Oracle January 2021 Critical Patch Update for All Product Families

January 24, 2021 | Mina Hao

Overview

On January 20, 2021, NSFOCUS detected that Oracle released the January 2021 Critical Patch Update (CPU), which fixed 329 vulnerabilities of varying risk levels. This CPU involves multiple commonly used products, such as Oracle WebLogic Server, Oracle Database Server, Oracle Java SE, Oracle Fusion Middleware, Oracle MySQL, Oracle Enterprise Manager, and Oracle Systems. Oracle strongly recommends users fix these vulnerabilities by applying Critical Patch Update patches as soon as possible.

Reference link:

https://www.oracle.com/security-alerts/cpujan2021.html

Description of Critical Vulnerabilities

Based on product popularity and vulnerability severity, we have selected the vulnerabilities from this update with the greatest impact on affected users.

Oracle WebLogic Server multiple severe vulnerabilities:

This CPU fixes multiple deserialization vulnerabilities in WebLogic Server and in the Coherence component bundled with it. Most of them allow an unauthenticated attacker with network access to send maliciously crafted requests over HTTP, IIOP or T3 and execute arbitrary code on the Oracle WebLogic Server host. The exception is CVE-2021-2109, the only one of the set whose technical details have been publicly disclosed: according to Oracle's advisory it is exploited over HTTP by a highly privileged, authenticated user (CVSS 7.2) rather than by an unauthenticated one. Until the patch is applied, T3 and IIOP listeners should only be reachable from trusted hosts. The CVE IDs of these vulnerabilities are listed as follows:

CVE-2021-1994

CVE-2021-2047

CVE-2021-2064

CVE-2021-2108

CVE-2021-2075

CVE-2020-14756

CVE-2021-2109 (Details disclosed)
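Because the WebLogic vulnerabilities above are reachable over T3, the first practical check is to find which hosts expose a T3 listener and which WebLogic release it reports. The following is an added example, not code from the NSFOCUS advisory or from Oracle: it sends the minimal T3 handshake (the same probe nmap's weblogic-t3-info script uses; this is an assumption about the protocol, not something the advisory states), parses the HELO reply, and compares the reported release with the WebLogic versions listed in the appendix of this advisory. The sample response, the host/port defaults and the function names are constructed for illustration.

```python
"""Added example: locate T3 listeners and compare the reported WebLogic release
with the versions the January 2021 CPU lists as affected."""
import re
import socket
from typing import Optional

# WebLogic versions listed in the appendix of the advisory as affected.
AFFECTED_WEBLOGIC_VERSIONS = {
    "10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0",
}

# Minimal T3 handshake (assumption: the probe used by nmap's weblogic-t3-info).
# A T3 listener answers with a "HELO:<version>.<secure>" line plus header lines.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

HELO_RE = re.compile(rb"HELO:(?P<version>\d+(?:\.\d+)+)\.(?P<secure>true|false)")


def parse_t3_helo(response: bytes) -> Optional[dict]:
    """Parse a raw T3 HELO reply.

    Returns {'version': str, 'secure': bool, 'headers': {name: value}} when the
    reply is a T3 HELO, or None when the port spoke something else (HTTP, TLS...).
    """
    m = HELO_RE.search(response)
    if not m:
        return None
    headers = {}
    for line in response.split(b"\n"):
        if b":" in line and not line.startswith(b"HELO:"):
            key, _, value = line.partition(b":")
            headers[key.decode(errors="replace")] = value.decode(errors="replace").strip()
    return {
        "version": m.group("version").decode(),
        "secure": m.group("secure") == b"true",
        "headers": headers,
    }


def is_affected(version: str) -> bool:
    """True when the reported release is one the CPU lists as affected.

    Oracle lists five-part versions; a shorter report such as '12.2.1.3' is
    matched on its prefix, which errs on the side of flagging the host.
    """
    return any(v == version or v.startswith(version + ".")
               for v in AFFECTED_WEBLOGIC_VERSIONS)


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> bytes:
    """Send the handshake and return the raw reply (live network call; the
    offline checks below use the constructed sample instead)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(T3_HELLO)
        return sock.recv(4096)


def assess(response: bytes) -> str:
    """One-line verdict for a raw reply, suitable for a scan report."""
    info = parse_t3_helo(response)
    if info is None:
        return "no T3 listener (or non-T3 response)"
    status = "AFFECTED" if is_affected(info["version"]) else "not in affected list"
    return f"WebLogic {info['version']} over T3: {status}"


# Constructed sample reply (not captured from a real server) for a 12.2.1.3.0 listener.
SAMPLE_RESPONSE = b"HELO:12.2.1.3.0.false\nAS:2048\nHL:19\nMS:10000000\nPN:DOMAIN\n\n"

if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
```

Two caveats. The HELO banner reports the WebLogic release, not the patch level, so a 12.2.1.3.0 server that already has the January 2021 CPU applied reports exactly the same string as one that does not; treat a match as "take this host to opatch lsinventory and the patch readme", not as proof of exposure. And this probe only finds T3 listeners: the HTTP-vector CVEs in the list above need no T3 access at all, so the absence of T3 is not a reason to defer patching.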

Oracle Communications multiple severe vulnerabilities:

This CPU contains 12 security patches for Oracle Communications. Seven of these vulnerabilities may be remotely exploitable without requiring user credentials. Representative CVE IDs (both in third-party components bundled with the products) are listed as follows:

CVE-2019-7164

CVE-2020-24750

Oracle E-Business Suite multiple severe vulnerabilities:

This CPU contains 31 security patches for Oracle E-Business Suite. 29 of these vulnerabilities may be remotely exploitable without requiring user credentials. Representative CVE IDs are listed as follows:

CVE-2021-2029

CVE-2021-2100

CVE-2021-2101

Oracle Enterprise Manager multiple severe vulnerabilities:

This CPU contains eight security patches for Oracle Enterprise Manager. All of these vulnerabilities may be remotely exploitable without requiring user credentials. Representative CVE IDs (all in third-party components bundled with the product) are listed as follows:

CVE-2019-13990

CVE-2020-11973

CVE-2016-1000031

CVE-2020-11984

CVE-2020-10683

Oracle Financial Services Applications multiple severe vulnerabilities:

This CPU contains 50 security patches for Oracle Financial Services Applications. 41 of these vulnerabilities may be remotely exploitable without requiring user credentials. Representative CVE IDs (all in third-party components bundled with the products) are listed as follows:

CVE-2020-11612

CVE-2019-10744

CVE-2020-8174

CVE-2019-3773

CVE-2019-0230

CVE-2020-1945

Oracle Retail Applications multiple severe vulnerabilities:

This CPU contains 32 security patches for Oracle Retail Applications. 20 of these vulnerabilities may be remotely exploitable without requiring user credentials. Representative CVE IDs (all in third-party components bundled with the products) are listed as follows:

CVE-2020-10683

CVE-2020-9546

CVE-2020-1945

CVE-2020-5421

CVE-2017-8028

Oracle Database Server multiple severe vulnerabilities (CVE-2021-2035, CVE-2021-2018):

This CPU contains eight security patches for Oracle Database Server. One of these vulnerabilities may be remotely exploitable without requiring user credentials. The remaining seven, including CVE-2021-2035, require an authenticated database session, so they mainly matter where untrusted users already hold database accounts.

Oracle January 2021 Critical Patch Update is summarized as follows:

Product | Number of vulnerabilities | Remotely exploitable without authentication | Highest CVSS base score
Oracle Database Server | 8 | 1 | 8.8
Oracle Communications Applications | 8 | 6 | 8.1
Oracle Communications | 12 | 7 | 9.8
Oracle Construction and Engineering | 7 | 5 | 9.8
Oracle E-Business Suite | 31 | 29 | 9.8
Oracle Enterprise Manager | 8 | 8 | 9.8
Oracle Financial Services Applications | 50 | 41 | 9.8
Oracle Food and Beverage Applications | 2 | 1 | 9.8
Oracle Fusion Middleware | 60 | 47 | 9.8
Oracle GraalVM | 2 | 2 | 7.5
Oracle Health Sciences Applications | 5 | 3 | 9.8
Oracle Hyperion | 7 | 5 | 9.8
Oracle Insurance Applications | 3 | 1 | 6.5
Oracle Java SE | 1 | 1 | 5.3
Oracle JD Edwards | 5 | 5 | 7.5
Oracle MySQL | 43 | 5 | 7.5
Oracle PeopleSoft | 8 | 6 | 8.4
Oracle Retail Applications | 32 | 20 | 9.8
Oracle Siebel CRM | 4 | 1 | 7.6
Oracle Supply Chain | 11 | 11 | 8.2
Oracle Systems | 4 | 3 | 9.8
Oracle Utilities Applications | 1 | 1 | 9.8
Oracle Virtualization | 17 | 0 | 8.2

Mitigation

Affected users should refer to "Appendix: Information about Affected Products and Patches" to download the relevant patches as soon as possible and apply them as described in each patch's readme file. Where a product ships third-party components (WebLogic, Jackson, Struts, Spring and similar), the Oracle patch is the supported fix; replacing the bundled library by hand is not.

Note: Official patches of Oracle can be downloaded only by those with a licensed account of the software. Such users can use that account to log in to https://support.oracle.com to obtain the latest patches.

Appendix: Information about Affected Products and Patches

Affected Products and Versions | Patches
Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Enterprise Manager Base Platform, versions 13.2.1.0, 13.3.0.0, 13.4.0.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Enterprise Manager for Fusion Applications, version 13.3.0.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Enterprise Manager Ops Center, version 12.4.0.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Hyperion Financial Reporting, version 11.1.2.4 | https://support.oracle.com/rs?type=doc&id=2725756.1
Hyperion Infrastructure Technology, version 11.1.2.4 | https://support.oracle.com/rs?type=doc&id=2725756.1
Instantis EnterpriseTrack, versions 17.1-17.3 | https://support.oracle.com/rs?type=doc&id=2735245.1
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.5.1 | https://support.oracle.com/rs?type=doc&id=2739390.1
JD Edwards EnterpriseOne Tools, versions prior to 9.2.5.0 | https://support.oracle.com/rs?type=doc&id=2739390.1
MySQL Client, versions 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior | https://support.oracle.com/rs?type=doc&id=2739278.1
MySQL Enterprise Monitor, versions 8.0.22 and prior | https://support.oracle.com/rs?type=doc&id=2739278.1
MySQL Server, versions 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior | https://support.oracle.com/rs?type=doc&id=2739278.1
MySQL Workbench, versions 8.0.22 and prior | https://support.oracle.com/rs?type=doc&id=2739278.1
Oracle Adaptive Access Manager, version 11.1.2.3.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Agile Engineering Data Management, version 6.2.1.0 | https://support.oracle.com/rs?type=doc&id=2739390.1
Oracle Agile PLM, versions 9.3.5, 9.3.6 | https://support.oracle.com/rs?type=doc&id=2739390.1
Oracle Agile Product Lifecycle Management for Process, version 6.1 | https://support.oracle.com/rs?type=doc&id=2739390.1
Oracle Application Express Opportunity Tracker, versions prior to 20.2 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Application Express Survey Builder, versions prior to 20.2 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Application Testing Suite, version 13.3.0.1 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Argus Safety, version 8.2.2 | https://support.oracle.com/rs?type=doc&id=2732449.1
Oracle BAM (Business Activity Monitoring), versions 11.1.1.9.0, 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Banking Corporate Lending Process Management, versions 14.1.0, 14.3.0, 14.4.0 | https://support.oracle.com
Oracle Banking Credit Facilities Process Management, versions 14.1.0, 14.3.0, 14.4.0 | https://support.oracle.com
Oracle Banking Extensibility Workbench, versions 14.3.0, 14.4.0 | https://support.oracle.com
Oracle Banking Liquidity Management, versions 14.0.0-14.4.0 | https://support.oracle.com
Oracle Banking Payments, version 14.4.0 | https://support.oracle.com
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0, 2.9.0 | https://support.oracle.com/rs?type=doc&id=2735867.1
Oracle Banking Supply Chain Finance, versions 14.2.0-14.4.0 | https://support.oracle.com
Oracle Banking Trade Finance Process Management, versions 14.1.0, 14.3.0, 14.4.0 | https://support.oracle.com
Oracle Banking Virtual Account Management, versions 14.1.0, 14.3.0, 14.4.0 | https://support.oracle.com
Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Communications Application Session Controller, version 3.9m0p2 | https://support.oracle.com/rs?type=doc&id=2737802.1
Oracle Communications ASAP, version 7.3 | https://support.oracle.com/rs?type=doc&id=2738918.1
Oracle Communications BRM – Elastic Charging Engine, versions 11.3.0.9, 12.0.0.3 | https://support.oracle.com/rs?type=doc&id=2738919.1
Oracle Communications Calendar Server, version 8.0.0.4.0 | https://support.oracle.com/rs?type=doc&id=2738920.1
Oracle Communications Contacts Server, version 8.0.0.5.0 | https://support.oracle.com/rs?type=doc&id=2738930.1
Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0-8.2.2 | https://support.oracle.com/rs?type=doc&id=2737803.1
Oracle Communications Element Manager, versions 8.2.1.0-8.2.2.1 | https://support.oracle.com/rs?type=doc&id=2737804.1
Oracle Communications MetaSolv Solution, versions 6.3.0-6.3.1 | https://support.oracle.com/rs?type=doc&id=2738931.1
Oracle Communications Network Charging and Control, versions 6.0.1, 12.0.2 | https://support.oracle.com/rs?type=doc&id=2738942.1
Oracle Communications Operations Monitor, versions 3.4, 4.1, 4.2, 4.3 | https://support.oracle.com/rs?type=doc&id=2737809.1
Oracle Communications Performance Intelligence Center (PIC) Software, version 10.4.0.2 | https://support.oracle.com/rs?type=doc&id=2737806.1
Oracle Communications Session Report Manager, versions 8.2.1.0-8.2.2.1 | https://support.oracle.com/rs?type=doc&id=2737808.1
Oracle Complex Maintenance, Repair, and Overhaul, versions 11.5.10, 12.1, 12.2 | https://support.oracle.com/rs?type=doc&id=2739390.1
Oracle Configurator, versions 12.1, 12.2 | https://support.oracle.com/rs?type=doc&id=2739390.1
Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 18c, 19c | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10 | https://support.oracle.com/rs?type=doc&id=2737201.1
Oracle Endeca Information Discovery Integrator, version 3.2.0.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Enterprise Communications Broker, versions 3.1, 3.2 | https://support.oracle.com/rs?type=doc&id=2739372.1
Oracle Enterprise Data Quality, versions 11.1.1.9.0, 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Enterprise Repository, version 11.1.1.7.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0 | https://support.oracle.com/rs?type=doc&id=2735798.1
Oracle Financial Services Asset Liability Management, versions 8.0.7, 8.1.0 | https://support.oracle.com/rs?type=doc&id=2735839.1
Oracle Financial Services Data Integration Hub, versions 8.0.3, 8.0.6 | https://support.oracle.com/rs?type=doc&id=2735863.1
Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7, 8.1.0 | https://support.oracle.com/rs?type=doc&id=2735805.1
Oracle Financial Services Market Risk Measurement and Management, version 8.0.6 | https://support.oracle.com/rs?type=doc&id=2735816.1
Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7, 8.1.0 | https://support.oracle.com/rs?type=doc&id=2735805.1
Oracle Financial Services Revenue Management and Billing, versions 2.9.0.0, 2.9.0.1 | https://support.oracle.com/rs?type=doc&id=2741359.1
Oracle FLEXCUBE Core Banking, versions 11.5.0-11.9.0 | https://support.oracle.com
Oracle FLEXCUBE Universal Banking, version 14.4.0 | https://support.oracle.com
Oracle Fusion Middleware MapViewer, version 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Global Lifecycle Management OPatch | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Global Lifecycle Manager | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle GoldenGate Application Adapters, version 19.1.0.0.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle GraalVM Enterprise Edition, versions 19.3.4, 20.3.0 | https://support.oracle.com/rs?type=doc&id=2734817.1
Oracle Health Sciences Information Manager, version 3.0.1 | https://support.oracle.com/rs?type=doc&id=2732449.1
Oracle Healthcare Master Person Index, version 4.0.2.5 | https://support.oracle.com/rs?type=doc&id=2732449.1
Oracle Hospitality Reporting and Analytics, version 9.1.0 | https://support.oracle.com/rs?type=doc&id=2731930.1
Oracle Hospitality Simphony, versions 18.2.7.2, 19.1.3 | https://support.oracle.com/rs?type=doc&id=2731524.1
Oracle Insurance Allocation Manager for Enterprise Profitability, version 8.1.0 | https://support.oracle.com/rs?type=doc&id=2735806.1
Oracle Insurance Insbridge Rating and Underwriting, versions 5.0.0.20, 5.1.1.3 | https://support.oracle.com/rs?type=doc&id=2735138.1
Oracle Insurance Policy Administration, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0 | https://support.oracle.com/rs?type=doc&id=2735138.1
Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0 | https://support.oracle.com/rs?type=doc&id=2735138.1
Oracle Java SE, versions 7u281, 8u271 | https://support.oracle.com/rs?type=doc&id=2736202.1
Oracle Java SE Embedded, version 8u271 | https://support.oracle.com/rs?type=doc&id=2736202.1
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Outside In Technology, versions 8.5.4, 8.5.5 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Real-Time Decision Server, version 3.2.1.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Retail Assortment Planning, version 16.0.3 | https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Bulk Data Integration, versions 15.0.3, 16.0.3 | https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0, 19.0 | https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Extract Transform and Load, versions 13.2.5, 13.2.8 | https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Financial Integration, versions 14.1.3, 15.0.3, 16.0.3 | https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Integration Bus, versions 14.1.3, 15.0.3, 16.0.3 | https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Invoice Matching, versions 13.2, 14.0, 14.1 | https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Merchandising System, version 15.0 | https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Order Broker, versions 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Order Broker Cloud Service, version 15.0 | https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Sales Audit, version 14.1 | https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Service Backbone, versions 14.1.3, 15.0.3, 16.0.3 | https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Store Inventory Management, versions 14.0.4.0, 14.1.3.0, 14.1.3.9, 15.0.3.0, 16.0.3.0 | https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle SD-WAN Edge, version 9.0 | https://support.oracle.com/rs?type=doc&id=2739078.1
Oracle Secure Backup | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Transportation Management, version 1.4.3 | https://support.oracle.com/rs?type=doc&id=2739390.1
Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | https://support.oracle.com/rs?type=doc&id=2736041.1
Oracle VM VirtualBox, versions prior to 6.1.18 | https://support.oracle.com/rs?type=doc&id=2739282.1
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle ZFS Storage Appliance Kit, version 8.8 | https://support.oracle.com/rs?type=doc&id=2740997.1
PeopleSoft Enterprise FIN Payables, version 9.2 | https://support.oracle.com/rs?type=doc&id=2739390.1
PeopleSoft Enterprise HCM Human Resources, version 9.2 | https://support.oracle.com/rs?type=doc&id=2739390.1
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58 | https://support.oracle.com/rs?type=doc&id=2739390.1
Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.9, 18.8.0-18.8.10, 19.12.0-19.12.10 | https://support.oracle.com/rs?type=doc&id=2735245.1
Primavera P6 Enterprise Project Portfolio Management, versions 16.1.0-16.2.20, 17.1.0-17.12.19, 18.1.0-18.8.21, 19.12.0-19.12.10 | https://support.oracle.com/rs?type=doc&id=2735245.1
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12 | https://support.oracle.com/rs?type=doc&id=2735245.1
Siebel Applications, versions 20.12 and prior | https://support.oracle.com/rs?type=doc&id=2739390.1
StorageTek Tape Analytics SW Tool, version 2.3.1 | https://support.oracle.com/rs?type=doc&id=2740997.1

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.