Oracle Critical Security Updates January 2022

Oracle has released 497 new security patches for various product families, including Oracle Communications, Oracle MySQL, Oracle Financial Services Applications, and Oracle Retail Applications, among others. The advisory covers multiple products that are affected by many vulnerabilities. A vulnerability management tool can help detect these vulnerabilities.

Oracle Communications has received 84 new security patches; 50 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without user credentials. CVE-2021-23440, CVE-2021-21783, CVE-2021-32827, and CVE-2021-27568 are considered the most critical, with base scores of 9.8, 9.8, 9.6, and 9.1, respectively. These vulnerabilities can be patched using a patch management tool.

Oracle MySQL has received 78 new security patches; 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. CVE-2021-22946, CVE-2021-3712, and CVE-2021-3712 are considered the most critical, with base scores of 7.5, 7.4, and 7.4, respectively.

Oracle Critical Security Updates January 2022 Summary

Oracle Database Server

Affected Components: Oracle Application Express (CKEditor), Java VM, Oracle Application Express (Prism), Core RDBMS
CVEs: CVE-2021-37695, CVE-2022-21393, CVE-2021-32723, CVE-2022-21247

Oracle Airlines Data Model

Products: Oracle Airlines Data Model
Affected Components: Installation (JDBC)
CVEs: CVE-2021-2351

Oracle Big Data Graph

Products: Big Data Spatial and Graph
Affected Components: Big Data Graph (JDBC), Big Data Graph (Apache Tomcat)
CVEs: CVE-2021-2351, CVE-2021-30639

Oracle Communications Data Model

Products: Oracle Communications Data Model
Affected Components: Utilities (JDBC)
CVEs: CVE-2021-2351

Oracle Essbase

Products: Oracle Essbase Administration Services, Oracle Essbase
Affected Components: EAS Console, Infrastructure (OpenSSL), Build (cURL), Infrastructure (mod_auth_openidc)
CVEs: CVE-2021-35683, CVE-2021-3711, CVE-2021-22901, CVE-2021-20718

Oracle GoldenGate

Products: Oracle GoldenGate
Affected Components: GG Market Place for Support (nginx), Database (OCCI), Build Request (Apache Xerces-C++)
CVEs: CVE-2021-23017, CVE-2021-2351, CVE-2018-1311

Oracle Graph Server and Client

Products: Oracle Graph Server and Client
Affected Components: Packaging/install issues (JDBC), Packaging/Install (Apache Tomcat)
CVEs: CVE-2021-2351, CVE-2021-33037

Oracle NoSQL

Products: Oracle NoSQL Database
Affected Components: Administration (Netty)
CVEs: CVE-2021-21409

Oracle REST Data Services

Products: Oracle REST Data Services
Affected Components: General (Eclipse Jetty), General (SheetJS)
CVEs: CVE-2021-28165, CVE-2021-32014

Oracle Secure Backup

Products: Oracle Secure Backup
Affected Components: Oracle Secure Backup (Apache HTTP Server), Oracle Secure Backup (OpenSSL)
CVEs: CVE-2021-26691, CVE-2021-3712

Oracle Spatial Studio

Products: Oracle Spatial Studio
Affected Components: Install (JDBC)
CVEs: CVE-2021-2351

Oracle TimesTen In-Memory Database

Products: Oracle TimesTen In-Memory Database
Affected Components: EM TimesTen plug-in (JDBC,OCCI), EM TimesTen plug-in (Go), Install (Go), TimesTen Infrastructure (Apache ZooKeeper), Install (Apache Ant)
CVEs: CVE-2021-2351, CVE-2021-29923, CVE-2021-29923, CVE-2020-7712, CVE-2020-11979

Oracle Commerce

Products: Oracle Commerce Platform, Oracle Commerce Guided Search
Affected Components: Dynamo Application Framework (JDBC), Content Acquisition System (Apache Commons Compress), Content Acquisition System (Netty), Endeca Application Controller (Apache Tomcat), Dynamo Application Framework, Content Acquisition System (Apache Commons IO)
CVEs: CVE-2021-2351, CVE-2021-36090, CVE-2021-37137, CVE-2020-13935, CVE-2022-21387, CVE-2021-29425

