Overview
On July 20, 2022, NSFOCUS CERT monitored and found that Oracle officially released the CPU (Critical Patch Update) in July. A total of 349 vulnerabilities of varying degrees were fixed this time. This security update involves Oracle WebLogic Server, Oracle MySQL, Oracle Java SE, Oracle Retail Applications and many other common products. Oracle strongly recommends that customers apply critical patch update fixes as soon as possible to remediate vulnerabilities.
Reference link: https://www.oracle.com/security-alerts/cpujul2022.html
Key Vulnerabilities
According to the popularity of the product and the importance of the vulnerability, the most influential vulnerabilities contained in this update are screened out. Please pay attention to the relevant users:
Oracle WebLogic Server Remote Code Execution Vulnerability (CVE-2022-23457):
Due to the reference to the third-party application “OWASP Enterprise Security API” in Oracle WebLogic Server, an unauthenticated attacker sends malicious requests to the affected server through the HTTP protocol, which eventually leads to the execution of arbitrary code on the target server. The CVSS score was 9.8.
Oracle WebLogic Server Remote Code Execution Vulnerability (CVE-2021-23450):
Due to the reference to the third-party application “Dojo” in Oracle WebLogic Server, an unauthenticated attacker sends malicious requests to the affected server through the HTTP protocol, which eventually leads to the execution of arbitrary code on the target server. The CVSS score was 9.8.
Oracle WebLogic Server Remote Code Execution Vulnerability (CVE-2022-22965):
Due to the reference to the third-party framework “Spring Framework” in Oracle WebLogic Server, an unauthenticated attacker sends malicious requests to the affected server through the HTTP protocol, which ultimately leads to the execution of arbitrary code on the target server. The CVSS score was 9.8.
Oracle WebLogic Server Denial of Service Vulnerability (CVE-2022-24839):
A denial of service vulnerability exists in Oracle WebLogic Server. An unauthenticated attacker sends malicious requests to the affected server through the HTTP protocol, which may cause Oracle WebLogic Server to hang or crash, resulting in a denial of service. The CVSS score was 7.5.
Oracle WebLogic Server Denial of Service Vulnerability (CVE-2022-21548):
There is a denial of service vulnerability in Oracle WebLogic Server. An unauthenticated attacker sends malicious requests to the affected server through the T3/IIOP protocol, which eventually leads to unauthorized updating, Insertion or deletion can also cause a certain degree of denial of service.
Multiple vulnerabilities in Oracle MySQL:
This security update released 34 security patches for Oracle MySQL, 10 of which can be exploited remotely without user authentication, that is, can be exploited over the network without user credentials. The high-risk vulnerability numbers are as follows:
- CVE-2022-1292
- CVE-2022-21824
- CVE-2022-27778
Multiple vulnerabilities in Oracle Financial Services Applications:
This security update releases 59 security patches for Oracle Financial Services Applications. Thirty-eight of these vulnerabilities can be exploited remotely without user authentication. The high-risk vulnerability numbers are as follows:
- CVE-2022-22963
- CVE-2022-22978
Multiple vulnerabilities in Oracle Communications:
The security update released 56 security patches for Oracle Communications, 45 of which could be exploited remotely without user authentication. The high-risk vulnerability numbers are as follows:
- CVE-2022-22947
- CVE-2022-22965
- CVE-2022-23219
- CVE-2022-1154
- CVE-2022-22963
- CVE-2022-25845
Multiple vulnerabilities in Oracle Communications Applications:
This security update releases 17 security patches for Oracle Communications Applications. Twelve of the vulnerabilities could be exploited remotely without user authentication. The high-risk vulnerabilities are as follows:
