Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Oracle January 2022 Critical Patch Update Addresses 266 CVEs

Oracle addresses 266 CVEs in its first quarterly update of 2022 with 497 patches, including 25 critical updates.

Background

On January 18, Oracle released its Critical Patch Update (CPU) for January 2022, the first quarterly update of the year. This CPU contains fixes for 266 CVEs in 497 security updates across 39 Oracle product families. Out of the 497 security updates published this quarter, 6.6% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 46.5%, followed by high severity patches at 41.9%.

This quarter’s update includes 33 critical patches across 25 CVEs.

SeverityIssues PatchedCVEs
Critical3325
High20863
Medium231154
Low2524
Total497266

Analysis

This quarter, the Oracle Communications product family contained the highest number of patches at 84, accounting for 16.9% of the total patches, followed by Oracle MySQL at 78 patches, which accounted for 15.7% of the total patches.

Oracle fixes Log4Shell and associated vulnerabilities across some of its product suites

As part of the January 2022 CPU, Oracle addressed CVE-2021-44228, the Apache Log4Shell vulnerability disclosed in December 2021 as well as associated Log4j vulnerabilities that have been disclosed in the weeks since.

Oracle did not explicitly provide details within this release regarding CVE-2021-44228 and which components were affected. Instead, they broadly highlighted that applying the January 2022 CPU would address CVE-2021-44228 and CVE-2021-45046 across the following products:

  • Oracle Communications
  • Oracle Construction and Engineering
  • Oracle Financial Services Applications
  • Oracle Fusion Middleware
  • Oracle Retail Applications
  • Oracle Siebel CRM

While it’s not clear if Oracle has completed an assessment of all product families to address all occurrences of the recently disclosed Log4j vulnerabilities, we will continue to monitor for further updates. In addition to the broader message, Oracle provided some details around affected products for the other associated Log4j vulnerabilities:

CVEProductComponentRemote Exploit without Auth
CVE-2021-45105Oracle Communications WebRTC Session ControllerSignaling Engine, Media Engine (Apache Log4j)Yes
CVE-2021-45105Oracle Communications Services GatekeeperAPI Portal (Apache Log4j)Yes
CVE-2021-45105Instantis EnterpriseTrackLogging (Apache Log4j)Yes
CVE-2021-45105Oracle Retail Integration BusRIB Kernel (Apache Log4j)Yes
CVE-2021-45105Oracle Financial Services Analytical Applications InfrastructureOthers (Apache Log4j)Yes
CVE-2021-45105Oracle Retail Invoice MatchingSecurity (Apache Log4j)Yes
CVE-2021-45105Oracle Retail Service BackboneRSB Installation (Apache Log4j)Yes
CVE-2021-45105Oracle Retail Order BrokerSystem Administration (Apache Log4j)Yes
CVE-2021-45105Oracle WebCenter PortalSecurity Framework (Apache Log4j)Yes
CVE-2021-45105Oracle Managed File TransferMFT Runtime Server (Apache Log4j)Yes
CVE-2021-45105Oracle Business Intelligence Enterprise EditionAnalytics Server (Apache Log4j)Yes
CVE-2021-45105Oracle Retail Order Management SystemUpgrade Install (Apache Log4j)Yes
CVE-2021-45105Oracle Retail Point-of-ServiceAdministration (Apache Log4j)Yes
CVE-2021-45105Oracle Retail Predictive Application ServerRPAS Server (Apache Log4j)Yes
CVE-2021-45105Oracle Retail Price ManagementSecurity (Apache Log4j)Yes
CVE-2021-45105Oracle Communications Service BrokerIntegration (Apache Log4j)Yes
CVE-2021-45105Oracle Retail Returns ManagementSecurity (Apache Log4j)Yes
CVE-2021-45105Oracle Financial Services Model Management and GovernanceInstaller & Configuration (Apache Log4j)Yes
CVE-2021-45105Oracle Retail EFTLinkInstallation (Apache Log4j)Yes
CVE-2021-45105Oracle Retail Back OfficeSecurity (Apache Log4j)Yes
CVE-2021-45105Oracle Retail Central OfficeSecurity (Apache Log4j)Yes
CVE-2021-44832Oracle Communications Interactive Session RecorderRSS (Apache Log4j)No
CVE-2021-44832Primavera UnifierLogging (Apache Log4j)No
CVE-2021-44832Oracle WebLogic ServerCentralized Thirdparty Jars (Apache Log4j)No
CVE-2021-44832Oracle Communications Diameter Signaling RouterVirtual Network Function Manager, API Gateway (Apache Log4j)No
CVE-2021-44832Primavera GatewayAdmin (Apache Log4j)No
CVE-2021-44832Primavera P6 Enterprise Project Portfolio ManagementWeb Access (Apache Log4j)No
CVE-2021-44832Siebel UI FrameworkEnterprise Cache (Apache Log4j)No
CVE-2021-44832Oracle Retail Fiscal ManagementNF Issuing (Apache Log4j)No
CVE-2021-44832Oracle Retail Assortment PlanningApplication Core (Apache Log4j)No
CVE-2021-4104Oracle Retail AllocationGeneral (Apache Log4j)No
CVE-2021-4104Oracle Utilities Testing AcceleratorTools (Apache Log4j)No
CVE-2021-4104Oracle WebLogic ServerCentralized Thirdparty Jars (Apache Log4j)No

Oracle CPU Patch Breakdown

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product FamilyNumber of PatchesRemote Exploit without Auth
Oracle Communications8450
Oracle MySQL783
Oracle Financial Services Applications4837
Oracle Retail Applications4334
Oracle Fusion Middleware3935
Oracle Communications Applications3322
Oracle Construction and Engineering2215
Oracle Java SE1818
Oracle PeopleSoft1310
Oracle Utilities Applications137
Oracle Systems117
Oracle Supply Chain108
Oracle E-Business Suite95
Oracle Health Sciences Applications88
Oracle Enterprise Manager76
Oracle Insurance Applications76
Oracle Commerce66
Oracle TimesTen In-Memory Database53
Oracle Database Server40
Oracle Essbase43
Oracle HealthCare Applications44
Oracle Support Tools44
Oracle GoldenGate33
Oracle Hospitality Applications33
Oracle Big Data Graph22
Oracle Graph Server and Client22
Oracle REST Data Services21
Oracle Secure Backup22
Oracle Siebel CRM21
Oracle Virtualization20
Oracle Airlines Data Model11
Oracle Communications Data Model11
Oracle NoSQL Database10
Oracle Spatial Studio11
Oracle Food and Beverage Applications11
Oracle Hyperion11
Oracle iLearning11
Oracle JD Edwards10
Oracle Policy Automation11

Solution

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the January 2022 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

tenable.io

FREE FOR 30 DAYS


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Tenable.io FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable.cs

FREE FOR 30 DAYS Enjoy full access to detect and fix cloud infrastructure misconfigurations in the design, build and runtime phases of your software development lifecycle.

Buy Tenable.cs

Contact a Sales Representative to learn more about Cloud Security and how you can secure every step from code to cloud.