Oracle July 2021 Critical Patch Update for All Product Families

agosto 2, 2021 | Jie Ji

Overview

On July 21, 2021, NSFOCUS detected that Oracle released the July 2021 Critical Patch Update (CPU), which fixed 342 vulnerabilities of varying risk levels. This CPU involves multiple commonly used products, such as Oracle Database Server, Oracle Java SE, Oracle Fusion Middleware, Oracle MySQL, and Oracle Communications. Oracle strongly recommends that users fix these vulnerabilities by applying Critical Patch Update patches as soon as possible.

Reference link: https://www.oracle.com/security-alerts/cpujul2021.html

Description of Major Vulnerabilities

Based on product popularity and vulnerability importance, we have selected the vulnerabilities with a huge impact from the updates for affected users.

Oracle MySQL multiple vulnerabilities:

This security update contains 41 security patches for Oracle MySQL. Ten of these vulnerabilities may be remotely exploitable without requiring user credentials. The CVE IDs of high-risk vulnerabilities are listed as follows:

CVE-2021-22884
CVE-2021-22901

Oracle Communications Applications multiple vulnerabilities:

This security update contains 33 security patches for Oracle Communications Applications. Twenty-two of these vulnerabilities may be remotely exploitable without requiring user credentials. The CVE IDs of high-risk vulnerabilities are listed as follows:

CVE-2020-11612
CVE-2021-3177
CVE-2020-17530
CVE-2019-17195
CVE-2019-17195
CVE-2020-11612
CVE-2020-10878
CVE-2020-14195

Oracle E-Business Suite multiple vulnerabilities:

This security update contains 17 security patches for Oracle Communications Applications. Three of these vulnerabilities may be remotely exploitable without requiring user credentials. The CVE IDs of high-risk vulnerabilities are listed as follows:

CVE-2021-2355
CVE-2021-2436
CVE-2021-2359

Oracle Fusion Middleware multiple vulnerabilities:

This security update contains 48 security patches for Oracle Fusion Middleware. Thirty-five of these vulnerabilities may be remotely exploitable without requiring user credentials. The CVE IDs of high-risk vulnerabilities are listed as follows:

CVE-2021-2394
CVE-2021-2397
CVE-2021-2382
CVE-2021-2456
CVE-2019-17195
CVE-2020-10683
CVE-2020-28052

Oracle Retail Applications multiple vulnerabilities:

This security update contains 23 security patches for Oracle Retail Applications. Fifteen of these vulnerabilities may be remotely exploitable without requiring user credentials. The CVE IDs of high-risk vulnerabilities are listed as follows:

CVE-2021-21345
CVE-2019-0219

Oracle July 2021 Critical Patch Update is summarized as follows:

Product	Number of Vulnerabilities	Number of Remote Exploits Without Authentication	CVSS Base Score
Oracle Database Products Risk Matrices	16	1	8.3
Oracle Database Server	16	1	8.3
Oracle Big Data Graph	2	2	8.8
Oracle Essbase	9	8	10
Oracle Commerce	11	8	9.8
Oracle Communications Applications	33	22	9.9
Oracle Communications	26	23	9.8
Oracle Construction and Engineering	10	5	9.8
Oracle E-Business Suite	17	3	9.1
Oracle Enterprise Manager	8	8	9.8
Oracle Financial Services Applications	22	17	9.9
Oracle Food and Beverage Applications	6	0	8.1
Oracle Fusion Middleware	48	35	9.9
Oracle Hospitality Applications	1	0	5.5
Oracle Hyperion	6	4	9.8
Oracle Insurance Applications	4	3	8.8
Oracle Java SE	6	5	9.8
Oracle JD Edwards	9	8	9.8
Oracle MySQL	41	10	8.8
Oracle PeopleSoft	14	8	9.8
Oracle Policy Automation	1	1	9.8
Oracle Retail Applications	23	15	9.9
Oracle Siebel CRM	6	4	8.1
Oracle Supply Chain	5	5	7.5
Oracle Support Tools	1	1	6.1
Oracle Systems	11	9	9.8
Oracle Virtualization	6	1	9.9
Oracle Database Products Risk Matrices	16	1	8.3
Oracle Database Server	16	1	8.3
Oracle Big Data Graph	2	2	8.8
Oracle Essbase	9	8	10
Oracle Commerce	11	8	9.8
Oracle Communications Applications	33	22	9.9
Oracle Communications	26	23	9.8
Oracle Construction and Engineering	10	5	9.8
Oracle E-Business Suite	17	3	9.1
Oracle Enterprise Manager	8	8	9.8
Oracle Financial Services Applications	22	17	9.9
Oracle Food and Beverage Applications	6	0	8.1
Oracle Fusion Middleware	48	35	9.9
Oracle Hospitality Applications	1	0	5.5
Oracle Hyperion	6	4	9.8
Oracle Insurance Applications	4	3	8.8
Oracle Java SE	6	5	9.8
Oracle JD Edwards	9	8	9.8
Oracle MySQL	41	10	8.8
Oracle PeopleSoft	14	8	9.8
Oracle Policy Automation	1	1	9.8
Oracle Retail Applications	23	15	9.9
Oracle Siebel CRM	6	4	8.1
Oracle Supply Chain	5	5	7.5
Oracle Support Tools	1	1	6.1
Oracle Systems	11	9	9.8
Oracle Virtualization	6	1	9.9

Mitigation

Affected users should refer to the Appendix to download related patches as soon as possible and apply them as indicated in the readme file to ensure long-term effective protection.

Note: Official patches of Oracle can be downloaded only by those with a licensed account of the software. Such users can use that account to log in to https://support.oracle.com to obtain the latest patches.

