What Occurred?
Oracle has issued a Critical Patch Update which contains 520 new security patches across various product families. A few of these updates need urgent attention if you are a user of an affected product.
Affected Oracle Product Families
Oracle Communications Applications
The update contains 39 new security patches for Oracle Communications Applications. Twenty-two of these vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without requiring user credentials.
- CVE-2022-21431 is a vulnerability in the Connection Manager component of the Oracle Communications Billing and Revenue Management product and it has the maximum CVSS score of 10 out of 10. Supported versions that are affected by this flaw are 12.0.0.4 and 12.0.0.5.
- CVE-2022-23305 is a Log4j vulnerability with a CVSS score of 9.8. It affects the Oracle Communications Messaging Server and allows attackers to manipulate a database by entering SQL strings into input fields or headers. (Note: this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.) The same Log4j vulnerability affects the Cartridge Deployer Tool component of Oracle Communications Network Integrity and the Logging component of Oracle Communications Unified Inventory Management. It also affects several components of Oracle Fusion Middleware.
- CVE-2022-23990 is a vulnerability in the user interface (LibExpat) component of the Oracle Communications MetaSolv Solution, and it also has a seriously high CVSS score of 9.8. LibExpat versions before 2.4.4 have an integer overflow in the doProlog function that an attacker can trigger, leading to a crash or a denial of service.
Oracle Blockchain
The update contains 15 new security patches for Oracle Blockchain Platform. Fourteen of these vulnerabilities may be remotely exploitable without authentication.
- CVE-2021-23017 is a security issue in the nginx resolver with a CVSS score of 9.8. It could allow an attacker who is able to forge UDP packets from the DNS server to cause a 1-byte memory overwrite.
Oracle GoldenGate
The update contains 5 new security patches plus additional third-party patches for Oracle GoldenGate. Four of these vulnerabilities may be remotely exploitable without authentication.
- CVE-2021-26291 is a security issue in Apache Maven with a CVSS score of 9.1. It affects the Oracle GoldenGate Big Data and Application Adapters. Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (POM), which may be unknown to users, resulting in potential risk if a malicious actor takes over that repository or is able to position themselves to impersonate that repository.
Oracle Communications
The update contains 149 new security patches plus additional third-party patches noted below for Oracle Communications. Ninety-eight of these vulnerabilities may be remotely exploitable without authentication.
- CVE-2022-22947 is another vulnerability with a CVSS score of 10. It is a vulnerability in Spring Cloud Gateway that affects Oracle Communications Cloud Native Core Network Exposure Function and Oracle Communications Cloud Native Core Network Slice Selection Function. In Spring Cloud Gateway versions prior to 3.1.1 and 3.0.7, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.
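Several of the bullets above (the Log4j 1.x JDBCAppender condition for CVE-2022-23305, the nginx resolver for CVE-2021-23017, the Maven repository-following behaviour for CVE-2021-26291, and the enabled-and-exposed Gateway Actuator condition for CVE-2022-22947) describe a configuration state that decides whether a deployment is exposed at all. The following triage helpers are an added example and are not code from Blue Team Alpha or Oracle; they read configuration text and answer those exposure questions so a patch queue can be prioritised. The sample configurations are constructed for illustration. Assumptions: Log4j 1.x configs are in properties or XML form, Spring Boot settings are in application.properties (YAML is not parsed), the actuator "unsecured" part of the condition depends on Spring Security and is not modelled, and the nginx rule follows the nginx advisory statement that the resolver bug only applies when the resolver directive is used.

```python
"""Configuration triage helpers (added example, not Blue Team Alpha's or Oracle's code).

Each function answers one exposure question raised by the advisory bullets,
using constructed sample configurations so that it runs offline."""
import re
import xml.etree.ElementTree as ET

# Log4j 1.x appender class named in the CVE-2022-23305 condition (non-default).
JDBC_APPENDER = "org.apache.log4j.jdbc.JDBCAppender"


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{http://...}mirror' -> 'mirror'."""
    return tag.rsplit("}", 1)[-1]


def _strip_comments(text: str, marker: str = "#") -> list:
    """Return non-empty config lines with '#' comments removed and whitespace trimmed."""
    lines = []
    for raw in text.splitlines():
        line = raw.split(marker, 1)[0].strip()
        if line:
            lines.append(line)
    return lines


def _properties(text: str) -> dict:
    """Parse a simple key=value properties file into a dict."""
    props = {}
    for line in _strip_comments(text):
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def log4j1_uses_jdbcappender(config_text: str) -> bool:
    """True if a Log4j 1.x config (properties or XML) wires up JDBCAppender,
    the non-default configuration under which CVE-2022-23305 applies."""
    if config_text.lstrip().startswith("<"):
        root = ET.fromstring(config_text)
        return any(_local(el.tag) == "appender" and el.get("class") == JDBC_APPENDER
                   for el in root.iter())
    for line in _strip_comments(config_text):
        key, _, value = line.partition("=")
        if key.strip().startswith("log4j.appender.") and value.strip() == JDBC_APPENDER:
            return True
    return False


def nginx_uses_resolver(conf_text: str) -> bool:
    """True if an nginx config sets a 'resolver' directive (commented lines ignored).
    nginx's advisory for CVE-2021-23017 states the bug only applies when it is set."""
    return any(re.match(r"resolver\s", line) for line in _strip_comments(conf_text))


def gateway_actuator_exposed(properties_text: str) -> bool:
    """True if application.properties leaves the gateway actuator endpoint enabled
    and exposes it over the web. Spring Boot enables endpoints by default, so only an
    explicit 'false' counts as disabled; the default web exposure list is 'health'."""
    props = _properties(properties_text)
    if props.get("management.endpoint.gateway.enabled", "true").lower() == "false":
        return False
    include = {s.strip() for s in props.get("management.endpoints.web.exposure.include", "health").split(",")}
    exclude = {s.strip() for s in props.get("management.endpoints.web.exposure.exclude", "").split(",")}
    return ("gateway" in include or "*" in include) and "gateway" not in exclude


def maven_pins_single_mirror(settings_xml: str) -> bool:
    """True if settings.xml declares a mirror with mirrorOf '*', which routes requests
    Maven would otherwise send to repositories named in a dependency's POM through
    one repository you control."""
    root = ET.fromstring(settings_xml)
    for el in root.iter():
        if _local(el.tag) == "mirror":
            for child in el:
                if _local(child.tag) == "mirrorOf" and (child.text or "").strip() == "*":
                    return True
    return False


# --- constructed sample configurations (illustrative, not from any real deployment) ---
SAMPLE_LOG4J_PROPERTIES = """
log4j.rootLogger=INFO, db
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:example://db.internal/logs
"""
SAMPLE_LOG4J_XML = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <root><level value="INFO"/><appender-ref ref="console"/></root>
</log4j:configuration>
"""
SAMPLE_NGINX = """
http {
    # resolver 10.0.0.53;   commented out, must not count
    resolver_timeout 5s;
    server { listen 80; }
}
"""
SAMPLE_SPRING = """
management.endpoint.gateway.enabled=true
management.endpoints.web.exposure.include=health,gateway
"""
SAMPLE_MAVEN = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror><id>internal</id><mirrorOf>*</mirrorOf><url>https://repo.example.internal/maven</url></mirror>
  </mirrors>
</settings>
"""


def triage_samples() -> dict:
    """Run every check over the constructed samples; True means 'review before patching later'."""
    return {
        "log4j_properties_jdbcappender": log4j1_uses_jdbcappender(SAMPLE_LOG4J_PROPERTIES),
        "log4j_xml_jdbcappender": log4j1_uses_jdbcappender(SAMPLE_LOG4J_XML),
        "nginx_resolver": nginx_uses_resolver(SAMPLE_NGINX),
        "gateway_actuator_exposed": gateway_actuator_exposed(SAMPLE_SPRING),
        "maven_single_mirror": maven_pins_single_mirror(SAMPLE_MAVEN),
    }


if __name__ == "__main__":
    for name, flagged in triage_samples().items():
        print(f"{name}: {'REVIEW' if flagged else 'ok'}")
```

A positive result only means the precondition the advisory names is present, not that the host is unpatched; a negative result from `maven_pins_single_mirror` is the one where "ok" is misleading, since the absence of a catch-all mirror is what leaves Maven free to follow repositories declared in a dependency's POM.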
Criticalness and Who is Affected
Anyone using the Oracle products covered by this patch update is affected: Oracle Communications Applications, Oracle Java SE, Oracle Blockchain Platform, Oracle GoldenGate. Blue Team Alpha’s recommendation is to patch on Patch Tuesday. However, if an exploit comes out, patch sooner. Affected Oracle products are vulnerable and need to be patched to mitigate the risk of future exploitation. See Oracle’s newsletter for what needs to be patched based on subscribed services. Blue Team Alpha will update this blog when new information about exploits becomes available.