Critical Patch Update Notice for All Oracle Products in April 2022

April 21, 2022 | Jie Ji

Overview

On April 20, 2022, NSFOCUS CERT observed that Oracle had released its April Critical Patch Update (CPU) advisory. The update fixes 520 vulnerabilities of varying severity across many widely deployed products, including Oracle WebLogic Server, Oracle MySQL, Oracle Java SE, Oracle Fusion Middleware and Oracle Retail Applications. Oracle strongly recommends that customers apply the Critical Patch Update fixes as soon as possible to remediate these vulnerabilities.

Reference link: https://www.oracle.com/security-alerts/cpuapr2022.html

Key Vulnerabilities

Based on product popularity and vulnerability impact, the most significant vulnerabilities in this update are listed below. Affected users should review them carefully:

Oracle WebLogic Server Remote Code Execution Vulnerability (CVE-2022-23305)

Oracle WebLogic Server bundles the third-party Apache Log4j library, which is affected by CVE-2022-23305. An unauthenticated attacker who can reach the affected server over HTTP can send malicious requests and ultimately execute arbitrary code on the target server. The CVSS score is 9.8. The flaw sits in the JDBCAppender of the end-of-life Log4j 1.2.x line, for which no fixed upstream 1.x release exists, so the bundled copy has to be addressed through Oracle's patch.

Oracle Coherence Remote Code Execution Vulnerability (CVE-2022-21420)

A remote code execution vulnerability exists in Oracle Coherence. An unauthenticated attacker who can reach the affected server over the T3 protocol can send malicious requests and ultimately execute arbitrary code on the target server. The CVSS score is 9.8. Any product that uses the Oracle Coherence library is affected; in particular, the Coherence library is bundled by default in the WebLogic Server installation package from 11g Release 1 (10.3.4) onward.

Oracle WebLogic Server Denial of Service Vulnerability (CVE-2022-21441)

A denial of service vulnerability exists in Oracle WebLogic Server. An unauthenticated attacker can send malicious requests to the affected server over the T3 or IIOP protocol, which may cause WebLogic Server to hang or crash, resulting in a denial of service.

Oracle WebLogic Server Denial of Service Vulnerability (CVE-2022-23437)

Oracle WebLogic Server bundles the third-party Apache Xerces-J XML parser, which is affected by CVE-2022-23437. An unauthenticated attacker can send malicious requests to the affected server over HTTP, which may cause WebLogic Server to hang or crash, resulting in a denial of service. Exploitation requires interaction from a victim user.
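Both of the bundled-library issues above (Log4j for CVE-2022-23305, Xerces-J for CVE-2022-23437) are supply-chain exposures: the fix is Oracle's patch, but a practitioner also wants to know where the affected jars sit in an installation tree. The following Python script is an added example, not code from this advisory, from Oracle or from WebLogic. It inventories jars under a directory, reads the version from each jar's META-INF/MANIFEST.MF (falling back to the file name) and flags Log4j 1.x and Xerces-J older than 2.12.2. The directory layout, the fixture jars it builds in a temporary directory, and the version thresholds (every Log4j 1.x release carries CVE-2022-23305 and has no fixed upstream release; Xerces-J 2.12.2 is the first release without CVE-2022-23437) are assumptions of this example, not statements from the page.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Components the advisory names as bundled in WebLogic. The "fixed_in"
# thresholds are an assumption of this example (taken from the upstream
# projects, not from the Oracle advisory): every Log4j 1.x release carries
# CVE-2022-23305; Xerces-J 2.12.2 is the first release without CVE-2022-23437.
WATCHLIST = {
    "log4j-1.x": {"name": re.compile(r"^log4j-\d"), "fixed_in": (2, 0)},
    "xerces-j":  {"name": re.compile(r"^xerces(Impl)?\b"), "fixed_in": (2, 12, 2)},
}
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")
MANIFEST_KEYS = ("Implementation-Version", "Bundle-Version", "Specification-Version")


def parse_version(text):
    """'1.2.17' -> (1, 2, 17); None when no dotted number is present."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def manifest_version(jar):
    """Version recorded in the jar's manifest, or None if absent or unreadable."""
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for key in MANIFEST_KEYS:
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return parse_version(m.group(1))
    return None


def scan(root):
    """Return (component, jar path, version tuple or None, needs_attention) rows."""
    rows = []
    for jar in Path(root).rglob("*.jar"):
        for component, rule in WATCHLIST.items():
            if not rule["name"].match(jar.name):
                continue
            version = manifest_version(jar) or parse_version(jar.name)
            # An undeterminable version is reported for review rather than silently passed.
            flagged = version is None or version < rule["fixed_in"]
            rows.append((component, str(jar), version, flagged))
    return sorted(rows, key=lambda r: (r[0], r[1]))


def _write_jar(path, manifest_lines):
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\n" + "".join(line + "\n" for line in manifest_lines))


def build_fixture(root):
    """Constructed install tree (not a real Oracle home) to exercise the scanner."""
    root = Path(root)
    _write_jar(root / "wlserver/modules/log4j-1.2.17.jar", ["Implementation-Version: 1.2.17"])
    _write_jar(root / "wlserver/modules/log4j-core-2.17.1.jar", ["Implementation-Version: 2.17.1"])  # Log4j 2: not 1.x, ignored
    _write_jar(root / "oracle_common/modules/xercesImpl.jar", ["Bundle-Version: 2.11.0"])  # version only in the manifest
    _write_jar(root / "oracle_common/modules/xercesImpl-2.12.2.jar", [])  # version only in the file name
    return root


def demo():
    """Scan the constructed tree and return rows with paths relative to its root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_fixture(tmp)
        return [(c, Path(p).relative_to(root).as_posix(), v, f) for c, p, v, f in scan(root)]


if __name__ == "__main__":
    for component, path, version, flagged in demo():
        print(f"{'REVIEW' if flagged else 'ok    '} {component:10} {path}  version={version}")
```

Point scan() at a real Oracle home instead of the fixture to inventory an installation; jars whose version cannot be determined are listed as needing review on purpose, because an unversioned copy of an affected library is exactly the case that otherwise slips through.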

Oracle WebLogic Server Authentication Bypass Vulnerability (CVE-2022-21453/CVE-2021-41184)

Oracle WebLogic Server contains vulnerabilities that an unauthenticated attacker can exploit by sending malicious requests to the affected server over HTTP, gaining unauthorized read access to, or the ability to insert, delete or modify, a subset of the data accessible to WebLogic Server. Exploitation requires interaction from a victim user. Because CVE-2021-41184 is in a third-party component (jQuery UI), it may also affect other products.

Multiple vulnerabilities in Oracle MySQL

This security update provides 43 security patches for Oracle MySQL, 11 of which address vulnerabilities that may be exploited remotely without authentication, that is, over the network without user credentials. The high-risk CVEs are:

  • CVE-2022-23305
  • CVE-2022-22965
  • CVE-2022-0778

Multiple vulnerabilities in Oracle Financial Services Applications

This security update provides 41 security patches for Oracle Financial Services Applications, 19 of which address vulnerabilities that may be exploited remotely without authentication. The high-risk CVEs are:

  • CVE-2022-22965
  • CVE-2022-23305

Multiple vulnerabilities in Oracle Insurance Applications:

This security update provides seven security patches for Oracle Insurance Applications, five of which address vulnerabilities that may be exploited remotely without authentication. An attacker with network access over HTTP can send malicious requests that compromise components of the product and gain full access to critical data. The high-risk CVEs are:

  • CVE-2021-2351
  • CVE-2021-36090

Multiple vulnerabilities in Oracle Communications

This security update provides 149 security patches for Oracle Communications, 98 of which address vulnerabilities that may be exploited remotely without authentication. The high-risk CVEs are:

  • CVE-2022-21431
  • CVE-2022-23305
  • CVE-2022-23990

Multiple vulnerabilities in Oracle Communications Applications

This security update provides 39 security patches for Oracle Communications Applications, 22 of which address vulnerabilities that may be exploited remotely without authentication. The high-risk CVEs are:

  • CVE-2022-21431
  • CVE-2022-23305
  • CVE-2022-23990

Multiple vulnerabilities in Oracle E-Business Suite

This security update provides five security patches for Oracle E-Business Suite, two of which address vulnerabilities that may be exploited remotely without authentication. The high-risk CVE is:

  • CVE-2022-23305

Multiple vulnerabilities in Oracle Retail Applications

This security update provides 30 security patches for Oracle Retail Applications, 15 of which address vulnerabilities that may be exploited remotely without authentication. The high-risk CVE is:

  • CVE-2022-22965

Oracle’s official April Critical Patch Update vulnerabilities are summarized by product family as follows:

Product | Number of vulnerabilities | Number remotely exploitable without authentication | Highest CVSS score
Oracle Database Server | 5 | 0 | 7.2
Oracle Autonomous Health Framework | 1 | 0 | 7.8
Oracle Blockchain Platform | 15 | 14 | 9.8
Oracle GoldenGate | 5 | 4 | 9.1
Oracle REST Data Services | 1 | 0 | 4.2
Oracle SQL Developer | 2 | 1 | 6.6
Oracle Commerce | 7 | 3 | 8.8
Oracle Communications Applications | 39 | 22 | 10
Oracle Communications | 149 | 98 | 10
Oracle Construction and Engineering | 3 | 1 | 7.6
Oracle E-Business Suite | 5 | 2 | 9.8
Oracle Enterprise Manager | 10 | 7 | 9.8
Oracle Financial Services Applications | 41 | 19 | 9.8
Oracle Fusion Middleware | 54 | 41 | 9.8
Oracle Health Sciences Applications | 3 | 1 | 9.8
Oracle HealthCare Applications | 10 | 5 | 9.8
Oracle Hospitality Applications | 6 | 2 | 8.8
Oracle Hyperion | 12 | 4 | 9.8
Oracle iLearning | 1 | 1 | 6.5
Oracle Insurance Applications | 7 | 5 | 8.3
Oracle Java SE | 7 | 7 | 7.5
Oracle JD Edwards | 8 | 8 | 9.8
Oracle MySQL | 43 | 11 | 9.8
Oracle PeopleSoft | 14 | 8 | 8.8
Oracle Retail Applications | 30 | 15 | 9.8
Oracle Supply Chain | 11 | 5 | 9.8
Oracle Support Tools | 3 | 1 | 6.5
Oracle Systems | 20 | 14 | 9.8
Oracle Taleo | 1 | 0 | 6.6
Oracle Utilities Applications | 1 | 0 | 6.6
Oracle Virtualization | 6 | 1 | 9

Mitigation

Patch update

Refer to the appendix “Affected Products and Patch Information” to obtain the update patch for each affected product promptly, and follow the README file in the patch package to install it, so that the fix remains effective in the long term.

Note: Oracle’s official patches are available only to customers with a valid support account. After logging in to https://support.oracle.com with that account, the latest patches can be downloaded.

Weblogic temporary mitigation

If patches cannot be installed immediately and the business does not rely on the T3 protocol to communicate with the JVM, the following measures can be used to block attacks that exploit T3 protocol vulnerabilities:

WebLogic Server provides a default connection filter named weblogic.security.net.ConnectionFilterImpl. Out of the box this filter accepts all incoming connections; rules can be configured on it to control access to the T3 and T3s protocols. The detailed steps are as follows:

1. In the WebLogic administration console, open the base_domain configuration page, select the “Security” tab, click “Filter”, and open the connection filter configuration.

2. In the “Connection Filter” field, enter weblogic.security.net.ConnectionFilterImpl, then enter rules in the “Connection Filter Rules” field following the pattern below (one rule per line; the bracketed entries are placeholders to replace with the enterprise's actual addresses):

127.0.0.1 * * allow t3 t3s

[the server's own IP address] * * allow t3 t3s

[IP addresses or networks that are allowed to access T3] * * allow t3 t3s

* * * deny t3 t3s

Note that these rules restrict only T3 and T3s. CVE-2022-21441 above is also reachable over IIOP, so if IIOP is not needed either, extend the final rule to deny it as well, for example * * * deny t3 t3s giop giops.

Connection filter rules have the format target localAddress localPort action protocols, where:

  • target specifies the remote host(s) the rule applies to: an IP address, a host name, or a network written as address/netmask. An asterisk (*) matches any remote host.
  • localAddress is the server’s local listen address. If specified as an asterisk (*), the rule matches all local IP addresses.
  • localPort is the port the server is listening on. If specified as an asterisk (*), the rule matches all ports on the server.
  • action is the action to perform; the value must be allow or deny.
  • protocols is a list of protocol names to match, chosen from http, https, t3, t3s, giop, giops, dcom and ftp. If no protocol is given, the rule matches all protocols.

3. If the rules do not take effect after saving, restart the WebLogic service. (Restarting interrupts service; the relevant personnel should evaluate the risk before proceeding.) The steps are as follows:

Change to the bin directory under the domain directory and run stopWebLogic.cmd (Windows) or stopWebLogic.sh (Linux) to stop the WebLogic service.

After the stop script has completed, run startWebLogic.cmd or startWebLogic.sh to start WebLogic again, which completes the restart.

Reference link: https://docs.oracle.com/cd/E24329_01/web.1211/e24485/con_filtr.htm#SCPRG377
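To check a rule set before saving it in the console, and to confirm afterwards that the listen port no longer answers T3 from a host the rules should deny, the following Python script is an added example; it is not code from this advisory, from Oracle or from WebLogic. It models ConnectionFilterImpl rule evaluation in plain Python so a rule set can be evaluated offline, and carries a small T3 probe that sends the handshake common scanners use and reports whether a HELO reply comes back. The assumptions: rules are evaluated top to bottom, the first matching rule decides, and a connection matching no rule is allowed (as Oracle's connection-filter documentation describes); the IP addresses, the sample rule sets and the sample HELO reply are constructed for the example; the protocol list is the one this page gives.

```python
import ipaddress
import re
import socket

# Protocol names the page lists for connection filter rules.
KNOWN_PROTOCOLS = {"http", "https", "t3", "t3s", "giop", "giops", "dcom", "ftp"}

# The rule set from step 2 above with the placeholders filled in
# (constructed: 10.1.2.3 = the server's own IP, 10.1.2.0/24 = clients allowed to use T3).
RULES_FROM_PAGE = """
127.0.0.1 * * allow t3 t3s
10.1.2.3 * * allow t3 t3s
10.1.2.0/255.255.255.0 * * allow t3 t3s
* * * deny t3 t3s
"""

# Same rules, but the final rule also denies IIOP (giop/giops), which CVE-2022-21441 can use.
RULES_HARDENED = RULES_FROM_PAGE.replace("* * * deny t3 t3s", "* * * deny t3 t3s giop giops")


# ---- Offline model of ConnectionFilterImpl rule evaluation -------------------
# Assumption of this example (from Oracle's documentation, not WebLogic code):
# rules are tried top to bottom, the first match decides, no match means allow.

def parse_rules(text):
    """'target localAddress localPort action protocols...' lines -> rule tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        target, local_addr, local_port, action, *protocols = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"action must be allow or deny: {line!r}")
        unknown = set(protocols) - KNOWN_PROTOCOLS
        if unknown:
            raise ValueError(f"unknown protocol(s) {sorted(unknown)}: {line!r}")
        rules.append((target, local_addr, local_port, action, frozenset(protocols)))
    return rules


def _target_matches(target, client_ip):
    if target == "*":
        return True
    if "/" in target:  # address/netmask (Oracle's form) or address/prefix both parse
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(target, strict=False)
    return target == client_ip  # host names must be resolved before calling


def decide(rules, client_ip, protocol, local_addr, local_port):
    """'allow' or 'deny' for one incoming connection."""
    for target, addr, port, action, protocols in rules:
        if protocols and protocol not in protocols:  # empty protocol list matches everything
            continue
        if addr != "*" and addr != local_addr:
            continue
        if port != "*" and int(port) != int(local_port):
            continue
        if _target_matches(target, client_ip):
            return action
    return "allow"


def open_to_anyone(rules, local_addr, local_port, probe_ip="203.0.113.9"):
    """Protocols that an arbitrary address (here one from TEST-NET-3) can still reach."""
    return sorted(p for p in KNOWN_PROTOCOLS
                  if decide(rules, probe_ip, p, local_addr, local_port) == "allow")


# ---- Live check: does the listen port still answer a T3 handshake? -----------
T3_HANDSHAKE = b"t3 12.2.1\nAS:255\nHL:19\n\n"  # the handshake text common T3 scanners send
HELO_RE = re.compile(rb"^HELO:(\d+(?:\.\d+)+)")
SAMPLE_HELO = b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\n\n"  # constructed, shaped like a real reply


def parse_t3_banner(data):
    """Server version from a HELO reply, or None if the bytes are not one."""
    m = HELO_RE.match(data)
    return m.group(1).decode() if m else None


def probe_t3(host, port=7001, timeout=5.0):
    """Classify host:port as port-closed, t3-refused (filtered or disabled) or t3-open."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"state": "port-closed", "detail": str(exc)}
    data = b""
    with sock:
        try:
            sock.sendall(T3_HANDSHAKE)
            while b"\n\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except OSError as exc:  # reset or timeout: the filter (or a disabled T3) dropped us
            return {"state": "t3-refused", "detail": str(exc)}
    version = parse_t3_banner(data)
    if version is None:
        return {"state": "t3-refused", "detail": data[:64]}
    return {"state": "t3-open", "version": version}


if __name__ == "__main__":
    for label, text in (("page rules", RULES_FROM_PAGE), ("hardened rules", RULES_HARDENED)):
        print(label, "still open to any address:", open_to_anyone(parse_rules(text), "10.1.2.3", 7001))
    print(probe_t3("127.0.0.1"))  # run this from an address the rules are meant to deny
```

Run open_to_anyone() against a candidate rule set before pasting it into the console: with the page's rules it still lists giop and giops, which is the IIOP gap the note above warns about, and with the hardened set it lists only the HTTP and other non-T3 protocols. Then run probe_t3() from a host outside the allowed ranges; a "t3-open" result after the restart means the filter is not in effect.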

Appendix

Affected products and version numbers | Patches available
Engineered Systems Utilities, versions 12.1.0.2, 19c, 21c | https://support.oracle.com/rs?type=doc&id=2844795.1
Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0 | https://support.oracle.com/rs?type=doc&id=2844807.1
Enterprise Manager for Peoplesoft, versions 13.4.1.1, 13.5.1.1 | https://support.oracle.com/rs?type=doc&id=2844807.1
Enterprise Manager for Storage Management, version 13.4.0.0 | https://support.oracle.com/rs?type=doc&id=2844807.1
Enterprise Manager Ops Center, version 12.4.0.0 | https://support.oracle.com/rs?type=doc&id=2844807.1
Helidon, versions 1.4.7, 1.4.10, 2.0.0-RC1 | https://support.oracle.com/rs?type=doc&id=2645279.1
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 | https://support.oracle.com/rs?type=doc&id=2856639.1
JD Edwards EnterpriseOne Tools, versions prior to 9.2.6.3 | https://support.oracle.com/rs?type=doc&id=2858978.1
JD Edwards World Security, version A9.4 | https://support.oracle.com/rs?type=doc&id=2858978.1
Management Cloud Engine, versions 1.5.0 and prior | https://support.oracle.com/rs?type=doc&id=2859067.1
Middleware Common Libraries and Tools, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
MySQL Cluster, versions 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | https://support.oracle.com/rs?type=doc&id=2856097.1
MySQL Connectors, versions 8.0.28 and prior | https://support.oracle.com/rs?type=doc&id=2856097.1
MySQL Enterprise Monitor, versions 8.0.29 and prior | https://support.oracle.com/rs?type=doc&id=2856097.1
MySQL Server, versions 5.7.37 and prior, 8.0.28 and prior | https://support.oracle.com/rs?type=doc&id=2856097.1
MySQL Workbench, versions 8.0.28 and prior | https://support.oracle.com/rs?type=doc&id=2856097.1
Oracle Advanced Supply Chain Planning, versions 12.1, 12.2 | https://support.oracle.com/rs?type=doc&id=2858979.1
Oracle Agile Engineering Data Management, version 6.2.1.0 | https://support.oracle.com/rs?type=doc&id=2858979.1
Oracle Agile PLM, version 9.3.6 | https://support.oracle.com/rs?type=doc&id=2858979.1
Oracle Agile PLM MCAD Connector, version 3.6 | https://support.oracle.com/rs?type=doc&id=2858979.1
Oracle Application Express, versions prior to 22.1 | https://support.oracle.com/rs?type=doc&id=2844795.1
Oracle Application Testing Suite, version 13.3.0.1 | https://support.oracle.com/rs?type=doc&id=2844807.1
Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2 | https://support.oracle.com/rs?type=doc&id=2858979.1
Oracle Banking Deposits and Lines of Credit Servicing, version 2.12.0 | https://support.oracle.com
Oracle Banking Enterprise Default Management, versions 2.7.1, 2.10.0, 2.12.0 | https://support.oracle.com/rs?type=doc&id=2861653.1
Oracle Banking Loans Servicing, version 2.12.0 | https://support.oracle.com
Oracle Banking Party Management, version 2.7.0 | https://support.oracle.com/rs?type=doc&id=2861653.1
Oracle Banking Payments, version 14.5 | https://support.oracle.com
Oracle Banking Platform, versions 2.6.2, 2.7.1, 2.12.0 | https://support.oracle.com/rs?type=doc&id=2861653.1
Oracle Banking Trade Finance, version 14.5 | https://support.oracle.com
Oracle Banking Treasury Management, version 14.5 | https://support.oracle.com
Oracle Blockchain Platform, versions prior to 21.1.2 | https://support.oracle.com/rs?type=doc&id=2844795.1
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2853459.2
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle Coherence, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle Commerce Guided Search, version 11.3.2 | https://support.oracle.com/rs?type=doc&id=2859309.1
Oracle Communications ASAP, version 7.3 | https://support.oracle.com/rs?type=doc&id=2856716.1
Oracle Communications Billing and Revenue Management, versions 12.0.0.4, 12.0.0.5 | https://support.oracle.com/rs?type=doc&id=2856675.1
Oracle Communications Cloud Native Core Automated Test Suite, versions 1.8.0, 1.9.0, 22.1.0 | https://support.oracle.com/rs?type=doc&id=2859046.1
Oracle Communications Cloud Native Core Binding Support Function, version 1.11.0 | https://support.oracle.com/rs?type=doc&id=2859047.1
Oracle Communications Cloud Native Core Console, versions 1.9.0, 22.1.0 | https://support.oracle.com/rs?type=doc&id=2859048.1
Oracle Communications Cloud Native Core Network Exposure Function, version 22.1.0 | https://support.oracle.com/rs?type=doc&id=2863903.1
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 1.10.0, 22.1.0 | https://support.oracle.com/rs?type=doc&id=2861795.1
Oracle Communications Cloud Native Core Network Repository Function, versions 1.15.0, 1.15.1, 22.1.0 | https://support.oracle.com/rs?type=doc&id=2861796.1
Oracle Communications Cloud Native Core Network Slice Selection Function, versions 1.8.0, 22.1.0 | https://support.oracle.com/rs?type=doc&id=2861807.1
Oracle Communications Cloud Native Core Policy, versions 1.14.0, 1.15.0, 22.1.0 | https://support.oracle.com/rs?type=doc&id=2859049.1
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 1.7.0, 22.1.0 | https://support.oracle.com/rs?type=doc&id=2859050.1
Oracle Communications Cloud Native Core Service Communication Proxy, version 1.15.0 | https://support.oracle.com/rs?type=doc&id=2859052.1
Oracle Communications Cloud Native Core Unified Data Repository, versions 1.15.0, 22.1.0 | https://support.oracle.com/rs?type=doc&id=2859053.1
Oracle Communications Contacts Server, version 8.0.0.6.0 | https://support.oracle.com/rs?type=doc&id=2856674.1
Oracle Communications Convergence, versions 3.0.2.2, 3.0.3.0 | https://support.oracle.com/rs?type=doc&id=2856674.1
Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0 | https://support.oracle.com/rs?type=doc&id=2856694.1
Oracle Communications Design Studio, versions 7.3.5, 7.4.0-7.4.2 | https://support.oracle.com/rs?type=doc&id=2856707.1
Oracle Communications Diameter Intelligence Hub, versions 8.0.0-8.2.3 | https://support.oracle.com/rs?type=doc&id=2859054.1
Oracle Communications Diameter Signaling Router, version 8.4.0.0 | https://support.oracle.com/rs?type=doc&id=2859055.1
Oracle Communications EAGLE Application Processor | https://support.oracle.com/rs?type=doc&id=2861811.1
Oracle Communications EAGLE Element Management System, version 46.6 | https://support.oracle.com/rs?type=doc&id=2859068.1
Oracle Communications EAGLE FTP Table Base Retrieval, version 4.5 | https://support.oracle.com/rs?type=doc&id=2861832.1
Oracle Communications EAGLE LNP Application Processor, versions 10.1, 10.2 | https://support.oracle.com/rs?type=doc&id=2861828.1
Oracle Communications EAGLE Software, versions 46.7.0, 46.8.0-46.8.2, 46.9.1-46.9.3 | https://support.oracle.com/rs?type=doc&id=2861808.1
Oracle Communications Element Manager, versions prior to 9.0 | https://support.oracle.com/rs?type=doc&id=2859056.1
Oracle Communications Evolved Communications Application Server, version 7.1 | https://support.oracle.com/rs?type=doc&id=2859057.1
Oracle Communications Instant Messaging Server, version 10.0.1.5.0 | https://support.oracle.com/rs?type=doc&id=2856674.1
Oracle Communications Interactive Session Recorder, version 6.4 | https://support.oracle.com/rs?type=doc&id=2859058.1
Oracle Communications IP Service Activator, version 7.4.0 | https://support.oracle.com/rs?type=doc&id=2856708.1
Oracle Communications Messaging Server, version 8.1 | https://support.oracle.com/rs?type=doc&id=2856674.1
Oracle Communications MetaSolv Solution, version 6.3.1 | https://support.oracle.com/rs?type=doc&id=2856717.1
Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0 | https://support.oracle.com/rs?type=doc&id=2856694.1
Oracle Communications Network Integrity, versions 7.3.2, 7.3.5, 7.3.6 | https://support.oracle.com/rs?type=doc&id=2856673.1
Oracle Communications Operations Monitor, versions 4.3, 4.4, 5.0 | https://support.oracle.com/rs?type=doc&id=2859059.1
Oracle Communications Order and Service Management, versions 7.3, 7.4 | https://support.oracle.com/rs?type=doc&id=2856706.1
Oracle Communications Performance Intelligence Center (PIC) Software, versions 10.3.0.0.0-10.3.0.2.1, 10.4.0.1.0-10.4.0.3.1 | https://support.oracle.com/rs?type=doc&id=2859060.1
Oracle Communications Policy Management, versions 12.5.0.0.0, 12.6.0.0.0 | https://support.oracle.com/rs?type=doc&id=2859061.1
Oracle Communications Pricing Design Center, versions 12.0.0.4, 12.0.0.5 | https://support.oracle.com/rs?type=doc&id=2856675.1
Oracle Communications Services Gatekeeper, version 7.0.0.0.0 | https://support.oracle.com/rs?type=doc&id=2859062.1
Oracle Communications Session Border Controller, versions 8.4, 9.0 | https://support.oracle.com/rs?type=doc&id=2858583.1
Oracle Communications Session Report Manager, versions prior to 9.0 | https://support.oracle.com/rs?type=doc&id=2859063.1
Oracle Communications Session Route Manager, versions prior to 9.0 | https://support.oracle.com/rs?type=doc&id=2859064.1
Oracle Communications Unified Inventory Management, versions 7.4.1, 7.4.2 | https://support.oracle.com/rs?type=doc&id=2856709.1
Oracle Communications Unified Session Manager, versions 8.2.5, 8.4.5 | https://support.oracle.com/rs?type=doc&id=2858584.1
Oracle Communications User Data Repository, version 12.4 | https://support.oracle.com/rs?type=doc&id=2862337.1
Oracle Communications WebRTC Session Controller, version 7.2.1 | https://support.oracle.com/rs?type=doc&id=2861922.1
Oracle Data Integrator, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle Database Server, versions 12.1.0.2, 19c, 21c | https://support.oracle.com/rs?type=doc&id=2844795.1
Oracle Documaker, versions 12.6.0, 12.6.2-12.6.4, 12.7.0 | https://support.oracle.com/rs?type=doc&id=2857284.1
Oracle E-Business Suite, versions 12.2.4-12.2.11, [EBS Cloud Manager and Backup Module] prior to 22.1.1.1, [Enterprise Command Center] 7.0, [Enterprise Information Discovery] 7-9 | https://support.oracle.com/rs?type=doc&id=2484000.1
Oracle Enterprise Communications Broker, versions 3.2, 3.3 | https://support.oracle.com/rs?type=doc&id=2858599.1
Oracle Enterprise Session Border Controller, versions 8.4, 9.0 | https://support.oracle.com/rs?type=doc&id=2858583.1
Oracle Ethernet Switch ES1-24, version 1.3.1 | https://support.oracle.com/rs?type=doc&id=2857179.1
Oracle Ethernet Switch TOR-72, version 1.2.2 | https://support.oracle.com/rs?type=doc&id=2857179.1
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6.0-8.0.9.0, 8.1.0.0-8.1.2.0 | https://support.oracle.com/rs?type=doc&id=2856189.1
Oracle Financial Services Behavior Detection Platform, versions 8.0.6.0-8.0.8.0, 8.1.1.0, 8.1.1.1, 8.1.2.0 | https://support.oracle.com/rs?type=doc&id=2863604.1
Oracle Financial Services Enterprise Case Management, versions 8.0.7.1, 8.0.7.2, 8.0.8.0, 8.0.8.1, 8.1.1.0, 8.1.1.1, 8.1.2.0 | https://support.oracle.com/rs?type=doc&id=2856550.1
Oracle Financial Services Revenue Management and Billing, versions 2.7.0.0, 2.7.0.1, 2.8.0.0 | https://support.oracle.com/rs?type=doc&id=2860692.1
Oracle FLEXCUBE Universal Banking, versions 11.83.3, 12.1-12.4, 14.0-14.3, 14.5 | https://support.oracle.com
Oracle Global Lifecycle Management OPatch | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle GoldenGate, versions prior to 12.3.0.1.2, prior to 23.1 | https://support.oracle.com/rs?type=doc&id=2844795.1
Oracle GoldenGate Application Adapters, versions prior to 23.1 | https://support.oracle.com/rs?type=doc&id=2844795.1
Oracle GoldenGate Big Data and Application Adapters, versions prior to 23.1 | https://support.oracle.com/rs?type=doc&id=2844795.1
Oracle GraalVM Enterprise Edition, versions 20.3.5, 21.3.1, 22.0.0.2 | https://support.oracle.com/rs?type=doc&id=2855980.1
Oracle Health Sciences Empirica Signal, versions 9.1.0.6, 9.2.0.0 | https://support.oracle.com/rs?type=doc&id=2854079.1
Oracle Health Sciences InForm, versions 6.2.1.1, 6.3.2.1, 7.0.0.0 | https://support.oracle.com/rs?type=doc&id=2854079.1
Oracle Health Sciences InForm Publisher, versions 6.2.1.1, 6.3.1.1 | https://support.oracle.com/rs?type=doc&id=2854079.1
Oracle Health Sciences Information Manager, versions 3.0.1-3.0.4 | https://support.oracle.com/rs?type=doc&id=2862542.1
Oracle Healthcare Data Repository, versions 8.1.0, 8.1.1 | https://support.oracle.com/rs?type=doc&id=2862542.1
Oracle Healthcare Foundation, versions 7.3.0.1-7.3.0.4 | https://support.oracle.com/rs?type=doc&id=2862542.1
Oracle Healthcare Master Person Index, version 5.0.1 | https://support.oracle.com/rs?type=doc&id=2862542.1
Oracle Healthcare Translational Research, versions 4.1.0, 4.1.1 | https://support.oracle.com/rs?type=doc&id=2862542.1
Oracle Hospitality Suite8, versions 8.10.2, 8.11.0-8.14.0 | https://support.oracle.com/rs?type=doc&id=2857213.1
Oracle Hospitality Token Proxy Service, version 19.2 | https://support.oracle.com/rs?type=doc&id=2859245.1
Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle Hyperion BI+, versions prior to 11.2.8.0 | https://support.oracle.com/rs?type=doc&id=2775466.2
Oracle Hyperion Calculation Manager, versions prior to 11.2.8.0 | https://support.oracle.com/rs?type=doc&id=2775466.2
Oracle Hyperion Data Relationship Management, versions prior to 11.2.8.0, prior to 11.2.9.0 | https://support.oracle.com/rs?type=doc&id=2775466.2
Oracle Hyperion Financial Management, versions prior to 11.2.8.0 | https://support.oracle.com/rs?type=doc&id=2775466.2
Oracle Hyperion Infrastructure Technology, versions prior to 11.2.8.0 | https://support.oracle.com/rs?type=doc&id=2775466.2
Oracle Hyperion Planning, versions prior to 11.2.8.0 | https://support.oracle.com/rs?type=doc&id=2775466.2
Oracle Hyperion Profitability and Cost Management, versions prior to 11.2.8.0 | https://support.oracle.com/rs?type=doc&id=2775466.2
Oracle Hyperion Tax Provision, versions prior to 11.2.8.0 | https://support.oracle.com/rs?type=doc&id=2775466.2
Oracle Identity Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle Identity Manager Connector, versions 9.1.0, 11.1.1.5.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle iLearning, versions 6.2, 6.3 | https://support.oracle.com/rs?type=doc&id=2859330.1
Oracle Insurance Data Gateway, version 1.0.1 | https://support.oracle.com/rs?type=doc&id=2857284.1
Oracle Insurance Insbridge Rating and Underwriting, versions 5.2.0, 5.4.0-5.6.0, 5.6.1 | https://support.oracle.com/rs?type=doc&id=2857284.1
Oracle Insurance Policy Administration, versions 11.0.2, 11.1.0, 11.2.8, 11.3.0, 11.3.1 | https://support.oracle.com/rs?type=doc&id=2857284.1
Oracle Insurance Rules Palette, versions 11.0.2, 11.1.0, 11.2.8, 11.3.0, 11.3.1 | https://support.oracle.com/rs?type=doc&id=2857284.1
Oracle Internet Directory, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle Java SE, versions 7u331, 8u321, 11.0.14, 17.0.2, 18 | https://support.oracle.com/rs?type=doc&id=2855980.1
Oracle JDeveloper, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle NoSQL Database | https://support.oracle.com/rs?type=doc&id=2844795.1
Oracle Outside In Technology, version 8.5.5 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle Payment Interface, versions 19.1, 20.3 | https://support.oracle.com/rs?type=doc&id=2859245.1
Oracle Product Lifecycle Analytics, version 3.6.1.0 | https://support.oracle.com/rs?type=doc&id=2858979.1
Oracle REST Data Services, versions prior to 21.2 | https://support.oracle.com/rs?type=doc&id=2844795.1
Oracle Retail Bulk Data Integration, version 16.0.3 | https://support.oracle.com/rs?type=doc&id=2855697.1
Oracle Retail Customer Insights, versions 15.0.2, 16.0.2 | https://support.oracle.com/rs?type=doc&id=2855697.1
Oracle Retail Customer Management and Segmentation Foundation, versions 17.0-19.0 | https://support.oracle.com/rs?type=doc&id=2855697.1
Oracle Retail Data Extractor for Merchandising, versions 15.0.2, 16.0.2 | https://support.oracle.com/rs?type=doc&id=2855697.1
Oracle Retail EFTLink, versions 17.0.2, 18.0.1, 19.0.1, 20.0.1, 21.0.0 | https://support.oracle.com/rs?type=doc&id=2855697.1
Oracle Retail Extract Transform and Load, version 13.2.8 | https://support.oracle.com/rs?type=doc&id=2855697.1
Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 | https://support.oracle.com/rs?type=doc&id=2855697.1
Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 | https://support.oracle.com/rs?type=doc&id=2855697.1
Oracle Retail Invoice Matching, version 16.0.3 | https://support.oracle.com/rs?type=doc&id=2855697.1
Oracle Retail Merchandising System, versions 16.0.3, 19.0.1 | https://support.oracle.com/rs?type=doc&id=2855697.1
Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 | https://support.oracle.com/rs?type=doc&id=2855697.1
Oracle Retail Store Inventory Management, versions 14.0.4.13, 14.1.3.5, 14.1.3.14, 15.0.3.3, 15.0.3.8, 16.0.3.7 | https://support.oracle.com/rs?type=doc&id=2855697.1
Oracle Retail Xstore Office Cloud Service, versions 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1 | https://support.oracle.com/rs?type=doc&id=2855697.1
Oracle Retail Xstore Point of Service, versions 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1, 21.0.0 | https://support.oracle.com/rs?type=doc&id=2855697.1
Oracle SD-WAN Edge, versions 9.0, 9.1 | https://support.oracle.com/rs?type=doc&id=2863674.1
Oracle Secure Backup | https://support.oracle.com/rs?type=doc&id=2844795.1
Oracle Secure Global Desktop, version 5.6 | https://support.oracle.com/rs?type=doc&id=2859130.1
Oracle Solaris, version 11 | https://support.oracle.com/rs?type=doc&id=2857179.1
Oracle Solaris Cluster, version 4 | https://support.oracle.com/rs?type=doc&id=2857179.1
Oracle SQL Developer, versions prior to 21.99 | https://support.oracle.com/rs?type=doc&id=2844795.1
Oracle StorageTek ACSLS, version 8.5.1 | https://support.oracle.com/rs?type=doc&id=2857179.1
Oracle StorageTek Tape Analytics (STA), version 2.4 | https://support.oracle.com/rs?type=doc&id=2857179.1
Oracle Taleo Platform, versions prior to 22.1 | https://support.oracle.com/rs?type=doc&id=2862405.1
Oracle Transportation Management, versions 6.4.3, 6.5.1 | https://support.oracle.com/rs?type=doc&id=2858979.1
Oracle Tuxedo, version 12.2.2.0.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle Utilities Framework, versions 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0 | https://support.oracle.com/rs?type=doc&id=2856383.1
Oracle VM VirtualBox, versions prior to 6.1.34 | https://support.oracle.com/rs?type=doc&id=2859130.1
Oracle Web Services Manager, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2853458.2
Oracle ZFS Storage Appliance Kit, version 8.8 | https://support.oracle.com/rs?type=doc&id=2857179.1
OSS Support Tools, versions 2.12.42, 18.3 | https://support.oracle.com/rs?type=doc&id=2859097.1
PeopleSoft Enterprise CS Academic Advisement, version 9.2 | https://support.oracle.com/rs?type=doc&id=2858976.1
PeopleSoft Enterprise FIN Cash Management, version 9.2 | https://support.oracle.com/rs?type=doc&id=2858976.1
PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59 | https://support.oracle.com/rs?type=doc&id=2858976.1
PeopleSoft Enterprise PRTL Interaction Hub, version 9.1 | https://support.oracle.com/rs?type=doc&id=2858976.1
Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12, 21.12 | https://support.oracle.com/rs?type=doc&id=2856639.1

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.