On 19 July 2022, Oracle issued a Critical Patch Update fixing 349 vulnerabilities; many of these can be exploited for remote code execution without authentication. We recommend applying the latest updates as soon as possible.
Details
The Critical Patch Update (CPU) addresses vulnerabilities in multiple Oracle product families and their third-party components; 64 of these were rated critical.
The most severe of the vulnerabilities was rated with a CVSS 3.1 score of 10 out of 10, affecting those applications in the Oracle Communications family of products that use Spring Cloud Gateway. The flaw is tracked as CVE-2022-22947 and allows code injection attacks when the Gateway Actuator endpoint is enabled, externally exposed and unsecured. A remote threat actor could make a malicious request that would allow arbitrary code execution on a vulnerable host. The products that received fixes for this vulnerability were:
- Oracle Communications Cloud Native Core Binding Support Function BSF
- Oracle Communications Cloud Native Core Console CNC Console
- Oracle Communications Cloud Native Core Network Repository Function NRF
- Oracle Communications Cloud Native Core Security Edge Protection Proxy SEPP
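The advisory describes the precondition for CVE-2022-22947 as the Gateway Actuator endpoint being enabled, externally exposed and unsecured. The following is an added example, not configuration from Oracle or the Spring project: two Spring Boot `application.yml` fragments for a service built on Spring Cloud Gateway, the first showing that exposed state and the second the hardened state. The property names (`management.endpoint.gateway.enabled`, `management.endpoints.web.exposure.include`, `management.server.port`, `management.server.address`) are standard Spring Boot Actuator and Spring Cloud Gateway settings; the two fragments are shown as separate YAML documents because they would normally live in separate files. Hardening the configuration reduces exposure but is a mitigation only; the vendor fix still needs to be applied.

```yaml
# Added example (not from the Oracle advisory or the Spring project).
# Document 1: exposed configuration, matching the precondition in the advisory.
# The gateway actuator endpoint is enabled (its default), included in the HTTP
# exposure list, and served on the same listener as application traffic, with
# nothing in front of it requiring authentication.
management:
  endpoints:
    web:
      exposure:
        include: "health,info,gateway"
  endpoint:
    gateway:
      enabled: true
---
# Document 2: hardened configuration.
# 1. Expose only the endpoints actually needed over HTTP; "gateway" is not one of them.
# 2. Disable the gateway endpoint explicitly, so a later edit to the exposure list
#    cannot silently bring it back.
# 3. Move all management endpoints to a separate port bound to the loopback
#    interface, so they are never reachable through the public listener even if
#    a new endpoint is exposed later.
management:
  endpoints:
    web:
      exposure:
        include: "health"
  endpoint:
    gateway:
      enabled: false
  server:
    port: 9090
    address: 127.0.0.1
```

After deploying the hardened configuration, confirm from outside the host that the management port is not reachable and that the public listener no longer serves `/actuator/gateway`; a reverse proxy or firewall rule in front of the service should deny the management path as a second layer.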
The latest updates also address some of the third-party flaws in the Spring Framework, which is used by multiple Oracle products. The current list includes 35 Oracle products that received fixes for flaws tracked as CVE-2022-22965 and CVE-2022-22963, both rated with a CVSS 3.1 score of 9.8.
The most impacted Oracle product family – Financial Services Applications – received 59 new security updates; 38 of these vulnerabilities are remotely exploitable without authentication.
- Ten products in this family use Spring Cloud Function and were affected by CVE-2022-22963, noted above.
- Oracle Financial Services Crime and Compliance Management Studio uses multiple third-party components affected by critical vulnerabilities, each rated with a CVSS 3.1 score of 9.8:
  - CVE-2021-41303 in Apache Shiro could allow an authentication bypass using a malicious HTTP request.
  - CVE-2018-1273, a four-year-old property binder vulnerability in Spring Data Commons, could allow unauthenticated remote code execution.
  - CVE-2022-22978 in the Spring Security framework could allow an authorization bypass.
The Oracle Solaris Third Party Bulletin contains 10 new security updates for the Oracle Solaris Operating System; eight of these vulnerabilities may be remotely exploitable without authentication. These CVEs were fixed in Solaris 11.4 Support Repository Update (SRU) 47.
In the July Java Development Kit (JDK) 8u341 Update Release Notes, Oracle indicated that it enabled TLS 1.3 by default on both the client and the server on all Oracle Java releases that support TLS 1.3 (8, 11, 17, 18).
Other notable updates include a fix in Oracle E-Business Suite Information Discovery Packaging for the Apache Log4j issue tracked as CVE-2022-23305 (CVSS 3.1 score of 9.8).
Recommendations
If you are using any of the products mentioned in the Oracle Critical Patch Update Advisory, review the information on the advisory page referenced below.
We recommend applying the latest updates and all applicable mitigations as soon as possible.
References