A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.
This Critical Patch Update contains 520 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2022 Critical Patch Update: Executive Summary and Analysis.
Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.
Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.
Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.
Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.
Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).
Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
Oracle lists updates that address vulnerabilities in third-party components that are not exploitable in the context of their inclusion in their respective Oracle product beneath the product's risk matrix.
The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.
Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:
Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.
In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program:
Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.
For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:
Critical Patch Updates are released on the third Tuesday of January, April, July, and October. The next four dates are:
Date | Note |
---|---|
2024-December-23 | Rev 9. Updated the addtional CVE for ZFS CVE-2021-39275 |
2024-September-20 | Rev 8. Product Name and details changes for CVE-2022-21445. |
2022-June-16 | Rev 7. Added credit for CVE-2022-21438. |
2022-May-20 | Rev 6. Added version 8.5.6 to Outside In Technology. Changed the Component of Middleware Common Libraries and Tools to FMW Remote Diagnostic Agent for CVE-2021-30129. Updated credit name. |
2022-May-4 | Rev 5. Removed affected version 11.1.1.5.0 of Oracle Identity Manager Connector for CVE-2022-23305. Added a footnote for the change. |
2022-May-2 | Rev 4. Updated the affected versions Oracle Health Sciences InForm Publisher and Oracle Communications Unified Inventory Management. Note added for MySQL Enterprise Monitor. Note Removed for CVE-2022-21449. Credit Name Updated for CVE-2022-21453 |
2022-April-29 | Rev 3. Updated EM Ops Center additional CVEs for CVE-2021-40438. Updated Oracle ZFS additional CVEs for CVE-2021-39275 |
2022-April-21 | Rev 2. Updated the affected versions for CVE-2022-21449 |
2022-April-19 | Rev 1. Initial Release. |
This Critical Patch Update contains 29 new security patches for Oracle Database Products divided as follows:
This Critical Patch Update contains 5 new security patches plus additional third party patches noted below for Oracle Database Products. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2022-21410 | Oracle Database - Enterprise Edition Sharding | Create Any Procedure | Oracle Net | No | 7.2 | Network | Low | High | None | Un- changed |
High | High | High | 19c | |
CVE-2022-21498 | Java VM | Create Procedure | Multiple | No | 6.5 | Network | Low | Low | None | Un- changed |
None | High | None | 12.1.0.2, 19c, 21c | |
CVE-2021-41165 | Oracle Application Express (CKEditor) | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 22.1 | |
CVE-2022-21411 | RDBMS Gateway / Generic ODBC Connectivity | Create Session | Oracle Net | No | 5.4 | Network | Low | Low | None | Un- changed |
Low | Low | None | 12.1.0.2, 19c, 21c | |
CVE-2021-22569 | Oracle Spatial and Graph MapViewer (protobuf-java) | Local Logon | Local Logon | No | 2.8 | Local | Low | Low | Required | Un- changed |
None | None | Low | 19c, 21c |
This Critical Patch Update contains 1 new security patch for Oracle Autonomous Health Framework. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2021-2464 | Engineered Systems Utilities | Local Logon | Local Logon | No | 7.8 | Local | Low | Low | None | Un- changed |
High | High | High | 12.1.0.2, 19c, 21c |
This Critical Patch Update contains 15 new security patches for Oracle Blockchain Platform. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2021-23017 | Oracle Blockchain Platform | Backend (nginx) | UDP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | Prior to 21.1.2 | |
CVE-2020-5245 | Oracle Blockchain Platform | Backend (Dropwizard-Validation) | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | Prior to 21.1.2 | |
CVE-2021-2351 | Oracle Blockchain Platform | BCS Console (JDBC, OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 21.1.2 | See Note 1 |
CVE-2020-8174 | Oracle Blockchain Platform | BCS Console (Node.js) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | Prior to 21.1.2 | |
CVE-2020-24750 | Oracle Blockchain Platform | BCS Console (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | Prior to 21.1.2 | |
CVE-2020-28052 | Oracle Blockchain Platform | BCS Console (Bouncy Castle Java Library) | HTTPS | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | Prior to 21.1.2 | |
CVE-2019-12399 | Oracle Blockchain Platform | BCS Console (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | Prior to 21.1.2 | |
CVE-2020-17527 | Oracle Blockchain Platform | BCS Console (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | Prior to 21.1.2 | |
CVE-2020-11612 | Oracle Blockchain Platform | BCS Console (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | Prior to 21.1.2 | |
CVE-2019-13565 | Oracle Blockchain Platform | Backend (OpenLDAP) | LDAP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | Prior to 21.1.2 | |
CVE-2020-8203 | Oracle Blockchain Platform | BCS Console (Lodash) | HTTP | Yes | 7.4 | Network | High | None | None | Un- changed |
None | High | High | Prior to 21.1.2 | |
CVE-2019-10086 | Oracle Blockchain Platform | BCS Console (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Un- changed |
Low | Low | Low | Prior to 21.1.2 | |
CVE-2020-11022 | Oracle Blockchain Platform | Backend (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 21.1.2 | |
CVE-2021-29425 | Oracle Blockchain Platform | BCS Console (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | Prior to 21.1.2 | |
CVE-2020-27218 | Oracle Blockchain Platform | BCS Console (Eclipse Jetty) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
None | Low | Low | Prior to 21.1.2 |
This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle Global Lifecycle Management. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Global Lifecycle Management. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
There are no exploitable vulnerabilities for these products. Third party patches for non-exploitable CVEs are noted below. |
This Critical Patch Update contains 5 new security patches plus additional third party patches noted below for Oracle GoldenGate. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2021-26291 | Oracle GoldenGate Big Data and Application Adapters | General (Apache Maven) | HTTP | Yes | 9.1 | Network | Low | None | None | Un- changed |
High | High | None | Prior to 23.1 | |
CVE-2022-21442 | Oracle GoldenGate | OGG Core Library | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | Prior to 23.1 | |
CVE-2021-2351 | Oracle GoldenGate Application Adapters | General (OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Prior to 23.1 | |
CVE-2019-12086 | Oracle GoldenGate | Internal Framework (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | Prior to 12.3.0.1.2 | |
CVE-2019-14862 | Oracle GoldenGate | Internal Framework (Knockout) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 12.3.0.1.2 |
This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle NoSQL Database. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle NoSQL Database. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
There are no exploitable vulnerabilities for these products. Third party patches for non-exploitable CVEs are noted below. |
This Critical Patch Update contains 1 new security patch for Oracle REST Data Services. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2021-29425 | Oracle REST Data Services | General (Apache Commons IO) | HTTP | No | 4.2 | Network | High | Low | None | Un- changed |
Low | Low | None | Prior to 21.2 |
This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle Secure Backup. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Secure Backup. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
There are no exploitable vulnerabilities for these products. Third party patches for non-exploitable CVEs are noted below. |
This Critical Patch Update contains 2 new security patches for Oracle SQL Developer. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2021-44832 | Oracle SQL Developer | Installation (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | Prior to 21.4.2 | |
CVE-2020-13956 | Oracle SQL Developer | Thirdparty Database support (Apache HTTPClient) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | Low | None | Prior to 21.99 |
This Critical Patch Update contains 7 new security patches for Oracle Commerce. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2021-39139 | Oracle Commerce Guided Search | Content Acquisition System (XStream) | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 11.3.2 | |
CVE-2021-22118 | Oracle Commerce Guided Search | Content Acquisition System (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Un- changed |
High | High | High | 11.3.2 | |
CVE-2021-42340 | Oracle Commerce Guided Search | Content Acquisition System (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.3.2 | |
CVE-2022-21466 | Oracle Commerce Guided Search | Tools and Frameworks | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 11.3.2 | |
CVE-2021-41165 | Oracle Commerce Guided Search | Content Acquisition System (CKEditor) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 11.3.2 | |
CVE-2020-13956 | Oracle Commerce Guided Search | Workbench (HTTPClient) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | Low | None | 11.3.2 | |
CVE-2020-8908 | Oracle Commerce Guided Search | Workbench (Guava) | None | No | 3.3 | Local | Low | Low | None | Un- changed |
Low | None | None | 11.3.2 |
This Critical Patch Update contains 39 new security patches for Oracle Communications Applications. 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2022-21431 | Oracle Communications Billing and Revenue Management | Connection Manager | TCP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 12.0.0.4, 12.0.0.5 | |
CVE-2022-23305 | Oracle Communications Messaging Server | ISC (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.1 | |
CVE-2022-23990 | Oracle Communications MetaSolv Solution | User Interface (LibExpat) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 6.3.1 | |
CVE-2022-23305 | Oracle Communications Network Integrity | Cartridge Deployer Tool (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 7.3.6 | |
