Oracle October Critical Patch Update for All Product Families

November 16, 2021 | Jie Ji

Overview

On October 20, 2021, NSFOCUS detected that Oracle released the October Critical Patch Update (CPU), which fixed 419 vulnerabilities of varying risk levels. The update involves multiple commonly used products, such as Oracle MySQL, Oracle WebLogic Server, Oracle Java SE, Oracle Fusion Middleware and Oracle Retail Applications. Oracle strongly recommends that users fix these vulnerabilities by applying Critical Patch Update patches as soon as possible.

Reference link: https://www.oracle.com/security-alerts/cpuoct2021.html

Description of Major Vulnerabilities

Based on the product popularity and vulnerability importance, we present high-impact vulnerabilities covered in the updates, and affected users are advised to focus on:

Oracle MySQL multiple vulnerabilities:

This CPU contains 66 security patches for Oracle MySQL. Ten of these vulnerabilities may be remotely exploitable without requiring user authentication, that is, they can be exploited via the network without user credentials. The CVE IDs of these vulnerabilities are listed as follows:

CVE-2021-22931

CVE-2021-3711

CVE-2021-3518

CVE-2021-22926

CVE-2021-36222

CVE-2021-35583

CVE-2021-3712

CVE-2021-33037

CVE-2021-29425

CVE-2021-35613

Oracle Financial Services Applications multiple vulnerabilities:

This security update contains 44 security patches for Oracle Financial Services Applications. Twenty-six of these vulnerabilities may be remotely exploitable without requiring user authentication. The CVE IDs of high-risk vulnerabilities are listed as follows:

CVE-2020-5413

CVE-2020-10683

CVE-2021-21345

Oracle Insurance Applications multiple vulnerabilities:

This CPU contains 16 security patches for Oracle Insurance Applications. Eleven of these vulnerabilities may be remotely exploitable without requiring user authentication. Attackers with HTTP access to the network can control the components in the products and have the full access to critical data by sending malicious requests. The CVE IDs of these serious vulnerabilities are listed as follows:

CVE-2016-1000031

CVE-2019-13990

CVE-2020-10683

CVE-2019-17195

Oracle Communications multiple vulnerabilities:

This CPU contains 71 security patches for Oracle Communications. Fifty-six of these vulnerabilities may be remotely exploitable without requiring user authentication. The CVE IDs of high-risk vulnerabilities are listed as follows:

CVE-2021-21345

CVE-2021-21783

CVE-2017-9841

CVE-2021-21783

CVE-2021-11998

CVE-2021-17530

CVE-2021-23017

Oracle Fusion Middleware multiple vulnerabilities:

This CPU contains 38 security patches for Oracle Fusion Middleware. Thirty of these vulnerabilities may be remotely exploitable without requiring user authentication. The CVE IDs of high-risk vulnerabilities are listed as follows:

CVE-2019-13990

CVE-2018-8088

CVE-2021-35617

Oracle Retail Applications multiple vulnerabilities:

This update contains 26 security patches for Oracle Retail Applications. Nine of these vulnerabilities may be remotely exploitable without requiring user authentication. The CVE IDs of high-risk vulnerabilities are listed as follows:

CVE-2021-2351

Oracle October Critical Patch Update is summarized as follows:

Product	Number of Vulnerabilities	Number of Remote Exploits Without Authentication	Highest CVSS Score
Oracle Database Products Risk Matrices	9	2	8.2
Oracle Database Server	9	2	8.2
Oracle Essbase	5	3	10
Oracle GoldenGate	1	1	6.5
Oracle Graph Server and Client	1	1	7.5
Oracle REST Data Services	1	1	7.5
Oracle Secure Backup	1	1	7.4
Oracle Commerce	2	0	5.4
Oracle Communications Applications	19	14	9.8
Oracle Communications	71	56	9.9
Oracle Construction and Engineering	12	7	9.8
Oracle E-Business Suite	18	4	8.1
Oracle Enterprise Manager	8	5	9.8
Oracle Financial Services Applications	44	26	9.9
Oracle Fusion Middleware	38	30	9.8
Oracle Health Sciences Applications	6	3	9.8
Oracle Hospitality Applications	1	1	6.1
Oracle Hyperion	6	5	6.1
Oracle Insurance Applications	16	11	9.8
Oracle Java SE	15	13	8.6
Oracle JD Edwards	11	8	7.5
Oracle MySQL	66	10	9.8
Oracle PeopleSoft	17	8	9.1
Oracle Retail Applications	26	9	8.3
Oracle Siebel CRM	6	5	7.5
Oracle Supply Chain	5	3	7.5
Oracle Systems	5	2	9.8
Oracle Utilities Applications	1	0	5.5
Oracle Virtualization	8	1	7.8

Mitigation

Affected users should refer to the Appendix “Information about Affected Products and Patches” to download related patches as soon as possible and apply them as indicated in the readme file to ensure long-term effective protection. Note: Official patches of Oracle can be downloaded only by those with a licensed account of the software. Such users can use that account to log in to https://support.oracle.com to obtain the latest patch.

