Overview
On July 19, NSFOCUS CERT found that Oracle officially released the Critical Patch Update in July with 508 vulnerabilities included. This security update involved Oracle WebLogic Server, Oracle MySQL, Oracle Financial Services Applications, Oracle Enterprise Manager, Oracle Retail Applications and other commonly used products. Oracle strongly recommends its customers apply critical patches to update and fix vulnerabilities as soon as possible.
Reference link: https://www.oracle.com/security-alerts/cpujul2023.html
Key Vulnerabilities
Based on product popularity and vulnerability importance, we have identified vulnerabilities with significant impact in this update:
Oracle WebLogic Server Remote Code Execution Vulnerability (CVS 2023-26119):
Oracle WebLogic Server has a remote code execution vulnerability, which can be exploited by unauthenticated remote attackers, ultimately leading to the execution of arbitrary code on the target server. The CVSS score is 9.8.
Oracle WebLogic Server security feature bypass vulnerability (CVS 2023-22040):
There is a security feature bypass vulnerability in Oracle WebLogic Server, which allows remote attackers with high privileges to compromise the Oracle WebLogic server through multiple protocols. Successful exploitation of this vulnerability can lead to unauthorized creation, deletion, or modification of critical data, or access to all Oracle WebLogic Server data, while also potentially causing a denial of service.
Multiple vulnerabilities in Oracle MySQL:
This security update has released 24 security patches for Oracle MySQL, of which 11 vulnerabilities are exploited remotely without user authentication, meaning that no user credentials are required to exploit them over the network. The high-risk vulnerability numbers are as follows:
- CVE-2023-20862
- CVE-2022-37865
Multiple vulnerabilities in Oracle Financial Services Applications:
This security update has released 147 security patches for Oracle Financial Services Applications. 115 of these vulnerabilities can be exploited remotely without user authentication. The high-risk vulnerability numbers are as follows:
- CVE-2022-1471
- CVE-2022-46364
- CVE-2022-45047
- CVE-2022-31692
Multiple vulnerabilities in Oracle Insurance Applications:
This security update has released three security patches for Oracle Insurance Applications. Two of these vulnerabilities can be exploited remotely without user authentication. The high-risk vulnerability number is as follows:
- CVS 2023-1436
Multiple vulnerabilities in Oracle Communications:
This security update has released 77 security patches for Oracle Communications, of which 57 vulnerabilities can be remotely exploited without user authentication. The high-risk vulnerability numbers are as follows:
- CVE-2023-20862
- CVE-2022-37434
- CVE-2022-1471
- CVS 2023-20873
- CVE-2022-36944
Multiple vulnerabilities in Oracle Communications Applications:
This security update has released 40 security patches for Oracle Communications Applications. Thirty of these vulnerabilities can be exploited remotely without user authentication. The high-risk vulnerabilities are as follows:
- CVE-2022-1471
- CVE-2021-42575
- CVE-2022-46364
- CVE-2022-31692
- CVS 2023-20873
- CVE-2023-20862
- CVE-2020-35169
Multiple vulnerabilities in Oracle Enterprise Manager:
This security update has released 8 security patches for Oracle Enterprise Manager. Six of these vulnerabilities can be exploited remotely without user authentication. The high-risk vulnerability numbers are as follows:
- CVE-2022-23305
- CVE-2023-25690
Multiple vulnerabilities in Oracle Retail Applications:
This security update has released 11 security patches for Oracle Retail Applications. There are 8 vulnerabilities that can be remotely exploited without user authentication. The high-risk vulnerability number is as follows:
- CVE-2022-37434
Multiple vulnerabilities in Oracle Siebel CRM:
This security update has released 9 security patches for Oracle Siebel CRM. There are 9 vulnerabilities that can be remotely exploited without user authentication. The high-risk vulnerability number is as follows:
- CVE-2022-1471
Multiple vulnerabilities in Oracle Supply Chain:
This security update has released 13 security patches for Oracle Supply Chain. There are 11 vulnerabilities that can be remotely exploited without user authentication. The high-risk vulnerability numbers are as follows:
- CVE-2022-37434
- CVE-2022-27404
The vulnerability summary of Oracle’s official July key patch update is as follows:
| Product | Number of vulnerabilities | Number of unauthorized remote exploits | Highest CVSS score |
| Oracle Database Products Risk Matrices | 5 | 1 | 6.5 |
| Oracle Database Server | 5 | 1 | 6.5 |
| Oracle Application Express | 3 | 1 | 9 |
| Oracle Big Data Spatial and Graph | 2 | 0 | 6 |
| Oracle Essbase | 2 | 0 | 6 |
| Oracle GoldenGate | 2 | 1 | 6.5 |
| Oracle Graph Server and Client | 1 | 1 | 7.5 |
| Oracle NoSQL Database | 1 | 0 | 4.3 |
| Oracle Secure Backup | 1 | 0 | 4.3 |
| Oracle Spatial Studio | 1 | 0 | 4.3 |
| Oracle TimesTen In-Memory Database | 1 | 1 | 8.1 |
| Oracle Commerce | 8 | 8 | 7.5 |
| Oracle Communications Applications | 40 | 30 | 9.8 |
| Oracle Communications | 77 | 57 | 9.8 |
| Oracle Construction and Engineering | 6 | 5 | 7.5 |
| Oracle E-Business Suite | 5 | 3 | 6.5 |
| Oracle Enterprise Manager | 8 | 6 | 9.8 |
| Oracle Financial Services Applications | 147 | 115 | 9.8 |
| Oracle Food and Beverage Applications | 1 | 1 | 9.8 |
| Oracle Fusion Middleware | 60 | 40 | 9.8 |
| Oracle Analytics | 32 | 23 | 9.8 |
| Oracle Health Sciences Applications | 1 | 0 | 6.5 |
| Oracle Hospitality Applications | 2 | 2 | 9.8 |
| Oracle Hyperion | 3 | 1 | 9.8 |
| Oracle Insurance Applications | 3 | 2 | 7.5 |
| Oracle Java SE | 9 | 8 | 5.9 |
| Oracle JD Edwards | 4 | 3 | 9.8 |
| Oracle MySQL | 24 | 11 | 9.8 |
| Oracle PeopleSoft | 9 | 8 | 9.8 |
| Oracle Policy Automation | 2 | 2 | 7.5 |
| Oracle Retail Applications | 11 | 8 | 9.8 |
| Oracle Siebel CRM | 9 | 9 | 9.8 |
| Oracle Supply Chain | 13 | 11 | 9.8 |
| Oracle Systems | 1 | 0 | 7.8 |
| Oracle Utilities Applications | 14 | 12 | 9.8 |
| Oracle Virtualization | 4 | 2 | 8.1 |
Mitigation
Patch update
Please refer to the appendix of this article titled “Affected Products and Patch Information” to download updated patches for affected products in a timely manner, and refer to the readme file in the patch installation package for installation and updates to ensure long-term effective protection. Note: The official Oracle patch requires users to hold a licensed account for the genuine software and log in using that account https://support.oracle.com. Afterwards, you can download the latest patch.
Weblogic Temporary Protection Measures
If relevant users are temporarily unable to install patches or do not communicate with the JVM through the T3 protocol, the following measures can be used to block attacks that exploit vulnerabilities in the T3 protocol:
WebLogic Server provides a default connection filter called weblogic.security.net.ConnectionFilterImpl. This connection filter accepts all incoming connections and can configure rules to control access to T3 and T3s protocols. The detailed steps are as follows:
1. Enter the WebLogic console and enter the base_ In the configuration page of domain, enter the “Security” tab page, click “Filter” to enter the connection filter configuration.