CVE-2022-23305 | Oracle Communications Unified Inventory Management | Logging (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 7.3.4-7.3.5, 7.4.1-7.4.2 | |
CVE-2020-13936 | Oracle Communications Network Integrity | TL1 Cartridge (Apache Velocity Engine) | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 7.3.6 | |
CVE-2022-21430 | Oracle Communications Billing and Revenue Management | Connection Manager | TCP | No | 8.5 | Network | High | Low | None | Changed | High | High | High | 12.0.0.4, 12.0.0.5 | |
CVE-2021-2351 | Oracle Communications Billing and Revenue Management | Pipeline Configuration Center, Oracle Data Manager, Rated Event Loader (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 12.0.0.4, 12.0.0.5 | |
CVE-2022-21424 | Oracle Communications Billing and Revenue Management | Connection Manager | TCP | No | 8.3 | Network | Low | Low | None | Un- changed |
High | High | Low | 12.0.0.4 | |
CVE-2021-2351 | Oracle Communications IP Service Activator | Service Activator (OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 7.4.0 | |
CVE-2021-2351 | Oracle Communications Pricing Design Center | Cloud Native Deployment (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 12.0.0.4, 12.0.0.5 | |
CVE-2021-22118 | Oracle Communications Network Integrity | MSS Cartridge (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Un- changed |
High | High | High | 7.3.6 | |
CVE-2021-36090 | Oracle Communications Billing and Revenue Management | Billing Care (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 12.0.0.4 | |
CVE-2022-21422 | Oracle Communications Billing and Revenue Management | Connection Manager | TCP | No | 7.5 | Network | High | Low | None | Un- changed |
High | High | High | 12.0.0.4, 12.0.0.5 | |
CVE-2021-42340 | Oracle Communications Instant Messaging Server | DBPlugin (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 10.0.1.5.0 | |
CVE-2021-40690 | Oracle Communications Messaging Server | ISC (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 8.1 | |
CVE-2021-33813 | Oracle Communications Messaging Server | ISC (Apache Tika) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.1 | |
CVE-2019-10086 | Oracle Communications Network Integrity | User Interface (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Un- changed |
Low | Low | Low | 7.3.6 | |
CVE-2021-44832 | Oracle Communications ASAP | SRP (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 7.3 | |
CVE-2021-44832 | Oracle Communications Billing and Revenue Management | Rated Event Manager, Business Operations Center, Kafka Data Manager (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 12.0.0.4, 12.0.0.5 | |
CVE-2021-44832 | Oracle Communications Convergence | Configuration (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 3.0.2.2, 3.0.3.0 | |
CVE-2021-44832 | Oracle Communications Convergent Charging Controller | Network Gateway (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0 | |
CVE-2021-44832 | Oracle Communications IP Service Activator | Logging (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 7.4.0 | |
CVE-2021-44832 | Oracle Communications Messaging Server | ISC (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 8.1 | |
CVE-2021-44832 | Oracle Communications Network Charging and Control | Gateway (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0 | |
CVE-2021-44832 | Oracle Communications Network Integrity | Cartridge Deployer Tool (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 7.3.6 | |
CVE-2021-44832 | Oracle Communications Pricing Design Center | REST Services Manager (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 12.0.0.4, 12.0.0.5 | |
CVE-2021-44832 | Oracle Communications Unified Inventory Management | Logging (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 7.3.5, 7.4.1-7.4.2 | |
CVE-2021-43797 | Oracle Communications Messaging Server | ISC (Netty) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | High | None | 8.1 | |
CVE-2020-6950 | Oracle Communications Network Integrity | Installer (Eclipse Mojarra) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 7.3.6 | |
CVE-2019-3740 | Oracle Communications Network Integrity | Installer (RSA BSAFE Crypto-J) | HTTPS | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 7.3.2, 7.3.5, 7.3.6 | |
CVE-2021-36374 | Oracle Communications Order and Service Management | Installer, OSM SDK (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 7.3, 7.4 | |
CVE-2022-24329 | Oracle Communications Pricing Design Center | REST Services Manager (Kotlin) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | Low | None | 12.0.0.4, 12.0.0.5 | |
CVE-2021-29425 | Oracle Communications Contacts Server | File Upload (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 8.0.0.6.0 | |
CVE-2021-29425 | Oracle Communications Design Studio | OSM Plugin (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 7.3.5, 7.4.0-7.4.2 | |
CVE-2021-29425 | Oracle Communications Order and Service Management | OSM SDK (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 7.3, 7.4 | |
CVE-2021-29425 | Oracle Communications Pricing Design Center | REST Service Manager (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 12.0.0.4, 12.0.0.5 | |
CVE-2021-21275 | Oracle Communications Pricing Design Center | REST Service Manager (Jacoco) | HTTP | Yes | 4.3 | Network | Low | None | Required | Un- changed |
None | Low | None | 12.0.0.4, 12.0.0.5 | |
CVE-2020-8908 | Oracle Communications Pricing Design Center | REST Services Manager (Guava) | None | No | 3.3 | Local | Low | Low | None | Un- changed |
Low | None | None | 12.0.0.4, 12.0.0.5 |
This Critical Patch Update contains 149 new security patches plus additional third party patches noted below for Oracle Communications. 98 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2022-22947 | Oracle Communications Cloud Native Core Network Exposure Function | NEF (Spring Cloud Gateway) | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 22.1.0 | |
CVE-2022-22947 | Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (Spring Cloud Gateway) | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 22.1.0, 1.8.0 | |
CVE-2017-1000353 | Oracle Communications Cloud Native Core Automated Test Suite | Automated Test Suite (Jenkins) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.9.0 | |
CVE-2022-22965 | Oracle Communications Cloud Native Core Automated Test Suite | Automation Test Suite (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.9.0, 22.1.0 | |
CVE-2021-29921 | Oracle Communications Cloud Native Core Binding Support Function | BSF (Python) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.11.0 | |
CVE-2021-43527 | Oracle Communications Cloud Native Core Binding Support Function | BSF (NSS) | HTTPS | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.11.0 | |
CVE-2022-23221 | Oracle Communications Cloud Native Core Console | CNC Console (H2) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.9.0 | |
CVE-2022-22965 | Oracle Communications Cloud Native Core Console | CNC Console (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.9.0, 22.1.0 | |
CVE-2022-22965 | Oracle Communications Cloud Native Core Network Exposure Function | NEF (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 22.1.0 | |
CVE-2022-22965 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | DB Tier (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.10.0, 22.1.0 | |
CVE-2020-14343 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | OC-CNE (PyYAML) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.10.0 | |
CVE-2022-22965 | Oracle Communications Cloud Native Core Network Repository Function | OCNRF (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.15.0, 22.1.0 | |
CVE-2021-43527 | Oracle Communications Cloud Native Core Network Repository Function | OCNRF (NSS) | HTTPS | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.15.0, 1.15.1 | |
CVE-2021-29921 | Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (Python) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.8.0 | |
CVE-2022-22965 | Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 22.1.0, 1.8.0 | |
CVE-2021-43527 | Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (NSS) | HTTPS | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.8.0 | |
CVE-2021-42392 | Oracle Communications Cloud Native Core Policy | Policy (H2) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.15.0 | |
CVE-2022-22965 | Oracle Communications Cloud Native Core Policy | Policy (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.15.0, 22.1.0 | |
CVE-2021-35574 | Oracle Communications Cloud Native Core Policy | Policy (glibc) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.15.0 | |
CVE-2021-3520 | Oracle Communications Cloud Native Core Policy | Policy (lz4) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.14.0 | |
CVE-2022-22965 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | OC SEPP (Spring framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.7.0, 22.1.0 | |
CVE-2022-22965 | Oracle Communications Cloud Native Core Unified Data Repository | UDR (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.15.0, 22.1.0 | |
CVE-2020-17530 | Oracle Communications Diameter Intelligence Hub | Visualization (Apache Struts) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.0.0-8.1.0, 8.2.0-8.2.3 | |
CVE-2022-23305 | Oracle Communications EAGLE FTP Table Base Retrieval | Core (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 4.5 | |
CVE-2020-35198 | Oracle Communications EAGLE Software | Measurements (VxWorks) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 46.7.0, 46.8.0-46.8.2, 46.9.1-46.9.3 | |
CVE-2021-44790 | Oracle Communications Element Manager | Security (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | Prior to 9.0 | |
CVE-2021-44790 | Oracle Communications Operations Monitor | Mediation Engine (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 4.3, 4.4, 5.0 | |
CVE-2022-22965 | Oracle Communications Policy Management | CMP (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.6.0.0.0 | |
CVE-2021-23450 | Oracle Communications Policy Management | CMP (dojo) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.6.0.0.0 | |
CVE-2021-43527 | Oracle Communications Policy Management | CMP (NSS) | HTTPS | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.6.0.0.0 | |
CVE-2021-44790 | Oracle Communications Session Report Manager | General (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | Prior to 9.0 | |
CVE-2021-44790 | Oracle Communications Session Route Manager | Third Party (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | Prior to 9.0 | |
