Read Time:4 Minute, 44 Second
Oracle addresses 221 CVEs in its second quarterly update of 2022 with 520 patches, including 27 critical updates.
Background
On April 19, Oracle released its Critical Patch Update (CPU) for April 2022, the second quarterly update of the year. This CPU contains fixes for 221 CVEs in 520 security updates across 31 Oracle product families. Out of the 520 security updates published this quarter, 14.8% of patches were assigned critical severity. Medium severity patches accounted for the bulk of the release at 55.2%, followed by high severity patches at 27.1%.
This quarter’s update includes 77 critical patches across 27 CVEs.
Severity
Issues Patched
CVEs
Critical
77
27
High
141
69
Medium
287
114
Low
15
11
Total
520
221
Analysis
This quarter, the Oracle Communications product family contained the highest number of patches at 149, accounting for 28.6% of the total patches, followed by Oracle Fusion Middleware at 54 patches, which accounted for 10.4% of the total patches.
Two CVEs receive the highest possible CVSS Score
This month’s CPU release included two CVEs that were given a CVSSv3 score of 10.0, the highest possible severity.
CVE-2022-22947 is a vulnerability impacting the Oracle Communications product family that can be exploited by an unauthenticated attacker with network access via HTTP. This vulnerability would allow a remote attacker to exploit arbitrary code when the Spring Cloud gateway actuator is enabled and unsecured.
CVE-2022-21431 is a vulnerability in the Connection Manager component of the Oracle Communications Billing and Revenue Management product that can be exploited by an unauthenticated attacker with network access via TCP to gain full control of the Billing and Revenue Management service; however, Oracle indicates that exploitation of this vulnerability could “significantly impact additional products.”
Three product families receive only third party patches
While 31 product families received security patches this quarter, Oracle did not include security patches for three product families:
Oracle Global Lifecycle Management
Oracle NoSQL Database
Oracle Secure Backup
While these three product families did not receive security patches, Oracle notes that there are third-party patches included as part of its CPU release:
Oracle Product Family
Component
CVE
Oracle NoSQL Database
Administration (Netty)
CVE-2021-37137
Oracle NoSQL Database
Administration (Netty)
CVE-2021-21290
Oracle NoSQL Database
Administration (Netty)
CVE-2021-21295
Oracle NoSQL Database
Administration (Netty)
CVE-2021-21409
Oracle NoSQL Database
Administration (Netty)
CVE-2021-30129
Oracle NoSQL Database
Administration (Netty)
CVE-2021-37136
Oracle NoSQL Database
Administration (Apache MINA SSHD)
CVE-2021-30129
Oracle Secure Backup Risk Matrix
Secure Backup (Apache HTTP Server)
CVE-2021-44790
Oracle Secure Backup Risk Matrix
Secure Backup (Apache HTTP Server)
CVE-2021-32785
Oracle Secure Backup Risk Matrix
Secure Backup (Apache HTTP Server)
CVE-2021-32786
Oracle Secure Backup Risk Matrix
Secure Backup (Apache HTTP Server)
CVE-2021-32791
Oracle Secure Backup Risk Matrix
Secure Backup (Apache HTTP Server)
CVE-2021-32792
Oracle Secure Backup Risk Matrix
Secure Backup (Apache HTTP Server)
CVE-2021-44224
Oracle Secure Backup Risk Matrix
Secure Backup (PHP)
CVE-2021-21703
Oracle Global Lifecycle Management OPatch
Centralized Third Party Jars (Apache Commons Compress)
CVE-2021-36090
Oracle Global Lifecycle Management OPatch
Centralized Third Party Jars (Apache Commons Compress)
CVE-2021-35515
Oracle Global Lifecycle Management OPatch
Centralized Third Party Jars (Apache Commons Compress)
CVE-2021-35516
Oracle Global Lifecycle Management OPatch
Centralized Third Party Jars (Apache Commons Compress)
CVE-2021-35517
Third party patches also include fixes for Apache Log4j
Oracle has also addressed multiple additional third party patches in this release, including fixes for vulnerabilities in Apache Log4j, most notably a remote code execution vulnerability dubbed Log4Shell and originally disclosed in December.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
Oracle Product Family
Number of Patches
Remote Exploit without Auth
Oracle Communications
149
98
Oracle Fusion Middleware
54
41
Oracle MySQL
43
11
Oracle Financial Services Applications
41
19
Oracle Communications Applications
39
22
Oracle Retail Applications
30
15
Oracle Systems
20
14
Oracle Blockchain Platform
15
14
Oracle PeopleSoft
14
8
Oracle Hyperion
12
4
Oracle Supply Chain
11
5
Oracle Enterprise Manager
10
7
Oracle HealthCare Applications
10
5
Oracle JD Edwards
8
8
Oracle Commerce
7
3
Oracle Insurance Applications
7
5
Oracle Java SE
7
7
Oracle Hospitality Applications
6
2
Oracle Virtualization
6
1
Oracle Database Server
5
0
Oracle GoldenGate
5
4
Oracle E-Business Suite
5
2
Oracle Construction and Engineering
3
1
Oracle Health Sciences Applications
3
1
Oracle Support Tools
3
1
Oracle SQL Developer
2
1
Oracle Autonomous Health Framework
1
0
Oracle REST Data Services
1
0
Oracle iLearning
1
1
Oracle Taleo
1
0
Oracle Utilities Applications
1
0
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the April 2022 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
Get more information
Oracle Critical Patch Update Advisory – April 2022
Oracle April 2022 Critical Patch Update Risk Matrices
Oracle Advisory to CVE Map
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.