Security Experts:

Connect with us

Hi, what are you looking for?



Oracle’s First Security Updates for 2022 Include 497 Patches

Oracle on Tuesday announced its first set of quarterly security updates for 2022, which include a total of 497 new patches. More than half of the addressed vulnerabilities can be exploited remotely without authentication.

Oracle on Tuesday announced its first set of quarterly security updates for 2022, which include a total of 497 new patches. More than half of the addressed vulnerabilities can be exploited remotely without authentication.

As part of the January 2022 Critical Patch Update (CPU), Oracle addressed 28 vulnerabilities rated critical severity, including two that have a CVSS score of 10. Roughly 120 of the remaining vulnerabilities feature CVSS scores between 8.0 and 9.0.

Just as in October 2021, the largest number of patches are for Oracle’s Communications product. This month, 84 such patches were announced, with 50 of the addressed vulnerabilities being remotely exploitable without authentication.

Oracle published 78 patches for MySQL, including fixes for 3 unauthenticated, remotely exploitable issues, and 48 patches for Financial Services Applications (37 for security flaws that an unauthenticated attacker can exploit remotely).

Retail Applications received 43 patches (34 vulnerabilities exploitable remotely, without authentication), Fusion Middleware received 39 fixes (35 remote, unauthenticated bugs), while Communications Applications got 33 security updates (22 flaws remotely exploitable, without authentication).

Oracle also released fixes for Construction and Engineering (22 fixes – 15 unauthenticated, remotely exploitable flaws), Java SE (18 – 18), PeopleSoft (13 – 10), Utilities Applications (13 – 7), Systems (11 – 7), Supply Chain (10 – 8), E-Business Suite (9 – 5), Health Sciences Applications (8 – 8), Insurance Applications (7 – 6), Enterprise Manager (7 – 6), and Commerce (6 – 6).

Other Oracle software to have received patches include Airlines Data Model, Big Data Graph, Communications Data Model, Database Server, Essbase, Food and Beverage Applications, GoldenGate, Graph Server and Client, HealthCare Applications, Hospitality Applications, Hyperion, iLearning, JD Edwards, NoSQL Database, Policy Automation, REST Data Services, Secure Backup, Spatial Studio, Siebel CRM, Support Tools, TimesTen In-Memory Database, and Virtualization.

Oracle published a security bulletin regarding the Apache Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046 in December 2021.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches,” the tech giant notes.

The company encourages all customers to apply the available security updates as soon as possible, to ensure their systems are protected against potential attacks.

Oracle plans to release the next set of quarterly patches on April 19.

The United States Cybersecurity and Infrastructure Security Agency (CISA) encouraged administrators to review Oracle’s latest CPU and apply the fixes immediately.

“A remote attacker could exploit some of these vulnerabilities to take control of an affected system,” CISA notes.

Related: Oracle’s October 2021 CPU Includes 419 Security Patches

Related: Oracle Releases July 2021 CPU With 342 Security Patches

Related: Oracle Delivers 390 Security Fixes With April 2021 CPU

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.