Big October update from Oracle

Oracle released a massive update for its major products

The full list of affected products is quite large; here it is:

  • Application Management Pack for Oracle E-Business Suite, version 13.4.1.0.0
  • Big Data Spatial and Graph
  • Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0
  • Enterprise Manager for Virtualization, versions 13.4.0.0, 13.5.0.0
  • Enterprise Manager Ops Center, version 12.4.0.0
  • JD Edwards EnterpriseOne Orchestrator, versions 9.2.6.4 and prior
  • JD Edwards EnterpriseOne Tools, versions 9.2.6.4 and prior
  • MySQL Connectors, versions 8.0.30 and prior
  • MySQL Enterprise Backup, versions 4.1.4 and prior
  • MySQL Enterprise Monitor, versions 8.0.31 and prior
  • MySQL Installer, versions 1.6.3 and prior
  • MySQL Server, versions 5.7.39 and prior, 8.0.30 and prior
  • MySQL Shell, versions 8.0.30 and prior
  • MySQL Workbench, versions 8.0.30 and prior
  • Oracle Access Manager, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Agile Engineering Data Management, version 6.2.1.0
  • Oracle Agile PLM, version 9.3.6
  • Oracle Airlines Data Model
  • Oracle Application Express
  • Oracle AutoVue, version 21.0.2
  • Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2
  • Oracle Banking Enterprise Default Management, version 2.12.0
  • Oracle Banking Loans Servicing, versions 2.8.0, 2.12.0
  • Oracle Banking Party Management, version 2.7.0
  • Oracle Banking Platform, versions 2.7.1, 2.9.0, 2.12.0
  • Oracle BI Publisher, versions 5.9.0.0, 6.4.0.0.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Business Activity Monitoring (Oracle BAM), versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Business Intelligence Enterprise Edition, versions 5.9.0.0, 6.4.0.0
  • Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0
  • Oracle Commerce Platform, versions 11.3.0-11.3.2
  • Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.7.0
  • Oracle Communications Cloud Native Core Binding Support Function, version 22.3.0
  • Oracle Communications Cloud Native Core Console, version 22.2.0
  • Oracle Communications Cloud Native Core Network Exposure Function, versions 22.2.1, 22.3.0
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 1.9.0, 22.1, 22.1.0, 22.2, 22.2.0, 22.2.1
  • Oracle Communications Cloud Native Core Network Repository Function, version 22.2.2
  • Oracle Communications Cloud Native Core Policy, version 22.3.0
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 22.1.1, 22.2.0, 22.2.1, 22.3.0
  • Oracle Communications Cloud Native Core Service Communication Proxy, versions 22.2.3, 22.3.1, 22.4.0
  • Oracle Communications Cloud Native Core Unified Data Repository, versions 22.1.1, 22.2.1, 22.3.0
  • Oracle Communications Converged Application Server - Service Controller, version 6.2
  • Oracle Communications Convergence, version 3.0.3.0
  • Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.5.0.0
  • Oracle Communications Data Model, version 12.2.0.1
  • Oracle Communications Design Studio, version 7.4.2
  • Oracle Communications Diameter Signaling Router, version 8.6.0.0
  • Oracle Communications Element Manager, version 9.0
  • Oracle Communications Evolved Communications Application Server, version 7.1
  • Oracle Communications Instant Messaging Server, version 10.0.1.6.0
  • Oracle Communications Interactive Session Recorder, version 6.4
  • Oracle Communications Messaging Server, version 8.1
  • Oracle Communications MetaSolv Solution, version 6.3.1
  • Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.5.0.0
  • Oracle Communications Order and Service Management, versions 7.3, 7.4
  • Oracle Communications Policy Management, version 12.6.0.0.0
  • Oracle Communications Pricing Design Center, versions 12.0.0.4.0-12.0.0.7.0
  • Oracle Communications Services Gatekeeper, version 7.0.0.0.0
  • Oracle Communications Session Border Controller, versions 8.4, 9.0, 9.1
  • Oracle Communications Session Report Manager, version 9.0