Oracle Communications Applications

Products: Oracle Communications Billing and Revenue Management, Oracle Communications BRM – Elastic Charging Engine, Oracle Communications Unified Inventory Management, Oracle Communications Calendar Server, Oracle Communications Contacts Server, Oracle Communications Convergent Charging Controller, Oracle Communications Design Studio, Oracle Communications Network Charging and Control, Oracle Communications Network Integrity, Oracle Communications Convergence, Oracle Communications Instant Messaging Server, Oracle Communications Offline Mediation Controller, Oracle Communications Pricing Design Center, Oracle Communications Unified Inventory Management, Oracle Communications Messaging Server, Oracle Communications Offline Mediation Controller
Affected Components: Connection Manager, Webservices Manager, Updater (XStream), Rulesets (XStream), Administration (JDBC), Database (JDBC), ACS (JDBC), OSM, NI Plugins (JDBC), Installer (JDBC), Messaging (Bouncy Castle Java Library), PresenceApi (jackson-databind), Installer (jackson-databind), TMF API (Spring Framework), Pipeline Manager, DBPlugin (Apache Tomcat), ISC (jsoup), Inventory Organizer (Apache Commons Compress), Message Store (Apache Commons BeanUtils), Inventory (Apache Commons BeanUtils), Inventory (Spring Framework), Build Tool (Apache Ant), Charging Controller (Apache Commons IO), Convergence Server (Apache Commons IO), Installation (Apache Commons IO), General Framework, On-Premise Install
CVEs: CVE-2022-21275, CVE-2022-21389, CVE-2022-21390, CVE-2022-21276, CVE-2022-21276, CVE-2022-21391, CVE-2021-39139, CVE-2021-29505, CVE-2021-2351, CVE-2020-28052, CVE-2020-24750, CVE-2021-22118, CVE-2022-21266, CVE-2021-25122, CVE-2021-37714, CVE-2021-36090, CVE-2019-10086, CVE-2020-5421, CVE-2021-36374, CVE-2021-29425, CVE-2022-21338, CVE-2022-21267, CVE-2022-21268, CVE-2022-21388

