Headline
CVE-2022-21403: Oracle Critical Patch Update Advisory - January 2022
Vulnerability in the Oracle Communications Operations Monitor product of Oracle Communications (component: Mediation Engine). Supported versions that are affected are 3.4, 4.2, 4.3, 4.4 and 5.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Operations Monitor. While the vulnerability is in Oracle Communications Operations Monitor, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Operations Monitor accessible data as well as unauthorized read access to a subset of Oracle Communications Operations Monitor accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Operations Monitor. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L).
No results found
Your search did not match any results.
We suggest you try the following to help find what you’re looking for:
- Check the spelling of your keyword search.
- Use synonyms for the keyword you typed, for example, try “application” instead of “software.”
- Try one of the popular searches shown below.
- Start a new search.
Trending Questions
Close
Description
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.
This Critical Patch Update contains 497 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at January 2022 Critical Patch Update: Executive Summary and Analysis.
Please note that on December 10, 2021, Oracle released a Security Alert for Apache Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046. Customers should review the Alert if they have not already done so.
Affected Products and Patch Information
Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.
Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.
Affected Products and Versions
Patch Availability Document
Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite, version 3.6
Oracle Supply Chain Products
Application Performance Management, versions 13.4.1.0, 13.5.1.0
Enterprise Manager
Big Data Spatial and Graph, versions prior to 23.1
Database
Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0
Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0
Enterprise Manager
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2410, prior to XCP3110
Systems
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Tools, versions prior to 9.2.6.1
JD Edwards
MySQL Cluster, versions 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
MySQL
MySQL Connectors, versions 8.0.27 and prior
MySQL
MySQL Server, versions 5.7.36 and prior, 8.0.27 and prior
MySQL
MySQL Workbench, versions 8.0.27 and prior
MySQL
Oracle Access Manager, versions 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle Agile Engineering Data Management, version 6.2.1.0
Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.6
Oracle Supply Chain Products
Oracle Agile PLM MCAD Connector, versions 3.4, 3.6
Oracle Supply Chain Products
Oracle Airlines Data Model, versions 12.1.1.0.0, 12.2.0.1.0
Oracle Airlines Data Model
Oracle Application Express, versions prior to 21.1.4
Database
Oracle Application Testing Suite, version 13.3.0.1
Enterprise Manager
Oracle Argus Analytics, versions 8.2.1, 8.2.2, 8.2.3
Health Sciences
Oracle Argus Insight, versions 8.2.1, 8.2.2, 8.2.3
Health Sciences
Oracle Argus Mart, versions 8.2.1, 8.2.2, 8.2.3
Health Sciences
Oracle Argus Safety, versions 8.2.1, 8.2.2, 8.2.3
Health Sciences
Oracle Banking APIs, versions 18.1-18.3, 19.1, 19.2, 20.1, 21.1
Contact Support
Oracle Banking Deposits and Lines of Credit Servicing, version 2.12.0
Contact Support
Oracle Banking Digital Experience, versions 17.2, 18.1-18.3, 19.1, 19.2, 20.1, 21.1
Contact Support
Oracle Banking Enterprise Default Management, versions 2.3.0-2.4.1, 2.6.2, 2.7.0, 2.7.1, 2.10.0, 2.12.0
Oracle Banking Platform
Oracle Banking Loans Servicing, version 2.12.0
Contact Support
Oracle Banking Party Management, version 2.7.0
Oracle Banking Platform
Oracle Banking Platform, versions 2.3.0-2.4.1, 2.6.2, 2.7.0, 2.7.1
Oracle Banking Platform
Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle Business Activity Monitoring, versions 12.2.1.4.0, 12.2.1.5.0
Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle Clinical, versions 5.2.1, 5.2.2
Health Sciences
Oracle Commerce Guided Search, version 11.3.2
Oracle Commerce
Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2
Oracle Commerce
Oracle Communications Billing and Revenue Management, versions 12.0.0.3, 12.0.0.4
Oracle Communications Billing and Revenue Management
Oracle Communications BRM - Elastic Charging Engine, versions 11.3, 12.0
Oracle Communications BRM - Elastic Charging Engine
Oracle Communications Calendar Server, version 8.0.0.5.0
Oracle Communications Calendar Server
Oracle Communications Cloud Native Core Automated Test Suite, version 1.8.0
Oracle Communications Cloud Native Core Automated Test Suite
Oracle Communications Cloud Native Core Binding Support Function, versions 1.9.0, 1.10.0
Oracle Communications Cloud Native Core Binding Support Function
Oracle Communications Cloud Native Core Console, version 1.7.0
Communications Cloud Native Core Console
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, version 1.9.0
Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Oracle Communications Cloud Native Core Network Repository Function, version 1.14.0
Oracle Communications Cloud Native Core Network Repository Function
Oracle Communications Cloud Native Core Policy, version 1.14.0
Communications Cloud Native Core Policy
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 1.5.0, 1.6.0, 1.15.0
Communications Cloud Native Core Security Edge Protection Proxy
Oracle Communications Cloud Native Core Service Communication Proxy, version 1.14.0
Communications Cloud Native Core Service Communication Proxy
Oracle Communications Cloud Native Core Unified Data Repository, version 1.14.0
Communications Cloud Native Core Unified Data Repository
Oracle Communications Contacts Server, version 8.0.0.3.0
Oracle Communications Contacts Server
Oracle Communications Convergence, version 3.0.2.2.0
Oracle Communications Convergence
Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0
Oracle Communications Convergent Charging Controller
Oracle Communications Data Model, versions 11.3.2.1.0, 11.3.2.2.0, 11.3.2.3.0, 12.1.0.1.0, 12.1.2.0.0
Oracle Communications Data Model
Oracle Communications Design Studio, versions 7.3.4, 7.3.5, 7.4.0, 7.4.1, 7.4.2
Oracle Communications Design Studio
Oracle Communications Diameter Signaling Router, versions 8.0.0.0-8.5.1.0
Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE Application Processor, versions 16.1-16.4
Oracle Communications EAGLE Application Processor
Oracle Communications Instant Messaging Server, version 10.0.1.5.0
Oracle Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder, versions 6.3, 6.4
Oracle Communications Interactive Session Recorder
Oracle Communications Messaging Server, version 8.1
Oracle Communications Messaging Server
Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0
Oracle Communications Network Charging and Control
Oracle Communications Network Integrity, versions 7.3.5, 7.3.6
Oracle Communications Network Integrity
Oracle Communications Offline Mediation Controller, version 12.0.0.3
Oracle Communications Offline Mediation Controller
Oracle Communications Operations Monitor, versions 3.4, 4.2, 4.3, 4.4, 5.0
Oracle Communications Operations Monitor
Oracle Communications Pricing Design Center, versions 12.0.0.3.0, 12.0.0.4.0
Oracle Communications Pricing Design Center
Oracle Communications Service Broker, version 6.2
Oracle Communications Service Broker
Oracle Communications Services Gatekeeper, version 7.0
Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions 8.2, 8.3, 8.4, 9.0
Oracle Communications Session Border Controller
Oracle Communications Unified Inventory Management, versions 7.3.0, 7.3.4, 7.3.5, 7.4.0, 7.4.1, 7.4.2, 7.5.0
Oracle Communications Unified Inventory Management
Oracle Communications WebRTC Session Controller, versions 7.2.0, 7.2.1
Oracle Communications WebRTC Session Controller
Oracle Data Integrator, versions 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 19c, 21c
Database
Oracle Demantra Demand Management, versions 12.2.6-12.2.11
Oracle Supply Chain Products
Oracle E-Business Suite, versions 12.2.3-12.2.11
Oracle E-Business Suite
Oracle Enterprise Communications Broker, version 3.3
Oracle Enterprise Communications Broker
Oracle Enterprise Data Quality, versions 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle Enterprise Session Border Controller, versions 8.4, 9.0
Oracle Enterprise Session Border Controller
Oracle Essbase, versions prior to 11.1.2.4.47, prior to 21.3
Database
Oracle Essbase Administration Services, versions prior to 11.1.2.4.47
Database
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7-8.1.1
Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Behavior Detection Platform, versions 8.0.7, 8.0.8, 8.1.1
Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Enterprise Case Management, versions 8.0.7, 8.0.8, 8.1.1
Oracle Financial Services Enterprise Case Management
Oracle Financial Services Foreign Account Tax Compliance Act Management, versions 8.0.7, 8.0.8, 8.1.1
Contact Support
Oracle Financial Services Model Management and Governance, versions 8.0.8-8.1.1
Oracle Financial Services Model Management and Governance
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, versions 8.0.7, 8.0.8
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition
Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.4.0, 14.5.0
Contact Support
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0
Contact Support
Oracle Fusion Middleware, versions 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle Fusion Middleware MapViewer, version 12.2.1.4.0
Fusion Middleware
Oracle GoldenGate, versions prior to 12.3.0.1, prior to 19.1.0.0.220118, prior to 21.4.0.0.0, prior to 21.5.0.0.220118
Database
Oracle GraalVM Enterprise Edition, versions 20.3.4, 21.3.0
Java SE
Oracle Graph Server and Client, versions prior to 21.4
Database
Oracle Health Sciences Clinical Development Analytics, version 4.0.1
Health Sciences
Oracle Health Sciences InForm CRF Submit, version 6.2.1
Health Sciences
Oracle Health Sciences Information Manager, versions 3.0.2, 3.0.3
HealthCare Applications
Oracle Healthcare Data Repository, versions 7.0.2, 8.1.0, 8.1.1
HealthCare Applications
Oracle Healthcare Foundation, versions 7.3.0.0-7.3.0.2, 8.0.0-8.0.2, 8.1.0-8.1.1
HealthCare Applications
Oracle Healthcare Translational Research, version 4.1.0
HealthCare Applications
Oracle Hospitality Cruise Shipboard Property Management System, version 20.1.0
Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality OPERA 5, version 5.6
Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Reporting and Analytics, version 9.1.0
Oracle Hospitality Reporting and Analytics
Oracle Hospitality Suite8, versions 8.10.2, 8.11.0, 8.12.0, 8.13.0, 8.14.0
Oracle Hospitality Suite8
Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0, 12.2.1.5.0
Fusion Middleware
Oracle Hyperion Infrastructure Technology, version 11.2.7.0
Fusion Middleware
Oracle iLearning, versions 6.2, 6.3
iLearning
Oracle Insurance Data Gateway, versions 11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1
Oracle Insurance Applications
Oracle Insurance Insbridge Rating and Underwriting, versions 5.2.0, 5.4.0-5.6.0
Oracle Insurance Applications
Oracle Insurance Policy Administration, versions 11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1
Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0
Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0, 11.3.1
Oracle Insurance Applications
Oracle Java SE, versions 7u321, 8u311, 11.0.13, 17.1
Java SE
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle NoSQL Database, versions prior to 21.1.12
NoSQL Database
Oracle Policy Automation, versions 12.2.0-12.2.24
Oracle Policy Automation
Oracle Product Lifecycle Analytics, version 3.6.1
Oracle Supply Chain Products
Oracle Rapid Planning, versions 12.2.6-12.2.11
Oracle Supply Chain Products
Oracle Real User Experience Insight, versions 13.4.1.0, 13.5.1.0
Enterprise Manager
Oracle REST Data Services, versions prior to 21.2.4
Database
Oracle Retail Allocation, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
Retail Applications
Oracle Retail Analytics, version 21.0.1
Retail Applications
Oracle Retail Assortment Planning, version 16.0.3
Retail Applications
Oracle Retail Back Office, version 14.1
Retail Applications
Oracle Retail Central Office, version 14.1
Retail Applications
Oracle Retail Customer Insights, version 21.0.1
Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0-19.0
Retail Applications
Oracle Retail EFTLink, versions 16.0.3, 17.0.2, 18.0.1, 19.0.1, 20.0.1
Retail Applications
Oracle Retail Extract Transform and Load, version 13.2.8
Retail Applications
Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
Retail Applications
Oracle Retail Fiscal Management, version 14.2
Retail Applications
Oracle Retail Integration Bus, versions 14.1.3.0, 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1
Retail Applications
Oracle Retail Invoice Matching, versions 15.0.3, 16.0.3
Retail Applications
Oracle Retail Merchandising System, version 19.0.1
Retail Applications
Oracle Retail Order Broker, versions 16.0, 18.0, 19.1
Retail Applications
Oracle Retail Order Management System, version 19.5
Retail Applications
Oracle Retail Point-of-Service, version 14.1
Retail Applications
Oracle Retail Predictive Application Server, versions 14.1.3, 14.1.3.46, 15.0.3, 15.0.3.115, 16.0.3, 16.0.3.240
Retail Applications
Oracle Retail Price Management, versions 13.2, 14.0.4, 14.1, 14.1.3, 15, 15.0.3, 16, 16.0.3
Retail Applications
Oracle Retail Returns Management, version 14.1
Retail Applications
Oracle Retail Service Backbone, versions 14.1.3.0, 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1
Retail Applications
Oracle Retail Size Profile Optimization, version 16.0.3
Retail Applications
Oracle Retail Xstore Point of Service, versions 17.0.4, 18.0.3, 19.0.2, 20.0.1
Retail Applications
Oracle SD-WAN Aware, version 8.2
Oracle SD-WAN Aware
Oracle SD-WAN Edge, versions 9.0, 9.1
Oracle SD-WAN Edge
Oracle Secure Backup, versions prior to 18.1.0.1.0
Oracle Secure Backup
Oracle Solaris, versions 10, 11
Systems
Oracle Spatial Studio, versions prior to 21.2.1
Database
Oracle Thesaurus Management System, versions 5.2.3, 5.3.0, 5.3.1
Health Sciences
Oracle TimesTen In-Memory Database, versions prior to 11.2.2.8.27, prior to 21.1.1.1.0
Database
Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0
Oracle Utilities Applications
Oracle Utilities Testing Accelerator, versions 6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1
Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 6.1.32
Virtualization
Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle WebLogic Server, versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8
Systems
Oracle ZFS Storage Application Integration Engineering Software, version 1.3.3
Systems
OSS Support Tools, versions prior to 2.12.42
Oracle Support Tools
PeopleSoft Enterprise CS SA Integration Pack, versions 9.0, 9.2
PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.57, 8.58, 8.59
PeopleSoft
Primavera Analytics, versions 18.8.3.3, 19.12.11.1, 20.12.12.0
Oracle Construction and Engineering Suite
Primavera Data Warehouse, versions 18.8.3.3, 19.12.11.1, 20.12.12.0
Oracle Construction and Engineering Suite
Primavera Gateway, versions 17.12.0-17.12.11, 18.8.0-18.8.13, 19.12.0-19.12.12, 20.12.0-20.12.7, 21.12.0
Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 17.12.0.0-17.12.20.0, 18.8.0.0-18.8.24.0, 19.12.0.0-19.12.18.0, 20.12.0.0-20.12.12.0, 21.12.0.0
Oracle Construction and Engineering Suite
Primavera P6 Professional Project Management, versions 17.12.0.0-17.12.20.0, 18.8.0.0-18.8.24.0, 19.12.0.0-19.12.17.0, 20.12.0.0-20.12.9.0
Oracle Construction and Engineering Suite
Primavera Portfolio Management, versions 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0, 20.0.0.1
Oracle Construction and Engineering Suite
Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12, 21.12
Oracle Construction and Engineering Suite
Siebel Applications, versions 21.11 and prior
Siebel
Note:
- Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
- Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
- Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets which contain critical security fixes and detailed in Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
- Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
Risk Matrix Content
Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.
Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.
Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).
Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
Oracle lists updates that address vulnerabilities in third-party components that are not exploitable in the context of their inclusion in their respective Oracle product beneath the product’s risk matrix.
The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.
Workarounds
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
Skipped Critical Patch Updates
Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.
Critical Patch Update Supported Products and Versions
Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
Credit Statement
The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:
- Abdelrhman Yousri: CVE-2022-21246, CVE-2022-21402, CVE-2022-21403
- Alexander Kornbrust of Red Database Security: CVE-2022-21247
- Andrej Simko of Accenture: CVE-2022-21251
- Anonymous researcher working with Trend Micro’s Zero Day Initiative: CVE-2022-21279, CVE-2022-21280, CVE-2022-21284, CVE-2022-21285, CVE-2022-21286, CVE-2022-21287, CVE-2022-21288, CVE-2022-21289, CVE-2022-21290, CVE-2022-21307, CVE-2022-21308, CVE-2022-21309
- Aobo Wang of Chaitin Security Research Lab: CVE-2022-21295
- Dan Rabe: CVE-2022-21296
- Dinh Ho Anh Khoa of Viettel Cyber Security: CVE-2021-35684, CVE-2022-21306
- Fabian Meumertzheim of Code Intelligence: CVE-2022-21360, CVE-2022-21366
- Frederic Quenneville of videotron.com: CVE-2022-21338
- Hamed Ashraf: CVE-2022-21395, CVE-2022-21396, CVE-2022-21397, CVE-2022-21398, CVE-2022-21399, CVE-2022-21400, CVE-2022-21401
- Hans Christian Woithe: CVE-2021-43395
- Harold Siyu Zang of Trustwave: CVE-2022-21381, CVE-2022-21382, CVE-2022-21383
- Jeremy Nunn of Trustwave: CVE-2022-21383
- Jie Liang of WingTecher Lab of Tsinghua University: CVE-2022-21303, CVE-2022-21304
- Jingzhou Fu of WingTecher Lab of Tsinghua University: CVE-2022-21303, CVE-2022-21304
- Jonah T: CVE-2021-35685, CVE-2022-21371
- Jonni Passki of Apple Information Security: CVE-2022-21282
- Kun Yang of Chaitin Security Research Lab: CVE-2022-21295
- Liboheng of Tophant Starlight laboratory: CVE-2022-21261
- Longofo of Knownsec 404 Team: CVE-2022-21252, CVE-2022-21260
- Lucas Leong (wmliang) of Trend Micro Zero Day Initiative: CVE-2022-21310, CVE-2022-21311, CVE-2022-21312, CVE-2022-21313, CVE-2022-21314, CVE-2022-21315, CVE-2022-21316, CVE-2022-21317, CVE-2022-21318, CVE-2022-21319, CVE-2022-21320, CVE-2022-21321, CVE-2022-21322, CVE-2022-21323, CVE-2022-21324, CVE-2022-21325, CVE-2022-21326, CVE-2022-21327, CVE-2022-21328, CVE-2022-21329, CVE-2022-21330, CVE-2022-21331, CVE-2022-21332, CVE-2022-21333, CVE-2022-21334, CVE-2022-21335, CVE-2022-21336, CVE-2022-21337, CVE-2022-21355, CVE-2022-21356, CVE-2022-21357, CVE-2022-21380
- Markus Loewe: CVE-2022-21293, CVE-2022-21294
- Matei “Mal” Badanoiu: CVE-2022-21392
- osword from SGLAB of Legendsec at Qi’anxin Group: CVE-2022-21347
- peterjson - Security Engineering - VNG Corporation: CVE-2021-35587
- r00t4dm: CVE-2022-21252, CVE-2022-21257, CVE-2022-21258, CVE-2022-21259, CVE-2022-21260, CVE-2022-21261, CVE-2022-21262
- RE:HACK: CVE-2022-21373
- Reno Robert working with Trend Micro Zero Day Initiative: CVE-2022-21355, CVE-2022-21356, CVE-2022-21357, CVE-2022-21380
- Ryota Shiga (Ga_ryo_) of Flatt Security working with Trend Micro Zero Day Initiative: CVE-2022-21394
- Sander Meijering of HackDefense: CVE-2021-35685, CVE-2022-21371
- Thijmen Kooy of HackDefense: CVE-2021-35685, CVE-2022-21371
- thiscodecc of MoyunSec V-Lab: CVE-2022-21292, CVE-2022-21350, CVE-2022-21361
- Victor Rodriguez: CVE-2022-21364
- Yaoguang Chen of Ant Security Light-Year Lab: CVE-2022-21303, CVE-2022-21304
- Zhiqiang Zang of University of Texas at Austin: CVE-2022-21305
- Zhiyong Wu of WingTecher Lab of Tsinghua University: CVE-2022-21303, CVE-2022-21304
Security-In-Depth Contributors
Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.
In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program:
- Huixin Ma of Tencent.com [2 reports]
- Liying Wang
- Longofo of Knownsec 404 Team
- r00t4dm
- Robin Textor
On-Line Presence Security Contributors
Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.
For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:
- Abderrahmane Elghoul
- Abilash V L
- Abisheik M
- Adam Willard
- Aleena Avarachan
- Ali Alzahrani
- Aniket Nimkar
- Ashik Kunjumon
- B.Dhiyaneshwaran aka (Geek Freak) [2 reports]
- Dhanesh Sivasamy
- Dor Tumarkin, Principal Application Security Researcher at Checkmarx
- Gaurang Maheta [2 reports]
- Kishore Hariram
- Lidor Ben Shitrit from Orca Security
- Lokesh Rulz
- Malicious.Group
- Mohit Ahir
- N3td1v3r
- Nightwatch Cybersecurity Research
- peterjson - Security Engineering - VNG Corporation
- pinkflower
- Quan Doan of R&D Center - VinCSS LLC (a member of Vingroup)
- Rahul PS
- Rob Evans of Fortinet, Inc.
- Rounak Sharma
- Sakhare Vinayak
- Samprit Das (sampritdas8)
- Saptak Saha
- Shubham Choudhery
- Shuvam Adhikari [4 reports]
- Srikar V - exp1o1t9r
- Truffle Security Co
- Yeswanth Reddy
Critical Patch Update Schedule
Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 19 April 2022
- 19 July 2022
- 18 October 2022
- 17 January 2023
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Critical Patch Update - January 2022 Documentation Map
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
- English text version of the risk matrices
- CVRF XML version of the risk matrices
- Map of CVE to Advisory/Alert
- Oracle Lifetime support Policy
- JEP 290 Reference Blocklist Filter
Modification History
Date
Note
2022-January-18
Rev 1. Initial Release.
Oracle Database Products Risk Matrices
This Critical Patch Update contains 28 new security patches for Oracle Database Products divided as follows:
- 4 new security patches for Oracle Database Products
- 1 new security patch for Oracle Airlines Data Model
- 2 new security patches for Oracle Big Data Graph
- 1 new security patch for Oracle Communications Data Model
- 4 new security patches for Oracle Essbase
- 3 new security patches for Oracle GoldenGate
- 2 new security patches for Oracle Graph Server and Client
- 1 new security patch for Oracle NoSQL Database
- 2 new security patches for Oracle REST Data Services
- 2 new security patches for Oracle Secure Backup
- 1 new security patch for Oracle Spatial Studio
- 5 new security patches for Oracle TimesTen In-Memory Database
Oracle Database Server Risk Matrix
This Critical Patch Update contains 4 new security patches plus additional third party patches noted below for Oracle Database Products. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
CVE#
Component
Package and/or Privilege Required
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-37695
Oracle Application Express (CKEditor)
Valid User Account
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
Prior to 21.1.4
CVE-2022-21393
Java VM
Create Procedure
Oracle Net
No
4.3
Network
Low
Low
None
Un-
changed
None
None
Low
12.1.0.2, 12.2.0.1, 19c, 21c
CVE-2021-32723
Oracle Application Express (Prism)
Valid User Account
HTTP
No
3.5
Network
Low
Low
Required
Un-
changed
None
None
Low
Prior to 21.1.4
CVE-2022-21247
Core RDBMS
Create Session, Execute Catalog Role
Oracle Net
No
2.7
Network
Low
High
None
Un-
changed
Low
None
None
12.2.0.1, 19c
Additional CVEs addressed are:
- The patch for CVE-2021-37695 also addresses CVE-2021-32808 and CVE-2021-32809.
Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:
- Oracle Database Configuration Assistant (Apache Commons Compress): CVE-2021-36090, CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
- Oracle Spatial and Graph (Apache Log4j): CVE-2021-45105.
- Trace file analyzer (Apache Log4j): CVE-2021-45105.
- Workload Manager (Guava): CVE-2020-8908.
- Workload Manager (Jetty): CVE-2021-28165, CVE-2021-28169 and CVE-2021-34428.
Oracle Airlines Data Model Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle Airlines Data Model. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-2351
Oracle Airlines Data Model
Installation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
12.2.0.1.0, 12.1.1.0.0
Oracle Big Data Graph Risk Matrix
This Critical Patch Update contains 2 new security patches for Oracle Big Data Graph. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-2351
Big Data Spatial and Graph
Big Data Graph (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
Prior to 23.1
CVE-2021-30639
Big Data Spatial and Graph
Big Data Graph (Apache Tomcat)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
Prior to 23.1
Oracle Communications Data Model Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle Communications Data Model. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-2351
Oracle Communications Data Model
Utilities (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
11.3.2.2.0, 12.1.2.0.0, 12.1.0.1.0, 11.3.2.3.0, 11.3.2.1.0
Oracle Essbase Risk Matrix
This Critical Patch Update contains 4 new security patches plus additional third party patches noted below for Oracle Essbase. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-35683
Oracle Essbase Administration Services
EAS Console
HTTP
No
9.9
Network
Low
Low
None
Changed
High
High
High
Prior to 11.1.2.4.047
CVE-2021-3711
Oracle Essbase
Infrastructure (OpenSSL)
HTTPS
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
Prior to 11.1.2.4.047, Prior to 21.3
CVE-2021-22901
Oracle Essbase
Build (cURL)
HTTPS
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
Prior to 11.1.2.4.047, Prior to 21.3
CVE-2021-20718
Oracle Essbase
Infrastructure (mod_auth_openidc)
Multiple
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
Prior to 21.3
Additional CVEs addressed are:
- The patch for CVE-2021-22901 also addresses CVE-2021-22897 and CVE-2021-22898.
- The patch for CVE-2021-3711 also addresses CVE-2021-3712.
Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:
- Oracle Essbase
- Infrastructure (Apache Commons Compress): CVE-2021-36090, CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
Oracle GoldenGate Risk Matrix
This Critical Patch Update contains 3 new security patches for Oracle GoldenGate. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-23017
Oracle GoldenGate
GG Market Place for Support (nginx)
UDP
Yes
9.4
Network
Low
None
None
Un-
changed
High
High
Low
Prior to 21.4.0.0.0
CVE-2021-2351
Oracle GoldenGate
Database (OCCI)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
Prior to 21.5.0.0.220118, Prior to 19.1.0.0.220118, Prior to 12.3.0.1
CVE-2018-1311
Oracle GoldenGate
Build Request (Apache Xerces-C++)
HTTP
Yes
8.1
Network
High
None
None
Un-
changed
High
High
High
Prior to 21.4.0.0.0
Oracle Graph Server and Client Risk Matrix
This Critical Patch Update contains 2 new security patches plus additional third party patches noted below for Oracle Graph Server and Client. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-2351
Oracle Graph Server and Client
Packaging/install issues (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
Prior to 21.4
CVE-2021-33037
Oracle Graph Server and Client
Packaging/Install (Apache Tomcat)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
None
Low
None
Prior to 21.4
Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:
- Oracle Graph Server and Client
- Packaging/Install (Apache Commons IO): CVE-2021-29425.
Oracle NoSQL Database Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle NoSQL Database. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-21409
Oracle NoSQL Database
Administration (Netty)
Local Logon
No
5.5
Local
Low
Low
None
Un-
changed
High
None
None
Prior to 21.1.12
Oracle REST Data Services Risk Matrix
This Critical Patch Update contains 2 new security patches for Oracle REST Data Services. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-28165
Oracle REST Data Services
General (Eclipse Jetty)
Multiple
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
Prior to 21.2.0
CVE-2021-32014
Oracle REST Data Services
General (SheetJS)
Local Logon
No
3.3
Local
Low
None
Required
Un-
changed
None
None
Low
Prior to 21.2.4
Additional CVEs addressed are:
- The patch for CVE-2021-28165 also addresses CVE-2021-28169 and CVE-2021-34428.
- The patch for CVE-2021-32014 also addresses CVE-2021-32012 and CVE-2021-32013.
Oracle Secure Backup Risk Matrix
This Critical Patch Update contains 2 new security patches for Oracle Secure Backup. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-26691
Oracle Secure Backup
Oracle Secure Backup (Apache HTTP Server)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
Prior to 18.1.0.1.0
CVE-2021-3712
Oracle Secure Backup
Oracle Secure Backup (OpenSSL)
HTTPS
Yes
7.4
Network
High
None
None
Un-
changed
High
None
High
Prior to 18.1.0.1.0
Additional CVEs addressed are:
- The patch for CVE-2021-26691 also addresses CVE-2021-33193 and CVE-2021-42013.
Oracle Spatial Studio Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle Spatial Studio. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-2351
Oracle Spatial Studio
Install (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
Prior to 21.2.1
Oracle TimesTen In-Memory Database Risk Matrix
This Critical Patch Update contains 5 new security patches for Oracle TimesTen In-Memory Database. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-2351
Oracle TimesTen In-Memory Database
EM TimesTen plug-in (JDBC,OCCI)
OracleNet
Yes
8.3
Network
High
None
Required
Changed
High
High
High
Prior to 21.1.1.1.0
CVE-2021-29923
Oracle TimesTen In-Memory Database
EM TimesTen plug-in (Go)
TCP/IP
Yes
7.5
Network
Low
None
None
Un-
changed
None
High
None
Prior to 21.1.1.1.0
CVE-2021-29923
Oracle TimesTen In-Memory Database
Install (Go)
TCP/IP
Yes
7.5
Network
Low
None
None
Un-
changed
None
High
None
Prior to 21.1.1.1.0
CVE-2020-7712
Oracle TimesTen In-Memory Database
TimesTen Infrastructure (Apache ZooKeeper)
HTTP
No
7.2
Network
Low
High
None
Un-
changed
High
High
High
Prior to 21.1.1.1.0
CVE-2020-11979
Oracle TimesTen In-Memory Database
Install (Apache Ant)
Local Logon
No
6.5
Network
Low
Low
None
Un-
changed
None
High
None
Prior to 11.2.2.8.27
Additional CVEs addressed are:
- The patch for CVE-2020-11979 also addresses CVE-2020-1945, CVE-2021-36373 and CVE-2021-36374.
- The patch for CVE-2021-29923 also addresses CVE-2021-34558 and CVE-2021-36221.
Oracle Commerce Risk Matrix
This Critical Patch Update contains 6 new security patches for Oracle Commerce. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-2351
Oracle Commerce Platform
Dynamo Application Framework (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
11.3.0, 11.3.1, 11.3.2
CVE-2021-36090
Oracle Commerce Guided Search
Content Acquisition System (Apache Commons Compress)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
11.3.2
CVE-2021-37137
Oracle Commerce Guided Search
Content Acquisition System (Netty)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
11.3.2
CVE-2020-13935
Oracle Commerce Guided Search
Endeca Application Controller (Apache Tomcat)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
11.3.2
CVE-2022-21387
Oracle Commerce Platform
Dynamo Application Framework
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
11.3.0, 11.3.1, 11.3.2
CVE-2021-29425
Oracle Commerce Guided Search
Content Acquisition System (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
11.3.2
Additional CVEs addressed are:
- The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
- The patch for CVE-2021-37137 also addresses CVE-2021-37136.
Oracle Communications Applications Risk Matrix
This Critical Patch Update contains 33 new security patches for Oracle Communications Applications. 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2022-21275
Oracle Communications Billing and Revenue Management
Connection Manager
HTTP
Yes
10.0
Network
Low
None
None
Changed
High
High
High
12.0.0.3, 12.0.0.4
CVE-2022-21389
Oracle Communications Billing and Revenue Management
Connection Manager
HTTP
Yes
10.0
Network
Low
None
None
Changed
High
High
High
12.0.0.3, 12.0.0.4
CVE-2022-21390
Oracle Communications Billing and Revenue Management
Webservices Manager
HTTP
Yes
10.0
Network
Low
None
None
Changed
High
High
High
12.0.0.3, 12.0.0.4
CVE-2022-21276
Oracle Communications Billing and Revenue Management
Connection Manager
HTTP
No
9.9
Network
Low
Low
None
Changed
High
High
High
12.0.0.3, 12.0.0.4
CVE-2022-21391
Oracle Communications Billing and Revenue Management
Connection Manager
HTTP
No
9.9
Network
Low
Low
None
Changed
High
High
High
12.0.0.3, 12.0.0.4
CVE-2021-39139
Oracle Communications BRM - Elastic Charging Engine
Updater (XStream)
TCP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
11.3, 12.0
CVE-2021-29505
Oracle Communications Unified Inventory Management
Rulesets (XStream)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
7.3.4, 7.3.5, 7.4.0, 7.4.1, 7.4.2
CVE-2021-2351
Oracle Communications Calendar Server
Administration (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
8.0.0.5.0
CVE-2021-2351
Oracle Communications Contacts Server
Database (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
8.0.0.3.0
CVE-2021-2351
Oracle Communications Convergent Charging Controller
ACS (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0
CVE-2021-2351
Oracle Communications Design Studio
OSM, NI Plugins (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
7.3.5, 7.4.0, 7.4.1, 7.4.2
CVE-2021-2351
Oracle Communications Network Charging and Control
ACS (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0
CVE-2021-2351
Oracle Communications Network Integrity
Installer (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
7.3.5, 7.3.6
CVE-2020-28052
Oracle Communications Convergence
Messaging (Bouncy Castle Java Library)
S/MIME
Yes
8.1
Network
High
None
None
Un-
changed
High
High
High
3.0.2.2.0
CVE-2020-24750
Oracle Communications Instant Messaging Server
PresenceApi (jackson-databind)
HTTP
Yes
8.1
Network
High
None
None
Un-
changed
High
High
High
10.0.1.5.0
CVE-2020-24750
Oracle Communications Offline Mediation Controller
Installer (jackson-databind)
HTTP
Yes
8.1
Network
High
None
None
Un-
changed
High
High
High
12.0.0.3
CVE-2020-24750
Oracle Communications Pricing Design Center
Installation (jackson-databind)
HTTP
Yes
8.1
Network
High
None
None
Un-
changed
High
High
High
12.0.0.4.0
CVE-2021-22118
Oracle Communications Unified Inventory Management
TMF API (Spring Framework)
None
No
7.8
Local
Low
Low
None
Un-
changed
High
High
High
7.4.1, 7.4.2, 7.5.0
CVE-2022-21266
Oracle Communications Billing and Revenue Management
Pipeline Manager
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
12.0.0.3, 12.0.0.4
CVE-2021-25122
Oracle Communications Instant Messaging Server
DBPlugin (Apache Tomcat)
XMPP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
10.0.1.5.0
CVE-2021-37714
Oracle Communications Messaging Server
ISC (jsoup)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
8.1
CVE-2021-36090
Oracle Communications Unified Inventory Management
Inventory Organizer (Apache Commons Compress)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
7.4.0, 7.4.1, 7.4.2, 7.5.0
CVE-2019-10086
Oracle Communications Convergence
Message Store (Apache Commons BeanUtils)
HTTP
Yes
7.3
Network
Low
None
None
Un-
changed
Low
Low
Low
3.0.2.2.0
CVE-2019-10086
Oracle Communications Design Studio
Inventory (Apache Commons BeanUtils)
HTTP
Yes
7.3
Network
Low
None
None
Un-
changed
Low
Low
Low
7.3.4, 7.3.5, 7.4.0
CVE-2020-5421
Oracle Communications Design Studio
Inventory (Spring Framework)
HTTP
No
6.5
Network
High
Low
Required
Changed
Low
High
None
7.3.4, 7.3.5, 7.4.0
CVE-2021-36374
Oracle Communications Unified Inventory Management
Build Tool (Apache Ant)
None
No
5.5
Local
Low
None
Required
Un-
changed
None
None
High
7.3.0, 7.4.0, 7.4.1, 7.4.2, 7.5.0
CVE-2021-29425
Oracle Communications BRM - Elastic Charging Engine
Charging Controller (Apache Commons IO)
TCP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
12.0
CVE-2021-29425
Oracle Communications Convergence
Convergence Server (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
3.0.2.2.0
CVE-2021-29425
Oracle Communications Offline Mediation Controller
Installation (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
12.0.0.3
CVE-2022-21338
Oracle Communications Convergence
General Framework
HTTP
No
4.6
Network
Low
Low
Required
Un-
changed
Low
Low
None
3.0.2.2.0
CVE-2022-21267
Oracle Communications Billing and Revenue Management
Pipeline Manager
None
No
3.3
Local
Low
Low
None
Un-
changed
Low
None
None
12.0.0.3, 12.0.0.4
CVE-2022-21268
Oracle Communications Billing and Revenue Management
Pipeline Manager
None
No
3.3
Local
Low
Low
None
Un-
changed
Low
None
None
12.0.0.3, 12.0.0.4
CVE-2022-21388
Oracle Communications Pricing Design Center
On Premise Install
None
No
3.3
Local
Low
Low
None
Un-
changed
Low
None
None
12.0.0.3.0, 12.0.0.4.0
Additional CVEs addressed are:
- The patch for CVE-2020-24750 also addresses CVE-2020-24616, CVE-2020-25649 and CVE-2020-36189.
- The patch for CVE-2021-25122 also addresses CVE-2020-13934, CVE-2020-13935, CVE-2020-17527, CVE-2021-25329 and CVE-2021-33037.
- The patch for CVE-2021-29505 also addresses CVE-2021-39154.
- The patch for CVE-2021-39139 also addresses CVE-2021-29505, CVE-2021-39140, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152, CVE-2021-39153 and CVE-2021-39154.
