
Oracle Releases 520 New Security Patches With April 2022 CPU

Oracle on Tuesday announced the release of 520 security fixes as part of its April 2022 Critical Patch Update (CPU), including nearly 300 for vulnerabilities that can be exploited remotely without authentication.

Oracle on Tuesday announced the release of 520 security fixes as part of its April 2022 Critical Patch Update (CPU), including nearly 300 for vulnerabilities that can be exploited remotely without authentication.

Roughly 75 of the patches deal with security holes rated “critical severity,” including three that feature a CVSS score of 10. Over 40 of the remaining vulnerabilities have a CVSS score between 8 and 9.

Several of the patches that Oracle included in this month’s CPU deal with CVE-2022-22965 – also known as Spring4Shell and SpringShell – a critical remote code execution (RCE) bug in the Spring Framework. One of these patches also resolves CVE-2022-22963, a critical RCE flaw in the Spring Cloud Function.

Oracle Communications received the largest number of patches in this quarterly CPU, at 149. Of the addressed bugs, 98 can be exploited remotely without authentication, Oracle notes in its advisory.

The bulk of the remaining patches were released for Fusion Middleware (54 fixes, 41 of them for flaws exploitable remotely without authentication), MySQL (43 fixes, 11 remotely exploitable), Financial Services Applications (41, 19), Communications Applications (39, 22), Retail Applications (30, 15), Systems (20, 14), and Blockchain Platform (15, 14), where the second number in each pair is the count of flaws exploitable remotely without authentication.


Other Oracle applications that received patches this week include PeopleSoft, Hyperion, Supply Chain, Enterprise Manager, HealthCare Applications, JD Edwards, Java SE, Commerce, Insurance Applications, Virtualization, Hospitality Applications, Database Server, GoldenGate, and others.

For many of these applications, as well as for some software that did not receive security fixes, Oracle announced the inclusion of third-party patches in the April 2022 CPU.


For most products, the newly announced security patches also addressed additional vulnerabilities, and in some cases non-exploitable CVEs were also resolved, Oracle announced.

The tech giant notes that it continuously receives reports of attacks targeting vulnerabilities that have already been addressed in its products, and strongly advises customers to use actively-supported versions of its products and to apply CPUs in a timely manner.

The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday encouraged users and administrators to review Oracle’s April 2022 CPU and apply the available patches as soon as possible.

“Oracle has released its Critical Patch Update for April 2022 to address 520 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system,” CISA said.

Oracle plans to release the next CPU on July 19, 2022.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