CVE-2022-22965 | Oracle SD-WAN Edge | Management (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 9.0, 9.1 | |
CVE-2020-36242 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | OC-CNE (python-cryptography) | HTTP | Yes | 9.1 | Network | Low | None | None | Un- changed |
High | None | High | 1.10.0 | |
CVE-2021-3518 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | OC-CNE (libxml2) | HTTP | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 1.10.0 | |
CVE-2021-32626 | Oracle Communications Operations Monitor | FDP (Redis) | TCP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 4.3, 4.4, 5.0 | |
CVE-2020-10878 | Oracle Communications EAGLE LNP Application Processor | Platform (Perl) | HTTP | Yes | 8.6 | Network | Low | None | None | Un- changed |
Low | Low | High | 10.1, 10.2 | |
CVE-2020-10878 | Oracle Communications Performance Intelligence Center (PIC) Software | Platform (Perl) | HTTP | Yes | 8.6 | Network | Low | None | None | Un- changed |
Low | Low | High | 10.3.0.0.0-10.3.0.2.1, 10.4.0.1.0-10.4.0.3.1 | |
CVE-2021-39153 | Oracle Communications Cloud Native Core Automated Test Suite | Automated Test Suite Framework (XStream) | HTTP | No | 8.5 | Network | High | Low | None | Changed | High | High | High | 1.9.0 | |
CVE-2021-2351 | Oracle Communications Diameter Intelligence Hub | Integrated DIH (JDBC, OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 8.0.0-8.2.3 | |
CVE-2021-2351 | Oracle Communications Services Gatekeeper | Third party software/products (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 7.0.0.0.0 | |
CVE-2019-16789 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | OC-CNE (ceph) | HTTP | Yes | 8.2 | Network | Low | None | None | Un- changed |
Low | High | None | 1.10.0 | |
CVE-2019-18276 | Oracle Communications Cloud Native Core Policy | Policy (GNU Bash) | None | No | 7.8 | Local | Low | Low | None | Un- changed |
High | High | High | 1.14.0 | |
CVE-2021-22118 | Oracle Communications Diameter Intelligence Hub | Visualization, Mediation (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Un- changed |
High | High | High | 8.0.0-8.1.0, 8.2.0-8.2.3 | |
CVE-2021-3156 | Oracle Communications Performance Intelligence Center (PIC) Software | Platform (Sudo) | None | No | 7.8 | Local | Low | Low | None | Un- changed |
High | High | High | 10.3.0.0.0-10.3.0.2.1, 10.4.0.1.0-10.4.0.3.1 | |
CVE-2021-42340 | Management Cloud Engine | Security (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | Prior to 1.5.0 | |
CVE-2021-35515 | Oracle Communications Cloud Native Core Automated Test Suite | Automated Test Suite (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 1.8.0 | |
CVE-2021-22946 | Oracle Communications Cloud Native Core Binding Support Function | CNC BSF (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 1.11.0 | |
CVE-2020-36518 | Oracle Communications Cloud Native Core Console | CNC Console (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 1.9.0 | |
CVE-2021-22946 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | OC-CNE (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 1.10.0 | |
CVE-2021-22946 | Oracle Communications Cloud Native Core Network Repository Function | OCNRF (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 1.15.0, 1.15.1 | |
CVE-2021-3690 | Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (Undertow) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 1.8.0 | |
CVE-2021-22946 | Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (cURL) | HTTPS | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 1.8.0 | |
CVE-2020-28196 | Oracle Communications Cloud Native Core Policy | Policy (MIT Kerberos) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 1.14.0 | |
CVE-2021-3807 | Oracle Communications Cloud Native Core Policy | Policy (ansi-regex) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 1.15.0 | |
CVE-2020-8231 | Oracle Communications Cloud Native Core Policy | Policy (libcurl) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 1.14.0 | |
CVE-2020-29363 | Oracle Communications Cloud Native Core Policy | Policy (p11-kit) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 1.14.0 | |
CVE-2021-42340 | Oracle Communications Cloud Native Core Service Communication Proxy | SCP (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 1.15.0 | |
CVE-2021-22946 | Oracle Communications Cloud Native Core Service Communication Proxy | SCP (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 1.15.0 | |
CVE-2021-36090 | Oracle Communications Diameter Intelligence Hub | Integrated DIH (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.0.0-8.2.3 | |
CVE-2020-11971 | Oracle Communications Diameter Intelligence Hub | Mediation (Apache Camel) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 8.0.0-8.1.0, 8.2.0-8.2.3 | |
CVE-2021-43859 | Oracle Communications Diameter Intelligence Hub | Visualization, Database (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.0.0-8.1.0, 8.2.0-8.2.3 | |
CVE-2021-30468 | Oracle Communications Diameter Intelligence Hub | Visualization, Mediation (Apache CXF) | SOAP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.0.0-8.1.0, 8.2.0-8.2.3 | |
CVE-2021-42340 | Oracle Communications Element Manager | Security (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | Prior to 9.0 | |
CVE-2021-43859 | Oracle Communications Policy Management | CMP (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 12.6.0.0.0 | |
CVE-2021-42340 | Oracle Communications Session Report Manager | General (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | Prior to 9.0 | |
CVE-2021-42340 | Oracle Communications Session Route Manager | Third Party (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | Prior to 9.0 | |
CVE-2020-25638 | Oracle Communications Cloud Native Core Console | CNC Console (hibernate-core) | HTTP | Yes | 7.4 | Network | High | None | None | Un- changed |
High | High | None | 1.9.0 | |
CVE-2021-3712 | Oracle Communications Cloud Native Core Console | CNC Console (OpenSSL) | HTTPS | Yes | 7.4 | Network | High | None | None | Un- changed |
High | None | High | 1.9.0 | |
CVE-2021-3712 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | SEPP (OpenSSL) | HTTP | Yes | 7.4 | Network | High | None | None | Un- changed |
High | None | High | 1.7.0 | |
CVE-2021-3712 | Oracle Communications Cloud Native Core Unified Data Repository | UDR (OpenSSL) | HTTPS | Yes | 7.4 | Network | High | None | None | Un- changed |
High | None | High | 1.15.0 | |
CVE-2021-3712 | Oracle Communications Session Border Controller | Security (OpenSSL) | TLS | Yes | 7.4 | Network | High | None | None | Un- changed |
High | None | High | 8.4, 9.0 | |
CVE-2021-3712 | Oracle Communications Unified Session Manager | Security (OpenSSL) | TLS | Yes | 7.4 | Network | High | None | None | Un- changed |
High | None | High | 8.2.5, 8.4.5 | |
CVE-2021-3712 | Oracle Enterprise Communications Broker | Security (OpenSSL) | TLS | Yes | 7.4 | Network | High | None | None | Un- changed |
High | None | High | 3.2, 3.3 | |
CVE-2021-3712 | Oracle Enterprise Session Border Controller | Security (OpenSSL) | TLS | Yes | 7.4 | Network | High | None | None | Un- changed |
High | None | High | 8.4, 9.0 | |
CVE-2022-23181 | Oracle Communications Cloud Native Core Policy | Policy (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Un- changed |
High | High | High | 1.15.0 | |
CVE-2021-44832 | Management Cloud Engine | Security (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 1.5.0 | |
CVE-2021-44832 | Oracle Communications Cloud Native Core Console | CNC Console (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 1.9.0 | |
CVE-2021-44832 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | DBTier (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 1.10.0 | |
CVE-2021-44832 | Oracle Communications Cloud Native Core Network Repository Function | OCNRF (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 1.15.0, 1.15.1 | |
CVE-2021-44832 | Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 1.8.0 | |
CVE-2021-44832 | Oracle Communications Cloud Native Core Policy | Policy (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 1.15.0 | |
CVE-2021-44832 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | SEPP (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 1.7.0 | |
CVE-2021-44832 | Oracle Communications Cloud Native Core Service Communication Proxy | SCP (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 1.15.0 | |
CVE-2021-44832 | Oracle Communications Cloud Native Core Unified Data Repository | UDR (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 1.15.0 | |
CVE-2021-44832 | Oracle Communications EAGLE Element Management System | Platform (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 46.6 | |
CVE-2021-44832 | Oracle Communications EAGLE FTP Table Base Retrieval | Core (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 4.5 | |
CVE-2021-44832 | Oracle Communications Element Manager | Security (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | Prior to 9.0 | |
CVE-2021-44832 | Oracle Communications Evolved Communications Application Server | SDC,SCF (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 7.1 | |
CVE-2021-44832 | Oracle Communications Performance Intelligence Center (PIC) Software | Management (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 10.4.0.3 | |
CVE-2021-44832 | Oracle Communications Services Gatekeeper | OCSG common services - CORE (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 7.0.0.0.0 | |
CVE-2021-44832 | Oracle Communications Session Report Manager | General (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | Prior to 9.0 | |
CVE-2021-44832 | Oracle Communications Session Route Manager | Third Party (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | Prior to 9.0 | |
CVE-2021-44832 | Oracle Communications User Data Repository | Security (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 12.4 | |
CVE-2021-44832 | Oracle Communications WebRTC Session Controller | Admin console, LWPR (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 7.2.1 | |
CVE-2021-43797 | Oracle Communications Cloud Native Core Binding Support Function | Policy (Netty) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | High | None | 1.11.0 | |
CVE-2021-30129 | Oracle Communications Cloud Native Core Console | CNC Console (Apache MINA SSHD) | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 1.9.0 | |
CVE-2021-43797 | Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (Netty) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | High | None | 1.8.0 | |