Oracle Communications

Products: Oracle Communications Cloud-Native Core Policy, Oracle Communications EAGLE Application Processor, Oracle Communications Cloud-Native Core Binding Support Function, Oracle Communications Cloud-Native Core Network Repository Function, Oracle Communications Cloud-Native Core Security Edge Protection Proxy, Oracle Communications Cloud-Native Core Service Communication Proxy, Oracle Communications Cloud-Native Core Unified Data Repository, Oracle Communications Session Border Controller, Oracle Enterprise Session Border Controller, Oracle Communications Cloud-Native Core Network Function Cloud Native Environment, Oracle Communications Cloud-Native Core Policy, Oracle Communications Diameter Signaling Router, Oracle SD-WAN Edge, Oracle Communications Operations Monitor, Oracle Communications Services Gatekeeper, Oracle Communications Interactive Session Recorder, Oracle Enterprise Session Border Controller, Oracle Communications EAGLE Application Processor, Oracle Communications Services Gatekeeper, Oracle Communications Cloud-Native Core Network Repository Function, Oracle Communications Service Broker, Oracle Communications WebRTC Session Controller, Oracle Enterprise Communications Broker, Oracle SD-WAN Aware, Oracle Communications Cloud-Native Core Automated Test Suite
Affected Components: Policy (set-value), Platform (gSOAP), Policy (MockServer), Policy (netplex json-smart), Binding Support Function (XStream), NRF (SQLite), Policy (Apache Velocity Engine), Policy (Kotlin), Platform (Perl), Signaling (XStream), Policy (jackson-databind), Binding Support Function (Spring Framework), Policy (Spring Framework), SEPP (Spring Framework), SCP (Spring Framework), UDR (Spring Framework), Core (Kernel), WebUI, Binding Support Function (Apache Tomcat), Binding Support Function (Netty), Configuration (libgcrypt), Policy (Apache Thrift), Policy (Apache Tomcat), Policy (Eclipse Jetty), Policy (Spring Security), Policy (glob-parent), SEPP (Apache Tomcat), SCP (Apache Commons Compress), UDR (Apache Commons Compress), API Gateway (Netty), Platform (Apache Tomcat), Management (Apache Tomcat), Binding Support Function (Lodash), Mediation Engine, Policy service (Lodash), Platform (PHP), Virtual Network Function Manager, API Gateway (Apache Log4j), RSS (Apache Log4j), Mediation Engine, WebUI, Platform (jQuery), API Portal (jQuery), Console (Netty), Network Repository Function (XNIO), SEPP (XNIO), SEPP (aaugustin websockets), SEPP (glibc), SCP (XNIO), SCP (aaugustin websockets), UDR (XNIO), UDR (aaugustin websockets), Integration (Apache Log4j), API Portal (Apache Log4j), Signaling Engine, Media Engine (Apache Log4j), Binding Support Function (Python), Routing (nginx), SCP (glibc), Binding Support Function (Eclipse Jetty), SEPP (Eclipse Jetty), SCP (Apache HttpClient), SCP (Apache Tomcat), SCP (Eclipse Jetty), SCP (Kotlin), UDR (Eclipse Jetty), API Gateway (Eclipse Jetty), Management (PHP), SCP (Kubernetes API), UDR (Kubernetes API), ATS Framework (Python), NRF (Apache Commons IO), UDR (Apache Commons IO), Log, Configuration (dnsmasq), UDR (Guava)
CVEs: CVE-2021-23440, CVE-2021-21783, CVE-2021-32827, CVE-2021-27568, CVE-2021-39139, CVE-2019-13734, CVE-2020-13936, CVE-2020-15824, CVE-2020-10878, CVE-2021-39153, CVE-2020-36189, CVE-2021-22118, CVE-2021-33909, CVE-2022-21382, CVE-2022-21382, CVE-2020-17527, CVE-2021-37137, CVE-2021-33560, CVE-2020-13949, CVE-2020-17527, CVE-2021-28165, CVE-2021-28165, CVE-2021-22119, CVE-2020-28469, CVE-2021-25122, CVE-2021-36090, CVE-2021-37137, CVE-2021-42340, CVE-2021-23337, CVE-2022-21395, CVE-2021-21703, CVE-2021-44832, CVE-2022-21399, CVE-2022-21401, CVE-2022-21403, CVE-2022-21381, CVE-2020-11022, CVE-2021-21409, CVE-2020-14340, CVE-2021-33880, CVE-2021-3326, CVE-2021-45105, CVE-2021-3426, CVE-2021-23017, CVE-2020-27618, CVE-2022-21246, CVE-2022-21396, CVE-2022-21397, CVE-2022-21398, CVE-2022-21400, CVE-2021-34429, CVE-2020-13956, CVE-2021-33037, CVE-2021-34429, CVE-2020-29582, CVE-2021-21705, CVE-2020-8554, CVE-2021-29921, CVE-2021-29425, CVE-2022-21402, CVE-2022-21383, CVE-2021-3448, and CVE-2020-8908

Oracle Construction and Engineering

Products: Instantis EnterpriseTrack, Primavera Unifier, Primavera Analytics, Primavera Data Warehouse, Primavera P6 Enterprise Project Portfolio Management, Primavera Gateway, Primavera Portfolio Management
Affected Components: Core (Apache HTTP Server), Platform, Data Persistence (OWASP Java HTML Sanitizer), ETL (JDBC), Web Access (JDBC), API component of P6 Pro (JDBC), Platform, Data Access, Data Persistence (JDBC), Platform, Data Parsing (jsoup), Admin (Apache Log4j), Web Access (Apache Log4j), Logging (Apache Log4j), Web Access, Event Streams and Communications (Apache Kafka), Web API, Platform (Apache Commons IO), and Data Service (Guava)
CVEs: CVE-2021-44790, CVE-2021-42575, CVE-2021-2351, CVE-2021-37714, CVE-2021-44832, CVE-2021-44832, CVE-2022-21269, CVE-2021-45105, CVE-2021-38153, CVE-2022-21377, CVE-2022-21242, CVE-2022-21376, CVE-2022-21281, CVE-2021-29425, CVE-2022-21243, CVE-2022-21244, CVE-2020-8908

Oracle E-Business Suite

Products: Oracle Configurator, Oracle Project Costing, Oracle Sourcing, Oracle Trade Management, Oracle Installed Base, Oracle Time and Labor, Oracle iStore, Oracle Partner Management
Affected Components: UI Servlet, Expenses, Currency Override, Intelligence, RFx Creation, GL Accounts, Instance Main, Timecard (Apache Commons Beanutils), Timecard (Eclipse Mojarra), User Interface, and Reseller Locator
CVEs: CVE-2022-21255, CVE-2022-21273, CVE-2022-21274, CVE-2022-21250, CVE-2022-21251, CVE-2019-10086, CVE-2020-6950, CVE-2022-21354, CVE-2022-21373