2. In the connection filter, enter: weblogic.security.net.ConnectionFilterImpl, refer to the following notation, and configure rules in the connection filter rules that match the actual situation of the enterprise:
| 127.0.0.1 * * allow t3 t3s Local IP * * allow t3 t3s Allowed IP * * allow t3 t3s ** * deny t3 t3s |
| The format of the connection filter rule is as follows: target localAddress localPort action protocols, where: – Target specifies one or more servers to filter. – LocalAddress can define the host address of the server. (If specified as an asterisk (*), the matching result returned will be all local IP addresses.) – LocalPort defines the port on which the server is listening. If an asterisk is specified, the matching result will be all available ports on the server. – Action specifies the action to be performed. (The value must be ‘allow’ or ‘deny’.) Protocols is a list of protocol names to match. (One of the following protocols must be specified: http, https, t3, t3s, giop, giops, dcom, or ftp.) If no protocol is defined, all protocols will match a rule. |
3. If the rule does not take effect after saving, it is recommended to restart the WebLogic service (restarting the WebLogic service will cause business interruption, and it is recommended that relevant personnel evaluate the risk before proceeding with the operation). Taking the Windows environment as an example, the steps to restart the service are as follows:
- Enter the bin directory in the directory where the domain is located, and run the stopWebLogic.cmd file to terminate the WebLogic service on Windows systems, while running the stopWebLogic.sh file on Linux systems.
- After the termination script execution is completed, run the startWebLogic.cmd or startWebLogic.sh file to start WebLogic and complete the WebLogic service restart. Reference link: https://docs.oracle.com/cd/E24329_01/web.1211/e24485/con_filtr.htm#SCPRG377
Appendix
| Affected products and version numbers | Available Patches |
| Application Management Pack for Oracle Utilities&Enterprise Taxation, versions 13.4.1.0.0, 13.5.1.0.0 | https://support.oracle.com/rs?type=doc&id=2957770.1 |
| BI Publisher, versions 6.4.0.0.0, 7.0.0.0.0 | https://support.oracle.com/rs?type=doc&id=2958379.2 |
| JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.7.4 | https://support.oracle.com/rs?type=doc&id=2959208.1 |
| JD Edwards EnterpriseOne Tools, versions prior to 9.2.7.4 | https://support.oracle.com/rs?type=doc&id=2959208.1 |
| MySQL Cluster, versions 8.0.33 and prior | https://support.oracle.com/rs?type=doc&id=2958912.1 |
| MySQL Connectors, versions 8.0.33 and prior | https://support.oracle.com/rs?type=doc&id=2958912.1 |
| MySQL Enterprise Monitor, versions 8.0.34 and prior | https://support.oracle.com/rs?type=doc&id=2958912.1 |
| MySQL Server, versions 5.7.42 and prior, 8.0.33 and prior | https://support.oracle.com/rs?type=doc&id=2958912.1 |
| MySQL Workbench, versions 8.0.33 and prior | https://support.oracle.com/rs?type=doc&id=2958912.1 |
| Oracle Access Manager, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle Agile Engineering Data Management, versions 6.2.1.0-6.2.1.8 | https://support.oracle.com/rs?type=doc&id=2959239.1 |
| Oracle Agile PLM, version 9.3.6 | https://support.oracle.com/rs?type=doc&id=2959239.1 |
| Oracle Application Express, versions [Application Express Administration] 18.2-22.2, [Application Express Customers Plugin] 18.2-22.2, [Application Express Team Calendar Plugin] 18.2-22.1 | https://support.oracle.com/rs?type=doc&id=2946185.1 |
