Threat Response – Oracle critical patch update advisory

20-01-2022

On Wednesday, January 19, Oracle released 497 security patches for a variety of vulnerabilities in various Oracle products as part of their first patch round of 2022. Most of the vulnerabilities are in communications software, financial applications, MySQL, and retail applications. Multiple vulnerabilities in Oracle’s communications software have a CVSS3.1 score of 10. In addition, there are vulnerabilities in Oracle Essbase with a maximum CVSS3.1 score of 9.9. Furthermore, there are several products with vulnerabilities that have a CVSS3.1 score of 9.8. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

We recommend installing these patches as soon as possible.

Description

On January 19, Oracle released security patches during its first quarterly update round. In total, Oracle has fixed 497 vulnerabilities with this security update. Given the large number of vulnerabilities within various Oracle products, we advise you to find out which Oracle products your organisation uses and to patch them as soon as possible. Oracle has published a complete overview of all vulnerabilities fixed [1]. Below, we mention the categories of the vulnerable products:

  • Oracle Database Server
  • Oracle Airlines Data Model
  • Oracle Big Data Graph
  • Oracle Communications
  • Oracle Essbase
  • Oracle GoldenGate
  • Oracle Graph Server & Client
  • Oracle NoSQL Database
  • Oracle REST Data Services
  • Oracle Secure Backup
  • Oracle Spatial Studio
  • Oracle TimesTen In-Memory Database
  • Oracle Commerce
  • Oracle Construction & Engineering
  • Oracle E-Business Suite
  • Oracle Enterprise Manager
  • Oracle Financial Services
  • Oracle Food & Beverage Applications
  • Oracle Fusion Middleware
  • Oracle Health Sciences Applications
  • Oracle Health Care Applications
  • Oracle Hospitality Applications
  • Oracle Hyperion
  • Oracle iLearning
  • Oracle Insurance Applications
  • Oracle Java SE
  • Oracle JD Edwards
  • Oracle MySQL
  • Oracle PeopleSoft
  • Oracle Policy Automation
  • Oracle Retail Applications
  • Oracle Siebel CRM
  • Oracle Supply Chain
  • Oracle Support Tools
  • Oracle Systems
  • Oracle Utilities Applications
  • Oracle Virtualization

Impact

From the list of vulnerabilities, many have been identified as critical. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. That is why we consider the risk high. For all vulnerabilities addressed within the Oracle products, the corresponding CVEs and impact scores are published by Oracle [1].

Risk

There is currently no public exploit code available for the three mentioned vulnerabilities (and others), but we expect these to be available soon. We assess the risk as high.

Mitigation

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

What should you do?

Install the latest security updates from Oracle.

What will Northwave do?

Northwave will monitor developments around these vulnerabilities. When possible, we will add detection rules around these vulnerabilities to the Northwave Detection Platform. We will reach out to you again if there are important updates, including if the threat posed by this activity increases. If you have any questions or require any additional information please reach out to us by phone or email.

E-mail: [email protected]

Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (only from within the Netherlands).

Disclaimer applies, see below.

Sources:

[1] https://www.oracle.com/security-alerts/cpujan2022.html

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.