Thousands of passengers of Canadian low-cost airline face delays after third-party system was hacked

Read More

Oracle addresses 221 CVEs in its second quarterly update of 2022 with 520 patches, including 27 critical updates.

Background

On April 19, Oracle released its Critical Patch Update (CPU) for April 2022, the second quarterly update of the year. This CPU contains fixes for 221 CVEs in 520 security updates across 31 Oracle product families. Out of the 520 security updates published this quarter, 14.8% of patches were assigned critical severity. Medium severity patches accounted for the bulk of the release at 55.2%, followed by high severity patches at 27.1%.

This quarter’s update includes 77 critical patches across 27 CVEs.

Analysis

This quarter, the Oracle Communications product family contained the highest number of patches at 149, accounting for 28.6% of the total patches, followed by Oracle Fusion Middleware at 54 patches, which accounted for 10.4% of the total patches.

Two CVEs receive the highest possible CVSS Score

This month’s CPU release included two CVEs that were given a CVSSv3 score of 10.0, the highest possible severity.

CVE-2022-22947 is a vulnerability impacting the Oracle Communications product family that can be exploited by an unauthenticated attacker with network access via HTTP. This vulnerability would allow a remote attacker to exploit arbitrary code when the Spring Cloud gateway actuator is enabled and unsecured.

CVE-2022-21431 is a vulnerability in the Connection Manager component of the Oracle Communications Billing and Revenue Management product that can be exploited by an unauthenticated attacker with network access via TCP to gain full control of the Billing and Revenue Management service; however, Oracle indicates that exploitation of this vulnerability could “significantly impact additional products.”

Three product families receive only third party patches

While 31 product families received security patches this quarter, Oracle did not include security patches for three product families:

Oracle Global Lifecycle Management
Oracle NoSQL Database
Oracle Secure Backup

While these three product families did not receive security patches, Oracle notes that there are third-party patches included as part of its CPU release:

Third party patches also include fixes for Apache Log4j

Oracle has also addressed multiple additional third party patches in this release, including fixes for vulnerabilities in Apache Log4j, most notably a remote code execution vulnerability dubbed Log4Shell and originally disclosed in December.

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Solution

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the April 2022 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Oracle Critical Patch Update Advisory – April 2022
Oracle April 2022 Critical Patch Update Risk Matrices
Oracle Advisory to CVE Map

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Read More

Joint advisory reveals Lazarus APT is targeting cryptocurrency organizations using trojanized applications

Read More