Oracle's January 2023 Critical Patch Update contains 327 security patches across a wide range of product families, including Oracle Communications, Oracle Fusion Middleware and Oracle MySQL. Many of the products covered by this advisory are affected by several vulnerabilities at once, and a large share of those sit in bundled third-party libraries rather than in Oracle's own code.
Oracle Communications alone receives 79 new security patches, 50 of which address vulnerabilities that may be remotely exploitable without authentication. The most severe is CVE-2022-43403 with a CVSS base score of 9.9, followed by 18 further vulnerabilities with a base score of 9.8. Another product family in this update has 39 vulnerabilities that may be remotely exploitable without authentication, 15 of them rated 9.8. At this volume, a vulnerability management tool to find the affected installations and a patch management solution to apply the fixes are essential.
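The per-product lists below repeat the same third-party CVE many times: CVE-2022-42003 in jackson-databind appears under a dozen or so product families, and several "CVEs:" lines list one ID more than once because the page gives one entry per affected component. Before feeding an advisory like this into a tracker it is worth collapsing it into a CVE-to-product index, so that each issue is tracked once and the cross-cutting library bugs stand out. The following is an added example, not code from this page or from Oracle: it parses a handful of the "CVEs:" lines copied from the summary below (a constructed excerpt, not the full update; the Communications line is truncated), builds that index, and reports which CVEs apply to a constructed inventory of deployed product families. The `HIGHEST_SEVERITY` set and the inventory are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt: a few "CVEs:" lines copied verbatim from the per-product
# sections of this summary (the Communications line is cut to its first five
# entries). Results below therefore describe this sample, not the whole update.
ADVISORY_SAMPLE = {
    "Oracle Database Server": "CVE-2023-21893, CVE-2021-3737, CVE-2022-42003, "
        "CVE-2022-42003, CVE-2023-21829, CVE-2022-39429, CVE-2020-10735, "
        "CVE-2018-25032, CVE-2023-21827",
    "Oracle Communications Products": "CVE-2022-43403, CVE-2022-42889, "
        "CVE-2022-2526, CVE-2022-27404, CVE-2022-25315",
    "Oracle Health Sciences Applications": "CVE-2022-23457, CVE-2022-42003",
    "Oracle Java SE": "CVE-2022-43548, CVE-2023-21835, CVE-2023-21830, CVE-2023-21843",
    "Oracle PeopleSoft": "CVE-2021-3918, CVE-2021-3918, CVE-2022-37434, "
        "CVE-2022-25857, CVE-2022-31129, CVE-2022-42003, CVE-2022-27782, "
        "CVE-2020-10735, CVE-2022-40149, CVE-2023-21844,CVE-2023-21845, CVE-2023-21831",
    "Oracle Retail Applications": "CVE-2022-42003",
}

# The ID the summary singles out as the most severe entry (base score 9.9).
# Assumed set for this example; extend it from your own scoring source.
HIGHEST_SEVERITY = {"CVE-2022-43403"}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_cves(line):
    """CVE IDs in a 'CVEs:' line, first-seen order, duplicates removed.

    A regex is used instead of split(',') because the page sometimes drops the
    space after a comma ('CVE-2023-21844,CVE-2023-21845') and lists a CVE once
    per affected component, so the same ID can appear several times on a line.
    """
    ordered = []
    for cve in CVE_RE.findall(line):
        if cve not in ordered:
            ordered.append(cve)
    return ordered


def build_index(advisory):
    """Map each CVE to the sorted list of product families that list it."""
    index = defaultdict(set)
    for family, line in advisory.items():
        for cve in parse_cves(line):
            index[cve].add(family)
    return {cve: sorted(families) for cve, families in index.items()}


def shared_cves(index, min_families=2):
    """CVEs listed under at least min_families product families.

    These are almost always bundled third-party libraries: one upstream fix,
    but a separate Oracle patch for every product that embeds the library.
    Most widely shared first, then by CVE ID.
    """
    hits = [(cve, fams) for cve, fams in index.items() if len(fams) >= min_families]
    return sorted(hits, key=lambda item: (-len(item[1]), item[0]))


def exposure(index, installed):
    """Deduplicated CVEs to track for a set of deployed product families,
    highest-severity IDs first, then by CVE ID."""
    relevant = {cve for cve, fams in index.items() if any(f in installed for f in fams)}
    return sorted(relevant, key=lambda c: (c not in HIGHEST_SEVERITY, c))


if __name__ == "__main__":
    idx = build_index(ADVISORY_SAMPLE)
    for cve, fams in shared_cves(idx):
        print(f"{cve}: {len(fams)} families -> {', '.join(fams)}")
    # Constructed inventory: which of the sampled families are actually deployed.
    inventory = {"Oracle Database Server", "Oracle Communications Products"}
    print("to track:", exposure(idx, inventory))
```

On the sample, the index shows CVE-2022-42003 under four families and CVE-2020-10735 (Python) under two; everything else is product-specific. Running `exposure` over a real inventory is the step that turns a 327-patch advisory into the list an operations team actually has to close.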
Oracle Security Updates January 2023: Summary
Oracle Database Server
Affected Components: Oracle Data Provider for .NET, Oracle Database – Machine Learning for Python (Python), Oracle Database – Workload Manager (Jackson-databind), Oracle Database Fleet Patching (Jackson-databind), Oracle Database RDBMS Security, Java VM, Oracle Database (Python), Oracle Database (Zlib) and Oracle Database Data Redaction
CVEs: CVE-2023-21893, CVE-2021-3737, CVE-2022-42003, CVE-2022-42003, CVE-2023-21829, CVE-2022-39429, CVE-2020-10735, CVE-2018-25032, CVE-2023-21827
This patch update also includes third-party patches for the following non-exploitable CVEs:
- GraalVM Multilingual Engine: CVE-2022-21597.
- Oracle Database (MIT Kerberos KDC): CVE-2021-37750.
- Oracle Database Portable Clusterware (Apache Mina SSHD): CVE-2022-45047.
- Oracle Database SQLcl (Apache Commons Text): CVE-2022-42889.
- Oracle SQLcl (Apache Mina SSHD): CVE-2022-45047.
- Perl: CVE-2020-10878, CVE-2020-10543, and CVE-2020-12723.
- Spatial and Graph (OpenJPEG): CVE-2022-1122 and CVE-2021-29338.
- Spatial and Graph Mapviewer (Google Protobuf-Java): CVE-2022-3171, CVE-2022-22970, CVE-2022-3509, and CVE-2022-3510.
- SQL Developer (Apache Commons Text): CVE-2022-42889.
Oracle Big Data Graph
This security update contains no patches for exploitable flaws in Oracle Big Data Graph, but it does include fixes for the following non-exploitable third-party CVEs:
- Big Data Graph (Apache Tomcat): CVE-2022-42252.
- Big Data Graph (SnakeYAML): CVE-2022-38752, CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, and CVE-2022-38751.
Oracle Essbase
Product: Oracle Essbase
Affected Components: Essbase Web Platform (OpenSSL), Infrastructure (cURL)
CVEs: CVE-2022-2274, CVE-2022-42915
This patch update also includes third-party patches for the following non-exploitable CVEs:
- Essbase Web Platform (Moment): CVE-2022-31129
Oracle Global Lifecycle Management
This January 2023 security update contains no patches for exploitable flaws in Oracle Global Lifecycle Management, but it does include fixes for the following non-exploitable third-party CVEs:
- Database extensions (Apache Mina SSHD): CVE-2022-45047.
- Database extensions (jackson-databind): CVE-2022-42004 and CVE-2022-42003.
Oracle GoldenGate
Products: GoldenGate Stream Analytics, Oracle Stream Analytics
Affected Components: GoldenGate Stream Analytics (Google Gson), GoldenGate Stream Analytics (jackson-databind), Stream Analytics (Apache HttpClient)
CVEs: CVE-2022-25647, CVE-2020-36518, CVE-2020-13956
This Oracle January 2023 patch update also includes third-party patches for the following non-exploitable CVEs:
- GoldenGate Stream Analytics
  - GoldenGate Stream Analytics (Eclipse Jetty): CVE-2022-2048, CVE-2022-2047, and CVE-2022-2191.
  - Stream Analytics (Apache ActiveMQ): CVE-2020-13920.
- GoldenGate Veridata
  - GoldenGate Veridata (Spring Framework): CVE-2022-22971 and CVE-2022-22970.
- Management Pack for Oracle GoldenGate
  - Monitor (Spring Framework): CVE-2022-22950
Oracle Graph Server and Client
This January 2023 security update contains no patches for exploitable flaws in Oracle Graph Server and Client, but it does include fixes for the following non-exploitable third-party CVEs:
- Oracle Graph Server and Client
  - Oracle Graph Server (Apache Commons Configuration): CVE-2022-33980.
  - PGX Java Client (Moment.js): CVE-2022-31129.
  - Packaging/install (Apache Tomcat): CVE-2022-42252.
  - Packaging/install (Google Protobuf-Java): CVE-2022-3171.
  - Packaging/install (SnakeYAML): CVE-2022-38752, CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, and CVE-2022-38751.
Oracle Spatial Studio
This security update contains no patches for exploitable flaws in Oracle Spatial Studio, but it does include fixes for the following non-exploitable third-party CVEs:
- Oracle Spatial Studio
  - Oracle Spatial Studio (Google Protobuf-Java): CVE-2022-3171
  - Oracle Spatial Studio (Jackson-databind): CVE-2022-42003 and CVE-2022-42004
Oracle TimesTen In-Memory Database
Product: Oracle TimesTen In-Memory Database
Affected Component: In-Memory Database (Zlib)
CVE: CVE-2022-37434
Oracle Communications Applications
Products: Oracle Communications Design Studio, Oracle Communications Elastic Charging Engine, Oracle Communications Order and Service Management, Oracle Communications Unified Assurance, Oracle Communications Unified Inventory Management, Oracle Communications Convergence, Oracle Communications Billing and Revenue Management, Oracle Communications Calendar Server, Oracle Communications Contacts Server, Oracle Communications Instant Messaging Server, Oracle Communications Messaging Server, Oracle Communications MetaSolv Solution, Oracle Communications Pricing Design Center and Oracle Communications BRM – Elastic Charging Engine
Affected Components: PSR Designer (Apache Commons Text), Cloud native deployment (Apache Commons Configuration), Security (Apache Commons Text), Installer (Apache Commons Text), Core (Apache Commons Text), Message Bus (Apache Log4j, Spring Security), User Interface (PHP), REST API (Spring Security), Rulesets (XStream), Admin Configuration, User Interface (Node.js), Core (Perl DBI), Billing Care, BOC, DM Kafka, REST API (jackson-databind), REST Services Manager (SnakeYaml), Webservices Manager (Jettison), Calendar Server (jackson-databind), Contact Server (jackson-databind), Security (Apache Kafka), DBPlugin (Apache Tomcat), DBPlugin (jackson-databind), ISC (jackson-databind), IMAP (NSS), Utilities (Apache Batik), REST Service Manager (jackson-databind), Core (Go), Integration (Apache Tomcat), Message Bus (jackson-databind), Cloud Native (Traefik), Others (jackson-databind), Policy (Google Protobuf-Java), REST API (Google Gson), Security (Netty), Security (Spring Framework), Core (Helm), Signaling (SnakeYAML), TMF APIs (Spring Framework), ISC (Apache Tika), Customer, Config and Pricing Manager
CVEs: CVE-2022-42889, CVE-2022-33980, CVE-2022-42889, CVE-2022-42889, CVE-2022-42889, CVE-2019-17571, CVE-2022-22978, CVE-2022-37454, CVE-2022-31692, CVE-2021-41411, CVE-2023-21848, CVE-2022-32212, CVE-2020-16156, CVE-2022-42003, CVE-2022-25857, CVE-2022-40150, CVE-2022-42003, CVE-2022-42003, CVE-2022-34917, CVE-2022-42252, CVE-2022-42003, CVE-2022-42003, CVE-2022-35737, CVE-2022-40146, CVE-2022-42003, CVE-2022-41720, CVE-2022-42252, CVE-2022-42003, CVE-2022-39271, CVE-2022-42003, CVE-2022-3171, CVE-2022-25647, CVE-2021-43797, CVE-2022-22971, CVE-2022-36055, CVE-2022-38752, CVE-2022-22971, CVE-2022-30126, CVE-2023-21824
This Oracle January 2023 security update also includes third-party patches for the following non-exploitable CVEs:
- Oracle Communications Billing and Revenue Management
  - EAI Manager (SnakeYAML): CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, and CVE-2022-38752
Oracle Communications Products
Products: Oracle Communications Cloud Native Core Unified Data Repository, Management Cloud Engine, Oracle Communications Cloud Native Core Automated Test Suite, Oracle Communications Cloud Native Core Console, Oracle Communications Cloud Native Core Network Exposure Function, Oracle Communications Cloud Native Core Network Function Cloud Native Environment, Oracle Communications Cloud Native Core Network Repository Function, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Converged Application Server, Oracle Communications Diameter Signaling Router, Oracle Communications Cloud Native Core Network Slice Selection Function, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Network Data Analytics Function, Oracle Communications Diameter Intelligence Hub and Oracle Communications Performance Intelligence Center (PIC) Software
Affected Components: Signaling (Jenkins Script), Security (Apache Commons Text), ATS Framework (systemd-libs), Install (FreeType), Install/Upgrade (LibExpat), Install (cURL), Install (zlib), Studio (Spring Data Commons), Configuration (Spring Security), Platform (Spring Security), Oracle Linux 8 (FreeType), Installation (Spring Security crypto), Policy (Spring Security), Configuration (Spring Security), Configuration (zlib), Signaling (Apache Commons Text), Core, Virtual Network Function Manager (Apache Commons Text), Platform (zlib), Install (Cyrus SASL), Policy (MySQL), Policy (MySQL), Platform (Multiple), Oracle Linux (e2fsprogs), Oracle Linux (libxml2), Installation and Configuration (e2fsprogs), Platform (Kernel), Security (jackson-databind), Signaling (SnakeYAML), Signaling (Undertow), Configuration (Google Protobuf-Java), Configuration (Netty), Configuration (Quarkus), Configuration (jackson-databind), Configuration (undertow-core), Configuration (xnio-api), REST API (jackson-databind), Platform (Google Protobuf-Java), Platform (jackson-databind), Oracle Linux 8 (dnsmasq), Installation (Google Protobuf-Java), Installation (Undertow), Installation (jackson-databind), Platform (Google Protobuf-Java), Platform (jackson-databind), Configuration (jackson-databind), Signaling (Google Protobuf-Java), Signaling (Google Protobuf-Java), Signaling (WebKitGTK), Signaling (jackson-databind), Mediation (jackson-databind), Platform (Apache Tomcat), Management (Google Gson), Virtual Network Function Manager (Kernel), ATS Framework (SnakeYAML), Install (Spring Framework), Install (libxml2), Installation (SnakeYAML), Backend Server (Apache Tomcat), Install (Libgcrypt), Install (Netty) and Signaling (Spring Framework)
CVEs: CVE-2022-43403, CVE-2022-42889, CVE-2022-2526, CVE-2022-27404, CVE-2022-25315, CVE-2022-42915, CVE-2022-37434, CVE-2018-1273, CVE-2022-31692, CVE-2022-31692, CVE-2022-27404, CVE-2022-31692, CVE-2022-31692, CVE-2022-31692, CVE-2022-37434, CVE-2022-42889, CVE-2023-21890, CVE-2022-42889, CVE-2022-37434, CVE-2022-24407, CVE-2022-21824, CVE-2022-21824, CVE-2022-24903, CVE-2022-1304, CVE-2022-40304, CVE-2022-1304, CVE-2022-0492, CVE-2022-42003, CVE-2022-25647, CVE-2022-25647, CVE-2022-31129, CVE-2020-10735, CVE-2022-42252, CVE-2022-3171, CVE-2022-2509, CVE-2022-2048, CVE-2022-25857, CVE-2022-2053, CVE-2022-3171, CVE-2022-41881, CVE-2022-4147, CVE-2022-42003, CVE-2022-2053, CVE-2022-0084, CVE-2022-42003, CVE-2022-3171, CVE-2022-42003, CVE-2022-0934, CVE-2022-3171, CVE-2022-1319, CVE-2022-42003, CVE-2022-3171, CVE-2022-42003, CVE-2022-42252, CVE-2022-2048, CVE-2022-3510, CVE-2022-2053, CVE-2022-42003, CVE-2022-3171, CVE-2022-3171, CVE-2022-30293, CVE-2022-42003, CVE-2022-42003, CVE-2022-42252, CVE-2022-25647, CVE-2022-3028, CVE-2022-38752, CVE-2022-22971, CVE-2022-29824, CVE-2022-38752, CVE-2022-38752, CVE-2022-38752, CVE-2022-22971, CVE-2022-31629, CVE-2022-38752, CVE-2022-34305, CVE-2021-40528, CVE-2022-24823, CVE-2022-22970
This Oracle January 2023 security update also includes third-party patches for the following non-exploitable CVEs:
- Oracle Communications Cloud Native Core Binding Support Function
  - Install/Upgrade (jackson-databind): CVE-2022-42003 and CVE-2022-42004
- Oracle Communications Cloud Native Core Console
  - Configuration (Apache Mina SSHD): CVE-2022-45047
- Oracle SD-WAN Aware
  - Management (PHP): CVE-2021-21708
Oracle Construction and Engineering
Products: Primavera Gateway, Primavera Unifier
Affected Components: Admin (Apache Commons Text), Admin (Google Protobuf-Java), Admin (Jackson-databind), Event Streams and Communications (Apache Kafka), Document Management (Jackson-databind), WebUI, User Interface (UnderscoreJS)
CVEs: CVE-2022-42889, CVE-2022-3171, CVE-2022-42003, CVE-2022-34917, CVE-2022-42003, CVE-2023-21888, CVE-2021-23358
Oracle E-Business Suite
Products: Oracle Applications DBA, Oracle Collaborative Planning, Oracle HCM Common Architecture, Oracle iSetup, Oracle Learning Management, Oracle Marketing, Oracle Mobile Field Service, Oracle Sales for Handhelds, Oracle Sales Offline, Oracle Web Applications Desktop Integrator, Oracle iSupplier Portal and Oracle Self-Service Human Resources
Affected Components: Java utils, Installation, Automated Test Suite, General Ledger Update Transform, Reports, Setup, Marketing Administration, Synchronization, Pocket Outlook Sync (PocketPC), Core Components, Download, Supplier Management, Workflow, Approval and Work Force Management
CVEs: CVE-2023-21849, CVE-2023-21858, CVE-2023-21857, CVE-2023-21856, CVE-2023-21852, CVE-2023-21851, CVE-2023-21853, CVE-2023-21855, CVE-2023-21854, CVE-2023-21847, CVE-2023-21825, CVE-2023-21834
Oracle Financial Services Applications
Products: Oracle Banking Enterprise Default Management, Oracle Banking Party Management, Oracle Financial Services Crime and Compliance Management Studio, Oracle Banking Loans Servicing and Oracle Banking Platform
Affected Components: Collections (Apache Commons Configuration), Web UI (Apache Commons Configuration), Studio (Apache Commons Configuration), Collections (Jackson-databind), Web UI (Jackson-databind), Security (Jackson-databind), Studio (Apache Tomcat), Studio (Eclipse Jetty), Studio (Google Protobuf-Java), Studio (Jackson-databind), Collections (SnakeYAML), Web UI (SnakeYAML), Studio (jsoup), Collections (Netty) and Web UI (Netty)
CVEs: CVE-2022-33980, CVE-2022-33980, CVE-2022-33980, CVE-2022-42003, CVE-2022-42003, CVE-2022-42003, CVE-2022-42003, CVE-2022-42252, CVE-2022-2048, CVE-2022-3171, CVE-2022-42003, CVE-2022-38752, CVE-2022-38752, CVE-2022-36033, CVE-2022-24823, CVE-2022-24823
Oracle MySQL
Products: MySQL Enterprise Monitor, MySQL Server, MySQL Workbench, MySQL Shell, MySQL Connectors, MySQL Cluster
Affected Components: Monitoring: General (Spring Security), Server: Packaging (cURL), Workbench (Zlib), Shell: Core Client (cryptography), Connector/C++ (Cyrus SASL), Connector/ODBC (Cyrus SASL), Workbench (libxml2), Connector/Net (Google Protobuf-Java), Connector/Python (Python), Monitoring: General (Apache Tomcat), Shell: Core Client (Python), Monitoring: General (Spring Framework), Server: Optimizer, Cluster: Internal Operations, Server: Security: Encryption, InnoDB, Server: DML, Server: GIS, Server: PS and Server: Thread Pooling
CVEs: CVE-2022-31692, CVE-2022-32221, CVE-2022-37434, CVE-2020-36242, CVE-2022-24407, CVE-2022-24407, CVE-2022-40304, CVE-2022-3171, CVE-2022-1941, CVE-2022-42252, CVE-2020-10735, CVE-2022-22971, CVE-2023-21868, CVE-2023-21860, CVE-2023-21875, CVE-2023-21869, CVE-2023-21877, CVE-2023-21880, CVE-2023-21872, CVE-2023-21871, CVE-2023-21836, CVE-2023-21887, CVE-2023-21863, CVE-2023-21864, CVE-2023-21865, CVE-2023-21866, CVE-2023-21867, CVE-2023-21870, CVE-2023-21873, CVE-2023-21876, CVE-2023-21878, CVE-2023-21879, CVE-2023-21881, CVE-2023-21883, CVE-2023-21840, CVE-2023-21882, CVE-2023-21874
Note:
CVE-2020-36242 is a cryptographic weakness in a module distributed with MySQL Shell. That module is not a functional dependency of MySQL Shell, so the issue is not exploitable in MySQL Shell.
CVE-2020-10735 is a bug in Python, which is distributed with MySQL Shell. The vulnerable Python module is not a functional dependency of MySQL Shell, so it is likewise not exploitable in MySQL Shell.
Oracle Fusion Middleware
Products: Middleware Common Libraries and Tools, Oracle Business Intelligence Enterprise Edition, Oracle Coherence, Oracle Global Lifecycle Management NextGen OUI Framework, Oracle HTTP Server, Oracle Middleware Common Libraries and Tools, Oracle Outside In Technology, Oracle WebCenter Content, Oracle WebCenter Sites, Oracle WebLogic Server, Oracle BI Publisher, Oracle Web Services Manager, Oracle Fusion Middleware MapViewer and Oracle Access Manager
Affected Components: RDA – Remote Diagnostic Agent (Apache Mina SSHD), Analytics Server (Apache Commons Text), Core (Apache Log4j), End-User Documentation (Apache Mina SSHD), NextGen Installer issues (Apache Mina SSHD), Centralized Third-party Jars (Expat), SSL Module (Apache HTTP Server), SSL Module (OpenSSL), Third-Party Patch (Apache Commons Text), DC-Specific Component (FreeType), DC-Specific Component (zlib), Content Server (Apache Commons Text), WebCenter Sites (Apache Shiro), Centralized Third-Party Jars (jackson-databind), Centralized Third-party Jars (Apache Commons BCEL), Security, Third-Party Patch (Apache Batik), XML Security component, Third-Party Patch (Perl), Majel Mobile Service (Google Gson), Install (Apache Batik), Install (Google Protobuf-Java), NextGen Installer issues (jackson-databind), Centralized Third-party Jars (zlib), SSL Module (cURL), SSL Module (ModSecurity), Centralized Third-party Jars (Libexpat), Third-Party Patch (Enterprise Security API), Third-Party Patch (cURL), DC-Specific Component (LibExpat), Centralized Third-Party Jars (Jettison), Centralized Third-Party Jars (XStream), Samples (Google GSON), Web Container, Core, NextGen Installer issues, SSL Module (libxml2), DC-Specific Component (OpenJPEG), WebCenter Sites (Apache PDFBox), Visual Analyzer, Majel Mobile Service (Kotlin), Third-Party Patch (Apache HttpClient), Third-Party Patch (Hibernate Validator) and Authentication Engine
CVEs: CVE-2022-45047, CVE-2022-42889, CVE-2022-23305, CVE-2022-45047, CVE-2022-45047, CVE-2022-25236, CVE-2022-31813, CVE-2022-2274, CVE-2022-42889, CVE-2022-27404, CVE-2022-37434, CVE-2022-42889, CVE-2022-40664, CVE-2018-7489, CVE-2022-42920, CVE-2023-21846, CVE-2023-21832, CVE-2020-11987, CVE-2023-21862, CVE-2021-36770, CVE-2022-25647, CVE-2022-40146, CVE-2022-3171, CVE-2022-42003, CVE-2018-25032, CVE-2022-27782, CVE-2021-42717, CVE-2022-43680, CVE-2022-23457, CVE-2021-36090, CVE-2022-43680, CVE-2022-40150, CVE-2022-40153, CVE-2022-25647, CVE-2023-21842, CVE-2023-21837, CVE-2023-21838, CVE-2023-21839, CVE-2023-21841, CVE-2023-21894, CVE-2022-29824, CVE-2022-1122, CVE-2021-31812, CVE-2023-21891, CVE-2023-21892, CVE-2023-21861, CVE-2022-24329, CVE-2020-13956, CVE-2020-10693, CVE-2023-21859
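Nearly every Fusion Middleware entry above is a third-party jar bundled inside the installation (jackson-databind, Apache Commons Text, XStream, Jettison, Apache Batik), and the same jars recur under a dozen other product families in this update. Oracle's patch is the supported fix, but a practitioner usually wants to know first which installations actually ship an affected copy. The following is an added example, not code from this page, from Oracle, or from the library projects: it walks a directory tree, identifies jars by file name or, failing that, by the manifest's `Implementation-Title`/`Implementation-Version`, and compares them against upstream minimum fixed versions for three of the libraries that recur in this update. Those fixed versions are taken from the upstream projects' advisories, not from this page, and the `FIXED_IN` table is deliberately small; the sample tree it scans is constructed inside the example.

```python
import os
import re
import tempfile
import zipfile

# Upstream minimum fixed versions (from the library projects' own advisories,
# not from the Oracle summary). Only the main release line is modelled, so a
# branch backport such as jackson-databind 2.12.7.1 is flagged conservatively.
FIXED_IN = {
    "commons-text":     ("1.10.0",   "CVE-2022-42889"),
    "jackson-databind": ("2.13.4.2", "CVE-2022-42003"),
    "snakeyaml":        ("1.31",     "CVE-2022-25857"),
}

# artifact-version[-classifier].jar, e.g. jackson-databind-2.13.4.jar
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d+(?:\.\d+)*)(?:[-.][^/]*)?\.jar$"
)
VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def version_tuple(v):
    """'2.13.4.2' -> (2, 13, 4, 2); tuple comparison handles mixed lengths."""
    return tuple(int(p) for p in v.split("."))


def jar_identity(path):
    """(artifact, version) from the file name, else from MANIFEST.MF; None if unknown."""
    m = JAR_RE.match(os.path.basename(path))
    if m:
        return m.group("artifact"), m.group("version")
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (OSError, zipfile.BadZipFile, KeyError):
        return None
    fields = {}
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    title = fields.get("Implementation-Title")
    version = fields.get("Implementation-Version", "")
    if title and VERSION_RE.fullmatch(version):
        return title, version
    return None


def is_vulnerable(artifact, version):
    """True/False against FIXED_IN; None for libraries the table does not cover."""
    if artifact not in FIXED_IN:
        return None
    return version_tuple(version) < version_tuple(FIXED_IN[artifact][0])


def scan(root):
    """Walk root and return sorted (path, artifact, version, cve) for affected jars."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            ident = jar_identity(path)
            if ident and is_vulnerable(*ident):
                findings.append((path, ident[0], ident[1], FIXED_IN[ident[0]][1]))
    return sorted(findings)


def build_sample_tree():
    """Constructed stand-in for an Oracle home: four tiny jars whose only content is
    a manifest. 'yaml-bundle.jar' has no version in its name, so the manifest path
    is exercised; its 1.33 is above the fixed version and must not be flagged."""
    root = tempfile.mkdtemp(prefix="jarscan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    sample = {
        "commons-text-1.9.jar":          ("Apache Commons Text", "1.9"),
        "jackson-databind-2.13.4.2.jar": ("jackson-databind", "2.13.4.2"),
        "snakeyaml-1.30.jar":            ("snakeyaml", "1.30"),
        "yaml-bundle.jar":               ("snakeyaml", "1.33"),
    }
    for name, (title, version) in sample.items():
        with zipfile.ZipFile(os.path.join(lib, name), "w") as zf:
            zf.writestr(
                "META-INF/MANIFEST.MF",
                f"Manifest-Version: 1.0\nImplementation-Title: {title}\n"
                f"Implementation-Version: {version}\n",
            )
    return root


def demo():
    """Scan the constructed tree; commons-text 1.9 and snakeyaml 1.30 are flagged."""
    return scan(build_sample_tree())


if __name__ == "__main__":
    for path, artifact, version, cve in demo():
        print(f"{path}: {artifact} {version} affected by {cve}")
```

Point `scan()` at a real Oracle home to get an inventory of embedded copies; note that a shaded or repackaged jar carries neither a telling file name nor a usable manifest, which is exactly why the vendor patch, not a library swap, is the fix of record.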
Other Oracle product families affected by this update:
Oracle Health Sciences Applications
Product: Oracle Health Sciences Empirica Signal
Affected Components: Core (Enterprise Security API), Core (Jackson-databind)
CVEs: CVE-2022-23457, CVE-2022-42003
Oracle Healthcare Applications
Products: Oracle Healthcare Data Repository, Oracle Healthcare Translational Research
Affected Components: FHIR Server (Spring Data Commons), Data Studio (H2 Database), FHIR Server (Spring Framework), Data Studio (Spring Framework)
CVEs: CVE-2018-1273, CVE-2022-23221, CVE-2022-22971
Oracle Hospitality Applications
Product: Oracle Hospitality Cruise Shipboard Property Management System
Affected Component: FMS Suite (DevExpress)
CVE: CVE-2021-36483
Oracle Hyperion
Product: Oracle Hyperion Infrastructure Technology
Affected Components: Installation and Configuration (Apache Commons Text), Installation and Configuration (Apache Struts)
CVEs: CVE-2022-42889, CVE-2021-31805
Oracle Insurance Applications
Product: Oracle Documaker
Affected Component: Development Tools (Apache Xerces-J)
CVE: CVE-2022-23437
Oracle Java SE
Products: Oracle GraalVM Enterprise Edition, Oracle Java SE
Affected Components: Node (Node.js), JSSE, Serialization, Sound
CVEs: CVE-2022-43548, CVE-2023-21835, CVE-2023-21830, CVE-2023-21843
This patch update also includes third-party patches for the following non-exploitable CVEs:
- The patch for CVE-2022-43548 also addresses CVE-2022-3602 and CVE-2022-3786.
Oracle JD Edwards
Products: JD Edwards EnterpriseOne Orchestrator, JD Edwards EnterpriseOne Tools
Affected Components: E1 IOT Orchestrator Security (Apache Commons Text), Web Runtime SEC (Apache POI)
CVEs: CVE-2022-42889, CVE-2022-26336
Oracle Commerce
Product: Oracle Commerce Guided Search
Affected Components: Content Acquisition System (Spring Framework), Content Acquisition System (Jackson-databind)
CVEs: CVE-2022-22965, CVE-2020-36518
Oracle Enterprise Manager
Products: Enterprise Manager Base Platform, Enterprise Manager Ops Center
Affected Components: Management Agent (Apache Commons Text), Application Config Console (Google Gson), Update Provisioning (Apache HTTP Server)
CVEs: CVE-2022-42889, CVE-2022-25647, CVE-2022-31813
Oracle PeopleSoft
Products: PeopleSoft Enterprise CC Common Application Objects, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise CS Academic Advisement
Affected Components: Chatbot Framework (JSON Schema), Elastic Search (JSON Schema), PeopleSoft CDA (Zlib), Cloud Manager (SnakeYAML), Elastic Search (Moment.js), Elastic Search (Jackson-databind), File Processing (cURL), Porting (Python), Security (Jettison), Elastic Search, Panel Processor and Advising Notes
CVEs: CVE-2021-3918, CVE-2021-3918, CVE-2022-37434, CVE-2022-25857, CVE-2022-31129, CVE-2022-42003, CVE-2022-27782, CVE-2020-10735, CVE-2022-40149, CVE-2023-21844, CVE-2023-21845, CVE-2023-21831
Oracle Food and Beverage Applications
Products: Oracle Hospitality Reporting and Analytics, Oracle Hospitality Gift and Loyalty, Oracle Hospitality Labor Management, Oracle Hospitality Simphony
Affected Components: Reporting, Reporting (Apache Log4j), Engagement (jQuery UI)
CVEs: CVE-2021-2351, CVE-2023-21828, CVE-2023-21826, CVE-2021-44832, CVE-2021-44832, CVE-2021-44832, CVE-2021-41184
Oracle Retail Applications
Product: Oracle Retail Service Backbone
Affected Component: Installation (Jackson-databind)
CVE: CVE-2022-42003
Oracle Siebel CRM
Products: Siebel CRM, Siebel Apps – Marketing
Affected Components: Siebel Core – Server Infrastructure (OpenSSL), Marketing (Apache Log4j)
CVEs: CVE-2022-2274, CVE-2021-44832
Oracle Supply Chain
Products: Oracle AutoVue, Oracle Agile PLM, Oracle Demantra Demand Management
Affected Components: Security (OpenJPEG), Application Server (Apache Xalan-J), Security (Apache Tomcat), Security (NekoHTML), E-Business Collections, Security (Apache Log4j), Installation (Apache POI) and Security (libpng)
CVEs: CVE-2020-27844, CVE-2022-34169, CVE-2022-42252, CVE-2022-24839, CVE-2023-21850, CVE-2021-44832, CVE-2019-12415, CVE-2019-7317
Oracle Support Tools
Product: OSS Support Tools
Affected Components: Diagnostic Assistant (Apache Mina SSHD), RDA – Remote Diagnostic Agent (Apache Mina SSHD), Services Tools Bundle (Apache Mina SSHD), Diagnostic Assistant (Apache Commons Net), RDA – Remote Diagnostic Agent (Apache Commons Net) and Services Tools Bundle (Apache Commons Net)
CVEs: CVE-2022-45047, CVE-2021-37533
Oracle Systems
Products: Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, Oracle Solaris
Affected Components: XCP Firmware (Glibc), NSSwitch
CVEs: CVE-2022-23219, CVE-2023-21900
Oracle Utilities Applications
Products: Oracle Utilities Framework, Oracle Utilities Network Management System
Affected Components: General (Apache Commons Text), Content Acquisition System (dom4j), General (Jackson-databind), Installation (Apache Ant), System-Wide (Netty), System-Wide (Apache Log4j) and System-Wide (Apache Commons IO)
CVEs: CVE-2022-42889, CVE-2020-10683, CVE-2022-42003, CVE-2020-11979, CVE-2021-43797, CVE-2021-45105, CVE-2021-29425
This patch update also includes third-party patches for the following non-exploitable CVEs:
- Oracle Utilities Network Management System
  - System-Wide (Apache Commons Compress): CVE-2019-12402.
Oracle Virtualization
Product: Oracle VM VirtualBox
Affected Component: Core
CVEs: CVE-2023-21886, CVE-2023-21898, CVE-2023-21899, CVE-2023-21884, CVE-2023-21885, CVE-2023-21889
This patch update also includes third-party patches for the following non-exploitable CVEs:
- Oracle VM VirtualBox
  - Core (zlib): CVE-2022-37434.
SanerNow VM and SanerNow PM can detect these vulnerabilities and automatically fix them by applying the corresponding security updates. Use SanerNow to keep your systems patched and secure.