Appendix: Information about Affected Products and Patches

Affected Products and Versions	Patches
Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Enterprise Manager for Oracle Database, version 13.4.0.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Enterprise Manager Ops Center, version 12.4.0.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Essbase Administration Services, versions prior to 11.1.2.4.46	https://support.oracle.com/rs?type=doc&id=2796575.1
Hyperion Financial Management, versions 11.1.2.4, 11.2.6.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Hyperion Financial Reporting, versions 11.1.2.4, 11.2.6.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Hyperion Infrastructure Technology, version 11.2.6.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Hyperion Planning, versions 11.1.2.4, 11.2.6.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3	https://support.oracle.com/rs?type=doc&id=2809438.1
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.6.0	https://support.oracle.com/rs?type=doc&id=2810363.1
JD Edwards EnterpriseOne Tools, versions prior to 9.2.6.0	https://support.oracle.com/rs?type=doc&id=2810363.1
JD Edwards World Security, version A9.4	https://support.oracle.com/rs?type=doc&id=2810363.1
MySQL Client, versions 8.0.26 and prior	https://support.oracle.com/rs?type=doc&id=2809354.1
MySQL Cluster, versions 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior, 8.0.26 and prior	https://support.oracle.com/rs?type=doc&id=2809354.1
MySQL Connectors, versions 8.0.26 and prior	https://support.oracle.com/rs?type=doc&id=2809354.1
MySQL Enterprise Monitor, versions 8.0.25 and prior	https://support.oracle.com/rs?type=doc&id=2809354.1
MySQL Server, versions 5.7.35 and prior, 8.0.26 and prior	https://support.oracle.com/rs?type=doc&id=2809354.1
MySQL Workbench, versions 8.0.26 and prior	https://support.oracle.com/rs?type=doc&id=2809354.1
Oracle Agile PLM, versions 9.3.3, 9.3.6	https://support.oracle.com/rs?type=doc&id=2810378.1
Oracle Application Express, versions prior to 21.1.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Application Testing Suite, version 13.3.0.1	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2	https://support.oracle.com/rs?type=doc&id=2810378.1
Oracle Banking Cash Management, versions 14.2, 14.3, 14.5	https://support.oracle.com/
Oracle Banking Corporate Lending Process Management, versions 14.2, 14.3, 14.5	https://support.oracle.com/
Oracle Banking Credit Facilities Process Management, versions 14.2, 14.3, 14.5	https://support.oracle.com/
Oracle Banking Enterprise Default Management, versions 2.10.0, 2.12.0	https://support.oracle.com/rs?type=doc&id=2808888.1
Oracle Banking Extensibility Workbench, versions 14.2, 14.3, 14.5	https://support.oracle.com/
Oracle Banking Platform, versions 2.6.2, 2.7.1, 2.9.0, 2.12.0	https://support.oracle.com/rs?type=doc&id=2808888.1
Oracle Banking Supply Chain Finance, versions 14.2, 14.3, 14.5	https://support.oracle.com/
Oracle Banking Trade Finance Process Management, versions 14.2, 14.3, 14.5	https://support.oracle.com/
Oracle Banking Virtual Account Management, versions 14.2, 14.3, 14.5	https://support.oracle.com/
Oracle Business Activity Monitoring, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Commerce Guided Search, version 11.3.2	https://support.oracle.com/rs?type=doc&id=2811064.1
Oracle Commerce Merchandising, version 11.3.2	https://support.oracle.com/rs?type=doc&id=2811064.1
Oracle Communications Application Session Controller, version 3.9	https://support.oracle.com/rs?type=doc&id=2815518.1
Oracle Communications Billing and Revenue Management, versions 7.5.0.0.0, 12.0.0.3.0	https://support.oracle.com/rs?type=doc&id=2808815.1
Oracle Communications BRM – Elastic Charging Engine, version 12.0.0.3	https://support.oracle.com/rs?type=doc&id=2808815.1
Oracle Communications Calendar Server, version 8.0.0.6.0	https://support.oracle.com/rs?type=doc&id=2808816.1
Oracle Communications Cloud Native Core Network Repository Function, version 1.14.0	https://support.oracle.com/rs?type=doc&id=2809116.1
Oracle Communications Cloud Native Core Policy, version 1.11.0	https://support.oracle.com/rs?type=doc&id=2809114.1
Oracle Communications Control Plane Monitor, versions 3.4, 4.2, 4.3, 4.4	https://support.oracle.com/rs?type=doc&id=2809423.1
Oracle Communications Converged Application Server – Service Controller, version 6.2	https://support.oracle.com/rs?type=doc&id=2809113.1
Oracle Communications Design Studio, version 7.4.2	https://support.oracle.com/rs?type=doc&id=2808817.1
