Oracle's October 2022 Critical Patch Update (its Patch Tuesday edition) is out. The security update contains a total of 370 critical security patches across various Oracle product families.
In this month's update, 290 of the 370 security patches address non-Oracle CVEs, i.e. security flaws in third-party products (such as open-source components) that are exploitable in the context of the Oracle products that bundle them. As in past Critical Patch Update releases, many of these non-Oracle CVEs are rated high or critical (170 of the 290 non-Oracle CVEs).
The advisory covers multiple Oracle product families, including Oracle Database Server, Oracle Virtualization, Oracle Supply Chain, Oracle Retail Applications, Oracle JD Edwards, Oracle MySQL, Oracle Java SE, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, and many more.
This edition contains critical security updates for multiple Oracle product families, including:
- Nine new security updates for Oracle Java SE with a maximum reported CVSS Base Score of 9.1.
- Two new security updates for Oracle Essbase with a maximum reported CVSS Base Score of 7.5.
- Two new security updates for Oracle GoldenGate with a maximum reported CVSS Base Score of 9.8.
- One new security update for Oracle Secure Backup with a maximum reported CVSS Base Score of 9.8.
- Eight new security updates for Oracle PeopleSoft with a maximum reported CVSS Base Score of 8.1.
- Ten new security updates for Oracle JD Edwards with a maximum reported CVSS Base Score of 9.8.
- Five new security updates for Oracle E-Business Suite with a maximum reported CVSS Base Score of 9.8.
- 56 new security updates for Oracle Fusion Middleware with a maximum reported CVSS Base Score of 9.8.
- Five new security updates for Oracle Enterprise Manager with a maximum reported CVSS Base Score of 9.8.
- Eight new security updates for Oracle Database Server with a maximum reported CVSS Base Score of 7.2.
- None of the Oracle Database Server updates apply to client-only deployments of the Oracle Database.
Some of the important vulnerabilities patched in this security update:
- Oracle Coherence: CVE-2022-24823
- Oracle WebLogic Server: CVE-2020-28052, CVE-2022-21616, CVE-2022-22971, CVE-2022-23437, CVE-2020-17521
- Oracle Java Standard Edition (SE): CVE-2022-21628, CVE-2022-21626, CVE-2022-21618, CVE-2022-39399, CVE-2022-21624, CVE-2022-21619
- Oracle Hypertext Transfer Protocol Server (HTTP Server): CVE-2020-14155, CVE-2020-24977, CVE-2021-3537, CVE-2022-21593, CVE-2022-23943
- Oracle PeopleSoft Enterprise: CVE-2022-25647, CVE-2021-22144, CVE-2022-21639, CVE-2022-24823, CVE-2022-39407, CVE-2022-21602, CVE-2022-2097
- Oracle VM VirtualBox: CVE-2022-39422, CVE-2022-39423, CVE-2022-39421, CVE-2022-39427, CVE-2022-39424, CVE-2022-39425, CVE-2022-39426, CVE-2022-21620, CVE-2022-21621, CVE-2022-21627
- Oracle Database 21c: CVE-2022-21603, CVE-2020-36518, CVE-2022-1586, CVE-2022-39419, CVE-2021-41495, CVE-2021-41496, CVE-2022-34169, CVE-2022-21540, CVE-2022-21541, CVE-2022-21549, CVE-2022-25647, CVE-2020-13956, CVE-2022-34305, CVE-2021-25122, CVE-2021-25329, CVE-2021-4048, CVE-2021-3737, CVE-2021-30129, CVE-2022-2048, CVE-2022-2047, CVE-2019-2904, CVE-2022-1587, CVE-2022-21606
- Oracle Solaris: CVE-2022-2068, CVE-2022-1292, CVE-2020-28196, CVE-2022-39417, CVE-2022-29885, CVE-2022-34305, CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178, CVE-2022-36359, CVE-2022-38472, CVE-2022-38473, CVE-2022-38478, CVE-2022-31625, CVE-2022-31626, CVE-2022-31627, CVE-2022-2274, CVE-2022-2097, CVE-2022-2509, CVE-2022-37434, CVE-2022-26373
- Oracle MySQL: CVE-2022-21589, CVE-2022-21595, CVE-2022-21600, CVE-2022-21605, CVE-2022-21607, CVE-2022-21592, CVE-2022-21635, CVE-2022-21638, CVE-2022-21641, CVE-2022-2097, CVE-2022-21608, CVE-2022-21617, CVE-2022-21594, CVE-2022-21599, CVE-2022-21604, CVE-2022-21611, CVE-2022-21625, CVE-2022-21632, CVE-2022-21633, CVE-2022-21637, CVE-2022-21640, CVE-2022-39400, CVE-2022-39408, CVE-2022-39410
- Oracle Database 19c: CVE-2022-21596, CVE-2022-21603, CVE-2020-36518, CVE-2022-1586, CVE-2020-13956, CVE-2022-34305, CVE-2021-25122, CVE-2021-25329, CVE-2021-30129, CVE-2022-2047, CVE-2022-25647, CVE-2019-2904, CVE-2022-1587, CVE-2022-21606, CVE-2022-39419
Visit the Oracle Critical Patch Update Advisory – October 2022 page (linked under References) for the full description of each vulnerability and the systems it affects.
Customers can scan their network with QIDs 20270, 20271, 20272, 20273, 87524, 296083, 296084, 296085, 377642, 377645, 377646, 377647, 377648, 377649, 377650, and 377651 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References:
https://www.oracle.com/security-alerts/cpuoct2022.html