Oracle addresses 179 CVEs in its fourth and final quarterly update of 2022 with 370 patches, including 56 critical updates.
Background
On October 18, Oracle released its Critical Patch Update (CPU) for October 2022, the fourth and final quarterly update of the year. This CPU contains fixes for 179 CVEs in 370 security updates across 27 Oracle product families. Out of the 370 security updates published this quarter, 56 patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 163, followed by high severity patches at 144.
This quarter’s update includes 83 medium severity CVEs, followed by 57 high severity CVEs and 7 low severity CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 56 | 32 |
| High | 144 | 57 |
| Medium | 163 | 83 |
| Low | 7 | 7 |
| Total | 370 | 179 |
Analysis
This quarter, the Oracle Communications product family contained the highest number of patches at 74, accounting for 20% of the total patches, followed by Oracle Fusion Middleware with 56 patches, which accounted for 15.14% of the total patches.
Oracle did not include security patches for five product families:
- Oracle Airlines Data Model
- Oracle Big Data Graph
- Oracle NoSQL Database
- Oracle SQL Developer
- Oracle TimesTen In-Memory Database
While these five product families did not receive security patches, Oracle notes that there are third-party patches included as part of its CPU release that affect them:
| Oracle Product Family | Component | CVE |
|---|---|---|
| Oracle Airlines Data Model | Installation (Apache Commons BeanUtils) | CVE-2019-10086 |
| Oracle Airlines Data Model | Installation (Apache Commons IO) | CVE-2021-29425 |
| Oracle Airlines Data Model | Installation (Apache Groovy) | CVE-2020-17521 |
| Oracle Airlines Data Model | Installation (Apache Log4j) | CVE-2021-4104 |
| Oracle Airlines Data Model | Installation (Nimbus JOSE+JWT) | CVE-2019-17195 |
| Oracle Airlines Data Model | Installation (Spring Framework) | CVE-2021-22118 |
| Oracle Airlines Data Model | Installation (Spring Framework) | CVE-2020-5421 |
| Oracle Airlines Data Model | Installation (jackson-databind) | CVE-2020-9546 |
| Oracle Airlines Data Model | Installation (jackson-databind) | CVE-2020-10650 |
| Oracle Airlines Data Model | Installation (jackson-databind) | CVE-2020-10672 |
| Oracle Airlines Data Model | Installation (jackson-databind) | CVE-2020-10673 |
| Oracle Airlines Data Model | Installation (jackson-databind) | CVE-2020-10968 |
| Oracle Airlines Data Model | Installation (jackson-databind) | CVE-2020-10969 |
| Oracle Airlines Data Model | Installation (jackson-databind) | CVE-2020-11111 |
| Oracle Airlines Data Model | Installation (jackson-databind) | CVE-2020-11112 |
| Oracle Airlines Data Model | Installation (jackson-databind) | CVE-2020-11113 |
| Oracle Airlines Data Model | Installation (jackson-databind) | CVE-2020-14195 |
| Oracle Airlines Data Model | Installation (jackson-databind) | CVE-2020-25649 |
| Oracle Airlines Data Model | Installation (jackson-databind) | CVE-2020-36189 |
| Oracle Airlines Data Model | Installation (jackson-databind) | CVE-2020-9547 |
| Oracle Airlines Data Model | Installation (jackson-databind) | CVE-2020-9548 |
| Oracle Big Data Spatial and Graph | Big Data Graph (Apache Tomcat) | CVE-2022-34305 |
| Oracle NoSQL Database | Administration (Google Gson) | CVE-2022-25647 |
| Oracle NoSQL Database | Administration (jackson-databind) | CVE-2020-36518 |
| Oracle SQL Developer | Install (Apache Batik) | CVE-2020-11987 |
| Oracle SQL Developer | Install (Apache Kafka) | CVE-2021-38153 |
| Oracle SQL Developer | Install (Apache Kafka) | CVE-2021-26291 |
| Oracle TimesTen In-Memory Database | Kubernetes Operator (Golang Go) | CVE-2022-28327 |
| Oracle TimesTen In-Memory Database | Kubernetes Operator (Golang Go) | CVE-2022-24675 |
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Authentication |
|---|---|---|
| Oracle Communications | 74 | 64 |
| Oracle Fusion Middleware | 56 | 43 |
| Oracle MySQL | 37 | 11 |
| Oracle Communications Applications | 27 | 21 |
| Oracle Retail Applications | 27 | 21 |
| Oracle Financial Services Applications | 24 | 16 |
| Oracle Siebel CRM | 14 | 12 |
| Oracle Supply Chain | 13 | 9 |
| Oracle JD Edwards | 10 | 9 |
| Oracle Virtualization | 10 | 3 |
| Oracle Java SE | 9 | 9 |
| Oracle Database Server | 8 | 1 |
| Oracle PeopleSoft | 8 | 4 |
| Oracle Systems | 8 | 4 |
| Oracle Utilities Applications | 6 | 4 |
| Oracle Construction and Engineering | 5 | 2 |
| Oracle E-Business Suite | 5 | 4 |
| Oracle Enterprise Manager | 5 | 4 |
| Oracle HealthCare Applications | 5 | 4 |
| Oracle Insurance Applications | 5 | 3 |
| Oracle Hospitality Applications | 4 | 2 |
| Oracle Commerce | 3 | 2 |
| Oracle Essbase | 2 | 1 |
| Oracle GoldenGate | 2 | 1 |
| Oracle Communications Data Model | 1 | 0 |
| Oracle Secure Backup | 1 | 1 |
| Oracle Hyperion | 1 | 1 |
| Oracle Airlines Data Model | 0 | 0 |
| Oracle Big Data Graph | 0 | 0 |
| Oracle NoSQL Database | 0 | 0 |
| Oracle SQL Developer | 0 | 0 |
| Oracle TimesTen In-Memory Database | 0 | 0 |
2021 Critical Patch Update totals: 854 CVEs patched
The combined total of CVEs patched in this year’s CPUs was 854. This year saw a 7.27% decrease in the number of CVEs patched compared to 2021, when Oracle patched a total of 921 CVEs.
The first two quarters in both 2021 and 2022 saw the most patches released, 487 in 2022 and 459 in 2021. In 2021, Q3 and Q4 had an equal number of patches (231), whereas Q3 and Q4 of 2022 saw a marked decrease in patches (188 and 179 respectively).
Schedule for quarterly patch updates for 2023
Looking ahead to 2023, Oracle has specified the dates for upcoming Oracle CPUs:
- January 17, 2023
- April 18, 2023
- July 18, 2023
- October 17, 2023
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Oracle Critical Patch Update Advisory - October 2022
- Oracle October 2022 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.