Oracle July 2021 Critical Patch Update for All Product Families

August 2, 2021 | Jie Ji

Overview

On July 21, 2021, NSFOCUS detected that Oracle released the July 2021 Critical Patch Update (CPU), which fixed 342 vulnerabilities of varying risk levels. This CPU involves multiple commonly used products, such as Oracle Database Server, Oracle Java SE, Oracle Fusion Middleware, Oracle MySQL, and Oracle Communications. Oracle strongly recommends that users fix these vulnerabilities by applying Critical Patch Update patches as soon as possible.

Reference link: https://www.oracle.com/security-alerts/cpujul2021.html

Description of Major Vulnerabilities

Based on product popularity and vulnerability severity, we have selected the highest-impact vulnerabilities in this update for the attention of affected users.

Oracle MySQL multiple vulnerabilities:

This security update contains 41 security patches for Oracle MySQL. Ten of these vulnerabilities may be remotely exploitable without requiring user credentials. The CVE IDs of high-risk vulnerabilities are listed as follows:

  • CVE-2021-22884
  • CVE-2021-22901

Oracle Communications Applications multiple vulnerabilities:

This security update contains 33 security patches for Oracle Communications Applications. Twenty-two of these vulnerabilities may be remotely exploitable without requiring user credentials. The CVE IDs of high-risk vulnerabilities are listed as follows:

  • CVE-2020-11612
  • CVE-2021-3177
  • CVE-2020-17530
  • CVE-2019-17195
  • CVE-2020-10878
  • CVE-2020-14195

Oracle E-Business Suite multiple vulnerabilities:

This security update contains 17 security patches for Oracle E-Business Suite. Three of these vulnerabilities may be remotely exploitable without requiring user credentials. The CVE IDs of high-risk vulnerabilities are listed as follows:

  • CVE-2021-2355
  • CVE-2021-2436
  • CVE-2021-2359

Oracle Fusion Middleware multiple vulnerabilities:

This security update contains 48 security patches for Oracle Fusion Middleware. Thirty-five of these vulnerabilities may be remotely exploitable without requiring user credentials. The CVE IDs of high-risk vulnerabilities are listed as follows:

  • CVE-2021-2394
  • CVE-2021-2397
  • CVE-2021-2382
  • CVE-2021-2456
  • CVE-2019-17195
  • CVE-2020-10683
  • CVE-2020-28052

Oracle Retail Applications multiple vulnerabilities:

This security update contains 23 security patches for Oracle Retail Applications. Fifteen of these vulnerabilities may be remotely exploitable without requiring user credentials. The CVE IDs of high-risk vulnerabilities are listed as follows:

  • CVE-2021-21345
  • CVE-2019-0219

Oracle July 2021 Critical Patch Update is summarized as follows:

| Product | Number of Vulnerabilities | Remotely Exploitable Without Authentication | Highest CVSS Base Score |
| --- | --- | --- | --- |
| Oracle Database Products Risk Matrices | 16 | 1 | 8.3 |
| Oracle Database Server | 16 | 1 | 8.3 |
| Oracle Big Data Graph | 2 | 2 | 8.8 |
| Oracle Essbase | 9 | 8 | 10 |
| Oracle Commerce | 11 | 8 | 9.8 |
| Oracle Communications Applications | 33 | 22 | 9.9 |
| Oracle Communications | 26 | 23 | 9.8 |
| Oracle Construction and Engineering | 10 | 5 | 9.8 |
| Oracle E-Business Suite | 17 | 3 | 9.1 |
| Oracle Enterprise Manager | 8 | 8 | 9.8 |
| Oracle Financial Services Applications | 22 | 17 | 9.9 |
| Oracle Food and Beverage Applications | 6 | 0 | 8.1 |
| Oracle Fusion Middleware | 48 | 35 | 9.9 |
| Oracle Hospitality Applications | 1 | 0 | 5.5 |
| Oracle Hyperion | 6 | 4 | 9.8 |
| Oracle Insurance Applications | 4 | 3 | 8.8 |
| Oracle Java SE | 6 | 5 | 9.8 |
| Oracle JD Edwards | 9 | 8 | 9.8 |
| Oracle MySQL | 41 | 10 | 8.8 |
| Oracle PeopleSoft | 14 | 8 | 9.8 |
| Oracle Policy Automation | 1 | 1 | 9.8 |
| Oracle Retail Applications | 23 | 15 | 9.9 |
| Oracle Siebel CRM | 6 | 4 | 8.1 |
| Oracle Supply Chain | 5 | 5 | 7.5 |
| Oracle Support Tools | 1 | 1 | 6.1 |
| Oracle Systems | 11 | 9 | 9.8 |
| Oracle Virtualization | 6 | 1 | 9.9 |

