Oracle Critical Security Updates July 2021 released 342 new security patches across a wide range of product families, including Oracle E-Business Suite, Oracle MySQL, Oracle Java SE, Oracle Hospitality Applications, Oracle Siebel CRM and Oracle Database Server. Several of the products covered by this advisory are exposed to multiple common vulnerabilities, and the vulnerabilities in all of the affected products can be remediated with patch management software.
Oracle Database Server received 16 security patches. One of the 16 vulnerabilities addressed, tracked as CVE-2021-2351, can be exploited remotely without authentication. The flaw affects the Advanced Networking Option component and the Oracle Net protocol, and successful exploitation affects confidentiality, integrity and availability equally. Exposure to this flaw can be tracked and reduced with a vulnerability management tool.
Oracle MySQL received 41 security patches, 10 of which address vulnerabilities that an attacker can exploit over the network without any form of authentication. CVE-2021-22884 is the most critical of the set: it affects the 'Cluster: JS module (Node.js)' component of MySQL Cluster, and successful exploitation allows remote attackers to conduct a DNS rebinding attack.
Oracle Java SE received 6 security patches, 5 of which address vulnerabilities that can be exploited over a network without authentication. The flaw tracked as CVE-2021-29921 has the highest CVSS score among them; it resides in the Python interpreter and runtime (CPython) component of Oracle GraalVM Enterprise Edition. Successful exploitation can result in unauthorized access, with the greatest impact on data integrity and system availability.
Oracle Critical Security Updates July 2021 Summary
Products: Oracle Database Server
Affected Components: Advanced Networking Option, Oracle Text, Oracle Application Express (CKEditor), Oracle Application Express Application Builder (DOMPurify), Oracle Application Express Data Reporter, Oracle XML DB, Oracle Spatial and Graph (GDAL), Core RDBMS, Enterprise Manager Express User Interface (CodeMirror), Java VM, Oracle Database – Enterprise Edition Data Redaction and Database Vault
CVEs: CVE-2021-2351, CVE-2021-2328, CVE-2021-2329, CVE-2021-2337, CVE-2020-27193, CVE-2020-26870, CVE-2021-2460, CVE-2021-2333, CVE-2019-17545, CVE-2021-2330, CVE-2020-7760, CVE-2021-2438, CVE-2021-2334, CVE-2021-2335, CVE-2021-2336, CVE-2021-2326
Products: Essbase Analytic Provider Services, Hyperion Essbase Administration Services, Essbase
Affected Components: JAPI, EAS Console, Infrastructure (OpenSSL), Infrastructure (cURL), Web Services, Infrastructure (CodeMirror), Infrastructure (Apache Commons Compress)
CVEs: CVE-2021-2244, CVE-2021-2349, CVE-2021-2435, CVE-2019-0190, CVE-2020-8285, CVE-2021-2433, CVE-2021-2350, CVE-2020-7760, CVE-2019-12402
Products: Oracle Commerce Platform, Oracle Commerce Guided Search, Oracle Commerce Experience Manager, Oracle Commerce Merchandising and Oracle Commerce Service Center
Affected Components: Dynamo Application Framework, Dynamo Application Framework (Coherence), Content Acquisition System (Java SE), Experience Manager (jackson-databind), Tools and Frameworks (Java SE), Dynamo Application Framework (jackson-databind), Experience Manager, Business Control Center (CKEditor), Commerce Service Center and Tools and Frameworks
CVEs: CVE-2021-2463, CVE-2020-2555, CVE-2020-2604, CVE-2021-20190, CVE-2020-2604, CVE-2020-25649, CVE-2021-26272, CVE-2021-2462, CVE-2021-2345, CVE-2021-2346, CVE-2021-2348
