Oracle Releases January 2022 Critical Patch Update
Scheduled updates for multiple Oracle Products
Summary
Scheduled updates for multiple Oracle Products
Affected platforms
The following platforms are known to be affected:
The following platforms are also known to be affected:
Multiple other platforms are affected. Please review the Oracle Critical Patch Update Advisory - January 2022 for more information.
Threat details
Introduction
Oracle has released its Critical Patch Update for January 2022 to address 497 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
Note: Oracle released a Security Alert on 10 December 2021 for Log4Shell, covering the Apache Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046. Affected organisations should review the alert in conjunction with the Critical Patch Update Advisory - January 2022 and apply any relevant updates.
CVE-2021-35587 in Oracle Fusion Middleware is Being Actively Exploited
CISA has added a vulnerability in the Oracle Fusion Middleware product to its Known Exploited Vulnerabilities Catalog. This vulnerability could allow a threat actor with network access to take control of Oracle Access Manager. CVE-2021-35587 has been given a CVSS 3.1 Base Score of 9.8.
Threat updates
| Date | Update |
|---|---|
| 29 Nov 2022 | CISA Adds CVE-2021-35587 to Known Exploited Vulnerabilities Catalog: A vulnerability in the Oracle Fusion Middleware has been added to the CISA Known Exploited Vulnerabilities Catalog. This article has been updated to reflect this change. |
Remediation advice
Affected organisations are encouraged to review the Oracle January 2022 Critical Patch Update and apply the necessary updates.
Definitive source of threat updates
Last edited: 29 November 2022 2:41 pm