CVE-2021-43797 | Oracle Communications Cloud Native Core Policy | Policy (Netty) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | High | None | 1.15.0 | |
CVE-2019-3799 | Oracle Communications Cloud Native Core Policy | Policy (Spring Cloud Config) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 1.15.0 | |
CVE-2021-43797 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | SEPP (Netty) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | High | None | 1.7.0 | |
CVE-2021-43797 | Oracle Communications Cloud Native Core Unified Data Repository | UDR (Netty) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | High | None | 1.15.0 | |
CVE-2022-23437 | Oracle Communications Element Manager | Security (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | Prior to 9.0 | |
CVE-2022-23437 | Oracle Communications Session Report Manager | General (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | Prior to 9.0 | |
CVE-2022-23437 | Oracle Communications Session Route Manager | Third Party (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | Prior to 9.0 | |
CVE-2021-39140 | Oracle Communications Cloud Native Core Policy | Policy (XStream) | HTTP | No | 6.3 | Network | High | Low | None | Changed | None | None | High | 1.14.0 | |
CVE-2021-41184 | Oracle Communications Interactive Session Recorder | Dashboard (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 6.4 | |
CVE-2021-41184 | Oracle Communications Operations Monitor | Mediation Engine (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 4.3, 4.4, 5.0 | |
CVE-2021-2471 | Oracle Communications Cloud Native Core Console | CNC Console (MySQL Connectors) | HTTP | No | 5.9 | Network | High | High | None | Un- changed |
High | None | High | 1.9.0 | |
CVE-2020-14340 | Oracle Communications Cloud Native Core Console | CNC Console (XNIO) | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 1.9.0 | |
CVE-2020-1971 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | OC-CNE (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 1.10.0 | |
CVE-2021-2471 | Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (MySQL) | TCP | No | 5.9 | Network | High | High | None | Un- changed |
High | None | High | 1.8.0 | |
CVE-2021-21409 | Oracle Communications Cloud Native Core Policy | Policy (Netty) | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
None | High | None | 1.14.0 | |
CVE-2021-38153 | Oracle Communications Cloud Native Core Policy | Policy (Apache Kafka) | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 1.15.0 | |
CVE-2021-2471 | Oracle Communications Cloud Native Core Policy | Policy (MySQL) | HTTP | No | 5.9 | Network | High | High | None | Un- changed |
High | None | High | 1.15.0 | |
CVE-2020-14340 | Oracle Communications Cloud Native Core Policy | Policy (XNIO) | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 1.14.0 | |
CVE-2021-33880 | Oracle Communications Cloud Native Core Policy | Policy (aaugustin websockets) | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 1.14.0 | |
CVE-2020-16135 | Oracle Communications Cloud Native Core Policy | Policy (libssh) | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 1.15.0 | |
CVE-2021-2471 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | SEPP (MySQL) | TCP | No | 5.9 | Network | High | High | None | Un- changed |
High | None | High | 1.7.0 | |
CVE-2021-3572 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | OC-CNE (python-pip) | HTTP | No | 5.7 | Network | Low | Low | Required | Un- changed |
None | High | None | 1.10.0 | |
CVE-2021-3572 | Oracle Communications Cloud Native Core Policy | Policy (python-pip) | HTTP | No | 5.7 | Network | Low | Low | Required | Un- changed |
None | High | None | 1.15.0 | |
CVE-2021-36374 | Oracle Communications Cloud Native Core Automated Test Suite | Automated Test Suite (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 1.9.0 | |
CVE-2021-36374 | Oracle Communications Cloud Native Core Binding Support Function | CNC BSF (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 1.11.0 | |
CVE-2021-22569 | Oracle Communications Cloud Native Core Console | CNC Console (protobuf-java) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 1.9.0 | |
CVE-2021-22569 | Oracle Communications Cloud Native Core Network Repository Function | OCNRF (protobuf-java) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 1.15.0, 1.15.1 | |
CVE-2020-13434 | Oracle Communications Cloud Native Core Policy | Policy (SQLite) | None | No | 5.5 | Local | Low | Low | None | Un- changed |
None | None | High | 1.14.0 | |
CVE-2020-15250 | Oracle Communications Cloud Native Core Policy | Policy (JUnit) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
High | None | None | 1.14.0 | |
CVE-2021-28168 | Oracle Communications Cloud Native Core Policy | Policy (Eclipse Jersey) | None | No | 5.5 | Local | Low | Low | None | Un- changed |
High | None | None | 1.15.0 | |
CVE-2021-22569 | Oracle Communications Cloud Native Core Policy | Policy (protobuf-java) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 1.15.0 | |
CVE-2021-28168 | Oracle Communications Cloud Native Core Unified Data Repository | UDR (Eclipse Jersey) | None | No | 5.5 | Local | Low | Low | None | Un- changed |
High | None | None | 1.15.0 | |
CVE-2021-36374 | Oracle Communications Diameter Intelligence Hub | Visualization (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 8.0.0-8.1.0, 8.2.0-8.2.3 | |
CVE-2020-17521 | Oracle Communications Diameter Signaling Router | API Gateway (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Un- changed |
High | None | None | 8.4.0.0 | |
CVE-2022-20615 | Oracle Communications Cloud Native Core Automated Test Suite | Automated Test Suite Framework (Jenkins Matrix Project) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 1.9.0 | |
CVE-2021-20289 | Oracle Communications Cloud Native Core Console | CNC Console (RESTEasy) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 1.9.0 | |
CVE-2020-14155 | Oracle Communications Cloud Native Core Policy | Policy (PCRE) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 1.15.0 | |
CVE-2021-28169 | Oracle Communications Cloud Native Core Policy | Policy (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 1.14.0 | |
CVE-2021-28170 | Oracle Communications Cloud Native Core Policy | Policy (Jakarta) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | Low | None | 1.14.0 | |
CVE-2020-29582 | Oracle Communications Cloud Native Core Policy | Policy (Kotlin) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 1.14.0 | |
CVE-2020-8554 | Oracle Communications Cloud Native Core Policy | Policy (Kubernetes) | HTTP | No | 5.0 | Network | High | Low | None | Un- changed |
Low | Low | Low | 1.15.0 | |
CVE-2021-22132 | Oracle Communications Cloud Native Core Automated Test Suite | Automated Test Suite Framework (Elasticsearch) | HTTP | No | 4.8 | Network | High | Low | Required | Un- changed |
High | None | None | 1.8.0 | |
CVE-2021-29425 | Oracle Communications Cloud Native Core Policy | Policy (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 1.14.0 | |
CVE-2021-29425 | Oracle Communications Diameter Intelligence Hub | Database (Apache Commons IO) | Oracle Net | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 8.0.0-8.1.0, 8.2.0-8.2.3 | |
CVE-2021-29425 | Oracle Communications Policy Management | CMP (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 12.5.0.0.0 | |
CVE-2021-3521 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | OC-CNE (rpm) | None | No | 4.4 | Local | High | Low | Required | Un- changed |
None | High | None | 1.10.0 | |
CVE-2022-20613 | Oracle Communications Cloud Native Core Automated Test Suite | Automated Test Suite (Jenkins Mailer) | HTTP | Yes | 4.3 | Network | Low | None | Required | Un- changed |
None | Low | None | 1.9.0 | |
CVE-2022-20612 | Oracle Communications Cloud Native Core Automated Test Suite | Automated Test Suite Framework (Jenkins) | HTTP | Yes | 4.3 | Network | Low | None | Required | Un- changed |
None | Low | None | 1.9.0 | |
CVE-2021-22096 | Oracle Communications Cloud Native Core Console | CNC Console (Spring boot) | HTTP | No | 4.3 | Network | Low | Low | None | Un- changed |
None | Low | None | 1.9.0 | |
CVE-2021-22096 | Oracle Communications Cloud Native Core Service Communication Proxy | SCP (Spring Framework) | HTTP | No | 4.3 | Network | Low | Low | None | Un- changed |
None | Low | None | 1.15.0 | |
CVE-2021-3200 | Oracle Communications Cloud Native Core Policy | Signaling (libsolv) | None | No | 3.3 | Local | Low | None | Required | Un- changed |
None | None | Low | 1.15.0 |
This Critical Patch Update contains 3 new security patches for Oracle Construction and Engineering. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2021-23450 | Primavera Unifier | Platform (dojo) | HTTP | No | 7.6 | Network | Low | Low | None | Un- changed |
Low | Low | High | 17.7-17.12, 18.8, 19.12, 20.12, 21.12 | |
CVE-2021-44832 | Instantis EnterpriseTrack | Logging (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 17.1, 17.2, 17.3 | |
CVE-2021-41184 | Primavera Unifier | User Interface (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 17.7-17.12, 18.8, 19.12, 20.12, 21.12 |
This Critical Patch Update contains 5 new security patches for Oracle E-Business Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2022 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2022), My Oracle Support Note 2484000.1.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2022-23305 | Oracle E-Business Suite Cloud Manager and Cloud Backup Module | Logging (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | EBS Cloud Manager and Backup Module: Prior to 22.1.1.1 | |
CVE-2021-44832 | Oracle E-Business Suite Information Discovery | Logging (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | Enterprise Information Discovery: 7-9 | See Note 1 |
CVE-2021-44832 | Oracle Enterprise Command Center Framework | Logging (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | Enterprise Command Center: 7.0 | See Note 1 |
CVE-2022-21468 | Oracle Applications Framework | Popups | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.4-12.2.11 | |
CVE-2022-21477 | Oracle Applications Framework | Attachments, File Upload | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 12.2.6-12.2.11 |
This Critical Patch Update contains 10 new security patches for Oracle Enterprise Manager. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.
Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2022 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2022 Patch Availability Document for Oracle Products, My Oracle Support Note 2844807.1 .
