On April 19, 2022, Oracle issued its Critical Patch Update advisory for April 2022. This security update fixes 520 vulnerabilities. Among them, Oracle Fusion Middleware receives 54 vulnerability patch updates; the affected products include Oracle WebLogic Server, Oracle Access Manager, Oracle Business Intelligence Enterprise Edition, Oracle Business Activity Monitoring, and others, and 41 of these vulnerabilities can be exploited remotely without authentication. Three bugs carry a CVSS score of 10, including CVE-2022-21431 and CVE-2022-22947.
Some critical vulnerabilities
Oracle Weblogic Server
The new patches for WebLogic fix multiple vulnerabilities that allow an unauthenticated attacker to send crafted malicious requests over the HTTP or T3 protocol in order to execute code or steal critical data in Oracle WebLogic Server.
- CVE-2022-23305: An unauthenticated attacker sends malicious requests over the HTTP protocol and eventually takes control of the server, with a CVSS score of 9.8.
- CVE-2022-21420: An unauthenticated attacker sends malicious requests over the T3 protocol and eventually takes control of the server, with a CVSS score of 9.8.
Oracle Communications
This Critical Patch Update contains 39 new security patches for Oracle Communications. Twenty-two of these vulnerabilities can be exploited remotely without authentication.
- CVE-2022-21431: An unauthenticated attacker sends malicious requests over the TCP protocol and eventually takes over Oracle Communications Billing and Revenue Management, with a CVSS score of 10.
- CVE-2022-23990: An unauthenticated attacker sends malicious requests over the HTTP protocol and, after user interaction, takes over Oracle Communications MetaSolv Solution, with a CVSS score of 9.8.
Oracle Communications Applications
This Critical Patch Update contains 39 new security patches for Oracle Communications Applications. Twenty-two of these vulnerabilities can be exploited remotely without authentication.
- CVE-2020-13936: An unauthenticated attacker can send malicious requests over HTTP and eventually take over Oracle Communications Network Integrity, with a CVSS score of 8.8.
- CVE-2022-21430: An unauthenticated attacker can send malicious requests over TCP and eventually take over Oracle Communications Billing and Revenue Management, with a CVSS score of 8.5.
Oracle Financial Services Applications
This Critical Patch Update contains 41 new security patches for Oracle Financial Services Applications. 19 of these vulnerabilities can be exploited remotely without authentication, meaning that they can be exploited over a network without user credentials.
- CVE-2022-22965: An unauthenticated attacker can send malicious requests over HTTP and eventually take over Oracle Financial Services Analytical Applications Infrastructure, with a CVSS score of 9.8.
- CVE-2021-2351: An unauthenticated attacker can send malicious requests through Oracle Net and eventually take over Oracle Banking Enterprise Default Management, with a CVSS score of 8.3.