| Oracle Application Testing Suite, version 13.3.0.1 | https://support.oracle.com/rs?type=doc&id=2946187.1 |
| Oracle AutoVue, versions 21.0.2.0-21.0.2.7 | https://support.oracle.com/rs?type=doc&id=2959239.1 |
| Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2 | https://support.oracle.com/rs?type=doc&id=2959239.1 |
| Oracle BAM (Business Activity Monitoring), version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle Banking APIs, versions 18.2.0.0.0, 18.3.0.0.0, 19.1.0.0, 19.2.0.0.0, 21.1.0.0, 22.1.0.0.0, 22.2.0.0.0 | https://support.oracle.com |
| Oracle Banking Branch, versions 14.5-14.7 | https://support.oracle.com |
| Oracle Banking Cash Management, versions 14.7.0.2.0, 14.7.1.0.0 | https://support.oracle.com |
| Oracle Banking Corporate Lending, versions 14.0-14.3, 14.5-14.7 | https://support.oracle.com |
| Oracle Banking Corporate Lending Process Management, versions 14.4-14.7 | https://support.oracle.com |
| Oracle Banking Credit Facilities Process Management, version 14.7.1.0.0 | https://support.oracle.com |
| Oracle Banking Digital Experience, versions 18.2.0.0.0, 18.3.0.0.0, 19.1.0.0, 19.2.0.0.0, 21.1.0.0, 22.1.0.0.0, 22.2.0.0.0 | https://support.oracle.com |
| Oracle Banking Liquidity Management, versions 14.5.0.8.0, 14.6.0.3.0, 14.6.0.4.0, 14.7.0.1.0, 14.7.0.2.0, 14.7.1.0.0 | https://support.oracle.com |
| Oracle Banking Origin, versions 14.5-14.7, 14.7.0 | https://support.oracle.com |
| Oracle Banking Payments, versions 14.5-14.7 | https://support.oracle.com |
| Oracle Banking Supply Chain Finance, versions 14.7.0.2.0, 14.7.1.0.0 | https://support.oracle.com |
| Oracle Banking Trade Finance, versions 14.0-14.3, 14.5-14.7 | https://support.oracle.com |
| Oracle Banking Trade Finance Process Management, versions 14.5.0.8.0, 14.6.0.4.0, 14.7.0.2.0, 14.7.1.0.0 | https://support.oracle.com |
| Oracle Banking Treasury Management, versions 14.5-14.7 | https://support.oracle.com |
| Oracle Big Data Spatial and Graph, version 3.0 | https://support.oracle.com/rs?type=doc&id=2946185.1 |
| Oracle Business Intelligence Enterprise Edition, versions 6.4.0.0.0, 7.0.0.0.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2958379.2 |
| Oracle Business Process Management Suite, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle Commerce Guided Search, version 11.3.2 | https://support.oracle.com/rs?type=doc&id=2959205.1 |
| Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2 | https://support.oracle.com/rs?type=doc&id=2959205.1 |
| Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.8.0 | https://support.oracle.com/rs?type=doc&id=2957693.1 |
| Oracle Communications BRM – Elastic Charging Engine, versions 12.0.0.4.0-12.0.0.8.0 | https://support.oracle.com/rs?type=doc&id=2957693.1 |
| Oracle Communications Calendar Server, versions 8.0.0.2.0-8.0.0.7.0 | https://support.oracle.com/rs?type=doc&id=2957711.1 |
| Oracle Communications Cloud Native Core Automated Test Suite, versions 22.4.1, 23.1.0, 23.1.1 | https://support.oracle.com/rs?type=doc&id=2960528.1 |
| Oracle Communications Cloud Native Core Binding Support Function, versions 22.4.0, 23.1.0 | https://support.oracle.com/rs?type=doc&id=2960529.1 |
| Oracle Communications Cloud Native Core Console, versions 22.4.2, 23.1.1 | https://support.oracle.com/rs?type=doc&id=2960530.1 |
| Oracle Communications Cloud Native Core Network Exposure Function, versions 22.4.3, 23.1.2 | https://support.oracle.com/rs?type=doc&id=2960531.1 |