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2022-23305 | Enterprise Manager Base Platform | Oracle Management Service (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 13.4.0.0, 13.5.0.0 | |
CVE-2018-1285 | Oracle Application Testing Suite | Load Testing for Web Apps (Apache log4net) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 13.3.0.1 | |
CVE-2021-40438 | Enterprise Manager Ops Center | User Interface (Apache HTTP Server) | HTTP | Yes | 9.0 | Network | High | None | None | Changed | High | High | High | 12.4.0.0 | |
CVE-2021-3518 | Enterprise Manager Base Platform | Enterprise Manager Install (libxml2) | HTTP | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 13.4.0.0, 13.5.0.0 | |
CVE-2021-2351 | Enterprise Manager Ops Center | Networking (OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 12.4.0.0 | |
CVE-2021-3450 | Enterprise Manager for Storage Management | Privilege Management (OpenSSL) | HTTPS | Yes | 7.4 | Network | High | None | None | Un- changed |
High | High | None | 13.4.0.0 | |
CVE-2021-44832 | Enterprise Manager Base Platform | Enterprise Manager Install (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 13.4.0.0, 13.5.0.0 | |
CVE-2021-44832 | Enterprise Manager for Peoplesoft | PSEM Plugin (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 13.4.1.1, 13.5.1.1 | |
CVE-2021-44832 | Enterprise Manager Ops Center | Networking (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 12.4.0.0 | |
CVE-2022-21469 | Enterprise Manager Base Platform | UI Framework | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 13.4.0.0, 13.5.0.0 |
This Critical Patch Update contains 41 new security patches for Oracle Financial Services Applications. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2022-22965 | Oracle Financial Services Analytical Applications Infrastructure | Others (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.1.1.0, 8.1.2.0 | |
CVE-2022-22965 | Oracle Financial Services Behavior Detection Platform | BD (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.1.1.0, 8.1.1.1, 8.1.2.0 | |
CVE-2022-22965 | Oracle Financial Services Enterprise Case Management | Installers (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.1.1.0, 8.1.1.1, 8.1.2.0 | |
CVE-2022-23305 | Oracle Financial Services Revenue Management and Billing | Infrastructure (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 2.7.0.0, 2.7.0.1, 2.8.0.0 | |
CVE-2021-2351 | Oracle Banking Enterprise Default Management | Collections (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 2.10.0, 2.12.0 | |
CVE-2021-2351 | Oracle Banking Platform | Security (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 2.6.2, 2.7.1, 2.12.0 | |
CVE-2021-36090 | Oracle Banking Payments | Infrastructure (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 14.5 | |
CVE-2021-36090 | Oracle Banking Trade Finance | Infrastructure (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 14.5 | |
CVE-2021-37714 | Oracle Banking Trade Finance | Infrastructure (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 14.5 | |
CVE-2021-36090 | Oracle Banking Treasury Management | Infrastructure (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 14.5 | |
CVE-2021-37714 | Oracle Banking Treasury Management | Infrastructure (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 14.5 | |
CVE-2021-36090 | Oracle FLEXCUBE Universal Banking | Infrastructure (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 12.4, 14.0-14.3, 14.5 | |
CVE-2021-37714 | Oracle FLEXCUBE Universal Banking | Infrastructure (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 14.0-14.3, 14.5 | |
CVE-2021-44832 | Oracle Banking Deposits and Lines of Credit Servicing | Web UI (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 2.12.0 | |
CVE-2021-44832 | Oracle Banking Enterprise Default Management | Collections (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 2.7.1, 2.12.0 | |
CVE-2021-44832 | Oracle Banking Loans Servicing | Web UI (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 2.12.0 | |
CVE-2021-44832 | Oracle Banking Party Management | Web UI (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 2.7.0 | |
CVE-2021-44832 | Oracle Banking Payments | Infrastructure (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 14.5 | |
CVE-2021-44832 | Oracle Banking Platform | SECURITY (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 2.6.2, 2.7.1, 2.12.0 | |
CVE-2021-44832 | Oracle Banking Trade Finance | Infrastructure (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 14.5 | |
CVE-2021-44832 | Oracle Banking Treasury Management | Infrastructure (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 14.5 | |
CVE-2021-44832 | Oracle FLEXCUBE Universal Banking | Infrastructure (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 11.83.3, 12.1-12.4, 14.0-14.3, 14.5 | |
CVE-2021-30129 | Oracle Banking Payments | Infrastructure (Apache MINA SSHD) | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 14.5 | |
CVE-2021-30129 | Oracle Banking Trade Finance | Infrastructure (Apache MINA SSHD) | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 14.5 | |
CVE-2021-30129 | Oracle Banking Treasury Management | Infrastructure (Apache MINA SSHD) | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 14.5 | |
CVE-2022-23437 | Oracle Financial Services Analytical Applications Infrastructure | Others (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 8.0.6.0-8.0.9.0, 8.1.0.0-8.1.2.0 | |
CVE-2022-23437 | Oracle Financial Services Behavior Detection Platform | Third Party (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 8.0.6.0-8.0.8.0, 8.1.1.0, 8.1.1.1, 8.1.2.0 | |
CVE-2022-23437 | Oracle Financial Services Enterprise Case Management | Installers (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 8.0.7.1, 8.0.7.2, 8.0.8.0, 8.0.8.1, 8.1.1.0, 8.1.1.1 | |
CVE-2021-30129 | Oracle FLEXCUBE Universal Banking | Infrastructure (Apache MINA SSHD) | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 14.0-14.3, 14.5 | |
CVE-2022-21475 | Oracle Banking Payments | Infrastructure | HTTP | No | 5.9 | Network | High | Low | Required | Un- changed |
Low | High | Low | 14.5 | |
CVE-2022-21474 | Oracle Banking Trade Finance | Infrastructure | HTTP | No | 5.9 | Network | High | Low | Required | Un- changed |
Low | High | Low | 14.5 | |
CVE-2022-21473 | Oracle Banking Treasury Management | Infrastructure | HTTP | No | 5.9 | Network | High | Low | Required | Un- changed |
Low | High | Low | 14.5 | |
CVE-2021-38153 | Oracle Financial Services Analytical Applications Infrastructure | Others (Apache Kafka) | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 8.0.6.0-8.0.9.0, 8.1.0.0-8.1.2.0 | |
CVE-2021-38153 | Oracle Financial Services Behavior Detection Platform | Third Party (Apache Kafka) | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 8.0.6.0-8.0.8.0, 8.1.1.0, 8.1.1.1, 8.1.2.0 | |
CVE-2021-38153 | Oracle Financial Services Enterprise Case Management | Installers (Apache Kafka) | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 8.0.7.1, 8.0.7.2, 8.0.8.0, 8.0.8.1, 8.1.1.0, 8.1.1.1 | |
CVE-2022-21472 | Oracle FLEXCUBE Universal Banking | Infrastructure | HTTP | No | 5.9 | Network | High | Low | Required | Un- changed |
Low | High | Low | 12.4, 14.0-14.3, 14.5 | |
CVE-2021-36374 | Oracle Banking Trade Finance | Infrastructure (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 14.5 | |
CVE-2021-31812 | Oracle Banking Trade Finance | Infrastructure (Apache PDFBox) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 14.5 | |
CVE-2021-36374 | Oracle Banking Treasury Management | Infrastructure (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 14.5 | |
CVE-2021-31812 | Oracle Banking Treasury Management | Infrastructure (Apache PDFBox) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 14.5 | |
CVE-2021-31812 | Oracle FLEXCUBE Universal Banking | Infrastructure (Apache PDFBox) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 14.0-14.3, 14.5 |
This Critical Patch Update contains 54 new security patches plus additional third party patches noted below for Oracle Fusion Middleware. 41 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update April 2022 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2022 Patch Availability Document for Oracle Products, My Oracle Support Note 2853458.2.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2022-21445 | Oracle Application Development Framework (ADF) | ADF Faces | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0 | See Note 1 |
CVE-2022-23305 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 5.9.0.0.0 | |
CVE-2022-23305 | Oracle Business Intelligence Enterprise Edition | BI Platform Security (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2022-23305 | Oracle Business Intelligence Enterprise Edition | Storage Service Integration (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.4.0 | |
CVE-2022-23305 | Oracle Business Process Management Suite | Runtime Engine (JBoss Enterprise Application Platform) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2022-21420 | Oracle Coherence | Core | T3 | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
CVE-2021-39275 | Oracle HTTP Server | Web Listener (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2022-23305 | Oracle Identity Management Suite | Installer (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2022-23305 | Oracle Identity Manager Connector | General and Misc (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | - | See Note 1 |
CVE-2022-23305 | Oracle JDeveloper | Oracle JDeveloper (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.3.0 | |
CVE-2022-23305 | Oracle Middleware Common Libraries and Tools | Third Party Patch (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.4.0 | |
CVE-2022-23305 | Oracle Tuxedo | Third Party Patch (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.2.0.0 | |
CVE-2022-23305 | Oracle WebLogic Server | Centralized Third Party Jars (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
CVE-2022-21404 | Helidon | Reactive WebServer | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 1.4.10, 2.0.0-RC1 | |
CVE-2021-22901 | Oracle HTTP Server | SSL Module (cURL) | HTTPS | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2022-21497 | Oracle Web Services Manager | Web Services Security | HTTP | Yes | 8.1 | Network | Low | None | Required | Un- changed |
High | High | None | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2022-21421 | Oracle Business Intelligence Enterprise Edition | Analytics Web General | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 5.5.0.0.0, 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2021-37714 | Oracle Business Process Management Suite | Installer (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2019-0227 | Oracle Internet Directory | Oracle Directory Services Mngr (Apache Axis) | HTTP | Yes | 7.5 | Adjacent Network |
High | None | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0 | See Note 2 |
CVE-2021-40690 | Oracle Outside In Technology | Installation (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 8.5.5, 8.5.6 | See Note 3 |
