Oracle has released its critical security updates for April 2022, containing 520 security patches across a wide range of product families, including Oracle E-Business Suite, Oracle MySQL, Oracle Java SE, and others. This advisory covers the affected products and the vulnerabilities that can be remediated through patch management.
Oracle Critical Security Update Summary
The critical security update contains 520 new patches across multiple Oracle products. A vulnerability management solution detects these vulnerabilities and provides remediation for them. The security vulnerabilities addressed by these critical patches affect the following products, among others:
Oracle Communications has received 149 new security patches; 98 of the vulnerabilities addressed may be remotely exploitable without authentication, i.e., may be exploited over a network without user credentials. CVE-2022-21431, CVE-2022-23305, and CVE-2022-23990 are the most critical, with base scores of 10.0, 9.8 and 9.8 respectively. The components affected are NEF (Spring Cloud Gateway), NSSF (Spring Cloud Gateway), Automated Test Suite (Jenkins), Automation Test Suite (Spring Framework), and BSF (Python).
Oracle MySQL has received 43 new security patches; 11 of the vulnerabilities addressed may be remotely exploitable without authentication. CVE-2022-23305 and CVE-2022-22965 are the most critical; both have a base score of 9.8. The components affected are Apache Log4j, OpenSSL, Apache Tomcat and Spring Framework.
Oracle Java SE has received seven new security patches. All of the vulnerabilities addressed may be remotely exploitable without authentication. CVE-2022-0778, CVE-2022-21449, and CVE-2022-21476 are considered the most critical, each with a base score of 7.5. The components affected are Node, Libraries and JAXP.
Oracle Systems has received 20 new security patches; 14 of the vulnerabilities addressed may be remotely exploitable without authentication. CVE-2019-17195, CVE-2021-39275, and CVE-2021-2351 are considered the most critical, with base scores of 9.8, 9.8 and 8.3 respectively. The components affected are Tools (Nimbus JOSE+JWT), Operating System Image, and Software and Application Server (JDBC).
Oracle Blockchain Platform has received 15 new security patches; 14 of the vulnerabilities addressed may be remotely exploitable without authentication. CVE-2021-23017, CVE-2020-5245, and CVE-2021-2351 are considered the most critical, with base scores of 9.8, 8.8 and 8.3 respectively. The components affected are Backend (Nginx), Backend (Dropwizard-Validation), and BCS Console (JDBC, OCCI).
Third-Party Patches In Oracle Critical Security Update for 2022:
Oracle has not provided new security patches for the three product families listed below, but third-party patches are available.
- Oracle Global Lifecycle Management
- Oracle Secure Backup
- Oracle NoSQL Database
The most critical vulnerabilities addressed by third-party patches are listed below:
| CVE | Product | Component | CVSS Score |
|---|---|---|---|
| CVE-2021-44790 | Oracle Communications Session Route Manager | Apache HTTP Server | 9.8 |
| CVE-2022-23305 | Oracle Middleware Common Libraries and Tools | Apache Log4j | 9.8 |
| CVE-2021-2351 | Oracle Communications Services Gatekeeper | Software/products (JDBC) | 8.3 |
| CVE-2022-23306 | Oracle Communications Session Route Manager | Apache Tomcat | 7.5 |
| CVE-2021-44832 | Oracle Communications Session Route Manager | Apache Log4j | 6.6 |
| CVE-2022-23437 | Oracle Communications Session Route Manager | Apache Xerces-J | 6.5 |
Severity Level
The new security patches include a severity range of low, medium, high, and critical, and they are as follows:
Other Affected Oracle Products:
Most of the Oracle product families are affected, including Oracle Communications, Oracle MySQL, Oracle Financial Services Applications, Oracle Retail Applications, Oracle E-Business Suite, Oracle Java SE, etc.
Impact:
Remote Code Execution, Privilege Escalation, Information Disclosure, Security Feature Bypass, SQL Injection, Denial of Service, Network Connection Hijacking, etc.
Solution:
Oracle has released the security updates for April 2022; these patches are available only to Oracle customers. Download the patches from the Oracle support portal and install them. The SanerNow software deployment capability can be used to install the executables and scripts.
Use SanerNow to keep your systems updated and secure.