On 19 October 2021, Oracle Critical Patch Update (CPU) released fixes for over 400 vulnerabilities; many of these can be used for remote execution of code without authentication. We recommend applying the latest updates as soon as possible.
The latest Critical Patch Update addresses vulnerabilities in multiple Oracle product families and their third-party components; 21 products received fixes for vulnerabilities with a CVSS 3.1 score ranging from 9 to 10.
Essbase Administration Services (EAS) Console received five updates; three of these vulnerabilities may be remotely exploitable without prior authentication. One of these flaws, tracked as CVE-2021-35652, received a CVSS 3.1 base score of 10. A threat actor with network access via HTTP could compromise and take over the EAS. Since EAS provides an interface to multiple Essbase Servers, it may lead to compromises of additional services. The flaw received a CVSS 3.1 score of 10.
Other notable updates include the fixes in the following product families:
Communications: 71 updates and third-party patches with 56 of the CVEs allowing Remote Code Execution (RCE) without authentication. The following products within this family received fixes rated with a CVSS 3.1 score greater than 9: Communications Control Plane Monitor, Diameter Signaling Router, Diameter Signaling Router, EAGLE LNP Application Processor, Element Manager, Fraud Monitor, LSMS, Operations Monitor, Policy Management, Policy Management, Session Report Manager, Session Route Manager, Enterprise Telephony Fraud Monitor, and Tekelec Virtual Operating Environment.
Oracle Linux received updates for 200 vulnerabilities with seven of them rated with a CVSS 3.1 score greater than 9.
Communications Applications: 19 updates, with 14 marked as RCE. The most critical flaw is in the Python component of Pricing Design Center, tracked as CVE-2021-3177; CVSS 3.1 score: 9.8.
Financial Services Applications: 44 updates with 26 marked as RCE. The following products received fixes rated with a CVSS 3.1 score greater than 9: Banking Virtual Account Management, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management, Banking Supply Chain Finance, Banking Virtual Account Management, and FLEXCUBE Core Banking.
Fusion Middleware: 38 updates with 30 marked as RCE. WebLogic Server and WebCenter Sites received fixes for CVEs with a CVSS 3.1 score greater than 9.
Insurance Applications: 16 updates with 11 marked as RCE. Documaker Development tools (Apache Commons FileUpload, Terracotta Quartz Scheduler, dom4j), and Insurance Policy Administration Architecture (Nimbus JOSE+JWT) received fixes for CVEs with a CVSS 3.1 score greater than 9.
Health Sciences Applications: six updates with three marked as RCE. Healthcare Data Repository 8.1.0 received fixes for CVE-2019-17195 with a CVSS 3.1 score of 9.8.
MySQL: 66 updates, 10 marked as RCE. MySQL Cluster: General (Node.js) and MySQL Server: Packaging (OpenSSL) received fixes for flaws with a CVSS 3.1 score of 9.8.
Systems: five updates, two marked as RCE. Version 8.8 of the ZFS Storage Appliance Kit received fixes for CVE-2021-26691 with a CVSS 3.1 score of 9.8.
Enterprise Manager: eight updates with five marked as RCE. Enterprise Manager Ops Center received fixes for CVE-2021-26691 with a CVSS 3.1 score of 9.8.
PeopleSoft: 17 updates with eight marked as RCE. Versions 8.57, 8.58, and 8.59 of PeopleSoft Enterprise PeopleTools received fixes for CVE-2021-23926 with a CVSS 3.1 score of 9.1.
Construction and Engineering: 12 updates with seven marked as RCE. Instantis EnterpriseTrack received fixes for CVE-2021-26691 with a CVSS 3.1 score of 9.8.
If you are using any of the products mentioned in the Oracle Critical Patch Update Advisory, review the information on the advisory page referenced below.
We recommend applying the latest updates and all applicable mitigations as soon as possible.