{"id":18811,"date":"2022-04-20T07:10:17","date_gmt":"2022-04-20T15:10:17","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/04\/20\/news-12544\/"},"modified":"2022-04-20T07:10:17","modified_gmt":"2022-04-20T15:10:17","slug":"news-12544","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/04\/20\/news-12544\/","title":{"rendered":"Oracle releases massive Critical Patch Update containing 520 security patches"},"content":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Wed, 20 Apr 2022 14:53:54 +0000<\/strong><\/p>\n<p>Oracle has issued a Critical Patch Update which contains 520 new security patches across various product families. A few of these updates may need your urgent attention if you are a user of the affected product.<\/p>\n<p>Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that look most urgent.<\/p>\n<h2>Oracle Communications Applications<\/h2>\n<p>The update contains 39 new security patches for Oracle Communications Applications.\u00a022 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.<\/p>\n<p><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-21431\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>CVE-2022-21431<\/strong><\/a> is a vulnerability in the Connection Manager component of the Oracle Communications Billing and Revenue Management product and it has the maximum <a href=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2020\/05\/how-cvss-works-characterizing-and-scoring-vulnerabilities\/\">CVSS score<\/a> of 10 out of 10. 
Supported versions that are affected by this flaw are 12.0.0.4 and 12.0.0.5.<\/p>\n<p><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-23305\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>CVE-2022-23305<\/strong><\/a> is a Log4j vulnerability with a CVSS score of 9.8. It affects the Oracle Communications Messaging Server and allows attackers to manipulate a database by entering SQL strings into input fields or headers. (Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.) The same Log4j vulnerability affects the Cartridge Deployer Tool component of Oracle Communications Network Integrity\u00a0and the Logging component of Oracle Communications Unified Inventory Management. It also affects several components of Oracle Fusion Middleware.<\/p>\n<p><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-23990\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>CVE-2022-23990<\/strong><\/a> is a vulnerability in the user interface (LibExpat) component of the Oracle Communications MetaSolv Solution, and it also has a seriously high CVSS score of 9.8. LibExpat versions before 2.4.4 have an integer overflow in the <code>doProlog<\/code> function that allows an attacker to inject an unsigned integer, leading to a crash or a denial of service.<\/p>\n<h2>Oracle Blockchain Platform<\/h2>\n<p>The update contains 15 new security patches for Oracle Blockchain Platform.\u00a014 of these vulnerabilities may be remotely exploitable without authentication.<\/p>\n<p><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-23017\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>CVE-2021-23017<\/strong><\/a> is a <a href=\"https:\/\/support.f5.com\/csp\/article\/K12331123\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">security issue in nginx resolver<\/a> with a CVSS score of 9.8. 
It could allow an attacker who is able to forge UDP packets from the DNS server to cause a 1-byte memory overwrite.<\/p>\n<h2>Oracle GoldenGate<\/h2>\n<p>The update contains 5 new security patches plus additional third-party patches for Oracle GoldenGate.\u00a04 of these vulnerabilities may be remotely exploitable without authentication.<\/p>\n<p><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-26291\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>CVE-2021-26291<\/strong><\/a> is a security issue in Apache Maven with a CVSS score of 9.1. It affects the Oracle GoldenGate Big Data and Application Adapters. Apache Maven will follow repositories that are defined in a dependency\u2019s Project Object Model (pom), which may be unknown to users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository.<\/p>\n<h2>Oracle Communications<\/h2>\n<p>The update contains 149 new security patches plus additional third-party patches noted below for Oracle Communications.\u00a098 of these vulnerabilities may be remotely exploitable without authentication.<\/p>\n<p><strong><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-22947\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CVE-2022-22947<\/a><\/strong> is another vulnerability with a CVSS score of 10. It is a vulnerability in Spring Cloud Gateway that affects Oracle Communications Cloud Native Core Network Exposure Function and Oracle Communications Cloud Native Core Network Slice Selection Function. 
In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.<\/p>\n<h2>Oracle Java SE<\/h2>\n<p>The update contains 7 new security patches for Oracle Java SE.\u00a0All of these vulnerabilities may be remotely exploitable without authentication.<\/p>\n<p><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-21449\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>CVE-2022-21449<\/strong><\/a> is a vulnerability in the Oracle GraalVM Enterprise Edition product of Oracle Java SE with a CVSS score of 7.5. The 7.5 is a very low score due to the wide range of impacts on different functionality in an access management context. This vulnerability applies to Windows systems only, but an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update. An elaborate analysis of this vulnerability was <a href=\"https:\/\/backstage.forgerock.com\/knowledge\/kb\/article\/a90257583\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">published by ForgeRock<\/a>.<\/p>\n<h2>Mitigation<\/h2>\n<p>For a complete list of the security vulnerabilities, have a look at the <a href=\"https:\/\/www.oracle.com\/security-alerts\/cpuapr2022.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Oracle security alerts page<\/a>. Several of the discussed vulnerabilities in this Patch Update are vulnerabilities in third-party components which you may have patched earlier, but it\u2019s definitely worth looking into.<\/p>\n<p>Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. 
You can follow the links in the Patch Availability Document column on the <a href=\"https:\/\/www.oracle.com\/security-alerts\/cpuapr2022.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Oracle page<\/a> to access the documentation for patch availability information and installation instructions.<\/p>\n<p>Stay safe, everyone!<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2022\/04\/oracle-releases-massive-critical-patch-update-containing-520-security-patches\/\">Oracle releases massive Critical Patch Update containing 520 security patches<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Wed, 20 Apr 2022 14:53:54 +0000<\/strong><\/p>\n<p>Oracle&#8217;s April Critical Patch Update contains 520 new security patches. 
We spell out some of the most important vulnerabilities.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2022\/04\/oracle-releases-massive-critical-patch-update-containing-520-security-patches\/\">Oracle releases massive Critical Patch Update containing 520 security patches<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[25756,25757,25758,25759,25760,25761,25762,24784,22783,11548],"class_list":["post-18811","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-critical-patch-update","tag-cve-2021-23017","tag-cve-2022-21431","tag-cve-2022-21449","tag-cve-2022-22947","tag-cve-2022-23305","tag-cve-2022-23990","tag-cvss","tag-exploits-and-vulnerabilities","tag-oracle"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18811","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18811"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18811\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18811"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\
/wp\/v2\/categories?post=18811"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18811"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}