
Tenable Blog


Oracle July 2022 Critical Patch Update Addresses 188 CVEs

Tenable Research's Analysis of the Oracle Critical Patch Update

Oracle addresses 188 CVEs in its third quarterly update of 2022 with 349 patches, including 66 critical updates.

Background

On July 19, Oracle released its Critical Patch Update (CPU) for July 2022, the third quarterly update of the year. This CPU contains fixes for 188 CVEs in 349 security updates across 32 Oracle product families. Out of the 349 security updates published this quarter, 66 patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 146, followed by medium severity patches at 133.

Counted by CVE rather than by patch, medium severity issues lead this quarter with 90 CVEs, followed by 65 high severity CVEs, 29 critical CVEs and four low severity CVEs.

Severity   Issues Patched   CVEs
Critical   66               29
High       146              65
Medium     133              90
Low        4                4
Total      349              188

Analysis

This quarter, the Oracle Financial Services Applications product family contained the highest number of patches at 59, accounting for 16.91% of the total patches, followed by Oracle Communications with 56 patches, which accounted for 16.05% of the total patches.

Oracle did not include security patches for five product families:

  • Oracle Autonomous Health Framework
  • Oracle Berkeley DB
  • Oracle Blockchain Platform
  • Oracle NoSQL Database
  • Oracle SQL Developer

While these five product families did not receive security patches, Oracle notes that there are third-party patches included as part of its CPU release that affect them:

Oracle Product Family               Component                                       CVE
Oracle Autonomous Health Framework  Autonomous Health Framework (NumPy)             CVE-2021-41495
Oracle Autonomous Health Framework  Autonomous Health Framework (NumPy)             CVE-2021-41496
Oracle Autonomous Health Framework  Autonomous Health Framework (Python)            CVE-2021-29396
Oracle Autonomous Health Framework  Autonomous Health Framework (Python)            CVE-2021-29921
Oracle Autonomous Health Framework  Trace File Analyzer (jackson-databind)          CVE-2020-36518
Oracle Berkeley DB                  Data Store (Apache Log4j)                       CVE-2021-4104
Oracle Berkeley DB                  Data Store (Apache Log4j)                       CVE-2022-23302
Oracle Berkeley DB                  Data Store (Apache Log4j)                       CVE-2022-23305
Oracle Berkeley DB                  Data Store (Apache Log4j)                       CVE-2022-23307
Oracle Blockchain Platform          Blockchain Cloud Service Console (OpenSSH)      CVE-2021-41617
Oracle NoSQL Database               Administration (Netty)                          CVE-2021-43797
Oracle SQL Developer                Oracle SQL Developer (Apache PDFBox)            CVE-2021-31811
Oracle SQL Developer                Oracle SQL Developer (Apache PDFBox)            CVE-2021-31812

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product Family                   Number of Patches   Remote Exploit without Authentication
Oracle Financial Services Applications  59                  38
Oracle Communications                   56                  45
Oracle Fusion Middleware                38                  32
Oracle MySQL                            34                  10
Oracle Supply Chain                     24                  19
Oracle Communications Applications      17                  12
Oracle Retail Applications              17                  13
Oracle Commerce                         12                  10
Oracle PeopleSoft                       11                  9
Oracle Database Server                  9                   1
Oracle Construction and Engineering     7                   4
Oracle Systems                          7                   2
Oracle E-Business Suite                 6                   5
Oracle Enterprise Manager               6                   6
Oracle Health Sciences Applications     6                   3
Oracle JD Edwards                       6                   3
Oracle Java SE                          5                   4
Oracle GoldenGate                       4                   2
Oracle Big Data Graph                   3                   3
Oracle Food and Beverage Applications   3                   3
Oracle HealthCare Applications          3                   2
Oracle Policy Automation                3                   1
Oracle REST Data Services               2                   2
Oracle Hospitality Applications         2                   2
Oracle Virtualization                   2                   0
Oracle Essbase                          1                   0
Oracle Global Lifecycle Management      1                   0
Oracle Graph Server and Client          1                   0
Oracle Spatial Studio                   1                   0
Oracle TimesTen In-Memory Database      1                   1
Oracle Siebel CRM                       1                   0
Oracle Utilities Applications           1                   1

Oracle out-of-band security alert for E-Business Suite

In some instances, Oracle will publish a security alert outside of its normal CPU process. Following Oracle’s April 2022 CPU, it published an alert on May 19 for CVE-2022-21500, a vulnerability in Oracle E-Business Suite version 12.2 that could allow an attacker to self-register a new user account on a publicly accessible E-Business Suite system. Successful exploitation could grant an attacker access to the system and allow them to collect personal information on the registered employees on the system including first and last names, email addresses and potentially more sensitive details.

Organizations that did not apply the May patch for CVE-2022-21500 receive the same fix by applying this quarter's CPU.

Oracle patches Spring4Shell across a number of product families

As part of its July 2022 CPU, Oracle released additional patches for CVE-2022-22965, a remote code execution vulnerability in the Spring Core Framework, referred to as Spring4Shell by the security research community, that was originally disclosed in March. The patches in the July 2022 CPU that address Spring4Shell across a variety of Oracle products are summarized in the table below:

Oracle Product                                                                   Component
Oracle Commerce Platform                                                         Endeca Integration (Spring Framework)
Oracle Communications Unified Inventory Management                               TMF APIs (Spring Framework)
Oracle Communications Billing and Revenue Management - Elastic Charging Engine   Charging Server (Spring Framework)
Oracle Communications Cloud Native Core Binding Support Function                 BSF (Spring Framework)
Oracle Communications Cloud Native Core Security Edge Protection Proxy           SEPP (Spring Framework)
Oracle Communications Cloud Native Core Service Communication Proxy              SCP (Spring Boot)
Oracle Primavera Gateway                                                         Admin (Spring Framework)
Oracle Enterprise Manager for MySQL Database                                     EM Plugin: General (Spring Framework)
Oracle WebLogic Server                                                           Third Party Tools, Samples (Spring Framework)
Oracle BI Publisher                                                              Web Service API (Spring Framework)
Oracle Business Intelligence Enterprise Edition                                  Analytics Server (Spring Framework)
Oracle Data Integrator                                                           Runtime Java agent for ODI (Spring Framework)
Oracle Identity Management Suite                                                 Installer (Spring Framework)
Oracle Identity Manager Connector                                                General and Misc (Spring Framework)
Oracle Middleware Common Libraries and Tools                                     Third Party Patch (Spring Framework)
Oracle Retail Bulk Data Integration                                              BDI Job Scheduler (Spring Framework)
Oracle Retail Customer Management and Segmentation Foundation                    Security (Spring Framework)
Oracle Retail Financial Integration                                              PeopleSoft Integration Bugs (Spring Framework)
Oracle Retail Integration Bus                                                    RIB Kernel (Spring Framework)
Oracle Retail Merchandising System                                               Foundation (Spring Framework)
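Both the third-party component table earlier on this page and the Spring4Shell table above describe the same situation: a library (jackson-databind, Log4j 1.x, Netty, the Spring Framework) that Oracle bundles inside its own products, so the only supported fix is Oracle's patch, but the vulnerable copy is still a plain JAR sitting on disk that can be inventoried before and after the CPU is applied. The Python script below is an added example, not Tenable or Oracle code. It walks a directory, reads the Maven pom.properties carried inside every JAR, WAR or EAR (recursing into archives nested under WEB-INF/lib or BOOT-INF/lib), and reports coordinates that fall below the first fixed release. The fixed-version thresholds it carries for Spring Framework (5.2.20 and 5.3.18), jackson-databind (2.12.6.1 and 2.13.2.1) and netty-codec-http (4.1.71.Final) are taken from the upstream project advisories rather than from the CPU page and are an editor's assumption; Log4j 1.x is treated as always affected because no fixed 1.x release exists. The JARs the demo builds are constructed test data. For CVE-2022-22965 a vulnerable Spring version is a necessary rather than sufficient indicator, since exploitation also depends on the JDK the application runs on and how it is deployed.

```python
"""Inventory Java archives and flag bundled libraries that the Oracle July 2022 CPU
patches (Spring4Shell, jackson-databind, Log4j 1.x, Netty). Added example, not Tenable or Oracle code."""
import io
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass
from itertools import takewhile
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple

# (groupId, artifactId) -> (CVE, first fixed release per affected minor line); thresholds are from the
# upstream project advisories, not the CPU page (editor's assumption). {} means no fixed release exists.
AFFECTED = {
    ("org.springframework", "spring-beans"): ("CVE-2022-22965", {"5.2": "5.2.20", "5.3": "5.3.18"}),
    ("com.fasterxml.jackson.core", "jackson-databind"): ("CVE-2020-36518", {"2.12": "2.12.6.1", "2.13": "2.13.2.1"}),
    ("io.netty", "netty-codec-http"): ("CVE-2021-43797", {"4.1": "4.1.71.Final"}),
    ("log4j", "log4j"): ("CVE-2021-4104", {}),  # Log4j 1.x is end of life
}
POM_RE = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear"}

@dataclass(frozen=True)
class Finding:
    archive: str     # outer path; a library nested inside another archive is written outer!inner
    coordinate: str  # groupId:artifactId
    version: str
    cve: str

def parse_version(v: str) -> Tuple[int, ...]:
    """'4.1.71.Final' -> (4, 1, 71): numeric components up to the first qualifier."""
    return tuple(int(p) for p in takewhile(str.isdigit, re.split(r"[.\-]", v))) or (0,)

def is_fixed(version: str, fixed_by_line: Dict[str, str]) -> bool:
    """At or past the fix for its minor line; newer lines count as fixed, older lines never got one."""
    if not fixed_by_line:
        return False
    v = parse_version(version)
    line = ".".join(str(x) for x in v[:2])
    if line in fixed_by_line:
        return v >= parse_version(fixed_by_line[line])
    newest_line = max(parse_version(f)[:2] for f in fixed_by_line.values())
    return v[:2] > newest_line

def _pom_coordinates(zf: zipfile.ZipFile) -> Iterator[Tuple[str, str, str]]:
    """Yield (groupId, artifactId, version) for every Maven pom.properties in the archive."""
    for name in zf.namelist():
        if not POM_RE.match(name):
            continue
        text = zf.read(name).decode("utf-8", "replace")
        pairs = (ln.partition("=") for ln in text.splitlines() if "=" in ln and not ln.lstrip().startswith("#"))
        props = {k.strip(): val.strip() for k, _, val in pairs}
        if {"groupId", "artifactId", "version"} <= set(props):
            yield props["groupId"], props["artifactId"], props["version"]

def scan_archive(data: bytes, label: str) -> List[Finding]:
    """Check one archive held in memory, then recurse into JARs nested in it (WEB-INF/lib, BOOT-INF/lib)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for group, artifact, version in _pom_coordinates(zf):
            hit = AFFECTED.get((group, artifact))
            if hit and not is_fixed(version, hit[1]):
                findings.append(Finding(label, f"{group}:{artifact}", version, hit[0]))
        for name in zf.namelist():
            if Path(name).suffix.lower() in ARCHIVE_SUFFIXES:
                findings.extend(scan_archive(zf.read(name), f"{label}!{name}"))
    return findings

def scan_tree(root: str) -> List[Finding]:
    """Walk `root` and check every .jar/.war/.ear file found."""
    findings: List[Finding] = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(path.read_bytes(), path.relative_to(root).as_posix()))
    return findings

def _make_jar(group: str, artifact: str, version: str, extra: Optional[Dict[str, bytes]] = None) -> bytes:
    """Build a minimal JAR carrying a Maven pom.properties (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"#Generated by Maven\ngroupId={group}\nartifactId={artifact}\nversion={version}\n")
        for name, blob in (extra or {}).items():
            zf.writestr(name, blob)
    return buf.getvalue()

def demo() -> List[Finding]:
    """Scan a constructed tree: a vulnerable and a fixed Spring JAR, Log4j 1.x, and a fat WAR hiding Netty."""
    with tempfile.TemporaryDirectory() as root:
        (lib := Path(root, "lib")).mkdir()
        (lib / "spring-beans-5.3.17.jar").write_bytes(_make_jar("org.springframework", "spring-beans", "5.3.17"))
        (lib / "spring-beans-5.3.18.jar").write_bytes(_make_jar("org.springframework", "spring-beans", "5.3.18"))
        (lib / "log4j-1.2.17.jar").write_bytes(_make_jar("log4j", "log4j", "1.2.17"))
        nested = {"BOOT-INF/lib/netty-codec-http-4.1.70.Final.jar": _make_jar("io.netty", "netty-codec-http", "4.1.70.Final")}
        Path(root, "app.war").write_bytes(_make_jar("com.example", "app", "1.0", nested))
        return sorted(scan_tree(root), key=lambda f: f.archive)

if __name__ == "__main__":
    print(*(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()), sep="\n")
```

Run it with no arguments to see the constructed demo, or point it at an Oracle home or application server directory to list the bundled libraries it can recognise. The script identifies components only by the Maven metadata Oracle's build left in the JAR, so a library repackaged without pom.properties, or a version Oracle shipped with a vendor suffix, is missed; treat it as a quick triage aid alongside the vendor patch level, not as a substitute for applying the CPU.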

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
