On 20 July 2021, Oracle released its Critical Patch Update (CPU) with fixes for 327 vulnerabilities; 43 of these are remotely exploitable flaws that require no authentication. Timely patching is recommended.
- The July 2021 CPU addresses vulnerabilities in multiple Oracle product families and their third-party components; 49 of them have a CVSS 3.1 score above 9.
- Of note is a critical vulnerability in Essbase Analytic Provider Services 21.2 (component: JAPI), tracked as CVE-2021-2244, that received a CVSS 3.1 score of 10. An unauthenticated threat actor with network access via HTTP could compromise an unpatched product remotely.
- Oracle Fusion Middleware was the most affected product with 48 fixes overall. Nine of these vulnerabilities have a score above 9 and are remotely exploitable with no authentication required.
- Oracle MySQL received 41 patches. Ten of these vulnerabilities may be exploited remotely without requiring user credentials.
- Other products with multiple critical fixes include Oracle E-Business Suite, Oracle Database Server, Oracle PeopleSoft, Oracle Retail Applications, Oracle Financial Services Applications, Oracle Communications Applications, and Oracle Communications, among others.
- If you are using any of the products mentioned in the Oracle Critical Patch Update Advisory, check for the updates on the advisory page noted below.
- Timely implementation of the updates and all applicable mitigations is recommended.
References
- Oracle Critical Patch Update Advisory