  • Oracle Communications Unified Assurance, versions prior to 5.5.7.0.0, 6.0.0.0.0
  • Oracle Communications User Data Repository, versions 12.4.0, 12.6.0, 12.6.1
  • Oracle Communications WebRTC Session Controller, versions 7.2.0, 7.2.1
  • Oracle Data Integrator, version 12.2.1.4.0
  • Oracle Database Server, versions 19c, 21c
  • Oracle Documaker Enterprise Edition, versions 12.6-12.7
  • Oracle E-Business Suite, versions 12.2.3-12.2.11
  • Oracle Enterprise Data Quality, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Enterprise Operations Monitor, versions 4.4, 5.0
  • Oracle Essbase, version 21.3
  • Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1
  • Oracle Financial Services Behavior Detection Platform, versions 8.0.7.2, 8.0.8.1, 8.1.1.0, 8.1.1.1, 8.1.2.0, 8.1.2.1, 8.1.2.2
  • Oracle Financial Services Enterprise Case Management, versions 8.0.7.3, 8.0.8.2, 8.1.1.0, 8.1.1.1, 8.1.2.0, 8.1.2.1, 8.1.2.2
  • Oracle Financial Services Model Management and Governance, versions 8.0.8.0, 8.1.0.0, 8.1.1.0
  • Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, versions 8.0.7.0, 8.0.8.0
  • Oracle GoldenGate, version 19c
  • Oracle GraalVM Enterprise Edition, versions 20.3.7, 21.3.3, 22.2.0
  • Oracle Healthcare Data Repository, versions 8.1.1, 8.1.2, 8.1.3
  • Oracle Healthcare Foundation, versions 8.1, 8.2
  • Oracle Healthcare Master Person Index, versions 5.0.0-5.0.3
  • Oracle Healthcare Translational Research, version 4.1
  • Oracle Hospitality Cruise Fleet Management System, version 9.1.5
  • Oracle Hospitality Cruise Shipboard Property Management System, versions 20.2.0, 20.2.2
  • Oracle Hospitality Suite8, versions 8.10.2, 8.11.0, 8.12.0, 8.13.0, 8.14.0
  • Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Hyperion Infrastructure Technology, version 11.2.9
  • Oracle Identity Management Suite, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Insurance Insbridge Rating and Underwriting, versions 5.2.0, 5.4.0-5.6.2
  • Oracle Java SE, versions 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19
  • Oracle MapViewer, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Middleware Common Libraries and Tools, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle NoSQL Database
  • Oracle Outside In Technology, version 8.5.6
  • Oracle Retail Assortment Planning, version 16.0.3
  • Oracle Retail Back Office, version 14.1
  • Oracle Retail Central Office, version 14.1
  • Oracle Retail Customer Insights, versions 15.0.2, 15.2, 16.0.2
  • Oracle Retail Customer Management and Segmentation Foundation, versions 17.0, 18.0, 19.0
  • Oracle Retail EFTLink, versions 20.0.1, 21.0.0
  • Oracle Retail Fiscal Management, version 14.2
  • Oracle Retail Merchandising System, versions 14.1.3.2, 15.0.3.1, 19.0.1
  • Oracle Retail Point Of Service, version 14.1
  • Oracle Retail Predictive Application Server, versions 14.1.3.47, 15.0.3.116, 16.0.3.260
  • Oracle Retail Returns Management, version 14.1
  • Oracle Retail Sales Audit, version 19.0.1
  • Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1, 16.0.3
  • Oracle SD-WAN Aware, version 9.0.1.3.0
  • Oracle SD-WAN Edge, versions 7.0.7, 9.1.1.2.0
  • Oracle Secure Backup, versions prior to 18.1.0.2.0
  • Oracle SOA Suite, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Solaris, version 11
  • Oracle Solaris Cluster, version 4
  • Oracle SQL Developer
  • Oracle TimesTen In-Memory Database
  • Oracle Transportation Management, versions 6.4.3, 6.5.1
  • Oracle Utilities Testing Accelerator, versions 6.0.0.1.3, 6.0.0.2.4, 6.0.0.3.3, 7.0.0.0.0
  • Oracle VM VirtualBox, versions prior to 6.1.40
  • Oracle WebCenter Content, version 12.2.1.3.0
  • Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • PeopleSoft Enterprise Common Components, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59, 8.60
  • Primavera Gateway, versions 18.8.0-18.8.15, 19.12.0-19.12.14, 20.12.0-20.12.9, 21.12.0-21.12.7
  • Primavera Unifier, versions 18.8, 19.12, 20.12, 21.12
  • Siebel Applications, versions 22.8 and prior