CVE-2021-36090 | Oracle WebCenter Portal | Security Framework (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2021-37137 | Oracle WebCenter Portal | Security Framework (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-25649 | Oracle WebCenter Portal | Security Framework (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | High | None | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2021-37714 | Oracle WebCenter Portal | Security Framework (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-7226 | Oracle WebCenter Sites | WebCenter Sites (Cryptacular) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2022-21441 | Oracle WebLogic Server | Core | T3/IIOP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
CVE-2021-44832 | Oracle Data Integrator | Runtime Java agent for ODI (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2021-44832 | Oracle Identity Management Suite | Installer (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2021-44832 | Oracle Identity Manager Connector | General and Misc (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 9.1.0 | |
CVE-2021-44832 | Oracle JDeveloper | Oracle JDeveloper (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 12.2.1.4.0 | |
CVE-2021-44832 | Oracle Managed File Transfer | MFT Runtime Server (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2021-44832 | Oracle WebCenter Portal | Security Framework (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2021-44832 | Oracle WebCenter Sites | Advanced UI (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2021-43797 | Helidon | Reactive WebServer (Netty) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | High | None | 1.4.10,2.4.0 | |
CVE-2021-30129 | Middleware Common Libraries and Tools | FMW Remote Diagnostic Agent (Apache MINA SSHD and Apache MINA) | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
CVE-2021-43797 | Oracle Coherence | Configuration and Parsing (Netty) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | High | None | 12.2.1.4.0, 14.1.1.0.0 | |
CVE-2020-24977 | Oracle HTTP Server | SSL Module (libxml2) | HTTPS | Yes | 6.5 | Network | Low | None | None | Un- changed |
Low | None | Low | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2021-44224 | Oracle HTTP Server | SSL Module (Apache HTTP Server) | HTTPS | Yes | 6.5 | Network | Low | None | None | Un- changed |
None | Low | Low | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2022-23437 | Oracle WebLogic Server | Third Party Tools (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
CVE-2022-21492 | Oracle Business Intelligence Enterprise Edition | Analytics Server | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.9.0.0.0 | |
CVE-2022-21419 | Oracle Business Intelligence Enterprise Edition | Visual Analyzer | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.5.0.0.0, 5.9.0.0.0 | |
CVE-2022-21448 | Oracle Business Intelligence Enterprise Edition | Visual Analyzer | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.9.0.0.0 | |
CVE-2022-21453 | Oracle WebLogic Server | Console | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
CVE-2021-41184 | Oracle WebLogic Server | Console, Samples (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
CVE-2020-17521 | Oracle Business Process Management Suite | BPM Studio (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Un- changed |
High | None | None | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2021-31812 | Oracle WebCenter Portal | Security Framework (Apache PDFbox) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2021-28657 | Oracle WebCenter Portal | Security Framework (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2021-41165 | Oracle WebCenter Portal | Security Framework (CKEditor) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2018-11212 | Oracle Internet Directory | Oracle Directory Services Manager (libjpeg) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2021-33037 | Oracle Managed File Transfer | MFT Runtime Server (Apache Tomcat) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | Low | None | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2021-28170 | Oracle WebLogic Server | Centralized Third Party Jars (JBoss Enterprise Application Platform) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | Low | None | 14.1.1.0.0 | |
CVE-2021-29425 | Helidon | CDI support (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 1.4.7, 2.2.0 | |
CVE-2021-29425 | Oracle WebCenter Portal | Security Framework (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 12.2.1.3.0, 12.2.1.4.0 | |
CVE-2020-8908 | Oracle WebLogic Server | Third Party Tools (Guava) | None | No | 3.3 | Local | Low | Low | None | Un- changed |
Low | None | None | 14.1.1.0.0 |
This Critical Patch Update contains 3 new security patches for Oracle Health Sciences Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2021-3711 | Oracle Health Sciences InForm Publisher | Connector (OpenSSL) | TLS | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 6.2.1.0, 6.3.1.1 | |
CVE-2021-44832 | Oracle Health Sciences Empirica Signal | Logging (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 9.1.0.6, 9.2.0.0 | |
CVE-2021-44832 | Oracle Health Sciences InForm | Cognos logging (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 6.2.1.1, 6.3.2.1, 7.0.0.0 |
This Critical Patch Update contains 10 new security patches for Oracle HealthCare Applications. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2022-23305 | Oracle Healthcare Data Repository | FHIR (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.1.0 | |
CVE-2021-36090 | Oracle Healthcare Data Repository | FHIR Commandline (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.1.0 | |
CVE-2021-44832 | Oracle Health Sciences Information Manager | Record Locator (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 3.0.1-3.0.4 | |
CVE-2021-44832 | Oracle Healthcare Data Repository | FHIR (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 8.1.1 | |
CVE-2021-44832 | Oracle Healthcare Foundation | RPD Generation (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 7.3.0.1-7.3.0.4 | |
CVE-2021-44832 | Oracle Healthcare Master Person Index | IHE (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 5.0.1 | |
CVE-2021-44832 | Oracle Healthcare Translational Research | Datastudio (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 4.1.1 | |
CVE-2021-33037 | Oracle Healthcare Translational Research | Datastudio (Apache Tomcat) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | Low | None | 4.1.0 | |
CVE-2021-29425 | Oracle Health Sciences Information Manager | Health Policy Engine (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 3.0.1-3.0.4 | |
CVE-2021-29425 | Oracle Healthcare Data Repository | FHIR Comandline (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 8.1.0 |
This Critical Patch Update contains 6 new security patches for Oracle Hospitality Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2020-13936 | Oracle Hospitality Token Proxy Service | TPS Service (Apache Velocity Engine) | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 19.2 | |
CVE-2021-37714 | Oracle Hospitality Token Proxy Service | TPS Service (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 19.2 | |
CVE-2021-44832 | Oracle Hospitality Suite8 | Leisure (Apache Log4j) | TCP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 8.13.0, 8.14.0 | |
CVE-2021-44832 | Oracle Hospitality Token Proxy Service | TPS Service (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 19.2 | |
CVE-2021-44832 | Oracle Payment Interface | OPI Core (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 19.1, 20.3 | |
CVE-2021-41184 | Oracle Hospitality Suite8 | WebConnect (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.10.2, 8.11.0-8.14.0 |
This Critical Patch Update contains 12 new security patches for Oracle Hyperion. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2022-23305 | Oracle Hyperion Data Relationship Management | Installation/Configuration (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | Prior to 11.2.8.0 | |
CVE-2022-23305 | Oracle Hyperion Infrastructure Technology | Installation and Configuration (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | Prior to 11.2.8.0 | |
CVE-2021-44832 | Oracle Hyperion BI+ | Architect (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | Prior to 11.2.8.0 | |
CVE-2021-44832 | Oracle Hyperion Data Relationship Management | Installation/Configuration (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | Prior to 11.2.8.0 | |
CVE-2021-44832 | Oracle Hyperion Financial Management | Security (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | Prior to 11.2.8.0 | |
CVE-2021-44832 | Oracle Hyperion Infrastructure Technology | Installation and Configuration (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | Prior to 11.2.8.0 | |
CVE-2021-44832 | Oracle Hyperion Planning | Security (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | Prior to 11.2.8.0 | |
CVE-2021-44832 | Oracle Hyperion Profitability and Cost Management | Install (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | Prior to 11.2.8.0 | |
CVE-2021-44832 | Oracle Hyperion Tax Provision | Tax Provision (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | Prior to 11.2.8.0 | |
CVE-2020-6950 | Oracle Hyperion Calculation Manager | General (Eclipse Mojarra) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | Prior to 11.2.8.0 | |
CVE-2021-31812 | Oracle Hyperion Infrastructure Technology | Installation and Configuration (Apache PDFbox) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | Prior to 11.2.8.0 | |
CVE-2020-7760 | Oracle Hyperion Data Relationship Management | Web Client - Unicode (CodeMirror) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | Prior to 11.2.9.0 |
This Critical Patch Update contains 1 new security patch for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2022-23437 | Oracle iLearning | Installation (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 6.2, 6.3 |
This Critical Patch Update contains 7 new security patches for Oracle Insurance Applications. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2021-2351 | Oracle Documaker | Development Tools (JDBC, OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 12.6.0, 12.6.2-12.6.4, 12.7.0 | |
CVE-2021-36090 | Oracle Insurance Policy Administration | Architecture (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.0.2, 11.1.0, 11.2.8, 11.3.0, 11.3.1 | |
CVE-2021-44832 | Oracle Insurance Data Gateway | Security (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 1.0.1 | |
CVE-2021-44832 | Oracle Insurance Insbridge Rating and Underwriting | Framework Administrator IBFA (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 5.2.0, 5.4.0-5.6.0, 5.6.1 | |
CVE-2021-35043 | Oracle Insurance Policy Administration | Architecture (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.0.2, 11.1.0, 11.2.8, 11.3.0, 11.3.1 | |
CVE-2021-29425 | Oracle Insurance Policy Administration | Architecture (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 11.0.2, 11.1.0, 11.2.8, 11.3.0, 11.3.1 | |
