Issued: Thursday, 21 April, 2022 |
Last Revision: Thursday, 21 April, 2022 |
Vendor: |
Product: |
Severity Level: |
Oracle has released its Critical Patch Update (CPU) for April 2022. This CPU contains 520 patches, fixes for 221 vulnerabilities including 77 critical patches, spanning 31 Oracle product families.
Among the vulnerabilities addressed in this CPU, CVE-2022-22947 and CVE-2022-21431 are given the highest CVSS3 score of 10. Both can be exploited without authentication through network access. Exploitation of CVE-2022-21431 could impact additional products.
Oracle has not issued any security patches of its own for Oracle Global Lifecycle Management, Oracle NoSQL Database, and Oracle Secure Backup, but the CPU release includes third-party patches for these products. Oracle also addressed Apache Log4j-related vulnerabilities in this release that were disclosed earlier.
Many of the vulnerabilities addressed in this CPU can be remotely exploited without authentication.
Across various Oracle products, this update mitigates critical, high, medium and low severity vulnerabilities.
Notable products patched in the April 2022 update include the Oracle Communications product family (with the highest number of patches) and Oracle Fusion Middleware.
CVE/Vulnerability | Description | CVSS3.0 Score |
Multiple | Remote code execution, etc. | 7, 8, 9 and 10 |
Table 1: Vulnerability details
CVE/Vulnerability | Affected Products and Versions |
Multiple | Oracle Communications, Oracle Fusion Middleware, Oracle MySQL, Oracle Financial Services Applications, Oracle Communications Applications, Oracle Retail Applications, Oracle Systems, Oracle Blockchain Platform, Oracle PeopleSoft, Oracle Hyperion, Oracle Supply Chain, Oracle Enterprise Manager, Oracle HealthCare Applications, Oracle JD Edwards, Oracle Commerce, Oracle Insurance Applications, Oracle Java SE, Oracle Hospitality Applications, Oracle Virtualization, Oracle Database Server, Oracle GoldenGate, Oracle E-Business Suite, Oracle Construction and Engineering, Oracle Health Sciences Applications, Oracle Support Tools, Oracle SQL Developer, Oracle Autonomous Health Framework, Oracle REST Data Services, Oracle iLearning, Oracle Taleo, Oracle Utilities Applications |
Table 2: Vulnerable versions
We encourage organizations to review the Oracle April 2022 Critical Patch Update (CPU), identify the affected products in their environment, and apply the necessary updates.
