On 19 January 2022, Oracle issued a Critical Patch Update fixing 497 vulnerabilities, many of them remotely exploitable without authentication. We recommend applying the latest updates as soon as possible.
The Critical Patch Update addresses vulnerabilities in multiple Oracle product families and the third-party components they bundle; 28 of the vulnerabilities are rated critical, and three carry the maximum CVSS 3.1 score of 10.0. The most affected product family, Oracle Communications, received 84 new security updates and third-party patches, 50 of which address vulnerabilities that are remotely exploitable without authentication.
The update also addresses third-party flaws in Apache Log4j, the Java logging library that many Oracle products bundle. More than 100 Oracle products have been reported as affected, and some are still under investigation. The products fixed in this update received patches for the Log4j flaws tracked as CVE-2021-45105 (denial of service through uncontrolled recursion in lookups), CVE-2021-44832 (remote code execution via a JDBC Appender when an attacker can modify the logging configuration) and CVE-2021-4104 (deserialization of untrusted data in the Log4j 1.2 JMSAppender).
In December 2021, Oracle published a separate advisory on the earlier Log4j vulnerabilities, CVE-2021-44228 (Log4Shell) and CVE-2021-45046, which references a list of affected products; that list was shared only with Oracle customers.
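A first-pass triage of an Oracle install tree for bundled Log4j jars, checked against the five CVEs named above, as an added Python example (it is not Oracle's tooling and not code from the original page). The per-release-line fix thresholds are taken from the Apache Log4j security page; the sample jar names are constructed. The scan only recognises conventionally named jars (log4j-core-<version>.jar and log4j-<1.x>.jar), so for repackaged or shaded copies Oracle's own affected-product list remains authoritative.

```python
"""Triage Log4j jars against the CVEs named in the Oracle January 2022 CPU.

Added example, not Oracle's code. Fix thresholds come from the Apache Log4j
security page; the SAMPLE file names below are constructed for illustration.
"""
import os
import re
import zipfile

# Lowest fixed version per CVE and release line. 2.12.x is the Java 7 backport
# line and 2.3.x the Java 6 backport line; everything else in 2.x is "main".
FIXED_IN = {
    "CVE-2021-44228": {"main": (2, 15, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)},
    "CVE-2021-45046": {"main": (2, 16, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)},
    "CVE-2021-45105": {"main": (2, 17, 0), "2.12": (2, 12, 3), "2.3": (2, 3, 1)},
    "CVE-2021-44832": {"main": (2, 17, 1), "2.12": (2, 12, 4), "2.3": (2, 3, 2)},
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
# Matches log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, log4j-1.2.17.jar;
# deliberately does not match log4j-api-*.jar, which is not the vulnerable jar.
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d[\w.\-]*)\.jar$")


def parse_version(text):
    """Return (major, minor, patch) from '2.14.1', '2.0-beta9', etc., or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def affected_cves(version):
    """List the advisory's Log4j CVEs that apply to a given log4j version string."""
    v = parse_version(version)
    if v is None:
        return []
    if v[0] == 1:
        # Log4j 1.x is end-of-life; CVE-2021-4104 requires JMSAppender to be configured.
        return ["CVE-2021-4104"]
    if v[0] != 2:
        return []
    line = "2.12" if v[:2] == (2, 12) else "2.3" if v[:2] == (2, 3) else "main"
    return [cve for cve, fixed in FIXED_IN.items() if v < fixed[line]]


def version_from_jar(path):
    """Read Implementation-Version from the jar manifest; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        pass
    return os.path.basename(path)


def triage_names(file_names):
    """Map each Log4j jar file name to its applicable CVEs; other names are skipped."""
    result = {}
    for name in file_names:
        m = JAR_RE.match(os.path.basename(name))
        if m:
            result[name] = affected_cves(m.group(1))
    return result


def scan_tree(root):
    """Walk an install tree (e.g. an ORACLE_HOME) and triage every Log4j jar found."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if JAR_RE.match(f):
                path = os.path.join(dirpath, f)
                hits[path] = affected_cves(version_from_jar(path))
    return hits


# Constructed sample: jar names as they might appear under a product install.
SAMPLE = [
    "lib/log4j-core-2.14.1.jar",
    "lib/log4j-core-2.17.1.jar",
    "lib/log4j-core-2.12.2.jar",
    "lib/log4j-1.2.17.jar",
    "lib/log4j-api-2.14.1.jar",
]

if __name__ == "__main__":
    for name, cves in triage_names(SAMPLE).items():
        print(f"{name}: {', '.join(cves) or 'no listed CVE applies'}")
```

Run scan_tree() against each product's install directory; a hit for a CVE whose fix is in this update is a strong signal that the product patch has not been applied, while an empty result does not prove absence, since Oracle products also ship Log4j under other names.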
Other notable updates include fixes in the Oracle Communications Applications family of products, which received 33 new security fixes, 22 of them for vulnerabilities that are remotely exploitable without authentication. Within this family, the Communications Billing and Revenue Management product had the most severe vulnerabilities, with CVSS 3.1 scores of 9.9 to 10.0. These included:
These vulnerabilities are easy to exploit: an attacker with network access via HTTP, either unauthenticated or holding only low privileges, can compromise the affected component. Oracle states that a successful attack may also affect additional products, presumably because these components connect to a range of other services.
Other Oracle products that received fixes for critical vulnerabilities include:
- Access Manager – versions 220.127.116.11.0, 18.104.22.168.0 and 22.214.171.124.0
- Banking APIs – versions 18.1 to 18.3, 19.1, 19.2, 20.1 and 21.1
- Banking Digital Experience – versions 18.1 to 18.3, 19.1, 19.2, 20.1 and 21.1
- Business Intelligence Enterprise Edition – versions 126.96.36.199.0 and 188.8.131.52.0
- Communications Billing and Revenue Management – versions 184.108.40.206 and 220.127.116.11
- Communications Cloud Native Core Policy – version 1.14.0
- Communications EAGLE Application Processor – versions 16.1 to 16.4
- Enterprise Manager Ops Center – version 18.104.22.168
- Essbase – versions prior to 22.214.171.124.047 and 21.3
- Essbase Administration Services – versions prior to 126.96.36.199.047
- GoldenGate – versions prior to 188.8.131.52.0
- HTTP Server – versions 184.108.40.206.0, 220.127.116.11.0 and 18.104.22.168.0
- Instantis EnterpriseTrack – versions 17.1, 17.2 and 17.3
- Insurance Policy Administration J2EE – versions 10.2.0, 10.2.4, 11.0.2 and 11.1.0 to 11.3.0
- Insurance Rules Palette – versions 10.2.0, 10.2.4, 11.0.2 and 11.1.0 to 11.3.0
- OSS Support Tools – versions prior to 2.12.42
- PeopleSoft Enterprise PeopleTools – versions 8.57, 8.58 and 8.59
- Primavera Unifier – versions 17.7 to 17.12, 18.8, 19.12, 20.12 and 21.12
- Secure Backup – versions prior to 22.214.171.124.0
- Utilities Framework – versions 126.96.36.199.0, 188.8.131.52.0, 184.108.40.206.0 to 220.127.116.11.0, 18.104.22.168.0, 22.214.171.124.0 and 126.96.36.199.0
- WebLogic Server – versions 188.8.131.52.0, 184.108.40.206.0, 220.127.116.11.0 and 18.104.22.168.0
If you use any of the products listed in the Oracle Critical Patch Update Advisory, review the advisory page referenced below and apply the latest updates and all applicable mitigations as soon as possible.
Oracle Critical Patch Update Advisory