CVE-2021-29425 | Oracle Insurance Rules Palette | Architecture (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 11.0.2, 11.1.0, 11.2.8, 11.3.0, 11.3.1 |
This Critical Patch Update contains 7 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2022-0778 | Oracle GraalVM Enterprise Edition | Node (OpenSSL) | HTTPS | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 | |
CVE-2022-21449 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Libraries | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | High | None | Oracle Java SE: 17.0.2, 18; Oracle GraalVM Enterprise Edition: 21.3.1, 22.0.0.2 | |
CVE-2022-21476 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Libraries | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 | See Note 1 |
CVE-2022-21426 | Oracle Java SE, Oracle GraalVM Enterprise Edition | JAXP | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 | See Note 1 |
CVE-2022-21496 | Oracle Java SE, Oracle GraalVM Enterprise Edition | JNDI | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | Low | None | Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 | See Note 1 |
CVE-2022-21434 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Libraries | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | Low | None | Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 | See Note 1 |
CVE-2022-21443 | Oracle Java SE, Oracle GraalVM Enterprise Edition | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Un- changed |
None | None | Low | Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 | See Note 1 |
This Critical Patch Update contains 8 new security patches for Oracle JD Edwards. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2021-42013 | JD Edwards EnterpriseOne Tools | Upgrade SEC (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | Prior to 9.2.6.0 | |
CVE-2021-3711 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure (OpenSSL) | JDENET | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | Prior to 9.2.6.3 | |
CVE-2021-3711 | JD Edwards World Security | World Software Security (OpenSSL) | HTTPS | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | A9.4 | |
CVE-2021-2351 | JD Edwards EnterpriseOne Tools | Database and Comm SEC (OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Prior to 9.2.6.3 | |
CVE-2021-2351 | JD Edwards EnterpriseOne Tools | Monitoring and Diagnostics SEC (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Prior to 9.2.6.3 | |
CVE-2022-21464 | JD Edwards EnterpriseOne Tools | Business Logic Infra SEC | HTTP | Yes | 8.2 | Network | Low | None | None | Un- changed |
Low | None | High | Prior to 9.2.6.3 | |
CVE-2021-32066 | JD Edwards EnterpriseOne Tools | E1 Dev Platform Tech-Cloud (Ruby) | HTTP | Yes | 7.4 | Network | High | None | None | Un- changed |
High | High | None | Prior to 9.2.6.1 | |
CVE-2022-21409 | JD Edwards EnterpriseOne Tools | Web Runtime | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 9.2.6.3 |
This Critical Patch Update contains 43 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2022-23305 | MySQL Enterprise Monitor | Monitoring: General (Apache Log4j) | Multiple | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.0.29 and prior | |
CVE-2022-22965 | MySQL Enterprise Monitor | Monitoring: General (Spring Framework) | Multiple | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.0.29 and prior | See Note 1 |
CVE-2022-0778 | MySQL Connectors | Connector/C++ (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.0.28 and prior | |
CVE-2022-0778 | MySQL Connectors | Connector/ODBC (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.0.28 and prior | |
CVE-2021-42340 | MySQL Enterprise Monitor | Monitoring: General (Apache Tomcat) | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.0.29 and prior | |
CVE-2022-0778 | MySQL Enterprise Monitor | Monitoring: General (OpenSSL) | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.0.29 and prior | |
CVE-2021-22570 | MySQL Server | Server: Compiling (protobuf) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.0.28 and prior | |
CVE-2022-0778 | MySQL Server | Server: Packaging (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 5.7.37 and prior, 8.0.28 and prior | |
CVE-2022-0778 | MySQL Workbench | Workbench: libssh (OpenSSL) | MySQL Workbench | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.0.28 and prior | |
CVE-2022-23181 | MySQL Enterprise Monitor | Monitoring: General (Apache Tomcat) | Multiple | No | 7.0 | Local | High | Low | None | Un- changed |
High | High | High | 8.0.29 and prior | |
CVE-2021-44832 | MySQL Enterprise Monitor | Monitoring: General (Apache Log4j) | Multiple | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 8.0.29 and prior | |
CVE-2022-21454 | MySQL Server | Server: Group Replication Plugin | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 5.7.37 and prior, 8.0.28 and prior | |
CVE-2022-21482 | MySQL Cluster | Cluster: General | Multiple | No | 6.3 | Adjacent Network |
High | High | Required | Un- changed |
High | High | High | 8.0.28 and prior | |
CVE-2022-21483 | MySQL Cluster | Cluster: General | Multiple | No | 6.3 | Adjacent Network |
High | High | Required | Un- changed |
High | High | High | 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | |
CVE-2022-21489 | MySQL Cluster | Cluster: General | Multiple | No | 6.3 | Adjacent Network |
High | High | Required | Un- changed |
High | High | High | 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | |
CVE-2022-21490 | MySQL Cluster | Cluster: General | Multiple | No | 6.3 | Adjacent Network |
High | High | Required | Un- changed |
High | High | High | 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | |
CVE-2021-41184 | MySQL Enterprise Monitor | Monitoring: General (jQueryUI) | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.29 and prior | |
CVE-2022-21457 | MySQL Server | Server: PAM Auth Plugin | FIDO protocols | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 8.0.28 and prior | |
CVE-2022-21425 | MySQL Server | Server: DDL | MySQL Protocol | No | 5.5 | Network | Low | High | None | Un- changed |
None | Low | High | 8.0.28 and prior | |
CVE-2022-21440 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 5.5 | Network | Low | High | None | Un- changed |
None | Low | High | 8.0.28 and prior | |
CVE-2022-21459 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 5.5 | Network | Low | High | None | Un- changed |
None | Low | High | 8.0.28 and prior | |
CVE-2022-21478 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 5.5 | Network | Low | High | None | Un- changed |
None | Low | High | 8.0.28 and prior | |
CVE-2022-21479 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 5.5 | Network | Low | High | None | Un- changed |
Low | None | High | 8.0.28 and prior | |
CVE-2022-21418 | MySQL Server | InnoDB | MySQL Protocol | No | 5.0 | Network | High | High | None | Un- changed |
None | Low | High | 8.0.28 and prior | |
CVE-2022-21417 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.37 and prior, 8.0.28 and prior | |
CVE-2022-21413 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.28 and prior | |
CVE-2022-21427 | MySQL Server | Server: FTS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.37 and prior, 8.0.28 and prior | |
CVE-2022-21412 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.28 and prior | |
CVE-2022-21414 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.28 and prior | |
CVE-2022-21435 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.28 and prior | |
CVE-2022-21436 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.28 and prior | |
CVE-2022-21437 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.28 and prior | |
CVE-2022-21438 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.28 and prior | |
CVE-2022-21452 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.28 and prior | |
CVE-2022-21462 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.28 and prior | |
CVE-2022-21415 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 8.0.28 and prior | |
CVE-2022-21451 | MySQL Server | InnoDB | MySQL Protocol | No | 4.4 | Network | High | High | None | Un- changed |
None | None | High | 5.7.37 and prior, 8.0.28 and prior | |
CVE-2022-21444 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.4 | Network | High | High | None | Un- changed |
None | None | High | 5.7.37 and prior, 8.0.28 and prior | |
CVE-2022-21460 | MySQL Server | Server: Logging | MySQL Protocol | No | 4.4 | Network | High | High | None | Un- changed |
High | None | None | 5.7.37 and prior, 8.0.28 and prior | |
CVE-2022-21484 | MySQL Cluster | Cluster: General | Multiple | No | 2.9 | Adjacent Network |
High | High | Required | Un- changed |
Low | None | Low | 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | |
CVE-2022-21485 | MySQL Cluster | Cluster: General | Multiple | No | 2.9 | Adjacent Network |
High | High | Required | Un- changed |
Low | None | Low | 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | |
CVE-2022-21486 | MySQL Cluster | Cluster: General | Multiple | No | 2.9 | Adjacent Network |
High | High | Required | Un- changed |
Low | None | Low | 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior | |
CVE-2022-21423 | MySQL Server | InnoDB | MySQL Protocol | No | 2.7 | Network | Low | High | None | Un- changed |
None | None | Low | 8.0.28 and prior |
This Critical Patch Update contains 14 new security patches for Oracle PeopleSoft. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2021-3518 | PeopleSoft Enterprise PeopleTools | PeopleSoft CDA (libxml2) | HTTP | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 8.58 | |
CVE-2021-37714 | PeopleSoft Enterprise PeopleTools | Elastic Search (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 8.58, 8.59 | |
CVE-2021-40690 | PeopleSoft Enterprise PeopleTools | Security (Apache Santuario XML Security for Java) | HTTPS | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 8.58, 8.59 | |
CVE-2021-44832 | PeopleSoft Enterprise PeopleTools | Security (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 8.58, 8.59 | |
CVE-2022-21447 | PeopleSoft Enterprise CS Academic Advisement | Advising Notes | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 9.2 | |
CVE-2021-43797 | PeopleSoft Enterprise PeopleTools | Elastic Search (Netty) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | High | None | 8.58, 8.59 | |
CVE-2022-21458 | PeopleSoft Enterprise PeopleTools | Navigation Pages, Portal, Query | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.58, 8.59 | |
CVE-2022-21470 | PeopleSoft Enterprise PeopleTools | Process Scheduler | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.58, 8.59 | |
CVE-2021-4160 | PeopleSoft Enterprise PeopleTools | Security (OpenSSL) | TLS | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 8.58, 8.59 | |
CVE-2022-21481 | PeopleSoft Enterprise FIN Cash Management | Financial Gateway | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.2 | |
CVE-2021-41165 | PeopleSoft Enterprise PeopleTools | Rich Text Editor (CKEditor) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 8.58, 8.59 | |
CVE-2022-21450 | PeopleSoft Enterprise PRTL Interaction Hub | My Links | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.1 | |
