Oracle has released its Critical Patch Update for April 2022, which includes 520 vulnerability fixes across multiple products. The update also includes fixes for Log4j and Spring Framework vulnerabilities.
The company also continues to receive reports of remote attackers attempting to maliciously exploit unpatched vulnerabilities.
In some cases, the malicious actors have successfully exploited vulnerabilities because organizations failed to apply the necessary Oracle patches.
Oracle Database product patches
As part of the April 2022 Critical Patch Update (CPU), Oracle has addressed 29 vulnerabilities across multiple Oracle Database products.
The Oracle Database update includes fixes for one High severity vulnerability CVE-2022-21410 (CVSS 7.2) that affects the Oracle Database – Enterprise Edition Sharding component. The remaining vulnerabilities are rated Moderate or Low severity.
In addition, Oracle patched 43 new vulnerabilities in Oracle MySQL; 11 of these vulnerabilities may be remotely exploitable without authentication.
One of the patches addressed a Critical Log4j vulnerability CVE-2022-23305 (CVSS 9.8) in MySQL Enterprise Monitor.
A second Critical patch fixed a Spring Framework vulnerability CVE-2022-22965 (CVSS 9.8) also affecting MySQL Enterprise Monitor.
Oracle Java patches
Oracle patched 7 vulnerabilities in Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication and three are rated High severity.
Vulnerability risk levels range from Medium to Low severity (CVSS scores of 3.7 to 7.5).
Oracle Enterprise Manager patches
The Critical Patch Update also addressed 10 new security vulnerabilities in Oracle Enterprise Manager; 7 of these can be exploited remotely without user credentials.
Three Critical vulnerabilities were addressed (listed with the affected component):
- CVE-2022-23305: Oracle Management Service (Apache Log4j)
- CVE-2018-1285: Load Testing for Web Apps (Apache log4net)
- CVE-2021-40438: User Interface (Apache HTTP Server)
An additional three flaws rated High severity affected multiple other Oracle Enterprise Manager products.
Oracle Communications Applications patches
Oracle also addressed 39 new vulnerabilities in Oracle Communications Applications. Attackers could remotely exploit 22 of these vulnerabilities without user authentication.
In all, five Critical vulnerabilities affect multiple Oracle Communications components (listed with the affected component):
- CVE-2022-21431: Billing and Revenue Management Connection Manager
- CVE-2022-23305: Messaging Server ISC (Apache Log4j)
- CVE-2022-23990: MetaSolv Solution User Interface (LibExpat)
- CVE-2022-23305: Network Integrity Cartridge Deployer Tool (Apache Log4j)
- CVE-2022-23305: Unified Inventory Management Logging (Apache Log4j)
Oracle Fusion Middleware patches
Oracle has also patched 54 new vulnerabilities in Oracle Fusion Middleware. Attackers could remotely exploit 41 of these vulnerabilities without user authentication.
In all, Oracle patched 13 Critical vulnerabilities in multiple Fusion Middleware components, 10 of them instances of the Apache Log4j vulnerability CVE-2022-23305. Among the Critical fixes:
- CVE-2021-35587: Oracle Access Manager
- CVE-2020-17530: Oracle Business Intelligence Enterprise Edition
- CVE-2022-21306: Oracle WebLogic Server
- CVE-2021-40438: Oracle HTTP Server
Overall, the 520 April 2022 patches are up from the 497 patches released in the January 2022 CPU.
Finally, check out the Oracle April 2022 CPU advisory for additional details on vulnerabilities that affect multiple other Oracle products.