Oracle Security Patches January 2021 has released 329 new security patches as a part of its quarterly patch cycle. 273 vulnerabilities are remotely exploitable without user credentials. A vulnerability scanning tool can help detect these vulnerabilities.
Oracle MySQL has received 43 security updates, out of which 5 patches are for the vulnerabilities that allow an attacker to exploit the underlying flaws over the network without any form of authentication. CVE-2020-13871 is considered to be the most critical in the lineup. This CVE affects the ‘Workbench (SQLite)’ component of MySQL Workbench. However, successful exploitation of this vulnerability can crash the service or execute arbitrary code on the affected system. Therefore, a patch management solution is required for patching these vulnerabilities.
Oracle Java SE received 1 security patch for CVE-2020-14803. The vulnerability resides in the ‘Libraries’ component of Java SE, Java SE Embedded. The flaw can be exploited remotely over the network without requiring user credentials. Successful exploitation can result in unauthorized read access to a subset of Java SE accessible data.
Oracle VM VirtualBox received 17 security patches. Also, none of the patched vulnerabilities can be exploited remotely without authentication. CVE-2021-2074 has been rated high and affects the ‘Core‘ component of Oracle VM VirtualBox. However, successful exploitation can lead to a takeover of Oracle VM VirtualBox.
Oracle Security Patches January 2021 Summary
Oracle Security Patches January 2021 MySQL
Products: MySQL Client, MySQL Server, MySQL Workbench, MySQL Enterprise Monitor
Affected Components: C API, Information Schema, InnoDB, MySQL Workbench (OpenSSL), Server: Components Services, Server: DDL, Server: DML, Server: Locking, Server: Optimizer, Server: PAM Auth Plugin, Server: Replication, Server: Security: Privileges, Server: Security: Roles, Server: Stored Procedure, Service Manager (Apache Commons BeanUtils), Service Manager (Spring Framework), Service Manager (Spring Security) and then Workbench (SQLite)
CVEs: CVE-2019-10086, CVE-2020-13871, CVE-2020-1971, CVE-2020-5408, CVE-2020-5421, CVE-2021-1998, CVE-2021-2001, CVE-2021-2002, CVE-2021-2006, CVE-2021-2007, CVE-2021-2009, CVE-2021-2010, CVE-2021-2011, CVE-2021-2012, CVE-2021-2014, CVE-2021-2016, CVE-2021-2019, CVE-2021-2020, CVE-2021-2021, CVE-2021-2022, CVE-2021-2024, CVE-2021-2028, CVE-2021-2030, CVE-2021-2031, CVE-2021-2032, CVE-2021-2036, CVE-2021-2038, CVE-2021-2042, CVE-2021-2046, CVE-2021-2048, CVE-2021-2055, CVE-2021-2056, CVE-2021-2058, CVE-2021-2060, CVE-2021-2061, CVE-2021-2065, CVE-2021-2070, CVE-2021-2072, CVE-2021-2076, CVE-2021-2081, CVE-2021-2087, CVE-2021-2088, CVE-2021-2122
Oracle Java SE
Products: Java SE, Java SE Embedded
Affected Components: Libraries
CVEs: CVE-2020-14803
Oracle Virtualization
Products: Oracle VM VirtualBox
Affected Components: Core
CVEs : CVE-2021-2073, CVE-2021-2074, CVE-2021-2086, CVE-2021-2111, CVE-2021-2112, CVE-2021-2119, CVE-2021-2120, CVE-2021-2121, CVE-2021-2123, CVE-2021-2124, CVE-2021-2125, CVE-2021-2126, CVE-2021-2127, CVE-2021-2128, CVE-2021-2129, CVE-2021-2130, CVE-2021-2131
Oracle Database Server
Affected Components: Advanced Networking Option, Java VM, Oracle Application Express Opportunity Tracker, Oracle Application Express Survey Builder, Oracle Text, RDBMS Scheduler, RDBMS Sharding and then Unified Audit
CVEs : CVE-2021-1993, CVE-2021-2000, CVE-2021-2018, CVE-2021-2035, CVE-2021-2045, CVE-2021-2054, CVE-2021-2116, CVE-2021-2117
Oracle Construction and Engineering
Products: Instantis EnterpriseTrack, Primavera Gateway, Primavera P6 Enterprise Project Portfolio Management, Primavera Unifier
Affected Components: Admin (Apache Ant), Admin (Spring Framework), Core (Apache Commons BeanUtils), Core, Config (Apache Ant), Dashboard module (Apache Batik), Platform (MPXJ) and then Web access (Spring Framework)
CVEs : CVE-2019-10086, CVE-2019-17566, CVE-2020-11979, CVE-2020-25020, CVE-2020-5421