CVE-2021-44533 | PeopleSoft Enterprise PeopleTools | Elastic Search (Node.js) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | Low | None | 8.58, 8.59 | |
CVE-2020-8908 | PeopleSoft Enterprise PeopleTools | File Processing (Guava) | None | No | 3.3 | Local | Low | Low | None | Un- changed |
Low | None | None | 8.58, 8.59 |
This Critical Patch Update contains 30 new security patches for Oracle Retail Applications. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2022-22965 | Oracle Retail Xstore Point of Service | Xenvironment (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 20.0.1, 21.0.0 | |
CVE-2020-13936 | Oracle Retail Xstore Office Cloud Service | Configurator (Apache Velocity Engine) | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1 | |
CVE-2021-39139 | Oracle Retail Xstore Point of Service | Xenvironment (XStream) | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1 | |
CVE-2021-40690 | Oracle Retail Bulk Data Integration | BDI Job Scheduler (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 16.0.3 | |
CVE-2021-37714 | Oracle Retail Customer Management and Segmentation Foundation | Segment (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 17.0-19.0 | |
CVE-2021-40690 | Oracle Retail Financial Integration | PeopleSoft Integration Bugs (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | |
CVE-2021-40690 | Oracle Retail Integration Bus | RIB Kernal (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | |
CVE-2021-40690 | Oracle Retail Merchandising System | Foundation (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 16.0.3, 19.0.1 | |
CVE-2021-40690 | Oracle Retail Service Backbone | RSB Installation (Apache Santuario XML Security For Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | |
CVE-2019-10086 | Oracle Retail Invoice Matching | Security (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Un- changed |
Low | Low | Low | 16.0.3 | |
CVE-2021-44832 | Oracle Retail Customer Insights | Other (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 15.0.2, 16.0.2 | |
CVE-2021-44832 | Oracle Retail Data Extractor for Merchandising | Installer (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 15.0.2, 16.0.2 | |
CVE-2021-44832 | Oracle Retail EFTLink | Installation (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 17.0.2, 18.0.1, 19.0.1, 20.0.1, 21.0.0 | |
CVE-2021-44832 | Oracle Retail Financial Integration | PeopleSoft Integration Bugs (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 | |
CVE-2021-44832 | Oracle Retail Integration Bus | RIB Kernal (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 | |
CVE-2021-44832 | Oracle Retail Merchandising System | Foundation (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 16.0.3, 19.0.1 | |
CVE-2021-44832 | Oracle Retail Service Backbone | RSB Installation (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 | |
CVE-2021-44832 | Oracle Retail Store Inventory Management | SIM Integration (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 14.0.4.13, 14.1.3.14, 14.1.3.5, 15.0.3.3, 15.0.3.8, 16.0.3.7 | |
CVE-2022-23437 | Oracle Retail Bulk Data Integration | BDI Job Scheduler (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 16.0.3 | |
CVE-2021-30129 | Oracle Retail Customer Management and Segmentation Foundation | Segment (Apache MINA SSHD) | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 18.0, 19.0 | |
CVE-2022-23437 | Oracle Retail Extract Transform and Load | Mathematical Operators (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 13.2.8 | |
CVE-2022-23437 | Oracle Retail Financial Integration | PeopleSoft Integration Bugs (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | |
CVE-2022-23437 | Oracle Retail Integration Bus | RIB Kernal (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | |
CVE-2022-23437 | Oracle Retail Merchandising System | Foundation (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 16.0.3, 19.0.1 | |
CVE-2022-23437 | Oracle Retail Service Backbone | RSB Installation (Apache Xerces-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | |
CVE-2021-36374 | Oracle Retail EFTLink | Installation (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 19.0.1, 20.0.1 | |
CVE-2021-36374 | Oracle Retail Invoice Matching | Security (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 16.0.3 | |
CVE-2021-36374 | Oracle Retail Xstore Point of Service | Xenvironment (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1 | |
CVE-2021-31812 | Oracle Retail Xstore Point of Service | Xstore Office (Apache PDFbox) | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1 | |
CVE-2021-34429 | Oracle Retail EFTLink | Framework (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 20.0.1 |
This Critical Patch Update contains 11 new security patches for Oracle Supply Chain. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2022-23305 | Oracle Advanced Supply Chain Planning | MscObieeSrvlt (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.1, 12.2 | |
CVE-2022-22965 | Oracle Product Lifecycle Analytics | Installer (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 3.6.1.0 | |
CVE-2021-42340 | Oracle Agile PLM | Security (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 9.3.6 | |
CVE-2021-44832 | Oracle Agile Engineering Data Management | Installation Issues (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 6.2.1.0 | |
CVE-2021-44832 | Oracle Agile PLM | Security (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 9.3.6 | |
CVE-2021-44832 | Oracle Agile PLM MCAD Connector | CAX Client (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 3.6 | |
CVE-2021-44832 | Oracle Autovue for Agile Product Lifecycle Management | Internal Operations (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 21.0.2 | |
CVE-2022-21467 | Oracle Agile PLM | Attachments | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 9.3.6 | |
CVE-2022-21480 | Oracle Transportation Management | User Interface | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 6.4.3, 6.5.1 | |
CVE-2021-41165 | Oracle Agile PLM | Security (CKEditor) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.3.6 | |
CVE-2021-29425 | Oracle Agile PLM | Security (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 9.3.6 |
This Critical Patch Update contains 3 new security patches for Oracle Support Tools. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2021-30129 | OSS Support Tools | Diagnostic Assistant (Apache MINA SSHD) | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 2.12.42 | |
CVE-2021-41973 | OSS Support Tools | Diagnostic Assistant (Apache MINA) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 2.12.42 | |
CVE-2022-21405 | OSS Support Tools | Oracle Explorer | None | No | 5.5 | Local | Low | High | Required | Changed | High | None | None | 18.3 |
This Critical Patch Update contains 20 new security patches for Oracle Systems. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2019-17195 | Oracle Solaris Cluster | Tools (Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 4 | |
CVE-2021-39275 | Oracle ZFS Storage Appliance Kit | Operating System Image | Multiple | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.8 | |
CVE-2021-2351 | Oracle StorageTek ACSLS | Software (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 8.5.1 | |
CVE-2021-2351 | Oracle StorageTek Tape Analytics (STA) | Application Server (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 2.4 | |
CVE-2022-21446 | Oracle Solaris | Utility | Multiple | Yes | 8.2 | Network | Low | None | None | Un- changed |
Low | High | None | 11 | |
CVE-2020-11979 | Oracle StorageTek ACSLS | Software (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | High | None | 8.5.1 | |
CVE-2020-11979 | Oracle StorageTek Tape Analytics (STA) | Core (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | High | None | 2.4 | |
CVE-2020-6950 | Oracle Solaris Cluster | Tools (Eclipse Mojarra) | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 4 | |
CVE-2020-5421 | Oracle StorageTek ACSLS | Software (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 8.5.1 | |
CVE-2019-3740 | Oracle StorageTek ACSLS | Software (RSA BSAFE Crypto-J) | HTTPS | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 8.5.1 | |
CVE-2020-11022 | Oracle StorageTek ACSLS | Software (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.5.1 | |
CVE-2022-21493 | Oracle Solaris | Kernel | None | No | 5.9 | Local | Low | Low | Required | Changed | None | None | High | 11 | |
CVE-2022-21461 | Oracle Solaris | Kernel | None | No | 5.5 | Local | Low | Low | None | Un- changed |
High | None | None | 11 | |
CVE-2022-21463 | Oracle Solaris | Kernel | None | No | 5.5 | Local | Low | Low | None | Un- changed |
None | None | High | 11 | |
CVE-2022-21416 | Oracle Solaris | Utility | None | No | 5.0 | Local | Low | Low | Required | Un- changed |
None | High | None | 11 | |
CVE-2021-29425 | Oracle Solaris Cluster | Tools (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 4 | |
CVE-2022-21494 | Oracle Solaris | Kernel | None | No | 4.0 | Local | High | High | Required | Un- changed |
None | None | High | 11 | |
CVE-2020-1968 | Oracle Ethernet Switch ES1-24 | Firmware (OpenSSL) | HTTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 1.3.1 | |
CVE-2020-1968 | Oracle Ethernet Switch TOR-72 | Firmware (OpenSSL) | HTTPS | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 1.2.2 | |
CVE-2020-9488 | Oracle StorageTek ACSLS | Software (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Un- changed |
Low | None | None | 8.5.1 |
This Critical Patch Update contains 1 new security patch for Oracle Taleo. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2021-44832 | Oracle Taleo Platform | Taleo Connect Client Installer (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | Prior to 22.1 |
This Critical Patch Update contains 1 new security patch for Oracle Utilities Applications. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2021-44832 | Oracle Utilities Framework | General (Apache Log4j) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0 |
This Critical Patch Update contains 6 new security patches for Oracle Virtualization. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2021-40438 | Oracle Secure Global Desktop | Web Server (Apache HTTP Server) | HTTP | Yes | 9.0 | Network | High | None | None | Changed | High | High | High | 5.6 | |
CVE-2022-21491 | Oracle VM VirtualBox | Core | None | No | 7.8 | Local | Low | Low | None | Un- changed |
High | High | High | Prior to 6.1.34 | See Note 1 |
CVE-2022-21465 | Oracle VM VirtualBox | Core | None | No | 6.7 | Local | Low | High | None | Changed | None | Low | High | Prior to 6.1.34 | |
CVE-2022-21471 | Oracle VM VirtualBox | Core | None | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | Prior to 6.1.34 | |
CVE-2022-21487 | Oracle VM VirtualBox | Core | None | No | 3.8 | Local | Low | Low | None | Changed | Low | None | None | Prior to 6.1.34 | |
CVE-2022-21488 | Oracle VM VirtualBox | Core | None | No | 3.8 | Local | Low | Low | None | Changed | None | Low | None | Prior to 6.1.34 |