Mitigation

Affected users should refer to the Appendix, download the relevant patches as soon as possible, and apply them as described in each patch's readme file to ensure long-term, effective protection.

Note: Official patches of Oracle can be downloaded only by those with a licensed account of the software. Such users can use that account to log in to https://support.oracle.com to obtain the latest patches.

Appendix: Information about Affected Products and Patches

| Affected Products and Versions | Patches |
| --- | --- |
| Big Data Spatial and Graph, versions prior to 2.0, prior to 23.1 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Enterprise Manager Base Platform, version 13.4.0.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Essbase, version 21.2 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Essbase Analytic Provider Services, versions 11.1.2.4, 21.2 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2400, prior to XCP3100 | https://support.oracle.com/rs?type=doc&id=2788472.1 |
| Hyperion Essbase Administration Services, versions 11.1.2.4, 21.2 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Hyperion Financial Reporting, versions 11.1.2.4, 11.2.5.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Hyperion Infrastructure Technology, versions 11.1.2.4, 11.2.5.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Identity Manager, versions 11.1.2.2.0, 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 | https://support.oracle.com/rs?type=doc&id=2783281.1 |
| JD Edwards EnterpriseOne Orchestrator, versions 9.2.5.3 and prior | https://support.oracle.com/rs?type=doc&id=2787996.1 |
| JD Edwards EnterpriseOne Tools, versions 9.2.5.3 and prior | https://support.oracle.com/rs?type=doc&id=2787996.1 |
| MICROS Compact Workstation 3, version 310 | https://support.oracle.com/rs?type=doc&id=2758251.1 |
| MICROS ES400 Series, versions 400-410 | https://support.oracle.com/rs?type=doc&id=2758251.1 |
| MICROS Kitchen Display System Hardware, version 210 | https://support.oracle.com/rs?type=doc&id=2758251.1 |
| MICROS Workstation 5A, version 5A | https://support.oracle.com/rs?type=doc&id=2758251.1 |
| MICROS Workstation 6, versions 610-655 | https://support.oracle.com/rs?type=doc&id=2758251.1 |
| MySQL Cluster, versions 8.0.25 and prior | https://support.oracle.com/rs?type=doc&id=2787955.1 |
| MySQL Connectors, versions 8.0.23 and prior | https://support.oracle.com/rs?type=doc&id=2787955.1 |
| MySQL Enterprise Monitor, versions 8.0.23 and prior | https://support.oracle.com/rs?type=doc&id=2787955.1 |
| MySQL Server, versions 5.7.34 and prior, 8.0.25 and prior | https://support.oracle.com/rs?type=doc&id=2787955.1 |
| Oracle Access Manager, version 11.1.2.3.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Agile Engineering Data Management, version 6.2.1.0 | https://support.oracle.com/rs?type=doc&id=2787997.1 |
| Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6 | https://support.oracle.com/rs?type=doc&id=2787997.1 |
| Oracle Application Express, versions prior to 21.1.0.0.4 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Application Express (CKEditor), versions prior to 21.1.0.0.1 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Application Express Application Builder (DOMPurify), versions prior to 21.1.0.0.1 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Application Testing Suite, version 13.3.0.1 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle BAM (Business Activity Monitoring), versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Banking Enterprise Default Management, versions 2.10.0, 2.12.0 | https://support.oracle.com/rs?type=doc&id=2787695.1 |
