Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Oracle July 2022 Critical Patch Update Addresses 188 CVEs

Tenable Research's Analysis of the Oracle Critical Patch Update
Oracle July 2022 Critical Patch Update Addresses 188 CVEs

Oracle addresses 188 CVEs in its third quarterly update of 2022 with 349 patches, including 66 critical updates.

Background

On July 19, Oracle released its Critical Patch Update (CPU) for July 2022, the third quarterly update of the year. This CPU contains fixes for 188 CVEs in 349 security updates across 32 Oracle product families. Out of the 349 security updates published this quarter, 66 patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 146, followed by medium severity patches at 133.

This quarter’s update includes over 90 medium severity CVEs, followed by 65 high severity CVEs.

Severity Issues Patched CVEs
Critical 66 29
High 146 65
Medium 133 90
Low 4 4
Total 349 188

Analysis

This quarter, the Oracle Financial Services Applications product family contained the highest number of patches at 59, accounting for 16.91% of the total patches, followed by Oracle Communications with 56 patches, which accounted for 16.05% of the total patches.

Oracle did not include security patches for five product families:

  • Oracle Autonomous Health Framework
  • Oracle Berkeley DB
  • Oracle Blockchain Platform
  • Oracle NoSQL Database
  • Oracle SQL Developer

While these five product families did not receive security patches, Oracle notes that there are third-party patches included as part of its CPU release that affect them:

Oracle Product Family Component CVE
Oracle Autonomous Health Framework Autonomous Health Framework (NumPy) CVE-2021-41495
Oracle Autonomous Health Framework Autonomous Health Framework (NumPy) CVE-2021-41496
Oracle Autonomous Health Framework Autonomous Health Framework (Python) CVE-2021-29396
Oracle Autonomous Health Framework Autonomous Health Framework (Python) CVE-2021-29921
Oracle Autonomous Health Framework Trace File Analyzer (jackson-databind) CVE-2020-36518
Oracle Berkeley DB Data Store (Apache Log4j) CVE-2021-4104
Oracle Berkeley DB Data Store (Apache Log4j) CVE-2022-23302
Oracle Berkeley DB Data Store (Apache Log4j) CVE-2022-23305
Oracle Berkeley DB Data Store (Apache Log4j) CVE-2022-23307
Oracle Blockchain Platform Blockchain Cloud Service Console (OpenSSH) CVE-2021-41617
Oracle NoSQL Database Administration (Netty) CVE-2021-43797
Oracle SQL Developer Oracle SQL Developer (Apache PDFBox) CVE-2021-31811
Oracle SQL Developer Oracle SQL Developer (Apache PDFBox) CVE-2021-31812

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product Family Number of Patches Remote Exploit without Authentication
Oracle Financial Services Applications 59 38
Oracle Communications 56 45
Oracle Fusion Middleware 38 32
Oracle MySQL 34 10
Oracle Supply Chain 24 19
Oracle Communications Applications 17 12
Oracle Retail Applications 17 13
Oracle Commerce 12 10
Oracle PeopleSOft 11 9
Oracle Database Server 9 1
Oracle Construction and Engineering 7 4
Oracle Systems 7 2
Oracle E-Business Suite 6 5
Oracle Enterprise Manager 6 6
Oracle Health Sciences Applications 6 3
Oracle JD Edwards 6 3
Oracle Java SE 5 4
Oracle GoldenGate 4 2
Oracle Big Data Graph 3 3
Oracle Food and Beverage Applications 3 3
Oracle HealthCare Applications 3 2
Oracle Policy Automation 3 1
Oracle REST Data Services 2 2
Oracle Hospitality Applications 2 2
Oracle Virtualization 2 0
Oracle Essbase 1 0
Oracle Global Lifecycle Management 1 0
Oracle Graph Server and Client 1 0
Oracle Spatial Studio 1 0
Oracle TimesTen In-Memory Database 1 1
Oracle Siebel CRM 1 0
Oracle Utilities Applications 1 1

Oracle out-of-band security alert for E-Business Suite

In some instances, Oracle will publish a security alert outside of its normal CPU process. Following Oracle’s April 2022 CPU, it published an alert on May 19 for CVE-2022-21500, a vulnerability in Oracle E-Business Suite version 12.2 that could allow an attacker to self-register a new user account on a publicly accessible E-Business Suite system. Successful exploitation could grant an attacker access to the system and allow them to collect personal information on the registered employees on the system including first and last names, email addresses and potentially more sensitive details.

For organizations that did not apply the patch for CVE-2022-21500 in May, applying this quarter’s CPU includes this fix.

Oracle patches Spring4Shell across a number of product families

As part of its July 2022 CPU, Oracle released additional patches for CVE-2022-22965, a remote code execution vulnerability in the Spring Core Framework, referred to as Spring4Shell by the security research community, that was originally disclosed in March. The patches in the July 2022 CPU that address Spring4Shell across a variety of Oracle products are summarized in the table below:

Oracle Product Component
Oracle Commerce Platform Endeca Integration (Spring Framework)
Oracle Communications Unified Inventory Management TMF APIs (Spring Framework)
Oracle Communications Billing and Revenue Management - Elastic Charging Engine Charging Server (Spring Framework)
Oracle Communications Cloud Native Core Binding Support Function BSF (Spring Framework)
Oracle Communications Cloud Native Core Security Edge Protection Proxy SEPP (Spring Framework)
Oracle Communications Cloud Native Core Service Communication Proxy SCP (Spring Boot)
Oracle Primavera Gateway Admin (Spring Framework)
Oracle Enterprise Manager for MySQL Database EM Plugin: General (Spring Framework)
Oracle WebLogic Server Third Party Tools, Samples (Spring Framework)
Oracle BI Publisher Web Service API (Spring Framework)
Oracle Business Intelligence Enterprise Edition Analytics Server (Spring Framework)
Oracle Data Integrator Runtime Java agent for ODI (Spring Framework)
Oracle Identity Management Suite Installer (Spring Framework)
Oracle Identity Manager Connector General and Misc (Spring Framework)
Oracle Middleware Common Libraries and Tools Third Party Patch (Spring Framework)
Oracle Retail Bulk Data Integration BDI Job Scheduler (Spring Framework)
Oracle Retail Customer Management and Segmentation Foundation Security (Spring Framework)
Oracle Retail Financial Integration PeopleSoft Integration Bugs (Spring Framework)
Oracle Retail Integration Bus RIB Kernal (Spring Framework)
Oracle Retail Merchandising System Foundation (Spring Framework)

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.