Oracle has released its Critical Patch Update (CPU) for January 2022, which includes 497 security patches across multiple product families.
Oracle also notes that it continues to receive reports of remote attackers attempting to exploit vulnerabilities for which patches are already available.
In some cases those attacks succeeded because organizations had not applied the necessary Oracle patches.
log4j updates
In addition to the January quarterly security update for Oracle products, Oracle also provided a reminder about the log4j Security Alert released the previous month:
“Please note that on December 10, 2021, Oracle released a Security Alert for Apache Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046. Customers should review the Alert if they have not already done so.”
Oracle Database product patches
As part of the January 2022 Critical Patch Update (CPU), Oracle has addressed 28 vulnerabilities in Oracle Database products.
The database update includes fixes for 4 Oracle Database vulnerabilities, all rated Medium or Low severity. None of these may be remotely exploitable without authentication.
Oracle also patched 78 new vulnerabilities in Oracle MySQL, 3 of which may be remotely exploitable without authentication.
Two of the MySQL patches address High severity vulnerabilities in bundled third-party libraries: CVE-2021-3712 (an OpenSSL flaw) in MySQL Connectors, and CVE-2021-22946 (a cURL flaw) in the Server: Compiling (cURL) component of MySQL Server. These issues carry CVSS base scores of 7.4 to 7.5. Two further High severity MySQL flaws were also addressed.
Oracle Java patches
Oracle patched 18 vulnerabilities in Oracle Java SE, all of which may be remotely exploitable without authentication.
Their severities range from Low to Medium (CVSS base scores of 3.7 to 6.5).
Oracle Enterprise Manager patches
The Critical Patch Update also addressed 7 new security vulnerabilities in Oracle Enterprise Manager, 6 of which may be exploited remotely without authentication.
One of the patches addressed a Critical vulnerability, CVE-2021-3177 (a buffer overflow in Python's ctypes module), in the Networking (Python) component of Enterprise Manager Ops Center. This issue has a CVSS base score of 9.8.
The remaining 6 flaws were rated High severity and affect multiple other Oracle Enterprise Manager products.
Oracle Communications Applications
Oracle also addressed 33 new vulnerabilities in Oracle Communications Applications, 22 of which may be remotely exploitable without authentication.
Five of these are Critical vulnerabilities in the Connection Manager component of Oracle Communications Billing and Revenue Management:
- CVE-2022-21275
- CVE-2022-21389
- CVE-2022-21390
- CVE-2022-21276
- CVE-2022-21391.
Oracle Fusion Middleware patches
Oracle has also patched 39 new vulnerabilities in Oracle Fusion Middleware, 35 of which may be remotely exploitable without authentication.
Four Critical vulnerabilities across multiple Fusion Middleware components were addressed, as summarized below:
- CVE-2021-35587: Oracle Access Manager
- CVE-2020-17530: Oracle Business Intelligence Enterprise Edition (an Apache Struts flaw)
- CVE-2022-21306: Oracle WebLogic Server
- CVE-2021-40438: Oracle HTTP Server (an Apache HTTP Server mod_proxy flaw).
All of these issues can be exploited remotely without user authentication.
Other security updates
Finally, Oracle released patches for multiple other products in the January 2022 CPU, listed below with the total number of patches and the number of Critical severity vulnerabilities for each:
- Oracle Airlines Data Model (1 total, 0 critical)
- Oracle Big Data Graph (2 total, 0 critical)
- Oracle Communications (84 total, 4 critical)
- Oracle Communications Data (1 total, 0 critical)
- Oracle Construction and Engineering (22 total, 2 critical)
- Oracle E-Business (9 total, 0 critical)
- Oracle Essbase (4 total, 2 critical)
- Oracle Financial Services (48 total, 2 critical)
- Oracle Food and Beverage Applications (1 total, 0 critical)
- Oracle GoldenGate (3 total, 1 critical)
- Oracle Health Sciences Applications (8 total, 0 critical)
- Oracle HealthCare Applications (4 total, 0 critical)
- Oracle Hospitality Applications (3 total, 0 critical)
- Oracle Hyperion (1 total, 0 critical)
- Oracle iLearning (1 total, 0 critical)
- Oracle Insurance Applications (7 total, 2 critical)
- Oracle JD Edwards (1 total, 0 critical)
- Oracle NoSQL Database (1 total, 0 critical)
- Oracle PeopleSoft (13 total, 1 critical)
- Oracle Policy Automation (1 total, 0 critical)
- Oracle REST Data Services (2 total, 0 critical)
- Oracle Retail Applications (43 total, 0 critical)
- Oracle Secure Backup (2 total, 1 critical)
- Oracle Siebel CRM (2 total, 0 critical)
- Oracle Spatial Studio (1 total, 0 critical)
- Oracle Supply Chain (10 total, 0 critical)
- Oracle Support Tools (4 total, 1 critical)
- Oracle Systems (11 total, 0 critical)
- Oracle TimesTen In-Memory (5 total, 0 critical)
- Oracle Commerce (6 total, 0 critical)
- Oracle Supply Chain Products (5 total, 0 critical)
- Oracle Systems (5 total, 1 critical)
- Oracle Utilities Applications (13 total, 2 critical)
- Oracle Virtualization (2 total, 0 critical).
Overall, the 497 January 2022 patches are up from the 419 patches released in the October 2021 CPU.