Oracle E-Business Suite
Products: Oracle Common Applications, Oracle Common Applications Calendar, Oracle CRM Technical Foundation, Oracle Customer Interaction History, Oracle Email Center, Oracle Installed Base, Oracle iStore, Oracle iSupport, Oracle Marketing, Oracle One-to-One Fulfillment, Oracle Scripting, Oracle User Management and then Oracle Workflow
Affected Components: APIs, Applications Calendar, CRM User Management Framework, Marketing Administration, Message Display, Miscellaneous, Outcome-Result, Preferences, Print Server, Profile, Proxy User Delegation, Runtime Catalog, Shopping Cart, Tasks, User Responsibilities, Web interface and then Worklist
CVEs : CVE-2021-2015, CVE-2021-2017, CVE-2021-2023, CVE-2021-2026, CVE-2021-2027, CVE-2021-2029, CVE-2021-2034, CVE-2021-2059, CVE-2021-2077, CVE-2021-2082, CVE-2021-2083, CVE-2021-2084, CVE-2021-2085, CVE-2021-2089, CVE-2021-2090, CVE-2021-2091, CVE-2021-2092, CVE-2021-2093, CVE-2021-2094, CVE-2021-2096, CVE-2021-2097, CVE-2021-2098, CVE-2021-2099, CVE-2021-2100, CVE-2021-2101, CVE-2021-2105, CVE-2021-2106, CVE-2021-2107, CVE-2021-2114, CVE-2021-2115, CVE-2021-2118
Oracle Enterprise Manager
Products: Enterprise Manager Base Platform, Enterprise Manager for Fusion Applications, Enterprise Manager Ops Center, Oracle Application Testing Suite
Affected Components: Connector Framework (Quartz), Control Proxy (Apache HTTP Server), Load Testing for Web Apps (dom4j), Load Testing for Web Apps (jQuery), Reporting Framework (Apache Camel), Reporting Framework (Apache Commons FileUpload), Topology Viewer (Spring Framework) and then User Interface (OpenSSL)
CVEs : CVE-2015-4000, CVE-2016-1000031, CVE-2018-15756, CVE-2019-13990, CVE-2020-10683, CVE-2020-11022, CVE-2020-11973, CVE-2020-11984
Oracle Financial Services Applications
Products: Oracle Banking Corporate Lending Process Management, Oracle Banking Credit Facilities Process Management, Oracle Banking Extensibility Workbench, Oracle Banking Liquidity Management, Oracle Banking Payments, Oracle Banking Platform, Oracle Banking Supply Chain Finance, Oracle Banking Trade Finance Process Management, Oracle Banking Virtual Account Management, Oracle Financial Services Analytical Applications Infrastructure, Oracle Financial Services Asset Liability Management, Oracle Financial Services Data Integration Hub, Oracle Financial Services Funds Transfer Pricing, Oracle Financial Services Market Risk Measurement and Management, Oracle Financial Services Profitability Management, Oracle Financial Services Revenue Management and Billing, Oracle FLEXCUBE Core Banking, Oracle FLEXCUBE Universal Banking and then Oracle Insurance Allocation Manager for Enterprise Profitability
Affected Components : Common (Apache Ant), Common (Apache Kafka), Common Core (Apache Kafka), Common Core (Netty), Common Core (Spring Security), Common Core (Spring Security Oauth), Common (Netty), Common (Spring Security), Common (Spring Security Oauth), Core (Apache Commons BeanUtils), Core (Apache Kafka), Core (Lodash), Core (Netty), Core (Node.js), Core (Spring Security), Core (Spring Security Oauth), Dashboard (Apache Kafka), Dashboard (Netty), Dashboard (Spring Security), Dashboard (Spring Security Oauth), Infrastructure (Apache Ant), Infrastructure (Apache Commons BeanUtils), Infrastructure (Apache Kafka), Infrastructure (Netty), Infrastructure (Spring Framework), Infrastructure (Spring Security Oauth), Infrastructure (Spring Web Services), Installer (Apache Ant), On Demand Billing, Party, Financials (Apache Commons Compress), Payments Core (Apache Kafka), Payments Core (Netty), Payments Core (Spring Security Oauth), Product Manufacturing (Apache Kafka), Securities (Eclipse Jetty) and then User Interface (Apache Struts)
CVEs : CVE-2019-0230, CVE-2019-10086, CVE-2019-10744, CVE-2019-11269, CVE-2019-12399, CVE-2019-12402, CVE-2019-3773, CVE-2020-11612, CVE-2020-11979, CVE-2020-1945, CVE-2020-27216, CVE-2020-5408, CVE-2020-5421, CVE-2020-8174, CVE-2021-2113
