Oracle Releases 520 New Security Patches With April 2022 CPU

Oracle on Tuesday announced the release of 520 security fixes as part of its April 2022 Critical Patch Update (CPU), including nearly 300 for vulnerabilities that can be exploited remotely without authentication.

Roughly 75 of the patches deal with security holes rated “critical severity,” including three that feature a CVSS score of 10. Over 40 of the remaining vulnerabilities have a CVSS score between 8 and 9.

Several of the patches that Oracle included in this month’s CPU deal with CVE-2022-22965 – also known as Spring4Shell and SpringShell – a critical remote code execution (RCE) bug in the Spring Framework. One of these patches also resolves CVE-2022-22963, a critical RCE flaw in Spring Cloud Function.

Oracle Communications received the largest number of patches in this quarterly CPU, at 149. Of the addressed bugs, 98 can be exploited remotely without authentication, Oracle notes in its advisory.

The bulk of the remaining patches were released for Fusion Middleware (54 fixes – 41 for flaws exploitable remotely, without authentication), MySQL (43 – 11), Financial Services Applications (41 – 19), Communications Applications (39 – 22), Retail Applications (30 – 15), Systems (20 – 14), and Blockchain Platform (15 – 14).

Other Oracle applications that received patches this week include PeopleSoft, Hyperion, Supply Chain, Enterprise Manager, HealthCare Applications, JD Edwards, Java SE, Commerce, Insurance Applications, Virtualization, Hospitality Applications, Database Server, GoldenGate, and others.

For many of these applications, as well as for some software that did not receive security fixes, Oracle announced the inclusion of third-party patches in the April 2022 CPU.

For most products, the newly announced security patches also addressed additional vulnerabilities, and in some cases non-exploitable CVEs were also resolved, Oracle announced.

The tech giant notes that it continuously receives reports of attacks targeting vulnerabilities that have already been addressed in its products, and strongly advises customers to use actively supported versions of its products and to apply CPUs in a timely manner.

The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday encouraged users and administrators to review Oracle’s April 2022 CPU and apply the available patches as soon as possible.

“Oracle has released its Critical Patch Update for April 2022 to address 520 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system,” CISA said.

Oracle plans to release the next CPU on July 19, 2022.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