Appendix: Information about Affected Products and Patches

Affected Products and Versions	Patches
Big Data Spatial and Graph, versions prior to 2.0, prior to 23.1	https://support.oracle.com/rs?type=doc&id=2773670.1
Enterprise Manager Base Platform, version 13.4.0.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Essbase, version 21.2	https://support.oracle.com/rs?type=doc&id=2773670.1
Essbase Analytic Provider Services, versions 11.1.2.4, 21.2	https://support.oracle.com/rs?type=doc&id=2773670.1
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2400, prior to XCP3100	https://support.oracle.com/rs?type=doc&id=2788472.1
Hyperion Essbase Administration Services, versions 11.1.2.4, 21.2	https://support.oracle.com/rs?type=doc&id=2773670.1
Hyperion Financial Reporting, versions 11.1.2.4, 11.2.5.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Hyperion Infrastructure Technology, versions 11.1.2.4, 11.2.5.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Identity Manager, versions 11.1.2.2.0, 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3	https://support.oracle.com/rs?type=doc&id=2783281.1
JD Edwards EnterpriseOne Orchestrator, versions 9.2.5.3 and prior	https://support.oracle.com/rs?type=doc&id=2787996.1
JD Edwards EnterpriseOne Tools, versions 9.2.5.3 and prior	https://support.oracle.com/rs?type=doc&id=2787996.1
MICROS Compact Workstation 3, version 310	https://support.oracle.com/rs?type=doc&id=2758251.1
MICROS ES400 Series, versions 400-410	https://support.oracle.com/rs?type=doc&id=2758251.1
MICROS Kitchen Display System Hardware, version 210	https://support.oracle.com/rs?type=doc&id=2758251.1
MICROS Workstation 5A, version 5A	https://support.oracle.com/rs?type=doc&id=2758251.1
MICROS Workstation 6, versions 610-655	https://support.oracle.com/rs?type=doc&id=2758251.1
MySQL Cluster, versions 8.0.25 and prior	https://support.oracle.com/rs?type=doc&id=2787955.1
MySQL Connectors, versions 8.0.23 and prior	https://support.oracle.com/rs?type=doc&id=2787955.1
MySQL Enterprise Monitor, versions 8.0.23 and prior	https://support.oracle.com/rs?type=doc&id=2787955.1
MySQL Server, versions 5.7.34 and prior, 8.0.25 and prior	https://support.oracle.com/rs?type=doc&id=2787955.1
Oracle Access Manager, version 11.1.2.3.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Agile Engineering Data Management, version 6.2.1.0	https://support.oracle.com/rs?type=doc&id=2787997.1
Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6	https://support.oracle.com/rs?type=doc&id=2787997.1
Oracle Application Express, versions prior to 21.1.0.0.4	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Application Express (CKEditor), versions prior to 21.1.0.0.1	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Application Express Application Builder (DOMPurify), versions prior to 21.1.0.0.1	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Application Testing Suite, version 13.3.0.1	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle BAM (Business Activity Monitoring), versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Banking Enterprise Default Management, versions 2.10.0, 2.12.0	https://support.oracle.com/rs?type=doc&id=2787695.1
Oracle Banking Liquidity Management, versions 14.2, 14.3, 14.5	https://support.oracle.com
Oracle Banking Party Management, version 2.7.0	https://support.oracle.com/rs?type=doc&id=2787695.1
Oracle Banking Platform, versions 2.4.0, 2.7.1, 2.9.0, 2.12.0	https://support.oracle.com/rs?type=doc&id=2787695.1
Oracle Banking Treasury Management, version 14.4	https://support.oracle.com
Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Business Intelligence Enterprise Edition, version 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Commerce Guided Search, version 11.3.2	https://support.oracle.com/rs?type=doc&id=2792990.1
Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 11.3.1.5, 11.3.2	https://support.oracle.com/rs?type=doc&id=2792990.1
Oracle Commerce Merchandising, versions 11.1.0, 11.2.0, 11.3.0-11.3.2	https://support.oracle.com/rs?type=doc&id=2792990.1
Oracle Commerce Platform, versions 11.0.0, 11.1.0, 11.2.0, 11.3.0-11.3.2	https://support.oracle.com/rs?type=doc&id=2792990.1
Oracle Commerce Service Center, versions 11.0.0, 11.1.0, 11.2.0, 11.3.0-11.3.2	https://support.oracle.com/rs?type=doc&id=2792990.1
Oracle Communications Application Session Controller, version 3.9	https://support.oracle.com/rs?type=doc&id=2787241.1
Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.3.0	https://support.oracle.com/rs?type=doc&id=2785183.1
Oracle Communications BRM – Elastic Charging Engine, versions 11.3.0.9.0, 12.0.0.3.0	https://support.oracle.com/rs?type=doc&id=2785183.1
Oracle Communications Cloud Native Core Console, version 1.4.0	https://support.oracle.com/rs?type=doc&id=2791671.1
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 1.4.0, 1.7.0	https://support.oracle.com/rs?type=doc&id=2791656.1
Oracle Communications Cloud Native Core Network Slice Selection Function, version 1.2.1	https://support.oracle.com/rs?type=doc&id=2791657.1
Oracle Communications Cloud Native Core Policy, versions 1.5.0, 1.9.0	https://support.oracle.com/rs?type=doc&id=2791658.1
Oracle Communications Cloud Native Core Security Edge Protection Proxy, version 1.7.0	https://support.oracle.com/rs?type=doc&id=2791680.1
Oracle Communications Cloud Native Core Service Communication Proxy, version 1.5.2	https://support.oracle.com/rs?type=doc&id=2791682.1
Oracle Communications Cloud Native Core Unified Data Repository, versions 1.4.0, 1.6.0	https://support.oracle.com/rs?type=doc&id=2791683.1
Oracle Communications Convergent Charging Controller, version 12.0.4.0.0	https://support.oracle.com/rs?type=doc&id=2790722.1
Oracle Communications Design Studio, version 7.4.2	https://support.oracle.com/rs?type=doc&id=2789906.1
Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0-8.5.0	https://support.oracle.com/rs?type=doc&id=2787208.1
Oracle Communications EAGLE Software, versions 46.6.0-46.8.2	https://support.oracle.com/rs?type=doc&id=2787243.1
Oracle Communications Evolved Communications Application Server, version 7.1	https://support.oracle.com/rs?type=doc&id=2787205.1
Oracle Communications Instant Messaging Server, version 10.0.1.4.0	https://support.oracle.com/rs?type=doc&id=2786444.1
Oracle Communications Network Charging and Control, versions 6.0.1.0, 12.0.1.0-12.0.4.0, 12.0.4.0.0	https://support.oracle.com/rs?type=doc&id=2790722.1
Oracle Communications Offline Mediation Controller, version 12.0.0.3.0	https://support.oracle.com/rs?type=doc&id=2785182.1
Oracle Communications Pricing Design Center, version 12.0.0.3.0	https://support.oracle.com/rs?type=doc&id=2785183.1
Oracle Communications Services Gatekeeper, versions 7.0, 8.2	https://support.oracle.com/rs?type=doc&id=2787242.1
Oracle Communications Unified Inventory Management, versions 7.3.2, 7.3.4, 7.3.5, 7.4.0, 7.4.1	https://support.oracle.com/rs?type=doc&id=27851890.1
Oracle Configuration Manager, version 12.1.2.0.8	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Data Integrator, versions 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 19c	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10	https://support.oracle.com/rs?type=doc&id=2770321.1
Oracle Enterprise Data Quality, versions 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Enterprise Repository, version 11.1.1.7.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.0.9, 8.1.0	https://support.oracle.com/rs?type=doc&id=2787723.1
Oracle Financial Services Crime and Compliance Investigation Hub, version 20.1.2	https://support.oracle.com/rs?type=doc&id=2792414.1
Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.0.9.6.3	https://support.oracle.com/rs?type=doc&id=2791194.1
Oracle Financial Services Revenue Management and Billing Analytics, versions 2.7.0, 2.8.0	https://support.oracle.com/rs?type=doc&id= 2787723.1
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0	https://support.oracle.com
Oracle FLEXCUBE Universal Banking, versions 12.0-12.4, 14.0-14.4.0	https://support.oracle.com
Oracle Fusion Middleware MapViewer, version 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle GoldenGate Application Adapters, version 19.1.0.0.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle GraalVM Enterprise Edition, versions 20.3.2, 21.1.0	https://support.oracle.com/rs?type=doc&id=2787003.1
Oracle Hospitality Reporting and Analytics, version 9.1.0	https://support.oracle.com/rs?type=doc&id=2780088.1
Oracle Hospitality Suite8, versions 8.13, 8.14	https://support.oracle.com/rs?type=doc&id=2785669.1
Oracle Hyperion BI+, versions 11.1.2.4, 11.2.5.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Insurance Policy Administration, versions 11.0.2, 11.1.0-11.3.0	https://support.oracle.com/rs?type=doc&id=2784893.1
Oracle Insurance Policy Administration J2EE, version 11.0.2	https://support.oracle.com/rs?type=doc&id=2784893.1
