Oracle on Tuesday announced the release of 520 security fixes as part of its April 2022 Critical Patch Update (CPU), including nearly 300 for vulnerabilities that can be exploited remotely without authentication.
Roughly 75 of the patches deal with security holes rated “critical severity,” including three that feature a CVSS score of 10. Over 40 of the remaining vulnerabilities have a CVSS score between 8 and 9.
Several of the patches that Oracle included in this month’s CPU deal with CVE-2022-22965 – also known as Spring4Shell and SpringShell – a critical remote code execution (RCE) bug in the Spring Framework. One of these patches also resolves CVE-2022-22963, a critical RCE flaw in the Spring Cloud Function.
Oracle Communications received the largest number of patches in this quarterly CPU, at 149. Of the addressed bugs, 98 can be exploited remotely without authentication, Oracle notes in its advisory.
The bulk of the remaining patches were released for Fusion Middleware (54 fixes – 41 for flaws exploitable remotely, without authentication), MySQL (43 – 11), Financial Services Applications (41 – 19), Communications Applications (39 – 22), Retail Applications (30 – 15), Systems (20 – 14), and Blockchain Platform (15 – 14).
[ READ: Oracle’s First Security Updates for 2022 Include 497 Patches ]
Other Oracle applications that received patches this week include PeopleSoft, Hyperion, Supply Chain, Enterprise Manager, HealthCare Applications, JD Edwards, Java SE, Commerce, Insurance Applications, Virtualization, Hospitality Applications, Database Server, GoldenGate, and others.
For many of these applications, as well as for some software that did not receive security fixes, Oracle announced the inclusion of third-party patches in the April 2022 CPU.
For most products, the newly announced security patches also addressed additional vulnerabilities, and in some cases non-exploitable CVEs were also resolved, Oracle announced.
The tech giant notes that it continuously receives reports of attacks targeting vulnerabilities that have already been addressed in its products, and strongly advises customers to use actively-supported versions of its products and to apply CPUs in a timely manner.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday encouraged users and administrators to review Oracle’s April 2022 CPU and apply the available patches as soon as possible.
“Oracle has released its Critical Patch Update for April 2022 to address 520 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system,” CISA said.
Oracle plans to release the next CPU on July 19, 2022.
Related: Oracle’s October 2021 CPU Includes 419 Security Patches
Related: Oracle Releases July 2021 CPU With 342 Security Patches
Related: Oracle Delivers 390 Security Fixes With April 2021 CPU