Security Experts:

Connect with us

Hi, what are you looking for?



Oracle Releases 520 New Security Patches With April 2022 CPU

Oracle on Tuesday announced the release of 520 security fixes as part of its April 2022 Critical Patch Update (CPU), including nearly 300 for vulnerabilities that can be exploited remotely without authentication.

Oracle on Tuesday announced the release of 520 security fixes as part of its April 2022 Critical Patch Update (CPU), including nearly 300 for vulnerabilities that can be exploited remotely without authentication.

Roughly 75 of the patches deal with security holes rated “critical severity,” including three that feature a CVSS score of 10. Over 40 of the remaining vulnerabilities have a CVSS score between 8 and 9.

Several of the patches that Oracle included in this month’s CPU deal with CVE-2022-22965 – also known as Spring4Shell and SpringShell – a critical remote code execution (RCE) bug in the Spring Framework. One of these patches also resolves CVE-2022-22963, a critical RCE flaw in the Spring Cloud Function.

Oracle Communications received the largest number of patches in this quarterly CPU, at 149. Of the addressed bugs, 98 can be exploited remotely without authentication, Oracle notes in its advisory.

The bulk of the remaining patches were released for Fusion Middleware (54 fixes – 41 for flaws exploitable remotely, without authentication), MySQL (43 – 11), Financial Services Applications (41 – 19), Communications Applications (39 – 22), Retail Applications (30 – 15), Systems (20 – 14), and Blockchain Platform (15 – 14).

[ READ: Oracle’s First Security Updates for 2022 Include 497 Patches ]

Other Oracle applications that received patches this week include PeopleSoft, Hyperion, Supply Chain, Enterprise Manager, HealthCare Applications, JD Edwards, Java SE, Commerce, Insurance Applications, Virtualization, Hospitality Applications, Database Server, GoldenGate, and others.

For many of these applications, as well as for some software that did not receive security fixes, Oracle announced the inclusion of third-party patches in the April 2022 CPU.

For most products, the newly announced security patches also addressed additional vulnerabilities, and in some cases non-exploitable CVEs were also resolved, Oracle announced.

The tech giant notes that it continuously receives reports of attacks targeting vulnerabilities that have already been addressed in its products, and strongly advises customers to use actively-supported versions of its products and to apply CPUs in a timely manner.

The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday encouraged users and administrators to review Oracle’s April 2022 CPU and apply the available patches as soon as possible.

“Oracle has released its Critical Patch Update for April 2022 to address 520 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system,” CISA said.

Oracle plans to release the next CPU on July 19, 2022.

Related: Oracle’s October 2021 CPU Includes 419 Security Patches

Related: Oracle Releases July 2021 CPU With 342 Security Patches

Related: Oracle Delivers 390 Security Fixes With April 2021 CPU

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.