Oracle Communications Risk Matrix
This Critical Patch Update contains 84 new security patches plus additional third party patches noted below for Oracle Communications. 50 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-23440
Oracle Communications Cloud Native Core Policy
Policy (set-value)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
1.14.0
CVE-2021-21783
Oracle Communications EAGLE Application Processor
Platform (gSOAP)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
16.1-16.4
CVE-2021-32827
Oracle Communications Cloud Native Core Policy
Policy (MockServer)
HTTP
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
1.14.0
CVE-2021-27568
Oracle Communications Cloud Native Core Policy
Policy (netplex json-smart)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
None
High
1.14.0
CVE-2021-39139
Oracle Communications Cloud Native Core Binding Support Function
Binding Support Function (XStream)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
1.10.0
CVE-2019-13734
Oracle Communications Cloud Native Core Network Repository Function
NRF (SQLite)
HTTP
Yes
8.8
Network
Low
None
Required
Un-
changed
High
High
High
1.14.0
CVE-2020-13936
Oracle Communications Cloud Native Core Policy
Policy (Apache Velocity Engine)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
1.14.0
CVE-2020-15824
Oracle Communications Cloud Native Core Policy
Policy (Kotlin)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
1.14.0
CVE-2020-10878
Oracle Communications EAGLE Application Processor
Platform (Perl)
HTTP
Yes
8.6
Network
Low
None
None
Un-
changed
Low
Low
High
16.1-16.4
CVE-2021-39153
Oracle Communications Cloud Native Core Policy
Signaling (XStream)
HTTP
No
8.5
Network
High
Low
None
Changed
High
High
High
1.14.0
CVE-2020-36189
Oracle Communications Cloud Native Core Policy
Policy (jackson-databind)
HTTP
Yes
8.1
Network
High
None
None
Un-
changed
High
High
High
1.14.0
CVE-2021-22118
Oracle Communications Cloud Native Core Binding Support Function
Binding Support Function (Spring Framework)
None
No
7.8
Local
Low
Low
None
Un-
changed
High
High
High
1.9.0
CVE-2021-22118
Oracle Communications Cloud Native Core Policy
Policy (Spring Framework)
None
No
7.8
Local
Low
Low
None
Un-
changed
High
High
High
1.14.0
CVE-2021-22118
Oracle Communications Cloud Native Core Security Edge Protection Proxy
SEPP (Spring Framework)
None
No
7.8
Local
Low
Low
None
Un-
changed
High
High
High
1.6.0
CVE-2021-22118
Oracle Communications Cloud Native Core Service Communication Proxy
SCP (Spring Framework)
None
No
7.8
Local
Low
Low
None
Un-
changed
High
High
High
1.14.0
CVE-2021-22118
Oracle Communications Cloud Native Core Unified Data Repository
UDR (Spring Framework)
None
No
7.8
Local
Low
Low
None
Un-
changed
High
High
High
1.14.0
CVE-2021-33909
Oracle Communications Session Border Controller
Core (Kernel)
None
No
7.8
Local
Low
Low
None
Un-
changed
High
High
High
8.2, 8.3, 8.4, 9.0
CVE-2022-21382
Oracle Enterprise Session Border Controller
WebUI
HTTP
No
7.7
Network
Low
Low
None
Changed
None
High
None
8.4, 9.0
CVE-2020-17527
Oracle Communications Cloud Native Core Binding Support Function
Binding Support Function (Apache Tomcat)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
1.10.0
CVE-2021-37137
Oracle Communications Cloud Native Core Binding Support Function
Binding Support Function (Netty)
TCP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
1.10.0
CVE-2021-33560
Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Configuration (libgcrypt)
TCP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
1.9.0
CVE-2020-13949
Oracle Communications Cloud Native Core Policy
Policy (Apache Thrift)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
1.14.0
CVE-2020-17527
Oracle Communications Cloud Native Core Policy
Policy (Apache Tomcat)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
1.14.0
CVE-2021-28165
Oracle Communications Cloud Native Core Policy
Policy (Eclipse Jetty)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
1.14.0
CVE-2021-22119
Oracle Communications Cloud Native Core Policy
Policy (Spring Security)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
1.14.0
CVE-2020-28469
Oracle Communications Cloud Native Core Policy
Policy (glob-parent)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
1.14.0
CVE-2021-25122
Oracle Communications Cloud Native Core Security Edge Protection Proxy
SEPP (Apache Tomcat)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
1.6.0
CVE-2021-36090
Oracle Communications Cloud Native Core Service Communication Proxy
SCP (Apache Commons Compress)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
1.14.0
CVE-2021-36090
Oracle Communications Cloud Native Core Unified Data Repository
UDR (Apache Commons Compress)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
1.14.0
CVE-2021-37137
Oracle Communications Diameter Signaling Router
API Gateway (Netty)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
8.0.0.0-8.5.0.2
CVE-2021-42340
Oracle Communications Diameter Signaling Router
Platform (Apache Tomcat)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
8.0.0.0-8.5.0.2
CVE-2021-42340
Oracle SD-WAN Edge
Management (Apache Tomcat)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
9.0, 9.1
CVE-2021-23337
Oracle Communications Cloud Native Core Binding Support Function
Binding Support Function (Lodash)
HTTP
No
7.2
Network
Low
High
None
Un-
changed
High
High
High
1.9.0
CVE-2022-21395
Oracle Communications Operations Monitor
Mediation Engine
HTTP
No
7.2
Network
Low
High
None
Un-
changed
High
High
High
3.4, 4.2, 4.3, 4.4, 5.0
CVE-2021-23337
Oracle Communications Services Gatekeeper
Policy service (Lodash)
HTTP
No
7.2
Network
Low
High
None
Un-
changed
High
High
High
7.0
CVE-2021-21703
Oracle Communications Diameter Signaling Router
Platform (PHP)
None
No
7.0
Local
High
Low
None
Un-
changed
High
High
High
8.0.0.0-8.5.0.2
CVE-2021-44832
Oracle Communications Diameter Signaling Router
Virtual Network Function Manager, API Gateway (Apache Log4j)
HTTP
No
6.6
Network
High
High
None
Un-
changed
High
High
High
8.3.0.0-8.5.1.0
See Note 1
CVE-2021-44832
Oracle Communications Interactive Session Recorder
RSS (Apache Log4j)
HTTP
No
6.6
Network
High
High
None
Un-
changed
High
High
High
6.3, 6.4
See Note 1
CVE-2022-21399
Oracle Communications Operations Monitor
Mediation Engine
HTTP
No
6.6
Network
Low
High
None
Changed
Low
Low
Low
3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21401
Oracle Communications Operations Monitor
Mediation Engine
HTTP
No
6.6
Network
Low
High
None
Changed
Low
Low
Low
3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21403
Oracle Communications Operations Monitor
Mediation Engine
HTTP
No
6.6
Network
Low
High
None
Changed
Low
Low
Low
3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21381
Oracle Enterprise Session Border Controller
WebUI
HTTP
No
6.4
Network
Low
Low
None
Changed
Low
Low
None
8.4, 9.0
CVE-2020-11022
Oracle Communications EAGLE Application Processor
Platform (jQuery)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
16.1-16.4
CVE-2020-11022
Oracle Communications Services Gatekeeper
API Portal (jQuery)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
7.0
CVE-2021-21409
Oracle Communications Cloud Native Core Console
Console (Netty)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
High
None
1.7.0
CVE-2020-14340
Oracle Communications Cloud Native Core Network Repository Function
Network Repository Function (XNIO)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
1.14.0
CVE-2020-14340
Oracle Communications Cloud Native Core Security Edge Protection Proxy
SEPP (XNIO)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
1.15.0
CVE-2021-33880
Oracle Communications Cloud Native Core Security Edge Protection Proxy
SEPP (aaugustin websockets)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
High
None
None
1.5.0
CVE-2021-3326
Oracle Communications Cloud Native Core Security Edge Protection Proxy
SEPP (glibc)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
1.5.0
CVE-2020-14340
Oracle Communications Cloud Native Core Service Communication Proxy
SCP (XNIO)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
1.14.0
CVE-2021-33880
Oracle Communications Cloud Native Core Service Communication Proxy
SCP (aaugustin websockets)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
High
None
None
1.14.0
CVE-2020-14340
Oracle Communications Cloud Native Core Unified Data Repository
UDR (XNIO)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
1.14.0
CVE-2021-33880
Oracle Communications Cloud Native Core Unified Data Repository
UDR (aaugustin websockets)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
High
None
None
1.14.0
CVE-2021-45105
Oracle Communications Service Broker
Integration (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
6.2
See Note 1
CVE-2021-45105
Oracle Communications Services Gatekeeper
API Portal (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
7.0
See Note 1
CVE-2021-45105
Oracle Communications WebRTC Session Controller
Signaling Engine, Media Engine (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
7.2.0, 7.2.1
See Note 1
CVE-2021-3426
Oracle Communications Cloud Native Core Binding Support Function
Binding Support Function (Python)
Multiple
No
5.7
Adjacent
Network
Low
Low
None
Un-
changed
High
None
None
1.10.0
CVE-2021-23017
Oracle Communications Session Border Controller
Routing (nginx)
HTTP
Yes
5.6
Network
High
None
None
Un-
changed
Low
Low
Low
8.4, 9.0
CVE-2021-23017
Oracle Enterprise Communications Broker
Routing (nginx)
HTTP
Yes
5.6
Network
High
None
None
Un-
changed
Low
Low
Low
3.3
CVE-2021-23017
Oracle Enterprise Session Border Controller
Routing (nginx)
HTTP
Yes
5.6
Network
High
None
None
Un-
changed
Low
Low
Low
8.4, 9.0
CVE-2020-27618
Oracle Communications Cloud Native Core Service Communication Proxy
SCP (glibc)
None
No
5.5
Local
Low
Low
None
Un-
changed
None
None
High
1.14.0
CVE-2022-21246
Oracle Communications Operations Monitor
Mediation Engine
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21396
Oracle Communications Operations Monitor
Mediation Engine
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21397
Oracle Communications Operations Monitor
Mediation Engine
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21398
Oracle Communications Operations Monitor
Mediation Engine
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21400
Oracle Communications Operations Monitor
Mediation Engine
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
3.4, 4.2, 4.3, 4.4, 5.0
CVE-2021-34429
Oracle Communications Cloud Native Core Binding Support Function
Binding Support Function (Eclipse Jetty)
TCP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
1.10.0
CVE-2021-34429
Oracle Communications Cloud Native Core Security Edge Protection Proxy
SEPP (Eclipse Jetty)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
1.5.0
CVE-2020-13956
Oracle Communications Cloud Native Core Service Communication Proxy
SCP (Apache HttpClient)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
None
Low
None
1.14.0
CVE-2021-33037
Oracle Communications Cloud Native Core Service Communication Proxy
SCP (Apache Tomcat)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
None
Low
None
1.14.0
CVE-2021-34429
Oracle Communications Cloud Native Core Service Communication Proxy
SCP (Eclipse Jetty)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
1.14.0
CVE-2020-29582
Oracle Communications Cloud Native Core Service Communication Proxy
SCP (Kotlin)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
1.14.0
CVE-2021-34429
Oracle Communications Cloud Native Core Unified Data Repository
UDR (Eclipse Jetty)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
1.14.0
CVE-2021-34429
Oracle Communications Diameter Signaling Router
API Gateway (Eclipse Jetty)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
8.0.0.0-8.5.0.2
CVE-2021-21705
Oracle SD-WAN Aware
Management (PHP)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
None
Low
None
8.2
CVE-2020-8554
Oracle Communications Cloud Native Core Service Communication Proxy
SCP (Kubernetes API)
HTTP
No
5.0
Network
High
Low
None
Un-
changed
Low
Low
Low
1.14.0
CVE-2020-8554
Oracle Communications Cloud Native Core Unified Data Repository
UDR (Kubernetes API)
HTTP
No
5.0
Network
High
Low
None
Un-
changed
Low
Low
Low
1.14.0
CVE-2021-29921
Oracle Communications Cloud Native Core Automated Test Suite
ATS Framework (Python)
HTTP
No
4.9
Network
Low
High
None
Un-
changed
None
High
None
1.8.0
CVE-2021-29425
Oracle Communications Cloud Native Core Network Repository Function
NRF (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
1.14.0
CVE-2021-29425
Oracle Communications Cloud Native Core Unified Data Repository
UDR (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
1.14.0
CVE-2022-21402
Oracle Communications Operations Monitor
Mediation Engine
HTTP
No
4.8
Network
Low
High
Required
Changed
Low
Low
None
3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21383
Oracle Enterprise Session Border Controller
Log
HTTP
No
4.3
Network
Low
Low
None
Un-
changed
None
None
Low
8.4, 9.0
CVE-2021-3448
Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Configuration (dnsmasq)
TCP
Yes
4.0
Network
High
None
None
Changed
None
Low
None
1.9.0
CVE-2020-8908
Oracle Communications Cloud Native Core Unified Data Repository
UDR (Guava)
None
No
3.3
Local
Low
Low
None
Un-
changed
Low
None
None
1.14.0
Notes:
- This patch also addresses vulnerabilities CVE-2021-44228 and CVE-2021-45046. Customers need not apply the patches/mitigations of Security Alert CVE-2021-44228 and CVE-2021-45046 for this product.
Additional CVEs addressed are:
- The patch for CVE-2020-10878 also addresses CVE-2020-10543 and CVE-2020-12723.
- The patch for CVE-2020-11022 also addresses CVE-2019-11358 and CVE-2020-11023.
- The patch for CVE-2020-17527 also addresses CVE-2020-13934, CVE-2020-13935, CVE-2020-9484, CVE-2021-25122, CVE-2021-25329, CVE-2021-30369, CVE-2021-30640 and CVE-2021-33037.
- The patch for CVE-2020-36189 also addresses CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187 and CVE-2020-36188.
- The patch for CVE-2021-23337 also addresses CVE-2020-28500.
- The patch for CVE-2021-25122 also addresses CVE-2021-25329.
- The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
- The patch for CVE-2021-37137 also addresses CVE-2021-37136.