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment, version 23.1.0 | https://support.oracle.com/rs?type=doc&id=2960532.1 |
| Oracle Communications Cloud Native Core Network Repository Function, versions 22.4.2, 22.4.3, 23.1.0, 23.1.1, 23.2.0 | https://support.oracle.com/rs?type=doc&id= two million nine hundred and sixty thousand five hundred and thirty-three point one |
| Oracle Communications Cloud Native Core Policy, versions 22.4.0, 23.1.0, 23.2.0 | https://support.oracle.com/rs?type=doc&id=2960534.1 |
| Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 22.3.2, 22.4.0, 22.4.3, 23.1.0, 23.1.1, 23.1.2 | https://support.oracle.com/rs?type=doc&id=2960535.1 |
| Oracle Communications Cloud Native Core Service Communication Proxy, versions 22.4.0, 23.1.0 | https://support.oracle.com/rs?type=doc&id=2960537.1 |
| Oracle Communications Cloud Native Core Unified Data Repository, version 23.1.1 | https://support.oracle.com/rs?type=doc&id=2960549.1 |
| Oracle Communications Contacts Server, versions 8.0.0.6.0-8.0.0.8.0 | https://support.oracle.com/rs?type=doc&id=2957711.1 |
| Oracle Communications Converted Application Server Service Controller, version 6.2.0 | https://support.oracle.com/rs?type=doc&id=2960550.1 |
| Oracle Communications Convergence, version 3.0.3.2 | https://support.oracle.com/rs?type=doc&id=2957711.1 |
| Oracle Communications Convergent Charging Controller, versions 12.0.3.0.0-12.06.0.0 | https://support.oracle.com/rs?type=doc&id=2957695.1 |
| Oracle Communications Design Studio, versions 7.4.0.7.0, 7.4.1.5.0, 7.4.2.8.0 | https://support.oracle.com/rs?type=doc&id=2961899.1 |
| Oracle Communications Diameter Signaling Router, version 8.6.0.0 | https://support.oracle.com/rs?type=doc&id=2960570.1 |
| Oracle Communications Instant Messaging Server, version 10.0.1.7.0 | https://support.oracle.com/rs?type=doc&id=2957711.1 |
| Oracle Communications Messaging Server, version 8.1.0.21.0 | https://support.oracle.com/rs?type=doc&id=2957711.1 |
| Oracle Communications Network Analytics Data Director, version 23.1.0 | https://support.oracle.com/rs?type=doc&id=2961143.1 |
| Oracle Communications Network Charging and Control, versions 12.03.0.0-12.06.0.0 | https://support.oracle.com/rs?type=doc&id=2957695.1 |
| Oracle Communications Network Integrity, version 7.3.6.4 | https://support.oracle.com/rs?type=doc&id=2959869.1 |
| Oracle Communications Operations Monitor, versions 5.0, 5.1 | https://support.oracle.com/rs?type=doc&id=2960571.1 |
| Oracle Communications Order and Service Management, versions 7.3.5, 7.4.0, 7.4.1 | https://support.oracle.com/rs?type=doc&id=2957694.1 |
| Oracle Communications Pricing Design Center, versions 12.0.0.4.0-12.0.0.7.0 | https://support.oracle.com/rs?type=doc&id=2957693.1 |
| Oracle Communications Unified Assurance, versions 5.5.0-5.5.17, 6.0.0-6.0.2 | https://support.oracle.com/rs?type=doc&id=2957696.1 |
| Oracle Communications Unified Inventory Management, versions 7.4.0-7.4.2, 7.5.0 | https://support.oracle.com/rs?type=doc&id=2959836.1 |
| Oracle Data Integrator, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle Database Server, versions 19.3-19.19, 21.3-21.10 | https://support.oracle.com/rs?type=doc&id=2946185.1 |
| Oracle Documaker, versions 12.6.1-12.7.1 | https://support.oracle.com/rs?type=doc&id=2960012.1 |
| Oracle E-Business Suite, versions 12.2.3-12.3.12 | https://support.oracle.com/rs?type=doc&id=2484000.1 |
