Oracle January Critical Patch Update for All Product Families

January 24, 2022 | Jie Ji


On January 19, 2022, NSFOCUS CERT detected that Oracle had officially released its January CPU (Critical Patch Update). A total of 497 vulnerabilities of varying severity were fixed in this release. The security update covers Oracle WebLogic Server, Oracle MySQL, Oracle Java SE, Oracle Fusion Middleware, Oracle Retail Applications and many other widely used products. Oracle strongly recommends that customers apply the Critical Patch Update fixes as soon as possible to remediate these vulnerabilities.

Reference link:

Key vulnerabilities

Based on product popularity and vulnerability severity, the most impactful vulnerabilities in this update have been selected below. Affected users should take note:

Oracle WebLogic Server Remote Code Execution Vulnerability (CVE-2022-21306):

Oracle WebLogic Server has a remote code execution vulnerability. An unauthenticated attacker who sends a specially crafted malicious request to the server over the T3 protocol can ultimately execute arbitrary code on the target server.

Oracle WebLogic Server Information Disclosure Vulnerability (CVE-2022-21292/CVE-2022-21371):

Oracle WebLogic Server has an information disclosure vulnerability. An unauthenticated attacker who sends a specially crafted request to the affected server over HTTP may gain unauthorized access to critical data, or complete access to all Oracle WebLogic Server data, resulting in the disclosure of sensitive information.

Multiple vulnerabilities in Oracle MySQL:

This security update released 78 security patches for Oracle MySQL, 3 of which can be exploited remotely without authentication, that is, over the network without user credentials. The vulnerability numbers are as follows:

  • CVE-2021-22946
  • CVE-2021-3712
  • CVE-2022-21278
  • CVE-2022-21351

Multiple vulnerabilities in Oracle Financial Services Applications:

This security update releases 48 security patches for Oracle Financial Services Applications. Thirty-seven of the vulnerabilities could be exploited remotely without user authentication. The high-risk vulnerability numbers are as follows:

  • CVE-2019-17495
  • CVE-2020-13936
  • CVE-2021-2351
  • CVE-2020-11987
  • CVE-2021-22118
  • CVE-2021-36090
  • CVE-2020-25649
  • CVE-2021-37137

Multiple vulnerabilities in Oracle Insurance Applications:

This security update releases seven security patches for Oracle Insurance Applications. Six of the vulnerabilities could be exploited remotely without user authentication: an attacker with HTTP network access could send malicious requests to take control of components in the product and gain full access to critical data. The critical vulnerability numbers are as follows:

  • CVE-2020-10683
  • CVE-2021-2351
  • CVE-2021-22118

Oracle Communications Multiple Vulnerabilities:

The security update released 84 security patches for Oracle Communications, 50 of which could be exploited remotely without user authentication. The high-risk vulnerability numbers are as follows:

  • CVE-2021-23440
  • CVE-2021-21783
  • CVE-2021-32827
  • CVE-2021-27568
  • CVE-2021-39139
  • CVE-2019-13734
  • CVE-2020-13936
  • CVE-2020-15824
  • CVE-2020-10878
  • CVE-2021-39153
  • CVE-2020-36189

Multiple vulnerabilities in Oracle Communications Applications:

This security update releases 33 security patches for Oracle Communications Applications. Twenty-two of the vulnerabilities could be exploited remotely without user authentication. The high-risk vulnerabilities are as follows:

  • CVE-2022-21275
  • CVE-2022-21389
  • CVE-2022-21390
  • CVE-2022-21276
  • CVE-2022-21391
  • CVE-2021-39139
  • CVE-2021-29505
  • CVE-2021-2351
  • CVE-2020-28052
  • CVE-2020-24750

Multiple vulnerabilities in Oracle E-Business Suite:

This security update releases nine security patches for Oracle E-Business Suite. Five of the vulnerabilities could be exploited remotely without user authentication: an attacker with HTTP network access could compromise products in the suite, gaining unauthorized access to critical data or full access to all data reachable by the suite's products. The high-risk vulnerability numbers are as follows:

  • CVE-2022-21255
  • CVE-2022-21273
  • CVE-2022-21274
  • CVE-2022-21250

Multiple vulnerabilities in Oracle Retail Applications:

This security update releases 43 security patches for Oracle Retail Applications. Thirty-four of the vulnerabilities could be exploited remotely without user authentication. The high-risk vulnerability numbers are as follows:

  • CVE-2020-13936
  • CVE-2021-2351
  • CVE-2021-22118
  • CVE-2021-4104
  • CVE-2021-23337

The vulnerabilities in Oracle’s official January Critical Patch Update are summarized below:

Product | Number of vulnerabilities | Remotely exploitable without authentication | Highest CVSS score
Oracle Database Server | 4 | 0 | 5.4
Oracle Essbase | 4 | 3 | 9.9
Oracle GoldenGate | 3 | 3 | 9.4
Oracle Graph Server and Client | 2 | 2 | 9.8
Oracle REST Data Services | 2 | 1 | 7.5
Oracle Secure Backup | 2 | 2 | 9.8
Oracle Commerce | 6 | 6 | 8.3
Oracle Communications Applications | 33 | 22 | 10.0
Oracle Communications | 84 | 50 | 9.8
Oracle Construction and Engineering | 22 | 15 | 9.8
Oracle E-Business Suite | 9 | 5 | 8.1
Oracle Enterprise Manager | 7 | 6 | 9.8
Oracle Financial Services Applications | 48 | 37 | 9.8
Oracle Fusion Middleware | 39 | 35 | 9.8
Oracle Health Sciences Applications | 8 | 8 | 8.3
Oracle Hospitality Applications | 3 | 3 | 8.3
Oracle HealthCare Applications | 4 | 4 | 8.3
Oracle Hyperion | 1 | 1 | 8.3
Oracle Insurance Applications | 7 | 6 | 9.8
Oracle Java SE | 18 | 18 | 6.5
Oracle JD Edwards | 1 | 0 | 7.2
Oracle MySQL | 78 | 3 | 7.5
Oracle PeopleSoft | 13 | 10 | 9.8
Oracle Retail Applications | 43 | 34 | 8.8
Oracle Siebel CRM | 2 | 1 | 8.8
Oracle Supply Chain | 10 | 8 | 8.3
Oracle Systems | 11 | 7 | 8.6
Oracle Utilities Applications | 13 | 7 | 9.8
Oracle Virtualization | 2 | 0 | 6.5

Vulnerability mitigation

Patch update

Please refer to the appendix “Affected Products and Patch Information” to download the update patch for the affected product promptly, and follow the readme file in the patch package to install the update, so that protection remains effective in the long term.

Note: Oracle’s official patches require an account licensed for the genuine software. After logging in with this account, the latest patch can be downloaded.

WebLogic Temporary Protection Measures

If users are temporarily unable to install the patch, or do not use the T3 protocol to communicate with the JVM, the following measures can be used to block attacks that exploit T3 protocol vulnerabilities:

WebLogic Server provides a default connection filter that accepts all incoming connections. Rules configured through this connection filter control access to the T3 and T3S protocols. The detailed steps are as follows:

1. Log in to the WebLogic console; on the base_domain configuration page, open the “Security” tab, click “Filter”, and enter the connection filter configuration.

2. In the connection filter field, enter the default connection filter class, and then write connection filter rules in the following form, adapted to the actual situation of the enterprise (one allow line per permitted address, followed by a final deny line):

    <local server IP> * * allow t3 t3s
    <IP allowed to access> * * allow t3 t3s
    * * * deny t3 t3s

Connection filter rules have the following format: target localAddress localPort action protocols, where:

• target specifies one or more servers to filter.

• localAddress defines the server’s host address. (If specified as an asterisk (*), the returned matches will be all local IP addresses.)

• localPort defines the port on which the server is listening. (If an asterisk is specified, the match will return all ports available on the server.)

• action specifies the action to perform. (The value must be “allow” or “deny”.)

• protocols is a list of protocol names to match. (One or more of the following protocols must be specified: http, https, t3, t3s, giop, giops, dcom, or ftp.) If no protocol is defined, the rule matches all protocols.

3. If the rules do not take effect after saving, it is recommended to restart the WebLogic service (restarting the WebLogic service causes a business interruption, so the relevant personnel should evaluate the risk before proceeding). Taking a Windows environment as an example, the steps to restart the service are as follows:

Enter the bin directory under the domain directory and run stopWebLogic.cmd on Windows (or the corresponding shell script on Linux) to stop the WebLogic service.

After the stop script has finished, run startWebLogic.cmd (or the corresponding shell script on Linux) to start WebLogic, completing the restart of the WebLogic service.

Reference link:
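To make the rule semantics from step 2 concrete, the following is an added example (not code from the NSFOCUS advisory or from Oracle): a small evaluator for connection filter rules in the “target localAddress localPort action protocols” format described above. It assumes that rules are checked top to bottom with the first match winning, which is how the allow-then-deny ordering is meant to be read, that the target field is matched against the connecting client's address, and that a connection matching no rule is accepted (the default filter's behaviour). Only exact addresses or `*` are supported, and all IP addresses are constructed for illustration. The `t3_fail_open` check flags the common mistake of adding allow rules without the final `* * * deny t3 t3s` line.

```python
"""Evaluator for WebLogic-style connection filter rules (added example).

Not code from the advisory or from Oracle. Assumptions: rules are evaluated
top to bottom and the first match wins; the target field is compared with the
connecting client's address; no matching rule means the connection is
accepted, as with the default filter. Exact addresses or '*' only.
All IP addresses in this file are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

KNOWN_PROTOCOLS = {"http", "https", "t3", "t3s", "giop", "giops", "dcom", "ftp"}


@dataclass(frozen=True)
class Rule:
    target: str                # client address, or '*' for any
    local_addr: str            # server listen address, or '*'
    local_port: str            # server listen port, or '*'
    action: str                # 'allow' or 'deny'
    protocols: FrozenSet[str]  # empty means the rule matches every protocol


def parse_rule(line: str) -> Rule:
    """Parse one rule line; rejects malformed actions and unknown protocol names."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"rule needs at least 4 fields: {line!r}")
    target, local_addr, local_port, action, *protos = parts
    if action not in ("allow", "deny"):
        raise ValueError(f"action must be allow or deny: {line!r}")
    unknown = set(protos) - KNOWN_PROTOCOLS
    if unknown:
        raise ValueError(f"unknown protocol(s) {sorted(unknown)} in {line!r}")
    return Rule(target, local_addr, local_port, action, frozenset(protos))


def parse_rules(text: str) -> List[Rule]:
    """Parse a block of rules, skipping blank lines and '#' comment lines."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def decide(rules: List[Rule], client_ip: str, local_ip: str,
           local_port: int, protocol: str) -> str:
    """Return 'allow' or 'deny' for one connection attempt (first match wins)."""
    for rule in rules:
        if (_match(rule.target, client_ip)
                and _match(rule.local_addr, local_ip)
                and _match(rule.local_port, str(local_port))
                and (not rule.protocols or protocol in rule.protocols)):
            return rule.action
    return "allow"  # no rule matched: default filter accepts the connection


def t3_fail_open(rules: List[Rule], probe_ip: str = "203.0.113.9",
                 local_ip: str = "10.0.0.5", local_port: int = 7001) -> bool:
    """True if an address listed in no allow rule would still be granted T3/T3S.

    Catches allow-only rule sets that lack the closing '* * * deny t3 t3s'.
    The probe and local addresses are constructed placeholders.
    """
    return any(decide(rules, probe_ip, local_ip, local_port, proto) == "allow"
               for proto in ("t3", "t3s"))


# Constructed sample following the advisory's pattern: the server's own
# address and one administrative host keep T3/T3S; everyone else is denied.
SAMPLE_RULES = """
# server's own address
10.0.0.5 * * allow t3 t3s
# administrative host
10.0.0.50 * * allow t3 t3s
# everyone else: no T3/T3S (HTTP/HTTPS are untouched by these rules)
* * * deny t3 t3s
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for client, proto in [("10.0.0.50", "t3"), ("203.0.113.9", "t3"),
                          ("203.0.113.9", "http")]:
        print(client, proto, "->", decide(rules, client, "10.0.0.5", 7001, proto))
    print("T3 fail-open:", t3_fail_open(rules))
```

Run the file directly to see the decisions for the sample rules; a deployment check can feed the rule text actually saved in the console into `parse_rules` and assert that `t3_fail_open` returns False before relying on the filter as a stop-gap.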

Appendix: Affected Products and Patch Information

Affected Product | Patch Information
Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite, version 3.6
Application Performance Management, versions,
Big Data Spatial and Graph, versions prior to 23.1
Enterprise Manager Base Platform, versions,
Enterprise Manager Ops Center, version
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2410, prior to XCP3110
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
JD Edwards EnterpriseOne Tools, versions prior to
MySQL Cluster, versions 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
MySQL Connectors, versions 8.0.27 and prior
MySQL Server, versions 5.7.36 and prior, 8.0.27 and prior
MySQL Workbench, versions 8.0.27 and prior
Oracle Access Manager, versions,,
Oracle Agile Engineering Data Management, version
Oracle Agile PLM, versions 9.3.3, 9.3.6
Oracle Agile PLM MCAD Connector, versions 3.4, 3.6
Oracle Airlines Data Model, versions,
Oracle Application Express, versions prior to 21.1.4
Oracle Application Testing Suite, version
Oracle Argus Analytics, versions 8.2.1, 8.2.2, 8.2.3
Oracle Argus Insight, versions 8.2.1, 8.2.2, 8.2.3
Oracle Argus Mart, versions 8.2.1, 8.2.2, 8.2.3
Oracle Argus Safety, versions 8.2.1, 8.2.2, 8.2.3
Oracle Banking APIs, versions 18.1-18.3, 19.1, 19.2, 20.1, 21.1
Oracle Banking Deposits and Lines of Credit Servicing, version 2.12.0
Oracle Banking Digital Experience, versions 17.2, 18.1-18.3, 19.1, 19.2, 20.1, 21.1
Oracle Banking Enterprise Default Management, versions 2.3.0-2.4.1, 2.6.2, 2.7.0, 2.7.1, 2.10.0, 2.12.0
Oracle Banking Loans Servicing, version 2.12.0
Oracle Banking Party Management, version 2.7.0
Oracle Banking Platform, versions 2.3.0-2.4.1, 2.6.2, 2.7.0, 2.7.1
Oracle BI Publisher, versions,,,
Oracle Business Activity Monitoring, versions,
Oracle Business Intelligence Enterprise Edition, versions,,,
Oracle Business Process Management Suite, versions,
Oracle Clinical, versions 5.2.1, 5.2.2
Oracle Commerce Guided Search, version 11.3.2
Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2
Oracle Communications Billing and Revenue Management, versions,
Oracle Communications BRM – Elastic Charging Engine, versions 11.3, 12.0
Oracle Communications Calendar Server, version
Oracle Communications Cloud Native Core Automated Test Suite, version 1.8.0
Oracle Communications Cloud Native Core Binding Support Function, versions 1.9.0, 1.10.0
Oracle Communications Cloud Native Core Console, version 1.7.0
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, version 1.9.0
Oracle Communications Cloud Native Core Network Repository Function, version 1.14.0
Oracle Communications Cloud Native Core Policy, version 1.14.0
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 1.5.0, 1.6.0, 1.15.0
Oracle Communications Cloud Native Core Service Communication Proxy, version 1.14.0
Oracle Communications Cloud Native Core Unified Data Repository, version 1.14.0
Oracle Communications Contacts Server, version
Oracle Communications Convergence, version
Oracle Communications Convergent Charging Controller, versions,
Oracle Communications Data Model, versions,,,,
Oracle Communications Design Studio, versions 7.3.4, 7.3.5, 7.4.0, 7.4.1, 7.4.2
Oracle Communications Diameter Signaling Router, versions
Oracle Communications EAGLE Application Processor, versions 16.1-16.4
Oracle Communications Instant Messaging Server, version
Oracle Communications Interactive Session Recorder, versions 6.3, 6.4
Oracle Communications Messaging Server, version 8.1
Oracle Communications Network Charging and Control, versions,
Oracle Communications Network Integrity, versions 7.3.5, 7.3.6
Oracle Communications Offline Mediation Controller, version
Oracle Communications Operations Monitor, versions 3.4, 4.2, 4.3, 4.4, 5.0
Oracle Communications Pricing Design Center, versions,
Oracle Communications Service Broker, version 6.2
Oracle Communications Services Gatekeeper, version 7.0
Oracle Communications Session Border Controller, versions 8.2, 8.3, 8.4, 9.0
Oracle Communications Unified Inventory Management, versions 7.3.0, 7.3.4, 7.3.5, 7.4.0, 7.4.1, 7.4.2, 7.5.0
Oracle Communications WebRTC Session Controller, versions 7.2.0, 7.2.1
Oracle Data Integrator, versions,
Oracle Database Server, versions,, 19c, 21c
Oracle Demantra Demand Management, versions 12.2.6-12.2.11
Oracle E-Business Suite, versions 12.2.3-12.2.11
Oracle Enterprise Communications Broker, version 3.3
Oracle Enterprise Data Quality, versions,
Oracle Enterprise Session Border Controller, versions 8.4, 9.0
Oracle Essbase, versions prior to, prior to 21.3
Oracle Essbase Administration Services, versions prior to
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7-8.1.1
Oracle Financial Services Behavior Detection Platform, versions 8.0.7, 8.0.8, 8.1.1
Oracle Financial Services Enterprise Case Management, versions 8.0.7, 8.0.8, 8.1.1
Oracle Financial Services Foreign Account Tax Compliance Act Management, versions 8.0.7, 8.0.8, 8.1.1
Oracle Financial Services Model Management and Governance, versions 8.0.8-8.1.1
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, versions 8.0.7, 8.0.8
Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.4.0, 14.5.0
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0
Oracle Fusion Middleware, versions,
Oracle Fusion Middleware MapViewer, version
Oracle GoldenGate, versions prior to, prior to, prior to, prior to
Oracle GraalVM Enterprise Edition, versions 20.3.4, 21.3.0
Oracle Graph Server and Client, versions prior to 21.4
Oracle Health Sciences Clinical Development Analytics, version 4.0.1
Oracle Health Sciences InForm CRF Submit, version 6.2.1
Oracle Health Sciences Information Manager, versions 3.0.2, 3.0.3
Oracle Healthcare Data Repository, versions 7.0.2, 8.1.0, 8.1.1
Oracle Healthcare Foundation, versions, 8.0.0-8.0.2, 8.1.0-8.1.1
Oracle Healthcare Translational Research, version 4.1.0
Oracle Hospitality Cruise Shipboard Property Management System, version 20.1.0
Oracle Hospitality OPERA 5, version 5.6
Oracle Hospitality Reporting and Analytics, version 9.1.0
Oracle Hospitality Suite8, versions 8.10.2, 8.11.0, 8.12.0, 8.13.0, 8.14.0
Oracle HTTP Server, versions,,
Oracle Hyperion Infrastructure Technology, version
Oracle iLearning, versions 6.2, 6.3
Oracle Insurance Data Gateway, versions 11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1
Oracle Insurance Insbridge Rating and Underwriting, versions 5.2.0, 5.4.0-5.6.0
Oracle Insurance Policy Administration, versions 11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1
Oracle Insurance Policy Administration J2EE, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0
Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0, 11.3.1
Oracle Java SE, versions 7u321, 8u311, 11.0.13, 17.1
Oracle Managed File Transfer, versions,
Oracle NoSQL Database, versions prior to 21.1.12
Oracle Policy Automation, versions 12.2.0-12.2.24
Oracle Product Lifecycle Analytics, version 3.6.1
Oracle Rapid Planning, versions 12.2.6-12.2.11
Oracle Real User Experience Insight, versions,
Oracle REST Data Services, versions prior to 21.2.4
Oracle Retail Allocation, versions,, 16.0.3, 19.0.1
Oracle Retail Analytics, version 21.0.1
Oracle Retail Assortment Planning, version 16.0.3
Oracle Retail Back Office, version 14.1
Oracle Retail Central Office, version 14.1
Oracle Retail Customer Insights, version 21.0.1
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0-19.0
Oracle Retail EFTLink, versions 16.0.3, 17.0.2, 18.0.1, 19.0.1, 20.0.1
Oracle Retail Extract Transform and Load, version 13.2.8
Oracle Retail Financial Integration, versions,, 16.0.3, 19.0.1
Oracle Retail Fiscal Management, version 14.2
Oracle Retail Integration Bus, versions,,, 16.0.1-16.0.3, 19.0.0, 19.0.1
Oracle Retail Invoice Matching, versions 15.0.3, 16.0.3
Oracle Retail Merchandising System, version 19.0.1
Oracle Retail Order Broker, versions 16.0, 18.0, 19.1
Oracle Retail Order Management System, version 19.5
Oracle Retail Point-of-Service, version 14.1
Oracle Retail Predictive Application Server, versions 14.1.3,, 15.0.3,, 16.0.3,
Oracle Retail Price Management, versions 13.2, 14.0.4, 14.1, 14.1.3, 15, 15.0.3, 16, 16.0.3
Oracle Retail Returns Management, version 14.1
Oracle Retail Service Backbone, versions,,, 16.0.1-16.0.3, 19.0.0, 19.0.1
Oracle Retail Size Profile Optimization, version 16.0.3
Oracle Retail Xstore Point of Service, versions 17.0.4, 18.0.3, 19.0.2, 20.0.1
Oracle SD-WAN Aware, version 8.2
Oracle SD-WAN Edge, versions 9.0, 9.1
Oracle Secure Backup, versions prior to
Oracle Solaris, versions 10, 11
Oracle Spatial Studio, versions prior to 21.2.1
Oracle Thesaurus Management System, versions 5.2.3, 5.3.0, 5.3.1
Oracle TimesTen In-Memory Database, versions prior to, prior to
Oracle Utilities Framework, versions,,,,,
Oracle Utilities Testing Accelerator, versions,,
Oracle VM VirtualBox, versions prior to 6.1.32
Oracle WebCenter Portal, versions,
Oracle WebLogic Server, versions,,,
Oracle ZFS Storage Appliance Kit, version 8.8
Oracle ZFS Storage Application Integration Engineering Software, version 1.3.3
OSS Support Tools, versions prior to 2.12.42
PeopleSoft Enterprise CS SA Integration Pack, versions 9.0, 9.2
PeopleSoft Enterprise PeopleTools, versions 8.57, 8.58, 8.59
Primavera Analytics, versions,,
Primavera Data Warehouse, versions,,
Primavera Gateway, versions 17.12.0-17.12.11, 18.8.0-18.8.13, 19.12.0-19.12.12, 20.12.0-20.12.7, 21.12.0
Primavera P6 Enterprise Project Portfolio Management, versions,,,,
Primavera P6 Professional Project Management, versions,,,
Primavera Portfolio Management, versions,,,
Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12, 21.12
Siebel Applications, versions 21.11 and prior


This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.


NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.