- CVE-2022-23305
- CVE-2022-23632
- CVE-2022-22965
- CVE-2022-21429
Multiple vulnerabilities in Oracle E-Business Suite:
This security update releases 6 security patches for Oracle E-Business Suite. Five of the vulnerabilities could be exploited remotely without user authentication. An attacker could access the network via HTTP to compromise the products in the suite, allowing unauthorized access to critical data or full access to data accessible to all products in the suite. The high-risk vulnerability numbers are as follows:
- CVE-2022-23305
- CVE-2022-21566
- CVE-2022-21500
- CVE-2022-21567
Multiple vulnerabilities in Oracle Retail Applications:
This security update releases 17 security patches for Oracle Retail Applications. Thirteen of the vulnerabilities could be exploited remotely without user authentication. The high-risk vulnerability numbers are as follows:
- CVE-2022-22965
- CVE-2022-23305
- CVE-2022-25647
Oracle’s official July critical patch update vulnerabilities are summarized as follows:
| Product | No. of Vulnerability | Number of unauthorized remote exploits | Highest CVSS score |
|---|---|---|---|
| Oracle Database Products Risk Matrices | 9 | 1 | 9.1 |
| Oracle Database Server | 9 | 1 | 9.1 |
| Oracle Big Data Graph | 3 | 3 | 7.5 |
| Oracle Essbase | 1 | 0 | 5.8 |
| Oracle Global Lifecycle Management | 1 | 0 | 4.2 |
| Oracle GoldenGate | 4 | 2 | 7.5 |
| Oracle Graph Server and Client | 1 | 0 | 6.5 |
| Oracle REST Data Services | 2 | 2 | 6.1 |
| Oracle Spatial Studio | 1 | 0 | 6.5 |
| Oracle TimesTen In-Memory Database | 1 | 1 | 8.3 |
| Oracle Commerce | 12 | 10 | 9.8 |
| Oracle Communications Applications | 17 | 12 | 9.8 |
| Oracle Communications | 56 | 45 | 10 |
| Oracle Construction and Engineering | 7 | 4 | 7.8 |
| Oracle E-Business Suite | 6 | 5 | 9.8 |
| Oracle Enterprise Manager | 6 | 6 | 9.8 |
| Oracle Financial Services Applications | 59 | 38 | 9.8 |
| Oracle Food and Beverage Applications | 3 | 3 | 7.5 |
| Oracle Fusion Middleware | 38 | 32 | 9.8 |
| Oracle Health Sciences Applications | 6 | 3 | 7.5 |
| Oracle HealthCare Applications | 3 | 2 | 7.5 |
| Oracle Hospitality Applications | 2 | 2 | 9.8 |
| Oracle Java SE | 5 | 4 | 7.5 |
| Oracle JD Edwards | 6 | 3 | 9.8 |
| Oracle MySQL | 34 | 10 | 9.8 |
| Oracle PeopleSoft | 11 | 9 | 9.8 |
| Oracle Policy Automation | 3 | 1 | 6.6 |
| Oracle Retail Applications | 17 | 13 | 9.8 |
| Oracle Siebel CRM | 1 | 0 | 5.5 |
| Oracle Supply Chain | 24 | 19 | 9.8 |
| Oracle Systems | 7 | 2 | 8.2 |
| Oracle Utilities Applications | 1 | 1 | 7.5 |
| Oracle Virtualization | 2 | 0 | 8.2 |
Mitigation
Patch update
Please refer to the appendix “Affected Products and Patch Information” to download the affected product update patch in time, and refer to the readme file in the patch installation package to install and update to ensure long-term effective protection.
Note: Oracle’s official patch requires users to hold a licensed account of the genuine software. After using this account to log in to https://support.oracle.com, the latest patch can be downloaded.
Weblogic temporary mitigation
If the relevant users are temporarily unable to install patches or do not communicate with the JVM through the T3 protocol, the following measures can be used to block attacks that exploit T3 protocol vulnerabilities:
WebLogic Server provides a default connection filter named weblogic.security.net.ConnectionFilterImpl. This connection filter accepts all incoming connections. You can configure rules through this connection filter to control access to T3 and T3s protocols. Detailed operation steps as follows:
1. Enter the WebLogic console, in the base_domain configuration page, enter the “Security” tab page, click “Filter”, enter the connection filter configuration.
