network

Low

None

Required

Un-
changed

None

Low

None

1.9.0

CVE-2022-20612

Oracle Communications Cloud Native Core Automated Test Suite

Automated Test Suite Framework (Jenkins)

HTTP

Yes

4.3

Network

Low

None

Required

Un-
changed

None

Low

None

1.9.0

CVE-2021-22096

Oracle Communications Cloud Native Core Console

CNC Console (Spring boot)

HTTP

No

4.3

Network

Low

Low

None

Un-
changed

None

Low

None

1.9.0

CVE-2021-22096

Oracle Communications Cloud Native Core Service Communication Proxy

SCP (Spring Framework)

HTTP

No

4.3

Network

Low

Low

None

Un-
changed

None

Low

None

1.15.0

CVE-2021-3200

Oracle Communications Cloud Native Core Policy

Signaling (libsolv)

None

No

3.3

Local

Low

None

Required

Un-
changed

None

None

Low

1.15.0

Additional CVEs addressed are:

  • The patch for CVE-2017-1000353 also addresses CVE-2018-1000067, CVE-2018-1000068, CVE-2018-1000192, CVE-2018-1000193, CVE-2018-1000194, CVE-2018-1000195, CVE-2018-1999001, CVE-2018-1999002, CVE-2018-1999003, CVE-2018-1999004, CVE-2018-1999005, CVE-2018-1999007, CVE-2018-6356, CVE-2019-1003049, CVE-2019-1003050, CVE-2019-10383, and CVE-2019-10384.
  • The patch for CVE-2019-16789 also addresses CVE-2019-16785, CVE-2019-16786, and CVE-2019-16792.
  • The patch for CVE-2019-18276 also addresses CVE-2021-27568.
  • The patch for CVE-2020-10878 also addresses CVE-2020-10543, and CVE-2020-12723.
  • The patch for CVE-2020-13434 also addresses CVE-2020-15358.
  • The patch for CVE-2020-35198 also addresses CVE-2020-28895.
  • The patch for CVE-2020-36242 also addresses CVE-2020-25659.
  • The patch for CVE-2020-8231 also addresses CVE-2020-8284, CVE-2020-8285, and CVE-2020-8286.
  • The patch for CVE-2021-21409 also addresses CVE-2021-21295.
  • The patch for CVE-2021-22132 also addresses CVE-2021-22134, CVE-2021-22144, and CVE-2021-22145.
  • The patch for CVE-2021-22946 also addresses CVE-2021-22897, CVE-2021-22898, CVE-2021-22901, CVE-2021-22947, and CVE-2021-33560.
  • The patch for CVE-2021-28169 also addresses CVE-2019-10247.
  • The patch for CVE-2021-30468 also addresses CVE-2021-22696, and CVE-2021-40690.
  • The patch for CVE-2021-32626 also addresses CVE-2021-32627, CVE-2021-32628, CVE-2021-32672, CVE-2021-32675, CVE-2021-32687, CVE-2021-32762, and CVE-2021-41099.
  • The patch for CVE-2021-3518 also addresses CVE-2019-20388, CVE-2020-24977, CVE-2020-7595, CVE-2021-3517, and CVE-2021-3537.
  • The patch for CVE-2021-35515 also addresses CVE-2021-35516, CVE-2021-35517, and CVE-2021-36090.
  • The patch for CVE-2021-35574 also addresses CVE-2019-13750, CVE-2019-13751, CVE-2019-18218, CVE-2019-19603, CVE-2019-20838, CVE-2019-5827, CVE-2020-13435, CVE-2020-14155, CVE-2021-20231, CVE-2021-20232, CVE-2021-23840, CVE-2021-23841, CVE-2021-27645, CVE-2021-33574, CVE-2021-3445, CVE-2021-3580, CVE-2021-35942, CVE-2021-36084, CVE-2021-36085, CVE-2021-36086, and CVE-2021-36087.
  • The patch for CVE-2021-3572 also addresses CVE-2019-20916.
  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516, and CVE-2021-35517.
  • The patch for CVE-2021-36374 also addresses CVE-2021-36373.
  • The patch for CVE-2021-3712 also addresses CVE-2021-3711.
  • The patch for CVE-2021-39153 also addresses CVE-2021-39139, CVE-2021-39140, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152, CVE-2021-39154, and CVE-2021-43859.
  • The patch for CVE-2021-41184 also addresses CVE-2021-41182, and CVE-2021-41183.
  • The patch for CVE-2021-44790 also addresses CVE-2021-44224.
  • The patch for CVE-2021-44832 also addresses CVE-2021-45105.
  • The patch for CVE-2022-20613 also addresses CVE-2022-20614.
  • The patch for CVE-2022-22965 also addresses CVE-2022-22963.
  • The patch for CVE-2022-23305 also addresses CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Communications Cloud Native Core Policy
    • Policy (Apache Santuario XML Security For Java): CVE-2021-40690.
    • Policy (Spring Integration): CVE-2020-5413.
  • Oracle Communications EAGLE Application Processor
    • Platform (Perl): CVE-2020-10878, CVE-2020-10543 and CVE-2020-12723.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Construction and Engineering. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| CVE-2021-23450 | Primavera Unifier | Platform (dojo) | HTTP | No | 7.6 | Network | Low | Low | None | Unchanged | Low | Low | High | 17.7-17.12, 18.8, 19.12, 20.12, 21.12 |
| CVE-2021-44832 | Instantis EnterpriseTrack | Logging (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 17.1, 17.2, 17.3 |
| CVE-2021-41184 | Primavera Unifier | User Interface (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 17.7-17.12, 18.8, 19.12, 20.12, 21.12 |

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle E-Business Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2022 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2022), My Oracle Support Note 2484000.1.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| CVE-2022-23305 | Oracle E-Business Suite Cloud Manager and Cloud Backup Module | Logging (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | EBS Cloud Manager and Backup Module: Prior to 22.1.1.1 |
| CVE-2021-44832 | Oracle E-Business Suite Information Discovery | Logging (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | Enterprise Information Discovery: 7-9 | See Note 1 |
| CVE-2021-44832 | Oracle Enterprise Command Center Framework | Logging (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | Enterprise Command Center: 7.0 | See Note 1 |
| CVE-2022-21468 | Oracle Applications Framework | Popups | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.4-12.2.11 |
| CVE-2022-21477 | Oracle Applications Framework | Attachments, File Upload | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 12.2.6-12.2.11 |

Notes:

  1. Oracle E-Business Suite version is 12.2.

Additional CVEs addressed are:

  • The patch for CVE-2022-23305 also addresses CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307.

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 10 new security patches for Oracle Enterprise Manager. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2022 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2022 Patch Availability Document for Oracle Products, My Oracle Support Note 2844807.1.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| CVE-2022-23305 | Enterprise Manager Base Platform | Oracle Management Service (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.4.0.0, 13.5.0.0 |
| CVE-2018-1285 | Oracle Application Testing Suite | Load Testing for Web Apps (Apache log4net) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.3.0.1 |
| CVE-2021-40438 | Enterprise Manager Ops Center | User Interface (Apache HTTP Server) | HTTP | Yes | 9.0 | Network | High | None | None | Changed | High | High | High | 12.4.0.0 |
| CVE-2021-3518 | Enterprise Manager Base Platform | Enterprise Manager Install (libxml2) | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 13.4.0.0, 13.5.0.0 |
| CVE-2021-2351 | Enterprise Manager Ops Center | Networking (OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 12.4.0.0 |
| CVE-2021-3450 | Enterprise Manager for Storage Management | Privilege Management (OpenSSL) | HTTPS | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 13.4.0.0 |
| CVE-2021-44832 | Enterprise Manager Base Platform | Enterprise Manager Install (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 13.4.0.0, 13.5.0.0 |
| CVE-2021-44832 | Enterprise Manager for Peoplesoft | PSEM Plugin (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 13.4.1.1, 13.5.1.1 |
| CVE-2021-44832 | Enterprise Manager Ops Center | Networking (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 12.4.0.0 |
| CVE-2022-21469 | Enterprise Manager Base Platform | UI Framework | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 13.4.0.0, 13.5.0.0 |

Additional CVEs addressed are:

  • The patch for CVE-2021-3450 also addresses CVE-2020-1971, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841, and CVE-2021-3449.
  • The patch for CVE-2021-3518 also addresses CVE-2019-20388, CVE-2020-24977, CVE-2020-7595, CVE-2021-3517, and CVE-2021-3537.
  • The patch for CVE-2022-23305 also addresses CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 41 new security patches for Oracle Financial Services Applications. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| CVE-2022-22965 | Oracle Financial Services Analytical Applications Infrastructure | Others (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1.1.0, 8.1.2.0 |
| CVE-2022-22965 | Oracle Financial Services Behavior Detection Platform | BD (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1.1.0, 8.1.1.1, 8.1.2.0 |
| CVE-2022-22965 | Oracle Financial Services Enterprise Case Management | Installers (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1.1.0, 8.1.1.1, 8.1.2.0 |
| CVE-2022-23305 | Oracle Financial Services Revenue Management and Billing | Infrastructure (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.7.0.0, 2.7.0.1, 2.8.0.0 |
| CVE-2021-2351 | Oracle Banking Enterprise Default Management | Collections (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 2.10.0, 2.12.0 |
| CVE-2021-2351 | Oracle Banking Platform | Security (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 2.6.2, 2.7.1, 2.12.0 |
| CVE-2021-36090 | Oracle Banking Payments | Infrastructure (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.5 |
| CVE-2021-36090 | Oracle Banking Trade Finance | Infrastructure (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.5 |
| CVE-2021-37714 | Oracle Banking Trade Finance | Infrastructure (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.5 |
| CVE-2021-36090 | Oracle Banking Treasury Management | Infrastructure (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.5 |
| CVE-2021-37714 | Oracle Banking Treasury Management | Infrastructure (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.5 |
| CVE-2021-36090 | Oracle FLEXCUBE Universal Banking | Infrastructure (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.4, 14.0-14.3, 14.5 |
| CVE-2021-37714 | Oracle FLEXCUBE Universal Banking | Infrastructure (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.0-14.3, 14.5 |
| CVE-2021-44832 | Oracle Banking Deposits and Lines of Credit Servicing | Web UI (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 2.12.0 |
| CVE-2021-44832 | Oracle Banking Enterprise Default Management | Collections (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 2.7.1, 2.12.0 |
| CVE-2021-44832 | Oracle Banking Loans Servicing | Web UI (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 2.12.0 |
| CVE-2021-44832 | Oracle Banking Party Management | Web UI (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 2.7.0 |
| CVE-2021-44832 | Oracle Banking Payments | Infrastructure (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 14.5 |
| CVE-2021-44832 | Oracle Banking Platform | SECURITY (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 2.6.2, 2.7.1, 2.12.0 |
| CVE-2021-44832 | Oracle Banking Trade Finance | Infrastructure (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 14.5 |
| CVE-2021-44832 | Oracle Banking Treasury Management | Infrastructure (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 14.5 |
| CVE-2021-44832 | Oracle FLEXCUBE Universal Banking | Infrastructure (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 11.83.3, 12.1-12.4, 14.0-14.3, 14.5 |
| CVE-2021-30129 | Oracle Banking Payments | Infrastructure (Apache MINA SSHD) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 14.5 |
| CVE-2021-30129 | Oracle Banking Trade Finance | Infrastructure (Apache MINA SSHD) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 14.5 |

CVE-2021-30129

Oracle Banking Treasury Management

Infrastructure (Apache MINA SSHD)

HTTP

No

6.5

Network

Low

Low

None

Un-
changed

None

None

High

14.5

CVE-2022-23437

Oracle Financial Services Analytical Applications Infrastructure

Others (Apache Xerces-J)

HTTP

Yes

6.5

Network

Low

None

Required

Un-
changed

None

None

High

8.0.6.0-8.0.9.0, 8.1.0.0-8.1.2.0

CVE-2022-23437

Oracle Financial Services Behavior Detection Platform

Third Party (Apache Xerces-J)

HTTP

Yes

6.5

Network

Low

None

Required

Un-
changed

None

None

High

8.0.6.0-8.0.8.0, 8.1.1.0, 8.1.1.1, 8.1.2.0

CVE-2022-23437

Oracle Financial Services Enterprise Case Management

Installers (Apache Xerces-J)

HTTP

Yes

6.5

Network

Low

None

Required

Un-
changed

None

None

High

8.0.7.1, 8.0.7.2, 8.0.8.0, 8.0.8.1, 8.1.1.0, 8.1.1.1

CVE-2021-30129

Oracle FLEXCUBE Universal Banking

Infrastructure (Apache MINA SSHD)

HTTP

No

6.5

Network

Low

Low

None

Un-
changed

None

None

High

14.0-14.3, 14.5

CVE-2022-21475

Oracle Banking Payments

Infrastructure

HTTP

No

5.9

Network

High

Low

Required

Un-
changed

Low

High

Low

14.5

CVE-2022-21474

Oracle Banking Trade Finance

Infrastructure

HTTP

No

5.9

Network

High

Low

Required

Un-
changed

Low

High

Low

14.5

CVE-2022-21473

Oracle Banking Treasury Management

Infrastructure

HTTP

No

5.9

Network

High

Low

Required

Un-
changed

Low

High

Low

14.5

CVE-2021-38153

Oracle Financial Services Analytical Applications Infrastructure

Others (Apache Kafka)

HTTP

Yes

5.9

Network

High

None

None

Un-
changed

High

None

None

8.0.6.0-8.0.9.0, 8.1.0.0-8.1.2.0

CVE-2021-38153

Oracle Financial Services Behavior Detection Platform

Third Party (Apache Kafka)

HTTP

Yes

5.9

Network

High

None

None

Un-
changed

High

None

None

8.0.6.0-8.0.8.0, 8.1.1.0, 8.1.1.1, 8.1.2.0

CVE-2021-38153

Oracle Financial Services Enterprise Case Management

Installers (Apache Kafka)

HTTP

Yes

5.9

Network

High

None

None

Un-
changed

High

None

None

8.0.7.1, 8.0.7.2, 8.0.8.0, 8.0.8.1, 8.1.1.0, 8.1.1.1

CVE-2022-21472

Oracle FLEXCUBE Universal Banking

Infrastructure

HTTP

No

5.9

Network

High

Low

Required

Un-
changed

Low

High

Low

12.4, 14.0-14.3, 14.5

CVE-2021-36374

Oracle Banking Trade Finance

Infrastructure (Apache Ant)

None

No

5.5

Local

Low

None

Required

Un-
changed

None

None

High

14.5

CVE-2021-31812

Oracle Banking Trade Finance

Infrastructure (Apache PDFBox)

None

No

5.5

Local

Low

None

Required

Un-
changed

None

None

High

14.5

CVE-2021-36374

Oracle Banking Treasury Management

Infrastructure (Apache Ant)

None

No

5.5

Local

Low

None

Required

Un-
changed

None

None

High

14.5

CVE-2021-31812

Oracle Banking Treasury Management

Infrastructure (Apache PDFBox)

None

No

5.5

Local

Low

None

Required

Un-
changed

None

None

High

14.5

CVE-2021-31812

Oracle FLEXCUBE Universal Banking

Infrastructure (Apache PDFBox)

None

No

5.5

Local

Low

None

Required

Un-
changed

None

None

High

14.0-14.3, 14.5

Additional CVEs addressed are:

  • The patch for CVE-2021-31812 also addresses CVE-2021-27807, CVE-2021-27906, and CVE-2021-31811.
  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516, and CVE-2021-35517.
  • The patch for CVE-2021-36374 also addresses CVE-2021-36373.
  • The patch for CVE-2021-38153 also addresses CVE-2021-26291.
  • The patch for CVE-2021-44832 also addresses CVE-2021-45105.
  • The patch for CVE-2022-23305 also addresses CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307.

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 54 new security patches plus additional third party patches noted below for Oracle Fusion Middleware. 41 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update April 2022 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2022 Patch Availability Document for Oracle Products, My Oracle Support Note 2853458.2.
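The Base Score column in each risk matrix is the CVSS v3.1 base score derived from the eight metric columns that follow it. The Python below is an added illustration, not part of Oracle's advisory: it recomputes that score and the corresponding vector string from a row's metric wording, and checks a handful of rows transcribed from this page against the published scores. The metric weights and the Roundup rule are those of the CVSS v3.1 specification. The rule it applies to the "Remote Exploit without Auth.?" column is an assumption that happens to match every row here, not a definition taken from the advisory.

```python
"""Recompute the CVSS v3.1 base score and vector for rows of an Oracle risk matrix.

Added example; not Oracle's code. Metric weights, the scope-dependent formulas
and the Roundup rule follow the CVSS v3.1 specification. SAMPLE_ROWS are
transcribed from the matrices on this page so the recomputation can be checked
against the published Base Score column.
"""
import math

# CVSS v3.1 metric weights, keyed by the wording used in the matrix columns.
AV = {"Network": 0.85, "Adjacent Network": 0.62, "Local": 0.55, "Physical": 0.20}
AC = {"Low": 0.77, "High": 0.44}
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}
# Privileges Required is weighted differently when Scope is Changed.
PR = {"Unchanged": {"None": 0.85, "Low": 0.62, "High": 0.27},
      "Changed": {"None": 0.85, "Low": 0.68, "High": 0.50}}
ABBREV = {"Network": "N", "Adjacent Network": "A", "Local": "L", "Physical": "P",
          "Low": "L", "High": "H", "None": "N", "Required": "R",
          "Unchanged": "U", "Changed": "C"}


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, computed in integer
    arithmetic as the specification's Appendix A prescribes."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a) -> float:
    """Base score for the eight metrics as they are worded in the matrix columns."""
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if scope == "Unchanged":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * AV[av] * AC[ac] * PR[scope][pr] * UI[ui]
    if impact <= 0:
        return 0.0
    if scope == "Unchanged":
        return roundup(min(impact + exploitability, 10))
    return roundup(min(1.08 * (impact + exploitability), 10))


def vector(av, ac, pr, ui, scope, c, i, a) -> str:
    """CVSS v3.1 vector string for the same eight metrics."""
    return ("CVSS:3.1/AV:{}/AC:{}/PR:{}/UI:{}/S:{}/C:{}/I:{}/A:{}"
            .format(*(ABBREV[m] for m in (av, ac, pr, ui, scope, c, i, a))))


def remote_without_auth(av, pr) -> bool:
    """Assumption (not taken from the advisory text): the matrix's 'Remote
    Exploit without Auth.?' column is Yes exactly when the flaw is reachable
    over a network (Network or Adjacent Network) with no privileges required.
    Every row on this page is consistent with that rule."""
    return av in ("Network", "Adjacent Network") and pr == "None"


# Rows transcribed from this page:
# (CVE, product, listed score, listed remote flag, AV, AC, PR, UI, Scope, C, I, A)
SAMPLE_ROWS = [
    ("CVE-2022-22965", "Oracle Financial Services Behavior Detection Platform", 9.8, "Yes",
     "Network", "Low", "None", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2021-2351", "Oracle Banking Platform", 8.3, "Yes",
     "Network", "High", "None", "Required", "Changed", "High", "High", "High"),
    ("CVE-2021-44832", "Oracle Banking Payments", 6.6, "No",
     "Network", "High", "High", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2021-30129", "Oracle Banking Payments", 6.5, "No",
     "Network", "Low", "Low", "None", "Unchanged", "None", "None", "High"),
    ("CVE-2022-21475", "Oracle Banking Payments", 5.9, "No",
     "Network", "High", "Low", "Required", "Unchanged", "Low", "High", "Low"),
    ("CVE-2021-36374", "Oracle Banking Trade Finance", 5.5, "No",
     "Local", "Low", "None", "Required", "Unchanged", "None", "None", "High"),
    ("CVE-2019-0227", "Oracle Internet Directory", 7.5, "Yes",
     "Adjacent Network", "High", "None", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2022-21453", "Oracle WebLogic Server", 6.1, "Yes",
     "Network", "Low", "None", "Required", "Changed", "Low", "Low", "None"),
    ("CVE-2021-41165", "Oracle WebCenter Portal", 5.4, "No",
     "Network", "Low", "Low", "Required", "Changed", "Low", "Low", "None"),
    ("CVE-2020-8908", "Oracle WebLogic Server", 3.3, "No",
     "Local", "Low", "Low", "None", "Unchanged", "Low", "None", "None"),
]


def check_rows(rows):
    """Return one (cve, product, listed, computed, vector, reason) entry for every
    row whose listed score or remote flag disagrees with its metrics; an empty
    list means the rows are internally consistent."""
    problems = []
    for cve, product, listed, remote, *metrics in rows:
        computed = base_score(*metrics)
        flag = "Yes" if remote_without_auth(metrics[0], metrics[2]) else "No"
        if computed != listed:
            problems.append((cve, product, listed, computed, vector(*metrics), "score"))
        if flag != remote:
            problems.append((cve, product, remote, flag, vector(*metrics), "remote flag"))
    return problems


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row[0], base_score(*row[4:]), vector(*row[4:]))
    print("discrepancies:", check_rows(SAMPLE_ROWS))
```

Because Roundup always rounds up, two rows with different metrics can share a score (the 6.5 rows with PR:Low and UI:None versus PR:None and UI:Required are one instance), so a score alone never identifies the vector; recompute from the metric columns rather than the other way round.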

Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-23305 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 5.9.0.0.0 | |
| CVE-2022-23305 | Oracle Business Intelligence Enterprise Edition | BI Platform Security (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-23305 | Oracle Business Intelligence Enterprise Edition | Storage Service Integration (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 | |
| CVE-2022-23305 | Oracle Business Process Management Suite | Runtime Engine (JBoss Enterprise Application Platform) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-21420 | Oracle Coherence | Core | T3 | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-39275 | Oracle HTTP Server | Web Listener (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-23305 | Oracle Identity Management Suite | Installer (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-23305 | Oracle Identity Manager Connector | General and Misc (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.5.0 | |
| CVE-2022-21445 | Oracle JDeveloper | ADF Faces | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-23305 | Oracle JDeveloper | Oracle JDeveloper (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0 | |
| CVE-2022-23305 | Oracle Middleware Common Libraries and Tools | Third Party Patch (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 | |
| CVE-2022-23305 | Oracle Tuxedo | Third Party Patch (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.2.0.0 | |
| CVE-2022-23305 | Oracle WebLogic Server | Centralized Third Party Jars (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2022-21404 | Helidon | Reactive WebServer | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 1.4.10, 2.0.0-RC1 | |
| CVE-2021-22901 | Oracle HTTP Server | SSL Module (cURL) | HTTPS | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-21497 | Oracle Web Services Manager | Web Services Security | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-21421 | Oracle Business Intelligence Enterprise Edition | Analytics Web General | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 5.5.0.0.0, 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-37714 | Oracle Business Process Management Suite | Installer (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2019-0227 | Oracle Internet Directory | Oracle Directory Services Manager (Apache Axis) | HTTP | Yes | 7.5 | Adjacent Network | High | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | See Note 1 |
| CVE-2021-40690 | Oracle Outside In Technology | Installation (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.5.5 | See Note 2 |
| CVE-2021-36090 | Oracle WebCenter Portal | Security Framework (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-37137 | Oracle WebCenter Portal | Security Framework (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-25649 | Oracle WebCenter Portal | Security Framework (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-37714 | Oracle WebCenter Portal | Security Framework (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-7226 | Oracle WebCenter Sites | WebCenter Sites (Cryptacular) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-21441 | Oracle WebLogic Server | Core | T3/IIOP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-44832 | Oracle Data Integrator | Runtime Java agent for ODI (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-44832 | Oracle Identity Management Suite | Installer (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-44832 | Oracle Identity Manager Connector | General and Misc (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 9.1.0 | |
| CVE-2021-44832 | Oracle JDeveloper | Oracle JDeveloper (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 12.2.1.4.0 | |
| CVE-2021-44832 | Oracle Managed File Transfer | MFT Runtime Server (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-44832 | Oracle WebCenter Portal | Security Framework (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-44832 | Oracle WebCenter Sites | Advanced UI (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-43797 | Helidon | Reactive WebServer (Netty) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | High | None | 1.4.10, 2.4.0 | |
| CVE-2021-30129 | Middleware Common Libraries and Tools | Enterprise Test Tools (Apache MINA SSHD and Apache MINA) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-43797 | Oracle Coherence | Configuration and Parsing (Netty) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | High | None | 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2020-24977 | Oracle HTTP Server | SSL Module (libxml2) | HTTPS | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | None | Low | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-44224 | Oracle HTTP Server | SSL Module (Apache HTTP Server) | HTTPS | Yes | 6.5 | Network | Low | None | None | Unchanged | None | Low | Low | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-23437 | Oracle WebLogic Server | Third Party Tools (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2022-21492 | Oracle Business Intelligence Enterprise Edition | Analytics Server | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.9.0.0.0 | |
| CVE-2022-21419 | Oracle Business Intelligence Enterprise Edition | Visual Analyzer | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.5.0.0.0, 5.9.0.0.0 | |
| CVE-2022-21448 | Oracle Business Intelligence Enterprise Edition | Visual Analyzer | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.9.0.0.0 | |
| CVE-2022-21453 | Oracle WebLogic Server | Console | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-41184 | Oracle WebLogic Server | Console, Samples (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2020-17521 | Oracle Business Process Management Suite | BPM Studio (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-31812 | Oracle WebCenter Portal | Security Framework (Apache PDFBox) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-28657 | Oracle WebCenter Portal | Security Framework (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-41165 | Oracle WebCenter Portal | Security Framework (CKEditor) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2018-11212 | Oracle Internet Directory | Oracle Directory Services Manager (libjpeg) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-33037 | Oracle Managed File Transfer | MFT Runtime Server (Apache Tomcat) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-28170 | Oracle WebLogic Server | Centralized Third Party Jars (JBoss Enterprise Application Platform) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 14.1.1.0.0 | |
| CVE-2021-29425 | Helidon | CDI support (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 1.4.7, 2.2.0 | |
| CVE-2021-29425 | Oracle WebCenter Portal | Security Framework (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-8908 | Oracle WebLogic Server | Third Party Tools (Guava) | None | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | 14.1.1.0.0 | |

Notes:

  1. The patch for CVE-2019-0227 also addresses CVE-2018-2601 for Oracle Internet Directory 12.2.1.4.0.
  2. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS Base Score depend on the software that uses Outside In Technology. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are:

  • The patch for CVE-2019-0227 also addresses CVE-2018-8032.
  • The patch for CVE-2020-24977 also addresses CVE-2021-22901, CVE-2021-39275, and CVE-2021-44224.
  • The patch for CVE-2020-25649 also addresses CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188, and CVE-2020-36189.
  • The patch for CVE-2021-28170 also addresses CVE-2020-10693.
  • The patch for CVE-2021-30129 also addresses CVE-2021-41973.
  • The patch for CVE-2021-31812 also addresses CVE-2021-31811.
  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516, and CVE-2021-35517.
  • The patch for CVE-2021-37137 also addresses CVE-2021-37136.
  • The patch for CVE-2021-41165 also addresses CVE-2021-41164.
  • The patch for CVE-2021-41184 also addresses CVE-2021-41182 and CVE-2021-41183.
  • The patch for CVE-2021-43797 also addresses CVE-2021-21409, CVE-2021-37136, and CVE-2021-37137.
  • The patch for CVE-2022-23305 also addresses CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle WebCenter Sites
    • WebCenter Sites (Bouncy Castle Java Library): CVE-2020-28052.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Health Sciences Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-3711 | Oracle Health Sciences InForm Publisher | Connector (OpenSSL) | TLS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.2.1.1, 6.3.1.1 | |
| CVE-2021-44832 | Oracle Health Sciences Empirica Signal | Logging (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 9.1.0.6, 9.2.0.0 | |
| CVE-2021-44832 | Oracle Health Sciences InForm | Cognos logging (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 6.2.1.1, 6.3.2.1, 7.0.0.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2021-3711 also addresses CVE-2021-3712 and CVE-2021-4160.
  • The patch for CVE-2021-44832 also addresses CVE-2021-45105.

Oracle HealthCare Applications Risk Matrix

This Critical Patch Update contains 10 new security patches for Oracle HealthCare Applications. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-23305 | Oracle Healthcare Data Repository | FHIR (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1.0 | |
| CVE-2021-36090 | Oracle Healthcare Data Repository | FHIR Commandline (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.1.0 | |
| CVE-2021-44832 | Oracle Health Sciences Information Manager | Record Locator (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 3.0.1-3.0.4 | |
| CVE-2021-44832 | Oracle Healthcare Data Repository | FHIR (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 8.1.1 | |
| CVE-2021-44832 | Oracle Healthcare Foundation | RPD Generation (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 7.3.0.1-7.3.0.4 | |
| CVE-2021-44832 | Oracle Healthcare Master Person Index | IHE (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 5.0.1 | |
| CVE-2021-44832 | Oracle Healthcare Translational Research | Datastudio (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 4.1.1 | |
| CVE-2021-33037 | Oracle Healthcare Translational Research | Datastudio (Apache Tomcat) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 4.1.0 | |
| CVE-2021-29425 | Oracle Health Sciences Information Manager | Health Policy Engine (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 3.0.1-3.0.4 | |
| CVE-2021-29425 | Oracle Healthcare Data Repository | FHIR Commandline (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 8.1.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516, and CVE-2021-35517.
  • The patch for CVE-2022-23305 also addresses CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Hospitality Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-13936 | Oracle Hospitality Token Proxy Service | TPS Service (Apache Velocity Engine) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 19.2 | |
| CVE-2021-37714 | Oracle Hospitality Token Proxy Service | TPS Service (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 19.2 | |
| CVE-2021-44832 | Oracle Hospitality Suite8 | Leisure (Apache Log4j) | TCP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 8.13.0, 8.14.0 | |
| CVE-2021-44832 | Oracle Hospitality Token Proxy Service | TPS Service (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 19.2 | |
| CVE-2021-44832 | Oracle Payment Interface | OPI Core (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 19.1, 20.3 | |
| CVE-2021-41184 | Oracle Hospitality Suite8 | WebConnect (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.10.2, 8.11.0-8.14.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2021-41184 also addresses CVE-2021-41182 and CVE-2021-41183.
  • The patch for CVE-2021-44832 also addresses CVE-2021-45105.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Hyperion. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-23305 | Oracle Hyperion Data Relationship Management | Installation/Configuration (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 11.2.8.0 | |
| CVE-2022-23305 | Oracle Hyperion Infrastructure Technology | Installation and Configuration (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 11.2.8.0 | |
| CVE-2021-44832 | Oracle Hyperion BI+ | Architect (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | Prior to 11.2.8.0 | |
| CVE-2021-44832 | Oracle Hyperion Data Relationship Management | Installation/Configuration (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | Prior to 11.2.8.0 | |
| CVE-2021-44832 | Oracle Hyperion Financial Management | Security (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | Prior to 11.2.8.0 | |
| CVE-2021-44832 | Oracle Hyperion Infrastructure Technology | Installation and Configuration (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | Prior to 11.2.8.0 | |
| CVE-2021-44832 | Oracle Hyperion Planning | Security (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | Prior to 11.2.8.0 | |
| CVE-2021-44832 | Oracle Hyperion Profitability and Cost Management | Install (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | Prior to 11.2.8.0 | |
| CVE-2021-44832 | Oracle Hyperion Tax Provision | Tax Provision (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | Prior to 11.2.8.0 | |
| CVE-2020-6950 | Oracle Hyperion Calculation Manager | General (Eclipse Mojarra) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | Prior to 11.2.8.0 | |
| CVE-2021-31812 | Oracle Hyperion Infrastructure Technology | Installation and Configuration (Apache PDFBox) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | Prior to 11.2.8.0 | |
| CVE-2020-7760 | Oracle Hyperion Data Relationship Management | Web Client - Unicode (CodeMirror) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Prior to 11.2.9.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2021-31812 also addresses CVE-2021-31811.
  • The patch for CVE-2022-23305 also addresses CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307.

Oracle iLearning Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-23437 | Oracle iLearning | Installation (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 6.2, 6.3 | |

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Insurance Applications. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-2351 | Oracle Documaker | Development Tools (JDBC, OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 12.6.0, 12.6.2-12.6.4, 12.7.0 | |
| CVE-2021-36090 | Oracle Insurance Policy Administration | Architecture (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.0.2, 11.1.0, 11.2.8, 11.3.0, 11.3.1 | |
| CVE-2021-44832 | Oracle Insurance Data Gateway | Security (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 1.0.1 | |
| CVE-2021-44832 | Oracle Insurance Insbridge Rating and Underwriting | Framework Administrator IBFA (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 5.2.0, 5.4.0-5.6.0, 5.6.1 | |
| CVE-2021-35043 | Oracle Insurance Policy Administration | Architecture (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.0.2, 11.1.0, 11.2.8, 11.3.0, 11.3.1 | |
| CVE-2021-29425 | Oracle Insurance Policy Administration | Architecture (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 11.0.2, 11.1.0, 11.2.8, 11.3.0, 11.3.1 | |
| CVE-2021-29425 | Oracle Insurance Rules Palette | Architecture (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 11.0.2, 11.1.0, 11.2.8, 11.3.0, 11.3.1 | |

Additional CVEs addressed are:

  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516, and CVE-2021-35517.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-0778 | Oracle GraalVM Enterprise Edition | Node (OpenSSL) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 | |
| CVE-2022-21449 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Libraries | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 | See Note 1 |
| CVE-2022-21476 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Libraries | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 | See Note 1 |
| CVE-2022-21426 | Oracle Java SE, Oracle GraalVM Enterprise Edition | JAXP | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 | See Note 1 |
| CVE-2022-21496 | Oracle Java SE, Oracle GraalVM Enterprise Edition | JNDI | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 | See Note 1 |
| CVE-2022-21434 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Libraries | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 | See Note 1 |
| CVE-2022-21443 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 | See Note 1 |

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Additional CVEs addressed are:

  • The patch for CVE-2022-0778 also addresses CVE-2021-44531, CVE-2021-44532, CVE-2021-44533, and CVE-2022-21824.
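The Base Score in each matrix is derived from the eight metric columns that follow it, so a reviewer can recompute it instead of trusting the number. The Python below is an added example, not part of the Oracle advisory: it maps the column words to the CVSS v3.1 weights, rebuilds the vector string in the form the advisory text uses (CVSS:3.1/AV:N/...), recomputes the base score with the specification's Roundup, and flags rows whose published score or "Remote Exploit without Auth.?" flag disagrees. The pipe-separated row layout, the sample rows (copied from this advisory), and the reading of that flag as AV:Network with PR:None are assumptions of the example.

```python
"""Recompute CVSS 3.1 base scores from the Risk Matrix columns (added example)."""

# Metric weights from the CVSS v3.1 specification, keyed by the words the
# matrix columns use.
AV = {"Network": 0.85, "Adjacent Network": 0.62, "Local": 0.55, "Physical": 0.2}
AC = {"Low": 0.77, "High": 0.44}
PR_UNCHANGED = {"None": 0.85, "Low": 0.62, "High": 0.27}
PR_CHANGED = {"None": 0.85, "Low": 0.68, "High": 0.50}
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}
ABBREV = {"Network": "N", "Adjacent Network": "A", "Local": "L", "Physical": "P",
          "Low": "L", "High": "H", "None": "N", "Required": "R",
          "Unchanged": "U", "Changed": "C"}


def roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, done in integers to avoid float noise."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (i // 10000 + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a):
    """CVSS 3.1 base score from the eight metric words of one matrix row."""
    changed = scope == "Changed"
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr_weight = (PR_CHANGED if changed else PR_UNCHANGED)[pr]
    exploitability = 8.22 * AV[av] * AC[ac] * pr_weight * UI[ui]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10))


def vector(av, ac, pr, ui, scope, c, i, a):
    """Vector string in the notation the advisory uses for each CVE."""
    return "CVSS:3.1/AV:{}/AC:{}/PR:{}/UI:{}/S:{}/C:{}/I:{}/A:{}".format(
        *(ABBREV[x] for x in (av, ac, pr, ui, scope, c, i, a)))


def remote_without_auth(av, pr):
    """'Remote Exploit without Auth.?' column; assumed here to mean AV:Network with PR:None."""
    return "Yes" if av == "Network" and pr == "None" else "No"


def check_row(row):
    """Verify one row laid out as: CVE# | Product | Component | Protocol | Remote |
    Base Score | AV | AC | PR | UI | Scope | C | I | A | Versions | Notes."""
    cells = [c.strip() for c in row.split("|")]
    metrics = cells[6:14]
    computed = base_score(*metrics)
    published = float(cells[5])
    return {
        "cve": cells[0],
        "vector": vector(*metrics),
        "computed": computed,
        "published": published,
        "score_ok": computed == published,
        "remote_ok": remote_without_auth(metrics[0], metrics[2]) == cells[4],
    }


# Constructed sample: rows copied from this advisory's matrices, including two
# Scope:Changed rows, which exercise the 1.08 factor and the changed-scope impact curve.
SAMPLE_ROWS = [
    "CVE-2022-21449 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Libraries | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 | See Note 1",
    "CVE-2021-2351 | JD Edwards EnterpriseOne Tools | Database and Comm SEC (OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Prior to 9.2.6.3 | -",
    "CVE-2022-21405 | OSS Support Tools | Oracle Explorer | None | No | 5.5 | Local | Low | High | Required | Changed | High | None | None | 18.3 | -",
    "CVE-2022-21484 | MySQL Cluster | Cluster: General | Multiple | No | 2.9 | Adjacent Network | High | High | Required | Unchanged | Low | None | Low | 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | -",
]


def check_all(rows=SAMPLE_ROWS):
    return [check_row(r) for r in rows]


if __name__ == "__main__":
    for r in check_all():
        status = "OK" if r["score_ok"] and r["remote_ok"] else "MISMATCH"
        print(r["cve"], r["vector"], r["computed"], status)
```

Run it over every row of a matrix after pasting the table into a file; a MISMATCH means either a transcription error in the row or a score that should be questioned, and the emitted vector is what to paste into a ticket or a scanner's exception record.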

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle JD Edwards. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-42013 | JD Edwards EnterpriseOne Tools | Upgrade SEC (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 9.2.6.0 | -
CVE-2021-3711 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure (OpenSSL) | JDENET | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 9.2.6.3 | -
CVE-2021-3711 | JD Edwards World Security | World Software Security (OpenSSL) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | A9.4 | -
CVE-2021-2351 | JD Edwards EnterpriseOne Tools | Database and Comm SEC (OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Prior to 9.2.6.3 | -
CVE-2021-2351 | JD Edwards EnterpriseOne Tools | Monitoring and Diagnostics SEC (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Prior to 9.2.6.3 | -
CVE-2022-21464 | JD Edwards EnterpriseOne Tools | Business Logic Infra SEC | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | Low | None | High | Prior to 9.2.6.3 | -
CVE-2021-32066 | JD Edwards EnterpriseOne Tools | E1 Dev Platform Tech-Cloud (Ruby) | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | Prior to 9.2.6.1 | -
CVE-2022-21409 | JD Edwards EnterpriseOne Tools | Web Runtime | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 9.2.6.3 | -

Additional CVEs addressed are:

  • The patch for CVE-2021-32066 also addresses CVE-2021-31799, and CVE-2021-31810.
  • The patch for CVE-2021-3711 also addresses CVE-2021-3712.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 43 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2022-23305 | MySQL Enterprise Monitor | Monitoring: General (Apache Log4j) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.29 and prior | -
CVE-2022-22965 | MySQL Enterprise Monitor | Monitoring: General (Spring Framework) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.29 and prior | -
CVE-2022-0778 | MySQL Connectors | Connector/C++ (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.28 and prior | -
CVE-2022-0778 | MySQL Connectors | Connector/ODBC (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.28 and prior | -
CVE-2021-42340 | MySQL Enterprise Monitor | Monitoring: General (Apache Tomcat) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.29 and prior | -
CVE-2022-0778 | MySQL Enterprise Monitor | Monitoring: General (OpenSSL) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.29 and prior | -
CVE-2021-22570 | MySQL Server | Server: Compiling (protobuf) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.28 and prior | -
CVE-2022-0778 | MySQL Server | Server: Packaging (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.7.37 and prior, 8.0.28 and prior | -
CVE-2022-0778 | MySQL Workbench | Workbench: libssh (OpenSSL) | MySQL Workbench | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.28 and prior | -
CVE-2022-23181 | MySQL Enterprise Monitor | Monitoring: General (Apache Tomcat) | Multiple | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 8.0.29 and prior | -
CVE-2021-44832 | MySQL Enterprise Monitor | Monitoring: General (Apache Log4j) | Multiple | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 8.0.29 and prior | -
CVE-2022-21454 | MySQL Server | Server: Group Replication Plugin | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.7.37 and prior, 8.0.28 and prior | -
CVE-2022-21482 | MySQL Cluster | Cluster: General | Multiple | No | 6.3 | Adjacent Network | High | High | Required | Unchanged | High | High | High | 8.0.28 and prior | -
CVE-2022-21483 | MySQL Cluster | Cluster: General | Multiple | No | 6.3 | Adjacent Network | High | High | Required | Unchanged | High | High | High | 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | -
CVE-2022-21489 | MySQL Cluster | Cluster: General | Multiple | No | 6.3 | Adjacent Network | High | High | Required | Unchanged | High | High | High | 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | -
CVE-2022-21490 | MySQL Cluster | Cluster: General | Multiple | No | 6.3 | Adjacent Network | High | High | Required | Unchanged | High | High | High | 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | -
CVE-2021-41184 | MySQL Enterprise Monitor | Monitoring: General (jQueryUI) | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.29 and prior | -
CVE-2022-21457 | MySQL Server | Server: PAM Auth Plugin | FIDO protocols | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 8.0.28 and prior | -
CVE-2022-21425 | MySQL Server | Server: DDL | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.28 and prior | -
CVE-2022-21440 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.28 and prior | -
CVE-2022-21459 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.28 and prior | -
CVE-2022-21478 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.28 and prior | -
CVE-2022-21479 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | Low | None | High | 8.0.28 and prior | -
CVE-2022-21418 | MySQL Server | InnoDB | MySQL Protocol | No | 5.0 | Network | High | High | None | Unchanged | None | Low | High | 8.0.28 and prior | -
CVE-2022-21417 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.37 and prior, 8.0.28 and prior | -
CVE-2022-21413 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.28 and prior | -
CVE-2022-21427 | MySQL Server | Server: FTS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.37 and prior, 8.0.28 and prior | -
CVE-2022-21412 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.28 and prior | -
CVE-2022-21414 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.28 and prior | -
CVE-2022-21435 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.28 and prior | -
CVE-2022-21436 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.28 and prior | -
CVE-2022-21437 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.28 and prior | -
CVE-2022-21438 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.28 and prior | -
CVE-2022-21452 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.28 and prior | -
CVE-2022-21462 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.28 and prior | -
CVE-2022-21415 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.28 and prior | -
CVE-2022-21451 | MySQL Server | InnoDB | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.7.37 and prior, 8.0.28 and prior | -
CVE-2022-21444 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.7.37 and prior, 8.0.28 and prior | -
CVE-2022-21460 | MySQL Server | Server: Logging | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 5.7.37 and prior, 8.0.28 and prior | -
CVE-2022-21484 | MySQL Cluster | Cluster: General | Multiple | No | 2.9 | Adjacent Network | High | High | Required | Unchanged | Low | None | Low | 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | -
CVE-2022-21485 | MySQL Cluster | Cluster: General | Multiple | No | 2.9 | Adjacent Network | High | High | Required | Unchanged | Low | None | Low | 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | -
CVE-2022-21486 | MySQL Cluster | Cluster: General | Multiple | No | 2.9 | Adjacent Network | High | High | Required | Unchanged | Low | None | Low | 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | -
CVE-2022-21423 | MySQL Server | InnoDB | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | None | None | Low | 8.0.28 and prior | -

Additional CVEs addressed are:

  • The patch for CVE-2021-41184 also addresses CVE-2021-41182, and CVE-2021-41183.
  • The patch for CVE-2022-23305 also addresses CVE-2019-17571, CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307.
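Deciding whether a deployment is in scope means reading the "Supported Versions Affected" column against the versions actually installed, and the column uses several clause shapes: "8.0.28 and prior", "5.7.37 and prior, 8.0.28 and prior", "Prior to 9.2.6.3", ranges such as "16.0.1-16.0.3", and plain release trains such as "8.58, 8.59". The Python below is an added example, not Oracle's code. It parses those clause forms under readings that are the example's own assumptions (an "X and prior" clause is taken to cover only the release line of X, so 5.7.38 is not caught by "8.0.28 and prior"), strips packaging suffixes such as the "-log" or "-0ubuntu..." that SELECT VERSION() returns, and applies the rows of this page's pipe layout to a constructed map of installed versions. Java-style "8u321" entries are not handled and raise.

```python
"""Match installed versions against 'Supported Versions Affected' clauses (added example)."""
import re

VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text):
    """Leading dotted numeric part of a version string: '8.0.28-log' -> (8, 0, 28)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("no dotted numeric version at start of %r" % text)
    return tuple(int(p) for p in m.group(0).split("."))


def clause_matches(installed, clause):
    """One comma-separated clause from the 'Supported Versions Affected' column.

    Readings assumed by this example (the advisory does not define them):
      '8.0.28 and prior'  - same release line (8.0.x) at patch level <= 28
      'Prior to 9.2.6.3'  - any version strictly below 9.2.6.3
      '16.0.1-16.0.3'     - inclusive range, compared at the precision of the bounds
      '8.58'              - a release train; 8.58.x matches
    """
    v = parse_version(installed)
    m = re.fullmatch(r"(\S+) and prior", clause)
    if m:
        top = parse_version(m.group(1))
        return (len(v) >= len(top)
                and v[:len(top) - 1] == top[:-1]
                and v[len(top) - 1] <= top[-1])
    m = re.fullmatch(r"Prior to (\S+)", clause)
    if m:
        return v < parse_version(m.group(1))
    m = re.fullmatch(r"(\S+)-(\S+)", clause)
    if m:
        lo, hi = parse_version(m.group(1)), parse_version(m.group(2))
        return lo <= v[:len(lo)] and v[:len(hi)] <= hi
    train = parse_version(clause)
    return v[:len(train)] == train


def is_affected(installed, affected_text):
    """True when any comma-separated clause of the column covers `installed`."""
    return any(clause_matches(installed, c.strip()) for c in affected_text.split(","))


# Constructed sample: three rows copied from the MySQL matrix above, in this
# page's pipe layout (cell 1 = Product, cell 14 = Supported Versions Affected).
ROWS = [
    "CVE-2022-0778 | MySQL Server | Server: Packaging (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.7.37 and prior, 8.0.28 and prior | -",
    "CVE-2022-21425 | MySQL Server | Server: DDL | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.28 and prior | -",
    "CVE-2022-21483 | MySQL Cluster | Cluster: General | Multiple | No | 6.3 | Adjacent Network | High | High | Required | Unchanged | High | High | High | 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | -",
]


def applicable_cves(rows, installed):
    """CVEs whose row names a product in `installed` ({product: version}) at an affected version."""
    hits = []
    for row in rows:
        cells = [c.strip() for c in row.split("|")]
        cve, product, versions = cells[0], cells[1], cells[14]
        if product in installed and is_affected(installed[product], versions):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed inventory: what SELECT VERSION() and ndb_mgmd --version might report.
    inventory = {"MySQL Server": "8.0.27-0ubuntu0.20.04.3", "MySQL Cluster": "7.6.22"}
    print(applicable_cves(ROWS, inventory))
```

The release-line reading matters for mixed fleets: a 5.7.38 server is newer than the 5.7.37 cut-off and must not be caught by the "8.0.28 and prior" clause just because 5 < 8. When a clause form you have not seen appears, let parse_version raise rather than silently report "not affected".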

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 14 new security patches for Oracle PeopleSoft. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-3518 | PeopleSoft Enterprise PeopleTools | PeopleSoft CDA (libxml2) | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 8.58 | -
CVE-2021-37714 | PeopleSoft Enterprise PeopleTools | Elastic Search (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.58, 8.59 | -
CVE-2021-40690 | PeopleSoft Enterprise PeopleTools | Security (Apache Santuario XML Security for Java) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.58, 8.59 | -
CVE-2021-44832 | PeopleSoft Enterprise PeopleTools | Security (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 8.58, 8.59 | -
CVE-2022-21447 | PeopleSoft Enterprise CS Academic Advisement | Advising Notes | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 9.2 | -
CVE-2021-43797 | PeopleSoft Enterprise PeopleTools | Elastic Search (Netty) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | High | None | 8.58, 8.59 | -
CVE-2022-21458 | PeopleSoft Enterprise PeopleTools | Navigation Pages, Portal, Query | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.58, 8.59 | -
CVE-2022-21470 | PeopleSoft Enterprise PeopleTools | Process Scheduler | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.58, 8.59 | -
CVE-2021-4160 | PeopleSoft Enterprise PeopleTools | Security (OpenSSL) | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 8.58, 8.59 | -
CVE-2022-21481 | PeopleSoft Enterprise FIN Cash Management | Financial Gateway | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.2 | -
CVE-2021-41165 | PeopleSoft Enterprise PeopleTools | Rich Text Editor (CKEditor) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 8.58, 8.59 | -
CVE-2022-21450 | PeopleSoft Enterprise PRTL Interaction Hub | My Links | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.1 | -
CVE-2021-44533 | PeopleSoft Enterprise PeopleTools | Elastic Search (Node.js) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 8.58, 8.59 | -
CVE-2020-8908 | PeopleSoft Enterprise PeopleTools | File Processing (Guava) | None | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | 8.58, 8.59 | -

Additional CVEs addressed are:

  • The patch for CVE-2021-3518 also addresses CVE-2019-20388, CVE-2020-24977, CVE-2020-7595, CVE-2021-3517, and CVE-2021-3537.
  • The patch for CVE-2021-41165 also addresses CVE-2021-41164.
  • The patch for CVE-2021-44533 also addresses CVE-2021-44531, CVE-2021-44532, and CVE-2022-21824.
  • The patch for CVE-2021-44832 also addresses CVE-2021-45105.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 30 new security patches for Oracle Retail Applications. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2022-22965 | Oracle Retail Xstore Point of Service | Xenvironment (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 20.0.1, 21.0.0 | -
CVE-2020-13936 | Oracle Retail Xstore Office Cloud Service | Configurator (Apache Velocity Engine) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1 | -
CVE-2021-39139 | Oracle Retail Xstore Point of Service | Xenvironment (XStream) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1 | -
CVE-2021-40690 | Oracle Retail Bulk Data Integration | BDI Job Scheduler (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 16.0.3 | -
CVE-2021-37714 | Oracle Retail Customer Management and Segmentation Foundation | Segment (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 17.0-19.0 | -
CVE-2021-40690 | Oracle Retail Financial Integration | PeopleSoft Integration Bugs (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | -
CVE-2021-40690 | Oracle Retail Integration Bus | RIB Kernal (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | -
CVE-2021-40690 | Oracle Retail Merchandising System | Foundation (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 16.0.3, 19.0.1 | -
CVE-2021-40690 | Oracle Retail Service Backbone | RSB Installation (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | -
CVE-2019-10086 | Oracle Retail Invoice Matching | Security (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 16.0.3 | -
CVE-2021-44832 | Oracle Retail Customer Insights | Other (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 15.0.2, 16.0.2 | -
CVE-2021-44832 | Oracle Retail Data Extractor for Merchandising | Installer (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 15.0.2, 16.0.2 | -
CVE-2021-44832 | Oracle Retail EFTLink | Installation (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 17.0.2, 18.0.1, 19.0.1, 20.0.1, 21.0.0 | -
CVE-2021-44832 | Oracle Retail Financial Integration | PeopleSoft Integration Bugs (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 | -
CVE-2021-44832 | Oracle Retail Integration Bus | RIB Kernal (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 | -
CVE-2021-44832 | Oracle Retail Merchandising System | Foundation (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 16.0.3, 19.0.1 | -
CVE-2021-44832 | Oracle Retail Service Backbone | RSB Installation (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 | -
CVE-2021-44832 | Oracle Retail Store Inventory Management | SIM Integration (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 14.0.4.13, 14.1.3.14, 14.1.3.5, 15.0.3.3, 15.0.3.8, 16.0.3.7 | -
CVE-2022-23437 | Oracle Retail Bulk Data Integration | BDI Job Scheduler (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 16.0.3 | -
CVE-2021-30129 | Oracle Retail Customer Management and Segmentation Foundation | Segment (Apache MINA SSHD) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 18.0, 19.0 | -
CVE-2022-23437 | Oracle Retail Extract Transform and Load | Mathematical Operators (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 13.2.8 | -
CVE-2022-23437 | Oracle Retail Financial Integration | PeopleSoft Integration Bugs (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | -
CVE-2022-23437 | Oracle Retail Integration Bus | RIB Kernal (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | -
CVE-2022-23437 | Oracle Retail Merchandising System | Foundation (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 16.0.3, 19.0.1 | -
CVE-2022-23437 | Oracle Retail Service Backbone | RSB Installation (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | -
CVE-2021-36374 | Oracle Retail EFTLink | Installation (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 19.0.1, 20.0.1 | -
CVE-2021-36374 | Oracle Retail Invoice Matching | Security (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 16.0.3 | -
CVE-2021-36374 | Oracle Retail Xstore Point of Service | Xenvironment (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1 | -
CVE-2021-31812 | Oracle Retail Xstore Point of Service | Xstore Office (Apache PDFbox) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1 | -
CVE-2021-34429 | Oracle Retail EFTLink | Framework (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 20.0.1 | -

Additional CVEs addressed are:

  • The patch for CVE-2021-31812 also addresses CVE-2021-27807, CVE-2021-27906, and CVE-2021-31811.
  • The patch for CVE-2021-36374 also addresses CVE-2021-36373.
  • The patch for CVE-2021-39139 also addresses CVE-2021-29505, CVE-2021-39140, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152, CVE-2021-39153, and CVE-2021-39154.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Supply Chain. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2022-23305 | Oracle Advanced Supply Chain Planning | MscObieeSrvlt (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1, 12.2 | -
CVE-2022-22965 | Oracle Product Lifecycle Analytics | Installer (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.6.1.0 | -
CVE-2021-42340 | Oracle Agile PLM | Security (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.3.6 | -
CVE-2021-44832 | Oracle Agile Engineering Data Management | Installation Issues (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 6.2.1.0 | -
CVE-2021-44832 | Oracle Agile PLM | Security (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 9.3.6 | -
CVE-2021-44832 | Oracle Agile PLM MCAD Connector | CAX Client (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 3.6 | -
CVE-2021-44832 | Oracle Autovue for Agile Product Lifecycle Management | Internal Operations (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 21.0.2 | -
CVE-2022-21467 | Oracle Agile PLM | Attachments | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 9.3.6 | -
CVE-2022-21480 | Oracle Transportation Management | User Interface | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 6.4.3, 6.5.1 | -
CVE-2021-41165 | Oracle Agile PLM | Security (CKEditor) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.3.6 | -
CVE-2021-29425 | Oracle Agile PLM | Security (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 9.3.6 | -

Additional CVEs addressed are:

  • The patch for CVE-2021-41165 also addresses CVE-2021-41164.
  • The patch for CVE-2021-44832 also addresses CVE-2021-45105.
  • The patch for CVE-2022-23305 also addresses CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307.

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Support Tools. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-30129 | OSS Support Tools | Diagnostic Assistant (Apache MINA SSHD) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 2.12.42 | -
CVE-2021-41973 | OSS Support Tools | Diagnostic Assistant (Apache MINA) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 2.12.42 | -
CVE-2022-21405 | OSS Support Tools | Oracle Explorer | None | No | 5.5 | Local | Low | High | Required | Changed | High | None | None | 18.3 | -

Oracle Systems Risk Matrix

This Critical Patch Update contains 20 new security patches for Oracle Systems. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-17195 | Oracle Solaris Cluster | Tools (Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4 | -
CVE-2021-39275 | Oracle ZFS Storage Appliance Kit | Operating System Image | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.8 | -
CVE-2021-2351 | Oracle StorageTek ACSLS | Software (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 8.5.1 | -
CVE-2021-2351 | Oracle StorageTek Tape Analytics (STA) | Application Server (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 2.4 | -
CVE-2022-21446 | Oracle Solaris | Utility | Multiple | Yes | 8.2 | Network | Low | None | None | Unchanged | Low | High | None | 11 | -
CVE-2020-11979 | Oracle StorageTek ACSLS | Software (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 8.5.1 | -
CVE-2020-11979 | Oracle StorageTek Tape Analytics (STA) | Core (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 2.4 | -
CVE-2020-6950 | Oracle Solaris Cluster | Tools (Eclipse Mojarra) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 4 | -
CVE-2020-5421 | Oracle StorageTek ACSLS | Software (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 8.5.1 | -
CVE-2019-3740 | Oracle StorageTek ACSLS | Software (RSA BSAFE Crypto-J) | HTTPS | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 8.5.1 | -
CVE-2020-11022 | Oracle StorageTek ACSLS | Software (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.5.1 | -
CVE-2022-21493 | Oracle Solaris | Kernel | None | No | 5.9 | Local | Low | Low | Required | Changed | None | None | High | 11 | -
CVE-2022-21461 | Oracle Solaris | Kernel | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 11 | -
CVE-2022-21463 | Oracle Solaris | Kernel | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 11 | -
CVE-2022-21416 | Oracle Solaris | Utility | None | No | 5.0 | Local | Low | Low | Required | Unchanged | None | High | None | 11 | -
CVE-2021-29425 | Oracle Solaris Cluster | Tools (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 4 | -
CVE-2022-21494 | Oracle Solaris | Kernel | None | No | 4.0 | Local | High | High | Required | Unchanged | None | None | High | 11 | -
CVE-2020-1968 | Oracle Ethernet Switch ES1-24 | Firmware (OpenSSL) | HTTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 1.3.1 | -
CVE-2020-1968 | Oracle Ethernet Switch TOR-72 | Firmware (OpenSSL) | HTTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 1.2.2 | -
CVE-2020-9488 | Oracle StorageTek ACSLS | Software (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.5.1 | -

Additional CVEs addressed are:

  • The patch for CVE-2019-3740 also addresses CVE-2019-3738, and CVE-2019-3739.
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2021-39275 also addresses CVE-2019-13038, CVE-2019-14822, CVE-2021-25219, CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-4034, CVE-2021-40438, CVE-2021-41617, CVE-2021-4181, CVE-2021-4182, CVE-2021-4183, CVE-2021-4184, CVE-2021-4185, CVE-2021-42717, CVE-2021-43395, CVE-2021-43818, CVE-2021-44224, CVE-2021-44790, CVE-2022-0391, CVE-2022-0778, CVE-2022-21271, CVE-2022-21375, CVE-2022-21384, CVE-2022-21439, CVE-2022-21446, CVE-2022-21461, CVE-2022-21463, CVE-2022-21493, CVE-2022-21494, CVE-2022-21716, CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943, CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, and CVE-2022-25315.

Oracle Taleo Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Taleo. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-44832 | Oracle Taleo Platform | Taleo Connect Client Installer (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | Prior to 22.1 | -

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Utilities Applications. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-44832 | Oracle Utilities Framework | General (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0 | -

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Virtualization. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-40438 | Oracle Secure Global Desktop | Web Server (Apache HTTP Server) | HTTP | Yes | 9.0 | Network | High | None | None | Changed | High | High | High | 5.6 | -
CVE-2022-21491 | Oracle VM VirtualBox | Core | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | Prior to 6.1.34 | See Note 1
CVE-2022-21465 | Oracle VM VirtualBox | Core | None | No | 6.7 | Local | Low | High | None | Changed | None | Low | High | Prior to 6.1.34 | -
CVE-2022-21471 | Oracle VM VirtualBox | Core | None | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | Prior to 6.1.34 | -
CVE-2022-21487 | Oracle VM VirtualBox | Core | None | No | 3.8 | Local | Low | Low | None | Changed | Low | None | None | Prior to 6.1.34 | -
CVE-2022-21488 | Oracle VM VirtualBox | Core | None | No | 3.8 | Local | Low | Low | None | Changed | None | Low | None | Prior to 6.1.34 | -

Notes:

  1. This vulnerability applies to Windows systems only.


Related news

RHSA-2022:1461: Red Hat Security Advisory: Logging Subsystem 5.4 - Red Hat OpenShift Security and Bug update

Logging Subsystem 5.4 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2022-0759: kubeclient: kubeconfig parsing error can lead to MITM attacks
  • CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter

CVE-2022-24874: Build software better, together

acs commons is an open source framework for AEM projects. ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in the `/apps/acs-commons/content/page-compare.html` endpoint via the `a` and `b` GET parameters. User input submitted via these parameters is not validated or sanitized. An attacker must provide a link to someone with access to AEM Author, and could potentially exploit this vulnerability to inject malicious JavaScript content into vulnerable form fields and execute it within the context of the victim's browser. The exploitation of this issue requires user interaction in order to be successful. This issue has been resolved in 5.2.0. There are no known workarounds for this issue.

RHSA-2022:1478: Red Hat Security Advisory: Satellite 6.9.9 Async Bug Fix Update

Updated Satellite 6.9 packages that fix several bugs are now available for Red Hat Satellite. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2021-27023: puppet: unsafe HTTP redirect

CVE-2022-24865: Fix must change password (#5638) · humhub/humhub@eb83de2

HumHub is an Open Source Enterprise Social Network. In affected versions users who are forced to change their password by an administrator may retrieve other users' data. This issue has been resolved by commit `eb83de20`. It is recommended that the HumHub is upgraded to 1.11.0, 1.10.4 or 1.9.4. There are no known workarounds for this issue.

RHSA-2022:1389: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP11 security update

Updated packages that provide Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Service Pack 11, fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2021-3516: libxml2: Use-after-free in xmlEncodeEntitiesInternal() in entities.c
  • CVE-2021-3517: libxml2: Heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c
  • CVE-2021-3518: libxml...

RHSA-2022:1390: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP11 security update

Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Service Pack 11 zip release for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, and Microsoft Windows is available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2021-3516: libxml2: Use-after-free in xmlEncodeEntitiesInternal() in entities.c
  • CVE-2021-3517: libxml2: Heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c
  • CVE-2021-3518: libxml2: Use-after-free in xmlXIncludeDoProcess() in xinc...

CVE-2022-0540: Jira Security Advisory 2022-04-20 | Atlassian Support

A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.

CVE-2022-26133: [BSERV-13173] Bitbucket Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2022-26133

SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.

CVE-2022-24861: fix some security bug (#103) · vran-dev/databasir@ca22a8f

Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has remote code execution vulnerability. JDBC drivers are not validated prior to use and may be provided by users of the system. This can lead to code execution by any basic user who has access to the system. Users are advised to upgrade. There are no known workarounds to this issue.

CVE-2022-24864: Remove presale join endpoint by DanielVF · Pull Request #617 · OriginProtocol/origin-website

Origin Protocol is a blockchain based project. The Origin Protocol project website allows for malicious users to inject malicious Javascript via a POST request to `/presale/join`. User-controlled data is passed with no sanitization to SendGrid and injected into an email that is delivered to the [email protected]. If the email recipient is using an email program that is susceptible to XSS, then that email recipient will receive an email that may contain malicious XSS. Regardless if the email recipient’s mail program has vulnerabilities or not, the hacker can at the very least inject malicious HTML that modifies the body content of the email. There are currently no known workarounds.

CVE-2022-24871: Shopware 6 - Security Updates

Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue.

CVE-2022-24862: Build software better, together

Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has Server-Side Request Forgery vulnerability. During the download verification process of a JDBC driver the corresponding JDBC driver download address will be downloaded first, but this address will return a response page with complete error information when accessing a non-existent URL. Attackers can take advantage of this feature for SSRF.

CVE-2022-24799: fix: Improve message rendering (#12748) · wireapp/wire-webapp@d144552

wire-webapp is the web application interface for the wire messaging service. Insufficient escaping in markdown “code highlighting” in the wire-webapp resulted in the possibility of injecting and executing arbitrary HTML code and thus also JavaScript. If a user receives and views such a malicious message, arbitrary code is injected and executed in the context of the victim. This allows the attacker to fully control the user account. Wire-desktop clients that are connected to a vulnerable wire-webapp version are also vulnerable to this attack. The issue has been fixed in wire-webapp 2022-03-30-production.0 and is already deployed on all Wire managed services. On-premise instances of wire-webapp need to be updated to docker tag 2022-03-30-production.0-v0.29.2-0-d144552 or wire-server 2022-03-30 (chart/4.8.0), so that their applications are no longer affected. There are no known workarounds for this issue. Patches: The issue has been fixed in wire-webapp 2022-03-30-production.0 an...

RHSA-2022:1455: Red Hat Security Advisory: kernel security, bug fix, and enhancement update

An update for kernel is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2021-4083: kernel: fget: check that the fd still exists after getting a ref to it
  • CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation
  • CVE-2022-25636: kernel: heap out of bounds write in nf_dup_netdev.c

RHSA-2022:1440: Red Hat Security Advisory: java-11-openjdk security, bug fix, and enhancement update

An update for java-11-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
  • CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
  • CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
  • CVE-2022-21476: OpenJDK: Defective ...

RHSA-2022:1463: Red Hat Security Advisory: Red Hat Single Sign-On 7.5.2 security update on RHEL 8

New Red Hat Single Sign-On 7.5.2 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2021-45105: log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern

RHSA-2022:1462: Red Hat Security Advisory: Red Hat Single Sign-On 7.5.2 security update on RHEL 7

New Red Hat Single Sign-On 7.5.2 packages are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2021-45105: log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern

Oracle releases massive Critical Patch Update containing 520 security patches

Oracle's April Critical Patch Update contains 520 new security patches. We spell out some of the most important vulnerabilities. The post Oracle releases massive Critical Patch Update containing 520 security patches appeared first on Malwarebytes Labs.

RHSA-2022:1469: Red Hat Security Advisory: Red Hat Single Sign-On 7.5.2 security update

A security update is now available for Red Hat Single Sign-On 7.5 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2021-45105: log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern

RHSA-2022:1363: Red Hat Security Advisory: OpenShift Container Platform 4.9.29 bug fix and security update

Red Hat OpenShift Container Platform release 4.9.29 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2022-24769: moby: Default inheritable capabilities for linux container should be empty

RHSA-2022:1442: Red Hat Security Advisory: java-11-openjdk security update

An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
  • CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
  • CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
  • CVE-2022-21476: OpenJDK: Defective ...

RHSA-2022:1445: Red Hat Security Advisory: java-17-openjdk security and bug fix update

An update for java-17-openjdk is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
  • CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
  • CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
  • CVE-2022-21449: OpenJDK: Improper E...

RHSA-2022:1441: Red Hat Security Advisory: java-11-openjdk security update

An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
  • CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
  • CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
  • CVE-2022-...

RHSA-2022:1443: Red Hat Security Advisory: java-11-openjdk security update

An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
  • CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
  • CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
  • CVE-2022-...

RHSA-2022:1444: Red Hat Security Advisory: java-11-openjdk security update

An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
  • CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
  • CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
  • ...

RHSA-2022:1336: Red Hat Security Advisory: OpenShift Container Platform 4.7.49 security update

Red Hat OpenShift Container Platform release 4.7.49 is now available with updates to packages and images that fix several bugs and add enhancements. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.49. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2022-0711: haproxy: Denial of service via set-cookie2 header

RHSA-2022:1370: Red Hat Security Advisory: OpenShift Container Platform 4.8.37 security and extras update

Red Hat OpenShift Container Platform release 4.8.37 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.37. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2022-24769: moby: Default inheritable capabilities for linux container should be empty

RHSA-2022:1357: Red Hat Security Advisory: OpenShift Container Platform 4.10.10 security and extras update

Red Hat OpenShift Container Platform release 4.10.10 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
  • CVE-2022-24769: moby: Default inheritable capabilities for linux container should be empty

CVE-2022-27629: MicroPayments – Paid Author Subscriptions, Content, Downloads, Membership

Cross-site request forgery (CSRF) vulnerability in 'MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership' versions prior to 1.9.6 allows a remote unauthenticated attacker to hijack the authentication of an administrator and perform unintended operation via unspecified vectors.

CVE-2022-24826: Build software better, together

On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. Similarly, if the malicious repository contains files named `..exe` and `cygpath.exe`, and `cygpath.exe` is not found in `PATH`, the `..exe` program will be executed when certain Git LFS commands are run. More generally, if the current working directory contains any file with a base name of `.` and a file extension from `PATHEXT` (except `.bat` and `.cmd`), and also contains another file with the same base name as a program Git LFS intends to execute (such as `git`, `cygpath`, or `uname`) and any file extension from `PATHEXT` (including `.bat` and `.cmd`), then, on Windows, when Git LFS attempts to execute the intended program the `..exe`, `..com`, etc., file will be executed instead, but only if the intended progra...

CVE-2022-24858: Upgrade Guide (v4) | NextAuth.js

next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.

CVE-2021-3101: Build software better, together

Hotdog, prior to v1.0.1, did not mimic the capabilities or the SELinux label of the target JVM process. This would allow a container to gain full privileges on the host, bypassing restrictions set on the container.

CVE-2022-21496: Oracle Critical Patch Update Advisory - April 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...

CVE-2022-28222: Reflected XSS in Spam protection, AntiSpam, FireWall by CleanTalk

The CleanTalk AntiSpam plugin <= 5.173 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter in `/lib/Cleantalk/ApbctWP/FindSpam/ListTable/Users.php`.

CVE-2022-1187: Changeset 2702715 for wp-youtube-live – WordPress Plugin Repository

The WordPress WP YouTube Live Plugin is vulnerable to Reflected Cross-Site Scripting via POST data found in the ~/inc/admin.php file which allows unauthenticated attackers to inject arbitrary web scripts in versions up to, and including, 1.7.21.

CVE-2022-1186: Changeset 2701343 for be-popia-compliant – WordPress Plugin Repository

The WordPress plugin Be POPIA Compliant exposed sensitive information to unauthenticated users consisting of site visitors' emails and usernames via an API route, in versions up to and including 1.1.5.

CVE-2022-1329: Changeset 2708766 for elementor/trunk/core/app/modules/onboarding/module.php – WordPress Plugin Repository

The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.

CVE-2022-24825: Build software better, together

Smokescreen is a simple HTTP proxy that fogs over naughty URLs. The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure. Smokescreen also offers an option to deny access to additional (e.g., external) URLs by way of a deny list. There was an issue in Smokescreen that made it possible to bypass the deny list feature by appending a dot to the end of user-supplied URLs, or by providing input in a different letter case. Recommended to upgrade Smokescreen to version 0.0.3 or later.

Rethinking Cyber-Defense Strategies in the Public-Cloud Age

Exploring what's next for public-cloud security, including top risks and how to implement better risk management.

CVE-2022-25648: Command Injection in git | CVE-2022-25648 | Snyk

The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
