Oracle January 2022 Critical Patch Update Addresses 266 CVEs
Oracle addresses 266 CVEs in its first quarterly update of 2022 with 497 patches, including 25 critical updates.
Background
On January 18, Oracle released its Critical Patch Update (CPU) for January 2022, the first quarterly update of the year. This CPU contains fixes for 266 CVEs in 497 security updates across 39 Oracle product families. Out of the 497 security updates published this quarter, 6.6% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 46.5%, followed by high severity patches at 41.9%.
This quarter’s update includes 33 critical patches across 25 CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 33 | 25 |
| High | 208 | 63 |
| Medium | 231 | 154 |
| Low | 25 | 24 |
| Total | 497 | 266 |
Analysis
This quarter, the Oracle Communications product family contained the highest number of patches at 84, accounting for 16.9% of the total patches, followed by Oracle MySQL at 78 patches, which accounted for 15.7% of the total patches.
Oracle fixes Log4Shell and associated vulnerabilities across some of its product suites
As part of the January 2022 CPU, Oracle addressed CVE-2021-44228, the Apache Log4Shell vulnerability disclosed in December 2021 as well as associated Log4j vulnerabilities that have been disclosed in the weeks since.
Oracle did not explicitly provide details within this release regarding CVE-2021-44228 and which components were affected. Instead, they broadly highlighted that applying the January 2022 CPU would address CVE-2021-44228 and CVE-2021-45046 across the following products:
- Oracle Communications
- Oracle Construction and Engineering
- Oracle Financial Services Applications
- Oracle Fusion Middleware
- Oracle Retail Applications
- Oracle Siebel CRM
While it’s not clear if Oracle has completed an assessment of all product families to address all occurrences of the recently disclosed Log4j vulnerabilities, we will continue to monitor for further updates. In addition to the broader message, Oracle provided some details around affected products for the other associated Log4j vulnerabilities:
| CVE | Product | Component | Remote Exploit without Auth |
|---|---|---|---|
| CVE-2021-45105 | Oracle Communications WebRTC Session Controller | Signaling Engine, Media Engine (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Communications Services Gatekeeper | API Portal (Apache Log4j) | Yes |
| CVE-2021-45105 | Instantis EnterpriseTrack | Logging (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Retail Integration Bus | RIB Kernel (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Financial Services Analytical Applications Infrastructure | Others (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Retail Invoice Matching | Security (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Retail Service Backbone | RSB Installation (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Retail Order Broker | System Administration (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle WebCenter Portal | Security Framework (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Managed File Transfer | MFT Runtime Server (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Retail Order Management System | Upgrade Install (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Retail Point-of-Service | Administration (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Retail Predictive Application Server | RPAS Server (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Retail Price Management | Security (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Communications Service Broker | Integration (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Retail Returns Management | Security (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Financial Services Model Management and Governance | Installer & Configuration (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Retail EFTLink | Installation (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Retail Back Office | Security (Apache Log4j) | Yes |
| CVE-2021-45105 | Oracle Retail Central Office | Security (Apache Log4j) | Yes |
| CVE-2021-44832 | Oracle Communications Interactive Session Recorder | RSS (Apache Log4j) | No |
| CVE-2021-44832 | Primavera Unifier | Logging (Apache Log4j) | No |
| CVE-2021-44832 | Oracle WebLogic Server | Centralized Thirdparty Jars (Apache Log4j) | No |
| CVE-2021-44832 | Oracle Communications Diameter Signaling Router | Virtual Network Function Manager, API Gateway (Apache Log4j) | No |
| CVE-2021-44832 | Primavera Gateway | Admin (Apache Log4j) | No |
| CVE-2021-44832 | Primavera P6 Enterprise Project Portfolio Management | Web Access (Apache Log4j) | No |
| CVE-2021-44832 | Siebel UI Framework | Enterprise Cache (Apache Log4j) | No |
| CVE-2021-44832 | Oracle Retail Fiscal Management | NF Issuing (Apache Log4j) | No |
| CVE-2021-44832 | Oracle Retail Assortment Planning | Application Core (Apache Log4j) | No |
| CVE-2021-4104 | Oracle Retail Allocation | General (Apache Log4j) | No |
| CVE-2021-4104 | Oracle Utilities Testing Accelerator | Tools (Apache Log4j) | No |
| CVE-2021-4104 | Oracle WebLogic Server | Centralized Thirdparty Jars (Apache Log4j) | No |
Oracle CPU Patch Breakdown
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|---|---|---|
| Oracle Communications | 84 | 50 |
| Oracle MySQL | 78 | 3 |
| Oracle Financial Services Applications | 48 | 37 |
| Oracle Retail Applications | 43 | 34 |
| Oracle Fusion Middleware | 39 | 35 |
| Oracle Communications Applications | 33 | 22 |
| Oracle Construction and Engineering | 22 | 15 |
| Oracle Java SE | 18 | 18 |
| Oracle PeopleSoft | 13 | 10 |
| Oracle Utilities Applications | 13 | 7 |
| Oracle Systems | 11 | 7 |
| Oracle Supply Chain | 10 | 8 |
| Oracle E-Business Suite | 9 | 5 |
| Oracle Health Sciences Applications | 8 | 8 |
| Oracle Enterprise Manager | 7 | 6 |
| Oracle Insurance Applications | 7 | 6 |
| Oracle Commerce | 6 | 6 |
| Oracle TimesTen In-Memory Database | 5 | 3 |
| Oracle Database Server | 4 | 0 |
| Oracle Essbase | 4 | 3 |
| Oracle HealthCare Applications | 4 | 4 |
| Oracle Support Tools | 4 | 4 |
| Oracle GoldenGate | 3 | 3 |
| Oracle Hospitality Applications | 3 | 3 |
| Oracle Big Data Graph | 2 | 2 |
| Oracle Graph Server and Client | 2 | 2 |
| Oracle REST Data Services | 2 | 1 |
| Oracle Secure Backup | 2 | 2 |
| Oracle Siebel CRM | 2 | 1 |
| Oracle Virtualization | 2 | 0 |
| Oracle Airlines Data Model | 1 | 1 |
| Oracle Communications Data Model | 1 | 1 |
| Oracle NoSQL Database | 1 | 0 |
| Oracle Spatial Studio | 1 | 1 |
| Oracle Food and Beverage Applications | 1 | 1 |
| Oracle Hyperion | 1 | 1 |
| Oracle iLearning | 1 | 1 |
| Oracle JD Edwards | 1 | 0 |
| Oracle Policy Automation | 1 | 1 |
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the January 2022 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
Get more information
- Oracle Critical Patch Update Advisory - January 2022
- Oracle October 2021 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Related Articles
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
Cybersecurity Snapshot: CSRB Calls Exchange Online Hack “Preventable,” While CISA, Others Warn About XZ Utils Backdoor Vulnerability
April 5, 2024Check out why the Cyber Safety Review Board has concluded that the Microsoft Exchange Online breach “should never have occurred.” Plus, warnings about the supply chain attack against the XZ Utils open source utility are flying. In addition, a report says ransomware attacks surged in February. And the U.S. government issues a comprehensive AI usage policy for federal agencies. And much more!
Oracle April 2024 Critical Patch Update Addresses 239 CVEs
April 17, 2024Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Navigating Security Challenges Around OT in the DoD’s Manufacturing Lines
April 15, 2024How operational technology can revolutionize logistics, supply chain management, and overall efficiency.
- Risk-based Vulnerability Management
- Vulnerability Management