Vulnerability Description
On April 21, 2021, NSFOCUS observed that Oracle had released its April 2021 Critical Patch Update (CPU), which fixes 400 vulnerabilities of varying severity. This CPU covers many widely used products, including Oracle Database Server, Oracle Java SE, Oracle Fusion Middleware, Oracle MySQL, and Oracle Communications. Oracle strongly recommends that customers apply the Critical Patch Update patches as soon as possible.
Reference link:
https://www.oracle.com/security-alerts/cpuapr2021.html
Description of Critical Vulnerabilities
Based on product popularity and vulnerability severity, we have selected from this update the vulnerabilities with the greatest impact for affected users.
Oracle MySQL multiple vulnerabilities:
This CPU contains 49 security patches for Oracle MySQL. Ten of these vulnerabilities may be remotely exploitable without requiring user credentials (several of them are in third-party components bundled with MySQL, such as OpenSSL, Tomcat, Struts, Kerberos and Node.js). The CVE IDs of the high-risk vulnerabilities are listed as follows:
CVE-2020-17527
CVE-2020-17530
CVE-2020-1971
CVE-2020-28196
CVE-2020-8277
CVE-2021-2307
CVE-2021-23841
CVE-2021-3449
CVE-2021-3450
Oracle Communications Applications multiple vulnerabilities:
This CPU contains 13 security patches for Oracle Communications Applications. 12 of these vulnerabilities may be remotely exploitable without requiring user credentials. The CVE IDs of high-risk vulnerabilities are listed as follows:
CVE-2020-11612
CVE-2019-0228
CVE-2020-28052
Oracle E-Business Suite multiple vulnerabilities:
This CPU contains 70 security patches for Oracle E-Business Suite. 22 of these vulnerabilities may be remotely exploitable without requiring user credentials. An unauthenticated attacker with network access via HTTP could compromise affected Oracle E-Business Suite products; successful exploitation can result in unauthorized creation, deletion or modification access to critical data, or complete access to all data accessible to the affected product. The CVE IDs of high-risk vulnerabilities are listed as follows:
CVE-2021-2200
CVE-2021-2205
Oracle Virtualization multiple vulnerabilities:
This CPU contains 24 security patches for Oracle Virtualization. Five of these vulnerabilities may be remotely exploitable without requiring user credentials. The CVE IDs of high-risk vulnerabilities are listed as follows:
CVE-2021-2177
CVE-2021-2221
CVE-2021-2248
Oracle Fusion Middleware multiple vulnerabilities:
This CPU contains 45 security patches for Oracle Fusion Middleware. 36 of these vulnerabilities may be remotely exploitable without requiring user credentials. The CVE IDs of high-risk vulnerabilities are listed as follows:
CVE-2020-9480
CVE-2020-10683
CVE-2021-2302
CVE-2020-11612
CVE-2021-2136
CVE-2021-2135
Oracle Retail Applications multiple vulnerabilities:
This CPU contains 35 security patches for Oracle Retail Applications. 31 of these vulnerabilities may be remotely exploitable without requiring user credentials. The CVE IDs of high-risk vulnerabilities are listed as follows:
CVE-2019-0228
CVE-2020-10683
The Oracle April 2021 Critical Patch Update is summarized as follows (the CVSS column gives the highest base score among the patched vulnerabilities for that product family):

| Product | Number of Vulnerabilities | Remotely Exploitable Without Authentication | Highest CVSS Base Score |
| --- | --- | --- | --- |
| Oracle Database Products Risk Matrices | 10 | 4 | 7.5 |
| Oracle Database Server | 10 | 4 | 7.5 |
| Oracle Global Lifecycle Management | 1 | 1 | 6.5 |
| Oracle NoSQL Database | 4 | 3 | 7.5 |
| Oracle REST Data Services | 1 | 1 | 5.3 |
| Oracle Spatial Studio | 2 | 1 | 5.3 |
| Oracle SQL Developer | 1 | 1 | 7.5 |
| Oracle Commerce | 4 | 4 | 7.5 |
| Oracle Communications Applications | 13 | 12 | 9.8 |
| Oracle Communications | 22 | 9 | 9.8 |
| Oracle Construction and Engineering | 8 | 6 | 9.8 |
| Oracle E-Business Suite | 70 | 22 | 9.1 |
| Oracle Enterprise Manager | 9 | 8 | 9.8 |
| Oracle Financial Services Applications | 15 | 10 | 9.8 |
| Oracle Food and Beverage Applications | 2 | 1 | 7.5 |
| Oracle Fusion Middleware | 45 | 36 | 9.8 |
| Oracle Health Sciences Applications | 3 | 3 | 9.1 |
| Oracle Hospitality Applications | 6 | 4 | 9.8 |
| Oracle Hyperion | 2 | 1 | 9.6 |
| Oracle iLearning | 1 | 0 | 5.5 |
| Oracle Insurance Applications | 1 | 1 | 7.3 |
| Oracle Java SE | 4 | 4 | 7.5 |
| Oracle JD Edwards | 10 | 10 | 9.8 |
| Oracle MySQL | 49 | 10 | 9.8 |
| Oracle PeopleSoft | 18 | 13 | 8.3 |
| Oracle Retail Applications | 35 | 31 | 9.8 |
| Oracle Siebel CRM | 8 | 7 | 8.1 |
| Oracle Storage Gateway | 6 | 2 | 10 |
| Oracle Supply Chain | 5 | 5 | 9.8 |
| Oracle Support Tools | 1 | 0 | 4.9 |
| Oracle Systems | 5 | 1 | 10 |
| Oracle Utilities Applications | 5 | 5 | 9.8 |
| Oracle Virtualization | 24 | 5 | 10 |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.