Oracle addresses 188 CVEs in its third quarterly update of 2022 with 349 patches, including 66 critical updates.
Background
On July 19, Oracle released its Critical Patch Update (CPU) for July 2022, the third quarterly update of the year. This CPU contains fixes for 188 CVEs in 349 security updates across 32 Oracle product families. Out of the 349 security updates published this quarter, 66 patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 146, followed by medium severity patches at 133.
This quarter’s update includes over 90 medium severity CVEs, followed by 65 high severity CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 66 | 29 |
| High | 146 | 65 |
| Medium | 133 | 90 |
| Low | 4 | 4 |
| Total | 349 | 188 |
Analysis
This quarter, the Oracle Financial Services Applications product family contained the highest number of patches at 59, accounting for 16.91% of the total patches, followed by Oracle Communications with 56 patches, which accounted for 16.05% of the total patches.
Oracle did not include security patches for five product families:
- Oracle Autonomous Health Framework
- Oracle Berkeley DB
- Oracle Blockchain Platform
- Oracle NoSQL Database
- Oracle SQL Developer
While these five product families did not receive security patches, Oracle notes that there are third-party patches included as part of its CPU release that affect them:
| Oracle Product Family | Component | CVE |
|---|---|---|
| Oracle Autonomous Health Framework | Autonomous Health Framework (NumPy) | CVE-2021-41495 |
| Oracle Autonomous Health Framework | Autonomous Health Framework (NumPy) | CVE-2021-41496 |
| Oracle Autonomous Health Framework | Autonomous Health Framework (Python) | CVE-2021-29396 |
| Oracle Autonomous Health Framework | Autonomous Health Framework (Python) | CVE-2021-29921 |
| Oracle Autonomous Health Framework | Trace File Analyzer (jackson-databind) | CVE-2020-36518 |
| Oracle Berkeley DB | Data Store (Apache Log4j) | CVE-2021-4104 |
| Oracle Berkeley DB | Data Store (Apache Log4j) | CVE-2022-23302 |
| Oracle Berkeley DB | Data Store (Apache Log4j) | CVE-2022-23305 |
| Oracle Berkeley DB | Data Store (Apache Log4j) | CVE-2022-23307 |
| Oracle Blockchain Platform | Blockchain Cloud Service Console (OpenSSH) | CVE-2021-41617 |
| Oracle NoSQL Database | Administration (Netty) | CVE-2021-43797 |
| Oracle SQL Developer | Oracle SQL Developer (Apache PDFBox) | CVE-2021-31811 |
| Oracle SQL Developer | Oracle SQL Developer (Apache PDFBox) | CVE-2021-31812 |
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Authentication |
|---|---|---|
| Oracle Financial Services Applications | 59 | 38 |
| Oracle Communications | 56 | 45 |
| Oracle Fusion Middleware | 38 | 32 |
| Oracle MySQL | 34 | 10 |
| Oracle Supply Chain | 24 | 19 |
| Oracle Communications Applications | 17 | 12 |
| Oracle Retail Applications | 17 | 13 |
| Oracle Commerce | 12 | 10 |
| Oracle PeopleSOft | 11 | 9 |
| Oracle Database Server | 9 | 1 |
| Oracle Construction and Engineering | 7 | 4 |
| Oracle Systems | 7 | 2 |
| Oracle E-Business Suite | 6 | 5 |
| Oracle Enterprise Manager | 6 | 6 |
| Oracle Health Sciences Applications | 6 | 3 |
| Oracle JD Edwards | 6 | 3 |
| Oracle Java SE | 5 | 4 |
| Oracle GoldenGate | 4 | 2 |
| Oracle Big Data Graph | 3 | 3 |
| Oracle Food and Beverage Applications | 3 | 3 |
| Oracle HealthCare Applications | 3 | 2 |
| Oracle Policy Automation | 3 | 1 |
| Oracle REST Data Services | 2 | 2 |
| Oracle Hospitality Applications | 2 | 2 |
| Oracle Virtualization | 2 | 0 |
| Oracle Essbase | 1 | 0 |
| Oracle Global Lifecycle Management | 1 | 0 |
| Oracle Graph Server and Client | 1 | 0 |
| Oracle Spatial Studio | 1 | 0 |
| Oracle TimesTen In-Memory Database | 1 | 1 |
| Oracle Siebel CRM | 1 | 0 |
| Oracle Utilities Applications | 1 | 1 |
Oracle out-of-band security alert for E-Business Suite
In some instances, Oracle will publish a security alert outside of its normal CPU process. Following Oracle’s April 2022 CPU, it published an alert on May 19 for CVE-2022-21500, a vulnerability in Oracle E-Business Suite version 12.2 that could allow an attacker to self-register a new user account on a publicly accessible E-Business Suite system. Successful exploitation could grant an attacker access to the system and allow them to collect personal information on the registered employees on the system including first and last names, email addresses and potentially more sensitive details.
For organizations that did not apply the patch for CVE-2022-21500 in May, applying this quarter’s CPU includes this fix.
Oracle patches Spring4Shell across a number of product families
As part of its July 2022 CPU, Oracle released additional patches for CVE-2022-22965, a remote code execution vulnerability in the Spring Core Framework, referred to as Spring4Shell by the security research community, that was originally disclosed in March. The patches in the July 2022 CPU that address Spring4Shell across a variety of Oracle products are summarized in the table below:
| Oracle Product | Component |
|---|---|
| Oracle Commerce Platform | Endeca Integration (Spring Framework) |
| Oracle Communications Unified Inventory Management | TMF APIs (Spring Framework) |
| Oracle Communications Billing and Revenue Management - Elastic Charging Engine | Charging Server (Spring Framework) |
| Oracle Communications Cloud Native Core Binding Support Function | BSF (Spring Framework) |
| Oracle Communications Cloud Native Core Security Edge Protection Proxy | SEPP (Spring Framework) |
| Oracle Communications Cloud Native Core Service Communication Proxy | SCP (Spring Boot) |
| Oracle Primavera Gateway | Admin (Spring Framework) |
| Oracle Enterprise Manager for MySQL Database | EM Plugin: General (Spring Framework) |
| Oracle WebLogic Server | Third Party Tools, Samples (Spring Framework) |
| Oracle BI Publisher | Web Service API (Spring Framework) |
| Oracle Business Intelligence Enterprise Edition | Analytics Server (Spring Framework) |
| Oracle Data Integrator | Runtime Java agent for ODI (Spring Framework) |
| Oracle Identity Management Suite | Installer (Spring Framework) |
| Oracle Identity Manager Connector | General and Misc (Spring Framework) |
| Oracle Middleware Common Libraries and Tools | Third Party Patch (Spring Framework) |
| Oracle Retail Bulk Data Integration | BDI Job Scheduler (Spring Framework) |
| Oracle Retail Customer Management and Segmentation Foundation | Security (Spring Framework) |
| Oracle Retail Financial Integration | PeopleSoft Integration Bugs (Spring Framework) |
| Oracle Retail Integration Bus | RIB Kernal (Spring Framework) |
| Oracle Retail Merchandising System | Foundation (Spring Framework) |
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Oracle Critical Patch Update Advisory - July 2022
- Oracle July 2022 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.