Oracle Enterprise Manager

Products: Enterprise Manager Ops Center, Application Performance Management, Enterprise Manager Base Platform, Enterprise Manager Ops Center, Oracle Application Testing Suite, and Oracle Real User Experience Insight
Affected Components: Networking (Python), End User Experience Management (JDBC), Networking (JDBC), Load Testing for Web Apps (JDBC, OCCI), End User Experience Management (OCCI), Policy Framework
CVEs: CVE-2021-3177, CVE-2021-2351, CVE-2022-21392

Oracle Financial Services Applications

Products: Oracle Banking APIs, Oracle Banking Digital Experience, Oracle Banking Deposits and Lines of Credit Servicing, Oracle Banking Enterprise Default Management, Oracle Banking Loans Servicing, Oracle Banking Party Management, Oracle Banking Platform, Oracle Financial Services Analytical Applications Infrastructure, Oracle Financial Services Behavior Detection Platform, Oracle Financial Services Enterprise Case Management, Oracle Financial Services Foreign Account Tax Compliance Act Management, Oracle Financial Services Model Management and Governance, Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, Oracle FLEXCUBE Investor Servicing, and Oracle FLEXCUBE Private Banking
Affected Components: Framework (Swagger UI), Web UI (Apache Velocity Engine), Collections (Apache Velocity Engine), Security (Apache Velocity Engine), Framework (JDBC), Rate Management (JDBC), Third Party (JDBC), Installers (JDBC), Installation (JDBC), Installer & Configuration (JDBC), User Interface (JDBC), Infrastructure Code (JDBC), Miscellaneous (JDBC), Framework (Apache Batik), Others (Spring Framework), Framework (Apache Commons Compress), Framework (jackson-databind), Framework (Netty), Collections (Apache Commons Compress), Web UI (Apache Commons Compress), Collections (AntiSamy), Collections (CKEditor), Web UI (AntiSamy), SECURITY (AntiSamy), Others (Apache Log4j), Installer & Configuration (Apache Log4j), Framework (CKEditor), Web UI (CKEditor), Others (CKEditor), Framework (Apache Ignite), Unified Metadata Manager, Framework (Apache Commons IO), Collections (Apache Commons IO), Web UI (Apache Commons IO), Security (Apache Commons IO), Others (Apache Commons IO), Installer & Configuration (Apache Commons IO), and Unified Metadata Manager
CVEs: CVE-2019-17495, CVE-2020-13936, CVE-2021-2351, CVE-2020-11987, CVE-2021-22118, CVE-2021-36090, CVE-2020-25649, CVE-2021-37137, CVE-2021-35043, CVE-2020-9281, CVE-2021-35043, CVE-2021-45105, CVE-2021-41165, CVE-2021-37695, CVE-2021-28164, CVE-2021-35687, CVE-2021-29425, and CVE-2021-35686

Oracle Food and Beverage Applications

Products: Oracle Hospitality Reporting and Analytics
Affected Components: Reporting (Apache Commons BeanUtils)
CVEs: CVE-2019-10086

Oracle Fusion Middleware

Products: Oracle Access Manager, Oracle Business Intelligence Enterprise Edition, Oracle WebLogic Server, Oracle HTTP Server, Oracle Business Activity Monitoring, Oracle Data Integrator, Oracle Enterprise Data Quality, Oracle Fusion Middleware, Oracle BI Publisher, Oracle Business Process Management Suite, Oracle WebLogic Server, Oracle Managed File Transfer, Oracle WebCenter Portal, and Oracle Fusion Middleware MapViewer
Affected Components: OpenSSO Agent, Installation (Apache Struts2), Core, OSSL Module (Apache HTTP Server), Centralized Third-party Jars (XStream), Runtime Java agent for ODI (JDBC), General (JDBC), Centralized Third-party Jars (JDBC, OCCI, ODP for .NET), BI Publisher Security, Analytics Web Answers (Apache Batik), Installer (Apache Commons Compress), Centralized Third-party Jars (Apache Log4j), Samples, Samples (dojo), Web Container, Web Services (json-smart), Centralized Third-party Jars (Apache Log4j), Datasource (MySQL Connector), Sample apps, Sample apps (jQuery), Web Services (JBoss Enterprise Application Platform), Analytics Server (Apache Log4j), MFT Runtime Server (Apache Log4j), Security Framework (Apache Log4j), WLST (Apache Commons Compress), Samples (Apache HttpClient), Install (Apache Commons IO), and Third-Party Tools (Apache Commons IO)
CVEs: CVE-2021-35587, CVE-2020-17530, CVE-2022-21306, CVE-2021-40438, CVE-2021-39154, CVE-2021-2351, CVE-2022-21346, CVE-2019-17566, CVE-2021-36090, CVE-2021-4104, CVE-2022-21292, CVE-2020-5258, CVE-2022-21371, CVE-2021-27568, CVE-2021-44832, CVE-2022-21252, CVE-2022-21347, CVE-2022-21350, CVE-2022-21353, CVE-2020-2934, CVE-2022-21361, CVE-2020-11023, CVE-2022-21257, CVE-2022-21258, CVE-2022-21259, CVE-2022-21260, CVE-2022-21261, CVE-2022-21262, CVE-2022-21386, CVE-2019-10219, CVE-2021-45105, CVE-2018-1324, CVE-2020-13956, and CVE-2021-29425

