Oracle Critical Update
This live blog contains information regarding the Oracle Critical Patch Update dated July 2022. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on July 21, 2022.

Update July 21, 2022
15:00 | On July 18, 2022, Oracle released its most recent quarterly Critical Patch Update, containing 349 new security patches across several product families. In total, 188 CVEs are addressed. The most severe vulnerabilities reside in the following products:
- Oracle Commerce
- Oracle Communications
- Oracle Fusion Middleware
- Oracle Retail Applications
We advise checking the Oracle advisory and, if your products are listed, applying the required patches as soon as possible.
Background
With the July Critical Patch Update, Oracle released 349 security updates across its product families, fixing 188 vulnerabilities. CVE-2022-22947 has a CVSS score of 10, the highest possible rating. In addition, 25 vulnerabilities have a rating of 9.8. The CVSS scale runs from 0 to 10; a score of 9.8 or higher is rare and implies a high likelihood of exploitation combined with a high impact. In this article we highlight three of these vulnerabilities, as they are being exploited in the wild.
Risk
The three highlighted vulnerabilities allow a remote, unauthenticated attacker to execute code. There is evidence that these vulnerabilities are being exploited in the wild.
- CVE-2022-22947 – CVSS score 10
- CVE-2022-22965 – CVSS score 9.8
- CVE-2018-1273 – CVSS score 9.8
The other 23 vulnerabilities with a CVSS score of 9.8 also imply a significant risk. Please review the Oracle advisory for full details on all products and corresponding vulnerabilities.
It is recommended to install the patch if one is available for your product(s). When a patch is not available for a given vulnerability, the following general advice applies:
- Apply a workaround, if one is provided by the supplier
- Restrict network access to the system until a patch is available
Advice
CISA has listed these three vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog. A vulnerability listed in the KEV catalog is known to be actively exploited in the wild. All three vulnerabilities are related to previous vulnerabilities in the Spring Framework, about which we published an article earlier: Spring framework vulnerabilities.
These vulnerabilities reside in the following products:
- Oracle Commerce
- Oracle Communications
- Oracle Fusion Middleware
- Oracle Retail Applications
Oracle has published an advisory listing the affected products and versions. The advice is to check whether you are using these products and to install the available patches. The Oracle advisory can be found here.