Oracle has released its Critical Patch Update for October 2022, which includes 370 vulnerability fixes across multiple products.
The company also continues to receive reports of remote attackers attempting to maliciously exploit unpatched vulnerabilities.
In some cases, the malicious actors have successfully exploited vulnerabilities because organizations failed to apply the necessary Oracle patches.
Oracle Database product patches
As part of the October 2022 Critical Patch Update (CPU), Oracle has addressed 14 vulnerabilities across multiple Oracle Database products.
The Oracle Database update includes fixes for 8 vulnerabilities: two rated High severity and one rated Medium (CVE-2022-21606) that may be remotely exploitable without authentication.
In addition, Oracle patched 37 new vulnerabilities in Oracle MySQL; 11 of these may be remotely exploitable without authentication.
One of the addressed issues was a Critical severity vulnerability in MySQL Enterprise Backup: Security (cURL), CVE-2022-32207 (CVSS score 9.8).
Two other MySQL High risk vulnerabilities (CVE-2022-31129 and CVE-2022-35737) were also fixed.
Oracle Java patches
Oracle patched 9 vulnerabilities in Oracle Java SE; all of these may be remotely exploitable without authentication. One of these Critical Java SE flaws (CVE-2022-32215) affects Oracle GraalVM Enterprise Edition Node (Node.js) and has a CVSS score of 9.1.
Oracle Enterprise Manager patches
The Critical Patch Update also addressed 5 new security vulnerabilities in Oracle Enterprise Manager; 4 of these can be exploited remotely without user credentials.
Two Critical Oracle Enterprise Manager vulnerabilities were addressed (listed with affected product and component):
- CVE-2018-1285: Enterprise Manager Base Platform Application Service Level Management (Apache log4net).
- CVE-2021-23450: Enterprise Manager Ops Center Networking (dojo).
Each of these issues has a CVSS score of 9.8.
Oracle Communications Applications
Oracle also addressed 27 new vulnerabilities in Oracle Communications Applications. Attackers could remotely exploit 21 of these without user authentication.
Six of the Oracle Communications Applications vulnerabilities are rated Critical severity (listed with affected product and component):
- CVE-2021-23450: Oracle Communications Convergence Framework (dojo)
- CVE-2021-43527: Oracle Communications Messaging Server Security (NSS)
- CVE-2022-23632: Oracle Communications Order and Service Management Security (Traefik)
- CVE-2021-3918: Oracle Communications Unified Assurance REST API (json-schema)
- CVE-2022-31813: Oracle Communications Unified Assurance User Interface (Apache HTTP Server)
- CVE-2022-2068: Oracle Communications Unified Assurance User Interface (OpenSSL)
All of these Critical vulnerabilities have a CVSS score of 9.8.
Oracle Fusion Middleware patches
Oracle has also patched 5 new vulnerabilities in Oracle Fusion Middleware. Attackers could remotely exploit 4 of these without user authentication.
Oracle patched 3 Critical vulnerabilities (listed with affected product and component):
- CVE-2022-23305: Application Management Pack for Oracle E-Business Suite EBS EM Plugin (Apache Log4j)
- CVE-2022-21587: Oracle Web Applications Desktop Integrator Upload
- CVE-2022-39428: Oracle Web Applications Desktop Integrator Upload
Overall, the 370 October 2022 patches are up from the 349 patches released in the July 2022 CPU.
Finally, check out the Oracle October 2022 CPU for additional details on vulnerabilities that affect multiple other Oracle products.