Products: Oracle Communications Unified Inventory Management, Oracle Communications BRM – Elastic Charging Engine, Oracle Communications Offline Mediation Controller, Oracle Communications Pricing Design Center, Oracle Communications Instant Messaging Server, Oracle Communications Billing and Revenue Management, Oracle Communications Convergent Charging Controller, Oracle Communications Network Charging and Control and Oracle Communications Design Studio
Affected Components: CN ECE (XStream), Drools Ruleset (XStream), HTTP GW (Netty), UDC CORE (Python), CNE (Apache Struts), CNE (Nimbus JOSE+JWT), REST API (Spring Security), UDC CORE (Perl), Transformation for PDC (Perl), Managing Messages (jackson-databind), Accounts Receivable (libgcrypt), CN OCOMC (Eclipse Jetty), Transformation for PDC (Eclipse Jetty), Balances (cURL), Business Operation Center (jackson-databind), Common fns (jackson-databind), OUI (jackson-databind), CN OCOMC (Apache Batik), NM Core (Kerberos), Server for PDC (dojo), Transformation for PDC (Apache Tomcat), Transformation for PDC (Kerberos), CNE (NSS), Media Resource (jackson-databind), Billing Care (Lodash), Transformation for PDC (Apache Commons BeanUtils), Managing Messages (Apache Tomcat), Balance Monitoring Manager (Kibana), Inventory Organizer (BSAFE Crypto-J), Elastic charging controller (Apache Groovy), Modeling (Netty), Common fns (SQLite) and UDC CORE (Apache Batik)
CVEs: CVE-2021-21345, CVE-2021-21345, CVE-2020-11612, CVE-2021-3177, CVE-2020-17530, CVE-2019-17195, CVE-2021-22112, CVE-2020-10878, CVE-2020-10878, CVE-2020-14195, CVE-2021-3345, CVE-2020-27216, CVE-2020-27216, CVE-2020-8286, CVE-2020-25649, CVE-2020-25649, CVE-2020-25649, CVE-2019-17566, CVE-2020-28196, CVE-2020-5258, CVE-2020-17527, CVE-2020-28196, CVE-2020-25648, CVE-2020-25649, CVE-2020-8203, CVE-2019-10086, CVE-2020-9484, CVE-2020-7017, CVE-2019-3740, CVE-2020-17521, CVE-2021-21290, CVE-2021-20227, CVE-2020-11987
Products: Oracle Common Applications, Oracle Marketing, Oracle Advanced Outbound Telephony, Oracle Approvals Management, Oracle Collaborative Planning, Oracle E-Records, Oracle Engineering, Oracle Field Service, Oracle Human Resources, Oracle iSupplier Portal, Oracle Public Sector Financials (International), Oracle Time and Labor, Oracle Web Applications Desktop Integrator, Oracle Applications Framework and Oracle Workflow
Affected Components: CRM User Management Framework, Marketing Administration, SDK client integration, Region Mapping, AME Page rendering, User Interface, E-signatures, Change Management, Wireless, People Management, Accounts, Authorization, Timecard, Application Service, Attachments / File Upload and Workflow Notification Mailer
CVEs: CVE-2021-2355, CVE-2021-2436, CVE-2021-2359, CVE-2021-2361, CVE-2021-2398, CVE-2021-2360, CVE-2021-2406, CVE-2021-2393, CVE-2021-2405, CVE-2021-2362, CVE-2021-2365, CVE-2021-2364, CVE-2021-2363, CVE-2021-2415, CVE-2021-2434, CVE-2021-2380, CVE-2021-2343
Products: Oracle BAM (Business Activity Monitoring), Oracle WebCenter Portal, Oracle Business Intelligence Enterprise Edition, Oracle Data Integrator, Oracle JDeveloper, Oracle WebLogic Server, Oracle BI Publisher, Oracle Enterprise Data Quality, Oracle Coherence, Identity Manager, Oracle GoldenGate Application Adapters, Oracle Managed File Transfer, Real-Time Decisions (RTD) Solutions, Oracle Outside In Technology, Oracle JDeveloper and ADF, Oracle Enterprise Repository, Oracle Fusion Middleware MapViewer and Oracle Access Manager
