Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Oracle April 2022 Critical Patch Update Addresses 221 CVEs

Oracle addresses 221 CVEs in its second quarterly update of 2022 with 520 patches, including 27 critical updates.

Background

On April 19, Oracle released its Critical Patch Update (CPU) for April 2022, the second quarterly update of the year. This CPU contains fixes for 221 CVEs in 520 security updates across 31 Oracle product families. Out of the 520 security updates published this quarter, 14.8% of patches were assigned critical severity. Medium severity patches accounted for the bulk of the release at 55.2%, followed by high severity patches at 27.1%.

This quarter’s update includes 77 critical patches across 27 CVEs.

Severity Issues Patched CVEs
Critical 77 27
High 141 69
Medium 287 114
Low 15 11
Total 520 221

Analysis

This quarter, the Oracle Communications product family contained the highest number of patches at 149, accounting for 28.6% of the total patches, followed by Oracle Fusion Middleware at 54 patches, which accounted for 10.4% of the total patches.

Two CVEs receive the highest possible CVSS Score

This month's CPU release included two CVEs that were given a CVSSv3 score of 10.0, the highest possible severity.

CVE-2022-22947 is a vulnerability impacting the Oracle Communications product family that can be exploited by an unauthenticated attacker with network access via HTTP. This vulnerability would allow a remote attacker to exploit arbitrary code when the Spring Cloud gateway actuator is enabled and unsecured.

CVE-2022-21431 is a vulnerability in the Connection Manager component of the Oracle Communications Billing and Revenue Management product that can be exploited by an unauthenticated attacker with network access via TCP to gain full control of the Billing and Revenue Management service; however, Oracle indicates that exploitation of this vulnerability could “significantly impact additional products.”

Oracle addresses “psychic signatures” vulnerability in Java

Additionally, Oracle addressed CVE-2022-21449, a cryptographic signature vulnerability in Java 15, 16, 17 and 18. It has been referred to as a “psychic signatures” vulnerability by Neil Madden, security architect at Forgerock, who published a detailed blog post about the flaw. While Oracle assigned a CVSSv3 score of 7.5 to the vulnerability, Madden says that Forgerock assigned a CVSSv3 score of 10.0.

Three product families receive only third party patches

While 31 product families received security patches this quarter, Oracle did not include security patches for three product families:

  • Oracle Global Lifecycle Management
  • Oracle NoSQL Database
  • Oracle Secure Backup

While these three product families did not receive security patches, Oracle notes that there are third-party patches included as part of its CPU release:

Oracle Product Family Component CVE
Oracle NoSQL Database Administration (Netty) CVE-2021-37137
Oracle NoSQL Database Administration (Netty) CVE-2021-21290
Oracle NoSQL Database Administration (Netty) CVE-2021-21295
Oracle NoSQL Database Administration (Netty) CVE-2021-21409
Oracle NoSQL Database Administration (Netty) CVE-2021-30129
Oracle NoSQL Database Administration (Netty) CVE-2021-37136
Oracle NoSQL Database Administration (Apache MINA SSHD) CVE-2021-30129
Oracle Secure Backup Secure Backup (Apache HTTP Server) CVE-2021-44790
Oracle Secure Backup Secure Backup (Apache HTTP Server) CVE-2021-32785
Oracle Secure Backup Secure Backup (Apache HTTP Server) CVE-2021-32786
Oracle Secure Backup Secure Backup (Apache HTTP Server) CVE-2021-32791
Oracle Secure Backup Secure Backup (Apache HTTP Server) CVE-2021-32792
Oracle Secure Backup Secure Backup (Apache HTTP Server) CVE-2021-44224
Oracle Secure Backup Secure Backup (PHP) CVE-2021-21703
Oracle Global Lifecycle Management OPatch Centralized Third Party Jars (Apache Commons Compress) CVE-2021-36090
Oracle Global Lifecycle Management OPatch Centralized Third Party Jars (Apache Commons Compress) CVE-2021-35515
Oracle Global Lifecycle Management OPatch Centralized Third Party Jars (Apache Commons Compress) CVE-2021-35516
Oracle Global Lifecycle Management OPatch Centralized Third Party Jars (Apache Commons Compress) CVE-2021-35517

Third party patches also include fixes for Apache Log4j

Oracle has also addressed multiple additional third party patches in this release, including fixes for vulnerabilities in Apache Log4j, most notably a remote code execution vulnerability dubbed Log4Shell and originally disclosed in December.

Third Party Component CVE
Apache Tomcat CVE-2021-42340
Apache Log4j CVE-2021-44832
Apache Log4j CVE-2022-23305
Apache Xerces-J CVE-2022-23437
Apache Kafka CVE-2021-38153
Jakarta CVE-2021-28170
Guava CVE-2020-8908

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product Family Number of Patches Remote Exploit without Auth
Oracle Communications 149 98
Oracle Fusion Middleware 54 41
Oracle MySQL 43 11
Oracle Financial Services Applications 41 19
Oracle Communications Applications 39 22
Oracle Retail Applications 30 15
Oracle Systems 20 14
Oracle Blockchain Platform 15 14
Oracle PeopleSoft 14 8
Oracle Hyperion 12 4
Oracle Supply Chain 11 5
Oracle Enterprise Manager 10 7
Oracle HealthCare Applications 10 5
Oracle JD Edwards 8 8
Oracle Commerce 7 3
Oracle Insurance Applications 7 5
Oracle Java SE 7 7
Oracle Hospitality Applications 6 2
Oracle Virtualization 6 1
Oracle Database Server 5 0
Oracle GoldenGate 5 4
Oracle E-Business Suite 5 2
Oracle Construction and Engineering 3 1
Oracle Health Sciences Applications 3 1
Oracle Support Tools 3 1
Oracle SQL Developer 2 1
Oracle Autonomous Health Framework 1 0
Oracle REST Data Services 1 0
Oracle iLearning 1 1
Oracle Taleo 1 0
Oracle Utilities Applications 1 0

Solution

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the April 2022 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.