On 19 January 2022, Oracle issued a Critical Patch Update fixing 497 vulnerabilities; many of them are remotely exploitable without authentication. We recommend applying the latest updates as soon as possible.
The Critical Patch Update addresses vulnerabilities in multiple Oracle product families and the third-party components they bundle; 28 of these were rated critical, and three carry a CVSS 3.1 base score of 10.0. The most affected product family, Oracle Communications, received 84 new security patches and third-party updates, 50 of which fix vulnerabilities that are remotely exploitable without authentication.
The latest updates also address some of the third-party flaws in Apache Log4j, the Java logging framework bundled with many Oracle products. Over 100 Oracle products have been reported as affected by these flaws, and some are still under investigation. The current list includes products that received fixes for the Log4j flaws tracked as CVE-2021-45105, CVE-2021-44832, and CVE-2021-4104 (the last of these affects the Log4j 1.x JMSAppender rather than Log4j 2).
In December 2021, Oracle published a separate advisory on the earlier Log4j vulnerabilities, CVE-2021-44228 and CVE-2021-45046, which references a list of affected products. That list was shared only with Oracle customers.
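Because Oracle's own list of affected products is customer-only, a practitioner still needs an independent inventory of which Log4j 2 builds are actually deployed. The following script is an added example, not Oracle's tooling or code from the advisory: it walks a directory tree, opens every jar/war/ear (recursing into nested archives), reads the version from Maven's pom.properties for log4j-core, and maps it to the five CVEs named above using the fix versions published by the Log4j project (2.15.0, 2.16.0, 2.17.0 and 2.17.1, plus the Java 6/7 backports 2.3.1, 2.3.2, 2.12.2, 2.12.3 and 2.12.4). It assumes the jar keeps its Maven metadata; 2.0 pre-release builds are conservatively flagged as affected, and a Log4j 1.x hit is only exploitable if JMSAppender is configured. The sample archive in the block is constructed in memory so the script runs offline.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Paths inside a log4j-core jar that identify it and its version.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

# Per CVE: first fixed version on the main 2.x line, plus backported fixed
# builds on the Java 6 (2.3.x) and Java 7 (2.12.x) lines. Source: Log4j project
# security page. Versions below the main fix and not in the backport set are affected.
FIXED = {
    "CVE-2021-44228": ((2, 15, 0), {(2, 12, 2), (2, 12, 3), (2, 12, 4), (2, 3, 1), (2, 3, 2)}),
    "CVE-2021-45046": ((2, 16, 0), {(2, 12, 2), (2, 12, 3), (2, 12, 4), (2, 3, 1), (2, 3, 2)}),
    "CVE-2021-45105": ((2, 17, 0), {(2, 12, 3), (2, 12, 4), (2, 3, 1), (2, 3, 2)}),
    "CVE-2021-44832": ((2, 17, 1), {(2, 12, 4), (2, 3, 2)}),
}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (pre-releases treated as the .0 release)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_cves(version):
    """Return the CVEs from the Oracle advisories that apply to this log4j-core version."""
    v = parse_version(version)
    if v is None:
        return []
    if v[0] == 1:
        return ["CVE-2021-4104"]  # Log4j 1.x: exploitable only when JMSAppender is configured
    if v[0] != 2:
        return []
    return [cve for cve, (fixed_at, backports) in FIXED.items()
            if v < fixed_at and v not in backports]


def scan_archive(data, name):
    """Return [(path, version, has_jndi_lookup, cves)] for each log4j-core found in the archive,
    recursing into nested jars (e.g. WEB-INF/lib inside a war)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if POM in names:
            props = zf.read(POM).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "unknown"
            # A removed JndiLookup.class is a common vendor mitigation for CVE-2021-44228,
            # so report it separately from the version-based verdict.
            findings.append((name, version, JNDI in names, affected_cves(version)))
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_archive(zf.read(inner), f"{name}!{inner}"))
    return findings


def scan_tree(root):
    """Scan every archive under a directory tree on disk."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings


def build_fake_archive(version, wrap_in_war=True):
    """Constructed fixture (not a real Oracle artifact): a minimal log4j-core jar, optionally nested in a war."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(POM, f"#generated\nversion={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        z.writestr(JNDI, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    if not wrap_in_war:
        return jar.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core.jar", jar.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    # With a directory argument, scan it; otherwise demonstrate on the constructed war.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_archive(build_fake_archive("2.15.0"), "app.war")
    for path, version, has_jndi, cves in results:
        print(f"{path}: log4j-core {version} JndiLookup={'present' if has_jndi else 'absent'} {', '.join(cves) or 'no known CVEs'}")
```

Run it against an Oracle product's installation directory (for example the Oracle Home or a WebLogic domain) and treat any hit with a version below 2.17.1 as needing the vendor patch; a jar whose JndiLookup.class has been removed is mitigated against CVE-2021-44228 and CVE-2021-45046 only, not against the later denial-of-service and JDBC appender issues.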
Other notable updates include fixes in the Oracle Communications Applications family of products, which received 33 new security fixes; 22 of these vulnerabilities may be remotely exploitable without authentication. Within this family, the Communications Billing and Revenue Management product had the most severe vulnerabilities, with CVSS 3.1 scores of 9.9 to 10.0. These included:
- CVE-2022-21275, CVE-2022-21389, CVE-2022-21276, and CVE-2022-21391, which affect (supported) versions 126.96.36.199, 188.8.131.52 of the Connection Manager component.
- CVE-2022-21390, which affects (supported) versions 184.108.40.206, 220.127.116.11 of the Web Services Manager.
Oracle rates these vulnerabilities as easily exploitable: an attacker with network access via HTTP, either unauthenticated or holding only low privileges, can compromise the affected component. Oracle also states that, although the flaw lies in that component, a successful attack may significantly impact additional products (a scope change in CVSS terms), possibly because of the connections these components maintain to other services.
Other Oracle products that received fixes for critical vulnerabilities include:
- Access Manager – versions 18.104.22.168.0, 22.214.171.124.0 and 126.96.36.199.0
- Banking APIs – versions 18.1 to 18.3, 19.1, 19.2, 20.1 and 21.1
- Banking Digital Experience – versions 18.1 to 18.3, 19.1, 19.2, 20.1 and 21.1
- Business Intelligence Enterprise Edition – versions 188.8.131.52.0 and 184.108.40.206.0
- Communications Billing and Revenue Management – versions 220.127.116.11 and 18.104.22.168
- Communications Cloud Native Core Policy – version 1.14.0
- Communications EAGLE Application Processor – versions 16.1 to 16.4
- Enterprise Manager Ops Center – version 22.214.171.124
- Essbase – versions prior to 126.96.36.199.047 and 21.3
- Essbase Administration Services – versions prior to 188.8.131.52.047
- GoldenGate – versions prior to 184.108.40.206.0
- HTTP Server – versions 220.127.116.11.0, 18.104.22.168.0 and 22.214.171.124.0
- Instantis EnterpriseTrack – versions 17.1, 17.2 and 17.3
- Insurance Policy Administration J2EE – versions 10.2.0, 10.2.4, 11.0.2 and 11.1.0 to 11.3.0
- Insurance Rules Palette – versions 10.2.0, 10.2.4, 11.0.2 and 11.1.0 to 11.3.0
- OSS Support Tools – versions prior to 2.12.42
- PeopleSoft Enterprise PeopleTools – versions 8.57, 8.58 and 8.59
- Primavera Unifier – versions 17.7 to 17.12, 18.8, 19.12, 20.12 and 21.12
- Secure Backup – versions prior to 126.96.36.199.0
- Utilities Framework – versions 188.8.131.52.0, 184.108.40.206.0, 220.127.116.11.0 to 18.104.22.168.0, 22.214.171.124.0, 126.96.36.199.0 and 188.8.131.52.0
- WebLogic Server – versions 184.108.40.206.0, 220.127.116.11.0, 18.104.22.168.0 and 22.214.171.124.0
If you use any of the products listed in the Oracle Critical Patch Update Advisory, review the details on the advisory page referenced below, as the affected version ranges differ per product.
We recommend applying the latest updates, and all applicable mitigations where patching is delayed, as soon as possible.