Oracle has released its Critical Patch Update for July 2022, which includes 349 vulnerability fixes across multiple products. The update also includes fixes for Log4j and Spring Framework vulnerabilities.
The company also continues to receive reports of remote attackers attempting to maliciously exploit unpatched vulnerabilities.
In some cases, the malicious actors have successfully exploited vulnerabilities because organizations failed to apply the necessary Oracle patches.
Oracle Database product patches
As part of the July 2022 Critical Patch Update (CPU), Oracle has addressed 23 vulnerabilities across multiple Oracle Database products.
The Oracle Database update includes fixes for 9 vulnerabilities, one of which is a Critical severity vulnerability, CVE-2020-35169 (CVSS 9.1), that affects Oracle Database – Enterprise Edition. This flaw could be remotely exploitable without authentication. The remaining vulnerabilities are rated High (2), Moderate (5), or Low (1) severity.
In addition, Oracle patched 34 new vulnerabilities in Oracle MySQL; 10 of these may be remotely exploitable without authentication.
Three MySQL Critical vulnerabilities were addressed (along with affected product and component):
- CVE-2021-31805: MySQL Enterprise Monitor Monitoring (Apache Struts)
- CVE-2022-1292: MySQL Server Server Packaging (OpenSSL)
- CVE-2022-1292: MySQL Workbench (OpenSSL).
In April this year, the Apache Software Foundation patched an Apache Struts 2 vulnerability, CVE-2021-31805, that could lead to remote code execution. As a result, an attacker could exploit this vulnerability to steal sensitive information.
Apache described the problem as related to forced OGNL evaluation and said it required a fix to a previously released Struts 2 patch.
Oracle Java patches
Oracle patched 5 vulnerabilities in Oracle Java SE. Four of these vulnerabilities may be remotely exploitable without authentication. One of those issues (CVE-2022-34169) affects the JAXP (Xalan-J) component and is rated High severity.
Oracle Enterprise Manager patches
The Critical Patch Update also addressed 6 new security vulnerabilities in Oracle Enterprise Manager, all of which can be exploited remotely without user credentials.
Two Critical vulnerabilities were addressed (along with affected product and component):
- CVE-2022-22721: Enterprise Manager Ops Center Networking (Apache HTTP Server)
- CVE-2022-1292: Enterprise Manager Ops Center Networking (OpenSSL).
Oracle Communications Applications
Oracle also addressed 17 new vulnerabilities in Oracle Communications Applications. Attackers could remotely exploit 12 of these vulnerabilities without user authentication.
Notably, two of the patches address a Critical Apache Log4j vulnerability and one addresses a Critical Spring Framework flaw, both of which are known to be readily exploitable:
- CVE-2022-23305: Oracle Communications Instant Messaging Server – XMPP Server (Apache Log4j)
- CVE-2022-23305: Oracle Communications Offline Mediation Controller – Charging Server (Apache Log4j)
- CVE-2022-22965: Oracle Communications Unified Inventory Management TMF APIs (Spring Framework)
- CVE-2022-23632: Oracle Communications Unified Inventory Management Cloud Native (Traefik).
All of these Critical vulnerabilities have a CVSS score of 9.8.
Oracle Fusion Middleware patches
Oracle also patched 38 new vulnerabilities in Oracle Fusion Middleware. Attackers could remotely exploit 32 of these vulnerabilities without user authentication.
In all, 10 of the Fusion Middleware fixes address Critical vulnerabilities, one of which is the Spring Framework vulnerability (CVE-2022-22965) in Oracle WebLogic Server.
Overall, the 349 July 2022 patches are down significantly from the 520 patches released in the April 2022 CPU.
Finally, check out the Oracle July 2022 CPU for additional details on vulnerabilities that affect multiple other Oracle products.
- Oracle Critical Patch Update for April 2022
- Apache patches Struts 2 RCE vulnerability (CVE-2021-31805)
- Spring fixes Critical Spring Framework “Spring4Shell” and Spring Cloud Function vulnerabilities
- Apache releases security update for another Log4j RCE vulnerability (CVE-2021-44832)
- Researchers discover Critical RCE 0-day “Log4Shell” vulnerability (CVE-2021-44228) in Apache Log4j logging utility (update)