Skip Navigation

January 21, 2022 |

Oracle critical patch update addresses 497 flaws

Last updated: February 7, 2023

On 19 January 2022, Oracle issued a Critical Patch Update fixing 497 vulnerabilities; many of these can be used for remote execution of code without authentication. We recommend applying the latest updates as soon as possible.


The Critical Patch Update addresses vulnerabilities in multiple Oracle product families and their third-party components; 28 of these were rated critical, and three of the vulnerabilities were rated with a CVSS 3.1 score of 10. The most impacted of those products, Oracle Communications, received 84 new security updates and third-party patches, with 50 of these vulnerabilities being remotely exploitable without authentication.

The latest updates address some of the third-party flaws in Apache Log4j, a logging framework for Java applications that is used by multiple Oracle products. Over 100 Oracle products have been reported to be vulnerable to these flaws, with some still being investigated. The current list includes products that received fixes for Log4j flaws tracked as CVE-2021-45105, CVE-2021-44832, and CVE-2021-4104.

In December 2021, Oracle published an advisory on Log4j vulnerabilities, which references a list of vulnerable products. This list was only shared with Oracle customers. The Log4j vulnerabilities from the advisory are tracked as CVE-2021-44228 and CVE-2021-45046.

Other notable updates include fixes in the Oracle Communications Applications family of products, which received 33 new security fixes; 22 of these vulnerabilities may be remotely exploitable without authentication. Within this family, the Communications Billing and Revenue Management product had the most severe vulnerabilities with a CVSS 3.1 score of 9.9-10. These included:

These vulnerabilities are easy to exploit and could allow an unauthenticated or low privilege threat actor to obtain network access via HTTP. Oracle stated that such access may have an impact on additional products, possibly due to the nature of connections that these components have to various services.

Other Oracle products that received fixes for critical vulnerabilities include:

  •  Access Manager – versions, and
  •  Banking APIs – versions 18.1 to 18.3, 19.1, 19.2, 20.1 and 21.1
  •  Banking Digital Experience – versions 18.1 to 18.3, 19.1, 19.2, 20.1 and 21.1
  •  Business Intelligence Enterprise Edition – versions and
  •  Communications Billing and Revenue Management – versions and
  •  Communications Cloud Native Core Policy – version 1.14.0
  •  Communications EAGLE Application Processor – versions 16.1 to 16.4
  •  Enterprise Manager Ops Center – version
  •  Essbase – versions prior to and 21.3
  •  Essbase Administration Services – versions prior to
  •  GoldenGate – versions prior to
  •  HTTP Server – versions, and
  •  Instantis EnterpriseTrack – versions 17.1, 17.2 and 17.3
  •  Insurance Policy Administration J2EE – versions 10.2.0, 10.2.4, 11.0.2 and 11.1.0 to 11.3.0
  •  Insurance Rules Palette – versions 10.2.0, 10.2.4, 11.0.2 and 11.1.0 to 11.3.0
  •  OSS Support Tools – versions prior to 2.12.42
  •  PeopleSoft Enterprise PeopleTools – versions 8.57, 8.58 and 8.59
  •  Primavera Unifier – versions 17.7 to 17.12, 18.8, 19.12, 20.12 and 21.12
  •  Secure Backup – versions prior to
  •  Utilities Framework – versions,, to,, and
  •  WebLogic Server – versions,, and


If you are using any of the products mentioned in the Oracle Critical Patch Update Advisory, review the information on the advisory page referenced below.
We recommend applying the latest updates and all applicable mitigations as soon as possible.


Oracle Critical Patch Update Advisory