Oracle Food and Beverage Applications
Products: Oracle Hospitality Simphony, Oracle Hospitality Reporting and Analytics
Affected Components: Simphony Server (Apache log4net), Report
CVEs : CVE-2018-1285, CVE-2021-1997
Oracle Fusion Middleware
Products: Business Intelligence Enterprise Edition, Oracle Adaptive Access Manager, Oracle BAM (Business Activity Monitoring), Oracle BI Publisher, Oracle Business Intelligence Enterprise Edition, Oracle Business Process Management Suite, Oracle Coherence, Oracle Data Integrator, Oracle Endeca Information Discovery Integrator, Oracle Enterprise Data Quality, Oracle Enterprise Repository, Oracle Fusion Middleware MapViewer, Oracle GoldenGate Application Adapters, Oracle Managed File Transfer, Oracle Outside In Technology, Oracle Real-Time Decision Server, Oracle WebCenter Portal, Oracle WebCenter Sites and then Oracle WebLogic Server
Affected Components:
Administration, Analytics Server (Knockout), Analytics Web Dashboards, Analytics Web General, Application Adapters (Apache Log4j), Application Adapters (Spring Framework), BI Platform Security, BI Publisher Security, Centralized Thirdparty Jars (Eclipse Jetty), Centralized Thirdparty Jars (Google Guava), Console, Console (Apache Commons Beanutils), Core Components, Core Components (Connect2id Nimbus JOSE+JWT), Decision Studio (Apache Ant), E-Business Suite – XDO, General (Apache Commons FileUpload), General (Apache POI), General (dom4j), General (Eclipse Mojarra), General (Xstream), Install and Config, Install (Apache Commons BeanUtils), Installation, Install, config, upgrade (Apache Commons BeanUtils), Install, config, upgrade (Apache Log4j), Install, config, upgrade (JCraft JSch), Install, config, upgrade (Rogue Wave JViews), Installer (dom4j), Integrator ETL (Apache Commons BeanUtils), Integrator ETL (Spring Framework), MFT Runtime Server (Apache Tomcat), Outside In Filters, Platform Installation (Apache Axis), Platform Installation (Apache Commons BeanUtils), Portlet Services (dom4j), Rest Service (Dolibarr), Runtime Java agent for ODI (Bouncy Castle Java Library), Runtime Java agent for ODI (dom4j), Sample apps (jQuery), Sample apps (Spring Framework), Samples, Security Framework (Apache Commons BeanUtils), Security Subsystem (Apache ActiveMQ), Security Subsystem (Apache Ant), Security Subsystem (Apache Batik), Security Subsystem (Apache Camel), WebCenter Sites (jQuery), Web Server and then Web Services.
CVEs :
CVE-2015-8965, CVE-2016-1000031, CVE-2016-5725, CVE-2017-12626, CVE-2018-10237, CVE-2018-2587, CVE-2018-9019, CVE-2019-0227, CVE-2019-10086, CVE-2019-10173, CVE-2019-10247, CVE-2019-14862, CVE-2019-17091, CVE-2019-17195, CVE-2019-17359, CVE-2019-17566, CVE-2020-10683, CVE-2020-11022, CVE-2020-11979, CVE-2020-11994, CVE-2020-11998, CVE-2020-13935, CVE-2020-14756, CVE-2020-1945, CVE-2020-5421, CVE-2020-9488, CVE-2021-1994, CVE-2021-1995, CVE-2021-1996, CVE-2021-2003, CVE-2021-2005, CVE-2021-2013, CVE-2021-2025, CVE-2021-2033, CVE-2021-2041, CVE-2021-2047, CVE-2021-2049, CVE-2021-2050, CVE-2021-2051, CVE-2021-2062, CVE-2021-2064, CVE-2021-2066, CVE-2021-2067, CVE-2021-2068, CVE-2021-2069, CVE-2021-2075, CVE-2021-2108, CVE-2021-2109
Oracle GraalVM
Products: Oracle GraalVM Enterprise Edition
Affected Components: Node (Node.js), Java
CVEs : CVE-2020-8277, CVE-2020-14803
Oracle Health Sciences Applications
Products: Oracle Health Sciences Information Manager, Oracle Healthcare Master Person Index, Oracle Argus Safety, Oracle Health Sciences Information Manager
Affected Components: Recordlocator, DSUB (dom4j), MDM Module (Spring Framework), Case Form, Local Affiliate Form, Letters, Recordlocator and then DSUB (Apache Log4j)
CVEs : CVE-2020-10683, CVE-2020-5421, CVE-2021-2040, CVE-2021-2110, CVE-2020-9488
Oracle Hyperion
Products: Hyperion Infrastructure Technology, Hyperion Financial Reporting