Oracle Insurance Rules Palette, versions 11.0.2, 11.1.0-11.3.0	https://support.oracle.com/rs?type=doc&id=2784893.1
Oracle Java SE, versions 7u301, 8u291, 11.0.11, 16.0.1	https://support.oracle.com/rs?type=doc&id=2787003.1
Oracle JDeveloper, versions 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle JDeveloper and ADF, version 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Outside In Technology, version 8.5.5	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle Policy Automation, versions 12.2.0-12.2.22	https://support.oracle.com/rs?type=doc&id=2782105.1
Oracle Retail Back Office, version 14.1	https://support.oracle.com/rs?type=doc&id=2783353.1
Oracle Retail Central Office, version 14.1	https://support.oracle.com/rs?type=doc&id=2783353.1
Oracle Retail Customer Engagement, versions 16.0-19.0	https://support.oracle.com/rs?type=doc&id=2783353.1
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0-19.0	https://support.oracle.com/rs?type=doc&id=2783353.1
Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3.0	https://support.oracle.com/rs?type=doc&id=2783353.1
Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3.0	https://support.oracle.com/rs?type=doc&id=2783353.1
Oracle Retail Merchandising System, versions 14.1.3.2, 15.0.3.1, 16.0.3	https://support.oracle.com/rs?type=doc&id=2783353.1
Oracle Retail Order Broker, versions 15.0, 16.0	https://support.oracle.com/rs?type=doc&id=2783353.1
Oracle Retail Order Management System Cloud Service, version 19.5	https://support.oracle.com/rs?type=doc&id=2783353.1
Oracle Retail Point-of-Service, version 14.1	https://support.oracle.com/rs?type=doc&id=2783353.1
Oracle Retail Price Management, versions 14.0, 14.1, 15.0, 16.0	https://support.oracle.com/rs?type=doc&id=2783353.1
Oracle Retail Returns Management, version 14.1	https://support.oracle.com/rs?type=doc&id=2783353.1
Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1, 16.0.3.0	https://support.oracle.com/rs?type=doc&id=2783353.1
Oracle Retail Xstore Point of Service, versions 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1	https://support.oracle.com/rs?type=doc&id=2783353.1
Oracle SD-WAN Aware, versions 8.2, 9.0	https://support.oracle.com/rs?type=doc&id=2787244.1
Oracle SD-WAN Edge, versions 8.2, 9.0, 9.1	https://support.oracle.com/rs?type=doc&id=2787240.1
Oracle Secure Global Desktop, version 5.6	https://support.oracle.com/rs?type=doc&id=2788251.1
Oracle Solaris, version 11	https://support.oracle.com/rs?type=doc&id=2788472.1
Oracle Solaris Cluster, version 4.4	https://support.oracle.com/rs?type=doc&id=2788472.1
Oracle Transportation Management, version 6.4.3	https://support.oracle.com/rs?type=doc&id=2787997.1
Oracle VM VirtualBox, versions prior to 6.1.24	https://support.oracle.com/rs?type=doc&id=2788251.1
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Oracle ZFS Storage Appliance Kit, version 8.8	https://support.oracle.com/rs?type=doc&id=2788472.1
OSS Support Tools, versions prior to 2.12.41	https://support.oracle.com/rs?type=doc&id=2787969.1
PeopleSoft Enterprise CS Campus Community, versions 9.0, 9.2	https://support.oracle.com/rs?type=doc&id=2787995.1
PeopleSoft Enterprise HCM Candidate Gateway, version 9.2	https://support.oracle.com/rs?type=doc&id=2787995.1
PeopleSoft Enterprise HCM Shared Components, version 9.2	https://support.oracle.com/rs?type=doc&id=2787995.1
PeopleSoft Enterprise PeopleTools, versions 8.57, 8.58, 8.58.8.59, 8.59	https://support.oracle.com/rs?type=doc&id=2787995.1
PeopleSoft Enterprise PT PeopleTools, versions 8.57, 8.58, 8.59	https://support.oracle.com/rs?type=doc&id=2787995.1
Primavera Gateway, versions 17.12.0-17.12.11, 18.8.0-18.8.11, 19.12.0-19.12.10, 20.12.0	https://support.oracle.com/rs?type=doc&id=2783281.1
Primavera P6 Enterprise Project Portfolio Management, versions 17.12.0-17.12.20, 18.8.0-18.8.23, 19.12.0-19.12.14, 20.12.0-20.12.3	https://support.oracle.com/rs?type=doc&id=2783281.1
Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12	https://support.oracle.com/rs?type=doc&id=2783281.1
Real-Time Decisions (RTD) Solutions, version 3.2.0.0	https://support.oracle.com/rs?type=doc&id=2773670.1
Siebel Applications, versions 21.5 and prior	https://support.oracle.com/rs?type=doc&id=2787996.1
StorageTek Tape Analytics SW Tool, version 2.3	https://support.oracle.com/rs?type=doc&id=2788472.1

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.