Oracle Communications Diameter Signaling Router, versions 8.0.0.0-8.5.0.0	https://support.oracle.com/rs?type=doc&id=2809085.1
Oracle Communications EAGLE	https://support.oracle.com/rs?type=doc&id=2809087.1
Oracle Communications EAGLE FTP Table Base Retrieval, version 4.5	https://support.oracle.com/rs?type=doc&id=2809115.1
Oracle Communications EAGLE LNP Application Processor, versions 46.7, 46.8, 46.9	https://support.oracle.com/rs?type=doc&id=2809093.1
Oracle Communications Element Manager, versions 8.2.0.0-8.2.4.0	https://support.oracle.com/rs?type=doc&id=2809094.1
Oracle Communications Fraud Monitor, versions 3.4-4.4	https://support.oracle.com/rs?type=doc&id=2809422.1
Oracle Communications Interactive Session Recorder, version 6.4	https://support.oracle.com/rs?type=doc&id=2809118.1
Oracle Communications LSMS, versions 13.1-13.4	https://support.oracle.com/rs?type=doc&id=2809119.1
Oracle Communications Messaging Server, version 8.1	https://support.oracle.com/rs?type=doc&id=2808816.1
Oracle Communications MetaSolv Solution, version 6.3.1	https://support.oracle.com/rs?type=doc&id=2808878.1
Oracle Communications Offline Mediation Controller, version 12.0.0.3.0	https://support.oracle.com/rs?type=doc&id=2808879.1
Oracle Communications Operations Monitor, versions 3.4, 4.2, 4.3, 4.4	https://support.oracle.com/rs?type=doc&id=2809120.1
Oracle Communications Policy Management, version 12.5.0	https://support.oracle.com/rs?type=doc&id=2809110.1
Oracle Communications Pricing Design Center, version 12.0.0.3.0	https://support.oracle.com/rs?type=doc&id=2808815.1
Oracle Communications Services Gatekeeper, version 7.0	https://support.oracle.com/rs?type=doc&id=2809111.1
Oracle Communications Session Border Controller, versions 8.4, 9.0	https://support.oracle.com/rs?type=doc&id=2809267.1
Oracle Communications Session Report Manager, versions 8.0.0.0-8.2.5.0	https://support.oracle.com/rs?type=doc&id=2811990.1
Oracle Communications Session Route Manager, versions 8.0.0.0-8.2.5.0	https://support.oracle.com/rs?type=doc&id=2812072.1
Oracle Data Integrator, version 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 19c, 21c	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Documaker, versions 12.6.0-12.6.4	https://support.oracle.com/rs?type=doc&id=2809145.1
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10	https://support.oracle.com/rs?type=doc&id=2484000.1
Oracle Enterprise Communications Broker, versions 3.2, 3.3	https://support.oracle.com/rs?type=doc&id=2809298.1
Oracle Enterprise Repository, version 11.1.1.7.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Enterprise Telephony Fraud Monitor, versions 3.4, 4.2, 4.3, 4.4	https://support.oracle.com/rs?type=doc&id=2810340.1
Oracle Ethernet Switch ES2-64, Oracle Ethernet Switch ES2-72, version 2.0.0.14	https://support.oracle.com/rs?type=doc&id=2809232.1
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.1	https://support.oracle.com/rs?type=doc&id=2809214.1
Oracle Financial Services Enterprise Case Management, versions 8.0.7.2.0, 8.0.8.1.0	https://support.oracle.com/
Oracle Financial Services Model Management and Governance, versions 8.0.8.0.0-8.1.0.0.0	https://support.oracle.com/rs?type=doc&id=2814201.1
Oracle FLEXCUBE Core Banking, versions 11.7, 11.8, 11.9, 11.10	https://support.oracle.com/
Oracle Global Lifecycle Management OPatch	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle GoldenGate, versions prior to 19.1.0.0.0.210420	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle GoldenGate Application Adapters, version 19.1.0.0.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle GraalVM Enterprise Edition, versions 20.3.3, 21.2.0	https://support.oracle.com/rs?type=doc&id=2810386.1
Oracle Graph Server and Client, versions prior to 21.3.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Health Sciences Central Coding, versions 6.2.0, 6.3.0	https://support.oracle.com/rs?type=doc&id=2806298.1
Oracle Health Sciences InForm, version 6.3.0	https://support.oracle.com/rs?type=doc&id=2806298.1
Oracle Healthcare Data Repository, versions 7.0.2, 8.1.0	https://support.oracle.com/rs?type=doc&id=2806298.1
Oracle Healthcare Foundation, versions 7.3, 8.0, 8.1	https://support.oracle.com/rs?type=doc&id=2806298.1
Oracle Hospitality Cruise Shipboard Property Management System, version 20.1.0	https://support.oracle.com/rs?type=doc&id=2806436.1
Oracle HTTP Server, versions 11.1.1.9.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Insurance Calculation Engine, versions 11.0.0-11.3.1	https://support.oracle.com/rs?type=doc&id=2809145.1