- The patch for CVE-2021-39139 also addresses CVE-2021-39140, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152, CVE-2021-39153 and CVE-2021-39154.
- The patch for CVE-2021-39153 also addresses CVE-2021-39139, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152 and CVE-2021-39154.
- The patch for CVE-2021-42340 also addresses CVE-2021-33037.
- The patch for CVE-2021-44832 also addresses CVE-2021-45105.
Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:
- Oracle Communications Cloud Native Core Network Repository Function
- NRF (Apache Commons Compress): CVE-2021-36090, CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
Oracle Construction and Engineering Risk Matrix
This Critical Patch Update contains 22 new security patches for Oracle Construction and Engineering. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-44790
Instantis EnterpriseTrack
Core (Apache HTTP Server)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
17.1, 17.2, 17.3
CVE-2021-42575
Primavera Unifier
Platform, Data Persistence (OWASP Java HTML Sanitizer)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
17.7-17.12, 18.8, 19.12, 20.12, 21.12
CVE-2021-2351
Primavera Analytics
ETL (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
18.8.3.3, 19.12.11.1, 20.12.12.0
CVE-2021-2351
Primavera Data Warehouse
ETL (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
18.8.3.3, 19.12.11.1, 20.12.12.0
CVE-2021-2351
Primavera P6 Enterprise Project Portfolio Management
Web Access (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
17.12.0.0-17.12.20.0, 18.8.0.0-18.8.24.0, 19.12.0.0-19.12.17.0, 20.12.0.0-20.12.9.0
CVE-2021-2351
Primavera P6 Professional Project Management
API component of P6 Pro (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
17.12.0.0-17.12.20.0, 18.8.0.0-18.8.24.0, 19.12.0.0-19.12.17.0, 20.12.0.0-20.12.9.0
CVE-2021-2351
Primavera Unifier
Platform,Data Access,Data Persistence (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
17.7-17.12, 18.8, 19.12, 20.12, 21.12
CVE-2021-37714
Primavera Unifier
Platform,Data Parsing (jsoup)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
20.12, 21.12
CVE-2021-44832
Primavera Gateway
Admin (Apache Log4j)
HTTP
No
6.6
Network
High
High
None
Un-
changed
High
High
High
17.12.0-17.12.11, 18.8.0-18.8.13, 19.12.0-19.12.12, 20.12.0-20.12.7, 21.12.0
See Note 1
CVE-2021-44832
Primavera P6 Enterprise Project Portfolio Management
Web Access (Apache Log4j)
HTTP
No
6.6
Network
High
High
None
Un-
changed
High
High
High
19.12.0.0-19.12.18.0, 20.12.0.0-20.12.12.0, 21.12.0.0
See Note 1
CVE-2021-44832
Primavera Unifier
Logging (Apache Log4j)
HTTP
No
6.6
Network
High
High
None
Un-
changed
High
High
High
18.8, 19.12, 20.12, 21.12
See Note 1
CVE-2022-21269
Primavera Portfolio Management
Web Access
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0, 20.0.0.1
CVE-2021-45105
Instantis EnterpriseTrack
Logging (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
17.1, 17.2, 17.3
See Note 1
CVE-2021-38153
Primavera Unifier
Event Streams and Communications (Apache Kafka)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
High
None
None
18.8, 19.12, 20.12, 21.12
CVE-2022-21377
Primavera Portfolio Management
Web API
HTTP
Yes
5.4
Network
Low
None
Required
Un-
changed
Low
Low
None
18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0
CVE-2022-21242
Primavera Portfolio Management
Web Access
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0, 20.0.0.1
CVE-2022-21376
Primavera Portfolio Management
Web Access
HTTP
Yes
5.4
Network
Low
None
Required
Un-
changed
Low
Low
None
18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0
CVE-2022-21281
Primavera Portfolio Management
Web Access
HTTP
No
4.8
Network
Low
High
Required
Changed
Low
Low
None
18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0, 20.0.0.1
CVE-2021-29425
Primavera Unifier
Platform (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
17.7-17.12, 18.8, 19.12, 20.12, 21.12
CVE-2022-21243
Primavera Portfolio Management
Web Access
HTTP
No
4.3
Network
Low
Low
None
Un-
changed
None
None
Low
18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0, 20.0.0.1
CVE-2022-21244
Primavera Portfolio Management
Web Access
HTTP
Yes
4.3
Network
Low
None
Required
Un-
changed
None
Low
None
18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0, 20.0.0.1
CVE-2020-8908
Primavera Unifier
Data Service (Guava)
None
No
3.3
Local
Low
Low
None
Un-
changed
Low
None
None
17.7-17.12, 18.8, 19.12, 20.12, 21.12
Notes:
- This patch also addresses vulnerabilities CVE-2021-44228 and CVE-2021-45046. Customers need not apply the patches/mitigations of Security Alert CVE-2021-44228 and CVE-2021-45046 for this product.
Additional CVEs addressed are:
- The patch for CVE-2021-44790 also addresses CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438, CVE-2021-41524, CVE-2021-41773, CVE-2021-42013 and CVE-2021-44224.
- The patch for CVE-2021-44832 also addresses CVE-2021-45105.
Oracle E-Business Suite Risk Matrix
This Critical Patch Update contains 9 new security patches for Oracle E-Business Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the January 2022 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (January 2022), My Oracle Support Note 2484000.1.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2022-21255
Oracle Configurator
UI Servlet
HTTP
No
8.1
Network
Low
Low
None
Un-
changed
High
High
None
12.2.3-12.2.11
CVE-2022-21273
Oracle Project Costing
Expenses, Currency Override
HTTP
No
8.1
Network
Low
Low
None
Un-
changed
High
High
None
12.2.3-12.2.11
CVE-2022-21274
Oracle Sourcing
Intelligence, RFx Creation
HTTP
No
8.1
Network
Low
Low
None
Un-
changed
High
High
None
12.2.3-12.2.11
CVE-2022-21250
Oracle Trade Management
GL Accounts
HTTP
No
8.1
Network
Low
Low
None
Un-
changed
High
High
None
12.2.3-12.2.11
CVE-2022-21251
Oracle Installed Base
Instance Main
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
12.2.3-12.2.11
CVE-2019-10086
Oracle Time and Labor
Timecard (Apache Commons Beanutils)
HTTP
Yes
7.3
Network
Low
None
None
Un-
changed
Low
Low
Low
12.2.6-12.2.11
CVE-2020-6950
Oracle Time and Labor
Timecard (Eclipse Mojarra)
HTTP
Yes
6.5
Network
Low
None
Required
Un-
changed
High
None
None
12.2.6-12.2.11
CVE-2022-21354
Oracle iStore
User Interface
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.2.3-12.2.11
CVE-2022-21373
Oracle Partner Management
Reseller Locator
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.2.3-12.2.11
Additional CVEs addressed are:
- The patch for CVE-2020-6950 also addresses CVE-2019-17091.
Oracle Enterprise Manager Risk Matrix
This Critical Patch Update contains 7 new security patches for Oracle Enterprise Manager. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.
Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the January 2022 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2022 Patch Availability Document for Oracle Products, My Oracle Support Note 2817011.1.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-3177
Enterprise Manager Ops Center
Networking (Python)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.4.0.0
CVE-2021-2351
Application Performance Management
End User Experience Management (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
13.4.1.0, 13.5.1.0
CVE-2021-2351
Enterprise Manager Base Platform
Enterprise Manager Install (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
13.4.0.0, 13.5.0.0
CVE-2021-2351
Enterprise Manager Ops Center
Networking (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
12.4.0.0
CVE-2021-2351
Oracle Application Testing Suite
Load Testing for Web Apps (JDBC, OCCI)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
13.3.0.1
CVE-2021-2351
Oracle Real User Experience Insight
End User Experience Management (OCCI)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
13.4.1.0, 13.5.1.0
CVE-2022-21392
Enterprise Manager Base Platform
Policy Framework
HTTP
No
7.1
Network
Low
Low
None
Un-
changed
High
Low
None
13.4.0.0, 13.5.0.0
Additional CVEs addressed are:
- The patch for CVE-2021-3177 also addresses CVE-2021-23336.
Oracle Financial Services Applications Risk Matrix
This Critical Patch Update contains 48 new security patches for Oracle Financial Services Applications. 37 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2019-17495
Oracle Banking APIs
Framework (Swagger UI)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2019-17495
Oracle Banking Digital Experience
Framework (Swagger UI)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2020-13936
Oracle Banking Deposits and Lines of Credit Servicing
Web UI (Apache Velocity Engine)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
2.12.0
CVE-2020-13936
Oracle Banking Enterprise Default Management
Collections (Apache Velocity Engine)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
2.3.0-2.4.1, 2.6.2, 2.7.1, 2.10.0, 2.12.0
CVE-2020-13936
Oracle Banking Loans Servicing
Web UI (Apache Velocity Engine)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
2.12.0
CVE-2020-13936
Oracle Banking Party Management
Web UI (Apache Velocity Engine)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
2.7.0
CVE-2020-13936
Oracle Banking Platform
Security (Apache Velocity Engine)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
2.3.0-2.4.1, 2.6.2, 2.7.1
CVE-2021-2351
Oracle Banking APIs
Framework (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-2351
Oracle Banking Digital Experience
Framework (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
17.2, 18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-2351
Oracle Financial Services Analytical Applications Infrastructure
Rate Management (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
8.0.7-8.1.1
CVE-2021-2351
Oracle Financial Services Behavior Detection Platform
Third Party (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
8.0.7, 8.0.8, 8.1.1
CVE-2021-2351
Oracle Financial Services Enterprise Case Management
Installers (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
8.0.7, 8.0.8, 8.1.1
CVE-2021-2351
Oracle Financial Services Foreign Account Tax Compliance Act Management
Installation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
8.0.7, 8.0.8, 8.1.1
CVE-2021-2351
Oracle Financial Services Model Management and Governance
Installer & Configuration (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
8.0.8-8.1.1
CVE-2021-2351
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition
User Interface (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
8.0.7, 8.0.8
CVE-2021-2351
Oracle FLEXCUBE Investor Servicing
Infrastructure Code (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.4.0, 14.5.0
CVE-2021-2351
Oracle FLEXCUBE Private Banking
Miscellaneous (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
12.0.0, 12.1.0
CVE-2020-11987
Oracle Banking APIs
Framework (Apache Batik)
HTTP
Yes
8.2
Network
Low
None
None
Un-
changed
High
Low
None
18.3, 19.1, 19.2, 20.1, 21.1
CVE-2020-11987
Oracle Banking Digital Experience
Framework (Apache Batik)
HTTP
Yes
8.2
Network
Low
None
None
Un-
changed
High
Low
None
18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-22118
Oracle Financial Services Analytical Applications Infrastructure
Others (Spring Framework)
None
No
7.8
Local
Low
Low
None
Un-
changed
High
High
High
8.0.8-8.1.1
CVE-2021-36090
Oracle Banking APIs
Framework (Apache Commons Compress)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2020-25649
Oracle Banking APIs
Framework (jackson-databind)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
High
None
18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-37137
Oracle Banking APIs
Framework (Netty)
Multiple
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-36090
Oracle Banking Digital Experience
Framework (Apache Commons Compress)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-37137
Oracle Banking Digital Experience
Framework (Netty)
Multiple
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-36090
Oracle Banking Enterprise Default Management
Collections (Apache Commons Compress)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
2.7.0
CVE-2021-36090
Oracle Banking Party Management
Web UI (Apache Commons Compress)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
2.7.0
CVE-2021-35043
Oracle Banking Enterprise Default Management
Collections (AntiSamy)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
2.7.0
CVE-2020-9281
Oracle Banking Enterprise Default Management
Collections (CKEditor)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
2.7.0
CVE-2021-35043
Oracle Banking Party Management
Web UI (AntiSamy)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
2.7.0
CVE-2021-35043
Oracle Banking Platform
SECURITY (AntiSamy)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
2.7.0
CVE-2021-45105
Oracle Financial Services Analytical Applications Infrastructure
Others (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
8.0.7-8.1.1
See Note 1
CVE-2021-45105
Oracle Financial Services Model Management and Governance
Installer & Configuration (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
8.0.8, 8.1.0, 8.1.1
See Note 1
CVE-2021-41165
Oracle Banking APIs
Framework (CKEditor)
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-41165
Oracle Banking Digital Experience
Framework (CKEditor)
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-37695
Oracle Banking Party Management
Web UI (CKEditor)
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
2.7.0
CVE-2021-37695
Oracle Financial Services Analytical Applications Infrastructure
Others (CKEditor)
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
8.0.7-8.1.1
CVE-2021-28164
Oracle Banking APIs
Framework (Apache Ignite)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
20.1, 21.1
CVE-2021-28164
Oracle Banking Digital Experience
Framework (Apache Ignite)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
20.1, 21.1
CVE-2021-35687
Oracle Financial Services Analytical Applications Infrastructure
Unified Metadata Manager
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
8.0.7-8.1.1
CVE-2021-29425
Oracle Banking APIs
Framework (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-29425
Oracle Banking Digital Experience
Framework (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
17.2, 18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-29425
Oracle Banking Enterprise Default Management
Collections (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
2.3.0-2.4.1, 2.6.2, 2.7.1, 2.10.0, 2.12.0
CVE-2021-29425
Oracle Banking Party Management
Web UI (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
2.7.0
CVE-2021-29425
Oracle Banking Platform
Security (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
2.3.0-2.4.1, 2.6.2, 2.7.1
CVE-2021-29425
Oracle Financial Services Analytical Applications Infrastructure
Others (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
8.0.7-8.1.1
CVE-2021-29425
Oracle Financial Services Model Management and Governance
Installer & Configuration (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
8.0.8, 8.1.0, 8.1.1
CVE-2021-35686
Oracle Financial Services Analytical Applications Infrastructure
Unified Metadata Manager
HTTP
No
4.3
Network
Low
Low
None
Un-
changed
Low
None
None
8.0.7-8.1.1
Notes:
- This patch also addresses vulnerabilities CVE-2021-44228 and CVE-2021-45046. Customers need not apply the patches/mitigations of Security Alert CVE-2021-44228 and CVE-2021-45046 for this product.
