New Oracle update fixes 520 vulnerabilities in 12 products: Three critical flaws with CVSS scores of 10 and 70 flaws with scores of 9.8/10

In its quarterly Critical Patch Update (CPU), Oracle has included a total of 520 patches to address all sorts of vulnerabilities. This update fixes security flaws in dozens of products, with special focus on three bugs that received critical scores according to the Common Vulnerability Scoring System (CVSS).

Oracle recommends its users update their products as soon as possible, as the company has received dozens of reports of exploitation attempts: “In some cases, it has been reported that hackers have exploited these flaws successfully, as customers have not applied the available patches.”

Of the critical flaws detected, the first two reside in Oracle Communications Cloud Native Core Network Exposure Function; both were tracked as CVE-2022-22947 and received CVSS scores of 10. In addition, CVE-2022-21431 resides in Oracle Communications Billing and Revenue Management and also received a CVSS score of 10.

Eric Maurice, Oracle’s vice president of security assurance, says the updates will be applied across a wide range of products, including its blockchain platform and Oracle Virtualization.

Of the 520 patches available, Oracle Communications products received 149, 98 of which could be exploited remotely and without authentication. Oracle Financial Services applications received 41 patches, with 19 of them being exploitable remotely.

Oracle Fusion Middleware will receive 54 patches, 41 of them for flaws exploitable remotely without authentication. Another 13 vulnerabilities have a CVSS score of 9.8/10 and affect products such as Oracle Business Intelligence Enterprise Edition, Oracle Business Process Management Suite, Oracle Coherence, Oracle HTTP Server and other company products. Oracle MySQL received 43 patches, of which 11 address flaws that can be exploited remotely without authentication, with another product severely affected by these flaws.

Oracle Retail applications received 30 patches, 15 of which address flaws that can be exploited remotely without authentication. Oracle Retail Xstore Point of Service is affected by a bug with a CVSS score of 9.8/10, tracked as CVE-2022-22965. The Oracle Blockchain platform received 15 updates, 14 of which address flaws exploitable remotely without authentication. This product is also affected by a flaw with a CVSS score of 9.8/10 that affects its nginx backend.

Finally, Oracle E-Business Suite Cloud Manager and Cloud Backup Module are also affected by a flaw with a CVSS score of 9.8/10 linked to the Log4j component.