Affected Components: Common Security (Apache POI), Common Security (Apache Tomcat), Common Security (Quartz), Installation and Configuration (Apache Commons Compress), Installation and Configuration (Apache HTTP Server), Installation and Configuration (Spring Framework) and then Installation (jQuery)
CVEs : CVE-2019-12402, CVE-2019-12415, CVE-2019-13990, CVE-2019-17563, CVE-2020-11022, CVE-2020-11984, CVE-2020-5421
Oracle PeopleSoft
Products: PeopleSoft Enterprise FIN Payables, PeopleSoft Enterprise HCM Human Resources, PeopleSoft Enterprise PeopleTools
Affected Components: Company Dir / Org Chart Viewer, Employee Snapshot (jQuery), Elastic Search, Financial Sanctions, Global Payroll for Switzerland (Apache Axis), Portal, Rich Text Editor (CKEditor) and then Security (OpenSSL)
CVEs : CVE-2019-0227, CVE-2020-11022, CVE-2020-1968, CVE-2020-9281, CVE-2021-2043, CVE-2021-2044, CVE-2021-2063, CVE-2021-2071
Oracle Retail Applications
Products: Oracle Retail Assortment Planning, Oracle Retail Bulk Data Integration, Oracle Retail Customer Management and Segmentation Foundation, Oracle Retail Extract Transform and Load, Oracle Retail Financial Integration, Oracle Retail Integration Bus, Oracle Retail Invoice Matching, Oracle Retail Merchandising System, Oracle Retail Order Broker, Oracle Retail Order Broker Cloud Service, Oracle Retail Sales Audit, Oracle Retail Service Backbone, Oracle Retail Store Inventory Management
Affected Components : Application Core (Spring Framework), BDI Job Scheduler (Apache Groovy), BDI Job Scheduler (Eclipse Mojarra), BDI Job Scheduler (Spring Framework), Foundation (jackson-databind), Internal Operations, Mathematical Operators (Apache Ant), PeopleSoft Integration (Apache Ant), PeopleSoft Integration (Apache Commons BeanUtils), PeopleSoft Integration Bugs (Apache Groovy), PeopleSoft Integration (Spring Framework), Posting (Spring-LDAP), Promotions (Apache Log4j), RIB Kernal (Apache Ant), RIB Kernal (Apache Batik), RIB Kernal (Apache Commons BeanUtils), RIB Kernal (Apache Groovy), RIB Kernal (Spring Framework), RSB kernel (Apache Ant), RSB kernel (Apache Commons BeanUtils), RSB kernel (Apache Groovy), RSB kernel (Spring Framework), Rule Wizards (jackson-databind), Security (Spring Framework), Segment (dom4j), SIM Integration (Apache Ant), SIM Integration (Eclipse Mojarra), Supplier Direct Fulfillment (Apache CXF), System Administration (Apache Batik), System Administration (Apache Commons BeanUtils), System Administration (Apache Tomcat) and then System Administration (Spring Framework)
CVEs : CVE-2017-8028, CVE-2019-10086, CVE-2019-17091, CVE-2019-17566, CVE-2020-10683, CVE-2020-11979, CVE-2020-13954, CVE-2020-17521, CVE-2020-1945, CVE-2020-5398, CVE-2020-5421, CVE-2020-9484, CVE-2020-9488, CVE-2020-9546, CVE-2021-2057
Oracle Siebel CRM
Products : Siebel Core – Server Framework, Siebel UI Framework, Siebel Mobile App and then Siebel Core – Server BizLogic Script
Affected Components: Search, EAI (Apache Tomcat), Open UI (jQuery), Integration – Scripting
CVEs : CVE-2021-2039, CVE-2020-9484, CVE-2020-11022, CVE-2021-2004
Oracle Systems
Products: Oracle ZFS Storage Appliance Kit, StorageTek Tape Analytics SW Tool
Affected Components: Operating System Image, Software (jQuery), RAS subsystems, Software (Apache Log4j)
CVEs : CVE-2020-11984, CVE-2020-11022, CVE-2021-1999, CVE-2020-9488
Oracle Supply Chain
Products: Oracle Agile Engineering Data Management, Oracle Agile PLM, Oracle Agile Product Lifecycle Management for Process, Oracle Complex Maintenance, Repair, and Overhaul, Oracle Configurator and then Oracle Transportation Management
Affected Components : Dialog Box, Install (Apache Tomcat), Installation (jQuery), Install (jQuery), Security (CKEditor), Security (jackson-databind), UI Servlet
CVEs : CVE-2019-11358, CVE-2019-17563, CVE-2020-14195, CVE-2020-9281, CVE-2021-2078, CVE-2021-2079, CVE-2021-2080, CVE-2021-2102, CVE-2021-2103, CVE-2021-2104
These are the patches released by Oracle Security Patches January 2021.