Products with no exploitable CVEs

  • Oracle Airlines Data Model
  • Oracle Big Data Graph
  • Oracle NoSQL Database
  • Oracle SQL Developer
  • Oracle TimesTen In-Memory Database

The above list contains products for which no exploitable CVEs were addressed in this October update. It does not mean that these products are CVE-free, nor does it mean these products were not updated at all.

Products with the highest-ranked exploitable CVEs that were fixed

We chose to list CVEs with a score greater than or equal to 9.0. The CVSS score is shown in brackets after each CVE.

  • Oracle GoldenGate:
    • CVE-2020-35169 (9.8)
  • Oracle Secure Backup:
    • CVE-2022-31813 (9.8)
  • Oracle Commerce Platform:
    • CVE-2020-10683 (9.8)
  • Oracle Communications Convergence:
    • CVE-2021-23450 (9.8)
  • Oracle Communications Messaging Server:
    • CVE-2021-43527 (9.8)
  • Oracle Communications Order and Service Management:
    • CVE-2022-23632 (9.8)
  • Oracle Communications Unified Assurance:
    • CVE-2021-3918 (9.8)
    • CVE-2022-31813 (9.8)
    • CVE-2022-2068 (9.8)
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy:
    • CVE-2022-22978 (9.8)
    • CVE-2022-1292 (9.8)
    • CVE-2022-1586 (9.1)
  • Oracle Communications Cloud Native Core Unified Data Repository:
    • CVE-2022-23218 (9.8)
    • CVE-2022-1586 (9.1)
  • Oracle Communications Diameter Signaling Router:
    • CVE-2022-31813 (9.8)
    • CVE-2021-21708 (9.8)
  • Oracle Communications Element Manager:
    • CVE-2022-31813 (9.8)
    • CVE-2022-22978 (9.8)
  • Oracle Communications Interactive Session Recorder:
    • CVE-2022-22978 (9.8)
  • Oracle Communications Policy Management:
    • CVE-2021-31805 (9.8)
  • Oracle Communications User Data Repository:
    • CVE-2021-21783 (9.8)
    • CVE-2022-31813 (9.8)
    • CVE-2021-43527 (9.8)
    • CVE-2019-3862 (9.1)
  • Oracle Communications WebRTC Session Controller:
    • CVE-2021-23450 (9.8)
  • Oracle Enterprise Operations Monitor:
    • CVE-2022-31813 (9.8)
  • Oracle SD-WAN Edge:
    • CVE-2021-44790 (9.8)
    • CVE-2022-22978 (9.8)
  • Application Management Pack for Oracle E-Business Suite:
    • CVE-2022-23305 (9.8)
  • Oracle Web Applications Desktop Integrator:
    • CVE-2022-21587 (9.8)
    • CVE-2022-39428 (9.8)
  • Enterprise Manager Base Platform:
    • CVE-2018-1285 (9.8)
  • Enterprise Manager Ops Center:
    • CVE-2021-23450 (9.8)
  • Oracle Financial Services Analytical Applications Infrastructure:
    • CVE-2022-23457 (9.8)
  • Oracle Business Intelligence Enterprise Edition:
    • CVE-2022-33980 (9.8)
  • Oracle Data Integrator:
    • CVE-2019-17195 (9.8)
  • Oracle HTTP Server:
    • CVE-2022-23943 (9.8)
  • Oracle Middleware Common Libraries and Tools:
    • CVE-2022-23305 (9.8)
  • Oracle Outside In Technology:
    • CVE-2022-25315 (9.8)
  • Oracle WebCenter Content:
    • CVE-2022-23305 (9.8)
  • Oracle WebCenter Portal:
    • CVE-2021-23450 (9.8)
  • Oracle WebCenter Sites:
    • CVE-2021-23450 (9.8)
    • CVE-2022-32532 (9.8)
  • Oracle Healthcare Foundation:
    • CVE-2022-33980 (9.8)
  • Oracle Hyperion Infrastructure Technology:
    • CVE-2022-33980 (9.8)
  • Oracle GraalVM Enterprise Edition:
    • CVE-2022-32215 (9.1)
  • JD Edwards EnterpriseOne Tools:
    • CVE-2021-43527 (9.8)
    • CVE-2022-1292 (9.8)
  • MySQL Enterprise Backup:
    • CVE-2022-32207 (9.8)
  • Oracle Retail Fiscal Management:
    • CVE-2022-23305 (9.8)
  • Siebel Apps - Marketing:
    • CVE-2021-23926 (9.1)
  • Oracle Agile Engineering Data Management:
    • CVE-2022-23305 (9.8)
  • Oracle Utilities Testing Accelerator:
    • CVE-2022-22978 (9.8)