Additional CVEs addressed are:
- The patch for CVE-2021-28164 also addresses CVE-2021-28163.
- The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
- The patch for CVE-2021-37137 also addresses CVE-2021-37136.
- The patch for CVE-2021-37695 also addresses CVE-2021-32808 and CVE-2021-32809.
- The patch for CVE-2021-41165 also addresses CVE-2021-41164.
Oracle Food and Beverage Applications Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle Food and Beverage Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2019-10086
Oracle Hospitality Reporting and Analytics
Reporting (Apache Commons BeanUtils)
HTTP
Yes
7.3
Network
Low
None
None
Un-
changed
Low
Low
Low
9.1.0
Oracle Fusion Middleware Risk Matrix
This Critical Patch Update contains 39 new security patches for Oracle Fusion Middleware. 35 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update January 2022 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2022 Patch Availability Document for Oracle Products, My Oracle Support Note 2817011.1.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-35587
Oracle Access Manager
OpenSSO Agent
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-17530
Oracle Business Intelligence Enterprise Edition
Installation (Apache Struts2)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.2.1.3.0, 12.2.1.4.0
CVE-2022-21306
Oracle WebLogic Server
Core
T3
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2021-40438
Oracle HTTP Server
OSSL Module (Apache HTTP Server)
HTTP
Yes
9.0
Network
High
None
None
Changed
High
High
High
12.2.1.3.0, 12.2.1.4.0, 12.2.1.5.0
CVE-2021-39154
Oracle Business Activity Monitoring
Centralized Thirdparty Jars (XStream)
HTTP
No
8.5
Network
High
Low
None
Changed
High
High
High
12.2.1.4.0, 12.2.1.5.0
CVE-2021-2351
Oracle Data Integrator
Runtime Java agent for ODI (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
12.2.1.3.0, 12.2.1.4.0
CVE-2021-2351
Oracle Enterprise Data Quality
General (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
12.2.1.3.0, 12.2.1.4.0
CVE-2021-2351
Oracle Fusion Middleware
Centralized Third-party Jars (JDBC, OCCI, ODP for .NET)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
12.2.1.3.0, 12.2.1.4.0
CVE-2022-21346
Oracle BI Publisher
BI Publisher Security
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-17566
Oracle Business Intelligence Enterprise Edition
Analytics Web Answers (Apache Batik)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
High
None
5.5.0.0.0, 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2021-36090
Oracle Business Process Management Suite
Installer (Apache Commons Compress)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
12.2.1.3.0, 12.2.1.4.0
CVE-2021-4104
Oracle WebLogic Server
Centralized Thirdparty Jars (Apache Log4j)
HTTP
No
7.5
Network
High
Low
None
Un-
changed
High
High
High
12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21292
Oracle WebLogic Server
Samples
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
12.2.1.4.0, 14.1.1.0.0
CVE-2020-5258
Oracle WebLogic Server
Samples (dojo)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
High
None
12.2.1.4.0, 14.1.1.0.0
CVE-2022-21371
Oracle WebLogic Server
Web Container
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2021-27568
Oracle WebLogic Server
Web Services (json-smart)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2021-44832
Oracle WebLogic Server
Centralized Thirdparty Jars (Apache Log4j)
HTTP
No
6.6
Network
High
High
None
Un-
changed
High
High
High
12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
See Note 1
CVE-2022-21252
Oracle WebLogic Server
Samples
HTTP
Yes
6.5
Network
Low
None
None
Un-
changed
Low
Low
None
12.2.1.4.0, 14.1.1.0.0
CVE-2022-21347
Oracle WebLogic Server
Core
T3
Yes
6.5
Network
Low
None
None
Un-
changed
None
Low
Low
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21350
Oracle WebLogic Server
Core
T3
Yes
6.5
Network
Low
None
None
Un-
changed
None
Low
Low
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21353
Oracle WebLogic Server
Core
T3
Yes
6.5
Network
Low
None
None
Un-
changed
None
Low
Low
12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-2934
Oracle WebLogic Server
Datasource (MySQL Connector)
SQL
Yes
6.3
Network
Low
None
Required
Un-
changed
Low
Low
Low
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21361
Oracle WebLogic Server
Sample apps
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.2.1.4.0, 14.1.1.0.0
CVE-2020-11023
Oracle WebLogic Server
Sample apps (jQuery)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.2.1.4.0, 14.1.1.0.0
CVE-2022-21257
Oracle WebLogic Server
Samples
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.2.1.4.0, 14.1.1.0.0
CVE-2022-21258
Oracle WebLogic Server
Samples
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
14.1.1.0.0
CVE-2022-21259
Oracle WebLogic Server
Samples
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.2.1.4.0, 14.1.1.0.0
CVE-2022-21260
Oracle WebLogic Server
Samples
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.2.1.4.0, 14.1.1.0.0
CVE-2022-21261
Oracle WebLogic Server
Samples
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.2.1.4.0, 14.1.1.0.0
CVE-2022-21262
Oracle WebLogic Server
Samples
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.2.1.4.0, 14.1.1.0.0
CVE-2022-21386
Oracle WebLogic Server
Web Container
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2019-10219
Oracle WebLogic Server
Web Services (JBoss Enterprise Application Platform)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2021-45105
Oracle Business Intelligence Enterprise Edition
Analytics Server (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
5.5.0.0.0
See Note 1
CVE-2021-45105
Oracle Managed File Transfer
MFT Runtime Server (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
12.2.1.3.0, 12.2.1.4.0
See Note 1
CVE-2021-45105
Oracle WebCenter Portal
Security Framework (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
12.2.1.3.0, 12.2.1.4.0
See Note 1
CVE-2018-1324
Oracle WebLogic Server
WLST (Apache Commons Compress)
None
No
5.5
Local
Low
None
Required
Un-
changed
None
None
High
14.1.1.0.0
CVE-2020-13956
Oracle WebLogic Server
Samples (Apache HttpClient)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
None
Low
None
12.2.1.4.0, 14.1.1.0.0
CVE-2021-29425
Oracle Fusion Middleware MapViewer
Install (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
12.2.1.4.0
CVE-2021-29425
Oracle WebLogic Server
Third Party Tools (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Notes:
- This patch also addresses vulnerabilities CVE-2021-44228 and CVE-2021-45046. Customers need not apply the patches/mitigations of Security Alert CVE-2021-44228 and CVE-2021-45046 for this product.
Additional CVEs addressed are:
- The patch for CVE-2018-1324 also addresses CVE-2018-11771.
- The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022.
- The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
- The patch for CVE-2021-39154 also addresses CVE-2021-29505, CVE-2021-39139, CVE-2021-39140, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152 and CVE-2021-39153.
- The patch for CVE-2021-44832 also addresses CVE-2021-45105.
Oracle Health Sciences Applications Risk Matrix
This Critical Patch Update contains 8 new security patches for Oracle Health Sciences Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-2351
Oracle Argus Analytics
Schema Creation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
8.2.1, 8.2.2, 8.2.3
CVE-2021-2351
Oracle Argus Insight
Schema Creation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
8.2.1, 8.2.2, 8.2.3
CVE-2021-2351
Oracle Argus Mart
Schema Creation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
8.2.1, 8.2.2, 8.2.3
CVE-2021-2351
Oracle Argus Safety
Schema Creation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
8.2.1, 8.2.2, 8.2.3
CVE-2021-2351
Oracle Clinical
Schema Creation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
5.2.1, 5.2.2
CVE-2021-2351
Oracle Health Sciences Clinical Development Analytics
Installation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
4.0.1
CVE-2021-2351
Oracle Health Sciences InForm CRF Submit
Installation and Configuration (JDBC, ODP for .NET)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
6.2.1
CVE-2021-2351
Oracle Thesaurus Management System
Report Generation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
5.2.3, 5.3.0, 5.3.1
Oracle HealthCare Applications Risk Matrix
This Critical Patch Update contains 4 new security patches for Oracle HealthCare Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-2351
Oracle Health Sciences Information Manager
Health Policy Engine (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
3.0.2, 3.0.3
CVE-2021-2351
Oracle Healthcare Data Repository
Installation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
7.0.2, 8.1.0, 8.1.1
CVE-2021-2351
Oracle Healthcare Foundation
Installation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
7.3.0.0-7.3.0.2, 8.0.0-8.0.2, 8.1.0-8.1.1
CVE-2021-2351
Oracle Healthcare Translational Research
Installation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
4.1.0
Oracle Hospitality Applications Risk Matrix
This Critical Patch Update contains 3 new security patches for Oracle Hospitality Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-2351
Oracle Hospitality OPERA 5
Integrations (JDBC, ODP for .NET)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
5.6
CVE-2021-2351
Oracle Hospitality Suite8
Rest API (ODP for .NET)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
8.10.2, 8.11.0, 8.12.0, 8.13.0, 8.14.0
CVE-2021-42340
Oracle Hospitality Cruise Shipboard Property Management System
Next-Gen SPMS (Apache Tomcat)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
20.1.0
Additional CVEs addressed are:
- The patch for CVE-2021-42340 also addresses CVE-2021-30640 and CVE-2021-33037.
Oracle Hyperion Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle Hyperion. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-2351
Oracle Hyperion Infrastructure Technology
Installation and Configuration (JDBC, OCCI, ODP for .NET)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
11.2.7.0
Oracle iLearning Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-2351
Oracle iLearning
Installation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
6.2, 6.3
Oracle Insurance Applications Risk Matrix
This Critical Patch Update contains 7 new security patches for Oracle Insurance Applications. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-10683
Oracle Insurance Policy Administration J2EE
Architecture (dom4j)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0
CVE-2020-10683
Oracle Insurance Rules Palette
Architecture (dom4j)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0
CVE-2021-2351
Oracle Insurance Data Gateway
Security (JDBC)
HTTP
Yes
8.3
Network
High
None
Required
Changed
High
High
High
11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1
CVE-2021-2351
Oracle Insurance Insbridge Rating and Underwriting
Framework Administrator IBFA (JDBC, ODP for .NET)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
5.2.0, 5.4.0-5.6.0
CVE-2021-2351
Oracle Insurance Policy Administration
Architecture (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1
CVE-2021-2351
Oracle Insurance Rules Palette
Architecture (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1
CVE-2021-22118
Oracle Insurance Rules Palette
Architecture (Spring Framework)
None
No
7.8
Local
Low
Low
None
Un-
changed
High
High
High
11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1
Oracle Java SE Risk Matrix
This Critical Patch Update contains 18 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-22959
Oracle GraalVM Enterprise Edition
Node (Node.js)
HTTP
Yes
6.5
Network
Low
None
None
Un-
changed
Low
Low
None
Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
CVE-2022-21349
Oracle Java SE, Oracle GraalVM Enterprise Edition
2D
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
None
Low
Oracle Java SE: 7u321, 8u311; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21291
Oracle Java SE, Oracle GraalVM Enterprise Edition
Hotspot
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
Low
None
Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21305
Oracle Java SE, Oracle GraalVM Enterprise Edition
Hotspot
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
Low
None
Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21277
Oracle Java SE, Oracle GraalVM Enterprise Edition
ImageIO
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
None
Low
Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21360
Oracle Java SE, Oracle GraalVM Enterprise Edition
ImageIO
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
None
Low
Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21365
Oracle Java SE, Oracle GraalVM Enterprise Edition
ImageIO
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
None
Low
Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21366
Oracle Java SE, Oracle GraalVM Enterprise Edition
ImageIO
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
None
Low
Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21282
Oracle Java SE, Oracle GraalVM Enterprise Edition
JAXP
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21296
Oracle Java SE, Oracle GraalVM Enterprise Edition
JAXP
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21299
Oracle Java SE, Oracle GraalVM Enterprise Edition
JAXP
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
None
Low
Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21271
Oracle Java SE, Oracle GraalVM Enterprise Edition
Libraries
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
None
Low
Oracle Java SE: 7u321, 8u311, 11.0.13; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21283
Oracle Java SE, Oracle GraalVM Enterprise Edition
Libraries
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
None
Low
Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21293
Oracle Java SE, Oracle GraalVM Enterprise Edition
Libraries
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
None
Low
Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21294
Oracle Java SE, Oracle GraalVM Enterprise Edition
Libraries
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
None
Low
Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21340
Oracle Java SE, Oracle GraalVM Enterprise Edition
Libraries
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
None
Low
Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21341
Oracle Java SE, Oracle GraalVM Enterprise Edition
Serialization
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
None
Low
Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
CVE-2022-21248
Oracle Java SE, Oracle GraalVM Enterprise Edition
Serialization
Multiple
Yes
3.7
Network
High
None
None
Un-
changed
None
Low
None
Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
See Note 1
Notes:
- This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
Additional CVEs addressed are:
- The patch for CVE-2021-22959 also addresses CVE-2021-22960.
