Effective URL: https://www.oracle.com/security-alerts/cpuapr2023.html

ORACLE CRITICAL PATCH UPDATE ADVISORY - APRIL 2023


DESCRIPTION

A Critical Patch Update is a collection of patches for multiple security
vulnerabilities. These patches address vulnerabilities in Oracle code and in
third-party components included in Oracle products. These patches are usually
cumulative, but each advisory describes only the security patches added since
the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update
advisories should be reviewed for information regarding earlier published
security patches. Refer to “Critical Patch Updates, Security Alerts and
Bulletins” for information about Oracle Security advisories.

Oracle continues to periodically receive reports of attempts to maliciously
exploit vulnerabilities for which Oracle has already released security patches.
In some instances, it has been reported that attackers have been successful
because targeted customers had failed to apply available Oracle patches. Oracle
therefore strongly recommends that customers remain on actively supported
versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 433 new security patches across the product
families listed below. Please note that an MOS note summarizing the content of
this Critical Patch Update and other Oracle Software Security Assurance
activities is located at April 2023 Critical Patch Update: Executive Summary and
Analysis.


AFFECTED PRODUCTS AND PATCH INFORMATION

Security vulnerabilities addressed by this Critical Patch Update affect the
products listed below. The product area is shown in the Patch Availability
Document column.

Please click on the links in the Patch Availability Document column below to
access the documentation for patch availability information and installation
instructions.

Affected Products and Versions | Patch Availability Document
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.7.3 | JD Edwards
JD Edwards EnterpriseOne Tools, versions prior to 9.2.7.3 | JD Edwards
JD Edwards World Security, version A9.4 | JD Edwards
Management Cloud Engine, version 22.1.0.0.0 | Management Cloud Engine
MySQL Cluster, versions 7.5.29 and prior, 7.6.25 and prior, 8.0.32 and prior | MySQL
MySQL Connectors, versions 8.0.32 and prior | MySQL
MySQL Enterprise Monitor, versions 8.0.33 and prior | MySQL
MySQL Server, versions 5.7.41 and prior, 8.0.32 and prior | MySQL
MySQL Workbench, versions 8.0.32 and prior | MySQL
Oracle Access Manager, version 12.2.1.4.0 | Fusion Middleware
Oracle Agile PLM, version 9.3.6 | Oracle Supply Chain Products
Oracle Application Testing Suite, version 13.3.0.1 | Oracle Enterprise Manager
Oracle Argus Insight, versions prior to 8.2.3 | Health Sciences
Oracle Argus Safety, versions prior to 8.2.3 | Health Sciences
Oracle Banking APIs, versions 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 | Contact Support
Oracle Banking Corporate Lending, versions 14.0-14.3, 14.5-14.7 | Contact Support
Oracle Banking Corporate Lending Process Management, versions 14.4-14.7 | Contact Support
Oracle Banking Digital Experience, versions 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 | Contact Support
Oracle Banking Payments, versions 14.5, 14.6, 14.7 | Contact Support
Oracle Banking Trade Finance, versions 14.5, 14.6, 14.7 | Contact Support
Oracle Banking Treasury Management, versions 14.5, 14.6, 14.7 | Contact Support
Oracle Banking Virtual Account Management, versions 14.5, 14.6, 14.7 | Contact Support
Oracle BI Publisher, versions 6.4.0.0.0, 12.2.1.4.0 | Oracle Analytics
Oracle Big Data Spatial and Graph, versions prior to 23.1 | Database
Oracle Blockchain Platform, versions prior to 21.1.3 | Oracle Blockchain Platform
Oracle Business Intelligence Enterprise Edition, versions 5.9.0.0.0, 6.4.0.0.0, 12.2.1.4.0 | Oracle Analytics
Oracle Business Process Management Suite, version 12.2.1.4.0 | Fusion Middleware
Oracle Clinical Remote Data Capture, version 5.4.0.2 | Health Sciences
Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle Commerce Guided Search, version 11.3.2 | Oracle Commerce
Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2 | Oracle Commerce
Oracle Communications Cloud Native Configuration Console, versions 22.4.1, 23.1.0 | Oracle Communications Cloud Native Core Console
Oracle Communications Cloud Native Core Automated Test Suite, versions 22.3.1, 22.4.0 | Oracle Communications Cloud Native Core Automated Test Suite
Oracle Communications Cloud Native Core Binding Support Function, versions 22.4.0-22.4.4, 23.1.0-23.1.1 | Oracle Communications Cloud Native Core Binding Support Function
Oracle Communications Cloud Native Core Console, versions 22.3.0, 22.4.0 | Oracle Communications Cloud Native Core Console
Oracle Communications Cloud Native Core Network Exposure Function, versions 22.4.2, 23.1.0 | Oracle Communications Cloud Native Core Network Exposure Function
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, version 22.4.0 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Oracle Communications Cloud Native Core Network Repository Function, version 23.1.0 | Oracle Communications Cloud Native Core Network Repository Function
Oracle Communications Cloud Native Core Policy, versions 22.4.0-22.4.4, 23.1.0-23.1.1 | Oracle Communications Cloud Native Core Policy
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 22.4.0, 22.4.1, 22.4.2, 23.1.0 | Oracle Communications Cloud Native Core Security Edge Protection Proxy
Oracle Communications Cloud Native Core Service Communication Proxy, versions 22.3.0, 22.4.0 | Oracle Communications Cloud Native Core Service Communication Proxy
Oracle Communications Cloud Native Core Unified Data Repository, versions 22.4.1, 23.1.0 | Oracle Communications Cloud Native Core Unified Data Repository
Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0 | Oracle Communications Convergent Charging Controller
Oracle Communications Core Session Manager, versions 8.45, 9.15 | Oracle Communications Core Session Manager
Oracle Communications Diameter Signaling Router, version 8.6.0.0 | Oracle Communications Diameter Signaling Router
Oracle Communications Element Manager, versions 9.0.0, 9.0.1 | Oracle Communications Element Manager
Oracle Communications IP Service Activator, versions 7.4.0, 7.5.0 | Oracle Communications IP Service Activator
Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0 | Oracle Communications Network Charging and Control
Oracle Communications Operations Monitor, version 5.0 | Oracle Communications Operations Monitor
Oracle Communications Order and Service Management, version 7.4.1 | Oracle Communications Order and Service Management
Oracle Communications Policy Management, version 12.6.0.0.0 | Oracle Communications Policy Management
Oracle Communications Services Gatekeeper, version 7.0.0.0.0 | Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions 9.0, 9.1 | Oracle Communications Session Border Controller
Oracle Communications Session Report Manager, versions 9.0.0, 9.0.1 | Oracle Communications Session Report Manager
Oracle Communications Session Router, versions 9.0, 9.1 | Oracle Communications Session Router
Oracle Communications Subscriber-Aware Load Balancer, versions 9.0, 9.1 | Oracle Communications Subscriber-Aware Load Balancer
Oracle Communications Unified Assurance, versions 5.5.0-5.5.10, 6.0.0-6.0.2 | Oracle Communications Unified Assurance
Oracle Communications Unified Inventory Management, versions 7.4.0, 7.4.1, 7.4.2, 7.5.0 | Oracle Communications Unified Inventory Management
Oracle Communications User Data Repository, version 12.6.1.0.0 | Oracle Communications User Data Repository
Oracle Data Integrator, version 12.2.1.4.0 | Fusion Middleware
Oracle Database Server, versions 19c, 21c | Database
Oracle Documaker, versions 12.6.0.0.0, 12.6.2.0.0-12.6.4.0.0, 12.7.0.0.0, 12.7.1.0.0 | Oracle Insurance Applications
Oracle E-Business Suite, versions 12.2.3-12.2.12 | Oracle E-Business Suite
Oracle Enterprise Communications Broker, versions 3.3, 4.0 | Oracle Enterprise Communications Broker
Oracle Enterprise Manager Ops Center, version 12.4.0.0 | Oracle Enterprise Manager
Oracle Enterprise Session Router, version 9.1 | Oracle Enterprise Session Router
Oracle Essbase, version 21.4 | Database
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.0, 8.0.8.0, 8.0.9.0, 8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1, 8.1.2.2 | Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.7.1.2, 8.1.1.1.7 | Oracle Financial Services Analytical Applications Reconciliation Framework
Oracle Financial Services Asset Liability Management, version 8.0.7.8.0 | Oracle Financial Services Asset Liability Management
Oracle Financial Services Balance Computation Engine, version 8.1.1.1.1 | Oracle Financial Services Balance Computation Engine
Oracle Financial Services Balance Sheet Planning, version 8.0.8.1.4 | Oracle Financial Services Balance Sheet Planning
Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.1.1, 8.1.2.3, 8.1.2.4 | Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Compliance Studio, version 8.1.2.4 | Oracle Financial Services Compliance Studio
Oracle Financial Services Crime and Compliance Management Studio, version 8.0.8.3.5 | Oracle Financial Services Crime and Compliance Management Studio
Oracle Financial Services Currency Transaction Reporting, versions 8.0.8.1.0, 8.1.1.1.0, 8.1.2.3.0, 8.1.2.4.1 | Oracle Financial Services Currency Transaction Reporting
Oracle Financial Services Data Governance for US Regulatory Reporting, versions 8.1.2.0, 8.1.2.1 | Oracle Financial Services Data Governance for US Regulatory Reporting
Oracle Financial Services Data Integration Hub, versions 8.0.7.3.1, 8.1.0.1.4, 8.1.2.2.1 | Oracle Financial Services Data Integration Hub
Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management, versions 8.0.7.3.1, 8.0.8.3.1 | Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management
Oracle Financial Services Enterprise Case Management, versions 8.0.8.2, 8.1.1.1, 8.1.2.3, 8.1.2.4 | Oracle Financial Services Enterprise Case Management
Oracle Financial Services Enterprise Financial Performance Analytics, version 8.0.7.8.1 | Oracle Financial Services Enterprise Financial Performance Analytics
Oracle Financial Services Funds Transfer Pricing, version 8.0.7.8.1 | Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Institutional Performance Analytics, version 8.0.7.8.1 | Oracle Financial Services Institutional Performance Analytics
Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7.3.1, 8.0.8.3.1 | Oracle Financial Services Liquidity Risk Measurement and Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.7.8.1, 8.0.8.2.1 | Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Model Management and Governance, versions 8.1.0.0, 8.1.2.0 | Oracle Financial Services Model Management and Governance
Oracle Financial Services Profitability Management, version 8.0.7.8.1 | Oracle Financial Services Profitability Management
Oracle Financial Services Regulatory Reporting, versions 8.0.8.1, 8.1.1.1, 8.1.2.3, 8.1.2.4 | Oracle Financial Services Regulatory Reporting
Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.1.1.2.0 | Oracle Financial Services Regulatory Reporting with AgileREPORTER
Oracle Financial Services Retail Performance Analytics, version 8.0.7.8.1 | Oracle Financial Services Retail Performance Analytics
Oracle Financial Services Revenue Management and Billing, versions 2.7, 2.7.1, 2.8, 2.9, 2.9.1, 3.0, 3.1, 3.2, 4.0 | Oracle Financial Services Revenue Management and Billing
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8.0.0 | Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition
Oracle FLEXCUBE Core Banking, versions 11.6, 11.7, 11.8, 11.10, 11.11 | Contact Support
Oracle FLEXCUBE Universal Banking, versions 14.0-14.3, 14.5-14.7 | Contact Support
Oracle GoldenGate, versions prior to 19.1.0.0.230418, prior to 21.10.0.0.0 | Database
Oracle GoldenGate Studio, version [Fusion Middleware] 12.2.1.4.0 | Database
Oracle GraalVM Enterprise Edition, versions 20.3.8, 20.3.9, 21.3.4, 21.3.5, 22.3.0, 22.3.1 | Java SE
Oracle Graph Server and Client, versions prior to 23.1.0, prior to 23.2.0 | Database
Oracle Health Sciences InForm, versions prior to 6.3.1.3, prior to 7.0.0.1 | Health Sciences
Oracle Healthcare Foundation, versions 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.2.2 | HealthCare Applications
Oracle Healthcare Master Person Index, versions 5.0.0-5.0.4 | HealthCare Applications
Oracle Healthcare Translational Research, versions 4.1.0, 4.1.1 | HealthCare Applications
Oracle Hospitality OPERA 5 Property Services, version 5.6 | Oracle Hospitality OPERA 5 Property Services
Oracle HTTP Server, version 12.2.1.4.0 | Fusion Middleware
Oracle Hyperion Financial Reporting, version 11.2.12 | Oracle Enterprise Performance Management
Oracle Hyperion Infrastructure Technology, version 11.2.12 | Oracle Enterprise Performance Management
Oracle Identity Manager, version 12.2.1.4.0 | Fusion Middleware
Oracle iLearning, version 6.3.1 | iLearning
Oracle Insurance Policy Administration Operational Data Store for Life and Annuity, version 1.0.1.8 | Oracle Insurance Applications
Oracle Java SE, versions 8u361, 8u361-perf, 11.0.18, 17.0.6, 20 | Java SE
Oracle JDeveloper, version 12.2.1.4.0 | Fusion Middleware
Oracle Managed File Transfer, version 12.2.1.4.0 | Fusion Middleware
Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0 | Fusion Middleware
Oracle NoSQL Database, versions prior to 19.5.32 | NoSQL Database
Oracle Outside In Technology, version 8.5.6 | Fusion Middleware
Oracle REST Data Services, versions prior to 23.1.0 | Database
Oracle Retail Customer Management and Segmentation Foundation, versions 18.0.0.12, 19.0.0.6 | Retail Applications
Oracle Retail Fiscal Management, version 14.2 | Retail Applications
Oracle Retail Invoice Matching, versions 15.0.3, 16.0.3 | Retail Applications
Oracle Retail Merchandising System, versions 15.0.3.1, 16.0.2, 16.0.3 | Retail Applications
Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3 | Retail Applications
Oracle Retail Price Management, versions 14.1.3.2, 15.0.3.1, 16.0.3 | Retail Applications
Oracle Retail Sales Audit, version 15.0.3.1 | Retail Applications
Oracle Retail Xstore Office Cloud Service, versions 18.0.5, 19.0.4, 20.0.3, 21.0.2 | Retail Applications
Oracle Retail Xstore Point of Service, versions 17.0.6, 18.0.5, 19.0.4, 20.0.3, 21.0.2 | Retail Applications
Oracle SD-WAN Aware, version 9.0.1.6.0 | Oracle SD-WAN Aware
Oracle SD-WAN Edge, versions 9.1.1.3.0, 9.1.1.4.0 | Oracle SD-WAN Edge
Oracle SOA Suite, version 12.2.1.4.0 | Fusion Middleware
Oracle Solaris, versions 10, 11 | Systems
Oracle SQL Developer, versions prior to 22.4.0, prior to 23.1.0 | Database
Oracle TimesTen In-Memory Database, versions prior to 22.1.1.7.0 | Database
Oracle Utilities Application Framework, versions 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0 | Oracle Utilities Applications
Oracle Utilities Network Management System, versions 2.3.0.2, 2.4.0.1, 2.5.0.0, 2.5.0.1, 2.5.0.2 | Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 6.1.44, prior to 7.0.8 | Virtualization
Oracle WebCenter Portal, version 12.2.1.4.0 | Fusion Middleware
Oracle WebCenter Sites, version 12.2.1.4.0 | Fusion Middleware
Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
PeopleSoft Enterprise HCM Human Resources, version 9.2 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59, 8.60 | PeopleSoft
Primavera P6 Enterprise Project Portfolio Management, versions 18.8.0-18.8.26, 19.12.0-19.12.21, 20.12.0-20.12.18, 21.12.0-21.12.12, 22.12.0-22.12.3 | Oracle Construction and Engineering Suite
Primavera Unifier, versions 18.8.0-18.8.18, 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.14, 22.12.0-22.12.3 | Oracle Construction and Engineering Suite
Siebel Applications, versions 21.10 and prior, 22.10 and prior, 23.3 and prior | Siebel

WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 Fusion Middleware
PeopleSoft Enterprise HCM Human Resources, version 9.2 PeopleSoft PeopleSoft
Enterprise PeopleTools, versions 8.58, 8.59, 8.60 PeopleSoft Primavera P6
Enterprise Project Portfolio Management, versions 18.8.0-18.8.26,
19.12.0-19.12.21, 20.12.0-20.12.18, 21.12.0-21.12.12, 22.12.0-22.12.3 Oracle
Construction and Engineering Suite Primavera Unifier, versions 18.8.0-18.8.18,
19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.14, 22.12.0-22.12.3 Oracle
Construction and Engineering Suite Siebel Applications, versions 21.10 and
prior, 22.10 and prior, 23.3 and prior Siebel

NOTE:

 * Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle
   customers should refer to the Oracle and Sun Systems Product Suite Critical
   Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for
   information on minimum revisions of security patches required to resolve
   ZFSSA issues published in Critical Patch Updates and Solaris Third Party
   Bulletins.
 * Solaris Third Party Bulletins are used to announce security patches for third
   party software distributed with Oracle Solaris. Solaris 10 customers should
   refer to the latest patch-sets which contain critical security patches
   detailed in Systems Patch Availability Document. Please see Reference Index
   of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more
   information.
 * Users running Java SE with a browser can download the latest release from
   https://java.com. Users on the Windows and Mac OS X platforms can also use
   automatic updates to get the latest release.


RISK MATRIX CONTENT

Risk matrices list only security vulnerabilities that are newly addressed by the
patches associated with this advisory. Risk matrices for previous security
patches can be found in previous Critical Patch Update advisories and Alerts. An
English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple
products. Each vulnerability is identified by a CVE ID. A vulnerability that
affects multiple products will appear with the same CVE ID in all risk matrices.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS
Scoring for an explanation of how Oracle applies CVSS version 3.1).
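The advisory links Oracle's CVSS explanation but does not show how the per-column values in each risk matrix (Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability) combine into the Base Score column. The following is an added example, not Oracle's code: it implements the CVSS v3.1 base-score formula from the FIRST specification and checks it against rows copied from this advisory's Oracle Database Server and Oracle SQL Developer risk matrices. The helper names (`base_score`, `vector_string`, `check_rows`) are this example's own.

```python
"""CVSS v3.1 base-score calculator checked against rows of this advisory.

Added example; not Oracle's code. Weights and formula follow the CVSS v3.1
specification. ADVISORY_ROWS is copied from the risk matrices in this CPU.
"""
import math

# Metric weights from the CVSS v3.1 specification (section 7.4).
AV = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.2}
AC = {"Low": 0.77, "High": 0.44}
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}
# Privileges Required weighs more when Scope is Changed.
PR = {
    "Unchanged": {"None": 0.85, "Low": 0.62, "High": 0.27},
    "Changed": {"None": 0.85, "Low": 0.68, "High": 0.5},
}


def roundup(x: float) -> float:
    """Roundup as defined in CVSS v3.1 appendix A (integer arithmetic
    avoids floating-point artefacts at the tenth boundary)."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a) -> float:
    """Compute the CVSS v3.1 base score from the matrix column values."""
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if scope == "Unchanged":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * AV[av] * AC[ac] * PR[scope][pr] * UI[ui]
    if impact <= 0:
        return 0.0  # no impact means score 0 regardless of exploitability
    if scope == "Unchanged":
        return roundup(min(impact + exploitability, 10))
    return roundup(min(1.08 * (impact + exploitability), 10))


def vector_string(av, ac, pr, ui, scope, c, i, a) -> str:
    """Render the standard CVSS:3.1 vector string for the same inputs."""
    short = {"Network": "N", "Adjacent": "A", "Local": "L", "Physical": "P",
             "Low": "L", "High": "H", "None": "N", "Required": "R",
             "Unchanged": "U", "Changed": "C"}
    return "CVSS:3.1/AV:%s/AC:%s/PR:%s/UI:%s/S:%s/C:%s/I:%s/A:%s" % tuple(
        short[v] for v in (av, ac, pr, ui, scope, c, i, a))


# (CVE ID, published Base Score, metrics) copied from this advisory's matrices.
ADVISORY_ROWS = [
    ("CVE-2023-21934", 6.8, ("Network", "High", "Low", "None", "Unchanged", "High", "High", "None")),
    ("CVE-2023-21918", 6.8, ("Network", "Low", "High", "None", "Changed", "None", "None", "High")),
    ("CVE-2023-24998", 6.5, ("Network", "Low", "Low", "None", "Unchanged", "None", "None", "High")),
    ("CVE-2022-45061", 4.3, ("Network", "Low", "Low", "None", "Unchanged", "None", "None", "Low")),
    ("CVE-2023-21969", 6.7, ("Local", "Low", "High", "None", "Unchanged", "High", "High", "High")),
    ("CVE-2022-42003", 5.9, ("Network", "High", "None", "None", "Unchanged", "None", "None", "High")),
]


def check_rows(rows=ADVISORY_ROWS):
    """Return (cve, published, recomputed) for rows whose score disagrees."""
    return [(cve, published, base_score(*m)) for cve, published, m in rows
            if base_score(*m) != published]


if __name__ == "__main__":
    for cve, published, metrics in ADVISORY_ROWS:
        print(cve, vector_string(*metrics), "published", published,
              "recomputed", base_score(*metrics))
    print("mismatches:", check_rows())
```

Recomputing the score is a useful sanity check when a matrix is copied into an internal tracker, and the vector string is what most vulnerability scanners and ticketing systems expect instead of the column layout used here. Note that CVE-2023-21918 is the only row with Scope Changed, which is why its Privileges Required weight and the 1.08 multiplier apply.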

Oracle conducts an analysis of each security vulnerability addressed by a
Critical Patch Update. Oracle does not disclose detailed information about this
security analysis to customers, but the resulting Risk Matrix and associated
documentation provide information about the type of vulnerability, the
conditions required to exploit it, and the potential impact of a successful
exploit. Oracle provides this information, in part, so that customers may
conduct their own risk analysis based on the particulars of their product usage.
For more information, see Oracle vulnerability disclosure policies.

Oracle lists updates that address vulnerabilities in third-party components that
are not exploitable in the context of their inclusion in their respective Oracle
product beneath the product's risk matrix.

The protocol in the risk matrix implies that all of its secure variants (if
applicable) are affected as well. For example, if HTTP is listed as an affected
protocol, it implies that HTTPS (if applicable) is also affected. The secure
variant of a protocol is listed in the risk matrix only if it is the only
variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL
and TLS.


WORKAROUNDS

Due to the threat posed by a successful attack, Oracle strongly recommends that
customers apply Critical Patch Update security patches as soon as possible.
Until you apply the Critical Patch Update patches, it may be possible to reduce
the risk of successful attack by blocking network protocols required by an
attack. For attacks that require certain privileges or access to certain
packages, removing the privileges or the ability to access the packages from
users that do not need the privileges may help reduce the risk of successful
attack. Both approaches may break application functionality, so Oracle strongly
recommends that customers test changes on non-production systems. Neither
approach should be considered a long-term solution as neither corrects the
underlying problem.


SKIPPED CRITICAL PATCH UPDATES

Oracle strongly recommends that customers apply security patches as soon as
possible. For customers that have skipped one or more Critical Patch Updates and
are concerned about products that do not have security patches announced in this
Critical Patch Update, please review previous Critical Patch Update advisories
to determine appropriate actions.


CRITICAL PATCH UPDATE SUPPORTED PRODUCTS AND VERSIONS

Patches released through the Critical Patch Update program are provided only for
product versions that are covered under the Premier Support or Extended Support
phases of the Lifetime Support Policy. Oracle recommends that customers plan
product upgrades to ensure that patches released through the Critical Patch
Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not
tested for the presence of vulnerabilities addressed by this Critical Patch
Update. However, it is likely that earlier versions of affected releases are
also affected by these vulnerabilities. As a result, Oracle recommends that
customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched
in accordance with the Software Error Correction Support Policy explained in My
Oracle Support Note 209768.1. Please review the Technical Support Policies for
further guidelines regarding support policies and phases of support.


CREDIT STATEMENT

The following people or organizations reported security vulnerabilities
addressed by this Critical Patch Update to Oracle:

 * 0xrumbe, zd of ThreatBook Labs: CVE-2023-21931
 * 4ra1n of Chaitin Tech: CVE-2023-21931, CVE-2023-21960, CVE-2023-21964
 * Adam Reziouk of Airbus Cyber Vulnerabilities Service: CVE-2023-21968
 * Adam Willard: CVE-2023-21909
 * ADLab of Venustech: CVE-2023-21931, CVE-2023-21979
 * Alex Rubin of Amazon Web Services IT Security: CVE-2023-21980
 * AnhNH of Sacombank: CVE-2023-21952, CVE-2023-21965
 * Aobo Wang of Chaitin Security Research Lab: CVE-2023-21998
 * aw0yo of Cyber KunLun: CVE-2023-21979
 * BeichenDream: CVE-2023-21939
 * Ben Smyth: CVE-2023-21930
 * Bien Pham of Qrious Security working with Trend Micro's Zero Day Initiative:
   CVE-2023-21987, CVE-2023-21991
 * bluE0: CVE-2023-21931
 * c0ny1: CVE-2023-21939
 * ChauUHM of Sacombank: CVE-2023-21952, CVE-2023-21965
 * CSOC-FTEL: CVE-2023-21906, CVE-2023-21915
 * Dan Urson of Amazon Web Services IT Security: CVE-2023-21980
 * Dungdm (piers2) of Viettel Cyber Security working with Trend Micro's Zero Day
   Initiative: CVE-2023-21989, CVE-2023-21990
 * Emad Al-Mousa of Saudi Aramco: CVE-2023-21918, CVE-2023-21969
 * Jean-Michel Huguet from NATO Cyber Security Centre (NCSC): CVE-2023-21985
 * Jerome Nokin from NATO Cyber Security Centre (NCSC): CVE-2023-21985
 * Jie Liang of WingTecher Lab of Tsinghua University: CVE-2023-21913
 * Jingzhou Fu of WingTecher Lab of Tsinghua University: CVE-2023-21913
 * Jonathan Looney of Netflix: CVE-2023-21967
 * Khanh Nguyen: CVE-2023-21902
 * Khanh Nguyen Duy Quoc: CVE-2023-21970
 * Kun Yang of Chaitin Security Research Lab: CVE-2023-21998
 * Lai Han: CVE-2023-21931, CVE-2023-21979
 * Liboheng of Tophant Starlight laboratory: CVE-2023-21931, CVE-2023-21979
 * Linrong Cao of Noah-Lab of 360: CVE-2023-21912
 * Lu Yu of Chaitin Security Research Lab: CVE-2023-21999, CVE-2023-22000
 * Luo Likang of NSFOCUS TIANJI Lab: CVE-2023-22001
 * Martin Rakhmanov of Amazon Web Services IT Security: CVE-2023-21980
 * Nguyen Binh Minh of CSOC-FTEL: CVE-2023-21903, CVE-2023-21904, CVE-2023-21905
 * Nguyen Binh Yen of CSOC-FTEL: CVE-2023-21907, CVE-2023-21908
 * P1ay2win of Qianxin Wuji Lab: CVE-2023-21931
 * Ramki Ramakrishna of Amazon: CVE-2023-21954
 * Richard A. Chaaya (RAC): CVE-2023-22002
 * Roman Wagner of Code Intelligence: CVE-2023-21971
 * Sharique Raza: CVE-2023-21978
 * Shubham Shah, Sean Yeoh, Jason Haddix, Brendan Scarvell: CVE-2023-21932
 * sw0rd1ight: CVE-2023-21964
 * thiscodecc of MoyunSec TopBreaker Labs and Bing of MoyunSec: CVE-2023-21931
 * Thomas Bouzerar (MajorTomSec) from Synacktiv: CVE-2023-21987, CVE-2023-21988
 * tr1ple (AntGroup FG): CVE-2023-21931
 * TungHT of Sacombank: CVE-2023-21952, CVE-2023-21965
 * Wang Ke of Zhejiang University: CVE-2023-21917
 * X1r0z: CVE-2023-21931
 * Y4tacker: CVE-2023-21960
 * Yu Wang of BMH Security Team: CVE-2023-21931
 * Zhangyi Chen of Noah-Lab of 360: CVE-2023-21912
 * Zhiyong Wu of WingTecher Lab of Tsinghua University: CVE-2023-21913
 * Zu-Ming Jiang: CVE-2023-21935

SECURITY-IN-DEPTH CONTRIBUTORS

Oracle acknowledges people who have contributed to our Security-In-Depth program
(see FAQ). People are acknowledged for Security-In-Depth contributions if they
provide information, observations or suggestions pertaining to security
vulnerability issues that result in significant modification of Oracle code or
documentation in future releases, but are not of such a critical nature that
they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions
to Oracle's Security-In-Depth program:

 * 4ra1n of Chaitin Tech
 * Adam Reziouk of Airbus Cyber Vulnerabilities Service
 * BeichenDream
 * Evgeny Astigeevich of Amazon Development Centre (London) Ltd
 * Okeen Armua
 * Philippe Antoine of Telecom Nancy
 * PJ Fanning

ON-LINE PRESENCE SECURITY CONTRIBUTORS

Oracle acknowledges people who have contributed to our On-Line Presence Security
program (see FAQ). People are acknowledged for contributions relating to
Oracle's on-line presence if they provide information, observations or
suggestions pertaining to security-related issues that result in significant
modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's
On-Line Presence Security program:

 * Ahmed Ramzy
 * Arras Aniss
 * Ayansh Sinha (CyberDad)
 * Dema Alsaif
 * Dinesh Kumar (dhina016)
 * Hannu Forsten [3 reports]
 * Ishan Vyas
 * Ivan Andres Valdivieso Castillo
 * Jaspreet Singh
 * Kieran Foley
 * Krishna Chaitanya Velicheti
 * Pim Dieleman of Cadran Consultancy B.V.
 * Qualcomm Cyber SOC
 * Rens of Rsecure
 * Sanket Sherkhane
 * Seth Duda of SquareWorks Consulting


CRITICAL PATCH UPDATE SCHEDULE

Critical Patch Updates are released on the third Tuesday of January, April,
July, and October. The next four dates are:

 * 18 July 2023
 * 17 October 2023
 * 16 January 2024
 * 16 April 2024


REFERENCES

 * Oracle Critical Patch Updates, Security Alerts and Bulletins
 * Critical Patch Update - April 2023 Documentation Map
 * Oracle Critical Patch Updates and Security Alerts - Frequently Asked
   Questions
 * Risk Matrix Definitions
 * Use of Common Vulnerability Scoring System (CVSS) by Oracle
 * English text version of the risk matrices
 * CVRF XML version of the risk matrices
 * CSAF JSON version of the risk matrices
 * Map of CVE to Advisory/Alert
 * Oracle Lifetime Support Policy
 * JEP 290 Reference Blocklist Filter

 


MODIFICATION HISTORY

Date | Note
2023-April-25 | Rev 2. Updated Protocol for WebLogic and Credit updates.
2023-April-18 | Rev 1. Initial Release.

ORACLE DATABASE PRODUCTS RISK MATRICES

This Critical Patch Update contains 23 new security patches for Oracle Database
Products divided as follows:

 * 5 new security patches for Oracle Database Products
 * No new security patches for Oracle Big Data Spatial and Graph, but third
   party patches are provided
 * 7 new security patches for Oracle Blockchain Platform
 * 4 new security patches for Oracle Essbase
 * 2 new security patches for Oracle GoldenGate
 * 1 new security patch for Oracle Graph Server and Client
 * 1 new security patch for Oracle NoSQL Database
 * 1 new security patch for Oracle REST Data Services
 * 2 new security patches for Oracle SQL Developer
 * No new security patches for Oracle TimesTen In-Memory Database, but third
   party patches are provided

ORACLE DATABASE SERVER RISK MATRIX

This Critical Patch Update contains 5 new security patches, plus additional
third party patches noted below, for Oracle Database Products.  None of these
vulnerabilities may be remotely exploitable without authentication, i.e., none
may be exploited over a network without requiring user credentials.  None of
these patches are applicable to client-only installations, i.e., installations
that do not have the Oracle Database Server installed. The English text form of
this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2023-21934 | Java VM | User Account | TLS | No | 6.8 | Network | High | Low | None | Unchanged | High | High | None | 19c, 21c
CVE-2023-21918 | Oracle Database Recovery Manager | Local SYSDBA | Oracle Net | No | 6.8 | Network | Low | High | None | Changed | None | None | High | 19c, 21c
CVE-2023-24998 | Oracle Database Workload Manager (Apache Commons FileUpload) | Authenticated User | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 21c
CVE-2023-24998 | Spatial and Graph (Apache Commons Fileupload) | Authenticated User | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 19c, 21c
CVE-2022-45061 | Oracle Database OML4PY (Python) | Authenticated User | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 21c

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-45061 also addresses CVE-2022-37454 and
   CVE-2022-42919.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

 * Oracle Database (Apache Tomcat): CVE-2022-45143.
 * Oracle SQLcl (SnakeYAML): CVE-2022-1471.


 

ORACLE BIG DATA SPATIAL AND GRAPH RISK MATRIX

This Critical Patch Update contains no new security patches for exploitable
vulnerabilities but does include third party patches, noted below, for the
following non-exploitable 3rd party CVEs for Oracle Big Data Spatial and Graph. 
Please refer to previous Critical Patch Update Advisories if the last Critical
Patch Update was not applied for Oracle Big Data Spatial and Graph.  The English
text form of this Risk Matrix can be found here.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

 * Oracle Big Data Spatial and Graph
   * Big Data Graph (Apache Tomcat): CVE-2022-45143.


 

ORACLE BLOCKCHAIN PLATFORM RISK MATRIX

This Critical Patch Update contains 7 new security patches, plus additional
third party patches noted below, for Oracle Blockchain Platform.  5 of these
vulnerabilities may be remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user credentials.  The English text
form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2021-23017 | Oracle Blockchain Platform | BCS Console (nginx) | UDP | Yes | 7.7 | Network | High | None | None | Unchanged | High | High | Low | Prior to 21.1.3
CVE-2022-28327 | Oracle Blockchain Platform | BCS Console (Golang Go) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 21.1.3
CVE-2022-25647 | Oracle Blockchain Platform | BCS Console (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 21.1.3
CVE-2020-35169 | Oracle Blockchain Platform | BCS Console (Dell BSAFE Micro Edition Suite) | Oracle Net | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | Prior to 21.1.3
CVE-2022-32215 | Oracle Blockchain Platform | BCS Console (Node.js) | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | Prior to 21.1.3
CVE-2020-36518 | Oracle Blockchain Platform | BCS Console (jackson-databind) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | Prior to 21.1.3
CVE-2021-36090 | Oracle Blockchain Platform | BCS Console (Apache Commons Compress) | HTTP | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | Prior to 21.1.3

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2020-35169 also addresses CVE-2020-29504, CVE-2020-29506,
   CVE-2020-29507, CVE-2020-29508, CVE-2020-35163, CVE-2020-35164,
   CVE-2020-35165, CVE-2020-35166, CVE-2020-35167, CVE-2020-35168, and
   CVE-2021-21575.
 * The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516,
   and CVE-2021-35517.
 * The patch for CVE-2022-28327 also addresses CVE-2022-24675.
 * The patch for CVE-2022-32215 also addresses CVE-2022-32212, CVE-2022-32213,
   and CVE-2022-32222.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

 * Oracle Blockchain Platform
   * BCS Console (JSON Schema): CVE-2021-3918.
   * BCS Backend (Eclipse Jersey): CVE-2021-28168.
   * BCS Console (Apache Commons Text): CVE-2022-42889.
   * BCS Console (Apache Kafka): CVE-2022-34917.
   * BCS Console (Apache ZooKeeper): CVE-2020-7712.
   * BCS Console (Eclipse Jetty): CVE-2022-2048, CVE-2022-2047, and
     CVE-2022-2191.
   * BCS Console (FreeType): CVE-2022-27404, CVE-2022-27405, and CVE-2022-27406.
   * BCS Console (Google Protobuf-Java): CVE-2022-3171.
   * BCS Console (H2 Database): CVE-2022-23221.
   * BCS Console (LibExpat): CVE-2022-25315, CVE-2022-25235, CVE-2022-25236,
     CVE-2022-25313, and CVE-2022-25314.
   * BCS Console (Lodash): CVE-2021-23337 and CVE-2020-28500.
   * BCS Console (Moment.js): CVE-2022-31129.
   * BCS Console (Netty): CVE-2022-41881, CVE-2022-24823, and CVE-2022-41915.
   * BCS Console (Python): CVE-2021-29921, CVE-2018-25032, and CVE-2020-10735.
   * BCS Console (SnakeYAML): CVE-2022-38752, CVE-2022-25857, CVE-2022-38749,
     CVE-2022-38750, and CVE-2022-38751.
   * BCS Console (cURL): CVE-2022-27782, CVE-2022-27778, CVE-2022-27779,
     CVE-2022-27780, CVE-2022-27781, and CVE-2022-30115.
   * BCS Console (glibc): CVE-2022-23219, CVE-2021-38604, CVE-2021-43396, and
     CVE-2022-23218.
   * BCS Console (jQueryUI): CVE-2021-41184, CVE-2021-41182, and CVE-2021-41183.
   * BCS Console (libgcrypt): CVE-2021-40528 and CVE-2021-33560.
   * BCS Console (libxml2): CVE-2022-40304, CVE-2019-20388, CVE-2020-24977,
     CVE-2020-7595, CVE-2021-3517, CVE-2021-3518, CVE-2021-3537, CVE-2022-23308,
     CVE-2022-29824, and CVE-2022-40303.


 

ORACLE ESSBASE RISK MATRIX

This Critical Patch Update contains 4 new security patches, plus additional
third party patches noted below, for Oracle Essbase.  All of these
vulnerabilities may be remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user credentials.  The English text
form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2023-0215 | Oracle Essbase | Build (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 21.4
CVE-2023-21942 | Oracle Essbase | Security and Provisioning | HTTP | Yes | 5.3 | Network | High | None | Required | Unchanged | High | None | None | 21.4
CVE-2023-21943 | Oracle Essbase | Security and Provisioning | HTTP | Yes | 5.3 | Network | High | None | Required | Unchanged | High | None | None | 21.4
CVE-2023-21944 | Oracle Essbase | Security and Provisioning | HTTP | Yes | 5.3 | Network | High | None | Required | Unchanged | High | None | None | 21.4

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2023-0215 also addresses CVE-2022-4304, CVE-2022-4450, and
   CVE-2023-0286.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

 * Oracle Essbase
   * Build (Apache Calcite): CVE-2022-39135.
   * Essbase Web Platform (Apache CXF): CVE-2022-46364.
   * Essbase Web Platform (cURL): CVE-2023-23916, CVE-2023-23914, and
     CVE-2023-23915.


 

ORACLE GOLDENGATE RISK MATRIX

This Critical Patch Update contains 2 new security patches, plus additional
third party patches noted below, for Oracle GoldenGate.  1 of these
vulnerabilities may be remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user credentials.  The English text
form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2022-23457 | Oracle GoldenGate Studio | GoldenGate Studio (Enterprise Security API) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Fusion Middleware: 12.2.1.4.0
CVE-2022-42003 | Oracle GoldenGate | Oracle GoldenGate (jackson-databind) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | Prior to 19.1.0.0.230418, Prior to 21.10.0.0.0

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-23457 also addresses CVE-2022-24891.
 * The patch for CVE-2022-42003 also addresses CVE-2022-42004.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

 * Oracle GoldenGate
   * Oracle GoldenGate (Apache Mina SSHD): CVE-2022-45047.


 

ORACLE GRAPH SERVER AND CLIENT RISK MATRIX

This Critical Patch Update contains 1 new security patch, plus additional third
party patches noted below, for Oracle Graph Server and Client.  This
vulnerability is not remotely exploitable without authentication, i.e., may not
be exploited over a network without requiring user credentials.  The English
text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2022-42003 | Oracle Graph Server and Client | Packaging (jackson-databind) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | Prior to 23.1.0

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-42003 also addresses CVE-2022-42004.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

 * Oracle Graph Server and Client
   * PGX Java Client (Apache Commons Text): CVE-2022-42889.
   * Packaging (Apache Tomcat): CVE-2022-45143.


 

ORACLE NOSQL DATABASE RISK MATRIX

This Critical Patch Update contains 1 new security patch, plus additional third
party patches noted below, for Oracle NoSQL Database.  This vulnerability is not
remotely exploitable without authentication, i.e., may not be exploited over a
network without requiring user credentials.  The English text form of this Risk
Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2022-42003 | Oracle NoSQL Database | Administration (jackson-databind) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | Prior to 19.5.32

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-42003 also addresses CVE-2022-42004.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

 * Oracle NoSQL Database
   * Administration (Apache Mina SSHD): CVE-2022-45047.


 

ORACLE REST DATA SERVICES RISK MATRIX

This Critical Patch Update contains 1 new security patch for Oracle REST Data
Services.  This vulnerability is not remotely exploitable without
authentication, i.e., may not be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2023-24998 | Oracle REST Data Services | Oracle REST Data Services (Apache Commons FileUpload) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | Prior to 23.1.0

ORACLE SQL DEVELOPER RISK MATRIX

This Critical Patch Update contains 2 new security patches, plus additional
third party patches noted below, for Oracle SQL Developer.  1 of these
vulnerabilities may be remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user credentials.  The English text
form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-21969 | Oracle SQL Developer | Installation | Local Logon | No | 6.7 | Local | Low | High | None | Unchanged | High | High | High | Prior to 23.1.0 | |
| CVE-2022-42003 | Oracle SQL Developer | Infrastructure (jackson-databind) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | Prior to 23.1.0 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-42003 also addresses CVE-2022-42004.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

 * Oracle SQL Developer
   * General Infrastructure (Apache POI): CVE-2022-26336.
   * General Infrastructure (Apache Batik): CVE-2022-42890 and CVE-2022-41704.
   * Installation (Apache Commons Text): CVE-2022-42889.
   * Installation (Apache Kafka): CVE-2023-25194 and CVE-2022-34917.
   * Installation (Apache Mina SSHD): CVE-2022-45047.
   * Installation (SnakeYAML): CVE-2022-1471.

ORACLE TIMESTEN IN-MEMORY DATABASE RISK MATRIX

This Critical Patch Update contains no new security patches for exploitable
vulnerabilities but does include third-party patches, noted below, for the
following non-exploitable third-party CVEs for Oracle TimesTen In-Memory
Database. Please refer to previous Critical Patch Update Advisories if the last
Critical Patch Update was not applied for Oracle TimesTen In-Memory Database.
The English text form of this Risk Matrix can be found here.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

 * Oracle TimesTen In-Memory Database
   * Oracle TimesTen In-Memory Database (Go): CVE-2022-41715, CVE-2022-2879, and
     CVE-2022-2880.

ORACLE COMMERCE RISK MATRIX

This Critical Patch Update contains 6 new security patches for Oracle Commerce. 
All of these vulnerabilities may be remotely exploitable without authentication,
i.e., may be exploited over a network without requiring user credentials.  The
English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-42575 | Oracle Commerce Platform | Platform (OWASP Java HTML Sanitizer) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3.0, 11.3.1, 11.3.2 | |
| CVE-2022-40152 | Oracle Commerce Guided Search | Content Acquisition System (Apache CXF) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3.2 | |
| CVE-2022-45143 | Oracle Commerce Guided Search | Content Acquisition System, Workbench (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.3.2 | |
| CVE-2022-42003 | Oracle Commerce Guided Search | Content Acquisition System, Workbench (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3.2 | |
| CVE-2022-24729 | Oracle Commerce Guided Search | Workbench (CKEditor) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3.2 | |
| CVE-2022-23437 | Oracle Commerce Guided Search | Content Acquisition System, Workbench (Apache Xerces2 Java) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.3.2 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2021-42575 also addresses CVE-2022-22950.
 * The patch for CVE-2022-24729 also addresses CVE-2022-24728.
 * The patch for CVE-2022-42003 also addresses CVE-2022-42004.

ORACLE COMMUNICATIONS APPLICATIONS RISK MATRIX

This Critical Patch Update contains 18 new security patches, plus additional
third party patches noted below, for Oracle Communications Applications.  13 of
these vulnerabilities may be remotely exploitable without authentication, i.e.,
may be exploited over a network without requiring user credentials.  The English
text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-35168 | Oracle Communications IP Service Activator | Other (Dell BSAFE Micro Edition Suite) | Oracle Net | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.4.0, 7.5.0 | |
| CVE-2022-1471 | Oracle Communications Unified Assurance | Vision (SnakeYAML) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 5.5.0-5.5.10, 6.0.0-6.0.2 | |
| CVE-2022-1471 | Oracle Communications Unified Inventory Management | TMF APIs (SnakeYAML) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.4.1, 7.4.2, 7.5.0 | |
| CVE-2022-36760 | Oracle Communications Unified Assurance | Core (Apache HTTP Server) | HTTPS | Yes | 9.0 | Network | High | None | None | Changed | High | High | High | 5.5.0-5.5.10, 6.0.0-6.0.2 | |
| CVE-2020-7009 | Oracle Communications Unified Assurance | Core (Elasticsearch) | HTTPS | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 5.5.0-5.5.9, 6.0.0-6.0.1 | |
| CVE-2022-31123 | Oracle Communications Convergent Charging Controller | Common fns (Grafana) | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 12.0.4-12.0.6 | |
| CVE-2022-31123 | Oracle Communications Network Charging and Control | Common fns (Grafana) | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 12.0.4-12.0.6 | |
| CVE-2022-39271 | Oracle Communications Order and Service Management | Security (Traefik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.4.1 | |
| CVE-2022-42004 | Oracle Communications Unified Assurance | Core (Apache Kafka) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.5.0-5.5.10, 6.0.0-6.0.2 | |
| CVE-2022-3171 | Oracle Communications Unified Assurance | Core (Google Protobuf-Java) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.5.0-5.5.9, 6.0.0-6.0.1 | |
| CVE-2023-0662 | Oracle Communications Unified Assurance | Core (PHP) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.0.0-6.0.2 | |
| CVE-2019-11287 | Oracle Communications Unified Assurance | Core (Pivotal RabbitMQ) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.5.0-5.5.10, 6.0.0-6.0.2 | |
| CVE-2023-1370 | Oracle Communications Unified Assurance | Vision (json-smart) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.5.0-5.5.10, 6.0.0-6.0.2 | |
| CVE-2022-41966 | Oracle Communications Unified Inventory Management | Security Component (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.4.0, 7.4.1, 7.4.2, 7.5.0 | |
| CVE-2022-46908 | Oracle Communications Convergent Charging Controller | Common fns (SQLite) | None | No | 7.3 | Local | Low | Low | None | Unchanged | High | High | Low | 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0 | |
| CVE-2022-46908 | Oracle Communications Network Charging and Control | Common fns (SQLite) | None | No | 7.3 | Local | Low | Low | None | Unchanged | High | High | Low | 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0 | |
| CVE-2022-31081 | Oracle Communications Unified Assurance | Core (HTTP::Daemon) | HTTPS | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 5.5.0-5.5.10, 6.0.0-6.0.2 | |
| CVE-2021-41183 | Oracle Communications Unified Assurance | Vision (jQueryUI) | HTTPS | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.5.0-5.5.10, 6.0.0-6.0.2 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2020-35168 also addresses CVE-2020-29508, CVE-2020-35163,
   CVE-2020-35164, CVE-2020-35166, and CVE-2020-35167.
 * The patch for CVE-2021-41183 also addresses CVE-2021-41182, CVE-2021-41184,
   and CVE-2022-31160.
 * The patch for CVE-2022-31123 also addresses CVE-2022-31130, CVE-2022-39201,
   and CVE-2022-39229.
 * The patch for CVE-2022-36760 also addresses CVE-2022-37436.
 * The patch for CVE-2022-41966 also addresses CVE-2022-40151.
 * The patch for CVE-2022-42004 also addresses CVE-2021-37136, CVE-2021-37137,
   and CVE-2022-42003.
 * The patch for CVE-2023-0662 also addresses CVE-2023-0567 and CVE-2023-0568.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

 * Oracle Communications IP Service Activator
   * Other (zlib): CVE-2022-37434.
 * Oracle Communications Unified Assurance
   * Vision (Embedded JavaScript Templates): CVE-2022-29078.

ORACLE COMMUNICATIONS RISK MATRIX

This Critical Patch Update contains 77 new security patches for Oracle
Communications.  65 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 Risk metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-43401 | Oracle Communications Cloud Native Core Automated Test Suite | Installation (Jenkins Script Security) | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 22.3.1, 22.4.0 | |
| CVE-2022-43402 | Oracle Communications Cloud Native Core Automated Test Suite | Installation (Jenkins) | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 22.3.1, 22.4.0 | |
| CVE-2022-45047 | Management Cloud Engine | BEServer (Apache Mina SSHD) | SSH | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 22.1.0.0.0 | |
| CVE-2023-25613 | Oracle Communications Cloud Native Configuration Console | Configuration (Apache Kerby) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 22.4.1, 23.1.0 | |
| CVE-2022-47629 | Oracle Communications Cloud Native Configuration Console | Configuration (libksba) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 22.4.1 | |
| CVE-2022-45047 | Oracle Communications Cloud Native Core Automated Test Suite | Installation (Apache Mina SSHD) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 22.3.1, 22.4.0 | |
| CVE-2022-47629 | Oracle Communications Cloud Native Core Network Exposure Function | Oracle Linux (libksba) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 22.4.2 | |
| CVE-2022-47629 | Oracle Communications Cloud Native Core Policy | Policy (libksba) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 22.4.0-22.4.4, 23.1.0-23.1.1 | |
| CVE-2022-47629 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Configuration (libksba) | SSH | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 22.4.0 | |
| CVE-2022-47629 | Oracle Communications Cloud Native Core Unified Data Repository | Signaling (libksba) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 22.4.1, 23.1.0 | |
| CVE-2022-46364 | Oracle Communications Diameter Signaling Router | Virtual Network Function Manager (Apache CXF) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.6.0.0 | |
| CVE-2022-25315 | Oracle Communications Diameter Signaling Router | Platform (LibExpat) | XMPP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.6.0.0 | |
| CVE-2023-25690 | Oracle Communications Element Manager | FEServer (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0.0, 9.0.1 | |
| CVE-2022-46364 | Oracle Communications Element Manager | SOAP (Apache CXF) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0.0, 9.0.1 | |
| CVE-2022-31692 | Oracle Communications Element Manager | Authentication (Spring Security) | LDAP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0.0, 9.0.1 | |
| CVE-2022-45047 | Oracle Communications Element Manager | BEServer (Apache Mina SSHD) | SSH | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0.0, 9.0.1 | |
| CVE-2022-37434 | Oracle Communications Operations Monitor | Mediation Engine (glibc) | TCP/IP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 5.0 | |
| CVE-2022-37434 | Oracle Communications Policy Management | Core (zlib) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.6.0.0.0 | |
| CVE-2023-25690 | Oracle Communications Session Report Manager | FEServer (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0.0, 9.0.1 | |
| CVE-2022-46364 | Oracle Communications Session Report Manager | SOAP (Apache CXF) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0.0, 9.0.1 | |
| CVE-2022-31692 | Oracle Communications Session Report Manager | Authentication (Spring Security) | LDAP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0.0, 9.0.1 | |
| CVE-2022-45047 | Oracle Communications Session Report Manager | BEServer (Apache Mina SSHD) | SSH | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0.0, 9.0.1 | |
| CVE-2022-1471 | Oracle SD-WAN Edge | Core (SnakeYAML) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.1.1.4.0 | |
| CVE-2022-31692 | Oracle SD-WAN Edge | Internal tools (Spring Security) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.1.1.4.0 | |
| CVE-2022-1292 | Oracle SD-WAN Edge | Management (OpenSSL) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.1.1.3.0 | |
| CVE-2022-37865 | Oracle Communications Cloud Native Core Automated Test Suite | Installation (Apache Ivy) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | None | High | High | 22.3.1, 22.4.0 | |
| CVE-2021-46848 | Oracle Communications Cloud Native Core Policy | Policy (GNU Libtasn1) | HTTPS | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 22.4.0-22.4.4, 23.1.0-23.1.1 | |
| CVE-2022-42898 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Installation and Configuration (Kerberos) | Kerberos | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 23.1.0, 22.4.1 | |
| CVE-2022-28199 | Oracle Communications Session Border Controller | Third Party (Dpdk) | TCP/IP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | Low | High | 9.0, 9.1 | |
| CVE-2022-40304 | Oracle Communications Cloud Native Core Binding Support Function | Install/Upgrade (libxml2) | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 22.4.0-22.4.4, 23.1.0, 23.1.1 | |
| CVE-2022-40304 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | Configuration (libxml2) | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 22.4.0 | |
| CVE-2022-31123 | Oracle Communications Policy Management | Core (Grafana) | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 12.6.0.0.0 | |
| CVE-2022-42252 | Management Cloud Engine | BEServer (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 22.1.0.0.0 | |
| CVE-2023-23916 | Oracle Communications Cloud Native Configuration Console | Configuration (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.4.1, 23.1.0 | |
| CVE-2022-23491 | Oracle Communications Cloud Native Core Automated Test Suite | Installation (Certifi) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 22.3.1, 22.4.0 | |
| CVE-2022-40151 | Oracle Communications Cloud Native Core Binding Support Function | Install/Upgrade (XStream) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.4.0-22.4.4, 23.1.0-23.1.1 | |
| CVE-2022-45143 | Oracle Communications Cloud Native Core Binding Support Function | Policy (Apache Tomcat) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 22.4.0-22.4.4, 23.1.0-23.1.1 | |
| CVE-2022-41881 | Oracle Communications Cloud Native Core Binding Support Function | Policy (Netty) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.4.0-22.4.4, 23.1.0-23.1.1 | |
| CVE-2022-41966 | Oracle Communications Cloud Native Core Binding Support Function | Policy (XStream) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.4.0-22.4.4, 23.1.0-23.1.1 | |
| CVE-2022-41966 | Oracle Communications Cloud Native Core Console | Configuration (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.4.0, 22.3.0 | |
| CVE-2023-23916 | Oracle Communications Cloud Native Core Network Exposure Function | Oracle Linux (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.4.2, 23.1.0 | |
| CVE-2023-24998 | Oracle Communications Cloud Native Core Network Exposure Function | Platform (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.4.2, 23.1.0 | |
| CVE-2023-0361 | Oracle Communications Cloud Native Core Network Repository Function | Installer (GnuTLS) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 23.1.0 | |
| CVE-2022-35737 | Oracle Communications Cloud Native Core Policy | Policy (SQLite) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.4.0-22.4.4, 23.1.0-23.1.1 | |
| CVE-2023-25577 | Oracle Communications Cloud Native Core Policy | Policy (Werkzeug) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.4.0-22.4.4, 23.1.0-23.1.1 | |
| CVE-2023-23916 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Configuration (cURL) | SSH | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.1.0, 22.4.2 | |
| CVE-2023-24998 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Configuration (Apache Commons FileUpload) | TCP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.1.0, 22.4.1 | |
| CVE-2022-42003 | Oracle Communications Cloud Native Core Service Communication Proxy | Install/Upgrade (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.3.0 | |
| CVE-2023-23916 | Oracle Communications Cloud Native Core Unified Data Repository | Signaling (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.4.1 | |
| CVE-2022-45143 | Oracle Communications Diameter Signaling Router | Platform (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 8.6.0.0 | |
| CVE-2023-24998 | Oracle Communications Element Manager | BEServer (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.0.0, 9.0.1 | |
| CVE-2022-45143 | Oracle Communications Element Manager | BEServer (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 9.0.0, 9.0.1 | |
| CVE-2022-42003 | Oracle Communications Element Manager | BEServer (jackson-databind) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.0.0, 9.0.1 | |
| CVE-2022-3171 | Oracle Communications Policy Management | Core (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.6.0.0.0 | |
| CVE-2022-41966 | Oracle Communications Policy Management | Core (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.6.0.0.0 | |
| CVE-2022-42003 | Oracle Communications Policy Management | Core (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.6.0.0.0 | |
| CVE-2022-31129 | Oracle Communications Services Gatekeeper | Third Party (Moment.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.0.0.0.0 | |
| CVE-2023-24998 | Oracle Communications Session Report Manager | BEServer (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.0.0, 9.0.1 | |
| CVE-2022-45143 | Oracle Communications Session Report Manager | BEServer (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 9.0.0, 9.0.1 | |
| CVE-2022-42003 | Oracle Communications Session Report Manager | BEServer (jackson-databind) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.0.0, 9.0.1 | |
| CVE-2022-45143 | Oracle SD-WAN Edge | Internal tools (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 9.1.1.4.0 | |
| CVE-2022-42003 | Oracle SD-WAN Edge | Internal tools (jackson-databind) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.1.1.4.0 | |
| CVE-2022-31630 | Oracle Communications Diameter Signaling Router | Platform (PHP) | None | No | 7.1 | Local | Low | None | Required | Unchanged | High | None | High | 8.6.0.0 | |
| CVE-2022-31630 | Oracle SD-WAN Aware | Management (PHP) | None | No | 7.1 | Local | Low | None | Required | Unchanged | High | None | High | 9.0.1.6.0 | |
| CVE-2022-37434 | Oracle Communications Core Session Manager | Routing (zlib) | HTTPS | Yes | 7.0 | Network | High | None | None | Unchanged | Low | Low | High | 8.45, 9.15 | |
| CVE-2022-37434 | Oracle Communications Session Border Controller | Routing (zlib) | HTTPS | Yes | 7.0 | Network | High | None | None | Unchanged | Low | Low | High | 9.0, 9.1 | |
| CVE-2022-37434 | Oracle Communications Session Router | Routing (zlib) | HTTPS | Yes | 7.0 | Network | High | None | None | Unchanged | Low | Low | High | 9.0, 9.1 | |
| CVE-2022-37434 | Oracle Communications Subscriber-Aware Load Balancer | Routing (zlib) | HTTPS | Yes | 7.0 | Network | High | None | None | Unchanged | Low | Low | High | 9.0, 9.1 | |
| CVE-2022-37434 | Oracle Enterprise Communications Broker | Routing (zlib) | HTTPS | Yes | 7.0 | Network | High | None | None | Unchanged | Low | Low | High | 3.3, 4.0 | |
| CVE-2022-37434 | Oracle Enterprise Session Router | Routing (zlib) | HTTPS | Yes | 7.0 | Network | High | None | None | Unchanged | Low | Low | High | 9.1 | |
| CVE-2023-23931 | Oracle Communications Cloud Native Core Network Exposure Function | Platform (Cryptography) | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | None | Low | Low | 22.4.2 | |
| CVE-2023-23931 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Installation and Configuration (Cryptography) | TCP | Yes | 6.5 | Network | Low | None | None | Unchanged | None | Low | Low | 22.4.0, 23.1.0 | |
| CVE-2022-38752 | Oracle Communications Cloud Native Core Service Communication Proxy | Install/Upgrade (SnakeYAML) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 22.3.0, 22.4.0 | |
| CVE-2022-38752 | Oracle SD-WAN Edge | Internal tools (SnakeYAML) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 9.1.1.4.0 | |
| CVE-2022-4415 | Oracle Communications Cloud Native Core Policy | Policy (systemd) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 22.4.0-22.4.4, 23.1.0-23.1.1 | |
| CVE-2021-37519 | Oracle Communications User Data Repository | Patches (memcached) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.6.1.0.0 | |
| CVE-2023-28708 | Oracle Communications Policy Management | Core (Apache Tomcat) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | Low | None | None | 12.6.0.0.0 | |

Yes 7.5 Network Low None None Un-
changed None None High 22.4.0-22.4.4, 23.1.0-23.1.1   CVE-2022-41966 Oracle
Communications Cloud Native Core Binding Support Function Policy (XStream) HTTPS
Yes 7.5 Network Low None None Un-
changed None None High 22.4.0-22.4.4, 23.1.0-23.1.1   CVE-2022-41966 Oracle
Communications Cloud Native Core Console Configuration (XStream) HTTP Yes 7.5
Network Low None None Un-
changed None None High 22.4.0, 22.3.0   CVE-2023-23916 Oracle Communications
Cloud Native Core Network Exposure Function Oracle Linux (cURL) HTTP Yes 7.5
Network Low None None Un-
changed None None High 22.4.2, 23.1.0   CVE-2023-24998 Oracle Communications
Cloud Native Core Network Exposure Function Platform (Apache Commons FileUpload)
HTTP Yes 7.5 Network Low None None Un-
changed None None High 22.4.2, 23.1.0   CVE-2023-0361 Oracle Communications
Cloud Native Core Network Repository Function Installer (GnuTLS) HTTP Yes 7.5
Network Low None None Un-
changed High None None 23.1.0   CVE-2022-35737 Oracle Communications Cloud
Native Core Policy Policy (SQLite) HTTPS Yes 7.5 Network Low None None Un-
changed None None High 22.4.0-22.4.4, 23.1.0-23.1.1   CVE-2023-25577 Oracle
Communications Cloud Native Core Policy Policy (Werkzeug) HTTPS Yes 7.5 Network
Low None None Un-
changed None None High 22.4.0-22.4.4, 23.1.0-23.1.1   CVE-2023-23916 Oracle
Communications Cloud Native Core Security Edge Protection Proxy Configuration
(cURL) SSH Yes 7.5 Network Low None None Un-
changed None None High 23.1.0, 22.4.2   CVE-2023-24998 Oracle Communications
Cloud Native Core Security Edge Protection Proxy Configuration (Apache Commons
FileUpload) TCP Yes 7.5 Network Low None None Un-
changed None None High 23.1.0, 22.4.1   CVE-2022-42003 Oracle Communications
Cloud Native Core Service Communication Proxy Install/Upgrade (jackson-databind)
HTTP Yes 7.5 Network Low None None Un-
changed None None High 22.3.0   CVE-2023-23916 Oracle Communications Cloud
Native Core Unified Data Repository Signaling (cURL) HTTP Yes 7.5 Network Low
None None Un-
changed None None High 22.4.1   CVE-2022-45143 Oracle Communications Diameter
Signaling Router Platform (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-
changed None High None 8.6.0.0   CVE-2023-24998 Oracle Communications Element
Manager BEServer (Apache Commons FileUpload) HTTP Yes 7.5 Network Low None None
Un-
changed None None High 9.0.0, 9.0.1   CVE-2022-45143 Oracle Communications
Element Manager BEServer (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-
changed None High None 9.0.0, 9.0.1   CVE-2022-42003 Oracle Communications
Element Manager BEServer (jackson-databind) HTTPS Yes 7.5 Network Low None None
Un-
changed None None High 9.0.0, 9.0.1   CVE-2022-3171 Oracle Communications Policy
Management Core (Google Protobuf-Java) HTTP Yes 7.5 Network Low None None Un-
changed None None High 12.6.0.0.0   CVE-2022-41966 Oracle Communications Policy
Management Core (XStream) HTTP Yes 7.5 Network Low None None Un-
changed None None High 12.6.0.0.0   CVE-2022-42003 Oracle Communications Policy
Management Core (jackson-databind) HTTP Yes 7.5 Network Low None None Un-
changed None None High 12.6.0.0.0   CVE-2022-31129 Oracle Communications
Services Gatekeeper Third Party (Moment.js) HTTP Yes 7.5 Network Low None None
Un-
changed None None High 7.0.0.0.0   CVE-2023-24998 Oracle Communications Session
Report Manager BEServer (Apache Commons FileUpload) HTTP Yes 7.5 Network Low
None None Un-
changed None None High 9.0.0, 9.0.1   CVE-2022-45143 Oracle Communications
Session Report Manager BEServer (Apache Tomcat) HTTP Yes 7.5 Network Low None
None Un-
changed None High None 9.0.0, 9.0.1   CVE-2022-42003 Oracle Communications
Session Report Manager BEServer (jackson-databind) HTTPS Yes 7.5 Network Low
None None Un-
changed None None High 9.0.0, 9.0.1   CVE-2022-45143 Oracle SD-WAN Edge Internal
tools (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-
changed None High None 9.1.1.4.0   CVE-2022-42003 Oracle SD-WAN Edge Internal
tools (jackson-databind) Multiple Yes 7.5 Network Low None None Un-
changed None None High 9.1.1.4.0   CVE-2022-31630 Oracle Communications Diameter
Signaling Router Platform (PHP) None No 7.1 Local Low None Required Un-
changed High None High 8.6.0.0   CVE-2022-31630 Oracle SD-WAN Aware Management
(PHP) None No 7.1 Local Low None Required Un-
changed High None High 9.0.1.6.0   CVE-2022-37434 Oracle Communications Core
Session Manager Routing (zlib) HTTPS Yes 7.0 Network High None None Un-
changed Low Low High 8.45, 9.15   CVE-2022-37434 Oracle Communications Session
Border Controller Routing (zlib) HTTPS Yes 7.0 Network High None None Un-
changed Low Low High 9.0, 9.1   CVE-2022-37434 Oracle Communications Session
Router Routing (zlib) HTTPS Yes 7.0 Network High None None Un-
changed Low Low High 9.0, 9.1   CVE-2022-37434 Oracle Communications
Subscriber-Aware Load Balancer Routing (zlib) HTTPS Yes 7.0 Network High None
None Un-
changed Low Low High 9.0, 9.1   CVE-2022-37434 Oracle Enterprise Communications
Broker Routing (zlib) HTTPS Yes 7.0 Network High None None Un-
changed Low Low High 3.3, 4.0   CVE-2022-37434 Oracle Enterprise Session Router
Routing (zlib) HTTPS Yes 7.0 Network High None None Un-
changed Low Low High 9.1   CVE-2023-23931 Oracle Communications Cloud Native
Core Network Exposure Function Platform (Cryptography) HTTP Yes 6.5 Network Low
None None Un-
changed None Low Low 22.4.2   CVE-2023-23931 Oracle Communications Cloud Native
Core Security Edge Protection Proxy Installation and Configuration
(Cryptography) TCP Yes 6.5 Network Low None None Un-
changed None Low Low 22.4.0, 23.1.0   CVE-2022-38752 Oracle Communications Cloud
Native Core Service Communication Proxy Install/Upgrade (SnakeYAML) HTTP No 6.5
Network Low Low None Un-
changed None None High 22.3.0, 22.4.0   CVE-2022-38752 Oracle SD-WAN Edge
Internal tools (SnakeYAML) HTTP No 6.5 Network Low Low None Un-
changed None None High 9.1.1.4.0   CVE-2022-4415 Oracle Communications Cloud
Native Core Policy Policy (systemd) None No 5.5 Local Low Low None Un-
changed High None None 22.4.0-22.4.4, 23.1.0-23.1.1   CVE-2021-37519 Oracle
Communications User Data Repository Patches (memcached) None No 5.5 Local Low
None Required Un-
changed None None High 12.6.1.0.0   CVE-2023-28708 Oracle Communications Policy
Management Core (Apache Tomcat) HTTP Yes 4.3 Network Low None Required Un-
changed Low None None 12.6.0.0.0  

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-25315 also addresses CVE-2022-25235 and
   CVE-2022-25236.
 * The patch for CVE-2022-31123 also addresses CVE-2022-31130, CVE-2022-39201,
   and CVE-2022-39229.
 * The patch for CVE-2022-31630 also addresses CVE-2022-37454.
 * The patch for CVE-2022-31692 also addresses CVE-2022-31690.
 * The patch for CVE-2022-37865 also addresses CVE-2022-37866.
 * The patch for CVE-2022-38752 also addresses CVE-2022-25857, CVE-2022-38749,
   CVE-2022-38750, and CVE-2022-38751.
 * The patch for CVE-2022-40304 also addresses CVE-2022-40303.
 * The patch for CVE-2022-41881 also addresses CVE-2022-41915.
 * The patch for CVE-2022-41966 also addresses CVE-2022-40151.
 * The patch for CVE-2022-42003 also addresses CVE-2022-42004.
 * The patch for CVE-2022-4415 also addresses CVE-2022-3821.
 * The patch for CVE-2022-46364 also addresses CVE-2022-46363.
 * The patch for CVE-2023-25577 also addresses CVE-2023-23934.
 * The patch for CVE-2023-25690 also addresses CVE-2023-27522.


 

ORACLE CONSTRUCTION AND ENGINEERING RISK MATRIX

This Critical Patch Update contains 4 new security patches for Oracle
Construction and Engineering.  3 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a network
without requiring user credentials.  The English text form of this Risk Matrix
can be found here.

Columns Base Score through Availability give the CVSS Version 3.1 Risk (see Risk Matrix Definitions).

| CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-27404 | Primavera P6 Enterprise Project Portfolio Management Document Viewing using Outside In technology (FreeType) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 18.8.0-18.8.26, 19.12.0-19.12.21, 20.12.0-20.12.18, 21.12.0-21.12.12, 22.12.0-22.12.3 |  |
| CVE-2022-27404 | Primavera Unifier Document Management (FreeType) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 18.8.0-18.8.18, 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.14, 22.12.0-22.12.3 |  |
| CVE-2022-36033 | Primavera Unifier User Interface (jsoup) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 18.8.0-18.8.18, 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.14, 22.12.0-22.12.3 |  |
| CVE-2021-23413 | Primavera Unifier User Interface (JSZip) | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 18.8.0-18.8.18, 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.14, 22.12.0-22.12.3 |  |


ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-27404 also addresses CVE-2022-27405 and
   CVE-2022-27406.


 

ORACLE E-BUSINESS SUITE RISK MATRIX

This Critical Patch Update contains 4 new security patches for Oracle E-Business
Suite.  None of these vulnerabilities may be remotely exploitable without
authentication, i.e., none may be exploited over a network without requiring
user credentials.  The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion
Middleware components that are affected by the vulnerabilities listed in the
Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle
E-Business Suite products is dependent on the Oracle Database and Oracle Fusion
Middleware versions being used. Oracle Database and Oracle Fusion Middleware
security updates are not listed in the Oracle E-Business Suite risk matrix.
However, since vulnerabilities affecting Oracle Database and Oracle Fusion
Middleware versions may affect Oracle E-Business Suite products, Oracle
recommends that customers apply the April 2023 Critical Patch Update to the
Oracle Database and Oracle Fusion Middleware components of Oracle E-Business
Suite. For information on what patches need to be applied to your environments,
refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge
Document (April 2023), My Oracle Support Note 2484000.1.

Columns Base Score through Availability give the CVSS Version 3.1 Risk (see Risk Matrix Definitions).

| CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-21978 | Oracle Application Object Library GUI | HTTP | No | 6.5 | Network | Low | Low | Required | Changed | Low | Low | Low | 12.2.3-12.2.11 |  |
| CVE-2023-21973 | Oracle iProcurement E-Content Manager Catalog | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 12.2.3-12.2.12 |  |
| CVE-2023-21959 | Oracle iReceivables Attachments | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 12.2.3-12.2.12 |  |
| CVE-2023-21997 | Oracle User Management Proxy User Delegation | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 12.2.3-12.2.12 |  |



 

ORACLE ENTERPRISE MANAGER RISK MATRIX

This Critical Patch Update contains 4 new security patches for Oracle Enterprise
Manager.  3 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  None of these patches are applicable to client-only installations,
i.e., installations that do not have Oracle Enterprise Manager installed. The
English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion
Middleware components that are affected by the vulnerabilities listed in the
Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle
Enterprise Manager products is dependent on the Oracle Database and Oracle
Fusion Middleware versions being used. Oracle Database and Oracle Fusion
Middleware security updates are not listed in the Oracle Enterprise Manager risk
matrix. However, since vulnerabilities affecting Oracle Database and Oracle
Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle
recommends that customers apply the April 2023 Critical Patch Update to the
Oracle Database and Oracle Fusion Middleware components of Enterprise Manager.
For information on what patches need to be applied to your environments, refer
to Critical Patch Update April 2023 Patch Availability Document for Oracle
Products, My Oracle Support Note 2923367.1.

Columns Base Score through Availability give the CVSS Version 3.1 Risk (see Risk Matrix Definitions).

| CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-40690 | Oracle Application Testing Suite Load Testing for Web Apps (Apache Santuario XML Security For Java) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 13.3.0.1 |  |
| CVE-2022-41966 | Oracle Enterprise Manager Ops Center Networking (XStream) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.4.0.0 |  |
| CVE-2022-23437 | Oracle Application Testing Suite Load Testing for Web Apps (Apache Xerces2 Java) | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 13.3.0.1 |  |
| CVE-2021-36374 | Oracle Application Testing Suite Load Testing for Web Apps (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 13.3.0.1 |  |


ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2021-36374 also addresses CVE-2020-11979, CVE-2020-1945,
   and CVE-2021-36373.
 * The patch for CVE-2022-41966 also addresses CVE-2021-43859 and
   CVE-2022-40151.


 

ORACLE FINANCIAL SERVICES APPLICATIONS RISK MATRIX

This Critical Patch Update contains 76 new security patches for Oracle Financial
Services Applications.  59 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without requiring
user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS Version 3.1 Risk (see Risk Matrix Definitions).

| CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-22978 | Oracle Banking Corporate Lending Process Management Base (Spring Security) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.4-14.7 |  |
| CVE-2022-46364 | Oracle Banking Digital Experience UI General (Apache CXF) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 21.1, 22.1, 22.2 |  |
| CVE-2022-42889 | Oracle Financial Services Compliance Studio Application (Apache Commons Text) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1.2.4 |  |
| CVE-2023-25194 | Oracle Banking APIs IDM - Authentication (Apache Kafka) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 22.1, 22.2 |  |
| CVE-2023-25194 | Oracle Banking Digital Experience UI General (Apache Kafka) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 22.1, 22.2 |  |
| CVE-2023-25194 | Oracle Financial Services Analytical Applications Infrastructure Infrastructure (Apache Kafka) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 8.0.7.0, 8.0.8.0, 8.0.9.0, 8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1, 8.1.2.2 |  |
| CVE-2023-25194 | Oracle Financial Services Behavior Detection Platform Application (Apache Kafka) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 8.0.8.1, 8.1.1.1, 8.1.2.3, 8.1.2.4 |  |
| CVE-2023-25194 | Oracle Financial Services Regulatory Reporting Application (Apache Kafka) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 8.0.8.1, 8.1.1.1, 8.1.2.3, 8.1.2.4 |  |
| CVE-2020-11988 | Oracle Financial Services Revenue Management and Billing Infrastructure (Apache XML Graphics Commons) | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | High | Low | None | 2.7, 2.8, 2.9 |  |
| CVE-2023-24998 | Oracle Banking APIs IDM - Authentication (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 |  |
| CVE-2022-25647 | Oracle Banking APIs IDM - Authentication (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 |  |
| CVE-2022-25647 | Oracle Banking Corporate Lending Core (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.0-14.3, 14.5-14.7 |  |
| CVE-2022-3171 | Oracle Banking Corporate Lending Core (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.0-14.3, 14.5-14.7 |  |
| CVE-2022-2048 | Oracle Banking Corporate Lending Process Management Base (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.4-14.7 |  |
| CVE-2022-22979 | Oracle Banking Corporate Lending Process Management Base (Spring Cloud Function) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.4-14.7 |  |
| CVE-2022-42890 | Oracle Banking Digital Experience UI General (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 |  |
| CVE-2023-24998 | Oracle Banking Digital Experience UI General (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 |  |
| CVE-2022-25647 | Oracle Banking Digital Experience UI General (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 |  |
| CVE-2022-41881 | Oracle Banking Digital Experience UI General (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 |  |
| CVE-2022-42003 | Oracle Banking Digital Experience UI General (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 |  |
| CVE-2022-25647 | Oracle Banking Payments Infrastructure (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.5, 14.6, 14.7 |  |
| CVE-2022-3171 | Oracle Banking Payments Infrastructure (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.5, 14.6, 14.7 |  |
| CVE-2022-25647 | Oracle Banking Trade Finance Infrastructure (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.5, 14.6, 14.7 |  |
| CVE-2022-3171 | Oracle Banking Trade Finance Infrastructure (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.5, 14.6, 14.7 |  |
| CVE-2022-25647 | Oracle Banking Treasury Management Infra Code (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.5, 14.6, 14.7 |  |
| CVE-2022-3171 | Oracle Banking Treasury Management Infra Code (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.5, 14.6, 14.7 |  |
| CVE-2022-42890 | Oracle Financial Services Analytical Applications Infrastructure Infrastructure (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.0.7.0, 8.0.8.0, 8.0.9.0, 8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1, 8.1.2.2 |  |
| CVE-2022-42003 | Oracle Financial Services Analytical Applications Infrastructure Infrastructure (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.7.0, 8.0.8.0, 8.0.9.0, 8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1, 8.1.2.2 |  |
| CVE-2022-42003 | Oracle Financial Services Behavior Detection Platform Application (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.8.1, 8.1.1.1, 8.1.2.3, 8.1.2.4 |  |
| CVE-2022-43680 | Oracle Financial Services Behavior Detection Platform Third Party (LibExpat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.8.1, 8.1.1.1, 8.1.2.3, 8.1.2.4 |  |
| CVE-2022-43680 | Oracle Financial Services Currency Transaction Reporting Application (LibExpat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.8.1.0, 8.1.1.1.0, 8.1.2.3.0, 8.1.2.4.1 |  |
| CVE-2022-42003 | Oracle Financial Services Enterprise Case Management Application (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.1.2.4, 8.1.2.3, 8.1.1.1, 8.0.8.2 |  |
| CVE-2022-42252 | Oracle Financial Services Model Management and Governance Application (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 8.1.0.0, 8.1.2.0 |  |
| CVE-2022-40146 | Oracle Financial Services Revenue Management and Billing Infrastructure (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 2.7, 2.7.1, 2.8, 2.9, 2.9.1, 3.0, 3.1, 3.2, 4.0 |  |
| CVE-2021-36090 | Oracle Financial Services Revenue Management and Billing Infrastructure (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 2.7, 2.8, 2.9 |  |
| CVE-2022-34169 | Oracle Financial Services Revenue Management and Billing Infrastructure (Apache Xalan-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 2.7, 2.7.1, 2.8, 2.9, 2.9.1, 3.0, 3.1, 3.2, 4.0 |  |
| CVE-2021-43859 | Oracle Financial Services Revenue Management and Billing Infrastructure (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 2.7, 2.7.1, 2.8, 2.9, 2.9, 2.9.1, 3.0, 3.1, 3.2, 4.0 |  |
| CVE-2022-43680 | Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition Application (LibExpat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.8.0.0 |  |
| CVE-2022-24839 | Oracle FLEXCUBE Core Banking Securities (NekoHTML) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.6, 11.7, 11.8, 11.10, 11.11 |  |
| CVE-2022-25647 | Oracle FLEXCUBE Universal Banking Infrastructure (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.0-14.3, 14.5-14.7 |  |
| CVE-2022-3171 | Oracle FLEXCUBE Universal Banking Infrastructure (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.0-14.3, 14.5-14.7 |  |
| CVE-2022-46908 | Oracle Financial Services Compliance Studio Application (SQLite) | None | No | 7.3 | Local | Low | Low | None | Unchanged | High | High | Low | 8.1.2.4 |  |
| CVE-2022-22971 | Oracle Banking Corporate Lending Process Management Base (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 14.4-14.7 |  |
| CVE-2022-38752 | Oracle Financial Services Model Management and Governance Application (SnakeYAML) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.1.0.0, 8.1.2.0 |  |
| CVE-2022-23437 | Oracle Financial Services Revenue Management and Billing Infrastructure (Apache Xerces2 Java) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 2.7, 2.7.1, 2.8, 2.9, 2.9.1, 3.0, 3.1, 3.2, 4.0 |  |
| CVE-2022-36033 | Oracle Banking Digital Experience UI General (jsoup) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 |  |
| CVE-2022-36033 | Oracle Banking Trade Finance Infrastructure (jsoup) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.5, 14.6, 14.7 |  |
| CVE-2022-36033 | Oracle Banking Treasury Management Infrastructure (jsoup) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.5, 14.6, 14.7 |  |
| CVE-2023-21905 | Oracle Banking Virtual Account Management Routing Hub | HTTP | No | 6.1 | Network | Low | High | Required | Unchanged | High | High | None | 14.5, 14.6, 14.7 |  |
| CVE-2023-21906 | Oracle Banking Virtual Account Management SMS Module | HTTP | No | 6.1 | Network | Low | High | Required | Unchanged | High | High | None | 14.5, 14.6, 14.7 |  |
| CVE-2021-41184 | Oracle Financial Services Analytical Applications Infrastructure Infrastructure (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.7.0, 8.0.8.0, 8.0.9.0, 8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1, 8.1.2.2 |  |
| CVE-2021-41184 | Oracle Financial Services Analytical Applications Reconciliation Framework Application (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.7.1.2, 8.1.1.1.7 |  |
| CVE-2021-41184 | Oracle Financial Services Asset Liability Management Application (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.7.8.0 |  |
| CVE-2021-41184 | Oracle Financial Services Balance Computation Engine Application (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.1.1.1.1 |  |
| CVE-2021-41184 | Oracle Financial Services Balance Sheet Planning Application (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.8.1.4 |  |
| CVE-2021-41184 | Oracle Financial Services Data Governance for US Regulatory Reporting Application (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.1.2.0, 8.1.2.1 |  |
| CVE-2021-41184 | Oracle Financial Services Data Integration Hub Application (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.1.0.1.4, 8.1.2.2.1, 8.0.7.3.1 |  |
| CVE-2021-41184 | Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management Application (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.7.3.1, 8.0.8.3.1 |  |
| CVE-2021-41184 | Oracle Financial Services Enterprise Financial Performance Analytics Application (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.7.8.1 |  |
| CVE-2021-41184 | Oracle Financial Services Funds Transfer Pricing Application (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.7.8.1 |  |
| CVE-2021-41184 | Oracle Financial Services Institutional Performance Analytics Application (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.7.8.1 |  |
| CVE-2021-41184 | Oracle Financial Services Liquidity Risk Measurement and Management Application (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.7.3.1, 8.0.8.3.1 |  |
| CVE-2021-41184 | Oracle Financial Services Loan Loss Forecasting and Provisioning Application (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.7.8.1, 8.0.8.2.1 |  |
| CVE-2021-41184 | Oracle Financial Services Profitability Management Application (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.7.8.1 |  |
| CVE-2022-29577 | Oracle Financial Services Regulatory Reporting with AgileREPORTER Application (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.1.1.2.0 |  |
| CVE-2021-41184 | Oracle Financial Services Retail Performance Analytics Application (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.7.8.1 |  |
| CVE-2022-36033 | Oracle FLEXCUBE Universal Banking Infrastructure (jsoup) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0-14.3, 14.5-14.7 |  |
| CVE-2023-21907 | Oracle Banking Virtual Account Management OBVAM Trn Journal Domain | HTTP | No | 6.0 | Network | High | High | Required | Unchanged | High | Low | High | 14.5, 14.6, 14.7 |  |
| CVE-2023-21908 | Oracle Banking Virtual Account Management OBVAM Trn Journal Domain | HTTP | No | 6.0 | Network | High | High | Required | Unchanged | High | Low | High | 14.5, 14.6, 14.7 |  |
| CVE-2019-12415 | Oracle Financial Services Revenue Management and Billing Infrastructure (Apache POI) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 2.7, 2.8, 2.9 |  |
| CVE-2023-21903 | Oracle Banking Virtual Account Management OBVAM Internal Tfr Domain | HTTP | No | 5.3 | Network | High | High | Required | Unchanged | High | Low | Low | 14.5, 14.6, 14.7 |  |
| CVE-2023-21904 | Oracle Banking Virtual Account Management OBVAM Trn Journal Domain | HTTP | No | 5.3 | Network | High | High | Required | Unchanged | High | Low | Low | 14.5, 14.6, 14.7 |  |
| CVE-2021-29425 | Oracle Financial Services Revenue Management and Billing Infrastructure (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 4.0 |  |
| CVE-2023-21915 | Oracle Banking Payments Book/Internal Transfer | HTTP | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | Low | None | 14.5, 14.6, 14.7 |  |
| CVE-2023-21902 | Oracle Financial Services Behavior Detection Platform Application | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 8.0.8.1 |  |
| CVE-2023-28708 | Oracle Financial Services Crime and Compliance Management Studio Studio (Apache Tomcat) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | Low | None | None | 8.0.8.3.5 |  |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516,
   and CVE-2021-35517.
 * The patch for CVE-2021-41184 also addresses CVE-2021-41182 and
   CVE-2021-41183.
 * The patch for CVE-2022-2048 also addresses CVE-2022-2047 and CVE-2022-2191.
 * The patch for CVE-2022-22971 also addresses CVE-2022-22970.
 * The patch for CVE-2022-22978 also addresses CVE-2022-22976.
 * The patch for CVE-2022-41881 also addresses CVE-2022-41915.
 * The patch for CVE-2022-42003 also addresses CVE-2022-42004.
 * The patch for CVE-2022-42890 also addresses CVE-2022-41704.
 * The patch for CVE-2022-46364 also addresses CVE-2022-46363.

ORACLE FUSION MIDDLEWARE RISK MATRIX

This Critical Patch Update contains 49 new security patches for Oracle Fusion
Middleware.  44 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

To get the full list of current and previously released Critical Patch Update
patches for Oracle Fusion Middleware products, refer to My Oracle Support Doc ID
2806740.2.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
(CVSS Version 3.1 risk metrics; see Risk Matrix Definitions)
CVE-2022-45047 | Oracle Business Process Management Suite | Installer (Apache Mina SSHD) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0
CVE-2022-22965 | Oracle Data Integrator | Third Party (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0
CVE-2022-37434 | Oracle HTTP Server | SSL Module (zlib) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0
CVE-2022-22965 | Oracle Managed File Transfer | MFT Runtime Server (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0
CVE-2022-33980 | Oracle Middleware Common Libraries and Tools | Third Party (Apache Commons Configuration) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0
CVE-2022-29599 | Oracle Middleware Common Libraries and Tools | Third Party (Apache Maven) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0
CVE-2022-40304 | Oracle HTTP Server | SSL Module (libxml2) | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 12.2.1.4.0
CVE-2022-40149 | Oracle Access Manager | Build Scripts (Jettison) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0
CVE-2019-20916 | Oracle Access Manager | Third Party (Jython) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0
CVE-2022-42890 | Oracle Business Process Management Suite | Installer (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.4.0
CVE-2022-42003 | Oracle Business Process Management Suite | Installer (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0
CVE-2022-41881 | Oracle Coherence | Core (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0, 14.1.1.0.0
CVE-2022-42003 | Oracle Coherence | Core (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0, 14.1.1.0.0
CVE-2021-34798 | Oracle HTTP Server | SSL Module (Apache HTTP Server) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0
CVE-2022-43551 | Oracle HTTP Server | SSL Module (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.4.0
CVE-2022-42003 | Oracle Identity Manager | Installer (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0
CVE-2022-45693 | Oracle Identity Manager | Third Party (Jettison) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0
CVE-2018-14371 | Oracle JDeveloper | ADF Faces (Eclipse Mojarra) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.4.0
CVE-2022-42890 | Oracle Middleware Common Libraries and Tools | Third Party (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.4.0
CVE-2023-24998 | Oracle Middleware Common Libraries and Tools | Third Party (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0
CVE-2022-41966 | Oracle SOA Suite | Security (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0
CVE-2022-41881 | Oracle WebCenter Portal | Security Framework (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0
CVE-2022-40151 | Oracle WebCenter Portal | Security Framework (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0
CVE-2022-42003 | Oracle WebCenter Portal | Security Framework (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0
CVE-2023-24998 | Oracle WebLogic Server | Console (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2022-40152 | Oracle WebLogic Server | Samples (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0, 14.1.1.0.0
CVE-2021-36090 | Oracle WebLogic Server | Third Party (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0, 14.1.1.0.0
CVE-2023-24998 | Oracle WebLogic Server | Third Party (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2022-45685 | Oracle WebLogic Server | Third Party (Jettison) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2021-31684 | Oracle WebLogic Server | Third Party (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0, 14.1.1.0.0
CVE-2023-21996 | Oracle WebLogic Server | Web Services | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2023-21931 | Oracle WebLogic Server | Core | T3, IIOP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2023-21964 | Oracle WebLogic Server | Core | T3, IIOP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2023-21979 | Oracle WebLogic Server | Core | T3, IIOP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-25638 | Oracle WebLogic Server | Core (JBoss Enterprise Application Platform) | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 14.1.1.0.0
CVE-2022-46908 | Oracle Outside In Technology | Third Party (SQLite) | None | No | 7.3 | Local | Low | Low | None | Unchanged | High | High | Low | 8.5.6
CVE-2021-37533 | Oracle Middleware Common Libraries and Tools | Remote Diagnostic Agent (Apache Commons Net) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 12.2.1.4.0
CVE-2020-6950 | Oracle WebLogic Server | Third Party (Eclipse Mojarra) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 12.2.1.3.0, 12.2.1.4.0
CVE-2022-36033 | Oracle Business Process Management Suite | Installer (jsoup) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.4.0
CVE-2022-34305 | Oracle Managed File Transfer | MFT Runtime Server (Apache Tomcat) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.4.0
CVE-2022-36033 | Oracle Middleware Common Libraries and Tools | Third Party (jsoup) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.4.0
CVE-2022-36033 | Oracle WebCenter Portal | Security Framework (jsoup) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.4.0
CVE-2020-13954 | Oracle WebCenter Sites | Samples (Apache CXF) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.4.0
CVE-2023-21956 | Oracle WebLogic Server | Web Container | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.4.0, 14.1.1.0.0
CVE-2023-22899 | Oracle Access Manager | Third Party (Zip4j) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 12.2.1.4.0
CVE-2023-21960 | Oracle WebLogic Server | Core | HTTP | Yes | 5.6 | Network | High | None | None | Unchanged | Low | Low | Low | 12.2.1.3.0, 12.2.1.4.0
CVE-2021-36374 | Oracle Middleware Common Libraries and Tools | Third Party (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.2.1.4.0
CVE-2021-22569 | Oracle WebLogic Server | Third Party (Google Protobuf-Java) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.2.1.4.0, 14.1.1.0.0
CVE-2022-31160 | Oracle WebLogic Server | Console (jQueryUI) | HTTP | No | 3.9 | Local | High | High | None | Changed | Low | Low | None | 12.2.1.4.0, 14.1.1.0.0

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2018-14371 also addresses CVE-2019-17091.
 * The patch for CVE-2019-20916 also addresses CVE-2018-18074, CVE-2018-20060,
   CVE-2018-20225, and CVE-2019-20907.
 * The patch for CVE-2020-25638 also addresses CVE-2020-10693.
 * The patch for CVE-2021-34798 also addresses CVE-2022-28614.
 * The patch for CVE-2021-36374 also addresses CVE-2021-36373.
 * The patch for CVE-2022-40151 also addresses CVE-2022-41966.
 * The patch for CVE-2022-40304 also addresses CVE-2022-40303.
 * The patch for CVE-2022-41881 also addresses CVE-2022-41915.
 * The patch for CVE-2022-41966 also addresses CVE-2022-40151.
 * The patch for CVE-2022-42003 also addresses CVE-2022-42004.
 * The patch for CVE-2022-42890 also addresses CVE-2022-41704.
 * The patch for CVE-2022-43551 also addresses CVE-2022-42915 and
   CVE-2022-42916.
 * The patch for CVE-2022-45685 also addresses CVE-2022-45693.
 * The patch for CVE-2022-45693 also addresses CVE-2022-40150 and
   CVE-2022-45685.
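The CVSS columns of the risk matrices above are the eight CVSS v3.1 base metrics spelled out as words, and the "Remote Exploit without Auth.?" column is a yes/no summary of two of them. As an added check that is not part of Oracle's advisory, the following Python rebuilds the CVSS v3.1 vector string from a row's columns, recomputes the base score with the equations from the CVSS v3.1 specification, and derives the remote-without-auth flag. The six sample rows are copied from the Oracle Fusion Middleware Risk Matrix above; the reading of that flag as Attack Vector Network plus Privileges Required None is an assumption, chosen because it matches Oracle's wording ("exploited over a network without requiring user credentials") and every row on this page.

```python
"""Rebuild CVSS v3.1 vectors and base scores from Oracle Risk Matrix columns.

Added example, not code from Oracle's advisory. Sample rows are copied from
the Oracle Fusion Middleware Risk Matrix on this page; the weights and
equations are those of the CVSS v3.1 specification (sections 7.1-7.4 and
appendix A).
"""
import math
from dataclasses import dataclass
from typing import List, Tuple

# Metric abbreviation and numeric weight for each value Oracle prints.
_AV = {"Network": ("N", 0.85), "Adjacent": ("A", 0.62), "Local": ("L", 0.55), "Physical": ("P", 0.20)}
_AC = {"Low": ("L", 0.77), "High": ("H", 0.44)}
# Privileges Required: (abbrev, weight if Scope Unchanged, weight if Scope Changed)
_PR = {"None": ("N", 0.85, 0.85), "Low": ("L", 0.62, 0.68), "High": ("H", 0.27, 0.50)}
_UI = {"None": ("N", 0.85), "Required": ("R", 0.62)}
_CIA = {"None": ("N", 0.00), "Low": ("L", 0.22), "High": ("H", 0.56)}
_SCOPE = {"Unchanged": "U", "Changed": "C"}


def roundup(value: float) -> float:
    """Roundup() from CVSS v3.1 appendix A: round up to one decimal place,
    computed on an integer so that e.g. 4.0000001 stays 4.0 and 9.76 becomes 9.8."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


@dataclass(frozen=True)
class MatrixRow:
    """One Risk Matrix row, with the CVSS metrics exactly as Oracle prints them."""
    cve: str
    product: str
    component: str
    av: str      # Attack Vector
    ac: str      # Attack Complexity
    pr: str      # Privileges Required
    ui: str      # User Interaction
    scope: str
    c: str       # Confidentiality
    i: str       # Integrity
    a: str       # Availability
    published_score: float

    def vector(self) -> str:
        """CVSS v3.1 vector string, the form most scanners and trackers ingest."""
        return "CVSS:3.1/AV:{}/AC:{}/PR:{}/UI:{}/S:{}/C:{}/I:{}/A:{}".format(
            _AV[self.av][0], _AC[self.ac][0], _PR[self.pr][0], _UI[self.ui][0],
            _SCOPE[self.scope], _CIA[self.c][0], _CIA[self.i][0], _CIA[self.a][0])

    def base_score(self) -> float:
        """Base score per CVSS v3.1 section 7.1 (Scope Changed uses the 1.08 factor)."""
        changed = self.scope == "Changed"
        iss = 1 - (1 - _CIA[self.c][1]) * (1 - _CIA[self.i][1]) * (1 - _CIA[self.a][1])
        if changed:
            impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
        else:
            impact = 6.42 * iss
        pr_weight = _PR[self.pr][2] if changed else _PR[self.pr][1]
        exploitability = 8.22 * _AV[self.av][1] * _AC[self.ac][1] * pr_weight * _UI[self.ui][1]
        if impact <= 0:
            return 0.0
        if changed:
            return roundup(min(1.08 * (impact + exploitability), 10))
        return roundup(min(impact + exploitability, 10))

    def remote_without_auth(self) -> bool:
        """Oracle's "Remote Exploit without Auth.?" column. Assumption: Yes means
        reachable over the network with no privileges (AV:N and PR:N); user
        interaction may still be required, as in the jsoup XSS rows."""
        return self.av == "Network" and self.pr == "None"


# Rows copied from the Oracle Fusion Middleware Risk Matrix above.
ROWS = [
    MatrixRow("CVE-2022-45047", "Oracle Business Process Management Suite", "Installer (Apache Mina SSHD)",
              "Network", "Low", "None", "None", "Unchanged", "High", "High", "High", 9.8),
    MatrixRow("CVE-2022-40304", "Oracle HTTP Server", "SSL Module (libxml2)",
              "Local", "Low", "None", "Required", "Unchanged", "High", "High", "High", 7.8),
    MatrixRow("CVE-2023-21931", "Oracle WebLogic Server", "Core",
              "Network", "Low", "None", "None", "Unchanged", "High", "None", "None", 7.5),
    MatrixRow("CVE-2020-25638", "Oracle WebLogic Server", "Core (JBoss Enterprise Application Platform)",
              "Network", "High", "None", "None", "Unchanged", "High", "High", "None", 7.4),
    MatrixRow("CVE-2022-36033", "Oracle Business Process Management Suite", "Installer (jsoup)",
              "Network", "Low", "None", "Required", "Changed", "Low", "Low", "None", 6.1),
    MatrixRow("CVE-2022-31160", "Oracle WebLogic Server", "Console (jQueryUI)",
              "Local", "High", "High", "None", "Changed", "Low", "Low", "None", 3.9),
]


def verify_rows(rows: List[MatrixRow]) -> List[Tuple[str, float, float]]:
    """Return (cve, published, recomputed) for every row whose score does not reproduce."""
    return [(r.cve, r.published_score, r.base_score())
            for r in rows if r.base_score() != r.published_score]


if __name__ == "__main__":
    for row in ROWS:
        print(f"{row.cve}  {row.vector()}  {row.base_score():.1f}  remote-no-auth={row.remote_without_auth()}")
    mismatches = verify_rows(ROWS)
    print("all published scores reproduce" if not mismatches else f"mismatches: {mismatches}")
```

Running it prints one vector per row and confirms that all six published scores reproduce. Two details matter in practice: the rounding is the specification's Roundup (9.7602 becomes 9.8), not Python's round, and the Privileges Required weight depends on Scope, which is why the jQueryUI console row (PR:H, S:C) lands at 3.9 rather than lower.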

ORACLE ANALYTICS RISK MATRIX

This Critical Patch Update contains 20 new security patches, plus additional
third party patches noted below, for Oracle Analytics.  12 of these
vulnerabilities may be remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user credentials.  The English text
form of this Risk Matrix can be found here.

Columns from Base Score through Availability are the CVSS version 3.1 risk (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-37434 | Oracle Business Intelligence Enterprise Edition | Analytics Server (zlib) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.4.0.0.0 | |
| CVE-2022-42889 | Oracle Business Intelligence Enterprise Edition | BI Application Archive (Apache Commons Text) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.4.0.0.0 | |
| CVE-2022-1587 | Oracle Business Intelligence Enterprise Edition | Analytics Server (PCRE2) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 6.4.0.0.0 | |
| CVE-2022-32215 | Oracle Business Intelligence Enterprise Edition | BI Lifecycle (Node.js) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 6.4.0.0.0 | |
| CVE-2021-4048 | Oracle Business Intelligence Enterprise Edition | Machine Learning (OpenBLAS) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 6.4.0.0.0 | |
| CVE-2020-28052 | Oracle Business Intelligence Enterprise Edition | Analytics Web General (Bouncy Castle Java Library) | HTTPS | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.2.1.4.0 | |
| CVE-2021-40690 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Apache CXF) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 6.4.0.0.0 | |
| CVE-2022-42003 | Oracle Business Intelligence Enterprise Edition | Analytics Server (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.4.0.0.0 | |
| CVE-2021-36090 | Oracle Business Intelligence Enterprise Edition | Content Storage Service (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 | |
| CVE-2019-10086 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 6.4.0.0.0 | |
| CVE-2021-23926 | Oracle Business Intelligence Enterprise Edition | Visual Analyzer (Apache POI) | HTTP | No | 7.3 | Network | Low | Low | Required | Unchanged | High | None | High | 12.2.1.4.0 | |
| CVE-2023-21910 | Oracle Business Intelligence Enterprise Edition | Analytics Web General | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 6.4.0.0.0, 12.2.1.4.0 | |
| CVE-2022-34169 | Oracle Business Intelligence Enterprise Edition | JAXP (Apache Xalan-J) | HTTP | Yes | 6.5 | Network | High | None | None | Unchanged | Low | None | High | 12.2.1.4.0 | |
| CVE-2022-31160 | Oracle Business Intelligence Enterprise Edition | Pod Admin (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.9.0.0.0, 6.4.0.0.0 | |
| CVE-2023-21970 | Oracle BI Publisher | Security | HTTP | No | 5.7 | Network | Low | Low | Required | Unchanged | High | None | None | 6.4.0.0.0 | |
| CVE-2023-21952 | Oracle Business Intelligence Enterprise Edition | Analytics Server | HTTP | No | 5.7 | Network | Low | Low | Required | Unchanged | High | None | None | 6.4.0.0.0 | |
| CVE-2023-21965 | Oracle Business Intelligence Enterprise Edition | Analytics Server | HTTP | No | 5.7 | Network | Low | Low | Required | Unchanged | High | None | None | 6.4.0.0.0 | |
| CVE-2021-27568 | Oracle Business Intelligence Enterprise Edition | BI Application Archive (json-smart) | HTTP | No | 5.3 | Network | High | Low | None | Unchanged | None | None | High | 6.4.0.0.0 | |
| CVE-2018-1000656 | Oracle Business Intelligence Enterprise Edition | Machine Learning (Flask) | HTTP | No | 4.8 | Network | High | Low | Required | Unchanged | None | None | High | 6.4.0.0.0 | |
| CVE-2023-21941 | Oracle BI Publisher | Web Server | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 6.4.0.0.0, 12.2.1.4.0 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2021-36090 also addresses CVE-2019-12402, CVE-2021-35515,
   CVE-2021-35516, and CVE-2021-35517.
 * The patch for CVE-2022-1587 also addresses CVE-2022-1586.
 * The patch for CVE-2022-32215 also addresses CVE-2022-32212, CVE-2022-32213,
   and CVE-2022-32222.
 * The patch for CVE-2022-42003 also addresses CVE-2022-42004.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

 * Oracle Business Intelligence Enterprise Edition
   * BIInfer (Jackson-mapper-asl): CVE-2019-10172.


 

ORACLE HEALTH SCIENCES APPLICATIONS RISK MATRIX

This Critical Patch Update contains 10 new security patches for Oracle Health
Sciences Applications.  3 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without requiring
user credentials.  The English text form of this Risk Matrix can be found here.

Columns from Base Score through Availability are the CVSS version 3.1 risk (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-18935 | Oracle Argus Insight | Core (Telerik UI for ASP.NET AJAX) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | Prior to 8.2.3 | |
| CVE-2019-18935 | Oracle Argus Safety | Core (Telerik UI for ASP.NET AJAX) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | Prior to 8.2.3 | |
| CVE-2023-21923 | Oracle Health Sciences InForm | Core | HTTP | No | 8.3 | Network | Low | Low | None | Unchanged | High | High | Low | Prior to 6.3.1.3, Prior to 7.0.0.1 | |
| CVE-2023-21922 | Oracle Health Sciences InForm | Core | HTTP | Yes | 6.8 | Network | High | None | Required | Unchanged | High | High | None | Prior to 6.3.1.3, Prior to 7.0.0.1 | |
| CVE-2023-21993 | Oracle Clinical Remote Data Capture | Forms | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 5.4.0.2 | |
| CVE-2021-41184 | Oracle Health Sciences InForm | Core (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 6.3.1.3, Prior to 7.0.0.1 | |
| CVE-2023-21924 | Oracle Health Sciences InForm | Core | HTTP | No | 5.9 | Network | Low | High | Required | Changed | Low | Low | Low | Prior to 6.3.1.3, Prior to 7.0.0.1 | |
| CVE-2023-21926 | Oracle Health Sciences InForm | Core | None | No | 5.5 | Local | Low | None | Required | Unchanged | High | None | None | Prior to 6.3.1.3, Prior to 7.0.0.1 | |
| CVE-2023-21921 | Oracle Health Sciences InForm | Core | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | Prior to 6.3.1.3, Prior to 7.0.0.1 | |
| CVE-2023-21925 | Oracle Health Sciences InForm | Core | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Prior to 6.3.1.3, Prior to 7.0.0.1 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2021-41184 also addresses CVE-2021-41182 and
   CVE-2021-41183.


 

ORACLE HEALTHCARE APPLICATIONS RISK MATRIX

This Critical Patch Update contains 10 new security patches for Oracle
HealthCare Applications.  8 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without requiring
user credentials.  The English text form of this Risk Matrix can be found here.

Columns from Base Score through Availability are the CVSS version 3.1 risk (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-42889 | Oracle Healthcare Foundation | Self Service Analytics (Apache Commons Text) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.2.2 | |
| CVE-2022-42889 | Oracle Healthcare Master Person Index | Self Service Analytics (Apache Commons Text) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 5.0.0-5.0.4 | |
| CVE-2022-1471 | Oracle Healthcare Translational Research | DataStudio (SnakeYAML) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.1.0, 4.1.1 | |
| CVE-2023-23914 | Oracle Healthcare Translational Research | DataStudio (cURL) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 4.1.0, 4.1.1 | |
| CVE-2022-42898 | Oracle Healthcare Translational Research | DataStudio (Kerberos) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 4.1.0, 4.1.1 | |
| CVE-2022-3171 | Oracle Healthcare Translational Research | DataStudio (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 4.1.0, 4.1.1 | |
| CVE-2022-3479 | Oracle Healthcare Translational Research | DataStudio (NSS) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 4.1.0, 4.1.1 | |
| CVE-2022-42003 | Oracle Healthcare Translational Research | User Interface (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 4.1.0, 4.1.1 | |
| CVE-2022-46908 | Oracle Healthcare Translational Research | DataStudio (SQLite) | None | No | 7.3 | Local | Low | Low | None | Unchanged | High | High | Low | 4.1.0, 4.1.1 | |
| CVE-2023-25136 | Oracle Healthcare Translational Research | DataStudio (OpenSSH) | HTTP | Yes | 6.5 | Network | High | None | None | Unchanged | None | Low | High | 4.1.0, 4.1.1 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-42003 also addresses CVE-2022-42004.
 * The patch for CVE-2023-23914 also addresses CVE-2023-23915 and
   CVE-2023-23916.


 

ORACLE HOSPITALITY APPLICATIONS RISK MATRIX

This Critical Patch Update contains 1 new security patch for Oracle Hospitality
Applications.  This vulnerability is not remotely exploitable without
authentication, i.e., may not be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

Columns from Base Score through Availability are the CVSS version 3.1 risk (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-21932 | Oracle Hospitality OPERA 5 Property Services | OXI | HTTP | No | 7.2 | Network | High | High | None | Changed | High | Low | Low | 5.6 | |


 

ORACLE HYPERION RISK MATRIX

This Critical Patch Update contains 2 new security patches for Oracle Hyperion. 
1 of these vulnerabilities may be remotely exploitable without authentication,
i.e., may be exploited over a network without requiring user credentials.  The
English text form of this Risk Matrix can be found here.

Columns from Base Score through Availability are the CVSS version 3.1 risk (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-27404 | Oracle Hyperion Financial Reporting | Installation (FreeType) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.2.12 | |
| CVE-2021-36374 | Oracle Hyperion Infrastructure Technology | Installation and Configuration (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.2.12 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2021-36374 also addresses CVE-2021-36373.
 * The patch for CVE-2022-27404 also addresses CVE-2022-27405 and
   CVE-2022-27406.


 

ORACLE ILEARNING RISK MATRIX

This Critical Patch Update contains 3 new security patches for Oracle
iLearning.  2 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

Columns from Base Score through Availability are the CVSS version 3.1 risk (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-2351 | Oracle iLearning | Installation (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 6.3.1 | |
| CVE-2022-23437 | Oracle iLearning | Installation (Apache Xerces2 Java) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 6.3.1 | |
| CVE-2020-17521 | Oracle iLearning | Installation (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 6.3.1 | |


 

ORACLE INSURANCE APPLICATIONS RISK MATRIX

This Critical Patch Update contains 9 new security patches for Oracle Insurance
Applications.  All of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

Columns from Base Score through Availability are the CVSS version 3.1 risk (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-35168 | Oracle Documaker | Development Tools (Dell BSAFE Micro Edition Suite) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.6.0.0.0, 12.6.2.0.0-12.6.4.0.0, 12.7.0.0.0, 12.7.1.0.0 | |
| CVE-2022-27404 | Oracle Documaker | Development Tools (FreeType) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.6.0.0.0, 12.6.2.0.0-12.6.4.0.0, 12.7.0.0.0, 12.7.1.0.0 | |
| CVE-2022-22965 | Oracle Insurance Policy Administration | Operational Data Store for Life and Annuity Logger (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.0.1.8 | |
| CVE-2020-11987 | Oracle Insurance Policy Administration | Operational Data Store for Life and Annuity Logger (Apache Batik) | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | High | Low | None | 1.0.1.8 | |
| CVE-2023-24998 | Oracle Documaker | Development Tools (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.6.0.0.0, 12.6.2.0.0-12.6.4.0.0, 12.7.0.0.0, 12.7.1.0.0 | |
| CVE-2022-42003 | Oracle Documaker | Development Tools (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.6.0.0.0, 12.6.2.0.0-12.6.4.0.0, 12.7.0.0.0, 12.7.1.0.0 | |
| CVE-2020-25649 | Oracle Insurance Policy Administration | Operational Data Store for Life and Annuity Logger (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 1.0.1.8 | |
| CVE-2019-10086 | Oracle Insurance Policy Administration | Operational Data Store for Life and Annuity Logger (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 1.0.1.8 | |
| CVE-2021-35043 | Oracle Insurance Policy Administration | Operational Data Store for Life and Annuity Logger (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 1.0.1.8 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2020-25649 also addresses CVE-2020-35490, CVE-2020-35491,
   CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181,
   CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185,
   CVE-2020-36186, CVE-2020-36187, CVE-2020-36188, and CVE-2020-36189.
 * The patch for CVE-2020-35168 also addresses CVE-2020-29508, CVE-2020-35163,
   CVE-2020-35164, CVE-2020-35166, and CVE-2020-35167.
 * The patch for CVE-2022-27404 also addresses CVE-2022-27405 and
   CVE-2022-27406.
 * The patch for CVE-2022-42003 also addresses CVE-2022-42004.


 

ORACLE JAVA SE RISK MATRIX

This Critical Patch Update contains 8 new security patches, plus additional
third party patches noted below, for Oracle Java SE.  7 of these vulnerabilities
may be remotely exploitable without authentication, i.e., may be exploited over
a network without requiring user credentials.  The English text form of this
Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start
application has administrator privileges (typical on Windows). When the user
does not run with administrator privileges (typical on Solaris and Linux), the
corresponding CVSS impact scores for Confidentiality, Integrity, and
Availability are "Low" instead of "High", lowering the CVSS Base Score. For
example, a Base Score of 9.6 becomes 7.1.

Java Management Service, available to all users, can help you find vulnerable
Java versions in your systems. Java SE Subscribers and customers running in
Oracle Cloud can use Java Management Service to update Java Runtimes and to do
further security reviews, such as identifying potentially vulnerable third party
libraries used by your Java programs. Existing Java Management Service users
can click here to log in to their dashboard. The Java Management Service
Documentation lists the features available to everyone and those available
only to customers. Learn more about using Java Management Service to monitor
and secure your Java installations.

Columns from Base Score through Availability are the CVSS version 3.1 risk (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-21930 | Oracle Java SE, Oracle GraalVM Enterprise Edition | JSSE | TLS | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5, 22.3.1 | See Note 1 |
| CVE-2023-21967 | Oracle Java SE, Oracle GraalVM Enterprise Edition | JSSE | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5, 22.3.1 | See Note 1 |
| CVE-2023-21954 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Hotspot | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5, 22.3.1 | See Note 1 |
| CVE-2023-21986 | Oracle GraalVM Enterprise Edition | Native Image | None | No | 5.7 | Local | Low | None | None | Changed | None | Low | Low | Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5, 22.3.1 | |
| CVE-2023-21939 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Swing | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5, 22.3.1 | See Note 1 |
| CVE-2023-21938 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4, 22.3.0 | See Note 2 |
| CVE-2023-21968 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5, 22.3.1 | See Note 1 |
| CVE-2023-21937 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Networking | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5, 22.3.1 | See Note 1 |

NOTES:

 1. This vulnerability applies to Java deployments, typically in clients running
    sandboxed Java Web Start applications or sandboxed Java applets, that load
    and run untrusted code (e.g., code that comes from the internet) and rely on
    the Java sandbox for security. This vulnerability can also be exploited by
    using APIs in the specified Component, e.g., through a web service which
    supplies data to the APIs.
 2. This vulnerability applies to Java deployments, typically in clients running
    sandboxed Java Web Start applications or sandboxed Java applets, that load
    and run untrusted code (e.g., code that comes from the internet) and rely on
    the Java sandbox for security. This vulnerability does not apply to Java
    deployments, typically in servers, that load and run only trusted code
    (e.g., code installed by an administrator).

 

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

 * Oracle GraalVM Enterprise Edition
   * Node (Node.js): CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, and
     CVE-2023-23936.


 

ORACLE JD EDWARDS RISK MATRIX

This Critical Patch Update contains 14 new security patches for Oracle JD
Edwards.  8 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

CVSS version 3.1 risk (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex. | Privs Req'd | User Interact. | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-28738 | JD Edwards EnterpriseOne Tools | E1 Dev Platform Tech - Cloud Manager (Ruby) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 9.2.7.2 | |
| CVE-2022-2274 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure SEC (OpenSSL) | JDENET | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 9.2.7.3 | |
| CVE-2022-2274 | JD Edwards World Security | World Software Security (OpenSSL) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | A9.4 | |
| CVE-2022-21824 | JD Edwards EnterpriseOne Tools | E1 Dev Platform Tech - Cloud Manager (Node.js) | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | None | Low | High | Prior to 9.2.7.2 | |
| CVE-2018-1311 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure (Apache Xerces-C++) | JDENET | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | Prior to 9.2.7.3 | |
| CVE-2022-25857 | JD Edwards EnterpriseOne Orchestrator | E1 IOT Orchestrator Security (jruby) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 9.2.7.3 | |
| CVE-2022-42003 | JD Edwards EnterpriseOne Tools | Web Runtime SEC (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 9.2.7.3 | |
| CVE-2021-30129 | JD Edwards EnterpriseOne Tools | Interoperability SEC (Apache Mina SSHD) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | Prior to 9.2.7.3 | |
| CVE-2021-41973 | JD Edwards EnterpriseOne Tools | Interoperability SEC (Apache Mina) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | Prior to 9.2.7.3 | |
| CVE-2020-15250 | JD Edwards EnterpriseOne Tools | Business Logic Infra SEC (jUnit) | None | No | 5.5 | Local | Low | None | Required | Unchanged | High | None | None | Prior to 9.2.7.3 | |
| CVE-2021-36373 | JD Edwards EnterpriseOne Tools | Deployment SEC (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | Prior to 9.2.7.3 | |
| CVE-2023-21936 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 9.2.7.3 | |
| CVE-2023-21927 | JD Edwards EnterpriseOne Tools | Interoperability SEC | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | Prior to 9.2.7.3 | |
| CVE-2020-8908 | JD Edwards EnterpriseOne Orchestrator | E1 IOT Orchestrator Security (Google Guava) | None | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | Prior to 9.2.7.3 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2021-36373 also addresses CVE-2021-36374.
 * The patch for CVE-2022-21824 also addresses CVE-2021-44531, CVE-2021-44532,
   CVE-2021-44533, CVE-2022-32212, CVE-2022-32213, CVE-2022-32215, and
   CVE-2022-32222.
 * The patch for CVE-2022-2274 also addresses CVE-2022-1292, CVE-2022-2068,
   CVE-2022-2097, CVE-2022-3358, CVE-2022-3602, and CVE-2022-3786.
 * The patch for CVE-2022-25857 also addresses CVE-2020-15522, CVE-2020-28052,
   CVE-2022-38749, CVE-2022-38751, and CVE-2022-38752.
 * The patch for CVE-2022-28738 also addresses CVE-2022-28739.
 * The patch for CVE-2022-42003 also addresses CVE-2022-42004.


 

ORACLE MYSQL RISK MATRIX

This Critical Patch Update contains 34 new security patches, plus additional
third party patches noted below, for Oracle MySQL.  11 of these vulnerabilities
may be remotely exploitable without authentication, i.e., may be exploited over
a network without requiring user credentials.  The English text form of this
Risk Matrix can be found here.

CVSS version 3.1 risk (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex. | Privs Req'd | User Interact. | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-37434 | MySQL Server | InnoDB (zlib) | MySQL Protocol | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 5.7.41 and prior, 8.0.31 and prior | |
| CVE-2022-43548 | MySQL Cluster | Cluster: JS module (Node.js) | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.0.32 and prior | |
| CVE-2023-0215 | MySQL Connectors | Connector/C++ (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-0215 | MySQL Connectors | Connector/ODBC (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2022-45143 | MySQL Enterprise Monitor | Monitoring: General (Apache Tomcat) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 8.0.33 and prior | |
| CVE-2023-0215 | MySQL Enterprise Monitor | Monitoring: General (OpenSSL) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.33 and prior | |
| CVE-2023-0215 | MySQL Server | Server: Packaging (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.7.41 and prior, 8.0.32 and prior | |
| CVE-2022-43551 | MySQL Server | Server: Packaging (cURL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 5.7.41 and prior, 8.0.32 and prior | |
| CVE-2023-21912 | MySQL Server | Server: Security: Privileges | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.7.41 and prior, 8.0.30 and prior | |
| CVE-2023-0215 | MySQL Workbench | Workbench (OpenSSL) | MySQL Workbench | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21980 | MySQL Server | Client programs | MySQL Protocol | No | 7.1 | Network | High | Low | Required | Unchanged | High | High | High | 5.7.41 and prior, 8.0.32 and prior | |
| CVE-2023-21946 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2022-31160 | MySQL Enterprise Monitor | Monitoring: Server (jQueryUI) | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.33 and prior | |
| CVE-2023-21929 | MySQL Server | Server: DDL | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.32 and prior | |
| CVE-2023-21971 | MySQL Connectors | Connector/J | MySQL Protocol | No | 5.3 | Network | High | High | Required | Unchanged | Low | Low | High | 8.0.32 and prior | |
| CVE-2023-21911 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21962 | MySQL Server | Server: Components Services | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21919 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21933 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21972 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21966 | MySQL Server | Server: JSON | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21913 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.31 and prior | |
| CVE-2023-21917 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.30 and prior | |
| CVE-2023-21920 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21935 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21945 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21976 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21977 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21982 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21953 | MySQL Server | Server: Partition | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21955 | MySQL Server | Server: Partition | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21940 | MySQL Server | Server: Components Services | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21947 | MySQL Server | Server: Components Services | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 8.0.32 and prior | |
| CVE-2023-21963 | MySQL Server | Server: Connection Handling | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | None | None | Low | 5.7.40 and prior, 8.0.31 and prior | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-43548 also addresses CVE-2022-3602 and CVE-2022-3786.
 * The patch for CVE-2023-0215 also addresses CVE-2022-4304, CVE-2022-4450, and
   CVE-2023-0286.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

 * MySQL Cluster
   * Cluster: General (zlib): CVE-2022-37434.


 

ORACLE PEOPLESOFT RISK MATRIX

This Critical Patch Update contains 10 new security patches for Oracle
PeopleSoft.  8 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

CVSS version 3.1 risk (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex. | Privs Req'd | User Interact. | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14343 | PeopleSoft Enterprise PeopleTools | Porting (PyYAML) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.58, 8.59 | |
| CVE-2022-45047 | PeopleSoft Enterprise PeopleTools | Webserver (Apache Mina SSHD) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.60 | |
| CVE-2022-41881 | PeopleSoft Enterprise PeopleTools | Elastic Search (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.58, 8.59, 8.60 | |
| CVE-2022-34169 | PeopleSoft Enterprise PeopleTools | Integration Broker (Apache Xalan-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 8.58 | |
| CVE-2022-45685 | PeopleSoft Enterprise PeopleTools | Security (Jettison) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.58, 8.59, 8.60 | |
| CVE-2021-37533 | PeopleSoft Enterprise PeopleTools | Integration Broker (Apache Commons Net) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 8.58, 8.59, 8.60 | |
| CVE-2022-36033 | PeopleSoft Enterprise PeopleTools | Elastic Search (jsoup) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.58, 8.59, 8.60 | |
| CVE-2023-21992 | PeopleSoft Enterprise HCM Human Resources | Administer Workforce | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 9.2 | |
| CVE-2023-21916 | PeopleSoft Enterprise PeopleTools | Web Server | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.58, 8.59, 8.60 | |
| CVE-2023-21981 | PeopleSoft Enterprise PeopleTools | Elastic Search | HTTP | No | 4.9 | Network | Low | High | None | Unchanged | High | None | None | 8.58, 8.59, 8.60 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-41881 also addresses CVE-2022-41915.
 * The patch for CVE-2022-45685 also addresses CVE-2022-45693.


 

ORACLE RETAIL APPLICATIONS RISK MATRIX

This Critical Patch Update contains 22 new security patches for Oracle Retail
Applications.  16 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

CVSS version 3.1 risk (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex. | Privs Req'd | User Interact. | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-45047 | Oracle Retail Customer Management and Segmentation Foundation | Internal Operations (Apache Mina SSHD) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 19.0.0.6 | |
| CVE-2022-42889 | Oracle Retail Merchandising System | Security (Apache Commons Text) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 16.0.2, 16.0.3 | |
| CVE-2020-35168 | Oracle Retail Predictive Application Server | RPAS Server (Dell BSAFE Micro Edition Suite) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 15.0.3, 16.0.3 | |
| CVE-2022-37434 | Oracle Retail Predictive Application Server | RPAS Server (zlib) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 15.0.3, 16.0.3 | |
| CVE-2022-42889 | Oracle Retail Xstore Office Cloud Service | DB, Perf, etc (Apache Commons Text) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 18.0.5, 19.0.4, 20.0.3, 21.0.2 | |
| CVE-2022-42889 | Oracle Retail Xstore Point of Service | Point of Sale (Apache Commons Text) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 18.0.5, 19.0.4, 20.0.3, 21.0.2 | |
| CVE-2022-33980 | Oracle Retail Xstore Point of Service | Xenvironment (Apache Commons Configuration) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 18.0.5, 19.0.4, 20.0.3, 21.0.2 | |
| CVE-2022-42889 | Oracle Retail Xstore Point of Service | Xenvironment (Apache Commons Text) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 18.0.5, 19.0.4, 20.0.3, 21.0.2 | |
| CVE-2022-3171 | Oracle Retail Customer Management and Segmentation Foundation | Internal Operations (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 18.0.0.12, 19.0.0.6 | |
| CVE-2022-42003 | Oracle Retail Customer Management and Segmentation Foundation | Internal Operations (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 18.0.0.12, 19.0.0.6 | |
| CVE-2022-42003 | Oracle Retail Merchandising System | Foundation (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 15.0.3.1 | |
| CVE-2022-42003 | Oracle Retail Sales Audit | others (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 15.0.3.1 | |
| CVE-2022-41966 | Oracle Retail Xstore Point of Service | Xenvironment (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 17.0.6, 18.0.5, 19.0.4, 20.0.3, 21.0.2 | |
| CVE-2022-42003 | Oracle Retail Xstore Point of Service | Xenvironment (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 17.0.6, 18.0.5, 19.0.4, 20.0.3, 21.0.2 | |
| CVE-2022-23181 | Oracle Retail Xstore Point of Service | Xenvironment (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 17.0.6, 18.0.5, 19.0.4, 20.0.3, 21.0.2 | |
| CVE-2021-44832 | Oracle Retail Invoice Matching | Security (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 15.0.3, 16.0.3 | |
| CVE-2021-44832 | Oracle Retail Price Management | Security (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 14.1.3.2, 15.0.3.1, 16.0.3 | |
| CVE-2022-22971 | Oracle Retail Customer Management and Segmentation Foundation | Internal Operations (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 18.0.0.12, 19.0.0.6 | |
| CVE-2022-22971 | Oracle Retail Fiscal Management | Security (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 14.2 | |
| CVE-2022-23437 | Oracle Retail Xstore Point of Service | Xenvironment (Apache Xerces2 Java) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 17.0.6 | |
| CVE-2022-22971 | Oracle Retail Xstore Point of Service | Xenvironment (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 17.0.6, 18.0.5, 19.0.4, 20.0.3, 21.0.2 | |
| CVE-2022-36033 | Oracle Retail Customer Management and Segmentation Foundation | Internal Operations (jsoup) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 18.0.0.12, 19.0.0.6 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2020-35168 also addresses CVE-2020-29508, CVE-2020-35163,
   CVE-2020-35164, CVE-2020-35166, and CVE-2020-35167.
 * The patch for CVE-2022-22971 also addresses CVE-2022-22970.
 * The patch for CVE-2022-41966 also addresses CVE-2022-40151.
 * The patch for CVE-2022-42003 also addresses CVE-2022-42004.


 

ORACLE SIEBEL CRM RISK MATRIX

This Critical Patch Update contains 6 new security patches for Oracle Siebel
CRM.  3 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

CVSS version 3.1 risk (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex. | Privs Req'd | User Interact. | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-42003 | Siebel CRM | EAI (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.2 and prior | |
| CVE-2022-42252 | Siebel CRM | Services (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 23.2 and prior | |
| CVE-2021-3712 | Siebel CRM | Siebel Core - Server Infrastructure (OpenSSL) | HTTPS | Yes | 7.4 | Network | High | None | None | Unchanged | High | None | High | 22.10 and prior | |
| CVE-2020-7712 | Siebel CRM | Loging (Apache ZooKeeper) | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 22.5 and prior | |
| CVE-2023-21909 | Siebel CRM | UI Framework | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 23.3 and prior | |
| CVE-2021-37695 | Siebel CRM | Open UI (CKEditor) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 21.10 and prior | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2021-37695 also addresses CVE-2021-32808 and
   CVE-2021-32809.
 * The patch for CVE-2022-42003 also addresses CVE-2022-42004.


ORACLE SUPPLY CHAIN RISK MATRIX

This Critical Patch Update contains 2 new security patches for Oracle Supply
Chain.  Both of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-45143 | Oracle Agile PLM | Security (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 9.3.6 | |
| CVE-2022-42003 | Oracle Agile PLM | Security (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.3.6 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-42003 also addresses CVE-2022-42004.


ORACLE SYSTEMS RISK MATRIX

This Critical Patch Update contains 6 new security patches for Oracle Systems. 
None of these vulnerabilities may be remotely exploitable without
authentication, i.e., none may be exploited over a network without requiring
user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-21948 | Oracle Solaris | Core | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 10 | |
| CVE-2023-21985 | Oracle Solaris | Utility | None | No | 7.7 | Local | Low | High | Required | Changed | High | High | High | 10, 11 | |
| CVE-2023-21896 | Oracle Solaris | NSSwitch | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 10, 11 | |
| CVE-2023-21984 | Oracle Solaris | Libraries | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 11 | |
| CVE-2023-22003 | Oracle Solaris | Utility | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | Low | None | 10, 11 | |
| CVE-2023-21928 | Oracle Solaris | IPS repository daemon | None | No | 1.8 | Local | High | High | Required | Unchanged | None | Low | None | 11 | |


ORACLE UTILITIES APPLICATIONS RISK MATRIX

This Critical Patch Update contains 4 new security patches, plus additional
third party patches noted below, for Oracle Utilities Applications.  3 of these
vulnerabilities may be remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user credentials.  The English text
form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-23305 | Oracle Utilities Application Framework | General (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.2.0.3.0 | |
| CVE-2020-13936 | Oracle Utilities Application Framework | General (Apache Velocity Engine) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | |
| CVE-2022-41966 | Oracle Utilities Application Framework | General (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0 | |
| CVE-2021-41184 | Oracle Utilities Network Management System | User Interface (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 2.3.0.2, 2.4.0.1, 2.5.0.0, 2.5.0.1 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2021-41184 also addresses CVE-2021-41182 and
   CVE-2021-41183.
 * The patch for CVE-2022-23305 also addresses CVE-2021-4104, CVE-2022-23302,
   and CVE-2022-23307.
 * The patch for CVE-2022-41966 also addresses CVE-2022-40151.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

 * Oracle Utilities Network Management System
   * System Wide (Apache Batik): CVE-2020-11987.
   * System Wide (Apache Commons Configuration): CVE-2022-33980.


ORACLE VIRTUALIZATION RISK MATRIX

This Critical Patch Update contains 11 new security patches for Oracle
Virtualization.  1 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-21990 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-21987 | Oracle VM VirtualBox | Core | None | No | 7.8 | Local | High | Low | None | Changed | High | High | High | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2022-42916 | Oracle VM VirtualBox | Core (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-22002 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-21989 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-21998 | Oracle VM VirtualBox | Core | None | No | 4.6 | Local | Low | High | None | Changed | Low | Low | None | Prior to 6.1.44, Prior to 7.0.8 | See Note 1 |
| CVE-2023-22000 | Oracle VM VirtualBox | Core | None | No | 4.6 | Local | Low | High | None | Changed | Low | Low | None | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-22001 | Oracle VM VirtualBox | Core | None | No | 4.6 | Local | Low | High | None | Changed | Low | Low | None | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-21988 | Oracle VM VirtualBox | Core | None | No | 3.8 | Local | Low | Low | None | Changed | Low | None | None | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-21999 | Oracle VM VirtualBox | Core | None | No | 3.6 | Local | High | Low | None | Unchanged | Low | Low | None | Prior to 6.1.44, Prior to 7.0.8 | |
| CVE-2023-21991 | Oracle VM VirtualBox | Core | None | No | 3.2 | Local | Low | High | None | Changed | Low | None | None | Prior to 6.1.44, Prior to 7.0.8 | |

NOTES:

 1. This vulnerability applies to Windows VMs only.


ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-42916 also addresses CVE-2022-43551.

 * © 2024 Oracle