2. In the connection filter, enter: weblogic.security.net.ConnectionFilterImpl, refer to the following writing method, and configure the rules that conform to the actual situation of the enterprise in the connection filter rules:
127.0.0.1 * * allow t3 t3s
Native IP ** allow t3 t3s
IPs to allow access * * allow t3 t3s * * * deny t3 t3s
Connection filter rules have the following format: target localAddress localPort action protocols, where:
- target specifies one or more servers to filter.
- localAddress defines the server’s host address. (If specified as an asterisk (*), the returned matches will be all local IP addresses.)
- localPort defines the port on which the server is listening. (If an asterisk is specified, the match will return all ports available on the server).
- action specifies the action to perform. (The value must be “allow” or “deny”.)
- protocols is a list of protocol names to match. (One of the following protocols must be specified: http, https, t3, t3s, giop, giops, dcom, or ftp.) If no protocol is defined, all protocols will match a rule.
3. If the rule does not take effect after saving, it is recommended to restart the WebLogic service (restarting the WebLogic service will cause business interruption, and it is recommended that relevant personnel evaluate the risk before proceeding). Taking the Windows environment as an example, the steps to restart the service are as follows:
Enter the bin directory under the directory where the domain is located, and run the stopWebLogic.cmd file in Windows to stop the WebLogic service, and in Linux, run stopWebLogic.sh.
After the execution of the termination script is completed, run the startWebLogic.cmd or startWebLogic.sh file to start WebLogic to complete the restart of the WebLogic service.
Reference link: https://docs.oracle.com/cd/E24329_01/web.1211/e24485/con_filtr.htm#SCPRG377
Appendix
| Affected products and version numbers | Patches available |
|---|---|
| Autonomous Health Framework | https://support.oracle.com/rs?type=doc&id=2815521.1 |
| Big Data Spatial and Graph, versions prior to 23.1 | https://support.oracle.com/rs?type=doc&id=2867871.1 |
| Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0 | https://support.oracle.com/rs?type=doc&id=2867874.1 |
| Enterprise Manager for MySQL Database | https://support.oracle.com/rs?type=doc&id=2867874.1 |
| Enterprise Manager Ops Center, version 12.4.0.0 | https://support.oracle.com/rs?type=doc&id=2867874.1 |
| JD Edwards EnterpriseOne Orchestrator, versions 9.2.6.3 and prior | https://support.oracle.com/rs?type=doc&id=2880760.1 |
| JD Edwards EnterpriseOne Tools, versions 9.2.6.3 and prior | https://support.oracle.com/rs?type=doc&id=2880760.1 |
| MySQL Cluster, versions 7.4.36 and prior, 7.5.26 and prior, 7.6.22 and prior, 8.0.29 and prior, and8.0.29 and prior | https://support.oracle.com/rs?type=doc&id=2880175.1 |
| MySQL Enterprise Monitor, versions 8.0.30 and prior | https://support.oracle.com/rs?type=doc&id=2880175.1 |
| MySQL Server, versions 5.7.38 and prior, 8.0.29 and prior | https://support.oracle.com/rs?type=doc&id=2880175.1 |
| MySQL Shell, versions 8.0.28 and prior | https://support.oracle.com/rs?type=doc&id=2880175.1 |
| MySQL Shell for VS Code, versions 1.1.8 and prior | https://support.oracle.com/rs?type=doc&id=2880175.1 |
| MySQL Workbench, versions 8.0.29 and prior | https://support.oracle.com/rs?type=doc&id=2880175.1 |
| Oracle Agile Engineering Data Management, version 6.2.1.0 | https://support.oracle.com/rs?type=doc&id=2880762.1 |