Top three components receiving the largest number of addressed CVEs

  • MySQL Server:
    • CVE-2022-21632
    • CVE-2022-21594
    • CVE-2022-21617
    • CVE-2022-21637
    • CVE-2022-21589
    • CVE-2022-21600
    • CVE-2022-21633
    • CVE-2022-21604
    • CVE-2022-21635
    • CVE-2022-21599
    • CVE-2022-21625
    • CVE-2022-39400
    • CVE-2022-39410
    • CVE-2022-21640
    • CVE-2022-21607
    • CVE-2022-21611
    • CVE-2022-21608
    • CVE-2022-21595
    • CVE-2022-21641
    • CVE-2022-21638
    • CVE-2022-39408
    • CVE-2022-2097
    • CVE-2022-21592
    • CVE-2022-21605
  • Oracle Communications User Data Repository:
    • CVE-2020-10878
    • CVE-2020-11022
    • CVE-2022-31813
    • CVE-2022-34305
    • CVE-2021-21707
    • CVE-2020-29582
    • CVE-2021-2351
    • CVE-2020-13936
    • CVE-2021-43527
    • CVE-2020-6950
    • CVE-2021-21783
    • CVE-2019-3862
  • Oracle VM VirtualBox:
    • CVE-2022-39422
    • CVE-2022-21621
    • CVE-2022-39427
    • CVE-2022-21627
    • CVE-2022-39426
    • CVE-2022-39424
    • CVE-2022-39421
    • CVE-2022-39425
    • CVE-2022-39423
    • CVE-2022-21620

Top three CVEs affecting multiple Oracle products, ranked by the number of affected products

  • CVE-2020-36518 (jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects)
    • Oracle Autovue for Agile Product Lifecycle Management
    • Oracle Banking Loans Servicing
    • JD Edwards EnterpriseOne Orchestrator
    • Oracle Retail Service Backbone
    • Oracle Banking Platform
    • Enterprise Manager for Virtualization
    • Spatial and Graph (jackson-databind)
    • Oracle Communications Policy Management
    • Oracle Communications Evolved Communications Application Server
    • Oracle Communications Instant Messaging Server
    • Siebel UI Framework
    • Oracle Documaker Enterprise Edition
    • Oracle Database - Fleet Patching (jackson-databind)
    • Oracle Communications Services Gatekeeper
    • Oracle WebCenter Portal
    • Oracle Retail Merchandising System
    • Oracle Solaris Cluster
    • Oracle Agile PLM
    • Oracle Communications Pricing Design Center
    • Oracle Banking Enterprise Default Management
    • Oracle AutoVue
    • Oracle Banking Party Management
    • JD Edwards EnterpriseOne Tools
    • Oracle Healthcare Translational Research
    • Oracle Business Intelligence Enterprise Edition
  • CVE-2022-22971 (In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, an application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user)
    • Oracle Financial Services Enterprise Case Management
    • Oracle Financial Services Analytical Applications Infrastructure
    • Oracle Utilities Testing Accelerator
    • Oracle Middleware Common Libraries and Tools
    • Oracle Communications Element Manager
    • Siebel Engineering - Installer & Deployment
    • Oracle Financial Services Behavior Detection Platform
    • Oracle Documaker Enterprise Edition
    • Oracle Retail Customer Insights
    • Oracle Retail Assortment Planning
    • Oracle Communications Interactive Session Recorder
    • Oracle Financial Services Model Management and Governance
    • Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition
    • Oracle Retail Predictive Application Server
    • Oracle Data Integrator
    • Oracle Retail Merchandising System
    • Oracle SD-WAN Edge
    • Oracle Commerce Platform
    • Oracle WebLogic Server
    • Oracle Healthcare Master Person Index
    • Oracle Hospitality Cruise Shipboard Property Management System
  • CVE-2022-25647 (The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks)
    • Oracle Retail Customer Management and Segmentation Foundation
    • Oracle Financial Services Model Management and Governance
    • Siebel Core - Automation
    • Oracle Middleware Common Libraries and Tools
    • Oracle Communications WebRTC Session Controller
    • Oracle Retail EFTLink
    • Oracle Data Integrator
    • Oracle BI Publisher
    • Oracle Communications Cloud Native Core Binding Support Function
    • Siebel Core - Common Components
    • Oracle Healthcare Data Repository
    • Oracle Communications Cloud Native Core Policy
    • Oracle Healthcare Master Person Index
    • Oracle Utilities Testing Accelerator
    • Oracle Documaker Enterprise Edition
    • Oracle Communications Cloud Native Core Console
    • Oracle Banking Platform
    • PeopleSoft Enterprise PeopleTools

Useful Links