On 19 January 2022, Oracle issued a Critical Patch Update fixing 497 vulnerabilities; many of these can be used for remote execution of code without authentication. We recommend applying the latest updates as soon as possible.
Details
The Critical Patch Update addresses vulnerabilities in multiple Oracle product families and their third-party components; 28 of these were rated critical, and three of the vulnerabilities were rated with a CVSS 3.1 score of 10. The most impacted of those products, Oracle Communications, received 84 new security updates and third-party patches, with 50 of these vulnerabilities being remotely exploitable without authentication.
The latest updates address some of the third-party flaws in Apache Log4j, a logging framework for Java applications that is used by multiple Oracle products. Over 100 Oracle products have been reported to be vulnerable to these flaws, with some still being investigated. The current list includes products that received fixes for Log4j flaws tracked as CVE-2021-45105, CVE-2021-44832, and CVE-2021-4104.
In December 2021, Oracle published an advisory on Log4j vulnerabilities, which references a list of vulnerable products. This list was only shared with Oracle customers. The Log4j vulnerabilities from the advisory are tracked as CVE-2021-44228 and CVE-2021-45046.
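Because Oracle's product list is customer-only and many of its products bundle their own copy of log4j-core, the practical first step is to inventory the Log4j jars actually on disk and map each version to the CVEs named above. The script below is an added example, not Oracle's or Apache's tooling; the only data it carries is the Apache fix version for each CVE on each maintained Log4j branch (2.3.x for Java 6, 2.12.x for Java 7, and the main line), and the sample jar it scans when run without arguments is constructed in a temporary directory.

```python
"""Inventory on-disk Log4j jars and map their versions to the Log4j CVEs in the advisory.

Added example; not Oracle's or Apache's code. FIXED_IN encodes the first release on
each Log4j 2 branch that closed each CVE; everything below that floor is affected.
"""
import os
import re
import zipfile
from typing import Dict, List, Tuple

# First fixed release per CVE and per maintained branch. "main" covers every
# other 2.x line (2.0-beta9 through 2.17.x).
FIXED_IN: Dict[str, Dict[str, Tuple[int, int, int]]] = {
    "CVE-2021-44228": {"2.3": (2, 3, 1), "2.12": (2, 12, 2), "main": (2, 15, 0)},
    "CVE-2021-45046": {"2.3": (2, 3, 1), "2.12": (2, 12, 2), "main": (2, 16, 0)},
    "CVE-2021-45105": {"2.3": (2, 3, 1), "2.12": (2, 12, 3), "main": (2, 17, 0)},
    "CVE-2021-44832": {"2.3": (2, 3, 2), "2.12": (2, 12, 4), "main": (2, 17, 1)},
}

# Maven pom.properties inside the jar is the authoritative version source.
POM_PATHS = (
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",  # Log4j 2
    "META-INF/maven/log4j/log4j/pom.properties",                          # Log4j 1
)
# Fallback: version taken from the file name, e.g. log4j-core-2.14.1.jar
JAR_NAME = re.compile(r"^log4j(?:-core)?-(\d+\.\d+(?:\.\d+)?(?:-[\w.]+)?)\.jar$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); a pre-release such as '2.0-beta9' -> (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(version: str) -> List[str]:
    """Return the advisory CVEs that a given Log4j version is still open to."""
    v = parse_version(version)
    if v[0] == 1:
        # Log4j 1.x is end-of-life; CVE-2021-4104 requires JMSAppender in the config.
        return ["CVE-2021-4104 (exploitable only if JMSAppender is configured)"]
    if v[0] != 2:
        return []
    branch = f"{v[0]}.{v[1]}"
    return [cve for cve, floors in FIXED_IN.items()
            if v < floors.get(branch, floors["main"])]


def jar_version(path: str) -> str:
    """Read the version from pom.properties inside the jar, else from the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            for pom in POM_PATHS:
                if pom in names:
                    for line in zf.read(pom).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        pass
    m = JAR_NAME.match(os.path.basename(path))
    return m.group(1) if m else ""


def scan(root: str) -> List[Tuple[str, str, List[str]]]:
    """Walk root and report (jar path, version, open CVEs) for each Log4j jar.

    Jars nested inside .war/.ear archives are not opened here.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                if version:
                    findings.append((path, version, classify(version)))
    return findings


if __name__ == "__main__":
    import sys
    import tempfile

    # Constructed sample: a minimal jar holding only pom.properties, standing in
    # for a real log4j-core jar in an Oracle product's lib directory.
    with tempfile.TemporaryDirectory() as tmp:
        jar = os.path.join(tmp, "lib", "log4j-core-2.14.1.jar")
        os.makedirs(os.path.dirname(jar))
        with zipfile.ZipFile(jar, "w") as zf:
            zf.writestr(POM_PATHS[0], "groupId=org.apache.logging.log4j\n"
                                      "artifactId=log4j-core\nversion=2.14.1\n")
        target = sys.argv[1] if len(sys.argv) > 1 else tmp
        for path, version, cves in scan(target):
            print(f"{path}: log4j {version} -> "
                  f"{', '.join(cves) or 'no open CVEs from this list'}")
```

Run it with an Oracle product's home directory as the argument. Two caveats: the script reports what is on disk, not what is loaded, so a jar left behind by a patched product is a finding to verify rather than a confirmed exposure; and Oracle products frequently bundle Log4j inside .war/.ear archives, which this example does not open.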
Other notable updates include fixes in the Oracle Communications Applications family of products, which received 33 new security fixes; 22 of these vulnerabilities may be remotely exploitable without authentication. Within this family, the Communications Billing and Revenue Management product had the most severe vulnerabilities with a CVSS 3.1 score of 9.9-10. These included:
These vulnerabilities are easy to exploit and could allow an unauthenticated or low-privileged threat actor who already has network access via HTTP to compromise the affected component. Oracle also states that a successful attack may significantly impact additional products, i.e. a CVSS scope change: in CVSS 3.1 that is what separates 10.0 from 9.8 for an unauthenticated attacker and 9.9 from 8.8 for a low-privileged one, and it reflects the connections these billing components have to other services.
Other Oracle products that received fixes for critical vulnerabilities include:
- Access Manager – versions 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0
- Banking APIs – versions 18.1 to 18.3, 19.1, 19.2, 20.1 and 21.1
- Banking Digital Experience – versions 18.1 to 18.3, 19.1, 19.2, 20.1 and 21.1
- Business Intelligence Enterprise Edition – versions 12.2.1.3.0 and 12.2.1.4.0
- Communications Billing and Revenue Management – versions 12.0.0.3 and 12.0.0.4
- Communications Cloud Native Core Policy – version 1.14.0
- Communications EAGLE Application Processor – versions 16.1 to 16.4
- Enterprise Manager Ops Center – version 12.4.0.0
- Essbase – versions prior to 11.1.2.4.047 and 21.3
- Essbase Administration Services – versions prior to 11.1.2.4.047
- GoldenGate – versions prior to 21.4.0.0.0
- HTTP Server – versions 12.2.1.3.0, 12.2.1.4.0 and 12.2.1.5.0
- Instantis EnterpriseTrack – versions 17.1, 17.2 and 17.3
- Insurance Policy Administration J2EE – versions 10.2.0, 10.2.4, 11.0.2 and 11.1.0 to 11.3.0
- Insurance Rules Palette – versions 10.2.0, 10.2.4, 11.0.2 and 11.1.0 to 11.3.0
- OSS Support Tools – versions prior to 2.12.42
- PeopleSoft Enterprise PeopleTools – versions 8.57, 8.58 and 8.59
- Primavera Unifier – versions 17.7 to 17.12, 18.8, 19.12, 20.12 and 21.12
- Secure Backup – versions prior to 18.1.0.1.0
- Utilities Framework – versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 to 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 and 4.4.0.3.0
- WebLogic Server – versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
Recommendations
If you are using any of the products mentioned in the Oracle Critical Patch Update Advisory, review the information on the advisory page referenced below.
We recommend applying the latest updates and all applicable mitigations as soon as possible.
References
Oracle Critical Patch Update Advisory