| Oracle Banking Liquidity Management, versions 14.2, 14.3, 14.5 | https://support.oracle.com |
| Oracle Banking Party Management, version 2.7.0 | https://support.oracle.com/rs?type=doc&id=2787695.1 |
| Oracle Banking Platform, versions 2.4.0, 2.7.1, 2.9.0, 2.12.0 | https://support.oracle.com/rs?type=doc&id=2787695.1 |
| Oracle Banking Treasury Management, version 14.4 | https://support.oracle.com |
| Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Business Intelligence Enterprise Edition, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Commerce Guided Search, version 11.3.2 | https://support.oracle.com/rs?type=doc&id=2792990.1 |
| Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 11.3.1.5, 11.3.2 | https://support.oracle.com/rs?type=doc&id=2792990.1 |
| Oracle Commerce Merchandising, versions 11.1.0, 11.2.0, 11.3.0-11.3.2 | https://support.oracle.com/rs?type=doc&id=2792990.1 |
| Oracle Commerce Platform, versions 11.0.0, 11.1.0, 11.2.0, 11.3.0-11.3.2 | https://support.oracle.com/rs?type=doc&id=2792990.1 |
| Oracle Commerce Service Center, versions 11.0.0, 11.1.0, 11.2.0, 11.3.0-11.3.2 | https://support.oracle.com/rs?type=doc&id=2792990.1 |
| Oracle Communications Application Session Controller, version 3.9 | https://support.oracle.com/rs?type=doc&id=2787241.1 |
| Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.3.0 | https://support.oracle.com/rs?type=doc&id=2785183.1 |
| Oracle Communications BRM – Elastic Charging Engine, versions 11.3.0.9.0, 12.0.0.3.0 | https://support.oracle.com/rs?type=doc&id=2785183.1 |
| Oracle Communications Cloud Native Core Console, version 1.4.0 | https://support.oracle.com/rs?type=doc&id=2791671.1 |
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 1.4.0, 1.7.0 | https://support.oracle.com/rs?type=doc&id=2791656.1 |
| Oracle Communications Cloud Native Core Network Slice Selection Function, version 1.2.1 | https://support.oracle.com/rs?type=doc&id=2791657.1 |
| Oracle Communications Cloud Native Core Policy, versions 1.5.0, 1.9.0 | https://support.oracle.com/rs?type=doc&id=2791658.1 |
| Oracle Communications Cloud Native Core Security Edge Protection Proxy, version 1.7.0 | https://support.oracle.com/rs?type=doc&id=2791680.1 |
| Oracle Communications Cloud Native Core Service Communication Proxy, version 1.5.2 | https://support.oracle.com/rs?type=doc&id=2791682.1 |
| Oracle Communications Cloud Native Core Unified Data Repository, versions 1.4.0, 1.6.0 | https://support.oracle.com/rs?type=doc&id=2791683.1 |
| Oracle Communications Convergent Charging Controller, version 12.0.4.0.0 | https://support.oracle.com/rs?type=doc&id=2790722.1 |
| Oracle Communications Design Studio, version 7.4.2 | https://support.oracle.com/rs?type=doc&id=2789906.1 |
| Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0-8.5.0 | https://support.oracle.com/rs?type=doc&id=2787208.1 |
| Oracle Communications EAGLE Software, versions 46.6.0-46.8.2 | https://support.oracle.com/rs?type=doc&id=2787243.1 |
| Oracle Communications Evolved Communications Application Server, version 7.1 | https://support.oracle.com/rs?type=doc&id=2787205.1 |
| Oracle Communications Instant Messaging Server, version 10.0.1.4.0 | https://support.oracle.com/rs?type=doc&id=2786444.1 |
| Oracle Communications Network Charging and Control, versions 6.0.1.0, 12.0.1.0-12.0.4.0, 12.0.4.0.0 | https://support.oracle.com/rs?type=doc&id=2790722.1 |
| Oracle Communications Offline Mediation Controller, version 12.0.0.3.0 | https://support.oracle.com/rs?type=doc&id=2785182.1 |
