News

Oracle July 2022 Critical Patch Update Addresses 188 CVEs

Read Time:5 Minute, 21 Second

Oracle July 2022 Critical Patch Update Addresses 188 CVEs

Oracle addresses 188 CVEs in its third quarterly update of 2022 with 349 patches, including 66 critical updates.

Background

On July 19, Oracle released its Critical Patch Update (CPU) for July 2022, the third quarterly update of the year. This CPU contains fixes for 188 CVEs in 349 security updates across 32 Oracle product families. Out of the 349 security updates published this quarter, 66 patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 146, followed by medium severity patches at 133.

This quarter’s update includes over 90 medium severity CVEs, followed by 65 high severity CVEs.

Severity
Issues Patched
CVEs

Critical
66
29

High
146
65

Medium
133
90

Low
4
4

Total
349
188

Analysis

This quarter, the Oracle Financial Services Applications product family contained the highest number of patches at 59, accounting for 16.91% of the total patches, followed by Oracle Communications with 56 patches, which accounted for 16.05% of the total patches.

Oracle did not include security patches for five product families:

Oracle Autonomous Health Framework
Oracle Berkeley DB
Oracle Blockchain Platform
Oracle NoSQL Database
Oracle SQL Developer

While these five product families did not receive security patches, Oracle notes that there are third-party patches included as part of its CPU release that affect them:

Oracle Product Family
Component
CVE

Oracle Autonomous Health Framework
Autonomous Health Framework (NumPy)
CVE-2021-41495

Oracle Autonomous Health Framework
Autonomous Health Framework (NumPy)
CVE-2021-41496

Oracle Autonomous Health Framework
Autonomous Health Framework (Python)
CVE-2021-29396

Oracle Autonomous Health Framework
Autonomous Health Framework (Python)
CVE-2021-29921

Oracle Autonomous Health Framework
Trace File Analyzer (jackson-databind)
CVE-2020-36518

Oracle Berkeley DB
Data Store (Apache Log4j)
CVE-2021-4104

Oracle Berkeley DB
Data Store (Apache Log4j)
CVE-2022-23302

Oracle Berkeley DB
Data Store (Apache Log4j)
CVE-2022-23305

Oracle Berkeley DB
Data Store (Apache Log4j)
CVE-2022-23307

Oracle Blockchain Platform
Blockchain Cloud Service Console (OpenSSH)
CVE-2021-41617

Oracle NoSQL Database
Administration (Netty)
CVE-2021-43797

Oracle SQL Developer
Oracle SQL Developer (Apache PDFBox)
CVE-2021-31811

Oracle SQL Developer
Oracle SQL Developer (Apache PDFBox)
CVE-2021-31812

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product Family
Number of Patches
Remote Exploit without Authentication

Oracle Financial Services Applications
59
38

Oracle Communications
56
45

Oracle Fusion Middleware
38
32

Oracle MySQL
34
10

Oracle Supply Chain
24
19

Oracle Communications Applications
17
12

Oracle Retail Applications
17
13

Oracle Commerce
12
10

Oracle PeopleSOft
11
9

Oracle Database Server
9
1

Oracle Construction and Engineering
7
4

Oracle Systems
7
2

Oracle E-Business Suite
6
5

Oracle Enterprise Manager
6
6

Oracle Health Sciences Applications
6
3

Oracle JD Edwards
6
3

Oracle Java SE
5
4

Oracle GoldenGate
4
2

Oracle Big Data Graph
3
3

Oracle Food and Beverage Applications
3
3

Oracle HealthCare Applications
3
2

Oracle Policy Automation
3
1

Oracle REST Data Services
2
2

Oracle Hospitality Applications
2
2

Oracle Virtualization
2
0

Oracle Essbase
1
0

Oracle Global Lifecycle Management
1
0

Oracle Graph Server and Client
1
0

Oracle Spatial Studio
1
0

Oracle TimesTen In-Memory Database
1
1

Oracle Siebel CRM
1
0

Oracle Utilities Applications
1
1

Oracle out-of-band security alert for E-Business Suite

In some instances, Oracle will publish a security alert outside of its normal CPU process. Following Oracle’s April 2022 CPU, it published an alert on May 19 for CVE-2022-21500, a vulnerability in Oracle E-Business Suite version 12.2 that could allow an attacker to self-register a new user account on a publicly accessible E-Business Suite system. Successful exploitation could grant an attacker access to the system and allow them to collect personal information on the registered employees on the system including first and last names, email addresses and potentially more sensitive details.

For organizations that did not apply the patch for CVE-2022-21500 in May, applying this quarter’s CPU includes this fix.

Oracle patches Spring4Shell across a number of product families

As part of its July 2022 CPU, Oracle released additional patches for CVE-2022-22965, a remote code execution vulnerability in the Spring Core Framework, referred to as Spring4Shell by the security research community, that was originally disclosed in March. The patches in the July 2022 CPU that address Spring4Shell across a variety of Oracle products are summarized in the table below:

Oracle Product
Component

Oracle Commerce Platform
Endeca Integration (Spring Framework)

Oracle Communications Unified Inventory Management
TMF APIs (Spring Framework)

Oracle Communications Billing and Revenue Management – Elastic Charging Engine
Charging Server (Spring Framework)

Oracle Communications Cloud Native Core Binding Support Function
BSF (Spring Framework)

Oracle Communications Cloud Native Core Security Edge Protection Proxy
SEPP (Spring Framework)

Oracle Communications Cloud Native Core Service Communication Proxy
SCP (Spring Boot)

Oracle Primavera Gateway
Admin (Spring Framework)

Oracle Enterprise Manager for MySQL Database
EM Plugin: General (Spring Framework)

Oracle WebLogic Server
Third Party Tools, Samples (Spring Framework)

Oracle BI Publisher
Web Service API (Spring Framework)

Oracle Business Intelligence Enterprise Edition
Analytics Server (Spring Framework)

Oracle Data Integrator
Runtime Java agent for ODI (Spring Framework)

Oracle Identity Management Suite
Installer (Spring Framework)

Oracle Identity Manager Connector
General and Misc (Spring Framework)

Oracle Middleware Common Libraries and Tools
Third Party Patch (Spring Framework)

Oracle Retail Bulk Data Integration
BDI Job Scheduler (Spring Framework)

Oracle Retail Customer Management and Segmentation Foundation
Security (Spring Framework)

Oracle Retail Financial Integration
PeopleSoft Integration Bugs (Spring Framework)

Oracle Retail Integration Bus
RIB Kernal (Spring Framework)

Oracle Retail Merchandising System
Foundation (Spring Framework)

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

Oracle Critical Patch Update Advisory – July 2022
Oracle July 2022 Critical Patch Update Risk Matrices
Oracle Advisory to CVE Map

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Read More