Oracle fixes 497 vulnerabilities

21 January 2022 | CERT, SOC, Vulnerability

This live blog contains information regarding the Oracle critical patch update from January 2022. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog.

Update January 21, 2022

14:00 | On 19 January 2022 Oracle released its most recent quarterly Critical Patch Update, fixing 497 new vulnerabilities. The most severe vulnerabilities reside in:

  • Oracle Enterprise Manager;
  • Oracle Financial Services Applications;
  • Oracle Fusion Middleware.

We advise checking Oracle's advisory to see whether your products are listed and applying the required patches as soon as possible.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Potential risk

In total, Oracle fixed 497 vulnerabilities with the January update, spread over approximately 41 products. Three products contain a vulnerability with a CVSS score of 9.8. The CVSS scale runs from 0 to 10; a score of 9.8 or higher is rare and implies a high likelihood of exploitation with a high impact.

These vulnerabilities (CVE-2021-3177, CVE-2019-17495, CVE-2020-17530, CVE-2022-21306 and CVE-2021-35587) allow a remote unauthenticated attacker to execute code or to access and modify sensitive data.

Currently there is no evidence that these vulnerabilities are being exploited in the wild. However, the release of patches often enables attackers to develop exploits, so a public exploit for any of these vulnerabilities is to be expected.

Detail info

An overview of the most severe vulnerabilities, those with a CVSS score of 9.8, residing in Oracle Enterprise Manager, Oracle Financial Services Applications and Oracle Fusion Middleware can be found below:

  • CVE-2021-3177 in the Oracle Enterprise Manager products is a remote code execution vulnerability that allows an unauthenticated remote attacker to execute code.
  • CVE-2019-17495 in Oracle Financial Services Applications allows an unauthenticated attacker to access or modify sensitive data remotely.
  • Oracle Fusion Middleware is vulnerable to CVE-2020-17530, CVE-2022-21306 and CVE-2021-35587, which allow an unauthenticated attacker with network access to execute code.
  • In short, these vulnerabilities allow a remote unauthenticated attacker to execute code or to access and modify sensitive data.


Oracle has published an article listing the affected products and versions. Check whether you are using any of these products and install the available updates.

The article can be found here: https://www.oracle.com/security-alerts/cpujan2022.html

It is recommended to install the patch if it is available for your product(s). When a patch is not available for a given vulnerability, the following general advice applies:

  • Apply a workaround, if one is provided by the supplier;
  • Restrict network access to the system until a patch is available.