| Oracle Communications Pricing Design Center, version 12.0.0.3.0 | https://support.oracle.com/rs?type=doc&id=2785183.1 |
| Oracle Communications Services Gatekeeper, versions 7.0, 8.2 | https://support.oracle.com/rs?type=doc&id=2787242.1 |
| Oracle Communications Unified Inventory Management, versions 7.3.2, 7.3.4, 7.3.5, 7.4.0, 7.4.1 | https://support.oracle.com/rs?type=doc&id=27851890.1 |
| Oracle Configuration Manager, version 12.1.2.0.8 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Data Integrator, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 19c | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10 | https://support.oracle.com/rs?type=doc&id=2770321.1 |
| Oracle Enterprise Data Quality, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Enterprise Repository, version 11.1.1.7.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.0.9, 8.1.0 | https://support.oracle.com/rs?type=doc&id=2787723.1 |
| Oracle Financial Services Crime and Compliance Investigation Hub, version 20.1.2 | https://support.oracle.com/rs?type=doc&id=2792414.1 |
| Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.0.9.6.3 | https://support.oracle.com/rs?type=doc&id=2791194.1 |
| Oracle Financial Services Revenue Management and Billing Analytics, versions 2.7.0, 2.8.0 | https://support.oracle.com/rs?type=doc&id=2787723.1 |
| Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0 | https://support.oracle.com |
| Oracle FLEXCUBE Universal Banking, versions 12.0-12.4, 14.0-14.4.0 | https://support.oracle.com |
| Oracle Fusion Middleware MapViewer, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle GoldenGate Application Adapters, version 19.1.0.0.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle GraalVM Enterprise Edition, versions 20.3.2, 21.1.0 | https://support.oracle.com/rs?type=doc&id=2787003.1 |
| Oracle Hospitality Reporting and Analytics, version 9.1.0 | https://support.oracle.com/rs?type=doc&id=2780088.1 |
| Oracle Hospitality Suite8, versions 8.13, 8.14 | https://support.oracle.com/rs?type=doc&id=2785669.1 |
| Oracle Hyperion BI+, versions 11.1.2.4, 11.2.5.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Insurance Policy Administration, versions 11.0.2, 11.1.0-11.3.0 | https://support.oracle.com/rs?type=doc&id=2784893.1 |
| Oracle Insurance Policy Administration J2EE, version 11.0.2 | https://support.oracle.com/rs?type=doc&id=2784893.1 |
| Oracle Insurance Rules Palette, versions 11.0.2, 11.1.0-11.3.0 | https://support.oracle.com/rs?type=doc&id=2784893.1 |
| Oracle Java SE, versions 7u301, 8u291, 11.0.11, 16.0.1 | https://support.oracle.com/rs?type=doc&id=2787003.1 |
| Oracle JDeveloper, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle JDeveloper and ADF, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Outside In Technology, version 8.5.5 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle Policy Automation, versions 12.2.0-12.2.22 | https://support.oracle.com/rs?type=doc&id=2782105.1 |
| Oracle Retail Back Office, version 14.1 | https://support.oracle.com/rs?type=doc&id=2783353.1 |
| Oracle Retail Central Office, version 14.1 | https://support.oracle.com/rs?type=doc&id=2783353.1 |
| Oracle Retail Customer Engagement, versions 16.0-19.0 | https://support.oracle.com/rs?type=doc&id=2783353.1 |
| Oracle Retail Customer Management and Segmentation Foundation, versions 16.0-19.0 | https://support.oracle.com/rs?type=doc&id=2783353.1 |
| Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3.0 | https://support.oracle.com/rs?type=doc&id=2783353.1 |
| Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3.0 | https://support.oracle.com/rs?type=doc&id=2783353.1 |
| Oracle Retail Merchandising System, versions 14.1.3.2, 15.0.3.1, 16.0.3 | https://support.oracle.com/rs?type=doc&id=2783353.1 |
| Oracle Retail Order Broker, versions 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2783353.1 |
| Oracle Retail Order Management System Cloud Service, version 19.5 | https://support.oracle.com/rs?type=doc&id=2783353.1 |
| Oracle Retail Point-of-Service, version 14.1 | https://support.oracle.com/rs?type=doc&id=2783353.1 |
| Oracle Retail Price Management, versions 14.0, 14.1, 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2783353.1 |
| Oracle Retail Returns Management, version 14.1 | https://support.oracle.com/rs?type=doc&id=2783353.1 |
| Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1, 16.0.3.0 | https://support.oracle.com/rs?type=doc&id=2783353.1 |
| Oracle Retail Xstore Point of Service, versions 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1 | https://support.oracle.com/rs?type=doc&id=2783353.1 |
| Oracle SD-WAN Aware, versions 8.2, 9.0 | https://support.oracle.com/rs?type=doc&id=2787244.1 |
| Oracle SD-WAN Edge, versions 8.2, 9.0, 9.1 | https://support.oracle.com/rs?type=doc&id=2787240.1 |
| Oracle Secure Global Desktop, version 5.6 | https://support.oracle.com/rs?type=doc&id=2788251.1 |
| Oracle Solaris, version 11 | https://support.oracle.com/rs?type=doc&id=2788472.1 |
| Oracle Solaris Cluster, version 4.4 | https://support.oracle.com/rs?type=doc&id=2788472.1 |
| Oracle Transportation Management, version 6.4.3 | https://support.oracle.com/rs?type=doc&id=2787997.1 |
| Oracle VM VirtualBox, versions prior to 6.1.24 | https://support.oracle.com/rs?type=doc&id=2788251.1 |
| Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Oracle ZFS Storage Appliance Kit, version 8.8 | https://support.oracle.com/rs?type=doc&id=2788472.1 |
| OSS Support Tools, versions prior to 2.12.41 | https://support.oracle.com/rs?type=doc&id=2787969.1 |
| PeopleSoft Enterprise CS Campus Community, versions 9.0, 9.2 | https://support.oracle.com/rs?type=doc&id=2787995.1 |
| PeopleSoft Enterprise HCM Candidate Gateway, version 9.2 | https://support.oracle.com/rs?type=doc&id=2787995.1 |
| PeopleSoft Enterprise HCM Shared Components, version 9.2 | https://support.oracle.com/rs?type=doc&id=2787995.1 |
| PeopleSoft Enterprise PeopleTools, versions 8.57, 8.58, 8.58.8.59, 8.59 | https://support.oracle.com/rs?type=doc&id=2787995.1 |
| PeopleSoft Enterprise PT PeopleTools, versions 8.57, 8.58, 8.59 | https://support.oracle.com/rs?type=doc&id=2787995.1 |
| Primavera Gateway, versions 17.12.0-17.12.11, 18.8.0-18.8.11, 19.12.0-19.12.10, 20.12.0 | https://support.oracle.com/rs?type=doc&id=2783281.1 |
| Primavera P6 Enterprise Project Portfolio Management, versions 17.12.0-17.12.20, 18.8.0-18.8.23, 19.12.0-19.12.14, 20.12.0-20.12.3 | https://support.oracle.com/rs?type=doc&id=2783281.1 |
| Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12 | https://support.oracle.com/rs?type=doc&id=2783281.1 |
| Real-Time Decisions (RTD) Solutions, version 3.2.0.0 | https://support.oracle.com/rs?type=doc&id=2773670.1 |
| Siebel Applications, versions 21.5 and prior | https://support.oracle.com/rs?type=doc&id=2787996.1 |
| StorageTek Tape Analytics SW Tool, version 2.3 | https://support.oracle.com/rs?type=doc&id=2788472.1 |

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in the insurance, retail, healthcare and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.