| Oracle Agile PLM, version 9.3.6 | https://support.oracle.com/rs?type=doc&id=2880762.1 |
| Oracle Agile Product Lifecycle Management for Process, versions 6.2.2, 6.2.3 | https://support.oracle.com/rs?type=doc&id=2880762.1 |
| Oracle Application Express, versions prior to 22.1.1 | https://support.oracle.com/rs?type=doc&id=2867871.1 |
| Oracle Application Testing Suite, version 13.3.0.1 | https://support.oracle.com/rs?type=doc&id=2867874.1 |
| Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2 | https://support.oracle.com/rs?type=doc&id=2880762.1 |
| Oracle Banking Branch, version 14.5 | https://support.oracle.com |
| Oracle Banking Cash Management, version 14.5 | https://support.oracle.com |
| Oracle Banking Corporate Lending Process Management, version 14.5 | https://support.oracle.com |
| Oracle Banking Credit Facilities Process Management, version 14.5 | https://support.oracle.com |
| Oracle Banking Deposits and Lines of Credit Servicing, version 2.7 | https://support.oracle.com |
| Oracle Banking Electronic Data Exchange for Corporates, version 14.5 | https://support.oracle.com |
| Oracle Banking Liquidity Management, versions 14.2, 14.5 | https://support.oracle.com |
| Oracle Banking Origination, version 14.5 | https://support.oracle.com |
| Oracle Banking Party Management, version 2.7 | https://support.oracle.com/rs?type=doc&id=2880601.1 |
| Oracle Banking Platform, versions 2.6.2, 2.9, 2.12 | https://support.oracle.com/rs?type=doc&id=2880601.1 |
| Oracle Banking Supply Chain Finance, version 14.5 | https://support.oracle.com |
| Oracle Banking Trade Finance, version 14.5 | https://support.oracle.com |
| Oracle Banking Trade Finance Process Management, version 14.5 | https://support.oracle.com |
| Oracle Banking Virtual Account Management, version 14.5 | https://support.oracle.com |
| Oracle Berkeley DB | https://support.oracle.com/rs?type=doc&id=2881355.1 |
| Oracle BI Publisher, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2880164.2 |
| Oracle Blockchain Platform | https://support.oracle.com/rs?type=doc&id=2815521.1 |
| Oracle Business Intelligence Enterprise Edition, version 5.9.0.0.0 | https://support.oracle.com/rs?type=doc&id=2880164.2 |
| Oracle Coherence, versions 3.7.1.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2880163.2 |
| Oracle Commerce Guided Search, version 11.3.2 | https://support.oracle.com/rs?type=doc&id=2881330.1 |
| Oracle Commerce Merchandising, version 11.3.2 | https://support.oracle.com/rs?type=doc&id=2881330.1 |
| Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2 | https://support.oracle.com/rs?type=doc&id=2881330.1 |
| Oracle Communications ASAP, version 7.3 | https://support.oracle.com/rs?type=doc&id=2880117.1 |
| Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.6.0 | https://support.oracle.com/rs?type=doc&id=2880120.1 |
| Oracle Communications BRM – Elastic Charging Engine, versions prior to 12.0.0.4.6, prior to 12.0.0.5.1 | https://support.oracle.com/rs?type=doc&id=2880120.1 |
| Oracle Communications Cloud Native Core Binding Support Function, versions 22.1.3, 22.2.0 | https://support.oracle.com/rs?type=doc&id=2881121.1 |
| Oracle Communications Cloud Native Core Console, versions 22.1.2, 22.2.0 | https://support.oracle.com/rs?type=doc&id=2881127.1 |
| Oracle Communications Cloud Native Core Network Exposure Function, version 22.1.1 | https://support.oracle.com/rs?type=doc&id=2881146.1 |
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 22.1.0, 22.1.2, 22.2.0 | https://support.oracle.com/rs?type=doc&id=2881128.1 |
