URL: https://www.oracle.com/security-alerts/cpuoct2022.html
Submission: On January 04 via api from US — Scanned from DE

ORACLE CRITICAL PATCH UPDATE ADVISORY - OCTOBER 2022


DESCRIPTION

A Critical Patch Update is a collection of patches for multiple security
vulnerabilities. These patches address vulnerabilities in Oracle code and in
third-party components included in Oracle products. These patches are usually
cumulative, but each advisory describes only the security patches added since
the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update
advisories should be reviewed for information regarding earlier published
security patches. Refer to “Critical Patch Updates, Security Alerts and
Bulletins” for information about Oracle Security advisories.

Oracle continues to periodically receive reports of attempts to maliciously
exploit vulnerabilities for which Oracle has already released security patches.
In some instances, it has been reported that attackers have been successful
because targeted customers had failed to apply available Oracle patches. Oracle
therefore strongly recommends that customers remain on actively-supported
versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 370 new security patches across the product
families listed below. A My Oracle Support (MOS) note summarizing the content of
this Critical Patch Update and other Oracle Software Security Assurance
activities is located at October 2022 Critical Patch Update: Executive Summary
and Analysis.


AFFECTED PRODUCTS AND PATCH INFORMATION

Security vulnerabilities addressed by this Critical Patch Update affect the
products listed below. The product area is shown in the Patch Availability
Document column.

Please click on the links in the Patch Availability Document column below to
access the documentation for patch availability information and installation
instructions.

Affected Products and Versions | Patch Availability Document
Application Management Pack for Oracle E-Business Suite, version 13.4.1.0.0 | Oracle E-Business Suite
Big Data Spatial and Graph | Database
Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0 | Enterprise Manager
Enterprise Manager for Virtualization, versions 13.4.0.0, 13.5.0.0 | Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0 | Enterprise Manager
JD Edwards EnterpriseOne Orchestrator, versions 9.2.6.4 and prior | JD Edwards
JD Edwards EnterpriseOne Tools, versions 9.2.6.4 and prior | JD Edwards
MySQL Connectors, versions 8.0.30 and prior | MySQL
MySQL Enterprise Backup, versions 4.1.4 and prior | MySQL
MySQL Enterprise Monitor, versions 8.0.31 and prior | MySQL
MySQL Installer, versions 1.6.3 and prior | MySQL
MySQL Server, versions 5.7.39 and prior, 8.0.30 and prior | MySQL
MySQL Shell, versions 8.0.30 and prior | MySQL
MySQL Workbench, versions 8.0.30 and prior | MySQL
Oracle Access Manager, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Agile Engineering Data Management, version 6.2.1.0 | Oracle Supply Chain Products
Oracle Agile PLM, version 9.3.6 | Oracle Supply Chain Products
Oracle Airlines Data Model | Oracle Airlines Data Model
Oracle Application Express | Database
Oracle AutoVue, version 21.0.2 | Oracle Supply Chain Products
Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2 | Oracle Supply Chain Products
Oracle Banking Enterprise Default Management, version 2.12.0 | Oracle Banking Platform
Oracle Banking Loans Servicing, versions 2.8.0, 2.12.0 | Contact Support
Oracle Banking Party Management, version 2.7.0 | Oracle Banking Platform
Oracle Banking Platform, versions 2.7.1, 2.9.0, 2.12.0 | Oracle Banking Platform
Oracle BI Publisher, versions 5.9.0.0, 6.4.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | Oracle Analytics
Oracle Business Activity Monitoring (Oracle BAM), versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.9.0.0, 6.4.0.0 | Oracle Analytics
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle Commerce Platform, versions 11.3.0-11.3.2 | Oracle Commerce
Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.7.0 | Oracle Communications Billing and Revenue Management
Oracle Communications Cloud Native Core Binding Support Function, version 22.3.0 | Oracle Communications Cloud Native Core Binding Support Function
Oracle Communications Cloud Native Core Console, version 22.2.0 | Oracle Communications Cloud Native Core Console
Oracle Communications Cloud Native Core Network Exposure Function, versions 22.2.1, 22.3.0 | Oracle Communications Cloud Native Core Network Exposure Function
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 1.9.0, 22.1, 22.1.0, 22.2, 22.2.0, 22.2.1 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Oracle Communications Cloud Native Core Network Repository Function, version 22.2.2 | Oracle Communications Cloud Native Core Network Repository Function
Oracle Communications Cloud Native Core Policy, version 22.3.0 | Oracle Communications Cloud Native Core Policy
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 22.1.1, 22.2.0, 22.2.1, 22.3.0 | Oracle Communications Cloud Native Core Security Edge Protection Proxy
Oracle Communications Cloud Native Core Service Communication Proxy, versions 22.2.3, 22.3.1, 22.4.0 | Oracle Communications Cloud Native Core Service Communication Proxy
Oracle Communications Cloud Native Core Unified Data Repository, versions 22.1.1, 22.2.1, 22.3.0 | Oracle Communications Cloud Native Core Unified Data Repository
Oracle Communications Converged Application Server - Service Controller, version 6.2 | Oracle Communications Converged Application Server - Service Controller
Oracle Communications Convergence, version 3.0.3.0 | Oracle Communications Convergence
Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.5.0.0 | Oracle Communications Convergent Charging Controller
Oracle Communications Data Model, version 12.2.0.1 | Oracle Communications Data Model
Oracle Communications Design Studio, version 7.4.2 | Oracle Communications Design Studio
Oracle Communications Diameter Signaling Router, version 8.6.0.0 | Oracle Communications Diameter Signaling Router
Oracle Communications Element Manager, version 9.0 | Oracle Communications Element Manager
Oracle Communications Evolved Communications Application Server, version 7.1 | Oracle Communications Evolved Communications Application Server
Oracle Communications Instant Messaging Server, version 10.0.1.6.0 | Oracle Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder, version 6.4 | Oracle Communications Interactive Session Recorder
Oracle Communications Messaging Server, version 8.1 | Oracle Communications Messaging Server
Oracle Communications MetaSolv Solution, version 6.3.1 | Oracle Communications MetaSolv Solution
Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.5.0.0 | Oracle Communications Network Charging and Control
Oracle Communications Order and Service Management, versions 7.3, 7.4 | Oracle Communications Order and Service Management
Oracle Communications Policy Management, version 12.6.0.0.0 | Oracle Communications Policy Management
Oracle Communications Pricing Design Center, versions 12.0.0.4.0-12.0.0.7.0 | Oracle Communications Pricing Design Center
Oracle Communications Services Gatekeeper, version 7.0.0.0.0 | Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions 8.4, 9.0, 9.1 | Oracle Communications Session Border Controller
Oracle Communications Session Report Manager, version 9.0 | Oracle Communications Session Report Manager
Oracle Communications Unified Assurance, versions prior to 5.5.7.0.0, 6.0.0.0.0 | Oracle Communications Unified Assurance
Oracle Communications User Data Repository, versions 12.4.0, 12.6.0, 12.6.1 | Oracle Communications User Data Repository
Oracle Communications WebRTC Session Controller, versions 7.2.0, 7.2.1 | Oracle Communications WebRTC Session Controller
Oracle Data Integrator, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Database Server, versions 19c, 21c | Database
Oracle Documaker Enterprise Edition, versions 12.6-12.7 | Oracle Insurance Applications
Oracle E-Business Suite, versions 12.2.3-12.2.11 | Oracle E-Business Suite
Oracle Enterprise Data Quality, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Enterprise Operations Monitor, versions 4.4, 5.0 | Oracle Enterprise Operations Monitor
Oracle Essbase, version 21.3 | Database
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1 | Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Behavior Detection Platform, versions 8.0.7.2, 8.0.8.1, 8.1.1.0, 8.1.1.1, 8.1.2.0, 8.1.2.1, 8.1.2.2 | Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Enterprise Case Management, versions 8.0.7.3, 8.0.8.2, 8.1.1.0, 8.1.1.1, 8.1.2.0, 8.1.2.1, 8.1.2.2 | Oracle Financial Services Enterprise Case Management
Oracle Financial Services Model Management and Governance, versions 8.0.8.0, 8.1.0.0, 8.1.1.0 | Oracle Financial Services Model Management and Governance
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, versions 8.0.7.0, 8.0.8.0 | Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition
Oracle GoldenGate, version 19c | Database
Oracle GraalVM Enterprise Edition, versions 20.3.7, 21.3.3, 22.2.0 | Java SE
Oracle Healthcare Data Repository, versions 8.1.1, 8.1.2, 8.1.3 | HealthCare Applications
Oracle Healthcare Foundation, versions 8.1, 8.2 | HealthCare Applications
Oracle Healthcare Master Person Index, versions 5.0.0-5.0.3 | HealthCare Applications
Oracle Healthcare Translational Research, version 4.1 | HealthCare Applications
Oracle Hospitality Cruise Fleet Management System, version 9.1.5 | Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Cruise Shipboard Property Management System, versions 20.2.0, 20.2.2 | Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality Suite8, versions 8.10.2, 8.11.0, 8.12.0, 8.13.0, 8.14.0 | Oracle Hospitality Suite8
Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Hyperion Infrastructure Technology, version 11.2.9 | Oracle Enterprise Performance Management
Oracle Identity Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Insurance Insbridge Rating and Underwriting, versions 5.2.0, 5.4.0-5.6.2 | Oracle Insurance Applications
Oracle Java SE, versions 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19 | Java SE
Oracle MapViewer, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Middleware Common Libraries and Tools, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle NoSQL Database | NoSQL Database
Oracle Outside In Technology, version 8.5.6 | Fusion Middleware
Oracle Retail Assortment Planning, version 16.0.3 | Retail Applications
Oracle Retail Back Office, version 14.1 | Retail Applications
Oracle Retail Central Office, version 14.1 | Retail Applications
Oracle Retail Customer Insights, versions 15.0.2, 15.2, 16.0.2 | Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 17.0, 18.0, 19.0 | Retail Applications
Oracle Retail EFTLink, versions 20.0.1, 21.0.0 | Retail Applications
Oracle Retail Fiscal Management, version 14.2 | Retail Applications
Oracle Retail Merchandising System, versions 14.1.3.2, 15.0.3.1, 19.0.1 | Retail Applications
Oracle Retail Point Of Service, version 14.1 | Retail Applications
Oracle Retail Predictive Application Server, versions 14.1.3.47, 15.0.3.116, 16.0.3.260 | Retail Applications
Oracle Retail Returns Management, version 14.1 | Retail Applications
Oracle Retail Sales Audit, version 19.0.1 | Retail Applications
Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1, 16.0.3 | Retail Applications
Oracle SD-WAN Aware, version 9.0.1.3.0 | Oracle SD-WAN Aware
Oracle SD-WAN Edge, versions 7.0.7, 9.1.1.2.0 | Oracle SD-WAN Edge
Oracle Secure Backup, versions prior to 18.1.0.2.0 | Oracle Secure Backup
Oracle SOA Suite, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Solaris, version 11 | Systems
Oracle Solaris Cluster, version 4 | Systems
Oracle SQL Developer | Database
Oracle TimesTen In-Memory Database | Database
Oracle Transportation Management, versions 6.4.3, 6.5.1 | Oracle Supply Chain Products
Oracle Utilities Testing Accelerator, versions 6.0.0.1.3, 6.0.0.2.4, 6.0.0.3.3, 7.0.0.0.0 | Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 6.1.40 | Virtualization
Oracle WebCenter Content, version 12.2.1.3.0 | Fusion Middleware
Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
PeopleSoft Enterprise Common Components, version 9.2 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59, 8.60 | PeopleSoft
Primavera Gateway, versions 18.8.0-18.8.15, 19.12.0-19.12.14, 20.12.0-20.12.9, 21.12.0-21.12.7 | Oracle Construction and Engineering Suite
Primavera Unifier, versions 18.8, 19.12, 20.12, 21.12 | Oracle Construction and Engineering Suite
Siebel Applications, versions 22.8 and prior | Siebel

Common Components, version 9.2 PeopleSoft PeopleSoft Enterprise PeopleTools,
versions 8.58, 8.59, 8.60 PeopleSoft Primavera Gateway, versions 18.8.0-18.8.15,
19.12.0-19.12.14, 20.12.0-20.12.9, 21.12.0-21.12.7 Oracle Construction and
Engineering Suite Primavera Unifier, versions 18.8, 19.12, 20.12, 21.12 Oracle
Construction and Engineering Suite Siebel Applications, versions 22.8 and prior
Siebel

NOTE:

 * Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle
   customers should refer to the Oracle and Sun Systems Product Suite Critical
   Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for
   information on minimum revisions of security patches required to resolve
   ZFSSA issues published in Critical Patch Updates and Solaris Third Party
   bulletins.
 * Solaris Third Party Bulletins are used to announce security patches for third
   party software distributed with Oracle Solaris. Solaris 10 customers should
   refer to the latest patch-sets which contain critical security patches
   detailed in Systems Patch Availability Document. Please see Reference Index
   of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more
   information.
 * Users running Java SE with a browser can download the latest release from
   https://java.com. Users on the Windows and Mac OS X platforms can also use
   automatic updates to get the latest release.


RISK MATRIX CONTENT

Risk matrices list only security vulnerabilities that are newly addressed by the
patches associated with this advisory. Risk matrices for previous security
patches can be found in previous Critical Patch Update advisories and Alerts. An
English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple
products. Each vulnerability is identified by a CVE#. A vulnerability that
affects multiple products will appear with the same CVE# in all risk matrices.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS
Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a
Critical Patch Update. Oracle does not disclose detailed information about this
security analysis to customers, but the resulting Risk Matrix and associated
documentation provide information about the type of vulnerability, the
conditions required to exploit it, and the potential impact of a successful
exploit. Oracle provides this information, in part, so that customers may
conduct their own risk analysis based on the particulars of their product usage.
For more information, see Oracle vulnerability disclosure policies.

Oracle lists updates that address vulnerabilities in third-party components that
are not exploitable in the context of their inclusion in their respective Oracle
product beneath the product's risk matrix.

The protocol in the risk matrix implies that all of its secure variants (if
applicable) are affected as well. For example, if HTTP is listed as an affected
protocol, it implies that HTTPS (if applicable) is also affected. The secure
variant of a protocol is listed in the risk matrix only if it is the only
variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL
and TLS.
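Because every risk matrix in this advisory publishes the eight CVSS v3.1 base metrics next to the Base Score, the scores can be recomputed locally and the metrics turned into a vector string for a vulnerability tracker. The Python below is an added example, not Oracle's code or part of this advisory: it implements the Base Score equations and the Roundup function exactly as published in the FIRST CVSS v3.1 specification, and checks them against rows copied from the matrices on this page. The row data are the page's; the function names and the ADVISORY_ROWS table are mine.

```python
import math

# CVSS v3.1 base-metric weights, as published in the FIRST CVSS v3.1 specification.
ATTACK_VECTOR = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.20}
ATTACK_COMPLEXITY = {"Low": 0.77, "High": 0.44}
# The Privileges Required weight depends on Scope: (Scope Unchanged, Scope Changed).
PRIVILEGES_REQUIRED = {"None": (0.85, 0.85), "Low": (0.62, 0.68), "High": (0.27, 0.50)}
USER_INTERACTION = {"None": 0.85, "Required": 0.62}
IMPACT = {"High": 0.56, "Low": 0.22, "None": 0.0}

# Single-letter metric values used in vector strings.
ABBREV = {"Network": "N", "Adjacent": "A", "Local": "L", "Physical": "P",
          "Low": "L", "High": "H", "None": "N", "Required": "R",
          "Unchanged": "U", "Changed": "C"}


def roundup(value):
    """CVSS v3.1 Roundup(): the smallest one-decimal number >= value, computed
    on integers so floating-point noise cannot push a score up by a tenth."""
    int_input = int(round(value * 100000))
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a):
    """Compute the CVSS v3.1 Base Score from the eight base metrics."""
    changed = scope == "Changed"
    # Impact Sub Score: the combined CIA impact.
    iss = 1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = (8.22 * ATTACK_VECTOR[av] * ATTACK_COMPLEXITY[ac]
                      * PRIVILEGES_REQUIRED[pr][1 if changed else 0]
                      * USER_INTERACTION[ui])
    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def vector_string(av, ac, pr, ui, scope, c, i, a):
    """Render the base metrics as a CVSS v3.1 vector string for other tooling."""
    return "CVSS:3.1/AV:{}/AC:{}/PR:{}/UI:{}/S:{}/C:{}/I:{}/A:{}".format(
        ABBREV[av], ABBREV[ac], ABBREV[pr], ABBREV[ui], ABBREV[scope],
        ABBREV[c], ABBREV[i], ABBREV[a])


# Rows copied from the risk matrices in this advisory (Database Server, Essbase,
# Secure Backup): (CVE, AV, AC, PR, UI, Scope, C, I, A, published Base Score).
ADVISORY_ROWS = [
    ("CVE-2022-21596", "Network", "Low", "High", "None", "Unchanged", "High", "High", "High", 7.2),
    ("CVE-2020-36518", "Network", "Low", "Low", "None", "Unchanged", "None", "None", "High", 6.5),
    ("CVE-2022-21606", "Network", "Low", "None", "Required", "Changed", "Low", "Low", "None", 6.1),
    ("CVE-2022-39419", "Network", "Low", "Low", "None", "Unchanged", "Low", "None", "None", 4.3),
    ("CVE-2021-22946", "Network", "Low", "None", "None", "Unchanged", "High", "None", "None", 7.5),
    ("CVE-2021-44832", "Network", "High", "High", "None", "Unchanged", "High", "High", "High", 6.6),
    ("CVE-2022-31813", "Network", "Low", "None", "None", "Unchanged", "High", "High", "High", 9.8),
]


def check_rows(rows=ADVISORY_ROWS):
    """Return (cve, computed, published) for every row whose published score
    differs from the recomputed one; an empty list means all rows agree."""
    mismatches = []
    for cve, *metrics, published in rows:
        computed = base_score(*metrics)
        if computed != published:
            mismatches.append((cve, computed, published))
    return mismatches


if __name__ == "__main__":
    for cve, *metrics, published in ADVISORY_ROWS:
        print(cve, vector_string(*metrics), base_score(*metrics), published)
    print("mismatches:", check_rows())
```

The Scope Changed branch matters for CVE-2022-21606 in the Database Server matrix: with the same network metrics and a lower impact than the 6.5 rows, it still scores 6.1 only because the changed-scope Impact equation and the 1.08 multiplier apply. Note also that Oracle's "Remote Exploit without Auth.?" column is not a CVSS metric; it is Oracle's own "Yes" when Attack Vector is Network and Privileges Required is None.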


WORKAROUNDS

Due to the threat posed by a successful attack, Oracle strongly recommends that
customers apply Critical Patch Update security patches as soon as possible.
Until you apply the Critical Patch Update patches, it may be possible to reduce
the risk of successful attack by blocking network protocols required by an
attack. For attacks that require certain privileges or access to certain
packages, removing the privileges or the ability to access the packages from
users that do not need the privileges may help reduce the risk of successful
attack. Both approaches may break application functionality, so Oracle strongly
recommends that customers test changes on non-production systems. Neither
approach should be considered a long-term solution as neither corrects the
underlying problem.


SKIPPED CRITICAL PATCH UPDATES

Oracle strongly recommends that customers apply security patches as soon as
possible. For customers that have skipped one or more Critical Patch Updates and
are concerned about products that do not have security patches announced in this
Critical Patch Update, please review previous Critical Patch Update advisories
to determine appropriate actions.


CRITICAL PATCH UPDATE SUPPORTED PRODUCTS AND VERSIONS

Patches released through the Critical Patch Update program are provided only for
product versions that are covered under the Premier Support or Extended Support
phases of the Lifetime Support Policy. Oracle recommends that customers plan
product upgrades to ensure that patches released through the Critical Patch
Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not
tested for the presence of vulnerabilities addressed by this Critical Patch
Update. However, it is likely that earlier versions of affected releases are
also affected by these vulnerabilities. As a result, Oracle recommends that
customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched
in accordance with the Software Error Correction Support Policy explained in My
Oracle Support Note 209768.1. Please review the Technical Support Policies for
further guidelines regarding support policies and phases of support.


CREDIT STATEMENT

The following people or organizations reported security vulnerabilities
addressed by this Critical Patch Update to Oracle:

 * 4ra1n of Chaitin Tech: CVE-2022-21598, CVE-2022-21616, CVE-2022-21622,
   CVE-2022-21623
 * Anonymous researcher working with Trend Micro's Zero Day Initiative:
   CVE-2022-39412
 * Billy Jheng Bing-Jhong (st424204) working with Trend Micro Zero Day
   Initiative: CVE-2022-39422, CVE-2022-39423
 * Christine Joy Infante of Vantage Point Security Pte. Ltd: CVE-2022-21612,
   CVE-2022-21613, CVE-2022-21614, CVE-2022-21615
 * Dohyun Lee (l33d0hyun) of SecuriTeam Secure Disclosure Labs: CVE-2022-39421
 * Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2022-21596
 * Exist (exist91240480) working with Trend Micro Zero Day Initiative:
   CVE-2022-39427
 * George R: CVE-2022-21592
 * Hangfan Zhang: CVE-2022-21594
 * Houssam Sahli of Red Canari: CVE-2022-21629, CVE-2022-21630, CVE-2022-21631
 * kn32 working with Trend Micro Zero Day Initiative: CVE-2022-39424,
   CVE-2022-39425, CVE-2022-39426
 * Kun Yang of Chaitin Security Research Lab: CVE-2022-21620, CVE-2022-21621,
   CVE-2022-21627
 * l1k3beef: CVE-2022-21587
 * Lu Yu of Chaitin Security Research Lab: CVE-2022-21620, CVE-2022-21621,
   CVE-2022-21627
 * Ninad from bugcrowd ASG team: CVE-2022-21606
 * Ruhai Zhang of Beijing DBSEC Technology Co., Ltd: CVE-2022-21608
 * Rui Zhong: CVE-2022-21594
 * Samuel Tan of Vantage Point Security Pte. Ltd: CVE-2022-21612,
   CVE-2022-21613, CVE-2022-21614, CVE-2022-21615
 * Y4tacker: CVE-2022-21616
 * ycdxsb of VARAS@IIE: CVE-2022-39402, CVE-2022-39403, CVE-2022-39404
 * Yongheng Chen: CVE-2022-21594
 * Zu-Ming Jiang: CVE-2022-21607

SECURITY-IN-DEPTH CONTRIBUTORS

Oracle acknowledges people who have contributed to our Security-In-Depth program
(see FAQ). People are acknowledged for Security-In-Depth contributions if they
provide information, observations or suggestions pertaining to security
vulnerability issues that result in significant modification of Oracle code or
documentation in future releases, but are not of such a critical nature that
they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions
to Oracle's Security-In-Depth program:

 * 4ra1n of Chaitin Tech
 * Emad Al-Mousa of Saudi Aramco [3 reports]
 * John Jiang of Tencent
 * Matt Luscombe
 * Motasim Taha
 * Nikhil Rathore
 * Sai Gopal
 * Xuelei Fan
 * ycdxsb of VARAS@IIE

ON-LINE PRESENCE SECURITY CONTRIBUTORS

Oracle acknowledges people who have contributed to our On-Line Presence Security
program (see FAQ). People are acknowledged for contributions relating to
Oracle's on-line presence if they provide information, observations or
suggestions pertaining to security-related issues that result in significant
modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's
On-Line Presence Security program:

 * Abdalrahman Ali
 * Abdlallah Mohammed
 * Ahmed Al-Saleem
 * Chester van den Bogaard
 * Dexter Rim
 * Hassam
 * Jan Kopřiva of Nettles Consulting
 * Jil Hirenkumar Shah
 * Parag Bagul
 * Pratik Shetty
 * Raguraman R
 * Rasel Mir (araselmir)
 * Secure Web
 * Yagnik Bhuva


CRITICAL PATCH UPDATE SCHEDULE

Critical Patch Updates are released on the third Tuesday of January, April,
July, and October. The next four dates are:

 * 17 January 2023
 * 18 April 2023
 * 18 July 2023
 * 17 October 2023


REFERENCES

 * Oracle Critical Patch Updates, Security Alerts and Bulletins
 * Critical Patch Update - October 2022 Documentation Map
 * Oracle Critical Patch Updates and Security Alerts - Frequently Asked
   Questions
 * Risk Matrix Definitions
 * Use of Common Vulnerability Scoring System (CVSS) by Oracle
 * English text version of the risk matrices
 * CVRF XML version of the risk matrices
 * CSAF JSON version of the risk matrices
 * Map of CVE to Advisory/Alert
 * Oracle Lifetime support Policy
 * JEP 290 Reference Blocklist Filter



MODIFICATION HISTORY

Date | Note
2022-December-12 | Rev 3. Updated the affected versions for Oracle Data Integrator
2022-October-27 | Rev 2. Added Credit for CVE-2022-21607
2022-October-18 | Rev 1. Initial Release.

ORACLE DATABASE PRODUCTS RISK MATRICES

This Critical Patch Update contains 14 new security patches for Oracle Database
Products divided as follows:

 * 8 new security patches for Oracle Database Products
 * No new security patches for Oracle Airlines Data Model, but third party
   patches are provided
 * No new security patches for Oracle Big Data Graph, but third party patches
   are provided
 * 1 new security patch for Oracle Communications Data Model
 * 2 new security patches for Oracle Essbase
 * 2 new security patches for Oracle GoldenGate
 * No new security patches for Oracle NoSQL Database, but third party patches
   are provided
 * 1 new security patch for Oracle Secure Backup
 * No new security patches for Oracle SQL Developer, but third party patches are
   provided
 * No new security patches for Oracle TimesTen In-Memory Database, but third
   party patches are provided

ORACLE DATABASE SERVER RISK MATRIX

This Critical Patch Update contains 8 new security patches plus additional third
party patches noted below for Oracle Database Products.  1 of these
vulnerabilities may be remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user credentials.  None of these
patches are applicable to client-only installations, i.e., installations that do
not have the Oracle Database Server installed. The English text form of this
Risk Matrix can be found here.

Oracle has released client Database fixes for CVEs which we believe are not
exploitable in the context of the Database. The Database server includes a full
copy of all the client bits, so any patch that is client applicable, also has to
be applied on the server side.

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2022-21596 | Oracle Database - Advanced Queuing | DBA user | Oracle Net | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 19c |
CVE-2022-21603 | Oracle Database - Sharding | Local Logon | Local Logon | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 19c, 21c |
CVE-2020-36518 | Oracle Database - Fleet Patching (jackson-databind) | REST User | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 19c, 21c |
CVE-2022-1587 | Oracle Notification Server (PCRE2) | Subscriber | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 19c, 21c | See Note 1
CVE-2020-36518 | Spatial and Graph (jackson-databind) | Authenticated User | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 19c, 21c |
CVE-2022-21606 | Oracle Services for Microsoft Transaction Server | None | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 19c | See Note 1
CVE-2022-39419 | Java VM | Create Procedure | Oracle Net | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 19c, 21c |
CVE-2021-41495 | Oracle Database - Machine Learning (Numpy) | Create Session | Oracle Net | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 21c |

NOTES:

 1. This vulnerability applies to Windows systems only.


ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2021-41495 also addresses CVE-2021-41496.
 * The patch for CVE-2022-1587 also addresses CVE-2022-1586.

ADDITIONAL PATCHES ARE INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES IN THIS ORACLE PRODUCT FAMILY:

 * GraalVM Multilingual Engine: CVE-2022-34169, CVE-2022-21540, CVE-2022-21541,
   CVE-2022-21549 and CVE-2022-25647.
 * Oracle Application Express (Moment.js): CVE-2022-31129.
 * Oracle Database (Apache HttpClient): CVE-2020-13956.
 * Oracle Database (Apache Tomcat): CVE-2022-34305.
 * Oracle Database - Fleet Patching (Apache Tomcat): CVE-2021-25122 and
   CVE-2021-25329.
 * Oracle Database - RDBMS (OpenBLAS): CVE-2021-4048.
 * Oracle Database - RDBMS (Python): CVE-2021-3737.
 * Oracle Database - RDBMS Security (Apache MINA SSHD): CVE-2021-30129.
 * Oracle Database - Workload Manager (Eclipse Jetty): CVE-2022-2048 and
   CVE-2022-2047.
 * Oracle Database - ZFSSAADM (Google Gson): CVE-2022-25647.
 * Oracle Database Configuration Assistant: CVE-2019-2904.
 * Oracle Retail Data Model (Apache Log4j): CVE-2021-4104.



ORACLE AIRLINES DATA MODEL RISK MATRIX

This Critical Patch Update contains no new security patches but does include
third party patches noted below for Oracle Airlines Data Model.  Please refer to
previous Critical Patch Update Advisories if the last Critical Patch Update was
not applied for Oracle Airlines Data Model.  The English text form of this Risk
Matrix can be found here.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
There are no exploitable vulnerabilities for these products.
Third party patches for non-exploitable CVEs are noted below.

ADDITIONAL PATCHES ARE INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES IN THIS ORACLE PRODUCT FAMILY:

 * Oracle Airlines Data Model
   * Installation (Apache Commons BeanUtils): CVE-2019-10086.
   * Installation (Apache Commons IO): CVE-2021-29425.
   * Installation (Apache Groovy): CVE-2020-17521.
   * Installation (Apache Log4j): CVE-2021-4104.
   * Installation (Nimbus JOSE+JWT): CVE-2019-17195.
   * Installation (Spring Framework): CVE-2021-22118 and CVE-2020-5421.
   * Installation (jackson-databind): CVE-2020-9546, CVE-2020-10650,
     CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969,
     CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-14195,
     CVE-2020-25649, CVE-2020-36189, CVE-2020-9547 and CVE-2020-9548.



ORACLE BIG DATA GRAPH RISK MATRIX

This Critical Patch Update contains no new security patches but does include
third party patches noted below for Oracle Big Data Graph.  Please refer to
previous Critical Patch Update Advisories if the last Critical Patch Update was
not applied for Oracle Big Data Graph.  The English text form of this Risk
Matrix can be found here.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
There are no exploitable vulnerabilities for these products.
Third party patches for non-exploitable CVEs are noted below.

ADDITIONAL PATCHES ARE INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES IN THIS ORACLE PRODUCT FAMILY:

 * Big Data Spatial and Graph
   * Big Data Graph (Apache Tomcat): CVE-2022-34305.



ORACLE COMMUNICATIONS DATA MODEL RISK MATRIX

This Critical Patch Update contains 1 new security patch plus additional third
party patches noted below for Oracle Communications Data Model.  This
vulnerability is not remotely exploitable without authentication, i.e., may not
be exploited over a network without requiring user credentials.  The English
text form of this Risk Matrix can be found here.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-11987 | Oracle Communications Data Model | Utilities (Apache Batik) | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 12.2.0.1 |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2020-11987 also addresses CVE-2019-17566.

ADDITIONAL PATCHES ARE INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES IN THIS ORACLE PRODUCT FAMILY:

 * Oracle Communications Data Model
   * Utilities (Apache Axis): CVE-2019-0227 and CVE-2018-8032.
   * Utilities (Apache Commons BeanUtils): CVE-2019-10086.



ORACLE ESSBASE RISK MATRIX

This Critical Patch Update contains 2 new security patches for Oracle Essbase. 
1 of these vulnerabilities may be remotely exploitable without authentication,
i.e., may be exploited over a network without requiring user credentials.  The
English text form of this Risk Matrix can be found here.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-22946 | Oracle Essbase | Build (cURL) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 21.3 |
CVE-2021-44832 | Oracle Essbase | Essbase Web Platform (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 21.3 |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2021-22946 also addresses CVE-2021-22947.
 * The patch for CVE-2021-44832 also addresses CVE-2021-44228.



ORACLE GOLDENGATE RISK MATRIX

This Critical Patch Update contains 2 new security patches plus additional third
party patches noted below for Oracle GoldenGate.  1 of these vulnerabilities may
be remotely exploitable without authentication, i.e., may be exploited over a
network without requiring user credentials.  The English text form of this Risk
Matrix can be found here.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-35169 | Oracle GoldenGate | Oracle GoldenGate Microservices (Dell BSAFE Micro Edition Suite) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 19c |
CVE-2018-18893 | Oracle Goldengate | Stream Analytics (JinJava) | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 19c |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2020-35169 also addresses CVE-2020-29508, CVE-2020-35163,
   CVE-2020-35164, CVE-2020-35166, CVE-2020-35167, and CVE-2020-35168.

ADDITIONAL PATCHES ARE INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES IN THIS ORACLE PRODUCT FAMILY:

 * Oracle GoldenGate
   * Stream Analytics (Apache Tomcat): CVE-2022-23181.



ORACLE NOSQL DATABASE RISK MATRIX

This Critical Patch Update contains no new security patches but does include
third party patches noted below for Oracle NoSQL Database.  Please refer to
previous Critical Patch Update Advisories if the last Critical Patch Update was
not applied for Oracle NoSQL Database.  The English text form of this Risk
Matrix can be found here.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
There are no exploitable vulnerabilities for these products.
Third party patches for non-exploitable CVEs are noted below.

ADDITIONAL PATCHES ARE INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES IN THIS ORACLE PRODUCT FAMILY:

 * Oracle NoSQL Database
   * Administration (Google Gson): CVE-2022-25647.
   * Administration (jackson-databind): CVE-2020-36518.



ORACLE SECURE BACKUP RISK MATRIX

This Critical Patch Update contains 1 new security patch plus additional third
party patches noted below for Oracle Secure Backup.  This vulnerability is
remotely exploitable without authentication, i.e., may be exploited over a
network without requiring user credentials.  The English text form of this Risk
Matrix can be found here.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2022-31813 | Oracle Secure Backup | Oracle Secure Backup (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 18.1.0.2.0 |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-31813 also addresses CVE-2022-26377, CVE-2022-28614,
   CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, and CVE-2022-30556.

ADDITIONAL PATCHES ARE INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES IN THIS ORACLE PRODUCT FAMILY:

 * Oracle Secure Backup
   * Oracle Secure Backup (PHP): CVE-2021-21708.



ORACLE SQL DEVELOPER RISK MATRIX

This Critical Patch Update contains no new security patches but does include
third party patches noted below for Oracle SQL Developer.  Please refer to
previous Critical Patch Update Advisories if the last Critical Patch Update was
not applied for Oracle SQL Developer.  The English text form of this Risk Matrix
can be found here.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
There are no exploitable vulnerabilities for these products.
Third party patches for non-exploitable CVEs are noted below.

ADDITIONAL PATCHES ARE INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES IN THIS ORACLE PRODUCT FAMILY:

 * Oracle SQL Developer
   * Install (Apache Batik): CVE-2020-11987.
   * Install (Apache Kafka): CVE-2021-38153 and CVE-2021-26291.



ORACLE TIMESTEN IN-MEMORY DATABASE RISK MATRIX

This Critical Patch Update contains no new security patches but does include
third party patches noted below for Oracle TimesTen In-Memory Database.  Please
refer to previous Critical Patch Update Advisories if the last Critical Patch
Update was not applied for Oracle TimesTen In-Memory Database.  The English text
form of this Risk Matrix can be found here.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
There are no exploitable vulnerabilities for these products.
Third party patches for non-exploitable CVEs are noted below.

ADDITIONAL PATCHES ARE INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES IN THIS ORACLE PRODUCT FAMILY:

 * Oracle TimesTen In-Memory Database
   * Kubernetes Operator (Golang Go): CVE-2022-28327 and CVE-2022-24675.


ORACLE COMMERCE RISK MATRIX

This Critical Patch Update contains 3 new security patches for Oracle Commerce. 
2 of these vulnerabilities may be remotely exploitable without authentication,
i.e., may be exploited over a network without requiring user credentials.  The
English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-10683 | Oracle Commerce Platform | Dynamo Application Framework (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3.0-11.3.2 |
CVE-2022-23437 | Oracle Commerce Platform | Endeca Integration (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.3.2 |
CVE-2022-22971 | Oracle Commerce Platform | Endeca Integration (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 11.3.0-11.3.2 |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-22971 also addresses CVE-2022-22965, and
   CVE-2022-22970.


ORACLE COMMUNICATIONS APPLICATIONS RISK MATRIX

This Critical Patch Update contains 27 new security patches for Oracle
Communications Applications.  21 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a network
without requiring user credentials.  The English text form of this Risk Matrix
can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-23450 | Oracle Communications Convergence | Framework (dojo) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.0.3.0 |
CVE-2021-43527 | Oracle Communications Messaging Server | Security (NSS) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1 |
CVE-2022-23632 | Oracle Communications Order and Service Management | Security (Traefik) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.4 |
CVE-2021-3918 | Oracle Communications Unified Assurance | REST API (json-schema) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 5.5.7.0.0, 6.0.0.0.0 |
CVE-2022-31813 | Oracle Communications Unified Assurance | User Interface (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 5.5.7.0.0, 6.0.0.0.0 |
CVE-2022-2068 | Oracle Communications Unified Assurance | User Interface (OpenSSL) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 5.5.7.0.0, 6.0.0.0.0 |
CVE-2018-1311 | Oracle Communications Convergent Charging Controller | Common (Apache Xerces-C) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 6.0.1.0.0, 12.0.1.0.0-12.0.5.0.0 |
CVE-2018-1311 | Oracle Communications Network Charging and Control | Gateway (Apache Xerces-C) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 6.0.1.0.0, 12.0.1.0.0-12.0.5.0.0 |
CVE-2022-31129 | Oracle Communications Billing and Revenue Management | Billing Care (Moment.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.0.0.4.0-12.0.0.6.0 |
CVE-2022-35737 | Oracle Communications Convergent Charging Controller | Common (SQLite) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.0.1.0.0, 12.0.1.0.0-12.0.5.0.0 |
CVE-2022-31129 | Oracle Communications Design Studio | PSR Designer (Moment.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.4.2 |
CVE-2020-36518 | Oracle Communications Instant Messaging Server | PresenceAPI (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 10.0.1.6.0 |
CVE-2022-35737 | Oracle Communications Network Charging and Control | Common (SQLite) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.0.1.0.0, 12.0.1.0.0-12.0.5.0.0 |
CVE-2022-25857 | Oracle Communications Pricing Design Center | REST Service Manager (SnakeYAML) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.0.0.5.0-12.0.0.7.0 |
CVE-2020-36518 | Oracle Communications Pricing Design Center | REST Service Manager (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.0.0.4.0-12.0.0.7.0 |
CVE-2022-2048 | Oracle Communications Unified Assurance | Message Bus (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 5.5.7.0.0, 6.0.0.0.0 |
CVE-2022-23181 | Oracle Communications Instant Messaging Server | Installation (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 10.0.1.6.0 |
CVE-2021-44832 | Oracle Communications Instant Messaging Server | Installation (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 10.0.1.6.0 |
CVE-2021-44832 | Oracle Communications MetaSolv Solution | Framework (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 6.3.1 |
CVE-2021-44832 | Oracle Communications Order and Service Management | Installer (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 7.3, 7.4 |
CVE-2022-21601 | Oracle Communications Billing and Revenue Management | Connection Manager | TCP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | None | Low | 12.0.0.4.0-12.0.0.7.0 |
CVE-2022-23437 | Oracle Communications MetaSolv Solution | Framework (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 6.3.1 |
CVE-2022-23437 | Oracle Communications Order and Service Management | Installer (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 7.3, 7.4 |
CVE-2022-34305 | Oracle Communications Unified Assurance | REST API (Apache Tomcat) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 5.5.7.0.0, 6.0.0.0.0 |
CVE-2021-21295 | Oracle Communications Pricing Design Center | REST Service Manager (Netty) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 12.0.0.4.0-12.0.0.6.0 |
CVE-2022-24823 | Oracle Communications Design Studio | PSR Designer (Netty) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 7.4.2 |
CVE-2022-24823 | Oracle Communications Pricing Design Center | Rest Service Manager (Netty) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 12.0.0.4.0-12.0.0.6.0 |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2021-21295 also addresses CVE-2021-21409, and
   CVE-2021-43797.
 * The patch for CVE-2021-44832 also addresses CVE-2021-44228.
 * The patch for CVE-2022-23181 also addresses CVE-2020-9484.
 * The patch for CVE-2022-24823 also addresses CVE-2021-21290.
 * The patch for CVE-2022-25857 also addresses CVE-2022-38749, CVE-2022-38750,
   CVE-2022-38751, and CVE-2022-38752.
 * The patch for CVE-2022-31813 also addresses CVE-2022-26377, CVE-2022-28330,
   CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, and
   CVE-2022-30556.


ORACLE COMMUNICATIONS RISK MATRIX

This Critical Patch Update contains 74 new security patches plus additional
third party patches noted below for Oracle Communications.  64 of these
vulnerabilities may be remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user credentials.  The English text
form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2022-22978 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Signaling (Spring Security) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 22.2.0 |
CVE-2022-1292 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Installer (OpenSSL) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 22.2.1 |
CVE-2022-23218 | Oracle Communications Cloud Native Core Unified Data Repository | Signaling (glibc) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 22.1.1 |
CVE-2022-31813 | Oracle Communications Diameter Signaling Router | Platform (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.6.0.0 |
CVE-2021-21708 | Oracle Communications Diameter Signaling Router | Platform (PHP) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.6.0.0 |
CVE-2022-31813 | Oracle Communications Element Manager | FEServer (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0 |
CVE-2022-22978 | Oracle Communications Element Manager | Authentication (Spring Security) | LDAP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0 |
CVE-2022-22978 | Oracle Communications Interactive Session Recorder | Platform (Spring Security) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.4 |
CVE-2021-31805 | Oracle Communications Policy Management | Configuration Management Platform (Apache Struts) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.6.0.0.0 |
CVE-2021-21783 | Oracle Communications User Data Repository | Platform (gSOAP) | GSOAP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.4.0 |
CVE-2022-31813 | Oracle Communications User Data Repository | Platform (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.4.0 |
CVE-2021-43527 | Oracle Communications User Data Repository | Platform (NSS) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.4.0 |
CVE-2021-23450 | Oracle Communications WebRTC Session Controller | Platform (dojo) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.2.0, 7.2.1 |
CVE-2022-31813 | Oracle Enterprise Operations Monitor | User Login (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.4, 5.0 |
CVE-2021-44790 | Oracle SD-WAN Edge | Management (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.0.7 |
CVE-2022-22978 | Oracle SD-WAN Edge | Management (Spring Security) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.1.1.2.0 |
CVE-2022-1586 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Signaling (PCRE2) | TCP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 22.2.1 |
CVE-2022-1586 | Oracle Communications Cloud Native Core Unified Data Repository | Signaling (PCRE2) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 22.3.0 |
CVE-2019-3862 | Oracle Communications User Data Repository | Platform (libssh2) | SSH-2 | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 12.4.0 |
CVE-2020-13936 | Oracle Communications User Data Repository | Platform (Apache Velocity Engine) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.6.1 |
CVE-2020-10878 | Oracle Communications User Data Repository | Platform (PERL) | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | Low | High | 12.4.0 |
CVE-2021-2351 | Oracle Communications User Data Repository | Security (OJDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 12.4.0 |
CVE-2022-1154 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | DBTier (vim) | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 22.1.0, 22.2.0 |
CVE-2021-4034 | Oracle SD-WAN Edge | Platform (Polkit) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 7.0.7 |
CVE-2022-25647 | Oracle Communications Cloud Native Core Binding Support Function | Signaling (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.3.0 |
CVE-2022-25647 | Oracle Communications Cloud Native Core Console | Installer (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.2.0 |
CVE-2022-25857 | Oracle Communications Cloud Native Core Console | Installer (SnakeYAML) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.2.0 |
CVE-2022-2191 | Oracle Communications Cloud Native Core Network Exposure Function | Platform (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.2.1 |
CVE-2022-25857 | Oracle Communications Cloud Native Core Network Exposure Function | Platform (SnakeYAML) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.3.0 |
CVE-2022-24785 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | Configuration (Moment.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 22.1, 22.2 |
CVE-2022-27782 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | Configuration (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 22.1.0, 22.2.0 |
CVE-2022-24761 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | DBTier (waitress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 22.1.0, 22.2.0 |
CVE-2018-25032 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | DBTier (zlib) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.1.0, 22.2.0 |
CVE-2022-2191 | Oracle Communications Cloud Native Core Network Repository Function | Installation (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.2.2 |
CVE-2022-25647 | Oracle Communications Cloud Native Core Policy | Signaling (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.3.0 |
CVE-2022-25857 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Signaling (SnakeYAML) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.3.0 |
CVE-2018-25032 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Installer (zlib) | TCP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.1.1 |
CVE-2022-25857 | Oracle Communications Cloud Native Core Service Communication Proxy | Signaling (SnakeYAML) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.2.3, 22.3.1, 22.4.0 |
CVE-2022-25857 | Oracle Communications Cloud Native Core Unified Data Repository | Security (SnakeYAML) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.2.1, 22.3.0 |
CVE-2022-2191 | Oracle Communications Cloud Native Core Unified Data Repository | Signaling (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.3.0 |
CVE-2021-28165 | Oracle Communications Converged Application Server - Service Controller | Platform (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.2 |
CVE-2018-25032 | Oracle Communications Diameter Signaling Router | Platform (zlib) | SSH | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.6.0.0 |
CVE-2022-29885 | Oracle Communications Element Manager | BEServer (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.0 |
CVE-2022-2048 | Oracle Communications Element Manager | GEN (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.0 |
CVE-2020-36518 | Oracle Communications Evolved Communications Application Server | Platform (jackson-databind) | JSON | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.1 |
CVE-2020-36518 | Oracle Communications Policy Management | Configuration Management Platform (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.6.0.0.0 |
CVE-2020-36518 | Oracle Communications Services Gatekeeper | Core (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.0.0.0.0 |
CVE-2021-40690 | Oracle Communications Services Gatekeeper | OAuth (Apache Santuario XML Security for Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 7.0.0.0.0 |
CVE-2018-25032 | Oracle Communications Session Border Controller | System (zlib) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.4, 9.0, 9.1 |
CVE-2022-25647 | Oracle Communications WebRTC Session Controller | Platform (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.2.0, 7.2.1 |
CVE-2022-23219 | Oracle Communications Session Border Controller | Routing (glibc) | HTTP | Yes | 7.0 | Network | High | None | None | Unchanged | Low | Low | High | 8.4, 9.0, 9.1 |
CVE-2021-44832 | Oracle Communications Cloud Native Core Binding Support Function | Signaling (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 22.3.0 |
CVE-2021-44832 | Oracle Communications Cloud Native Core Policy | Signaling (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 22.3.0 |
CVE-2022-32206 | Oracle Communications Cloud Native Core Network Exposure Function | Oracle Linux (cURL) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 22.3.0 |
CVE-2022-29824 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | Configuration (libxml2) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 22.2.1, 22.2.0 |
CVE-2022-32206 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Configuration (cURL) | TCP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 22.2.1 |
CVE-2022-32206 | Oracle Communications Cloud Native Core Unified Data Repository | Signaling (cURL) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 22.3.0 |
CVE-2022-22971 | Oracle Communications Element Manager | Security (Spring Framework) | LDAP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 9.0 |
CVE-2022-22971 | Oracle Communications Interactive Session Recorder | Platform (Spring Framework) | HTTPS | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 6.4 |
CVE-2020-6950 | Oracle Communications User Data Repository | Platform (Eclipse Mojarra) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 12.4.0 |
CVE-2022-22971 | Oracle SD-WAN Edge | Management (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 9.1.1.2.0 |
CVE-2022-36033 | Oracle Communications Cloud Native Core Console | Installer (jsoup) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 22.2.0 |
CVE-2022-34305 | Oracle Communications Diameter Signaling Router | Platform (Apache Tomcat) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.6.0.0 |
CVE-2022-34305 | Oracle Communications Session Report Manager | BEServer (Apache Tomcat) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.0 |
CVE-2022-34305 | Oracle Communications User Data Repository | Platform (Apache Tomcat) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.4.0 |
CVE-2020-11022 | Oracle Communications User Data Repository | Platform (HTTP) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.4.0 |
CVE-2021-41184 | Oracle SD-WAN Aware | Management (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.0.1.3.0 |
CVE-2021-3597 | Oracle Communications Cloud Native Core Binding Support Function | Signaling (undertow) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 22.3.0 |
CVE-2021-40528 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | Configuration (GnuPG Libgcrypt) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 22.1.0, 22.2.0 |
CVE-2021-3597 | Oracle Communications Cloud Native Core Policy | Signaling (undertow) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 22.3.0 |
CVE-2021-3426 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | Configuration (Python) | TCP | No | 5.7 | Adjacent Network | Low | Low | None | Unchanged | High | None | None | 1.9.0 |
CVE-2022-21123 | Oracle Communications Diameter Signaling Router | Platform (Microcode Controller) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 8.6.0.0 |
CVE-2020-29582 | Oracle Communications User Data Repository | Platform (JetBrains Kotlin) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.6.0 |
CVE-2021-21707 | Oracle Communications User Data Repository | Platform (PHP) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.4.0 |

Network High High None Un-
changed High High High 22.3.0   CVE-2021-44832 Oracle Communications Cloud
Native Core Policy Signaling (Apache Log4j) HTTP No 6.6 Network High High None
Un-
changed High High High 22.3.0   CVE-2022-32206 Oracle Communications Cloud
Native Core Network Exposure Function Oracle Linux (cURL) HTTP Yes 6.5 Network
Low None Required Un-
changed None None High 22.3.0   CVE-2022-29824 Oracle Communications Cloud
Native Core Network Function Cloud Native Environment Configuration (libxml2)
HTTP Yes 6.5 Network Low None Required Un-
changed None None High 22.2.1, 22.2.0   CVE-2022-32206 Oracle Communications
Cloud Native Core Security Edge Protection Proxy Configuration (cURL) TCP Yes
6.5 Network Low None Required Un-
changed None None High 22.2.1   CVE-2022-32206 Oracle Communications Cloud
Native Core Unified Data Repository Signaling (cURL) HTTP Yes 6.5 Network Low
None Required Un-
changed None None High 22.3.0   CVE-2022-22971 Oracle Communications Element
Manager Security (Spring Framework) LDAP No 6.5 Network Low Low None Un-
changed None None High 9.0   CVE-2022-22971 Oracle Communications Interactive
Session Recorder Platform (Spring Framework) HTTPS No 6.5 Network Low Low None
Un-
changed None None High 6.4   CVE-2020-6950 Oracle Communications User Data
Repository Platform (Eclipse Mojarra) HTTP Yes 6.5 Network Low None Required Un-
changed High None None 12.4.0   CVE-2022-22971 Oracle SD-WAN Edge Management
(Spring Framework) HTTP No 6.5 Network Low Low None Un-
changed None None High 9.1.1.2.0   CVE-2022-36033 Oracle Communications Cloud
Native Core Console Installer (jsoup) HTTP Yes 6.1 Network Low None Required
Changed Low Low None 22.2.0   CVE-2022-34305 Oracle Communications Diameter
Signaling Router Platform (Apache Tomcat) HTTP Yes 6.1 Network Low None Required
Changed Low Low None 8.6.0.0   CVE-2022-34305 Oracle Communications Session
Report Manager BEServer (Apache Tomcat) HTTP Yes 6.1 Network Low None Required
Changed Low Low None 9.0   CVE-2022-34305 Oracle Communications User Data
Repository Platform (Apache Tomcat) HTTP Yes 6.1 Network Low None Required
Changed Low Low None 12.4.0   CVE-2020-11022 Oracle Communications User Data
Repository Platform (HTTP) HTTP Yes 6.1 Network Low None Required Changed Low
Low None 12.4.0   CVE-2021-41184 Oracle SD-WAN Aware Management (jQueryUI) HTTP
Yes 6.1 Network Low None Required Changed Low Low None 9.0.1.3.0   CVE-2021-3597
Oracle Communications Cloud Native Core Binding Support Function Signaling
(undertow) HTTP Yes 5.9 Network High None None Un-
changed None None High 22.3.0   CVE-2021-40528 Oracle Communications Cloud
Native Core Network Function Cloud Native Environment Configuration (GnuPG
Libgcrypt) HTTP Yes 5.9 Network High None None Un-
changed High None None 22.1.0,22.2.0   CVE-2021-3597 Oracle Communications Cloud
Native Core Policy Signaling (undertow) HTTP Yes 5.9 Network High None None Un-
changed None None High 22.3.0   CVE-2021-3426 Oracle Communications Cloud Native
Core Network Function Cloud Native Environment Configuration (Python) TCP No 5.7
Adjacent
Network Low Low None Un-
changed High None None 1.9.0   CVE-2022-21123 Oracle Communications Diameter
Signaling Router Platform (Microcode Controller) None No 5.5 Local Low Low None
Un-
changed High None None 8.6.0.0   CVE-2020-29582 Oracle Communications User Data
Repository Platform (JetBrains Kotlin) HTTP Yes 5.3 Network Low None None Un-
changed Low None None 12.6.0   CVE-2021-21707 Oracle Communications User Data
Repository Platform (PHP) HTTP Yes 5.3 Network Low None None Un-
changed Low None None 12.4.0  

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2019-3862 also addresses CVE-2019-3855, CVE-2019-3856,
   CVE-2019-3857, CVE-2019-3858, CVE-2019-3859, CVE-2019-3860, CVE-2019-3861,
   and CVE-2019-3863.
 * The patch for CVE-2020-10878 also addresses CVE-2020-10543, and
   CVE-2020-12723.
 * The patch for CVE-2020-11022 also addresses CVE-2019-1543, and
   CVE-2020-11023.
 * The patch for CVE-2021-28165 also addresses CVE-2021-28163, and
   CVE-2021-28164.
 * The patch for CVE-2021-41184 also addresses CVE-2021-41182, and
   CVE-2021-41183.
 * The patch for CVE-2021-44790 also addresses CVE-2021-26690, CVE-2021-26691,
   CVE-2021-34798, and CVE-2021-39275.
 * The patch for CVE-2022-1292 also addresses CVE-2022-2068, and CVE-2022-2097.
 * The patch for CVE-2022-2048 also addresses CVE-2022-2047, and CVE-2022-2191.
 * The patch for CVE-2022-21123 also addresses CVE-2022-21125, CVE-2022-21127,
   and CVE-2022-21166.
 * The patch for CVE-2022-2191 also addresses CVE-2022-2048.
 * The patch for CVE-2022-22971 also addresses CVE-2022-22970.
 * The patch for CVE-2022-22978 also addresses CVE-2022-22976.
 * The patch for CVE-2022-23218 also addresses CVE-2022-23219.
 * The patch for CVE-2022-23219 also addresses CVE-2021-38604, CVE-2021-43396,
   and CVE-2022-23218.
 * The patch for CVE-2022-27782 also addresses CVE-2022-27778, CVE-2022-27779,
   CVE-2022-27780, CVE-2022-27781, and CVE-2022-30115.
 * The patch for CVE-2022-31813 also addresses CVE-2022-26377, CVE-2022-28614,
   CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, and CVE-2022-30556.
 * The patch for CVE-2022-32206 also addresses CVE-2022-32208.

ADDITIONAL PATCHES ARE INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES IN THIS ORACLE PRODUCT FAMILY:

 * Oracle Communications Cloud Native Core Security Edge Protection Proxy
   * Signaling (Kubernetes Client): CVE-2021-4178.


ORACLE CONSTRUCTION AND ENGINEERING RISK MATRIX

This Critical Patch Update contains 5 new security patches plus additional third
party patches noted below for Oracle Construction and Engineering.  2 of these
vulnerabilities may be remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user credentials.  The English text
form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product and Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-9492 | Primavera Unifier Document Management (Apache Solr) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 18.8, 19.12, 20.12, 21.12 | |
| CVE-2022-31129 | Primavera Gateway Admin (Moment.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 18.8.0-18.8.15, 19.12.0-19.12.14, 20.12.0-20.12.9, 21.12.0-21.12.7 | |
| CVE-2022-23457 | Primavera Unifier User Interface (Enterprise Security API) | HTTP | No | 7.5 | Network | High | Low | None | Unchanged | High | High | High | 18.8, 19.12, 20.12, 21.12 | |
| CVE-2022-31129 | Primavera Unifier User Interface (Moment.js) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 19.12, 20.12, 21.12 | |
| CVE-2022-33879 | Primavera Unifier Document Management (Apache Tika) | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 18.8, 19.12, 20.12, 21.12 | |


ADDITIONAL PATCHES ARE INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING
NON-EXPLOITABLE CVES IN THIS ORACLE PRODUCT FAMILY:

 * Primavera Unifier
   * Document Management (Apache ZooKeeper): CVE-2020-7712.
   * Platform, User Interface (Apache Velocity Engine): CVE-2020-13936.


ORACLE E-BUSINESS SUITE RISK MATRIX

This Critical Patch Update contains 5 new security patches for Oracle E-Business
Suite.  4 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion
Middleware components that are affected by the vulnerabilities listed in the
Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle
E-Business Suite products is dependent on the Oracle Database and Oracle Fusion
Middleware versions being used. Oracle Database and Oracle Fusion Middleware
security updates are not listed in the Oracle E-Business Suite risk matrix.
However, since vulnerabilities affecting Oracle Database and Oracle Fusion
Middleware versions may affect Oracle E-Business Suite products, Oracle
recommends that customers apply the October 2022 Critical Patch Update to the
Oracle Database and Oracle Fusion Middleware components of Oracle E-Business
Suite. For information on what patches need to be applied to your environments,
refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge
Document (October 2022), My Oracle Support Note 2484000.1.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product and Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-23305 | Application Management Pack for Oracle E-Business Suite EBS EM Plugin (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.4.1.0.0 | See Note 1 |
| CVE-2022-21587 | Oracle Web Applications Desktop Integrator Upload | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.3-12.2.11 | |
| CVE-2022-39428 | Oracle Web Applications Desktop Integrator Upload | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.3-12.2.11 | |
| CVE-2019-10086 | Oracle Human Resources Common Modules (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 12.2.3-12.2.11 | |
| CVE-2022-21636 | Oracle Applications Framework Session Management | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 12.2.6-12.2.11 | |


NOTES:

 1. Please refer to support Doc ID 2858304.1 for the patch.

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-23305 also addresses CVE-2021-4104, CVE-2022-23302,
   and CVE-2022-23307.


ORACLE ENTERPRISE MANAGER RISK MATRIX

This Critical Patch Update contains 5 new security patches for Oracle Enterprise
Manager.  4 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  None of these patches are applicable to client-only installations,
i.e., installations that do not have Oracle Enterprise Manager installed. The
English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion
Middleware components that are affected by the vulnerabilities listed in the
Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle
Enterprise Manager products is dependent on the Oracle Database and Oracle
Fusion Middleware versions being used. Oracle Database and Oracle Fusion
Middleware security updates are not listed in the Oracle Enterprise Manager risk
matrix. However, since vulnerabilities affecting Oracle Database and Oracle
Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle
recommends that customers apply the October 2022 Critical Patch Update to the
Oracle Database and Oracle Fusion Middleware components of Enterprise Manager.
For information on what patches need to be applied to your environments, refer
to Critical Patch Update October 2022 Patch Availability Document for Oracle
Products, My Oracle Support Note 2888514.1.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product and Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-1285 | Enterprise Manager Base Platform Application Service Level Management (Apache log4net) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.4.0.0 | |
| CVE-2021-23450 | Enterprise Manager Ops Center Networking (dojo) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.4.0.0 | |
| CVE-2022-21623 | Enterprise Manager Base Platform Application Config Console | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 13.4.0.0, 13.5.0.0 | |
| CVE-2021-4104 | Enterprise Manager Base Platform Application Service Level Management (Apache Log4j) | HTTP | No | 7.5 | Network | High | Low | None | Unchanged | High | High | High | 13.4.0.0 | |
| CVE-2020-36518 | Enterprise Manager for Virtualization Plug-In Lifecycle (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 13.4.0.0, 13.5.0.0 | |



ORACLE FINANCIAL SERVICES APPLICATIONS RISK MATRIX

This Critical Patch Update contains 24 new security patches for Oracle Financial
Services Applications.  16 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without requiring
user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product and Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-23457 | Oracle Financial Services Analytical Applications Infrastructure Others (Enterprise Security API) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1 | |
| CVE-2020-36518 | Oracle Banking Enterprise Default Management Collections (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 2.12.0 | |
| CVE-2020-36518 | Oracle Banking Loans Servicing Web UI (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 2.8.0, 2.12.0 | |
| CVE-2020-36518 | Oracle Banking Party Management Web UI (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 2.7.0 | |
| CVE-2022-25647 | Oracle Banking Platform Security (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 2.9.0 | |
| CVE-2020-36518 | Oracle Banking Platform Security (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 2.7.1, 2.9.0, 2.12.0 | |
| CVE-2022-31129 | Oracle Financial Services Analytical Applications Infrastructure Others (Moment.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1 | |
| CVE-2022-31129 | Oracle Financial Services Behavior Detection Platform User Interface (Moment.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.7.2, 8.0.8.1, 8.1.1.0, 8.1.1.1, 8.1.2.0, 8.1.2.1, 8.1.2.2 | |
| CVE-2022-31129 | Oracle Financial Services Enterprise Case Management Installer (Moment.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.7.3, 8.0.8.2, 8.1.1.0, 8.1.1.1, 8.1.2.0, 8.1.2.1, 8.1.2.2 | |
| CVE-2021-40690 | Oracle Financial Services Model Management and Governance Installer & Configuration (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.1.1.0 | |
| CVE-2022-25647 | Oracle Financial Services Model Management and Governance Installer & Configuration (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.8.0, 8.1.0.0, 8.1.1.0 | |
| CVE-2022-31129 | Oracle Financial Services Model Management and Governance Installer (Moment.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.8.0, 8.1.0.0 | |
| CVE-2022-31129 | Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition User Interface (Moment.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.7.0, 8.0.8.0 | |
| CVE-2022-23181 | Oracle Financial Services Model Management and Governance Installer & Configuration (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 8.0.8.0, 8.1.0.0, 8.1.1.0 | |
| CVE-2021-44832 | Oracle Financial Services Model Management and Governance Installer & Configuration (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 8.0.8.0, 8.1.0.0, 8.1.1.0 | |
| CVE-2022-22971 | Oracle Financial Services Analytical Applications Infrastructure Others (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1 | |
| CVE-2022-22971 | Oracle Financial Services Behavior Detection Platform User Interface (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.7.2, 8.0.8.1, 8.1.1.0, 8.1.1.1, 8.1.2.0, 8.1.2.1, 8.1.2.2 | |
| CVE-2022-22971 | Oracle Financial Services Enterprise Case Management Installer (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.7.3, 8.0.8.2, 8.1.1.0, 8.1.1.1, 8.1.2.0, 8.1.2.1, 8.1.2.2 | |
| CVE-2022-22971 | Oracle Financial Services Model Management and Governance Installer & Configuration (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.8.0, 8.1.0.0, 8.1.1.0 | |
| CVE-2022-22971 | Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition User Interface (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.7.0, 8.0.8.0 | |
| CVE-2022-29577 | Oracle Banking Enterprise Default Management Collections (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 2.12.0 | |
| CVE-2022-29577 | Oracle Banking Party Management Web UI (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 2.7.0 | |
| CVE-2022-29577 | Oracle Banking Platform Security (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 2.9.0 | |
| CVE-2022-24823 | Oracle Financial Services Model Management and Governance Installer & Configuration (Netty) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 8.0.8.0, 8.1.0.0, 8.1.1.0 | |


ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-22971 also addresses CVE-2022-22970.
 * The patch for CVE-2022-23457 also addresses CVE-2022-24891.


ORACLE FUSION MIDDLEWARE RISK MATRIX

This Critical Patch Update contains 56 new security patches for Oracle Fusion
Middleware.  43 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are
affected by the vulnerabilities listed in the Oracle Database section. The
exposure of Oracle Fusion Middleware products is dependent on the Oracle
Database version being used. Oracle Database security updates are not listed in
the Oracle Fusion Middleware risk matrix. However, since vulnerabilities
affecting Oracle Database versions may affect Oracle Fusion Middleware products,
Oracle recommends that customers apply the Critical Patch Update October 2022 to
the Oracle Database components of Oracle Fusion Middleware products. For
information on what patches need to be applied to your environments, refer to
Critical Patch Update October 2022 Patch Availability Document for Oracle
Products, My Oracle Support Note 2899414.2.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product and Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-33980 | Oracle Business Intelligence Enterprise Edition BI Application Archive (Apache Commons Configuration) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 5.9.0.0, 6.4.0.0 | |
| CVE-2019-17195 | Oracle Data Integrator WLS Configuration Template (Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 | |
| CVE-2022-23943 | Oracle HTTP Server SSL Module (Apache HTTP Server) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-23305 | Oracle Middleware Common Libraries and Tools Third Party Patch (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0 | |
| CVE-2022-25315 | Oracle Outside In Technology Outside In Filters (LibExpat) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.5.6 | |
| CVE-2022-23305 | Oracle WebCenter Content Web Content Management (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0 | |
| CVE-2021-23450 | Oracle WebCenter Portal Security Framework (dojo) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-23450 | Oracle WebCenter Sites Centralized Thirdparty Jars (dojo) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-32532 | Oracle WebCenter Sites WebCenter Sites (Apache Shiro) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-21613 | Oracle Enterprise Data Quality Dashboard | HTTP | Yes | 8.8 | Network | Low | None | Required | Changed | High | Low | Low | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-13936 | Oracle Identity Management Suite Installer (Apache Velocity Engine) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-28052 | Oracle Business Process Management Suite Installer (Bouncy Castle Java Library) | HTTPS | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-21612 | Oracle Enterprise Data Quality Dashboard | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-28052 | Oracle WebLogic Server Centralized Thirdparty Jars (Bouncy Castle Java Library) | TLS | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2022-21590 | Oracle BI Publisher Core Formatting API | HTTP | No | 7.6 | Network | Low | Low | None | Unchanged | High | Low | Low | 5.9.0.0, 6.4.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-40690 | BI Publisher Web Server (Apache CXF) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 5.9.0.0, 6.4.0.0.0 | |
| CVE-2022-39412 | Oracle Access Manager Admin Console | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.4.0 | |
| CVE-2022-25647 | Oracle BI Publisher Security (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.9.0.0, 6.4.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-43859 | Oracle Business Activity Monitoring (Oracle BAM) General (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-24729 | Oracle Business Intelligence Enterprise Edition Analytics Server (CKEditor) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.9.0.0, 6.4.0.0 | |
| CVE-2020-36518 | Oracle Business Intelligence Enterprise Edition Analytics Server (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.4.0.0 | |
| CVE-2021-36090 | Oracle Business Intelligence Enterprise Edition Analytics Web ADF Integration (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.9.0.0 | |
| CVE-2022-25647 | Oracle Data Integrator Runtime Java agent for ODI (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-21614 | Oracle Enterprise Data Quality Dashboard | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-25647 | Oracle Middleware Common Libraries and Tools Thirdparty Patch (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2018-25032 | Oracle Outside In Technology Outside In Filters (Python) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.6 | |
| CVE-2022-21622 | Oracle SOA Suite Adapters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-40690 | Oracle WebCenter Portal Security Framework (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2022-24729 | Oracle WebCenter Portal Security Framework (CKEditor) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-43859 | Oracle WebCenter Portal Security Framework (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-36518 | Oracle WebCenter Portal Security Framework (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |

CVE-2022-24729 Oracle WebCenter
Sites WebCenter Sites (CKEditor) HTTP Yes 7.5 Network Low None None Un-
changed None None High 12.2.1.3.0, 12.2.1.4.0   CVE-2021-43859 Oracle WebCenter
Sites WebCenter Sites (XStream) HTTP Yes 7.5 Network Low None None Un-
changed None None High 12.2.1.3.0, 12.2.1.4.0   CVE-2022-21615 Oracle Enterprise
Data Quality Dashboard HTTP Yes 7.4 Network Low None Required Changed High None
None 12.2.1.3.0, 12.2.1.4.0   CVE-2022-21593 Oracle HTTP Server OHS Config
MBeans HTTP Yes 7.1 Network Low None Required Un-
changed High Low None 12.2.1.3.0, 12.2.1.4.0   CVE-2022-22971 Oracle Data
Integrator Runtime Java agent for ODI (Spring Framework) HTTP No 6.5 Network Low
Low None Un-
changed None None High 12.2.1.4.0   CVE-2020-24977 Oracle HTTP Server Web
Listener (libxml2) HTTP Yes 6.5 Network Low None None Un-
changed Low None Low 12.2.1.3.0, 12.2.1.4.0   CVE-2022-22971 Oracle Middleware
Common Libraries and Tools Thirdparty Patch (Spring Framework) HTTP No 6.5
Network Low Low None Un-
changed None None High 12.2.1.3.0, 12.2.1.4.0   CVE-2022-23437 Oracle WebCenter
Portal Security Framework (Apache Xerces-J) HTTP Yes 6.5 Network Low None
Required Un-
changed None None High 12.2.1.3.0, 12.2.1.4.0   CVE-2022-23437 Oracle WebLogic
Server Centralized Thirdparty Jars (Apache Xerces-J) HTTP Yes 6.5 Network Low
None Required Un-
changed None None High 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0   CVE-2022-22971
Oracle WebLogic Server Centralized Thirdparty Jars (Spring Framework) HTTP No
6.5 Network Low Low None Un-
changed None None High 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0   CVE-2021-41184
Oracle MapViewer Oracle Maps (jQueryUI) HTTP Yes 6.1 Network Low None Required
Changed Low Low None 12.2.1.3.0, 12.2.1.4.0   CVE-2021-3537 Oracle HTTP Server
SSL Module (libxml2) HTTPS Yes 5.9 Network High None None Un-
changed None None High 12.2.1.3.0, 12.2.1.4.0   CVE-2022-21609 Oracle Business
Intelligence Enterprise Edition Analytics Server HTTP No 5.7 Network Low Low
Required Un-
changed High None None 5.9.0.0   CVE-2022-24823 Oracle Coherence Configuration
and Parsing (Netty) None No 5.5 Local Low Low None Un-
changed High None None 12.2.1.4.0, 14.1.1.0.0   CVE-2020-17521 Oracle Data
Integrator Runtime Java agent for ODI (Apache Groovy) None No 5.5 Local Low Low
None Un-
changed High None None 12.2.1.3.0, 12.2.1.4.0   CVE-2022-30126 Oracle WebCenter
Portal Security Framework (Apache Tika) None No 5.5 Local Low None Required Un-
changed None None High 12.2.1.3.0, 12.2.1.4.0   CVE-2022-24823 Oracle WebCenter
Portal Security Framework (Netty) None No 5.5 Local Low Low None Un-
changed High None None 12.2.1.3.0, 12.2.1.4.0   CVE-2020-17521 Oracle WebLogic
Server Centralized Thirdparty Jars (Apache Groovy) None No 5.5 Local Low Low
None Un-
changed High None None 12.2.1.3.0, 12.2.1.4.0   CVE-2022-39405 Oracle Access
Manager Authentication Engine HTTP Yes 5.3 Network Low None None Un-
changed None Low None 12.2.1.3.0   CVE-2021-34429 Oracle Data Integrator Runtime
Java agent for ODI (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un-
changed Low None None 12.2.1.3.0, 12.2.1.4.0   CVE-2020-14155 Oracle HTTP Server
SSL Module (PCRE) HTTPS Yes 5.3 Network Low None None Un-
changed None None Low 12.2.1.3.0, 12.2.1.4.0   CVE-2022-22968 Oracle WebLogic
Server Samples (Spring Framework) HTTP Yes 5.3 Network Low None None Un-
changed None Low None 12.2.1.4.0, 14.1.1.0.0   CVE-2022-21616 Oracle WebLogic
Server Web Container None No 5.2 Local High High None Un-
changed Low Low High 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0   CVE-2021-29425 Oracle
Data Integrator Runtime Java agent for ODI (Apache Commons IO) HTTP Yes 4.8
Network High None None Un-
changed Low Low None 12.2.1.3.0, 12.2.1.4.0   CVE-2021-29425 Oracle WebLogic
Server Centralized Thirdparty Jars (Commons IO) HTTP Yes 4.8 Network High None
None Un-
changed Low Low None 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2020-14155 also addresses CVE-2019-20838.
 * The patch for CVE-2020-24977 also addresses CVE-2019-19956.
 * The patch for CVE-2021-3537 also addresses CVE-2019-20388, CVE-2020-24977,
   CVE-2020-7595, CVE-2021-3517, and CVE-2021-3518.
 * The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516,
   and CVE-2021-35517.
 * The patch for CVE-2022-22971 also addresses CVE-2022-22970.
 * The patch for CVE-2022-23305 also addresses CVE-2021-4104, CVE-2022-23302,
   and CVE-2022-23307.
 * The patch for CVE-2022-23943 also addresses CVE-2019-10092, CVE-2020-1934,
   and CVE-2022-22720.
 * The patch for CVE-2022-24729 also addresses CVE-2022-24728.
 * The patch for CVE-2022-24823 also addresses CVE-2021-21290.
 * The patch for CVE-2022-25315 also addresses CVE-2022-23990, CVE-2022-25235,
   CVE-2022-25236, CVE-2022-25313, and CVE-2022-25314.
 * The patch for CVE-2022-30126 also addresses CVE-2022-25169.


ORACLE HEALTHCARE APPLICATIONS RISK MATRIX

This Critical Patch Update contains 5 new security patches for Oracle HealthCare
Applications.  4 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-33980 | Oracle Healthcare Foundation | Upload Service (Apache Commons Configuration) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1, 8.2 | |
| CVE-2022-25647 | Oracle Healthcare Data Repository | Install (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.1.1, 8.1.2, 8.1.3 | |
| CVE-2022-25647 | Oracle Healthcare Master Person Index | Master Index (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.0.0-5.0.3 | |
| CVE-2020-36518 | Oracle Healthcare Translational Research | Data Studio (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 4.1 | |
| CVE-2022-22971 | Oracle Healthcare Master Person Index | Master Index (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.0.0-5.0.3 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-22971 also addresses CVE-2022-22970.


ORACLE HOSPITALITY APPLICATIONS RISK MATRIX

This Critical Patch Update contains 4 new security patches for Oracle
Hospitality Applications.  2 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a network
without requiring user credentials.  The English text form of this Risk Matrix
can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-36483 | Oracle Hospitality Cruise Fleet Management System | FMS Suite (DevExpress) | TCP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 9.1.5 | |
| CVE-2022-31129 | Oracle Hospitality Suite8 | Webconnect (Moment.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.10.2, 8.11.0, 8.12.0, 8.13.0, 8.14.0 | |
| CVE-2022-22971 | Oracle Hospitality Cruise Shipboard Property Management System | Next-Gen SPMS (Spring Boot) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 20.2.0 | |
| CVE-2022-34305 | Oracle Hospitality Cruise Shipboard Property Management System | Next-Gen SPMS (Apache Tomcat) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 20.2.2 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-22971 also addresses CVE-2022-22978.


ORACLE HYPERION RISK MATRIX

This Critical Patch Update contains 1 new security patch for Oracle Hyperion. 
This vulnerability is remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user credentials.  The English text
form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-33980 | Oracle Hyperion Infrastructure Technology | Installation and Configuration (Apache Commons Configuration) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.2.9 | |


ORACLE INSURANCE APPLICATIONS RISK MATRIX

This Critical Patch Update contains 5 new security patches for Oracle Insurance
Applications.  3 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-25647 | Oracle Documaker Enterprise Edition | Development Tools (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.6-12.7 | |
| CVE-2020-36518 | Oracle Documaker Enterprise Edition | Development Tools (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.6-12.7 | |
| CVE-2022-22971 | Oracle Documaker Enterprise Edition | Interactive Docupresentment Server (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 12.6-12.7 | |
| CVE-2019-12415 | Oracle Insurance Insbridge Rating and Underwriting | Framework Administrator IBFA (Apache POI) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 5.2.0, 5.4.0-5.6.2 | |
| CVE-2021-29425 | Oracle Insurance Insbridge Rating and Underwriting | Framework Administrator IBFA (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 5.2.0, 5.4.0-5.6.2 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-22971 also addresses CVE-2022-22970.


ORACLE JAVA SE RISK MATRIX

This Critical Patch Update contains 9 new security patches for Oracle Java SE. 
All of these vulnerabilities may be remotely exploitable without authentication,
i.e., may be exploited over a network without requiring user credentials.  The
English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-32215 | Oracle GraalVM Enterprise Edition | Node (Node.js) | HTTPS | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3, 22.2.0 | |
| CVE-2022-21634 | Oracle GraalVM Enterprise Edition | LLVM Interpreter | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3, 22.2.0 | |
| CVE-2022-21597 | Oracle GraalVM Enterprise Edition | JavaScript | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3, 22.2.0 | |
| CVE-2022-21628 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Lightweight HTTP Server | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3, 22.2.0 | See Note 1 |
| CVE-2022-21626 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Security | HTTPS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3, 22.2.0 | See Note 2 |
| CVE-2022-21618 | Oracle Java SE, Oracle GraalVM Enterprise Edition | JGSS | Kerberos | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Oracle Java SE: 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 21.3.3, 22.2.0 | See Note 2 |
| CVE-2022-39399 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Networking | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Oracle Java SE: 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3, 22.2.0 | See Note 1 |
| CVE-2022-21624 | Oracle Java SE, Oracle GraalVM Enterprise Edition | JNDI | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3, 22.2.0 | See Note 2 |
| CVE-2022-21619 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Security | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3, 22.2.0 | See Note 2 |

NOTES:

 1. This vulnerability applies to Java deployments, typically in clients running
    sandboxed Java Web Start applications or sandboxed Java applets, that load
    and run untrusted code (e.g., code that comes from the internet) and rely on
    the Java sandbox for security. This vulnerability does not apply to Java
    deployments, typically in servers, that load and run only trusted code
    (e.g., code installed by an administrator).
 2. This vulnerability applies to Java deployments, typically in clients running
    sandboxed Java Web Start applications or sandboxed Java applets, that load
    and run untrusted code (e.g., code that comes from the internet) and rely on
    the Java sandbox for security. This vulnerability can also be exploited by
    using APIs in the specified Component, e.g., through a web service which
    supplies data to the APIs.

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-32215 also addresses CVE-2022-32212, CVE-2022-32213,
   CVE-2022-32214, CVE-2022-32222, CVE-2022-32223, CVE-2022-35255, and
   CVE-2022-35256.


ORACLE JD EDWARDS RISK MATRIX

This Critical Patch Update contains 10 new security patches for Oracle JD
Edwards.  9 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-43527 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure SEC (NSS) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.2.6.3 and prior | |
| CVE-2022-1292 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure SEC (OpenSSL) | TLS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.2.6.3 and prior | |
| CVE-2020-36518 | JD Edwards EnterpriseOne Orchestrator | E1 IOT Orchestrator Security (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.2.6.4 and prior | |
| CVE-2020-36518 | JD Edwards EnterpriseOne Tools | Monitoring and Diagnostics SEC (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.2.6.4 and prior | |
| CVE-2020-36518 | JD Edwards EnterpriseOne Tools | Web Runtime SEC (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.2.6.4 and prior | |
| CVE-2022-23437 | JD Edwards EnterpriseOne Orchestrator | E1 IOT Orchestrator Security (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 9.2.6.2 and prior | |
| CVE-2022-23437 | JD Edwards EnterpriseOne Tools | Interoperability SEC (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 9.2.6.3 and prior | |
| CVE-2022-21631 | JD Edwards EnterpriseOne Tools | Design Tools SEC | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.2.6.4 and prior | |
| CVE-2022-21630 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.2.6.4 and prior | |
| CVE-2022-21629 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.2.6.4 and prior | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-1292 also addresses CVE-2022-0778.


 

ORACLE MYSQL RISK MATRIX

This Critical Patch Update contains 37 new security patches for Oracle MySQL. 
11 of these vulnerabilities may be remotely exploitable without authentication,
i.e., may be exploited over a network without requiring user credentials.  The
English text form of this Risk Matrix can be found here.

(Base Score through Availability are the CVSS VERSION 3.1 RISK columns; see Risk Matrix Definitions.)

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-32207 | MySQL Enterprise Backup | Enterprise Backup: Security (cURL) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.1.4 and prior | |
| CVE-2022-31129 | MySQL Enterprise Monitor | Monitoring: General (Moment.js) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.31 and prior | |
| CVE-2022-35737 | MySQL Workbench | Workbench (SQLite) | MySQL Workbench | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.30 and prior | |
| CVE-2022-21600 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 8.0.27 and prior | |
| CVE-2022-21635 | MySQL Server | InnoDB | MySQL Protocol | No | 6.5 | Network | Low | High | None | Unchanged | None | High | High | 8.0.29 and prior | |
| CVE-2022-39408 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.30 and prior | |
| CVE-2022-39410 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.30 and prior | |
| CVE-2022-29824 | MySQL Workbench | Workbench (libxml2) | MySQL Workbench | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 8.0.30 and prior | |
| CVE-2022-34305 | MySQL Enterprise Monitor | Monitoring: General (Apache Tomcat) | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.31 and prior | |
| CVE-2022-2097 | MySQL Connectors | Connector/C++ (OpenSSL) | MySQL Protocol | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.0.30 and prior | |
| CVE-2022-2097 | MySQL Connectors | Connector/ODBC (OpenSSL) | MySQL Protocol | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.0.30 and prior | |
| CVE-2022-2097 | MySQL Enterprise Backup | Enterprise Backup (OpenSSL) | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 4.1.4 and prior | |
| CVE-2022-2097 | MySQL Enterprise Monitor | Monitoring: General (OpenSSL) | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.0.31 and prior | |
| CVE-2022-2097 | MySQL Server | Server: Packaging (OpenSSL) | MySQL Protocol | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 5.7.39 and prior, 8.0.30 and prior | |
| CVE-2022-2097 | MySQL Workbench | Workbench (OpenSSL) | MySQL Workbench | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.0.30 and prior | |
| CVE-2022-21604 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.30 and prior | |
| CVE-2022-21637 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.30 and prior | |
| CVE-2022-21617 | MySQL Server | Server: Connection Handling | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.39 and prior, 8.0.30 and prior | |
| CVE-2022-21605 | MySQL Server | Server: Data Dictionary | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.28 and prior | |
| CVE-2022-21594 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.30 and prior | |
| CVE-2022-21607 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.28 and prior | |
| CVE-2022-21608 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.39 and prior, 8.0.30 and prior | |
| CVE-2022-21638 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.29 and prior | |
| CVE-2022-21640 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.30 and prior | |
| CVE-2022-21641 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.29 and prior | |
| CVE-2022-39400 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.30 and prior | |
| CVE-2022-21633 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.30 and prior | |
| CVE-2022-21632 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.30 and prior | |
| CVE-2022-21599 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.30 and prior | |
| CVE-2022-21595 | MySQL Server | C API | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.7.36 and prior, 8.0.27 and prior | |
| CVE-2022-21625 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 8.0.30 and prior | |
| CVE-2022-21592 | MySQL Server | Server: Security: Encryption | MySQL Protocol | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 5.7.39 and prior, 8.0.29 and prior | |
| CVE-2022-21589 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 5.7.39 and prior, 8.0.16 and prior | |
| CVE-2022-39402 | MySQL Shell | Shell: Core Client | None | No | 4.3 | Local | Low | None | None | Changed | Low | None | None | 8.0.30 and prior | |
| CVE-2022-39404 | MySQL Installer | Installer: General | None | No | 4.2 | Local | High | Low | Required | Unchanged | Low | Low | Low | 1.6.3 and prior | |
| CVE-2022-21611 | MySQL Server | InnoDB | None | No | 4.1 | Local | High | High | None | Unchanged | None | None | High | 8.0.30 and prior | |
| CVE-2022-39403 | MySQL Shell | Shell: Core Client | None | No | 3.9 | Local | Low | Low | Required | Unchanged | Low | Low | None | 8.0.30 and prior | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-32207 also addresses CVE-2022-32205, CVE-2022-32206,
   and CVE-2022-32208.


 

ORACLE PEOPLESOFT RISK MATRIX

This Critical Patch Update contains 8 new security patches for Oracle
PeopleSoft.  4 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

(Base Score through Availability are the CVSS VERSION 3.1 RISK columns; see Risk Matrix Definitions.)

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-39406 | PeopleSoft Enterprise Common Components | Approval Framework | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 9.2 | |
| CVE-2022-25647 | PeopleSoft Enterprise PeopleTools | Elastic Search (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.58, 8.59, 8.60 | |
| CVE-2021-22144 | PeopleSoft Enterprise PeopleTools | Elastic Search (Grok Parser) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.58, 8.59, 8.60 | |
| CVE-2022-21639 | PeopleSoft Enterprise PeopleTools | Elastic Search Integration | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.59, 8.60 | |
| CVE-2022-24823 | PeopleSoft Enterprise PeopleTools | Elastic Search (Netty) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 8.58, 8.59, 8.60 | |
| CVE-2022-39407 | PeopleSoft Enterprise PeopleTools | Security | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 8.58, 8.59, 8.60 | |
| CVE-2022-21602 | PeopleSoft Enterprise PeopleTools | Portal | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.58, 8.59, 8.60 | |
| CVE-2022-2097 | PeopleSoft Enterprise PeopleTools | Security (OpenSSL) | TLS | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.58, 8.59, 8.60 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-24823 also addresses CVE-2021-21290.


 

ORACLE RETAIL APPLICATIONS RISK MATRIX

This Critical Patch Update contains 27 new security patches for Oracle Retail
Applications.  21 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

(Base Score through Availability are the CVSS VERSION 3.1 RISK columns; see Risk Matrix Definitions.)

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-23305 | Oracle Retail Fiscal Management | Others (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.2 | |
| CVE-2021-28490 | Oracle Retail Customer Management and Segmentation Foundation | Segment (OWASP CSRFGuard) | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 18.0, 19.0 | |
| CVE-2021-43859 | Oracle Retail Customer Insights | Other (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 15.0.2, 16.0.2 | |
| CVE-2022-25647 | Oracle Retail Customer Management and Segmentation Foundation | Security (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 17.0, 18.0, 19.0 | |
| CVE-2022-25647 | Oracle Retail EFTLink | Installation (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 20.0.1, 21.0.0 | |
| CVE-2022-2048 | Oracle Retail EFTLink | Other (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 20.0.1, 21.0.0 | |
| CVE-2020-36518 | Oracle Retail Merchandising System | Foundation (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 15.0.3.1 | |
| CVE-2020-36518 | Oracle Retail Service Backbone | RSB Installation (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.1.3.2, 15.0.3.1, 16.0.3 | |
| CVE-2022-22971 | Oracle Retail Assortment Planning | Application Core (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 16.0.3 | |
| CVE-2022-23437 | Oracle Retail Back Office | Security (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 14.1 | |
| CVE-2022-23437 | Oracle Retail Central Office | Security (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 14.1 | |
| CVE-2020-6950 | Oracle Retail Customer Insights | Other (Eclipse Mojarra) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 15.0.2, 16.0.2 | |
| CVE-2022-22971 | Oracle Retail Customer Insights | Other (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 15.0.2, 16.0.2 | |
| CVE-2022-23437 | Oracle Retail Fiscal Management | OTHERS (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 14.2 | |
| CVE-2022-22971 | Oracle Retail Merchandising System | Foundation (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 19.0.1 | |
| CVE-2022-23437 | Oracle Retail Point Of Service | Security (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 14.1 | |
| CVE-2022-22971 | Oracle Retail Predictive Application Server | RPAS Server (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 14.1.3.47, 15.0.3.116, 16.0.3.260 | |
| CVE-2022-23437 | Oracle Retail Returns Management | Security (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 14.1 | |
| CVE-2022-29577 | Oracle Retail Back Office | Security (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.1 | |
| CVE-2021-41184 | Oracle Retail Back Office | Security (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.1 | |
| CVE-2022-29577 | Oracle Retail Central Office | Security (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.1 | |
| CVE-2021-41184 | Oracle Retail Central Office | Security (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.1 | |
| CVE-2022-29577 | Oracle Retail Returns Management | Security (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.1 | |
| CVE-2021-41184 | Oracle Retail Returns Management | Security (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.1 | |
| CVE-2021-36374 | Oracle Retail Merchandising System | Installation (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 14.1.3.2 | |
| CVE-2021-36374 | Oracle Retail Sales Audit | others (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 19.0.1 | |
| CVE-2021-29425 | Oracle Retail Customer Insights | Other (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 15.02, 16.0.2 | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2021-36374 also addresses CVE-2021-36373.
 * The patch for CVE-2021-41184 also addresses CVE-2021-41182, and
   CVE-2021-41183.
 * The patch for CVE-2022-2048 also addresses CVE-2022-2047, and CVE-2022-2191.
 * The patch for CVE-2022-22971 also addresses CVE-2022-22970.
 * The patch for CVE-2022-23305 also addresses CVE-2021-4104, CVE-2022-23302,
   and CVE-2022-23307.


 

ORACLE SIEBEL CRM RISK MATRIX

This Critical Patch Update contains 14 new security patches for Oracle Siebel
CRM.  12 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

(Base Score through Availability are the CVSS VERSION 3.1 RISK columns; see Risk Matrix Definitions.)

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-23926 | Siebel Apps - Marketing | Marketing (XMLBeans) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 22.8 and prior | |
| CVE-2018-5158 | Siebel Industry - Life Sciences | eDetailing (PDF Viewer) | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 22.8 and prior | |
| CVE-2020-16856 | Siebel Engineering - Rel Eng | Build System (Visual Studio) | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 22.8 and prior | |
| CVE-2021-30639 | Siebel Apps - Marketing | Marketing (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.8 and prior | |
| CVE-2022-25647 | Siebel Core - Automation | Keyword Automation (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.8 and prior | |
| CVE-2022-24785 | Siebel Core - Common Components | Calendar (Moment.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 22.8 and prior | |
| CVE-2022-25647 | Siebel Core - Common Components | DISA (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.8 and prior | |
| CVE-2022-21598 | Siebel Core - DB Deployment and Configuration | Repository Utilities | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 22.8 and prior | |
| CVE-2020-36518 | Siebel UI Framework | EAI (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.8 and prior | |
| CVE-2022-24729 | Siebel UI Framework | Open UI (CKEditor) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 22.8 and prior | |
| CVE-2022-22971 | Siebel Engineering - Installer & Deployment | Siebel Approval Manager (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 22.8 and prior | |
| CVE-2022-34305 | Siebel UI Framework | EAI (Apache Tomcat) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 22.8 and prior | |
| CVE-2021-41182 | Siebel UI Framework | Open UI (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 22.8 and prior | |
| CVE-2021-29425 | Siebel Apps - Marketing | Marketing (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 22.8 and prior | |

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2020-16856 also addresses CVE-2020-16874.
 * The patch for CVE-2021-41182 also addresses CVE-2021-41183, and
   CVE-2021-41184.
 * The patch for CVE-2022-22971 also addresses CVE-2022-22970.
 * The patch for CVE-2022-24729 also addresses CVE-2022-24728.


 

ORACLE SUPPLY CHAIN RISK MATRIX

This Critical Patch Update contains 13 new security patches for Oracle Supply
Chain.  9 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

The columns from Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--------------------------------------------------------------------------------
CVE-2022-23305 | Oracle Agile Engineering Data Management | Installation Issues (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.2.1.0 |
CVE-2022-29885 | Oracle Agile PLM | Folders, Files & Attachments (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.3.6 |
CVE-2022-24729 | Oracle Agile PLM | WebClient (CKEditor) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.3.6 |
CVE-2020-36518 | Oracle Agile PLM | WebClient (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.3.6 |
CVE-2020-36518 | Oracle AutoVue | AutoVue Client and Server (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.0.2 | See Note 1
CVE-2022-2048 | Oracle AutoVue | Web General (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.0.2 | See Note 1
CVE-2022-2048 | Oracle Autovue for Agile Product Lifecycle Management | Autovue Client (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.0.2 |
CVE-2020-36518 | Oracle Autovue for Agile Product Lifecycle Management | Autovue Client (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.0.2 |
CVE-2022-23437 | Oracle Transportation Management | XML Parser (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 6.4.3, 6.5.1 |
CVE-2022-39420 | Oracle Transportation Management | Data, Functional Security | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 6.4.3, 6.5.1 |
CVE-2022-21591 | Oracle Transportation Management | UI Infrastructure | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | None | Low | Low | 6.4.3, 6.5.1 |
CVE-2022-39411 | Oracle Transportation Management | Business Process Automation | HTTP | No | 4.9 | Network | Low | High | None | Unchanged | High | None | None | 6.4.3, 6.5.1 |
CVE-2022-39409 | Oracle Transportation Management | Business Process Automation | HTTP | No | 2.7 | Network | Low | High | None | Unchanged | None | None | Low | 6.4.3, 6.5.1 |


NOTES:

 1. This vulnerability applies to Oracle AutoVue Office, Oracle AutoVue 2D
    Professional, Oracle AutoVue 3D Professional Advanced, Oracle AutoVue EDA
    Professional and Oracle AutoVue Electro-Mechanical Professional. Please
    refer to Patch Availability Document for more details.

 

ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-2048 also addresses CVE-2022-2047, and CVE-2022-2191.
 * The patch for CVE-2022-23305 also addresses CVE-2022-23302, and
   CVE-2022-23307.
 * The patch for CVE-2022-24729 also addresses CVE-2022-24728.


 

ORACLE SYSTEMS RISK MATRIX

This Critical Patch Update contains 8 new security patches for Oracle Systems. 
4 of these vulnerabilities may be remotely exploitable without authentication,
i.e., may be exploited over a network without requiring user credentials.  The
English text form of this Risk Matrix can be found here.

The columns from Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--------------------------------------------------------------------------------
CVE-2021-40690 | Oracle Solaris Cluster | Tools (Apache XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 4 |
CVE-2020-36518 | Oracle Solaris Cluster | Tools (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 4 |
CVE-2021-44832 | Oracle Solaris Cluster | Tools (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 4 |
CVE-2022-23437 | Oracle Solaris Cluster | Tools (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 4 |
CVE-2022-29577 | Oracle Solaris Cluster | Tools (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 4 |
CVE-2022-39417 | Oracle Solaris | Filesystem | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 11 |
CVE-2022-39401 | Oracle Solaris | Kernel | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 11 |
CVE-2022-21610 | Oracle Solaris | LDoms | None | No | 3.3 | Local | High | Low | Required | Unchanged | Low | None | Low | 11 |



 

ORACLE UTILITIES APPLICATIONS RISK MATRIX

This Critical Patch Update contains 6 new security patches for Oracle Utilities
Applications.  4 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

The columns from Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--------------------------------------------------------------------------------
CVE-2022-22978 | Oracle Utilities Testing Accelerator | Tools (Spring Security) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.0.0.1.3, 6.0.0.2.4, 6.0.0.3.3 |
CVE-2022-25647 | Oracle Utilities Testing Accelerator | Tools (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.0.0.1.3, 6.0.0.2.4, 6.0.0.3.3 |
CVE-2022-31129 | Oracle Utilities Testing Accelerator | Tools (Moment.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.0.0.1.3, 6.0.0.2.4 |
CVE-2022-22971 | Oracle Utilities Testing Accelerator | Generic (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 6.0.0.1.3, 6.0.0.2.4, 6.0.0.3.3 |
CVE-2022-34305 | Oracle Utilities Testing Accelerator | Tools (Apache Tomcat) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 6.0.0.1.3, 6.0.0.2.4, 6.0.0.3.3, 7.0.0.0.0 |
CVE-2022-24823 | Oracle Utilities Testing Accelerator | Tools (Netty) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 6.0.0.1.3, 6.0.0.2.4, 6.0.0.3.3 |


ADDITIONAL CVES ADDRESSED ARE:

 * The patch for CVE-2022-22971 also addresses CVE-2022-22970.
 * The patch for CVE-2022-22978 also addresses CVE-2022-22976.


 

ORACLE VIRTUALIZATION RISK MATRIX

This Critical Patch Update contains 10 new security patches for Oracle
Virtualization.  3 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can be found here.

The columns from Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--------------------------------------------------------------------------------
CVE-2022-39427 | Oracle VM VirtualBox | Core | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | Prior to 6.1.40 | See Note 1
CVE-2022-39424 | Oracle VM VirtualBox | Core | VRDP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | Prior to 6.1.40 |
CVE-2022-39425 | Oracle VM VirtualBox | Core | VRDP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | Prior to 6.1.40 |
CVE-2022-39426 | Oracle VM VirtualBox | Core | VRDP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | Prior to 6.1.40 |
CVE-2022-39422 | Oracle VM VirtualBox | Core | None | No | 7.5 | Local | High | High | None | Changed | High | High | High | Prior to 6.1.38 |
CVE-2022-21620 | Oracle VM VirtualBox | Core | None | No | 7.5 | Local | High | High | None | Changed | High | High | High | Prior to 6.1.40 |
CVE-2022-39421 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | Low | Required | Unchanged | High | High | High | Prior to 6.1.40 | See Note 1
CVE-2022-39423 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.38 |
CVE-2022-21621 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | None | High | Prior to 6.1.40 |
CVE-2022-21627 | Oracle VM VirtualBox | Core | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | Prior to 6.1.40 |


NOTES:

 1. This vulnerability applies to Windows systems only.


© 2023 Oracle