| Oracle Enterprise Data Quality, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle Enterprise Manager for Exadata, version 13.5.0.0 | https://support.oracle.com/rs?type=doc&id=2946187.1 |
| Oracle Enterprise Manager for Fusion Middleware, version 13.5.0.0 | https://support.oracle.com/rs?type=doc&id=2946187.1 |
| Oracle Enterprise Manager for Oracle Database, version 13.5.0.0 | https://support.oracle.com/rs?type=doc&id=2946187.1 |
| Oracle Enterprise Manager Ops Center, version 12.4.0.0 | https://support.oracle.com/rs?type=doc&id=2946187.1 |
| Oracle Enterprise Operations Monitor, versions 5.0, 5.1 | https://support.oracle.com/rs?type=doc&id=2960572.1 |
| Oracle Essbase, version 21.4.3.0.0 | https://support.oracle.com/rs?type=doc&id=2946185.1 |
| Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7, 8.0.8, 8.1.0, 8.1.1, 8.1.2 | https://support.oracle.com/rs?type=doc&id=2960444.1 |
| Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.1.1, 8.1.2.4, 8.1.2.5 | https://support.oracle.com/rs?type=doc&id=2959412.1 |
| Oracle Financial Services Compliance Studio, version 8.1.2.4 | https://support.oracle.com/rs?type=doc&id=2959360.1 |
| Oracle Financial Services Enterprise Case Management, versions 8.0.8.2, 8.1.1.1, 8.1.2.4, 8.1.2.5 | https://support.oracle.com/rs?type=doc&id=2959391.1 |
| Oracle Financial Services Trade Based Anti Money Launching Enterprise Edition, version 8.0.8 | https://support.oracle.com/rs?type=doc&id=2959413.1 |
| Oracle FLEXCUBE Investor Servicing, version 14.7.0.0.0 | https://support.oracle.com |
| Oracle FLEXCUBE Universal Banking, versions 14.0-14.7 | https://support.oracle.com |
| Oracle Fusion Middleware MapViewer, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle GoldenGate, versions 19.1.0.0.0-19.1.0.0.230422, 21.3.0.0.0-21.10.0.0.5 | https://support.oracle.com/rs?type=doc&id=2946185.1 |
| Oracle GoldenGate Stream Analytics, versions 19.1.0.0-19.1.0.7 | https://support.oracle.com/rs?type=doc&id=2946185.1 |
| Oracle GraalVM Enterprise Edition, versions 20.3.10, 21.3.6, 22.3.2 | https://support.oracle.com/rs?type=doc&id=2957260.1 |
| Oracle GraalVM for JDK, versions 17.0.7, 20.0.1 | https://support.oracle.com/rs?type=doc&id=2957260.1 |
| Oracle Graph Server and Client, versions 21.4.6, 21.4.7, 22.4.1, 22.4.2, 23.1.0 | https://support.oracle.com/rs?type=doc&id=2946185.1 |
| Oracle Health Sciences Data Management Workbench, versions 3.1.0.2, 3.1.1.3, 3.2.0.0 | https://support.oracle.com/rs?type=doc&id=2959737.1 |
| Oracle Hospitality Cruise Shipboard Property Management System, versions 20.1.0, 20.2.0, 20.3.3 | https://support.oracle.com/rs?type=doc&id=2956382.1 |
| Oracle Hospitality Simphony, version 19.5 | https://support.oracle.com/rs?type=doc&id=2953046.1 |
| Oracle HTTP Server, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle Hyperion Data Relationship Management, version 11.2.13.0.0 | https://support.oracle.com/rs?type=doc&id=2775466.2 |
| Oracle Hyperion Essbase Administration Services, version 21.4.3.0.0 | https://support.oracle.com/rs?type=doc&id=2946185.1 |
| Oracle Hyperion Financial Reporting, version 11.2.13.0.0 | https://support.oracle.com/rs?type=doc&id=2775466.2 |
| Oracle Hyperion Workspace, version 11.2.13.0.0 | https://support.oracle.com/rs?type=doc&id=2775466.2 |
| Oracle Identity Manager, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle Identity Manager Connector, versions 9.1.0, 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle Java SE, versions 8u371, 8u371 perf, 11.0.19, 17.0.7, 20.0.1 | https://support.oracle.com/rs?type=doc&id=2957260.1 |