| Oracle Communications Cloud Native Core Network Repository Function, versions 22.1.2, 22.2.0 | https://support.oracle.com/rs?type=doc&id=2881129.1 |
| Oracle Communications Cloud Native Core Network Slice Selection Function, version 22.1.1 | https://support.oracle.com/rs?type=doc&id=2881130.1 |
| Oracle Communications Cloud Native Core Policy, versions 22.1.3, 22.2.0 | https://support.oracle.com/rs?type=doc&id=2881131.1 |
| Oracle Communications Cloud Native Core Security Edge Protection Proxy, version 22.1.1 | https://support.oracle.com/rs?type=doc&id=2881132.1 |
| Oracle Communications Cloud Native Core Service Communication Proxy, version 22.2.0 | https://support.oracle.com/rs?type=doc&id=2881112.1 |
| Oracle Communications Cloud Native Core Unified Data Repository, version 22.2.0 | https://support.oracle.com/rs?type=doc&id=2881143.1 |
| Oracle Communications Core Session Manager, versions 8.2.5, 8.4.5 | https://support.oracle.com/rs?type=doc&id=2881373.1 |
| Oracle Communications Design Studio, version 7.4.2 | https://support.oracle.com/rs?type=doc&id=2881549.1 |
| Oracle Communications Instant Messaging Server, version 10.0.1.5.0 | https://support.oracle.com/rs?type=doc&id=2881276.1 |
| Oracle Communications IP Service Activator | https://support.oracle.com/rs?type=doc&id=2880138.1 |
| Oracle Communications Offline Mediation Controller, versions prior to 12.0.0.4.4, prior to 12.0.0.5.1 | https://support.oracle.com/rs?type=doc&id=2880136.1 |
| Oracle Communications Operations Monitor, versions 4.3, 4.4, 5.0 | https://support.oracle.com/rs?type=doc&id=2881145.1 |
| Oracle Communications Session Border Controller, versions 8.4, 9.0, 9.1 | https://support.oracle.com/rs?type=doc&id=2881322.1 |
| Oracle Communications Unified Inventory Management, versions 7.4.1, 7.4.2, 7.5.0 | https://support.oracle.com/rs?type=doc&id=2880135.1 |
| Oracle Communications Unified Session Manager, version 8.2.5 | https://support.oracle.com/rs?type=doc&id=2881373.1 |
| Oracle Crystal Ball, versions 11.1.2.0.0-11.1.2.4.900 | https://support.oracle.com/rs?type=doc&id=2879713.1 |
| Oracle Data Integrator | https://support.oracle.com/rs?type=doc&id=2880163.2 |
| Oracle Database Server, versions 12.1.0.2, 19c, 21c | https://support.oracle.com/rs?type=doc&id=2867871.1 |
| Oracle E-Business Suite, versions 12.2.3-12.2.11 | https://support.oracle.com/rs?type=doc&id=2484000.1 |
| Oracle Enterprise Communications Broker, version 3.3 | https://support.oracle.com/rs?type=doc&id=2881359.1 |
| Oracle Enterprise Operations Monitor, versions 4.3, 4.4, 5.0 | https://support.oracle.com/rs?type=doc&id=2883136.1 |
| Oracle Enterprise Session Border Controller, versions 8.4, 9.0, 9.1 | https://support.oracle.com/rs?type=doc&id=2881322.1 |
| Oracle Essbase, version 21.3 | https://support.oracle.com/rs?type=doc&id=2867871.1 |
| Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1 | https://support.oracle.com/rs?type=doc&id=2881546.1 |
| Oracle Financial Services Behavior Detection Platform, versions 8.0.7.0, 8.0.8.0, 8.1.1.0-8.1.2.1 | https://support.oracle.com/rs?type=doc&id=2879993.1 |
| Oracle Financial Services Crime and Compliance Management Studio, versions 8.0.8.2.0, 8.0.8.3.0 | https://support.oracle.com/rs?type=doc&id=2879958.1 |
| Oracle Financial Services Enterprise Case Management, versions 8.0.7.1, 8.0.7.2, 8.0.8.0, 8.0.8.1, 8.1.1.0-8.1.2.1 | https://support.oracle.com/rs?type=doc&id=2879962.1 |
| Oracle Financial Services Revenue Management and Billing, versions 2.9.0.0.0, 2.9.0.1.0, 3.0.0.0.0-3.2.0.0.0, 4.0.0.0.0 | https://support.oracle.com/rs?type=doc&id=2881994.1 |
| Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, versions 8.0.7.0, 8.0.8.0 | https://support.oracle.com/rs?type=doc&id=2879961.1 |
| Oracle FLEXCUBE Core Banking, versions 5.2, 11.6-11.8, 11.10 | https://support.oracle.com |
| Oracle FLEXCUBE Private Banking, version 12.1 | https://support.oracle.com |
| Oracle FLEXCUBE Universal Banking, versions 12.1-12.4, 14.0-14.3, 14.5 | https://support.oracle.com |
| Oracle Global Lifecycle Management NextGen OUI Framework, versions prior to 13.9.4.2.10 | https://support.oracle.com/rs?type=doc&id=2880163.2 |
| Oracle Global Lifecycle Management OPatch, versions prior to 12.2.0.1.30 | https://support.oracle.com/rs?type=doc&id=2815521.1 |
| Oracle GoldenGate, versions [19c] prior to 19.1.0.0.220719, [21c] prior to 21.7.0.0.0 | https://support.oracle.com/rs?type=doc&id=2867871.1 |
| Oracle GraalVM Enterprise Edition, versions 20.3.6, 21.3.2, 22.1.0 | https://support.oracle.com/rs?type=doc&id=2879978.1 |
| Oracle Graph Server and Client, versions prior to 22.2.0 | https://support.oracle.com/rs?type=doc&id=2867871.1 |
| Oracle Health Sciences Data Management Workbench, versions 2.4.8.7, 2.5.2.1, 3.0.0.0, 3.1.0.3 | https://support.oracle.com/rs?type=doc&id=2870068.1 |
| Oracle Health Sciences Empirica Signal, versions 9.1.0.52, 9.2.0.52 | https://support.oracle.com/rs?type=doc&id=2870068.1 |
| Oracle Health Sciences Information Manager, versions 3.0.0.1, 3.0.1.0-3.0.5.0 | https://support.oracle.com/rs?type=doc&id=2879761.1 |
| Oracle Healthcare Foundation, versions 8.1.0, 8.2.0, 8.2.1 | https://support.oracle.com/rs?type=doc&id=2879761.1 |
| Oracle Hospitality Cruise Shipboard Property Management System, version 20.2.1 | https://support.oracle.com/rs?type=doc&id=2873392.1 |
| Oracle Hospitality Inventory Management, version 9.1 | https://support.oracle.com/rs?type=doc&id=2871970.1 |
| Oracle Hospitality Materials Control, version 18.1 | https://support.oracle.com/rs?type=doc&id=2871960.1 |
| Oracle Hospitality OPERA 5, version 5.6 | https://support.oracle.com/rs?type=doc&id=2872807.1 |
| Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2880163.2 |
| Oracle Identity Management Suite | https://support.oracle.com/rs?type=doc&id=2880163.2 |
| Oracle Identity Manager Connector | https://support.oracle.com/rs?type=doc&id=2880163.2 |
| Oracle Java SE, versions 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1 | https://support.oracle.com/rs?type=doc&id=2879978.1 |
| Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2880163.2 |
| Oracle Middleware Common Libraries and Tools, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2880163.2 |
| Oracle NoSQL Database | https://support.oracle.com/rs?type=doc&id=2867871.1 |
| Oracle Policy Automation, versions 12.2.0-12.2.25 | https://support.oracle.com/rs?type=doc&id=2876163.1 |
| Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.24 | https://support.oracle.com/rs?type=doc&id=2876163.1 |
| Oracle Product Lifecycle Analytics, version 3.6.1 | https://support.oracle.com/rs?type=doc&id=2880762.1 |
| Oracle REST Data Services, versions prior to 22.1.1 | https://support.oracle.com/rs?type=doc&id=2867871.1 |
| Oracle Retail Allocation, versions 15.0.3.1, 16.0.3 | https://support.oracle.com/rs?type=doc&id=2875760.1 |
| Oracle Retail Bulk Data Integration, version 16.0.3 | https://support.oracle.com/rs?type=doc&id=2875760.1 |
| Oracle Retail Customer Insights, versions 15.0.2, 16.0.2 | https://support.oracle.com/rs?type=doc&id=2875760.1 |