Oracle JD Edwards Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle JD Edwards. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-23337
JD Edwards EnterpriseOne Tools
E1 Dev Platform Tech - Cloud (Lodash)
HTTP
No
7.2
Network
Low
High
None
Un-
changed
High
High
High
Prior to 9.2.6.1
Additional CVEs addressed are:
- The patch for CVE-2021-23337 also addresses CVE-2020-28500.
Oracle MySQL Risk Matrix
This Critical Patch Update contains 78 new security patches for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-22946
MySQL Server
Server: Compiling (cURL)
Multiple
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
5.7.36 and prior, 8.0.27 and prior
CVE-2021-3712
MySQL Connectors
Connector/C++ (OpenSSL)
MySQL Protocol
Yes
7.4
Network
High
None
None
Un-
changed
High
None
High
8.0.27 and prior
CVE-2021-3712
MySQL Connectors
Connector/ODBC (OpenSSL)
MySQL Protocol
Yes
7.4
Network
High
None
None
Un-
changed
High
None
High
8.0.27 and prior
CVE-2022-21278
MySQL Server
Server: Optimizer
MySQL Protocol
No
7.1
Network
Low
Low
None
Un-
changed
None
Low
High
8.0.26 and prior
CVE-2022-21351
MySQL Server
Server: Optimizer
MySQL Protocol
No
7.1
Network
Low
Low
None
Un-
changed
None
Low
High
8.0.27 and prior
CVE-2022-21363
MySQL Connectors
Connector/J
MySQL Protocol
No
6.6
Network
High
High
None
Un-
changed
High
High
High
8.0.27 and prior
CVE-2022-21358
MySQL Server
Server: Security: Encryption
MySQL Protocol
No
6.5
Network
Low
Low
None
Un-
changed
None
None
High
8.0.27 and prior
CVE-2021-3634
MySQL Workbench
Workbench: libssh
MySQL Workbench
No
6.5
Network
Low
Low
None
Un-
changed
None
None
High
8.0.27 and prior
CVE-2022-21279
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21280
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21284
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21285
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21286
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21287
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21288
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21289
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21290
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
8.0.27 and prior
CVE-2022-21307
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21308
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
8.0.27 and prior
CVE-2022-21309
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21310
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21314
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21315
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21316
MySQL Cluster
Cluster: General
Multiple
No
6.3
Local
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21318
MySQL Cluster
Cluster: General
Multiple
No
6.3
Local
High
High
Required
Un-
changed
High
High
High
7.6.20 and prior, 8.0.27 and prior
CVE-2022-21320
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
8.0.27 and prior
CVE-2022-21322
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
8.0.27 and prior
CVE-2022-21326
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21327
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21328
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21329
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21330
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21332
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21334
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
8.0.27 and prior
CVE-2022-21335
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21336
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21337
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21356
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21380
MySQL Cluster
Cluster: General
Multiple
No
6.3
Adjacent
Network
High
High
Required
Un-
changed
High
High
High
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21352
MySQL Server
InnoDB
MySQL Protocol
No
5.9
Network
High
High
None
Un-
changed
None
High
High
8.0.26 and prior
CVE-2022-21367
MySQL Server
Server: Compiling
MySQL Protocol
No
5.5
Network
Low
High
None
Un-
changed
None
Low
High
5.7.36 and prior, 8.0.27 and prior
CVE-2022-21301
MySQL Server
Server: DML
MySQL Protocol
No
5.5
Network
Low
High
None
Un-
changed
None
Low
High
8.0.27 and prior
CVE-2022-21378
MySQL Server
Server: Optimizer
MySQL Protocol
No
5.5
Network
Low
High
None
Un-
changed
None
Low
High
8.0.27 and prior
CVE-2022-21302
MySQL Server
InnoDB
MySQL Protocol
No
5.3
Network
High
Low
None
Un-
changed
None
None
High
8.0.27 and prior
CVE-2022-21254
MySQL Server
Server: Optimizer
MySQL Protocol
No
5.3
Network
High
Low
None
Un-
changed
None
None
High
8.0.27 and prior
CVE-2022-21348
MySQL Server
InnoDB
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.27 and prior
CVE-2022-21270
MySQL Server
Server: Federated
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
5.7.36 and prior, 8.0.27 and prior
CVE-2022-21256
MySQL Server
Server: Group Replication Plugin
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.27 and prior
CVE-2022-21379
MySQL Server
Server: Group Replication Plugin
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.27 and prior
CVE-2022-21362
MySQL Server
Server: Information Schema
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.27 and prior
CVE-2022-21374
MySQL Server
Server: Information Schema
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.27 and prior
CVE-2022-21253
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.27 and prior
CVE-2022-21264
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.27 and prior
CVE-2022-21297
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.26 and prior
CVE-2022-21339
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.27 and prior
CVE-2022-21342
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.27 and prior
CVE-2022-21370
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.27 and prior
CVE-2022-21304
MySQL Server
Server: Parser
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
5.7.36 and prior, 8.0.27 and prior
CVE-2022-21344
MySQL Server
Server: Replication
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
5.7.36 and prior, 8.0.27 and prior
CVE-2022-21303
MySQL Server
Server: Stored Procedure
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
5.7.36 and prior, 8.0.27 and prior
CVE-2022-21368
MySQL Server
Server: Components Services
MySQL Protocol
No
4.7
Network
Low
High
None
Un-
changed
Low
Low
Low
8.0.27 and prior
CVE-2022-21245
MySQL Server
Server: Security: Privileges
MySQL Protocol
No
4.3
Network
Low
Low
None
Un-
changed
None
Low
None
5.7.36 and prior, 8.0.27 and prior
CVE-2022-21265
MySQL Server
Server: Optimizer
MySQL Protocol
No
3.8
Network
Low
High
None
Un-
changed
None
Low
Low
8.0.27 and prior
CVE-2022-21311
MySQL Cluster
Cluster: General
Multiple
No
2.9
Adjacent
Network
High
High
Required
Un-
changed
Low
None
Low
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21312
MySQL Cluster
Cluster: General
Multiple
No
2.9
Adjacent
Network
High
High
Required
Un-
changed
Low
None
Low
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21313
MySQL Cluster
Cluster: General
Multiple
No
2.9
Adjacent
Network
High
High
Required
Un-
changed
Low
None
Low
7.6.20 and prior, 8.0.27 and prior
CVE-2022-21317
MySQL Cluster
Cluster: General
Multiple
No
2.9
Adjacent
Network
High
High
Required
Un-
changed
Low
None
Low
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21319
MySQL Cluster
Cluster: General
Multiple
No
2.9
Adjacent
Network
High
High
Required
Un-
changed
Low
None
Low
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21321
MySQL Cluster
Cluster: General
Multiple
No
2.9
Adjacent
Network
High
High
Required
Un-
changed
Low
None
Low
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21323
MySQL Cluster
Cluster: General
Multiple
No
2.9
Adjacent
Network
High
High
Required
Un-
changed
Low
None
Low
7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21324
MySQL Cluster
Cluster: General
Multiple
No
2.9
Adjacent
Network
High
High
Required
Un-
changed
Low
None
Low
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21325
MySQL Cluster
Cluster: General
Multiple
No
2.9
Adjacent
Network
High
High
Required
Un-
changed
Low
None
Low
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21331
MySQL Cluster
Cluster: General
Multiple
No
2.9
Adjacent
Network
High
High
Required
Un-
changed
Low
None
Low
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21333
MySQL Cluster
Cluster: General
Multiple
No
2.9
Adjacent
Network
High
High
Required
Un-
changed
Low
None
Low
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21355
MySQL Cluster
Cluster: General
Multiple
No
2.9
Adjacent
Network
High
High
Required
Un-
changed
Low
None
Low
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21357
MySQL Cluster
Cluster: General
Multiple
No
2.9
Adjacent
Network
High
High
Required
Un-
changed
Low
None
Low
7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21249
MySQL Server
Server: DDL
MySQL Protocol
No
2.7
Network
Low
High
None
Un-
changed
None
None
Low
8.0.27 and prior
CVE-2022-21372
MySQL Server
Server: Security: Encryption
MySQL Protocol
No
2.7
Network
Low
High
None
Un-
changed
None
None
Low
8.0.27 and prior
Additional CVEs addressed are:
- The patch for CVE-2021-22946 also addresses CVE-2021-22947.
- The patch for CVE-2021-3712 also addresses CVE-2021-3711.
Oracle PeopleSoft Risk Matrix
This Critical Patch Update contains 13 new security patches for Oracle PeopleSoft. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-22931
PeopleSoft Enterprise PeopleTools
Elastic Search (Node.js)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
8.57, 8.58, 8.59
CVE-2021-2351
PeopleSoft Enterprise PeopleTools
Change Impact Analyzer (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
8.57, 8.58, 8.59
CVE-2022-21300
PeopleSoft Enterprise CS SA Integration Pack
Snapshot Integration
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
9.0, 9.2
CVE-2021-37137
PeopleSoft Enterprise PeopleTools
Elastic Search (Netty)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
8.57, 8.58, 8.59
CVE-2021-22946
PeopleSoft Enterprise PeopleTools
File Processing (cURL)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
8.57, 8.58, 8.59
CVE-2021-3712
PeopleSoft Enterprise PeopleTools
Security (OpenSSL)
Multiple
Yes
7.4
Network
High
None
None
Un-
changed
High
None
High
8.57, 8.58, 8.59
CVE-2021-23337
PeopleSoft Enterprise PeopleTools
Elastic Search (Lodash)
HTTP
No
7.2
Network
Low
High
None
Un-
changed
High
High
High
8.58, 8.59
CVE-2022-21345
PeopleSoft Enterprise PeopleTools
Security
HTTP
No
6.5
Network
Low
Low
None
Un-
changed
High
None
None
8.58, 8.59
CVE-2022-21359
PeopleSoft Enterprise PeopleTools
Optimization Framework
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.57, 8.58, 8.59
CVE-2022-21272
PeopleSoft Enterprise PeopleTools
Portal
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.57, 8.58, 8.59
CVE-2022-21369
PeopleSoft Enterprise PeopleTools
Rich Text Editor
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.57, 8.58, 8.59
CVE-2021-37695
PeopleSoft Enterprise PeopleTools
Rich Text Editor (CKEditor)
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
8.57, 8.58, 8.59
CVE-2022-21364
PeopleSoft Enterprise PeopleTools
Weblogic
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
8.57, 8.58, 8.59
Additional CVEs addressed are:
- The patch for CVE-2021-22931 also addresses CVE-2021-22939 and CVE-2021-22940.
- The patch for CVE-2021-22946 also addresses CVE-2021-22924, CVE-2021-22925, CVE-2021-22926 and CVE-2021-22947.
- The patch for CVE-2021-23337 also addresses CVE-2020-28500 and CVE-2020-8203.
- The patch for CVE-2021-3712 also addresses CVE-2021-3711.
- The patch for CVE-2021-37137 also addresses CVE-2021-37136.
- The patch for CVE-2021-37695 also addresses CVE-2021-32808 and CVE-2021-32809.
