ClickySkip to main content
Need help with a cyber incident now?
Call 24/7: +31 88-2747800

Oracle Critical Patch Update

Oracle patch update

This live blog contains information regarding the Oracle critical patch update, dated july 2022. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on July 21 2022.

Update July 21, 2022

15:00 |On the 18th of July 2022, Oracle released their most recent quarterly patch update, containing 349 new security patches across several product families. In total 188 CVE’s are addressed. The most severe vulnerabilities reside in the following products:

  • Oracle Commerce
  • Oracle Communications
  • Oracle Fusion Middleware
  • Oracle Retail Applications

We advise to check the advisory by Oracle and, if your products are listed, apply the required patches as soon as possible.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Potential risk

The three highlighted vulnerabilities allow a remote unauthenticated attacker to perform code execution. There is evidence these vulnerabilities are being exploited in the wild.

  • CVE-2022-22947 – CVSS score 10
  • CVE-2022-22965 – CVSS score 9,8
  • CVE-2018-1273 – CVSS Score 9,8

The other 23 vulnerabilities with a CVSS score of 9,8 also imply a significant risk. Please review the advisory of Oracle for full details on all products and corresponding vulnerabilities.

It is recommended to install the patch if it is available for your product(s). When a patch is not available for a given vulnerability, the following general advice applies:

  • Apply a work-around, if provided by a supplier
  • Restrict network access to the system until a patch is available

Detail info

With the July critical patch update, Oracle released 349 security updates across their product families, fixing 188 vulnerabilities. Vulnerability CVE-2022-22947 has a CVSS score of 10, the highest possible rating. In addition, 25 vulnerabilities have a rating of 9,8. The CVSS scale runs for 0 till 10. A score of 9.8 or higher is rare and implies a high risk of exploiting with a high impact.

In this article we highlight the following three vulnerabilities, as they are being exploited in the wild:

  • CVE-2022-22947 – CVSS score 10
  • CVE-2022-22965 – CVSS score 9,8
  • CVE-2018-1273 – CVSS Score 9,8

CISA has listed these three vulnerabilities in their Known Exploited Vulnerabilities (KEV) catalog. A vulnerability listed in the KEV catalog is actively exploited in the wild. All three vulnerabilities are related to previous vulnerabilities in the Spring Framework, about which we published an article earlier: Spring framework vulnerabilities.

These vulnerabilities reside in the following products:

  • Oracle Commerce
  • Oracle Communications
  • Oracle Fusion Middleware
  • Oracle Retail Applications

Oracle has published an advisory listing the affected products and versions. The advice is to check whether you are using these products and to install the available patches. The Oracle advisory can be found here.

Background

More information:

Subscribe

Do you want to be informed in time? Sign up for our technical updates

Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.

Tesorion uses your personal data to send out requested information and possibly for contact by telephone and for marketing and sales purposes. You can change your preferences whenever you want. Read our privacy policy for more information.