| Oracle Retail Customer Management and Segmentation Foundation, versions 17.0, 18.0, 19.0 | https://support.oracle.com/rs?type=doc&id=2875760.1 |
| Oracle Retail Extract Transform and Load, version 13.2.5 | https://support.oracle.com/rs?type=doc&id=2875760.1 |
| Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | https://support.oracle.com/rs?type=doc&id=2875760.1 |
| Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | https://support.oracle.com/rs?type=doc&id=2875760.1 |
| Oracle Retail Merchandising System, versions 16.0.3, 19.0.1 | https://support.oracle.com/rs?type=doc&id=2875760.1 |
| Oracle Retail Order Broker, versions 18.0, 19.1 | https://support.oracle.com/rs?type=doc&id=2875760.1 |
| Oracle Retail Pricing, version 19.0.1 | https://support.oracle.com/rs?type=doc&id=2875760.1 |
| Oracle Retail Sales Audit, versions 15.0.3.1, 16.0.3 | https://support.oracle.com/rs?type=doc&id=2875760.1 |
| Oracle Retail Xstore Point of Service, versions 17.0.4, 18.0.3, 19.0.2, 20.0.1, 21.0.1 | https://support.oracle.com/rs?type=doc&id=2875760.1 |
| Oracle SD-WAN Edge, versions 9.0, 9.1 | https://support.oracle.com/rs?type=doc&id=2881968.1 |
| Oracle Security Service, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2880163.2 |
| Oracle SOA Suite, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2880163.2 |
| Oracle Solaris, versions 10, 11 | https://support.oracle.com/rs?type=doc&id=2880043.1 |
| Oracle Spatial Studio, versions prior to 22.1.0 | https://support.oracle.com/rs?type=doc&id=2867871.1 |
| Oracle SQL Developer | https://support.oracle.com/rs?type=doc&id=2867871.1 |
| Oracle Stream Analytics, versions [19c] prior to 19.1.0.0.6.4 | https://support.oracle.com/rs?type=doc&id=2867871.1 |
| Oracle TimesTen In-Memory Database, versions prior to 22.1.1.1.0 | https://support.oracle.com/rs?type=doc&id=2867871.1 |
| Oracle Transportation Management, version 1.4.4 | https://support.oracle.com/rs?type=doc&id=2880762.1 |
| Oracle Utilities Framework, versions 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0 | https://support.oracle.com/rs?type=doc&id=2877520.1 |
| Oracle VM VirtualBox, versions prior to 6.1.36 | https://support.oracle.com/rs?type=doc&id=2879930.1 |
| Oracle WebCenter Content, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2880163.2 |
| Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2880163.2 |
| Oracle WebCenter Sites Support Tools, versions prior to 4.4.2 | https://support.oracle.com/rs?type=doc&id=2880163.2 |
| Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2880163.2 |
| Oracle Weblogic Server Proxy Plug-in, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2880163.2 |
| Oracle ZFS Storage Appliance Kit, version 8.8 | https://support.oracle.com/rs?type=doc&id=2880043.1 |
| PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59 | https://support.oracle.com/rs?type=doc&id=2880759.1 |
| Primavera Gateway, versions 17.12.0-17.12.11, 18.8.0-18.8.14, 19.12.0-19.12.13, 20.12.0-20.12.8, 21.12.0-21.12.1 | https://support.oracle.com/rs?type=doc&id=2879713.1 |
| Primavera P6 Enterprise Project Portfolio Management, versions 17.12.0.0-17.12.20.4, 18.8.0.0-18.8.25.4, 19.12.0.0-19.12.19.0, 20.12.0.0-20.12.14.0, 21.12.0.0-21.12.4.0 | https://support.oracle.com/rs?type=doc&id=2879713.1 |
| Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12, 21.12 | https://support.oracle.com/rs?type=doc&id=2879713.1 |
| Siebel Applications, versions 22.6 and prior | https://support.oracle.com/rs?type=doc&id=2880773.1 |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.