Oracle Policy Automation Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle Policy Automation. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-2351
Oracle Policy Automation
Determinations Engine (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
12.2.0-12.2.24
Oracle Retail Applications Risk Matrix
This Critical Patch Update contains 43 new security patches for Oracle Retail Applications. 34 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-13936
Oracle Retail Integration Bus
RIB Kernal (Apache Velocity Engine)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
19.0.1
CVE-2020-13936
Oracle Retail Order Broker
Order Broker Foundation (Apache Velocity Engine)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
16.0
CVE-2020-13936
Oracle Retail Service Backbone
RSB kernel (Apache Velocity Engine)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
19.0.1
CVE-2021-2351
Oracle Retail Analytics
Other (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
21.0.001
CVE-2021-2351
Oracle Retail Assortment Planning
Application Core (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
16.0.3
CVE-2021-2351
Oracle Retail Back Office
Security (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
14.1
CVE-2021-2351
Oracle Retail Central Office
Security (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
14.1
CVE-2021-2351
Oracle Retail Customer Insights
Other (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
21.0.001
CVE-2021-2351
Oracle Retail Extract Transform and Load
Mathematical Operators (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
13.2.8
CVE-2021-2351
Oracle Retail Financial Integration
PeopleSoft Integration Bugs (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
CVE-2021-2351
Oracle Retail Integration Bus
RIB Kernal (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
CVE-2021-2351
Oracle Retail Merchandising System
Foundation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
19.0.1
CVE-2021-2351
Oracle Retail Order Broker
System Administration (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
16.0, 18.0, 19.1
CVE-2021-2351
Oracle Retail Order Management System
Upgrade Install (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
19.5
CVE-2021-2351
Oracle Retail Point-of-Service
Security (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
14.1
CVE-2021-2351
Oracle Retail Predictive Application Server
RPAS Server (OCCI)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
14.1.3, 15.0.3, 16.0.3
CVE-2021-2351
Oracle Retail Price Management
Security (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
14.1, 15, 16
CVE-2021-2351
Oracle Retail Returns Management
Security (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
14.1
CVE-2021-2351
Oracle Retail Service Backbone
RSB Installation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
CVE-2021-2351
Oracle Retail Xstore Point of Service
Xenvironment (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
17.0.4, 18.0.3, 19.0.2, 20.0.1
CVE-2021-22118
Oracle Retail Customer Management and Segmentation Foundation
Deal (Spring Framework)
None
No
7.8
Local
Low
Low
None
Un-
changed
High
High
High
16.0-19.0
CVE-2021-4104
Oracle Retail Allocation
General (Apache Log4j)
HTTP
No
7.5
Network
High
Low
None
Un-
changed
High
High
High
14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
CVE-2021-23337
Oracle Retail Customer Management and Segmentation Foundation
Security (Lodash)
HTTP
No
7.2
Network
Low
High
None
Un-
changed
High
High
High
19.0
CVE-2021-44832
Oracle Retail Assortment Planning
Application Core (Apache Log4j)
HTTP
No
6.6
Network
High
High
None
Un-
changed
High
High
High
16.0.3
See Note 1
CVE-2021-44832
Oracle Retail Fiscal Management
NF Issuing (Apache Log4j)
HTTP
No
6.6
Network
High
High
None
Un-
changed
High
High
High
14.2
See Note 1
CVE-2021-45105
Oracle Retail Back Office
Security (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
14.1
See Note 1
CVE-2021-45105
Oracle Retail Central Office
Security (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
14.1
See Note 1
CVE-2021-45105
Oracle Retail EFTLink
Installation (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
16.0.3, 17.0.2, 18.0.1, 19.0.1, 20.0.1
See Note 1
CVE-2021-45105
Oracle Retail Integration Bus
RIB Kernal (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
14.1.3.0, 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1
See Note 1
CVE-2021-45105
Oracle Retail Invoice Matching
Security (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
15.0.3, 16.0.3
See Note 1
CVE-2021-45105
Oracle Retail Order Broker
System Administration (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
16.0, 18.0, 19.1
See Note 1
CVE-2021-45105
Oracle Retail Order Management System
Upgrade Install (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
19.5
See Note 1
CVE-2021-45105
Oracle Retail Point-of-Service
Administration (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
14.1
See Note 1
CVE-2021-45105
Oracle Retail Predictive Application Server
RPAS Server (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
14.1.3.46, 15.0.3.115, 16.0.3.240
See Note 1
CVE-2021-45105
Oracle Retail Price Management
Security (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
13.2, 14.0.4, 14.1.3, 15.0.3, 16.0.3
See Note 1
CVE-2021-45105
Oracle Retail Returns Management
Security (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
14.1
See Note 1
CVE-2021-45105
Oracle Retail Service Backbone
RSB Installation (Apache Log4j)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
14.1.3.0, 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1
See Note 1
CVE-2021-31812
Oracle Retail Customer Management and Segmentation Foundation
Security (Apache PDFbox)
None
No
5.5
Local
Low
None
Required
Un-
changed
None
None
High
18.1
CVE-2021-29425
Oracle Retail Assortment Planning
Application Core (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
16.0.3
CVE-2021-29425
Oracle Retail Integration Bus
RIB Kernal (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
CVE-2021-29425
Oracle Retail Order Broker
System Administration (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
16.0, 18.0, 19.1
CVE-2021-29425
Oracle Retail Service Backbone
RSB Installation (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
15.0.3.1, 16.0.3, 19.0.1
CVE-2021-29425
Oracle Retail Size Profile Optimization
Application Core (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
16.0.3
Notes:
- This patch also addresses vulnerabilities CVE-2021-44228 and CVE-2021-45046. Customers need not apply the patches/mitigations of Security Alert CVE-2021-44228 and CVE-2021-45046 for this product.
Additional CVEs addressed are:
- The patch for CVE-2021-23337 also addresses CVE-2020-28500.
- The patch for CVE-2021-31812 also addresses CVE-2021-31811.
Oracle Siebel CRM Risk Matrix
This Critical Patch Update contains 2 new security patches for Oracle Siebel CRM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-2351
Siebel UI Framework
EAI (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
21.11 and prior
CVE-2021-44832
Siebel UI Framework
Enterprise Cache (Apache Log4j)
HTTP
No
6.6
Network
High
High
None
Un-
changed
High
High
High
21.11 and prior
See Note 1
Notes:
- This patch also addresses vulnerabilities CVE-2021-44228 and CVE-2021-45046. Customers need not apply the patches/mitigations of Security Alert CVE-2021-44228 and CVE-2021-45046 for this product.
Additional CVEs addressed are:
- The patch for CVE-2021-44832 also addresses CVE-2021-45105.
Oracle Supply Chain Risk Matrix
This Critical Patch Update contains 10 new security patches for Oracle Supply Chain. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-2351
Oracle Agile Engineering Data Management
Installation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
6.2.1.0
CVE-2021-2351
Oracle Agile PLM
Security (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
9.3.6
CVE-2021-2351
Oracle Demantra Demand Management
Security (JDBC, OCCI)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
12.2.6-12.2.11
CVE-2021-2351
Oracle Product Lifecycle Analytics
Installation (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
3.6.1
CVE-2021-2351
Oracle Rapid Planning
Middle Tier (JDBC, OCCI)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
12.2.6-12.2.11
CVE-2020-25649
Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite
Installation Issues (jackson-databind)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
High
None
3.6
CVE-2021-35043
Oracle Agile PLM
Security (AntiSamy)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.3.3
CVE-2021-36374
Oracle Agile PLM
Security (Apache Ant)
None
No
5.5
Local
Low
None
Required
Un-
changed
None
None
High
9.3.6
CVE-2020-17521
Oracle Agile PLM MCAD Connector
CAX Client (Apache Groovy)
None
No
5.5
Local
Low
Low
None
Un-
changed
High
None
None
3.6, 3.4
CVE-2021-33037
Oracle Agile PLM
Security (Apache Tomcat)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
None
Low
None
9.3.6
Additional CVEs addressed are:
- The patch for CVE-2021-36374 also addresses CVE-2021-36373.
Oracle Support Tools Risk Matrix
This Critical Patch Update contains 4 new security patches for Oracle Support Tools. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-27568
OSS Support Tools
Diagnostic Assistant (json-smart)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
None
High
Prior to 2.12.42
CVE-2021-2351
OSS Support Tools
Diagnostic Assistant (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
Prior to 2.12.42
CVE-2016-7103
OSS Support Tools
Diagnostic Assistant (jQuery UI)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
Prior to 2.12.42
CVE-2021-29425
OSS Support Tools
Diagnostic Assistant (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
Prior to 2.12.42
Oracle Systems Risk Matrix
This Critical Patch Update contains 11 new security patches for Oracle Systems. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-3517
Oracle ZFS Storage Appliance Kit
Operating System Image
Multiple
Yes
8.6
Network
Low
None
None
Un-
changed
Low
Low
High
8.8
CVE-2021-2351
Oracle ZFS Storage Application Integration Engineering Software
Snap Management Utility (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
1.3.3
CVE-2020-8285
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers
XCP Firmware (cURL)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
Prior to XCP2410, prior to XCP3110
CVE-2021-3326
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers
XCP Firmware (glibc)
Multiple
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
Prior to XCP2410, prior to XCP3110
CVE-2021-23840
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers
XCP Firmware (OpenSSL)
TLS
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
Prior to XCP2410, prior to XCP3110
CVE-2020-13817
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers
XCP Firmware (NTP)
NTP
Yes
7.4
Network
High
None
None
Un-
changed
None
High
High
Prior to XCP2410, prior to XCP3110
CVE-2021-43395
Oracle Solaris
Filesystem
None
No
6.5
Local
Low
Low
None
Changed
None
None
High
11, 10
CVE-2022-21375
Oracle Solaris
Kernel
None
No
5.5
Local
Low
Low
None
Un-
changed
None
None
High
11
CVE-2022-21271
Oracle Solaris
Libraries
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
None
Low
11
CVE-2022-21263
Oracle Solaris
Fault Management Architecture
None
No
4.8
Local
Low
Low
Required
Un-
changed
Low
Low
Low
11
CVE-2022-21298
Oracle Solaris
Install
None
No
3.9
Local
Low
Low
Required
Un-
changed
None
Low
Low
11
Additional CVEs addressed are:
- The patch for CVE-2020-8285 also addresses CVE-2020-8177 and CVE-2020-8284.
- The patch for CVE-2021-3517 also addresses CVE-2021-3516, CVE-2021-3541 and CVE-2021-36690.
Oracle Utilities Applications Risk Matrix
This Critical Patch Update contains 13 new security patches for Oracle Utilities Applications. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14756
Oracle Utilities Framework
General (Oracle Coherence)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0
CVE-2021-27568
Oracle Utilities Framework
Common (json-smart)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
None
High
4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0
CVE-2021-39139
Oracle Utilities Framework
General (XStream)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0
CVE-2020-13936
Oracle Utilities Testing Accelerator
Tools (Apache Velocity Engine)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1
CVE-2021-39139
Oracle Utilities Testing Accelerator
Tools (XStream)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
6.0.0.1.1
CVE-2021-2351
Oracle Utilities Framework
General (JDBC)
HTTP
Yes
8.3
Network
High
None
Required
Changed
High
High
High
4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0
CVE-2021-2351
Oracle Utilities Testing Accelerator
Tools (JDBC)
Oracle Net
Yes
8.3
Network
High
None
Required
Changed
High
High
High
6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1
CVE-2021-22118
Oracle Utilities Testing Accelerator
Tools (Spring Framework)
None
No
7.8
Local
Low
Low
None
Un-
changed
High
High
High
6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1
CVE-2021-36090
Oracle Utilities Testing Accelerator
Tools (Apache Commons Compress)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1
CVE-2021-4104
Oracle Utilities Testing Accelerator
Tools (Apache Log4j)
HTTP
No
7.5
Network
High
Low
None
Un-
changed
High
High
High
6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1
CVE-2021-36374
Oracle Utilities Testing Accelerator
Tools (Apache Ant)
None
No
5.5
Local
Low
None
Required
Un-
changed
None
None
High
6.0.0.1.1
CVE-2021-33037
Oracle Utilities Testing Accelerator
Tools (Apache Tomcat)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
None
Low
None
6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1
CVE-2021-29425
Oracle Utilities Testing Accelerator
Tools (Apache Commons IO)
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
6.0.0.1.1
Additional CVEs addressed are:
- The patch for CVE-2020-14756 also addresses CVE-2020-14642, CVE-2021-2277, CVE-2021-2344, CVE-2021-2371 and CVE-2021-2428.
- The patch for CVE-2021-27568 also addresses CVE-2021-31684.
- The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
- The patch for CVE-2021-36374 also addresses CVE-2021-36373.
- The patch for CVE-2021-39139 also addresses CVE-2021-39140, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152, CVE-2021-39153 and CVE-2021-39154.
Oracle Virtualization Risk Matrix
This Critical Patch Update contains 2 new security patches for Oracle Virtualization. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2022-21394
Oracle VM VirtualBox
Core
None
No
6.5
Local
Low
Low
None
Changed
High
None
None
Prior to 6.1.32
CVE-2022-21295
Oracle VM VirtualBox
Core
None
No
3.8
Local
Low
Low
None
Changed
Low
None
None
Prior to 6.1.32
See Note 1
Notes:
- This vulnerability applies to Windows systems only.
Why Oracle
- Analyst Reports
- Gartner MQ for ERP Cloud
- Cloud Economics
- Corporate Responsibility
- Diversity and Inclusion
- Security Practices
Learn
- What is cloud computing?
- What is CRM?
- What is Docker?
- What is Kubernetes?
- What is Python?
- What is SaaS?
What’s New
Try Oracle Cloud Free Tier
Oracle Product Navigator
Oracle and Premier League
Oracle and Red Bull Racing Honda
Employee Experience Platform
Oracle Support Rewards
© 2022 Oracle
Site Map
Privacy/Do Not Sell My Info
Ad Choices
Careers
Facebook
Twitter
LinkedIn
YouTube