Oracle Insurance Policy Administration, versions 11.0.0-11.3.1	https://support.oracle.com/rs?type=doc&id=2809145.1
Oracle Java SE, versions 7u311, 8u301, 11.0.12, 17	https://support.oracle.com/rs?type=doc&id=2810386.1
Oracle NoSQL Database	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Outside In Technology, version 8.5.5	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Real User Experience Insight, versions 13.4.1.0, 13.5.1.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Real-Time Decision Server, versions 3.2.0.0, 11.1.1.9.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle REST Data Services, versions prior to 21.3	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Retail Advanced Inventory Planning, versions 14.1, 15.0, 16.0	https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Assortment Planning, version 16.0	https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Back Office, versions 14.0, 14.1	https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Bulk Data Integration, versions 16.0.3, 19.0.1	https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Central Office, versions 14.0, 14.1	https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0-19.0	https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Extract Transform and Load, version 13.2.8	https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.4.0, 16.0.3.0	https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.4.0, 16.0.3.0, 19.0.1.0	https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Merchandising System, versions 15.0.3, 19.0.1	https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Point-of-Service, versions 14.0, 14.1	https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Predictive Application Server, versions 14.1.3, 15.0.3, 16.0.3	https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Returns Management, versions 14.0, 14.1	https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.4.0, 16.0.3.0, 19.0.1.0	https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Store Inventory Management, versions 14.1, 15.0, 16.0	https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Secure Backup, versions prior to 18.1.0.1.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Secure Global Desktop, version 5.6	https://support.oracle.com/rs?type=doc&id=2810981.1
Oracle Solaris, version 11	https://support.oracle.com/rs?type=doc&id=2809232.1
Oracle Spatial Studio	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle SQL Developer	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Transportation Management, version 6.4.3	https://support.oracle.com/rs?type=doc&id=2810378.1
Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0	https://support.oracle.com/rs?type=doc&id=2809748.1
Oracle VM VirtualBox, versions prior to 6.1.28	https://support.oracle.com/rs?type=doc&id=2810981.1
Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle WebLogic Server Proxy Plug-In, versions 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle ZFS Storage Appliance Kit, version 8.8	https://support.oracle.com/rs?type=doc&id=2809232.1
PeopleSoft Enterprise CC Common Application Objects, version 9.2	https://support.oracle.com/rs?type=doc&id=2810361.1
PeopleSoft Enterprise CS Academic Advisement, version 9.2	https://support.oracle.com/rs?type=doc&id=2810361.1
PeopleSoft Enterprise CS Campus Community, versions 9.0, 9.2	https://support.oracle.com/rs?type=doc&id=2810361.1
PeopleSoft Enterprise CS SA Integration Pack, versions 9.0, 9.2	https://support.oracle.com/rs?type=doc&id=2810361.1
PeopleSoft Enterprise CS Student Records, version 9.2	https://support.oracle.com/rs?type=doc&id=2810361.1
PeopleSoft Enterprise PeopleTools, versions 8.57, 8.58, 8.59	https://support.oracle.com/rs?type=doc&id=2810361.1
PeopleSoft Enterprise SCM, version 9.2	https://support.oracle.com/rs?type=doc&id=2810361.1
Primavera Gateway, versions 17.12.0-17.12.11, 18.8.0-18.8.12, 19.12.0-19.12.11, 20.12.0-20.12.7	https://support.oracle.com/rs?type=doc&id=2809438.1
Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12	https://support.oracle.com/rs?type=doc&id=2809438.1
Siebel Applications, versions 21.9 and prior	https://support.oracle.com/rs?type=doc&id=2810362.1
Tekelec Platform Distribution, versions 7.4.0-7.7.1	https://support.oracle.com/rs?type=doc&id=2809117.1
Tekelec Virtual Operating Environment, versions 3.4.0-3.7.1	https://support.oracle.com/rs?type=doc&id=2809138.1

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.