| Oracle JDeveloper, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle Mobile Security Suite, versions prior to 11.1.2.3.1 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle NoSQL Database, versions 19.5.33, 20.3.28, 21.2.55, 22.3.26 | https://support.oracle.com/rs?type=doc&id=2946185.1 |
| Oracle Policy Automation, versions prior to 12.2.31 | https://support.oracle.com/rs?type=doc&id=2957599.1 |
| Oracle Retail Advanced Inventory Planning, versions 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2956573.1 |
| Oracle Retail Bulk Data Integration, versions 16.0.3, 19.0.1 | https://support.oracle.com/rs?type=doc&id=2956573.1 |
| Oracle Retail Financial Integration, versions 14.2.0, 15.0.4, 16.0.3, 19.0.1 | https://support.oracle.com/rs?type=doc&id=2956573.1 |
| Oracle Retail Integration Bus, versions 14.2.0, 15.0.4, 16.0.3, 19.0.1 | https://support.oracle.com/rs?type=doc&id=2956573.1 |
| Oracle Retail Order Broker, version 19.1 | https://support.oracle.com/rs?type=doc&id=2956573.1 |
| Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3 | https://support.oracle.com/rs?type=doc&id=2956573.1 |
| Oracle Retail Service Backbone, versions 14.2.0, 15.0.4, 16.0.3, 19.0.1 | https://support.oracle.com/rs?type=doc&id=2956573.1 |
| Oracle SD-WAN Edge, version 9.1.1.5.0 | https://support.oracle.com/rs?type=doc&id=2960573.1 |
| Oracle Secure Backup, version 18.1.0.1.0 | https://support.oracle.com/rs?type=doc&id=2946185.1 |
| Oracle Service Bus, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle SOA Suite, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle Solaris, version 11 | https://support.oracle.com/rs?type=doc&id=2960446.1 |
| Oracle Spatial Studio, version 22.3.0 | https://support.oracle.com/rs?type=doc&id=2946185.1 |
| Oracle TimesTen In Memory Database, versions 22.1.1.1.0-22.1.1.11.0 | https://support.oracle.com/rs?type=doc&id=2946185.1 |
| Oracle Utilities Application Framework, versions 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.0, 4.5.0.1.0, 4.5.0.1.1 | https://support.oracle.com/rs?type=doc&id=2957770.1 |
| Oracle Utilities Network Management System, versions 2.4.0.1.21, 2.5.0.0.9, 2.5.0.1, 2.5.0.1.11, 2.5.0.2, 2.5.0.2.3, 2.6.0.0 | https://support.oracle.com/rs?type=doc&id=2957770.1 |
| Oracle Utilities Testing Accelerator, versions 6.0.0.1-7.0.0.0 | https://support.oracle.com/rs?type=doc&id=2957770.1 |
| Oracle VM VirtualBox, versions prior to 6.1.46, prior to 7.0.10 | https://support.oracle.com/rs?type=doc&id=2960866.1 |
| Oracle WebCenter Content, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle WebCenter Sites, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2958367.2 |
| PeopleSoft Enterprise PeopleTools, versions 8.59, 8.60 | https://support.oracle.com/rs?type=doc&id=2959206.1 |
| Primavera Gateway, versions 18.8.0-18.8.15, 19.12.0-19.12.16, 20.12.0-20.12.11, 21.12.0-21.12.9 | https://support.oracle.com/rs?type=doc&id=2958838.1 |
| Primavera P6 Enterprise Project Portfolio Management, versions 22.12.2, 22.12.3 | https://support.oracle.com/rs?type=doc&id=2958838.1 |
| Primavera Unified, versions 18.8.0-18.8.18, 19.12.0-1912.16, 20.12.0-20.12.16, 21.12.0-212.15, 22.12.0-222.16 | https://support.oracle.com/rs?type=doc&id=2958838.1 |
| Siebel Applications, versions 22.12 and prior, 23.6 and prior | https://support.oracle.com/rs?type=doc&id=2959207.1 |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.