Affected Components: General (XStream), Security Framework (XStream), Analytics Web General, Runtime Java agent for ODI (Nimbus JOSE+JWT), Oracle JDeveloper (dom4j), Security Framework (Bouncy Castle Java Library), Core, Security, BI Publisher Security, E-Business Suite – XDO, Scheduler, General (Spring Framework), Core, Identity Console, Application Adapters (jackson-databind), Oracle JDeveloper (Apache Commons Compress), MFT Runtime Server (Apache Tomcat), Core, Web Services, Third Party Tools (Apache Standard Taglibs), WLS Deployment Template for RT (Apache Commons BeanUtils), Outside In Filters, Install, config, upgrade (Apache Ant), UI Platform (jQuery), OAM (Apache POI), Outside In Clean Content SDK (Apache PDFBox), Request Management & Workflow, upgrade (Apache HttpClient), Security Subsystem – 12c (Apache Batik), Install (Apache Batik), Rest interfaces for Access Mgr, upgrade (Guava) and Installation Component (Oracle Coherence)
CVEs: CVE-2021-21345, CVE-2021-21345, CVE-2021-2456, CVE-2019-17195, CVE-2020-10683, CVE-2020-28052, CVE-2021-2394, CVE-2021-2397, CVE-2021-2382, CVE-2021-2392, CVE-2021-2396, CVE-2021-2391, CVE-2020-5421, CVE-2021-2428, CVE-2021-2458, CVE-2021-2400, CVE-2021-2371, CVE-2021-2344, CVE-2020-25649, CVE-2019-12402, CVE-2021-25122, CVE-2021-2378, CVE-2021-2376, CVE-2015-0254, CVE-2019-10086, CVE-2021-2450, CVE-2021-2451, CVE-2021-2419, CVE-2021-2420, CVE-2021-2423, CVE-2021-2449, CVE-2021-2452, CVE-2021-2430, CVE-2021-2431, CVE-2021-2453, CVE-2020-1945, CVE-2019-11358, CVE-2019-12415, CVE-2021-27906, CVE-2021-2457, CVE-2021-2401, CVE-2020-13956, CVE-2020-11987, CVE-2020-11987, CVE-2021-2403, CVE-2021-2358, CVE-2020-8908, CVE-2020-2555
Products: Oracle GraalVM Enterprise Edition, Java SE
Affected Components: Python interpreter and runtime (CPython), Hotspot, LLVM Interpreter (musl libc), Library, JNDI, Networking
CVEs: CVE-2021-29921, CVE-2021-2388, CVE-2020-28928, CVE-2021-2369, CVE-2021-2432, CVE-2021-2341
Products: MySQL Cluster, MySQL Enterprise Monitor, MySQL Server, MySQL Connectors
Affected Components: Cluster: JS module (Node.js), Server: Packaging (curl), Monitoring: General (Apache Tomcat), Server: Compiling (LZ4), Connector/C++ (OpenSSL), Connector/ODBC (OpenSSL), Monitoring: General (OpenSSL), Server: GIS, InnoDB, Server: Replication, Server: DDL, Server: DML, Server: Federated, Server: Locking, Server: Optimizer, Server: PS, Server: Stored Procedure, Cluster: JS module and Server: Memcached
CVEs: CVE-2021-22884, CVE-2021-22901, CVE-2021-25122, CVE-2019-17543, CVE-2021-3450, CVE-2021-3450, CVE-2021-3450, CVE-2021-2417, CVE-2021-2389, CVE-2021-2390, CVE-2021-2429, CVE-2021-2356, CVE-2021-2385, CVE-2021-2339, CVE-2021-2352, CVE-2021-2399, CVE-2021-2370, CVE-2021-2440, CVE-2021-2354, CVE-2021-2402, CVE-2021-2342, CVE-2021-2357, CVE-2021-2367, CVE-2021-2412, CVE-2021-2383, CVE-2021-2384, CVE-2021-2387, CVE-2021-2444, CVE-2021-2410, CVE-2021-2418, CVE-2021-2425, CVE-2021-2426, CVE-2021-2427, CVE-2021-2437, CVE-2021-2441, CVE-2021-2422, CVE-2021-2424, CVE-2021-2372, CVE-2021-2374, CVE-2021-2411, CVE-2021-2340
Products: PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise CS Campus Community, PeopleSoft Enterprise HCM Candidate Gateway, PeopleSoft Enterprise HCM Shared Components, PeopleSoft Enterprise PT PeopleTools
Affected Components: REST Services (Nimbus JOSE+JWT), REST Services (netplex json-smart-v1), Elastic Search (Node.js), Security (OpenSSL), Elastic Search (Kibana), Integration and Interfaces, e-mail notification, Person Search, Notification Configuration, Elastic Search (Netty), Portal, Cloud Manager (Apache HttpClient), SQR and Elastic Search (Google Guava)
CVEs: CVE-2019-17195, CVE-2021-27568, CVE-2021-22884, CVE-2021-3450, CVE-2020-7017, CVE-2021-2421, CVE-2021-2404, CVE-2021-2455, CVE-2021-2408, CVE-2021-21290, CVE-2021-2407, CVE-2020-13956, CVE-2021-2377, CVE-2020-8908
All of these products are affected as listed in Oracle Critical Security Updates July 2021.