Oracle Health Sciences Applications

Products: Oracle Argus Analytics, Oracle Argus Insight, Oracle Argus Mart, Oracle Argus Safety, Oracle Clinical, Oracle Health Sciences Clinical Development Analytics, Oracle Health Sciences InForm CRF Submit, and Oracle Thesaurus Management System
Affected Components: Schema Creation (JDBC), Installation (JDBC), Installation and Configuration (JDBC, ODP for .NET), Report Generation (JDBC)
CVEs: CVE-2021-2351

Oracle Healthcare Applications

Products: Oracle Health Sciences Information Manager, Oracle Healthcare Data Repository, Oracle Healthcare Foundation, Oracle Healthcare Translational Research
Affected Components: Health Policy Engine (JDBC), Installation (JDBC)
CVEs: CVE-2021-2351

Oracle Hospitality Applications

Products: Oracle Hospitality OPERA 5, Oracle Hospitality Suite8, Oracle Hospitality Cruise Shipboard Property Management System
Affected Components: Integrations (JDBC, ODP for .NET), Rest API (ODP for .NET), Next-Gen SPMS (Apache Tomcat)
CVEs: CVE-2021-2351, CVE-2021-42340

Oracle Hyperion

Products: Oracle Hyperion Infrastructure Technology
Affected Components: Installation and Configuration (JDBC, OCCI, ODP for .NET)
CVEs: CVE-2021-2351

Oracle iLearning

Products: Oracle iLearning
Affected Components: Installation (JDBC)
CVEs: CVE-2021-2351

Oracle Insurance Applications

Products: Oracle Insurance Policy Administration J2EE, Oracle Insurance Rules Palette, Oracle Insurance Data Gateway, Oracle Insurance Insbridge Rating and Underwriting, Oracle Insurance Policy Administration
Affected Components: Architecture (dom4j), Security (JDBC), Framework Administrator IBFA (JDBC, ODP for .NET), Architecture (JDBC), Architecture (Spring Framework)
CVEs: CVE-2020-10683, CVE-2020-10683, CVE-2021-2351, CVE-2021-22118

Oracle Java SE

Products: Oracle GraalVM Enterprise Edition, Oracle Java SE, Oracle GraalVM Enterprise Edition
Affected Components: Node (Node.js), 2D, Hotspot, ImageIO, JAXP, Libraries, Serialization
CVEs: CVE-2021-22959, CVE-2022-21349, CVE-2022-21291, CVE-2022-21305, CVE-2022-21277, CVE-2022-21360, CVE-2022-21365, CVE-2022-21366, CVE-2022-21282, CVE-2022-21296, CVE-2022-21299, CVE-2022-21271, CVE-2022-21283, CVE-2022-21293, CVE-2022-21294, CVE-2022-21340, CVE-2022-21341, CVE-2022-21248

Oracle JD Edwards

Products: JD Edwards EnterpriseOne Tools
Affected Components: E1 Dev Platform Tech – Cloud (Lodash)
CVEs: CVE-2021-23337

