Oracle has released a Critical Patch Update addressing multiple vulnerabilities as part of its April 2022 Patch Tuesday. This patch update consists of 520 security patches across various Oracle product families.
Of these 520 security patches, 415 are for non-Oracle CVEs, that is, fixes for security issues in third-party products that are exploitable in the context of their Oracle product distributions. Of the 415 non-Oracle CVEs, 182 are high and critical severity vulnerabilities.
This month’s advisory covers multiple Oracle product families, including Oracle Database Server, Oracle Blockchain Platform, Oracle SQL Developer, Oracle Commerce, Oracle Communications Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle HTTP Server, Oracle Virtualization, and many more.
The update provides several security updates for Oracle Database products, including:
- Five new security updates for Oracle Database Server with a maximum reported CVSS Base Score of 7.2. (None of these updates apply to client-only deployments of the Oracle Database.)
- One new security update for Oracle Autonomous Health Framework with a maximum reported CVSS Base Score of 7.8.
- 15 new security updates for Oracle Blockchain Platform with a maximum reported CVSS Base Score of 9.8.
- Five new security updates for Oracle GoldenGate with a maximum reported CVSS Base Score of 9.1.
- One new security update for Oracle REST (representational state transfer) Data Services with a maximum reported CVSS Base Score of 4.2.
- Two new security updates for Oracle SQL Developer with a maximum reported CVSS Base Score of 6.6.
Some of the important vulnerabilities patched in the security update:
- Oracle Coherence: CVE-2021-37137, CVE-2021-43797, CVE-2022-21420
- Oracle VM VirtualBox for Windows: CVE-2022-21491, CVE-2022-21465, CVE-2022-21471, CVE-2022-21487, CVE-2022-21488
- Oracle PeopleSoft Enterprise PeopleTools Product: CVE-2021-37714, CVE-2021-40690, CVE-2021-44832, CVE-2021-43797, CVE-2022-21458, CVE-2022-21470, CVE-2021-4160, CVE-2021-41165, CVE-2021-44533, CVE-2020-8908
- Oracle Java Standard Edition (SE): CVE-2022-0778, CVE-2022-21449, CVE-2022-21476, CVE-2022-21426, CVE-2022-21496, CVE-2022-21434, CVE-2022-21443
- Oracle WebLogic Server: CVE-2020-8908, CVE-2021-27568, CVE-2021-28170, CVE-2021-41184, CVE-2022-21441, CVE-2022-21453, CVE-2022-23305, CVE-2022-23437
- Oracle Database 21c: CVE-2021-22569, CVE-2021-2464, CVE-2021-30129, CVE-2019-12402, CVE-2021-42340, CVE-2022-21449, CVE-2022-21476, CVE-2022-21426, CVE-2022-21496, CVE-2022-21434, CVE-2022-21443, CVE-2022-23990, CVE-2022-23852, CVE-2022-21411
- Oracle MySQL: CVE-2022-0778, CVE-2022-21417, CVE-2022-21427, CVE-2022-21444, CVE-2022-21451, CVE-2022-21454, CVE-2022-21460, CVE-2021-22570, CVE-2022-21412, CVE-2022-21413, CVE-2022-21414, CVE-2022-21415, CVE-2022-21418, CVE-2022-21423, CVE-2022-21425, CVE-2022-21435, CVE-2022-21436, CVE-2022-21437, CVE-2022-21438, CVE-2022-21440, CVE-2022-21452, CVE-2022-21457, CVE-2022-21459, CVE-2022-21462, CVE-2022-21478, CVE-2022-21479
- Oracle Database 19c: CVE-2021-22569, CVE-2022-21410, CVE-2021-2464, CVE-2022-21498, CVE-2021-42340, CVE-2022-21449, CVE-2022-21476, CVE-2022-21426, CVE-2022-21496, CVE-2022-21434, CVE-2022-21443, CVE-2022-23990, CVE-2022-23852, CVE-2022-21411
- Oracle Database 22.214.171.124: CVE-2021-2464, CVE-2022-21498, CVE-2022-21449, CVE-2022-21476, CVE-2022-21426, CVE-2022-21496, CVE-2022-21434, CVE-2022-21443, CVE-2022-23990, CVE-2022-23852, CVE-2022-21411
- Oracle Solaris 11.4: CVE-2022-21446, CVE-2022-21493, CVE-2022-21461, CVE-2022-21463, CVE-2022-21416, CVE-2022-21494
- Oracle Hypertext Transfer Protocol Server (HTTP Server): CVE-2021-39275, CVE-2021-22901, CVE-2020-24977, CVE-2021-44224
Visit the Oracle Critical Patch Update Advisory – April 2022 page to access the full description of each vulnerability and the systems that it affects.
Customers can scan their network with QIDs 376551, 376550, 376549, 376548, 376547, 376546, 87489, 20256, 20255, 20254, 20253, and 296056 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.