Oracle MySQL

Products: MySQL Server, MySQL Connectors, MySQL Workbench, MySQL Cluster, MySQL Server
Affected Components: Server: Compiling (cURL), Connector/C++ (OpenSSL), Connector/ODBC (OpenSSL), Server: Optimizer, Connector/J, Server: Security: Encryption, Workbench: libssh, Cluster: General, InnoDB, Server: Compiling, Server: DML, Server: Federated, Server: Group Replication Plugin, Server: Information Schema, Server: Parser, Server: Replication, Server: Stored Procedure, Server: Components Services, Server: Security: Privileges, Server: DDL
CVEs: CVE-2021-22946, CVE-2021-3712, CVE-2022-21278, CVE-2022-21351, CVE-2022-21363, CVE-2022-21358, CVE-2021-3634, CVE-2022-21279, CVE-2022-21280, CVE-2022-21284, CVE-2022-21285, CVE-2022-21286, CVE-2022-21287, CVE-2022-21288, CVE-2022-21289, CVE-2022-21290, CVE-2022-21307, CVE-2022-21308, CVE-2022-21309, CVE-2022-21310, CVE-2022-21314, CVE-2022-21315, CVE-2022-21316, CVE-2022-21318, CVE-2022-21320, CVE-2022-21322, CVE-2022-21326, CVE-2022-21327, CVE-2022-21328, CVE-2022-21329, CVE-2022-21330, CVE-2022-21332, CVE-2022-21334, CVE-2022-21335, CVE-2022-21336, CVE-2022-21337, CVE-2022-21356, CVE-2022-21380, CVE-2022-21352, CVE-2022-21367, CVE-2022-21301, CVE-2022-21378, CVE-2022-21302, CVE-2022-21254, CVE-2022-21348, CVE-2022-21270, CVE-2022-21256, CVE-2022-21379, CVE-2022-21362, CVE-2022-21374, CVE-2022-21374, CVE-2022-21264, CVE-2022-21253, CVE-2022-21264, CVE-2022-21297, CVE-2022-21339, CVE-2022-21342, CVE-2022-21370, CVE-2022-21304, CVE-2022-21344, CVE-2022-21303, CVE-2022-21368, CVE-2022-21245, CVE-2022-21265, CVE-2022-21311, CVE-2022-21312, CVE-2022-21313, CVE-2022-21317, CVE-2022-21319, CVE-2022-21321, CVE-2022-21323, CVE-2022-21324, CVE-2022-
, CVE-2022-21331, CVE-2022-21333, CVE-2022-21355, CVE-2022-21357, CVE-2022-21249, CVE-2022-21372

Oracle PeopleSoft

Products: PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise CS SA Integration Pack
Affected Components: Elastic Search (Node.js), Change Impact Analyzer (JDBC), Snapshot Integration, Elastic Search (Netty), File Processing (cURL), Security (OpenSSL), Elastic Search (Lodash), Security, Optimization Framework, Portal, Rich Text Editor, Rich Text Editor (CKEditor), Weblogic
CVEs: CVE-2021-22931, CVE-2021-2351, CVE-2022-21300, CVE-2021-37137, CVE-2021-22946, CVE-2021-3712, CVE-2021-23337, CVE-2022-21345, CVE-2022-21359, CVE-2022-21272, CVE-2022-21369, CVE-2021-37695, CVE-2022-21364

Oracle Policy Automation

Products: Oracle Policy Automation
Affected Components: Determinations Engine (JDBC)
CVEs: CVE-2021-2351

Oracle Retail Applications

Products: Oracle Retail Integration Bus, Oracle Retail Order Broker, Oracle Retail Service Backbone, Oracle Retail Analytics, Oracle Retail Assortment Planning, Oracle Retail Back Office, Oracle Retail Central Office, Oracle Retail Customer Insights, Oracle Retail Extract Transform and Load, Oracle Retail Financial Integration, Oracle Retail Merchandising System, Oracle Retail Order Management System, Oracle Retail Point-of-Service, Oracle Retail Predictive Application Server, Oracle Retail Price Management, Oracle Retail Returns Management, Oracle Retail Xstore Point of Service, Oracle Retail Customer Management and Segmentation Foundation, Oracle Retail Allocation, Oracle Retail Assortment Planning, Oracle Retail Fiscal Management, Oracle Retail Back Office, Oracle Retail Central Office, Oracle Retail EFTLink, Oracle Retail Invoice Matching, Oracle Retail Predictive Application Server, Oracle Retail Size Profile Optimization
Affected Components: RIB Kernal (Apache Velocity Engine), Order Broker Foundation (Apache Velocity Engine), RSB kernel (Apache Velocity Engine), Other (JDBC), Application Core (JDBC), Security (JDBC), Mathematical Operators (JDBC), PeopleSoft Integration Bugs (JDBC), RIB Kernal (JDBC), Foundation (JDBC), System Administration (JDBC), Upgrade Install (JDBC), RPAS Server (OCCI), RSB Installation (JDBC), Xenvironment (JDBC), Deal (Spring Framework), General (Apache Log4j), Application Core (Apache Log4j), NF Issuing (Apache Log4j), Security (Apache Log4j), Installation (Apache Log4j), RIB Kernal (Apache Log4j), System Administration (Apache Log4j), Upgrade Install (Apache Log4j), Administration (Apache Log4j), RPAS Server (Apache Log4j), RSB Installation (Apache Log4j), Security (Apache PDFbox), Application Core (Apache Commons IO), RIB Kernal (Apache Commons IO), System Administration (Apache Commons IO), and RSB Installation (Apache Commons IO)
CVEs: CVE-2020-13936, CVE-2021-2351, CVE-2021-22118, CVE-2021-4104, CVE-2021-23337, CVE-2021-44832, CVE-2021-45105, CVE-2021-31812, and CVE-2021-29425

Oracle Siebel CRM

Products: Siebel UI Framework
Affected Components: EAI (JDBC), Enterprise Cache (Apache Log4j)
CVEs: CVE-2021-2351, CVE-2021-44832

Oracle Supply Chain

Products: Oracle Agile Engineering Data Management, Oracle Agile PLM, Oracle Demantra Demand Management, Oracle Product Lifecycle Analytics, Oracle Rapid Planning, Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite, and Oracle Agile PLM MCAD Connector
Affected Components: Installation (JDBC), Security (JDBC), Security (JDBC, OCCI), Middle Tier (JDBC, OCCI), Installation Issues (jackson-databind), Security (AntiSamy), Security (Apache Ant), CAX Client (Apache Groovy), and Security (Apache Tomcat)
CVEs: CVE-2021-2351, CVE-2020-25649, CVE-2021-35043, CVE-2021-36374, CVE-2020-17521, CVE-2021-33037

Oracle Support Tools

Products: OSS Support Tools
Affected Components: Diagnostic Assistant (json-smart), Diagnostic Assistant (JDBC), Diagnostic Assistant (jQuery UI), Diagnostic Assistant (Apache Commons IO)
CVEs: CVE-2021-27568, CVE-2021-2351, CVE-2016-7103, CVE-2021-29425

Oracle Systems

Products: Oracle ZFS Storage Appliance Kit, Oracle ZFS Storage Application Integration Engineering Software, Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, Oracle Solaris
Affected Components: Operating System Image, Snap Management Utility (JDBC), XCP Firmware (cURL), XCP Firmware (glibc), XCP Firmware (OpenSSL), XCP Firmware (NTP), Filesystem, Kernel, Libraries, Fault Management Architecture, and Install
CVEs: CVE-2021-3517, CVE-2021-2351, CVE-2020-8285, CVE-2021-3326, CVE-2021-23840, CVE-2020-13817, CVE-2021-43395, CVE-2022-21375, CVE-2022-21271, CVE-2022-21263, CVE-2022-21298

Oracle Utilities Applications

Products: Oracle Utilities Framework, Oracle Utilities Testing Accelerator
Affected Components: General (Oracle Coherence), Common (json-smart), General (XStream), Tools (Apache Velocity Engine), Tools (XStream), General (JDBC), Tools (JDBC), Tools (Spring Framework), Tools (Apache Commons Compress), Tools (Apache Log4j), Tools (Apache Ant), Tools (Apache Tomcat), and Tools (Apache Commons IO)
CVEs: CVE-2020-14756, CVE-2021-27568, CVE-2021-39139, CVE-2020-13936, CVE-2021-39139, CVE-2021-2351, CVE-2021-22118, CVE-2021-36090, CVE-2021-4104, CVE-2021-36374, CVE-2021-33037, CVE-2021-29425

Oracle Virtualization

Products: Oracle VM VirtualBox
Affected Components: Core
CVEs: CVE-2022-21394, CVE-2022-21395

SanerNow VM and SanerNow PM detect these vulnerabilities and automatically fix them by applying security updates. Use SanerNow and keep your systems updated and secure.