Oracle Critical Patch Update Advisory – January 2022

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 497 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at January 2022 Critical Patch Update: Executive Summary and Analysis.

Please note that on December 10, 2021, Oracle released a Security Alert for Apache Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046. Customers should review the Alert if they have not already done so.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions Patch Availability Document
Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite, version 3.6 Oracle Supply Chain Products
Application Performance Management, versions 13.4.1.0, 13.5.1.0 Enterprise Manager
Big Data Spatial and Graph, versions prior to 23.1 Database
Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0 Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0 Enterprise Manager
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2410, prior to XCP3110 Systems
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Tools, versions prior to 9.2.6.1 JD Edwards
MySQL Cluster, versions 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior MySQL
MySQL Connectors, versions 8.0.27 and prior MySQL
MySQL Server, versions 5.7.36 and prior, 8.0.27 and prior MySQL
MySQL Workbench, versions 8.0.27 and prior MySQL
Oracle Access Manager, versions 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Agile Engineering Data Management, version 6.2.1.0 Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.6 Oracle Supply Chain Products
Oracle Agile PLM MCAD Connector, versions 3.4, 3.6 Oracle Supply Chain Products
Oracle Airlines Data Model, versions 12.1.1.0.0, 12.2.0.1.0 Oracle Airlines Data Model
Oracle Application Express, versions prior to 21.1.4 Database
Oracle Application Testing Suite, version 13.3.0.1 Enterprise Manager
Oracle Argus Analytics, versions 8.2.1, 8.2.2, 8.2.3 Health Sciences
Oracle Argus Insight, versions 8.2.1, 8.2.2, 8.2.3 Health Sciences
Oracle Argus Mart, versions 8.2.1, 8.2.2, 8.2.3 Health Sciences
Oracle Argus Safety, versions 8.2.1, 8.2.2, 8.2.3 Health Sciences
Oracle Banking APIs, versions 18.1-18.3, 19.1, 19.2, 20.1, 21.1 Contact Support
Oracle Banking Deposits and Lines of Credit Servicing, version 2.12.0 Contact Support
Oracle Banking Digital Experience, versions 17.2, 18.1-18.3, 19.1, 19.2, 20.1, 21.1 Contact Support
Oracle Banking Enterprise Default Management, versions 2.3.0-2.4.1, 2.6.2, 2.7.0, 2.7.1, 2.10.0, 2.12.0 Oracle Banking Platform
Oracle Banking Loans Servicing, version 2.12.0 Contact Support
Oracle Banking Party Management, version 2.7.0 Oracle Banking Platform
Oracle Banking Platform, versions 2.3.0-2.4.1, 2.6.2, 2.7.0, 2.7.1 Oracle Banking Platform
Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Business Activity Monitoring, versions 12.2.1.4.0, 12.2.1.5.0 Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Clinical, versions 5.2.1, 5.2.2 Health Sciences
Oracle Commerce Guided Search, version 11.3.2 Oracle Commerce
Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2 Oracle Commerce
Oracle Communications Billing and Revenue Management, versions 12.0.0.3, 12.0.0.4 Oracle Communications Billing and Revenue Management
Oracle Communications BRM – Elastic Charging Engine, versions 11.3, 12.0 Oracle Communications BRM – Elastic Charging Engine
Oracle Communications Calendar Server, version 8.0.0.5.0 Oracle Communications Calendar Server
Oracle Communications Cloud Native Core Automated Test Suite, version 1.8.0 Oracle Communications Cloud Native Core Automated Test Suite
Oracle Communications Cloud Native Core Binding Support Function, versions 1.9.0, 1.10.0 Oracle Communications Cloud Native Core Binding Support Function
Oracle Communications Cloud Native Core Console, version 1.7.0 Communications Cloud Native Core Console
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, version 1.9.0 Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Oracle Communications Cloud Native Core Network Repository Function, version 1.14.0 Oracle Communications Cloud Native Core Network Repository Function
Oracle Communications Cloud Native Core Policy, version 1.14.0 Communications Cloud Native Core Policy
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 1.5.0, 1.6.0, 1.15.0 Communications Cloud Native Core Security Edge Protection Proxy
Oracle Communications Cloud Native Core Service Communication Proxy, version 1.14.0 Communications Cloud Native Core Service Communication Proxy
Oracle Communications Cloud Native Core Unified Data Repository, version 1.14.0 Communications Cloud Native Core Unified Data Repository
Oracle Communications Contacts Server, version 8.0.0.3.0 Oracle Communications Contacts Server
Oracle Communications Convergence, version 3.0.2.2.0 Oracle Communications Convergence
Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0 Oracle Communications Convergent Charging Controller
Oracle Communications Data Model, versions 11.3.2.1.0, 11.3.2.2.0, 11.3.2.3.0, 12.1.0.1.0, 12.1.2.0.0 Oracle Communications Data Model
Oracle Communications Design Studio, versions 7.3.4, 7.3.5, 7.4.0, 7.4.1, 7.4.2 Oracle Communications Design Studio
Oracle Communications Diameter Signaling Router, versions 8.0.0.0-8.5.1.0 Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE Application Processor, versions 16.1-16.4 Oracle Communications EAGLE Application Processor
Oracle Communications Instant Messaging Server, version 10.0.1.5.0 Oracle Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder, versions 6.3, 6.4 Oracle Communications Interactive Session Recorder
Oracle Communications Messaging Server, version 8.1 Oracle Communications Messaging Server
Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0 Oracle Communications Network Charging and Control
Oracle Communications Network Integrity, versions 7.3.5, 7.3.6 Oracle Communications Network Integrity
Oracle Communications Offline Mediation Controller, version 12.0.0.3 Oracle Communications Offline Mediation Controller
Oracle Communications Operations Monitor, versions 3.4, 4.2, 4.3, 4.4, 5.0 Oracle Communications Operations Monitor
Oracle Communications Pricing Design Center, versions 12.0.0.3.0, 12.0.0.4.0 Oracle Communications Pricing Design Center
Oracle Communications Service Broker, version 6.2 Oracle Communications Service Broker
Oracle Communications Services Gatekeeper, version 7.0 Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions 8.2, 8.3, 8.4, 9.0 Oracle Communications Session Border Controller
Oracle Communications Unified Inventory Management, versions 7.3.0, 7.3.4, 7.3.5, 7.4.0, 7.4.1, 7.4.2, 7.5.0 Oracle Communications Unified Inventory Management
Oracle Communications WebRTC Session Controller, versions 7.2.0, 7.2.1 Oracle Communications WebRTC Session Controller
Oracle Data Integrator, versions 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 19c, 21c Database
Oracle Demantra Demand Management, versions 12.2.6-12.2.11 Oracle Supply Chain Products
Oracle E-Business Suite, versions 12.2.3-12.2.11 Oracle E-Business Suite
Oracle Enterprise Communications Broker, version 3.3 Oracle Enterprise Communications Broker
Oracle Enterprise Data Quality, versions 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Enterprise Session Border Controller, versions 8.4, 9.0 Oracle Enterprise Session Border Controller
Oracle Essbase, versions prior to 11.1.2.4.47, prior to 21.3 Database
Oracle Essbase Administration Services, versions prior to 11.1.2.4.47 Database
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7-8.1.1 Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Behavior Detection Platform, versions 8.0.7, 8.0.8, 8.1.1 Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Enterprise Case Management, versions 8.0.7, 8.0.8, 8.1.1 Oracle Financial Services Enterprise Case Management
Oracle Financial Services Foreign Account Tax Compliance Act Management, versions 8.0.7, 8.0.8, 8.1.1 Contact Support
Oracle Financial Services Model Management and Governance, versions 8.0.8-8.1.1 Oracle Financial Services Model Management and Governance
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, versions 8.0.7, 8.0.8 Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition
Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.4.0, 14.5.0 Contact Support
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0 Contact Support
Oracle Fusion Middleware, versions 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Fusion Middleware MapViewer, version 12.2.1.4.0 Fusion Middleware
Oracle GoldenGate, versions prior to 12.3.0.1, prior to 19.1.0.0.220118, prior to 21.4.0.0.0, prior to 21.5.0.0.220118 Database
Oracle GraalVM Enterprise Edition, versions 20.3.4, 21.3.0 Java SE
Oracle Graph Server and Client, versions prior to 21.4 Database
Oracle Health Sciences Clinical Development Analytics, version 4.0.1 Health Sciences
Oracle Health Sciences InForm CRF Submit, version 6.2.1 Health Sciences
Oracle Health Sciences Information Manager, versions 3.0.2, 3.0.3 HealthCare Applications
Oracle Healthcare Data Repository, versions 7.0.2, 8.1.0, 8.1.1 HealthCare Applications
Oracle Healthcare Foundation, versions 7.3.0.0-7.3.0.2, 8.0.0-8.0.2, 8.1.0-8.1.1 HealthCare Applications
Oracle Healthcare Translational Research, version 4.1.0 HealthCare Applications
Oracle Hospitality Cruise Shipboard Property Management System, version 20.1.0 Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality OPERA 5, version 5.6 Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Reporting and Analytics, version 9.1.0 Oracle Hospitality Reporting and Analytics
Oracle Hospitality Suite8, versions 8.10.2, 8.11.0, 8.12.0, 8.13.0, 8.14.0 Oracle Hospitality Suite8
Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0, 12.2.1.5.0 Fusion Middleware
Oracle Hyperion Infrastructure Technology, version 11.2.7.0 Fusion Middleware
Oracle iLearning, versions 6.2, 6.3 iLearning
Oracle Insurance Data Gateway, versions 11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1 Oracle Insurance Applications
Oracle Insurance Insbridge Rating and Underwriting, versions 5.2.0, 5.4.0-5.6.0 Oracle Insurance Applications
Oracle Insurance Policy Administration, versions 11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1 Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0 Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0, 11.3.1 Oracle Insurance Applications
Oracle Java SE, versions 7u321, 8u311, 11.0.13, 17.1 Java SE
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle NoSQL Database, versions prior to 21.1.12 NoSQL Database
Oracle Policy Automation, versions 12.2.0-12.2.24 Oracle Policy Automation
Oracle Product Lifecycle Analytics, version 3.6.1 Oracle Supply Chain Products
Oracle Rapid Planning, versions 12.2.6-12.2.11 Oracle Supply Chain Products
Oracle Real User Experience Insight, versions 13.4.1.0, 13.5.1.0 Enterprise Manager
Oracle REST Data Services, versions prior to 21.2.4 Database
Oracle Retail Allocation, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 Retail Applications
Oracle Retail Analytics, version 21.0.1 Retail Applications
Oracle Retail Assortment Planning, version 16.0.3 Retail Applications
Oracle Retail Back Office, version 14.1 Retail Applications
Oracle Retail Central Office, version 14.1 Retail Applications
Oracle Retail Customer Insights, version 21.0.1 Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0-19.0 Retail Applications
Oracle Retail EFTLink, versions 16.0.3, 17.0.2, 18.0.1, 19.0.1, 20.0.1 Retail Applications
Oracle Retail Extract Transform and Load, version 13.2.8 Retail Applications
Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 Retail Applications
Oracle Retail Fiscal Management, version 14.2 Retail Applications
Oracle Retail Integration Bus, versions 14.1.3.0, 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 Retail Applications
Oracle Retail Invoice Matching, versions 15.0.3, 16.0.3 Retail Applications
Oracle Retail Merchandising System, version 19.0.1 Retail Applications
Oracle Retail Order Broker, versions 16.0, 18.0, 19.1 Retail Applications
Oracle Retail Order Management System, version 19.5 Retail Applications
Oracle Retail Point-of-Service, version 14.1 Retail Applications
Oracle Retail Predictive Application Server, versions 14.1.3, 14.1.3.46, 15.0.3, 15.0.3.115, 16.0.3, 16.0.3.240 Retail Applications
Oracle Retail Price Management, versions 13.2, 14.0.4, 14.1, 14.1.3, 15, 15.0.3, 16, 16.0.3 Retail Applications
Oracle Retail Returns Management, version 14.1 Retail Applications
Oracle Retail Service Backbone, versions 14.1.3.0, 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 Retail Applications
Oracle Retail Size Profile Optimization, version 16.0.3 Retail Applications
Oracle Retail Xstore Point of Service, versions 17.0.4, 18.0.3, 19.0.2, 20.0.1 Retail Applications
Oracle SD-WAN Aware, version 8.2 Oracle SD-WAN Aware
Oracle SD-WAN Edge, versions 9.0, 9.1 Oracle SD-WAN Edge
Oracle Secure Backup, versions prior to 18.1.0.1.0 Oracle Secure Backup
Oracle Solaris, versions 10, 11 Systems
Oracle Spatial Studio, versions prior to 21.2.1 Database
Oracle Thesaurus Management System, versions 5.2.3, 5.3.0, 5.3.1 Health Sciences
Oracle TimesTen In-Memory Database, versions prior to 11.2.2.8.27, prior to 21.1.1.1.0 Database
Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0 Oracle Utilities Applications
Oracle Utilities Testing Accelerator, versions 6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1 Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 6.1.32 Virtualization
Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle WebLogic Server, versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8 Systems
Oracle ZFS Storage Application Integration Engineering Software, version 1.3.3 Systems
OSS Support Tools, versions prior to 2.12.42 Oracle Support Tools
PeopleSoft Enterprise CS SA Integration Pack, versions 9.0, 9.2 PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.57, 8.58, 8.59 PeopleSoft
Primavera Analytics, versions 18.8.3.3, 19.12.11.1, 20.12.12.0 Oracle Construction and Engineering Suite
Primavera Data Warehouse, versions 18.8.3.3, 19.12.11.1, 20.12.12.0 Oracle Construction and Engineering Suite
Primavera Gateway, versions 17.12.0-17.12.11, 18.8.0-18.8.13, 19.12.0-19.12.12, 20.12.0-20.12.7, 21.12.0 Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 17.12.0.0-17.12.20.0, 18.8.0.0-18.8.24.0, 19.12.0.0-19.12.18.0, 20.12.0.0-20.12.12.0, 21.12.0.0 Oracle Construction and Engineering Suite
Primavera P6 Professional Project Management, versions 17.12.0.0-17.12.20.0, 18.8.0.0-18.8.24.0, 19.12.0.0-19.12.17.0, 20.12.0.0-20.12.9.0 Oracle Construction and Engineering Suite
Primavera Portfolio Management, versions 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0, 20.0.0.1 Oracle Construction and Engineering Suite
Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12, 21.12 Oracle Construction and Engineering Suite
Siebel Applications, versions 21.12 and prior Siebel

Note:

  • Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
  • Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets, which contain critical security fixes and are detailed in the Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
  • Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Beneath each product’s risk matrix, Oracle lists updates that address vulnerabilities in third-party components which are not exploitable in the context of their inclusion in that Oracle product.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • Abdelrhman Yousri: CVE-2022-21246, CVE-2022-21402, CVE-2022-21403
  • Alexander Kornbrust of Red Database Security: CVE-2022-21247
  • Andrej Simko of Accenture: CVE-2022-21251
  • Anonymous researcher working with Trend Micro’s Zero Day Initiative: CVE-2022-21279, CVE-2022-21280, CVE-2022-21284, CVE-2022-21285, CVE-2022-21286, CVE-2022-21287, CVE-2022-21288, CVE-2022-21289, CVE-2022-21290, CVE-2022-21307, CVE-2022-21308, CVE-2022-21309
  • Aobo Wang of Chaitin Security Research Lab: CVE-2022-21295
  • Dan Rabe: CVE-2022-21296
  • Dinh Ho Anh Khoa of Viettel Cyber Security: CVE-2021-35684, CVE-2022-21306
  • Fabian Meumertzheim of Code Intelligence: CVE-2022-21360, CVE-2022-21366
  • Frederic Quenneville of videotron.com: CVE-2022-21338
  • Hamed Ashraf: CVE-2022-21395, CVE-2022-21396, CVE-2022-21397, CVE-2022-21398, CVE-2022-21399, CVE-2022-21400, CVE-2022-21401
  • Hans Christian Woithe: CVE-2021-43395
  • Harold Siyu Zang of Trustwave: CVE-2022-21381, CVE-2022-21382, CVE-2022-21383
  • Jangggg of VNPT: CVE-2021-35587
  • Jeremy Nunn of Trustwave: CVE-2022-21383
  • Jie Liang of WingTecher Lab of Tsinghua University: CVE-2022-21303, CVE-2022-21304
  • Jingzhou Fu of WingTecher Lab of Tsinghua University: CVE-2022-21303, CVE-2022-21304
  • Jonah T: CVE-2021-35685, CVE-2022-21371
  • Jonni Passki of Apple Information Security: CVE-2022-21282
  • Kun Yang of Chaitin Security Research Lab: CVE-2022-21295
  • Liboheng of Tophant Starlight laboratory: CVE-2022-21261
  • Longofo of Knownsec 404 Team: CVE-2022-21252, CVE-2022-21260
  • Lucas Leong (wmliang) of Trend Micro Zero Day Initiative: CVE-2022-21310, CVE-2022-21311, CVE-2022-21312, CVE-2022-21313, CVE-2022-21314, CVE-2022-21315, CVE-2022-21316, CVE-2022-21317, CVE-2022-21318, CVE-2022-21319, CVE-2022-21320, CVE-2022-21321, CVE-2022-21322, CVE-2022-21323, CVE-2022-21324, CVE-2022-21325, CVE-2022-21326, CVE-2022-21327, CVE-2022-21328, CVE-2022-21329, CVE-2022-21330, CVE-2022-21331, CVE-2022-21332, CVE-2022-21333, CVE-2022-21334, CVE-2022-21335, CVE-2022-21336, CVE-2022-21337, CVE-2022-21355, CVE-2022-21356, CVE-2022-21357, CVE-2022-21380
  • Markus Loewe: CVE-2022-21293, CVE-2022-21294
  • Matei “Mal” Badanoiu: CVE-2022-21392
  • osword from SGLAB of Legendsec at Qi’anxin Group: CVE-2022-21347
  • peterjson – Security Engineering – VNG Corporation: CVE-2021-35587
  • r00t4dm: CVE-2022-21252, CVE-2022-21257, CVE-2022-21258, CVE-2022-21259, CVE-2022-21260, CVE-2022-21261, CVE-2022-21262
  • RE:HACK: CVE-2022-21373
  • Reno Robert working with Trend Micro Zero Day Initiative: CVE-2022-21355, CVE-2022-21356, CVE-2022-21357, CVE-2022-21380
  • Ryota Shiga (Ga_ryo_) of Flatt Security working with Trend Micro Zero Day Initiative: CVE-2022-21394
  • Sander Meijering of HackDefense: CVE-2021-35685, CVE-2022-21371
  • Thijmen Kooy of HackDefense: CVE-2021-35685, CVE-2022-21371
  • thiscodecc of MoyunSec V-Lab: CVE-2022-21292, CVE-2022-21350, CVE-2022-21361
  • Victor Rodriguez: CVE-2022-21364
  • Yaoguang Chen of Ant Security Light-Year Lab: CVE-2022-21303, CVE-2022-21304
  • Zhiqiang Zang of University of Texas at Austin: CVE-2022-21305
  • Zhiyong Wu of WingTecher Lab of Tsinghua University: CVE-2022-21303, CVE-2022-21304

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program:

  • Huixin Ma of Tencent.com [2 reports]
  • Liying Wang
  • Longofo of Knownsec 404 Team
  • r00t4dm
  • Robin Textor

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

  • Abderrahmane Elghoul
  • Abilash V L
  • Abisheik M
  • Adam Willard
  • Aleena Avarachan
  • Ali Alzahrani
  • Aniket Nimkar
  • Ashik Kunjumon
  • B.Dhiyaneshwaran aka (Geek Freak) [2 reports]
  • Dhanesh Sivasamy
  • Dor Tumarkin, Principal Application Security Researcher at Checkmarx
  • Gaurang Maheta [2 reports]
  • Jangggg of VNPT
  • Kishore Hariram
  • Lidor Ben Shitrit from Orca Security
  • Lokesh Rulz
  • Malicious.Group
  • Mohit Ahir
  • N3td1v3r
  • Nightwatch Cybersecurity Research
  • peterjson – Security Engineering – VNG Corporation
  • pinkflower
  • Quan Doan of R&D Center – VinCSS LLC (a member of Vingroup)
  • Rahul PS
  • Rob Evans of Fortinet, Inc.
  • Rounak Sharma
  • Sakhare Vinayak
  • Samprit Das (sampritdas8)
  • Saptak Saha
  • Shubham Choudhery
  • Shuvam Adhikari [4 reports]
  • Srikar V – exp1o1t9r
  • Truffle Security Co
  • Yeswanth Reddy

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 19 April 2022
  • 19 July 2022
  • 18 October 2022
  • 17 January 2023

Modification History

Date | Note
2022-January-18 | Rev 2. Updated Siebel Applications versions and added a couple of credit names
2022-January-18 | Rev 1. Initial Release

Oracle Database Products Risk Matrices

This Critical Patch Update contains 28 new security patches for Oracle Database Products divided as follows:

  • 4 new security patches for Oracle Database Products
  • 1 new security patch for Oracle Airlines Data Model
  • 2 new security patches for Oracle Big Data Graph
  • 1 new security patch for Oracle Communications Data Model
  • 4 new security patches for Oracle Essbase
  • 3 new security patches for Oracle GoldenGate
  • 2 new security patches for Oracle Graph Server and Client
  • 1 new security patch for Oracle NoSQL Database
  • 2 new security patches for Oracle REST Data Services
  • 2 new security patches for Oracle Secure Backup
  • 1 new security patch for Oracle Spatial Studio
  • 5 new security patches for Oracle TimesTen In-Memory Database

Oracle Database Server Risk Matrix

This Critical Patch Update contains 4 new security patches plus additional third party patches noted below for Oracle Database Products. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-37695 | Oracle Application Express (CKEditor) | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 21.1.4 |
CVE-2022-21393 | Java VM | Create Procedure | Oracle Net | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 12.1.0.2, 12.2.0.1, 19c, 21c |
CVE-2021-32723 | Oracle Application Express (Prism) | Valid User Account | HTTP | No | 3.5 | Network | Low | Low | Required | Unchanged | None | None | Low | Prior to 21.1.4 |
CVE-2022-21247 | Core RDBMS | Create Session, Execute Catalog Role | Oracle Net | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 12.2.0.1, 19c |

Additional CVEs addressed are:

  • The patch for CVE-2021-37695 also addresses CVE-2021-32808 and CVE-2021-32809.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Database Configuration Assistant (Apache Commons Compress): CVE-2021-36090, CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
  • Oracle Spatial and Graph (Apache Log4j): CVE-2021-45105.
  • Trace file analyzer (Apache Log4j): CVE-2021-45105.
  • Workload Manager (Guava): CVE-2020-8908.
  • Workload Manager (Jetty): CVE-2021-28165, CVE-2021-28169 and CVE-2021-34428.

Oracle Airlines Data Model Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Airlines Data Model. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-2351 | Oracle Airlines Data Model | Installation (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 12.2.0.1.0, 12.1.1.0.0 |

Oracle Big Data Graph Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Big Data Graph. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-2351 | Big Data Spatial and Graph | Big Data Graph (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Prior to 23.1 |
CVE-2021-30639 | Big Data Spatial and Graph | Big Data Graph (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | Prior to 23.1 |

Oracle Communications Data Model Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Communications Data Model. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-2351 | Oracle Communications Data Model | Utilities (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 11.3.2.2.0, 12.1.2.0.0, 12.1.0.1.0, 11.3.2.3.0, 11.3.2.1.0 |

Oracle Essbase Risk Matrix

This Critical Patch Update contains 4 new security patches plus additional third-party patches noted below for Oracle Essbase. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-35683 | Oracle Essbase Administration Services | EAS Console | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | Prior to 11.1.2.4.047 |
CVE-2021-3711 | Oracle Essbase | Infrastructure (OpenSSL) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 11.1.2.4.047, Prior to 21.3 |
CVE-2021-22901 | Oracle Essbase | Build (cURL) | HTTPS | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | Prior to 11.1.2.4.047, Prior to 21.3 |
CVE-2021-20718 | Oracle Essbase | Infrastructure (mod_auth_openidc) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 21.3 |

Additional CVEs addressed are:

  • The patch for CVE-2021-22901 also addresses CVE-2021-22897 and CVE-2021-22898.
  • The patch for CVE-2021-3711 also addresses CVE-2021-3712.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Essbase
    • Infrastructure (Apache Commons Compress): CVE-2021-36090, CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.

Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle GoldenGate. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-23017 | Oracle GoldenGate | GG Market Place for Support (nginx) | UDP | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | Prior to 21.4.0.0.0 |
CVE-2021-2351 | Oracle GoldenGate | Database (OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Prior to 21.5.0.0.220118, Prior to 19.1.0.0.220118, Prior to 12.3.0.1 |
CVE-2018-1311 | Oracle GoldenGate | Build Request (Apache Xerces-C++) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | Prior to 21.4.0.0.0 |

Oracle Graph Server and Client Risk Matrix

This Critical Patch Update contains 2 new security patches plus additional third-party patches noted below for Oracle Graph Server and Client. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-2351 | Oracle Graph Server and Client | Packaging/install issues (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Prior to 21.4 |
CVE-2021-33037 | Oracle Graph Server and Client | Packaging/Install (Apache Tomcat) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Prior to 21.4 |

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Graph Server and Client
    • Packaging/Install (Apache Commons IO): CVE-2021-29425.

Oracle NoSQL Database Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle NoSQL Database. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-21409 | Oracle NoSQL Database | Administration (Netty) | Local Logon | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | Prior to 21.1.12 |

Oracle REST Data Services Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle REST Data Services. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-28165 | Oracle REST Data Services | General (Eclipse Jetty) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 21.2.0 |
CVE-2021-32014 | Oracle REST Data Services | General (SheetJS) | Local Logon | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | Prior to 21.2.4 |

Additional CVEs addressed are:

  • The patch for CVE-2021-28165 also addresses CVE-2021-28169 and CVE-2021-34428.
  • The patch for CVE-2021-32014 also addresses CVE-2021-32012 and CVE-2021-32013.

Oracle Secure Backup Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Secure Backup. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-26691 | Oracle Secure Backup | Oracle Secure Backup (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 18.1.0.1.0 |
CVE-2021-3712 | Oracle Secure Backup | Oracle Secure Backup (OpenSSL) | HTTPS | Yes | 7.4 | Network | High | None | None | Unchanged | High | None | High | Prior to 18.1.0.1.0 |

Additional CVEs addressed are:

  • The patch for CVE-2021-26691 also addresses CVE-2021-33193 and CVE-2021-42013.

Oracle Spatial Studio Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Spatial Studio. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-2351 | Oracle Spatial Studio | Install (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Prior to 21.2.1 |

Oracle TimesTen In-Memory Database Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle TimesTen In-Memory Database. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-2351 | Oracle TimesTen In-Memory Database | EM TimesTen plug-in (JDBC, OCCI) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Prior to 21.1.1.1.0 |
CVE-2021-29923 | Oracle TimesTen In-Memory Database | EM TimesTen plug-in (Go) | TCP/IP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | Prior to 21.1.1.1.0 |
CVE-2021-29923 | Oracle TimesTen In-Memory Database | Install (Go) | TCP/IP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | Prior to 21.1.1.1.0 |
CVE-2020-7712 | Oracle TimesTen In-Memory Database | TimesTen Infrastructure (Apache ZooKeeper) | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | Prior to 21.1.1.1.0 |
CVE-2020-11979 | Oracle TimesTen In-Memory Database | Install (Apache Ant) | Local Logon | No | 6.5 | Network | Low | Low | None | Unchanged | None | High | None | Prior to 11.2.2.8.27 |

Additional CVEs addressed are:

  • The patch for CVE-2020-11979 also addresses CVE-2020-1945, CVE-2021-36373 and CVE-2021-36374.
  • The patch for CVE-2021-29923 also addresses CVE-2021-34558 and CVE-2021-36221.

Oracle Commerce Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Commerce. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2021-2351 | Oracle Commerce Platform | Dynamo Application Framework (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 11.3.0, 11.3.1, 11.3.2 |
CVE-2021-36090 | Oracle Commerce Guided Search | Content Acquisition System (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3.2 |
CVE-2021-37137 | Oracle Commerce Guided Search | Content Acquisition System (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3.2 |
CVE-2020-13935 | Oracle Commerce Guided Search | Endeca Application Controller (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3.2 |
CVE-2022-21387 | Oracle Commerce Platform | Dynamo Application Framework | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.3.0, 11.3.1, 11.3.2 |
CVE-2021-29425 | Oracle Commerce Guided Search | Content Acquisition System (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 11.3.2 |

Additional CVEs addressed are:

  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
  • The patch for CVE-2021-37137 also addresses CVE-2021-37136.

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 33 new security patches for Oracle Communications Applications. 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2022-21275 | Oracle Communications Billing and Revenue Management | Connection Manager | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 12.0.0.3, 12.0.0.4 |
CVE-2022-21389 | Oracle Communications Billing and Revenue Management | Connection Manager | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 12.0.0.3, 12.0.0.4 |
CVE-2022-21390 | Oracle Communications Billing and Revenue Management | Webservices Manager | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 12.0.0.3, 12.0.0.4 |
CVE-2022-21276 | Oracle Communications Billing and Revenue Management | Connection Manager | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 12.0.0.3, 12.0.0.4 |
CVE-2022-21391 | Oracle Communications Billing and Revenue Management | Connection Manager | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 12.0.0.3, 12.0.0.4 |
CVE-2021-39139 | Oracle Communications BRM – Elastic Charging Engine | Updater (XStream) | TCP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.3, 12.0 |
CVE-2021-29505 | Oracle Communications Unified Inventory Management | Rulesets (XStream) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 7.3.4, 7.3.5, 7.4.0, 7.4.1, 7.4.2 |
CVE-2021-2351 | Oracle Communications Calendar Server | Administration (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 8.0.0.5.0 |
CVE-2021-2351 | Oracle Communications Contacts Server | Database (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 8.0.0.3.0 |
CVE-2021-2351 | Oracle Communications Convergent Charging Controller | ACS (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0 |
CVE-2021-2351 | Oracle Communications Design Studio | OSM, NI Plugins (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 7.3.5, 7.4.0, 7.4.1, 7.4.2 |
CVE-2021-2351 | Oracle Communications Network Charging and Control | ACS (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0 |
CVE-2021-2351 | Oracle Communications Network Integrity | Installer (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 7.3.5, 7.3.6 |
CVE-2020-28052 | Oracle Communications Convergence | Messaging (Bouncy Castle Java Library) | S/MIME | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 3.0.2.2.0 |
CVE-2020-24750 | Oracle Communications Instant Messaging Server | PresenceApi (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 10.0.1.5.0 |
CVE-2020-24750 | Oracle Communications Offline Mediation Controller | Installer (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.0.0.3 |
CVE-2020-24750 | Oracle Communications Pricing Design Center | Installation (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.0.0.4.0 |
CVE-2021-22118 | Oracle Communications Unified Inventory Management | TMF API (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 7.4.1, 7.4.2, 7.5.0 |
CVE-2022-21266 | Oracle Communications Billing and Revenue Management | Pipeline Manager | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.0.0.3, 12.0.0.4 |
CVE-2021-25122 | Oracle Communications Instant Messaging Server | DBPlugin (Apache Tomcat) | XMPP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 10.0.1.5.0 |
CVE-2021-37714 | Oracle Communications Messaging Server | ISC (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.1 |
CVE-2021-36090 | Oracle Communications Unified Inventory Management | Inventory Organizer (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.4.0, 7.4.1, 7.4.2, 7.5.0 |
CVE-2019-10086 | Oracle Communications Convergence | Message Store (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 3.0.2.2.0 |
CVE-2019-10086 | Oracle Communications Design Studio | Inventory (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 7.3.4, 7.3.5, 7.4.0 |
CVE-2020-5421 | Oracle Communications Design Studio | Inventory (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 7.3.4, 7.3.5, 7.4.0 |
CVE-2021-36374 | Oracle Communications Unified Inventory Management | Build Tool (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 7.3.0, 7.4.0, 7.4.1, 7.4.2, 7.5.0 |
CVE-2021-29425 | Oracle Communications BRM – Elastic Charging Engine | Charging Controller (Apache Commons IO) | TCP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 12.0 |
CVE-2021-29425 | Oracle Communications Convergence | Convergence Server (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 3.0.2.2.0 |
CVE-2021-29425 | Oracle Communications Offline Mediation Controller | Installation (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 12.0.0.3 |
CVE-2022-21338 | Oracle Communications Convergence | General Framework | HTTP | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | Low | None | 3.0.2.2.0 |
CVE-2022-21267 | Oracle Communications Billing and Revenue Management | Pipeline Manager | None | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | 12.0.0.3, 12.0.0.4 |
CVE-2022-21268 | Oracle Communications Billing and Revenue Management | Pipeline Manager | None | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | 12.0.0.3, 12.0.0.4 |
CVE-2022-21388 | Oracle Communications Pricing Design Center | On Premise Install | None | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | 12.0.0.3.0, 12.0.0.4.0 |

Additional CVEs addressed are:

  • The patch for CVE-2020-24750 also addresses CVE-2020-24616, CVE-2020-25649 and CVE-2020-36189.
  • The patch for CVE-2021-25122 also addresses CVE-2020-13934, CVE-2020-13935, CVE-2020-17527, CVE-2021-25329 and CVE-2021-33037.
  • The patch for CVE-2021-29505 also addresses CVE-2021-39154.
  • The patch for CVE-2021-39139 also addresses CVE-2021-29505, CVE-2021-39140, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152, CVE-2021-39153 and CVE-2021-39154.

Oracle Communications Risk Matrix

This Critical Patch Update contains 84 new security patches plus additional third-party patches noted below for Oracle Communications. 50 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2021-23440 Oracle Communications Cloud Native Core Policy Policy (set-value) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 1.14.0
CVE-2021-21783 Oracle Communications EAGLE Application Processor Platform (gSOAP) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 16.1-16.4
CVE-2021-32827 Oracle Communications Cloud Native Core Policy Policy (MockServer) HTTP Yes 9.6 Network Low None Required Changed High High High 1.14.0
CVE-2021-27568 Oracle Communications Cloud Native Core Policy Policy (netplex json-smart) HTTP Yes 9.1 Network Low None None Un-

changed
High None High 1.14.0
CVE-2021-39139 Oracle Communications Cloud Native Core Binding Support Function Binding Support Function (XStream) HTTP No 8.8 Network Low Low None Un-

changed
High High High 1.10.0
CVE-2019-13734 Oracle Communications Cloud Native Core Network Repository Function NRF (SQLite) HTTP Yes 8.8 Network Low None Required Un-

changed
High High High 1.14.0
CVE-2020-13936 Oracle Communications Cloud Native Core Policy Policy (Apache Velocity Engine) HTTP No 8.8 Network Low Low None Un-

changed
High High High 1.14.0
CVE-2020-15824 Oracle Communications Cloud Native Core Policy Policy (Kotlin) HTTP No 8.8 Network Low Low None Un-

changed
High High High 1.14.0
CVE-2020-10878 Oracle Communications EAGLE Application Processor Platform (Perl) HTTP Yes 8.6 Network Low None None Un-

changed
Low Low High 16.1-16.4
CVE-2021-39153 Oracle Communications Cloud Native Core Policy Signaling (XStream) HTTP No 8.5 Network High Low None Changed High High High 1.14.0
CVE-2020-36189 Oracle Communications Cloud Native Core Policy Policy (jackson-databind) HTTP Yes 8.1 Network High None None Un-

changed
High High High 1.14.0
CVE-2021-22118 Oracle Communications Cloud Native Core Binding Support Function Binding Support Function (Spring Framework) None No 7.8 Local Low Low None Un-

changed
High High High 1.9.0
CVE-2021-22118 Oracle Communications Cloud Native Core Policy Policy (Spring Framework) None No 7.8 Local Low Low None Un-

changed
High High High 1.14.0
CVE-2021-22118 Oracle Communications Cloud Native Core Security Edge Protection Proxy SEPP (Spring Framework) None No 7.8 Local Low Low None Un-

changed
High High High 1.6.0
CVE-2021-22118 Oracle Communications Cloud Native Core Service Communication Proxy SCP (Spring Framework) None No 7.8 Local Low Low None Un-

changed
High High High 1.14.0
CVE-2021-22118 Oracle Communications Cloud Native Core Unified Data Repository UDR (Spring Framework) None No 7.8 Local Low Low None Un-

changed
High High High 1.14.0
CVE-2021-33909 Oracle Communications Session Border Controller Core (Kernel) None No 7.8 Local Low Low None Un-

changed
High High High 8.2, 8.3, 8.4, 9.0
CVE-2022-21382 Oracle Enterprise Session Border Controller WebUI HTTP No 7.7 Network Low Low None Changed None High None 8.4, 9.0
CVE-2020-17527 Oracle Communications Cloud Native Core Binding Support Function Binding Support Function (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-

changed
High None None 1.10.0
CVE-2021-37137 Oracle Communications Cloud Native Core Binding Support Function Binding Support Function (Netty) TCP Yes 7.5 Network Low None None Un-

changed
None None High 1.10.0
CVE-2021-33560 Oracle Communications Cloud Native Core Network Function Cloud Native Environment Configuration (libgcrypt) TCP Yes 7.5 Network Low None None Un-

changed
High None None 1.9.0
CVE-2020-13949 Oracle Communications Cloud Native Core Policy Policy (Apache Thrift) HTTP Yes 7.5 Network Low None None Un-

changed
None None High 1.14.0
CVE-2020-17527 Oracle Communications Cloud Native Core Policy Policy (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-

changed
High None None 1.14.0
CVE-2021-28165 Oracle Communications Cloud Native Core Policy Policy (Eclipse Jetty) HTTP Yes 7.5 Network Low None None Un-

changed
None None High 1.14.0
CVE-2021-22119 Oracle Communications Cloud Native Core Policy Policy (Spring Security) HTTP Yes 7.5 Network Low None None Un-

changed
None None High 1.14.0
CVE-2020-28469 Oracle Communications Cloud Native Core Policy Policy (glob-parent) HTTP Yes 7.5 Network Low None None Un-

changed
None None High 1.14.0
CVE-2021-25122 Oracle Communications Cloud Native Core Security Edge Protection Proxy SEPP (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-

changed
High None None 1.6.0
CVE-2021-36090 Oracle Communications Cloud Native Core Service Communication Proxy SCP (Apache Commons Compress) HTTP Yes 7.5 Network Low None None Un-

changed
None None High 1.14.0
CVE-2021-36090 Oracle Communications Cloud Native Core Unified Data Repository UDR (Apache Commons Compress) HTTP Yes 7.5 Network Low None None Un-

changed
None None High 1.14.0
CVE-2021-37137 Oracle Communications Diameter Signaling Router API Gateway (Netty) HTTP Yes 7.5 Network Low None None Un-

changed
None None High 8.0.0.0-8.5.0.2
CVE-2021-42340 Oracle Communications Diameter Signaling Router Platform (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-

changed
None None High 8.0.0.0-8.5.0.2
CVE-2021-42340 Oracle SD-WAN Edge Management (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-

changed
None None High 9.0, 9.1
CVE-2021-23337 Oracle Communications Cloud Native Core Binding Support Function Binding Support Function (Lodash) HTTP No 7.2 Network Low High None Un-

changed
High High High 1.9.0
CVE-2022-21395 Oracle Communications Operations Monitor Mediation Engine HTTP No 7.2 Network Low High None Un-

changed
High High High 3.4, 4.2, 4.3, 4.4, 5.0
CVE-2021-23337 Oracle Communications Services Gatekeeper Policy service (Lodash) HTTP No 7.2 Network Low High None Un-

changed
High High High 7.0
CVE-2021-21703 Oracle Communications Diameter Signaling Router Platform (PHP) None No 7.0 Local High Low None Un-

changed
High High High 8.0.0.0-8.5.0.2
CVE-2021-44832 Oracle Communications Diameter Signaling Router Virtual Network Function Manager, API Gateway (Apache Log4j) HTTP No 6.6 Network High High None Un-

changed
High High High 8.3.0.0-8.5.1.0 See Note 1
CVE-2021-44832 Oracle Communications Interactive Session Recorder RSS (Apache Log4j) HTTP No 6.6 Network High High None Un-

changed
High High High 6.3, 6.4 See Note 1
CVE-2022-21399 Oracle Communications Operations Monitor Mediation Engine HTTP No 6.6 Network Low High None Changed Low Low Low 3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21401 Oracle Communications Operations Monitor Mediation Engine HTTP No 6.6 Network Low High None Changed Low Low Low 3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21403 Oracle Communications Operations Monitor Mediation Engine HTTP No 6.6 Network Low High None Changed Low Low Low 3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21381 Oracle Enterprise Session Border Controller WebUI HTTP No 6.4 Network Low Low None Changed Low Low None 8.4, 9.0
CVE-2020-11022 Oracle Communications EAGLE Application Processor Platform (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 16.1-16.4
CVE-2020-11022 Oracle Communications Services Gatekeeper API Portal (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 7.0
CVE-2021-21409 Oracle Communications Cloud Native Core Console Console (Netty) HTTP Yes 5.9 Network High None None Un-

changed
None High None 1.7.0
CVE-2020-14340 Oracle Communications Cloud Native Core Network Repository Function Network Repository Function (XNIO) HTTP Yes 5.9 Network High None None Un-

changed
None None High 1.14.0
CVE-2020-14340 Oracle Communications Cloud Native Core Security Edge Protection Proxy SEPP (XNIO) HTTP Yes 5.9 Network High None None Un-

changed
None None High 1.15.0
CVE-2021-33880 Oracle Communications Cloud Native Core Security Edge Protection Proxy SEPP (aaugustin websockets) HTTP Yes 5.9 Network High None None Un-

changed
High None None 1.5.0
CVE-2021-3326 Oracle Communications Cloud Native Core Security Edge Protection Proxy SEPP (glibc) HTTP Yes 5.9 Network High None None Un-

changed
None None High 1.5.0
CVE-2020-14340 Oracle Communications Cloud Native Core Service Communication Proxy SCP (XNIO) HTTP Yes 5.9 Network High None None Un-

changed
None None High 1.14.0
CVE-2021-33880 Oracle Communications Cloud Native Core Service Communication Proxy SCP (aaugustin websockets) HTTP Yes 5.9 Network High None None Un-

changed
High None None 1.14.0
CVE-2020-14340 Oracle Communications Cloud Native Core Unified Data Repository UDR (XNIO) HTTP Yes 5.9 Network High None None Un-

changed
None None High 1.14.0
CVE-2021-33880 Oracle Communications Cloud Native Core Unified Data Repository UDR (aaugustin websockets) HTTP Yes 5.9 Network High None None Un-

changed
High None None 1.14.0
CVE-2021-45105 Oracle Communications Service Broker Integration (Apache Log4j) HTTP Yes 5.9 Network High None None Un-

changed
None None High 6.2 See Note 1
CVE-2021-45105 Oracle Communications Services Gatekeeper API Portal (Apache Log4j) HTTP Yes 5.9 Network High None None Un-

changed
None None High 7.0 See Note 1
CVE-2021-45105 Oracle Communications WebRTC Session Controller Signaling Engine, Media Engine (Apache Log4j) HTTP Yes 5.9 Network High None None Un-

changed
None None High 7.2.0, 7.2.1 See Note 1
CVE-2021-3426 Oracle Communications Cloud Native Core Binding Support Function Binding Support Function (Python) Multiple No 5.7 Adjacent

Network
Low Low None Un-

changed
High None None 1.10.0
CVE-2021-23017 Oracle Communications Session Border Controller Routing (nginx) HTTP Yes 5.6 Network High None None Un-

changed
Low Low Low 8.4, 9.0
CVE-2021-23017 Oracle Enterprise Communications Broker Routing (nginx) HTTP Yes 5.6 Network High None None Un-

changed
Low Low Low 3.3
CVE-2021-23017 Oracle Enterprise Session Border Controller Routing (nginx) HTTP Yes 5.6 Network High None None Un-

changed
Low Low Low 8.4, 9.0
CVE-2020-27618 Oracle Communications Cloud Native Core Service Communication Proxy SCP (glibc) None No 5.5 Local Low Low None Un-

changed
None None High 1.14.0
CVE-2022-21246 Oracle Communications Operations Monitor Mediation Engine HTTP No 5.4 Network Low Low Required Changed Low Low None 3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21396 Oracle Communications Operations Monitor Mediation Engine HTTP No 5.4 Network Low Low Required Changed Low Low None 3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21397 Oracle Communications Operations Monitor Mediation Engine HTTP No 5.4 Network Low Low Required Changed Low Low None 3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21398 Oracle Communications Operations Monitor Mediation Engine HTTP No 5.4 Network Low Low Required Changed Low Low None 3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21400 Oracle Communications Operations Monitor Mediation Engine HTTP No 5.4 Network Low Low Required Changed Low Low None 3.4, 4.2, 4.3, 4.4, 5.0
CVE-2021-34429 Oracle Communications Cloud Native Core Binding Support Function Binding Support Function (Eclipse Jetty) TCP Yes 5.3 Network Low None None Unchanged Low None None 1.10.0
CVE-2021-34429 Oracle Communications Cloud Native Core Security Edge Protection Proxy SEPP (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Unchanged Low None None 1.5.0
CVE-2020-13956 Oracle Communications Cloud Native Core Service Communication Proxy SCP (Apache HttpClient) HTTP Yes 5.3 Network Low None None Unchanged None Low None 1.14.0
CVE-2021-33037 Oracle Communications Cloud Native Core Service Communication Proxy SCP (Apache Tomcat) HTTP Yes 5.3 Network Low None None Unchanged None Low None 1.14.0
CVE-2021-34429 Oracle Communications Cloud Native Core Service Communication Proxy SCP (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Unchanged Low None None 1.14.0
CVE-2020-29582 Oracle Communications Cloud Native Core Service Communication Proxy SCP (Kotlin) HTTP Yes 5.3 Network Low None None Unchanged Low None None 1.14.0
CVE-2021-34429 Oracle Communications Cloud Native Core Unified Data Repository UDR (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Unchanged Low None None 1.14.0
CVE-2021-34429 Oracle Communications Diameter Signaling Router API Gateway (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Unchanged Low None None 8.0.0.0-8.5.0.2
CVE-2021-21705 Oracle SD-WAN Aware Management (PHP) HTTP Yes 5.3 Network Low None None Unchanged None Low None 8.2
CVE-2020-8554 Oracle Communications Cloud Native Core Service Communication Proxy SCP (Kubernetes API) HTTP No 5.0 Network High Low None Unchanged Low Low Low 1.14.0
CVE-2020-8554 Oracle Communications Cloud Native Core Unified Data Repository UDR (Kubernetes API) HTTP No 5.0 Network High Low None Unchanged Low Low Low 1.14.0
CVE-2021-29921 Oracle Communications Cloud Native Core Automated Test Suite ATS Framework (Python) HTTP No 4.9 Network Low High None Unchanged None High None 1.8.0
CVE-2021-29425 Oracle Communications Cloud Native Core Network Repository Function NRF (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 1.14.0
CVE-2021-29425 Oracle Communications Cloud Native Core Unified Data Repository UDR (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 1.14.0
CVE-2022-21402 Oracle Communications Operations Monitor Mediation Engine HTTP No 4.8 Network Low High Required Changed Low Low None 3.4, 4.2, 4.3, 4.4, 5.0
CVE-2022-21383 Oracle Enterprise Session Border Controller Log HTTP No 4.3 Network Low Low None Unchanged None None Low 8.4, 9.0
CVE-2021-3448 Oracle Communications Cloud Native Core Network Function Cloud Native Environment Configuration (dnsmasq) TCP Yes 4.0 Network High None None Changed None Low None 1.9.0
CVE-2020-8908 Oracle Communications Cloud Native Core Unified Data Repository UDR (Guava) None No 3.3 Local Low Low None Unchanged Low None None 1.14.0

Notes:

  1. This patch also addresses vulnerabilities CVE-2021-44228 and CVE-2021-45046. Customers need not apply the patches/mitigations of Security Alert CVE-2021-44228 and CVE-2021-45046 for this product.

Additional CVEs addressed are:

  • The patch for CVE-2020-10878 also addresses CVE-2020-10543 and CVE-2020-12723.
  • The patch for CVE-2020-11022 also addresses CVE-2019-11358 and CVE-2020-11023.
  • The patch for CVE-2020-17527 also addresses CVE-2020-13934, CVE-2020-13935, CVE-2020-9484, CVE-2021-25122, CVE-2021-25329, CVE-2021-30369, CVE-2021-30640 and CVE-2021-33037.
  • The patch for CVE-2020-36189 also addresses CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187 and CVE-2020-36188.
  • The patch for CVE-2021-23337 also addresses CVE-2020-28500.
  • The patch for CVE-2021-25122 also addresses CVE-2021-25329.
  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
  • The patch for CVE-2021-37137 also addresses CVE-2021-37136.
  • The patch for CVE-2021-39139 also addresses CVE-2021-39140, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152, CVE-2021-39153 and CVE-2021-39154.
  • The patch for CVE-2021-39153 also addresses CVE-2021-39139, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152 and CVE-2021-39154.
  • The patch for CVE-2021-42340 also addresses CVE-2021-33037.
  • The patch for CVE-2021-44832 also addresses CVE-2021-45105.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Communications Cloud Native Core Network Repository Function
    • NRF (Apache Commons Compress): CVE-2021-36090, CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 22 new security patches for Oracle Construction and Engineering. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns: CVE#, Product, Component, Protocol, Remote Exploit without Auth.?, CVSS version 3.1 risk (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability; Supported Versions Affected, Notes
CVE-2021-44790 Instantis EnterpriseTrack Core (Apache HTTP Server) HTTP Yes 9.8 Network Low None None Unchanged High High High 17.1, 17.2, 17.3
CVE-2021-42575 Primavera Unifier Platform, Data Persistence (OWASP Java HTML Sanitizer) HTTP Yes 9.8 Network Low None None Unchanged High High High 17.7-17.12, 18.8, 19.12, 20.12, 21.12
CVE-2021-2351 Primavera Analytics ETL (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 18.8.3.3, 19.12.11.1, 20.12.12.0
CVE-2021-2351 Primavera Data Warehouse ETL (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 18.8.3.3, 19.12.11.1, 20.12.12.0
CVE-2021-2351 Primavera P6 Enterprise Project Portfolio Management Web Access (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 17.12.0.0-17.12.20.0, 18.8.0.0-18.8.24.0, 19.12.0.0-19.12.17.0, 20.12.0.0-20.12.9.0
CVE-2021-2351 Primavera P6 Professional Project Management API component of P6 Pro (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 17.12.0.0-17.12.20.0, 18.8.0.0-18.8.24.0, 19.12.0.0-19.12.17.0, 20.12.0.0-20.12.9.0
CVE-2021-2351 Primavera Unifier Platform, Data Access, Data Persistence (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 17.7-17.12, 18.8, 19.12, 20.12, 21.12
CVE-2021-37714 Primavera Unifier Platform, Data Parsing (jsoup) HTTP Yes 7.5 Network Low None None Unchanged None None High 20.12, 21.12
CVE-2021-44832 Primavera Gateway Admin (Apache Log4j) HTTP No 6.6 Network High High None Unchanged High High High 17.12.0-17.12.11, 18.8.0-18.8.13, 19.12.0-19.12.12, 20.12.0-20.12.7, 21.12.0 See Note 1
CVE-2021-44832 Primavera P6 Enterprise Project Portfolio Management Web Access (Apache Log4j) HTTP No 6.6 Network High High None Unchanged High High High 19.12.0.0-19.12.18.0, 20.12.0.0-20.12.12.0, 21.12.0.0 See Note 1
CVE-2021-44832 Primavera Unifier Logging (Apache Log4j) HTTP No 6.6 Network High High None Unchanged High High High 18.8, 19.12, 20.12, 21.12 See Note 1
CVE-2022-21269 Primavera Portfolio Management Web Access HTTP Yes 6.1 Network Low None Required Changed Low Low None 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0, 20.0.0.1
CVE-2021-45105 Instantis EnterpriseTrack Logging (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 17.1, 17.2, 17.3 See Note 1
CVE-2021-38153 Primavera Unifier Event Streams and Communications (Apache Kafka) HTTP Yes 5.9 Network High None None Unchanged High None None 18.8, 19.12, 20.12, 21.12
CVE-2022-21377 Primavera Portfolio Management Web API HTTP Yes 5.4 Network Low None Required Unchanged Low Low None 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0
CVE-2022-21242 Primavera Portfolio Management Web Access HTTP No 5.4 Network Low Low Required Changed Low Low None 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0, 20.0.0.1
CVE-2022-21376 Primavera Portfolio Management Web Access HTTP Yes 5.4 Network Low None Required Unchanged Low Low None 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0
CVE-2022-21281 Primavera Portfolio Management Web Access HTTP No 4.8 Network Low High Required Changed Low Low None 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0, 20.0.0.1
CVE-2021-29425 Primavera Unifier Platform (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 17.7-17.12, 18.8, 19.12, 20.12, 21.12
CVE-2022-21243 Primavera Portfolio Management Web Access HTTP No 4.3 Network Low Low None Unchanged None None Low 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0, 20.0.0.1
CVE-2022-21244 Primavera Portfolio Management Web Access HTTP Yes 4.3 Network Low None Required Unchanged None Low None 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0, 20.0.0.1
CVE-2020-8908 Primavera Unifier Data Service (Guava) None No 3.3 Local Low Low None Unchanged Low None None 17.7-17.12, 18.8, 19.12, 20.12, 21.12

Notes:

  1. This patch also addresses vulnerabilities CVE-2021-44228 and CVE-2021-45046. Customers need not apply the patches/mitigations of Security Alert CVE-2021-44228 and CVE-2021-45046 for this product.

Additional CVEs addressed are:

  • The patch for CVE-2021-44790 also addresses CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438, CVE-2021-41524, CVE-2021-41773, CVE-2021-42013 and CVE-2021-44224.
  • The patch for CVE-2021-44832 also addresses CVE-2021-45105.
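The Base Score column in each risk matrix is derived from the eight CVSS v3.1 metric columns that follow it (Attack Vector through Availability), so a practitioner triaging a Critical Patch Update can recompute it rather than take it on trust, and can pull the remote-unauthenticated rows to the top of the patch queue. The following is an added example, not Oracle tooling or part of the advisory: it implements the published CVSS v3.1 base-score formula, parses matrix rows written as single lines in the column order used above, and checks the listed score against the computed one. The sample rows are transcribed from the Construction and Engineering matrix above; the regular expression, the function names and the single-line row layout are this example's own assumptions.

```python
"""Recompute CVSS v3.1 base scores for Oracle risk-matrix rows and compare
them with the Base Score column.  Added example, not Oracle's tooling."""
import math
import re

# CVSS v3.1 metric weights, as published by FIRST (specification, section 7.4).
AV = {"Network": 0.85, "Adjacent Network": 0.62, "Local": 0.55, "Physical": 0.20}
AC = {"Low": 0.77, "High": 0.44}
PR_UNCHANGED = {"None": 0.85, "Low": 0.62, "High": 0.27}
PR_CHANGED = {"None": 0.85, "Low": 0.68, "High": 0.50}
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}


def roundup(value):
    """CVSS v3.1 Roundup(): smallest one-decimal number >= value, done on
    integers so that float noise (e.g. 4.0000001) cannot bump the score."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a):
    """Base score from the eight metric values exactly as printed in the matrix."""
    changed = scope == "Changed"
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    # Privileges Required is weighted differently when scope changes.
    pr_weight = (PR_CHANGED if changed else PR_UNCHANGED)[pr]
    exploitability = 8.22 * AV[av] * AC[ac] * pr_weight * UI[ui]
    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10.0))
    return roundup(min(impact + exploitability, 10.0))


# Assumed row layout: the matrix columns in order, separated by spaces.  The
# Product/Component/Protocol text is captured as one blob because the fixed
# vocabulary of the later columns anchors the match.
ROW = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+)\s+(?P<product>.+?)\s+(?P<remote>Yes|No)\s+"
    r"(?P<score>\d+\.\d)\s+(?P<av>Network|Adjacent Network|Local|Physical)\s+"
    r"(?P<ac>Low|High)\s+(?P<pr>None|Low|High)\s+(?P<ui>None|Required)\s+"
    r"(?P<scope>Unchanged|Changed)\s+(?P<c>None|Low|High)\s+"
    r"(?P<i>None|Low|High)\s+(?P<a>None|Low|High)\s+(?P<versions>.+)$"
)


def parse_row(line):
    m = ROW.match(line.strip())
    if not m:
        raise ValueError("unrecognised risk-matrix row: " + line)
    return m.groupdict()


def check_rows(lines):
    """Return (cve, listed_score, computed_score, remote_unauth) per row.
    A mismatch means the printed score and metrics disagree; remote_unauth
    rows are the ones to patch first."""
    results = []
    for line in lines:
        r = parse_row(line)
        computed = base_score(r["av"], r["ac"], r["pr"], r["ui"],
                              r["scope"], r["c"], r["i"], r["a"])
        results.append((r["cve"], float(r["score"]), computed, r["remote"] == "Yes"))
    return results


# Rows transcribed from the Construction and Engineering matrix above.
SAMPLE_ROWS = [
    "CVE-2021-44790 Instantis EnterpriseTrack Core (Apache HTTP Server) HTTP Yes 9.8 Network Low None None Unchanged High High High 17.1, 17.2, 17.3",
    "CVE-2021-2351 Primavera Analytics ETL (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 18.8.3.3, 19.12.11.1, 20.12.12.0",
    "CVE-2022-21269 Primavera Portfolio Management Web Access HTTP Yes 6.1 Network Low None Required Changed Low Low None 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0, 20.0.0.1",
    "CVE-2021-45105 Instantis EnterpriseTrack Logging (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 17.1, 17.2, 17.3 See Note 1",
    "CVE-2022-21281 Primavera Portfolio Management Web Access HTTP No 4.8 Network Low High Required Changed Low Low None 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0, 20.0.0.1",
    "CVE-2020-8908 Primavera Unifier Data Service (Guava) None No 3.3 Local Low Low None Unchanged Low None None 17.7-17.12, 18.8, 19.12, 20.12, 21.12",
]

if __name__ == "__main__":
    for cve, listed, computed, remote in check_rows(SAMPLE_ROWS):
        flag = "OK      " if listed == computed else "MISMATCH"
        print(f"{flag} {cve}: listed {listed}, computed {computed}, remote-unauth={remote}")
```

The Changed-scope rows (CVE-2021-2351 at 8.3, CVE-2022-21269 at 6.1) exercise the 1.08 multiplier and the Roundup rule, which is where hand calculations usually go wrong; the computed scores agree with the advisory for all six rows.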

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle E-Business Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the January 2022 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (January 2022), My Oracle Support Note 2484000.1.

Columns: CVE#, Product, Component, Protocol, Remote Exploit without Auth.?, CVSS version 3.1 risk (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability; Supported Versions Affected, Notes
CVE-2022-21255 Oracle Configurator UI Servlet HTTP No 8.1 Network Low Low None Unchanged High High None 12.2.3-12.2.11
CVE-2022-21273 Oracle Project Costing Expenses, Currency Override HTTP No 8.1 Network Low Low None Unchanged High High None 12.2.3-12.2.11
CVE-2022-21274 Oracle Sourcing Intelligence, RFx Creation HTTP No 8.1 Network Low Low None Unchanged High High None 12.2.3-12.2.11
CVE-2022-21250 Oracle Trade Management GL Accounts HTTP No 8.1 Network Low Low None Unchanged High High None 12.2.3-12.2.11
CVE-2022-21251 Oracle Installed Base Instance Main HTTP Yes 7.5 Network Low None None Unchanged None None High 12.2.3-12.2.11
CVE-2019-10086 Oracle Time and Labor Timecard (Apache Commons Beanutils) HTTP Yes 7.3 Network Low None None Unchanged Low Low Low 12.2.6-12.2.11
CVE-2020-6950 Oracle Time and Labor Timecard (Eclipse Mojarra) HTTP Yes 6.5 Network Low None Required Unchanged High None None 12.2.6-12.2.11
CVE-2022-21354 Oracle iStore User Interface HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.3-12.2.11
CVE-2022-21373 Oracle Partner Management Reseller Locator HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.3-12.2.11

Additional CVEs addressed are:

  • The patch for CVE-2020-6950 also addresses CVE-2019-17091.

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Enterprise Manager. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the January 2022 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2022 Patch Availability Document for Oracle Products, My Oracle Support Note 2817011.1.

Columns: CVE#, Product, Component, Protocol, Remote Exploit without Auth.?, CVSS version 3.1 risk (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability; Supported Versions Affected, Notes
CVE-2021-3177 Enterprise Manager Ops Center Networking (Python) HTTP Yes 9.8 Network Low None None Unchanged High High High 12.4.0.0
CVE-2021-2351 Application Performance Management End User Experience Management (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 13.4.1.0, 13.5.1.0
CVE-2021-2351 Enterprise Manager Base Platform Enterprise Manager Install (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 13.4.0.0, 13.5.0.0
CVE-2021-2351 Enterprise Manager Ops Center Networking (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 12.4.0.0
CVE-2021-2351 Oracle Application Testing Suite Load Testing for Web Apps (JDBC, OCCI) Oracle Net Yes 8.3 Network High None Required Changed High High High 13.3.0.1
CVE-2021-2351 Oracle Real User Experience Insight End User Experience Management (OCCI) Oracle Net Yes 8.3 Network High None Required Changed High High High 13.4.1.0, 13.5.1.0
CVE-2022-21392 Enterprise Manager Base Platform Policy Framework HTTP No 7.1 Network Low Low None Unchanged High Low None 13.4.0.0, 13.5.0.0

Additional CVEs addressed are:

  • The patch for CVE-2021-3177 also addresses CVE-2021-23336.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 48 new security patches for Oracle Financial Services Applications. 37 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns: CVE#, Product, Component, Protocol, Remote Exploit without Auth.?, CVSS version 3.1 risk (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability; Supported Versions Affected, Notes
CVE-2019-17495 Oracle Banking APIs Framework (Swagger UI) HTTP Yes 9.8 Network Low None None Unchanged High High High 18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2019-17495 Oracle Banking Digital Experience Framework (Swagger UI) HTTP Yes 9.8 Network Low None None Unchanged High High High 18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2020-13936 Oracle Banking Deposits and Lines of Credit Servicing Web UI (Apache Velocity Engine) HTTP No 8.8 Network Low Low None Unchanged High High High 2.12.0
CVE-2020-13936 Oracle Banking Enterprise Default Management Collections (Apache Velocity Engine) HTTP No 8.8 Network Low Low None Unchanged High High High 2.3.0-2.4.1, 2.6.2, 2.7.1, 2.10.0, 2.12.0
CVE-2020-13936 Oracle Banking Loans Servicing Web UI (Apache Velocity Engine) HTTP No 8.8 Network Low Low None Unchanged High High High 2.12.0
CVE-2020-13936 Oracle Banking Party Management Web UI (Apache Velocity Engine) HTTP No 8.8 Network Low Low None Unchanged High High High 2.7.0
CVE-2020-13936 Oracle Banking Platform Security (Apache Velocity Engine) HTTP No 8.8 Network Low Low None Unchanged High High High 2.3.0-2.4.1, 2.6.2, 2.7.1
CVE-2021-2351 Oracle Banking APIs Framework (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-2351 Oracle Banking Digital Experience Framework (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 17.2, 18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-2351 Oracle Financial Services Analytical Applications Infrastructure Rate Management (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 8.0.7-8.1.1
CVE-2021-2351 Oracle Financial Services Behavior Detection Platform Third Party (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 8.0.7, 8.0.8, 8.1.1
CVE-2021-2351 Oracle Financial Services Enterprise Case Management Installers (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 8.0.7, 8.0.8, 8.1.1
CVE-2021-2351 Oracle Financial Services Foreign Account Tax Compliance Act Management Installation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 8.0.7, 8.0.8, 8.1.1
CVE-2021-2351 Oracle Financial Services Model Management and Governance Installer & Configuration (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 8.0.8-8.1.1
CVE-2021-2351 Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition User Interface (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 8.0.7, 8.0.8
CVE-2021-2351 Oracle FLEXCUBE Investor Servicing Infrastructure Code (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.4.0, 14.5.0
CVE-2021-2351 Oracle FLEXCUBE Private Banking Miscellaneous (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 12.0.0, 12.1.0
CVE-2020-11987 Oracle Banking APIs Framework (Apache Batik) HTTP Yes 8.2 Network Low None None Unchanged High Low None 18.3, 19.1, 19.2, 20.1, 21.1
CVE-2020-11987 Oracle Banking Digital Experience Framework (Apache Batik) HTTP Yes 8.2 Network Low None None Unchanged High Low None 18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-22118 Oracle Financial Services Analytical Applications Infrastructure Others (Spring Framework) None No 7.8 Local Low Low None Unchanged High High High 8.0.8-8.1.1
CVE-2021-36090 Oracle Banking APIs Framework (Apache Commons Compress) HTTP Yes 7.5 Network Low None None Unchanged None None High 18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2020-25649 Oracle Banking APIs Framework (jackson-databind) HTTP Yes 7.5 Network Low None None Unchanged None High None 18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-37137 Oracle Banking APIs Framework (Netty) Multiple Yes 7.5 Network Low None None Unchanged None None High 18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-36090 Oracle Banking Digital Experience Framework (Apache Commons Compress) HTTP Yes 7.5 Network Low None None Unchanged None None High 18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-37137 Oracle Banking Digital Experience Framework (Netty) Multiple Yes 7.5 Network Low None None Unchanged None None High 18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-36090 Oracle Banking Enterprise Default Management Collections (Apache Commons Compress) HTTP Yes 7.5 Network Low None None Unchanged None None High 2.7.0
CVE-2021-36090 Oracle Banking Party Management Web UI (Apache Commons Compress) HTTP Yes 7.5 Network Low None None Unchanged None None High 2.7.0
CVE-2021-35043 Oracle Banking Enterprise Default Management Collections (AntiSamy) HTTP Yes 6.1 Network Low None Required Changed Low Low None 2.7.0
CVE-2020-9281 Oracle Banking Enterprise Default Management Collections (CKEditor) HTTP Yes 6.1 Network Low None Required Changed Low Low None 2.7.0
CVE-2021-35043 Oracle Banking Party Management Web UI (AntiSamy) HTTP Yes 6.1 Network Low None Required Changed Low Low None 2.7.0
CVE-2021-35043 Oracle Banking Platform SECURITY (AntiSamy) HTTP Yes 6.1 Network Low None Required Changed Low Low None 2.7.0
CVE-2021-45105 Oracle Financial Services Analytical Applications Infrastructure Others (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 8.0.7-8.1.1 See Note 1
CVE-2021-45105 Oracle Financial Services Model Management and Governance Installer & Configuration (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 8.0.8, 8.1.0, 8.1.1 See Note 1
CVE-2021-41165 Oracle Banking APIs Framework (CKEditor) HTTP No 5.4 Network Low Low Required Changed Low Low None 18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-41165 Oracle Banking Digital Experience Framework (CKEditor) HTTP No 5.4 Network Low Low Required Changed Low Low None 18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-37695 Oracle Banking Party Management Web UI (CKEditor) HTTP No 5.4 Network Low Low Required Changed Low Low None 2.7.0
CVE-2021-37695 Oracle Financial Services Analytical Applications Infrastructure Others (CKEditor) HTTP No 5.4 Network Low Low Required Changed Low Low None 8.0.7-8.1.1
CVE-2021-28164 Oracle Banking APIs Framework (Apache Ignite) HTTP Yes 5.3 Network Low None None Unchanged Low None None 20.1, 21.1
CVE-2021-28164 Oracle Banking Digital Experience Framework (Apache Ignite) HTTP Yes 5.3 Network Low None None Unchanged Low None None 20.1, 21.1
CVE-2021-35687 Oracle Financial Services Analytical Applications Infrastructure Unified Metadata Manager HTTP Yes 5.3 Network Low None None Unchanged Low None None 8.0.7-8.1.1
CVE-2021-29425 Oracle Banking APIs Framework (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-29425 Oracle Banking Digital Experience Framework (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 17.2, 18.1-18.3, 19.1, 19.2, 20.1, 21.1
CVE-2021-29425 Oracle Banking Enterprise Default Management Collections (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 2.3.0-2.4.1, 2.6.2, 2.7.1, 2.10.0, 2.12.0
CVE-2021-29425 Oracle Banking Party Management Web UI (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 2.7.0
CVE-2021-29425 Oracle Banking Platform Security (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 2.3.0-2.4.1, 2.6.2, 2.7.1
CVE-2021-29425 Oracle Financial Services Analytical Applications Infrastructure Others (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 8.0.7-8.1.1
CVE-2021-29425 Oracle Financial Services Model Management and Governance Installer & Configuration (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 8.0.8, 8.1.0, 8.1.1
CVE-2021-35686 Oracle Financial Services Analytical Applications Infrastructure Unified Metadata Manager HTTP No 4.3 Network Low Low None Unchanged Low None None 8.0.7-8.1.1

Notes:

  1. This patch also addresses vulnerabilities CVE-2021-44228 and CVE-2021-45046. Customers need not apply the patches/mitigations of Security Alert CVE-2021-44228 and CVE-2021-45046 for this product.

Additional CVEs addressed are:

  • The patch for CVE-2021-28164 also addresses CVE-2021-28163.
  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
  • The patch for CVE-2021-37137 also addresses CVE-2021-37136.
  • The patch for CVE-2021-37695 also addresses CVE-2021-32808 and CVE-2021-32809.
  • The patch for CVE-2021-41165 also addresses CVE-2021-41164.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Food and Beverage Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns: CVE#, Product, Component, Protocol, Remote Exploit without Auth.?, CVSS version 3.1 risk (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability; Supported Versions Affected, Notes
CVE-2019-10086 Oracle Hospitality Reporting and Analytics Reporting (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Unchanged Low Low Low 9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 39 new security patches for Oracle Fusion Middleware. 35 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update January 2022 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2022 Patch Availability Document for Oracle Products, My Oracle Support Note 2817011.1.

Columns: CVE#, Product, Component, Protocol, Remote Exploit without Auth.?, CVSS version 3.1 risk (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability; Supported Versions Affected, Notes
CVE-2021-35587 Oracle Access Manager OpenSSO Agent HTTP Yes 9.8 Network Low None None Unchanged High High High 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-17530 Oracle Business Intelligence Enterprise Edition Installation (Apache Struts2) HTTP Yes 9.8 Network Low None None Unchanged High High High 12.2.1.3.0, 12.2.1.4.0
CVE-2022-21306 Oracle WebLogic Server Core T3 Yes 9.8 Network Low None None Unchanged High High High 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2021-40438 Oracle HTTP Server OSSL Module (Apache HTTP Server) HTTP Yes 9.0 Network High None None Changed High High High 12.2.1.3.0, 12.2.1.4.0, 12.2.1.5.0
CVE-2021-39154 Oracle Business Activity Monitoring Centralized Thirdparty Jars (XStream) HTTP No 8.5 Network High Low None Changed High High High 12.2.1.4.0, 12.2.1.5.0
CVE-2021-2351 Oracle Data Integrator Runtime Java agent for ODI (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 12.2.1.3.0, 12.2.1.4.0
CVE-2021-2351 Oracle Enterprise Data Quality General (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 12.2.1.3.0, 12.2.1.4.0
CVE-2021-2351 Oracle Fusion Middleware Centralized Third-party Jars (JDBC, OCCI, ODP for .NET) Oracle Net Yes 8.3 Network High None Required Changed High High High 12.2.1.3.0, 12.2.1.4.0
CVE-2022-21346 Oracle BI Publisher BI Publisher Security HTTP Yes 7.5 Network Low None None Unchanged High None None 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-17566 Oracle Business Intelligence Enterprise Edition Analytics Web Answers (Apache Batik) HTTP Yes 7.5 Network Low None None Unchanged None High None 5.5.0.0.0, 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2021-36090 Oracle Business Process Management Suite Installer (Apache Commons Compress) HTTP Yes 7.5 Network Low None None Unchanged None None High 12.2.1.3.0, 12.2.1.4.0
CVE-2021-4104 Oracle WebLogic Server Centralized Thirdparty Jars (Apache Log4j) HTTP No 7.5 Network High Low None Unchanged High High High 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21292 Oracle WebLogic Server Samples HTTP Yes 7.5 Network Low None None Unchanged High None None 12.2.1.4.0, 14.1.1.0.0
CVE-2020-5258 Oracle WebLogic Server Samples (dojo) HTTP Yes 7.5 Network Low None None Unchanged None High None 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21371 Oracle WebLogic Server Web Container HTTP Yes 7.5 Network Low None None Unchanged High None None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2021-27568 Oracle WebLogic Server Web Services (json-smart) HTTP Yes 7.5 Network Low None None Unchanged None None High 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2021-44832 Oracle WebLogic Server Centralized Thirdparty Jars (Apache Log4j) HTTP No 6.6 Network High High None Unchanged High High High 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 See Note 1
CVE-2022-21252 Oracle WebLogic Server Samples HTTP Yes 6.5 Network Low None None Unchanged Low Low None 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21347 Oracle WebLogic Server Core T3 Yes 6.5 Network Low None None Unchanged None Low Low 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21350 Oracle WebLogic Server Core T3 Yes 6.5 Network Low None None Unchanged None Low Low 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21353 Oracle WebLogic Server Core T3 Yes 6.5 Network Low None None Unchanged None Low Low 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-2934 Oracle WebLogic Server Datasource (MySQL Connector) SQL Yes 6.3 Network Low None Required Unchanged Low Low Low 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21361 Oracle WebLogic Server Sample apps HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.4.0, 14.1.1.0.0
CVE-2020-11023 Oracle WebLogic Server Sample apps (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21257 Oracle WebLogic Server Samples HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21258 Oracle WebLogic Server Samples HTTP Yes 6.1 Network Low None Required Changed Low Low None 14.1.1.0.0
CVE-2022-21259 Oracle WebLogic Server Samples HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21260 Oracle WebLogic Server Samples HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21261 Oracle WebLogic Server Samples HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21262 Oracle WebLogic Server Samples HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.4.0, 14.1.1.0.0
CVE-2022-21386 Oracle WebLogic Server Web Container HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2019-10219 Oracle WebLogic Server Web Services (JBoss Enterprise Application Platform) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2021-45105 Oracle Business Intelligence Enterprise Edition Analytics Server (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 5.5.0.0.0 See Note 1
CVE-2021-45105 Oracle Managed File Transfer MFT Runtime Server (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 12.2.1.3.0, 12.2.1.4.0 See Note 1
CVE-2021-45105 Oracle WebCenter Portal Security Framework (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 12.2.1.3.0, 12.2.1.4.0 See Note 1
CVE-2018-1324 Oracle WebLogic Server WLST (Apache Commons Compress) None No 5.5 Local Low None Required Unchanged None None High 14.1.1.0.0
CVE-2020-13956 Oracle WebLogic Server Samples (Apache HttpClient) HTTP Yes 5.3 Network Low None None Unchanged None Low None 12.2.1.4.0, 14.1.1.0.0
CVE-2021-29425 Oracle Fusion Middleware MapViewer Install (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 12.2.1.4.0
CVE-2021-29425 Oracle WebLogic Server Third Party Tools (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

Notes:

  1. This patch also addresses vulnerabilities CVE-2021-44228 and CVE-2021-45046. Customers need not apply the patches/mitigations of Security Alert CVE-2021-44228 and CVE-2021-45046 for this product.

Additional CVEs addressed are:

  • The patch for CVE-2018-1324 also addresses CVE-2018-11771.
  • The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022.
  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
  • The patch for CVE-2021-39154 also addresses CVE-2021-29505, CVE-2021-39139, CVE-2021-39140, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152 and CVE-2021-39153.
  • The patch for CVE-2021-44832 also addresses CVE-2021-45105.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Health Sciences Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confidentiality Integrity Availability
CVE-2021-2351 Oracle Argus Analytics Schema Creation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 8.2.1, 8.2.2, 8.2.3
CVE-2021-2351 Oracle Argus Insight Schema Creation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 8.2.1, 8.2.2, 8.2.3
CVE-2021-2351 Oracle Argus Mart Schema Creation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 8.2.1, 8.2.2, 8.2.3
CVE-2021-2351 Oracle Argus Safety Schema Creation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 8.2.1, 8.2.2, 8.2.3
CVE-2021-2351 Oracle Clinical Schema Creation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 5.2.1, 5.2.2
CVE-2021-2351 Oracle Health Sciences Clinical Development Analytics Installation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 4.0.1
CVE-2021-2351 Oracle Health Sciences InForm CRF Submit Installation and Configuration (JDBC, ODP for .NET) Oracle Net Yes 8.3 Network High None Required Changed High High High 6.2.1
CVE-2021-2351 Oracle Thesaurus Management System Report Generation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 5.2.3, 5.3.0, 5.3.1

Oracle HealthCare Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle HealthCare Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confidentiality Integrity Availability
CVE-2021-2351 Oracle Health Sciences Information Manager Health Policy Engine (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 3.0.2, 3.0.3
CVE-2021-2351 Oracle Healthcare Data Repository Installation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 7.0.2, 8.1.0, 8.1.1
CVE-2021-2351 Oracle Healthcare Foundation Installation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 7.3.0.0-7.3.0.2, 8.0.0-8.0.2, 8.1.0-8.1.1
CVE-2021-2351 Oracle Healthcare Translational Research Installation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 4.1.0

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Hospitality Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confidentiality Integrity Availability
CVE-2021-2351 Oracle Hospitality OPERA 5 Integrations (JDBC, ODP for .NET) Oracle Net Yes 8.3 Network High None Required Changed High High High 5.6
CVE-2021-2351 Oracle Hospitality Suite8 Rest API (ODP for .NET) Oracle Net Yes 8.3 Network High None Required Changed High High High 8.10.2, 8.11.0, 8.12.0, 8.13.0, 8.14.0
CVE-2021-42340 Oracle Hospitality Cruise Shipboard Property Management System Next-Gen SPMS (Apache Tomcat) HTTP Yes 7.5 Network Low None None Unchanged None None High 20.1.0

Additional CVEs addressed are:

  • The patch for CVE-2021-42340 also addresses CVE-2021-30640 and CVE-2021-33037.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Hyperion. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confidentiality Integrity Availability
CVE-2021-2351 Oracle Hyperion Infrastructure Technology Installation and Configuration (JDBC, OCCI, ODP for .NET) Oracle Net Yes 8.3 Network High None Required Changed High High High 11.2.7.0

Oracle iLearning Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confidentiality Integrity Availability
CVE-2021-2351 Oracle iLearning Installation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 6.2, 6.3

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Insurance Applications. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confidentiality Integrity Availability
CVE-2020-10683 Oracle Insurance Policy Administration J2EE Architecture (dom4j) HTTP Yes 9.8 Network Low None None Unchanged High High High 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0
CVE-2020-10683 Oracle Insurance Rules Palette Architecture (dom4j) HTTP Yes 9.8 Network Low None None Unchanged High High High 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0
CVE-2021-2351 Oracle Insurance Data Gateway Security (JDBC) HTTP Yes 8.3 Network High None Required Changed High High High 11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1
CVE-2021-2351 Oracle Insurance Insbridge Rating and Underwriting Framework Administrator IBFA (JDBC, ODP for .NET) Oracle Net Yes 8.3 Network High None Required Changed High High High 5.2.0, 5.4.0-5.6.0
CVE-2021-2351 Oracle Insurance Policy Administration Architecture (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1
CVE-2021-2351 Oracle Insurance Rules Palette Architecture (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1
CVE-2021-22118 Oracle Insurance Rules Palette Architecture (Spring Framework) None No 7.8 Local Low Low None Unchanged High High High 11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1

Oracle Java SE Risk Matrix

This Critical Patch Update contains 18 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confidentiality Integrity Availability
CVE-2021-22959 Oracle GraalVM Enterprise Edition Node (Node.js) HTTP Yes 6.5 Network Low None None Unchanged Low Low None Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0
CVE-2022-21349 Oracle Java SE, Oracle GraalVM Enterprise Edition 2D Multiple Yes 5.3 Network Low None None Unchanged None None Low Oracle Java SE: 7u321, 8u311; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21291 Oracle Java SE, Oracle GraalVM Enterprise Edition Hotspot Multiple Yes 5.3 Network Low None None Unchanged None Low None Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21305 Oracle Java SE, Oracle GraalVM Enterprise Edition Hotspot Multiple Yes 5.3 Network Low None None Unchanged None Low None Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21277 Oracle Java SE, Oracle GraalVM Enterprise Edition ImageIO Multiple Yes 5.3 Network Low None None Unchanged None None Low Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21360 Oracle Java SE, Oracle GraalVM Enterprise Edition ImageIO Multiple Yes 5.3 Network Low None None Unchanged None None Low Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21365 Oracle Java SE, Oracle GraalVM Enterprise Edition ImageIO Multiple Yes 5.3 Network Low None None Unchanged None None Low Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21366 Oracle Java SE, Oracle GraalVM Enterprise Edition ImageIO Multiple Yes 5.3 Network Low None None Unchanged None None Low Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21282 Oracle Java SE, Oracle GraalVM Enterprise Edition JAXP Multiple Yes 5.3 Network Low None None Unchanged Low None None Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21296 Oracle Java SE, Oracle GraalVM Enterprise Edition JAXP Multiple Yes 5.3 Network Low None None Unchanged Low None None Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21299 Oracle Java SE, Oracle GraalVM Enterprise Edition JAXP Multiple Yes 5.3 Network Low None None Unchanged None None Low Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21271 Oracle Java SE, Oracle GraalVM Enterprise Edition Libraries Multiple Yes 5.3 Network Low None None Unchanged None None Low Oracle Java SE: 7u321, 8u311, 11.0.13; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21283 Oracle Java SE, Oracle GraalVM Enterprise Edition Libraries Multiple Yes 5.3 Network Low None None Unchanged None None Low Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21293 Oracle Java SE, Oracle GraalVM Enterprise Edition Libraries Multiple Yes 5.3 Network Low None None Unchanged None None Low Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21294 Oracle Java SE, Oracle GraalVM Enterprise Edition Libraries Multiple Yes 5.3 Network Low None None Unchanged None None Low Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21340 Oracle Java SE, Oracle GraalVM Enterprise Edition Libraries Multiple Yes 5.3 Network Low None None Unchanged None None Low Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21341 Oracle Java SE, Oracle GraalVM Enterprise Edition Serialization Multiple Yes 5.3 Network Low None None Unchanged None None Low Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1
CVE-2022-21248 Oracle Java SE, Oracle GraalVM Enterprise Edition Serialization Multiple Yes 3.7 Network High None None Unchanged None Low None Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4, 21.3.0 See Note 1

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Additional CVEs addressed are:

  • The patch for CVE-2021-22959 also addresses CVE-2021-22960.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle JD Edwards. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confidentiality Integrity Availability
CVE-2021-23337 JD Edwards EnterpriseOne Tools E1 Dev Platform Tech – Cloud (Lodash) HTTP No 7.2 Network Low High None Unchanged High High High Prior to 9.2.6.1

Additional CVEs addressed are:

  • The patch for CVE-2021-23337 also addresses CVE-2020-28500.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 78 new security patches for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confidentiality Integrity Availability
CVE-2021-22946 MySQL Server Server: Compiling (cURL) Multiple Yes 7.5 Network Low None None Unchanged High None None 5.7.36 and prior, 8.0.27 and prior
CVE-2021-3712 MySQL Connectors Connector/C++ (OpenSSL) MySQL Protocol Yes 7.4 Network High None None Unchanged High None High 8.0.27 and prior
CVE-2021-3712 MySQL Connectors Connector/ODBC (OpenSSL) MySQL Protocol Yes 7.4 Network High None None Unchanged High None High 8.0.27 and prior
CVE-2022-21278 MySQL Server Server: Optimizer MySQL Protocol No 7.1 Network Low Low None Unchanged None Low High 8.0.26 and prior
CVE-2022-21351 MySQL Server Server: Optimizer MySQL Protocol No 7.1 Network Low Low None Unchanged None Low High 8.0.27 and prior
CVE-2022-21363 MySQL Connectors Connector/J MySQL Protocol No 6.6 Network High High None Unchanged High High High 8.0.27 and prior
CVE-2022-21358 MySQL Server Server: Security: Encryption MySQL Protocol No 6.5 Network Low Low None Unchanged None None High 8.0.27 and prior
CVE-2021-3634 MySQL Workbench Workbench: libssh MySQL Workbench No 6.5 Network Low Low None Unchanged None None High 8.0.27 and prior
CVE-2022-21279 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21280 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21284 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21285 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21286 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21287 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21288 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21289 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21290 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 8.0.27 and prior
CVE-2022-21307 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21308 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 8.0.27 and prior
CVE-2022-21309 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21310 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21314 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21315 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21316 MySQL Cluster Cluster: General Multiple No 6.3 Local High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21318 MySQL Cluster Cluster: General Multiple No 6.3 Local High High Required Unchanged High High High 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21320 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 8.0.27 and prior
CVE-2022-21322 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 8.0.27 and prior
CVE-2022-21326 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21327 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21328 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21329 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21330 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21332 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21334 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 8.0.27 and prior
CVE-2022-21335 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21336 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21337 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21356 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21380 MySQL Cluster Cluster: General Multiple No 6.3 Adjacent Network High High Required Unchanged High High High 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21352 MySQL Server InnoDB MySQL Protocol No 5.9 Network High High None Unchanged None High High 8.0.26 and prior
CVE-2022-21367 MySQL Server Server: Compiling MySQL Protocol No 5.5 Network Low High None Unchanged None Low High 5.7.36 and prior, 8.0.27 and prior
CVE-2022-21301 MySQL Server Server: DML MySQL Protocol No 5.5 Network Low High None Unchanged None Low High 8.0.27 and prior
CVE-2022-21378 MySQL Server Server: Optimizer MySQL Protocol No 5.5 Network Low High None Unchanged None Low High 8.0.27 and prior
CVE-2022-21302 MySQL Server InnoDB MySQL Protocol No 5.3 Network High Low None Unchanged None None High 8.0.27 and prior
CVE-2022-21254 MySQL Server Server: Optimizer MySQL Protocol No 5.3 Network High Low None Unchanged None None High 8.0.27 and prior
CVE-2022-21348 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.27 and prior
CVE-2022-21270 MySQL Server Server: Federated MySQL Protocol No 4.9 Network Low High None Unchanged None None High 5.7.36 and prior, 8.0.27 and prior
CVE-2022-21256 MySQL Server Server: Group Replication Plugin MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.27 and prior
CVE-2022-21379 MySQL Server Server: Group Replication Plugin MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.27 and prior
CVE-2022-21362 MySQL Server Server: Information Schema MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.27 and prior
CVE-2022-21374 MySQL Server Server: Information Schema MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.27 and prior
CVE-2022-21253 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.27 and prior
CVE-2022-21264 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.27 and prior
CVE-2022-21297 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.26 and prior
CVE-2022-21339 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.27 and prior
CVE-2022-21342 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.27 and prior
CVE-2022-21370 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Unchanged None None High 8.0.27 and prior
CVE-2022-21304 MySQL Server Server: Parser MySQL Protocol No 4.9 Network Low High None Unchanged None None High 5.7.36 and prior, 8.0.27 and prior
CVE-2022-21344 MySQL Server Server: Replication MySQL Protocol No 4.9 Network Low High None Unchanged None None High 5.7.36 and prior, 8.0.27 and prior
CVE-2022-21303 MySQL Server Server: Stored Procedure MySQL Protocol No 4.9 Network Low High None Unchanged None None High 5.7.36 and prior, 8.0.27 and prior
CVE-2022-21368 MySQL Server Server: Components Services MySQL Protocol No 4.7 Network Low High None Unchanged Low Low Low 8.0.27 and prior
CVE-2022-21245 MySQL Server Server: Security: Privileges MySQL Protocol No 4.3 Network Low Low None Unchanged None Low None 5.7.36 and prior, 8.0.27 and prior
CVE-2022-21265 MySQL Server Server: Optimizer MySQL Protocol No 3.8 Network Low High None Unchanged None Low Low 8.0.27 and prior
CVE-2022-21311 MySQL Cluster Cluster: General Multiple No 2.9 Adjacent Network High High Required Unchanged Low None Low 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21312 MySQL Cluster Cluster: General Multiple No 2.9 Adjacent Network High High Required Unchanged Low None Low 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21313 MySQL Cluster Cluster: General Multiple No 2.9 Adjacent Network High High Required Unchanged Low None Low 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21317 MySQL Cluster Cluster: General Multiple No 2.9 Adjacent Network High High Required Unchanged Low None Low 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21319 MySQL Cluster Cluster: General Multiple No 2.9 Adjacent Network High High Required Unchanged Low None Low 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21321 MySQL Cluster Cluster: General Multiple No 2.9 Adjacent Network High High Required Unchanged Low None Low 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21323 MySQL Cluster Cluster: General Multiple No 2.9 Adjacent Network High High Required Unchanged Low None Low 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21324 MySQL Cluster Cluster: General Multiple No 2.9 Adjacent Network High High Required Unchanged Low None Low 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21325 MySQL Cluster Cluster: General Multiple No 2.9 Adjacent Network High High Required Unchanged Low None Low 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21331 MySQL Cluster Cluster: General Multiple No 2.9 Adjacent Network High High Required Unchanged Low None Low 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21333 MySQL Cluster Cluster: General Multiple No 2.9 Adjacent Network High High Required Unchanged Low None Low 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21355 MySQL Cluster Cluster: General Multiple No 2.9 Adjacent Network High High Required Unchanged Low None Low 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21357 MySQL Cluster Cluster: General Multiple No 2.9 Adjacent Network High High Required Unchanged Low None Low 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
CVE-2022-21249 MySQL Server Server: DDL MySQL Protocol No 2.7 Network Low High None Unchanged None None Low 8.0.27 and prior
CVE-2022-21372 MySQL Server Server: Security: Encryption MySQL Protocol No 2.7 Network Low High None Unchanged None None Low 8.0.27 and prior

Additional CVEs addressed are:

  • The patch for CVE-2021-22946 also addresses CVE-2021-22947.
  • The patch for CVE-2021-3712 also addresses CVE-2021-3711.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 13 new security patches for Oracle PeopleSoft. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confidentiality Integrity Availability
CVE-2021-22931 PeopleSoft Enterprise PeopleTools Elastic Search (Node.js) HTTP Yes 9.8 Network Low None None Unchanged High High High 8.57, 8.58, 8.59
CVE-2021-2351 PeopleSoft Enterprise PeopleTools Change Impact Analyzer (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 8.57, 8.58, 8.59
CVE-2022-21300 PeopleSoft Enterprise CS SA Integration Pack Snapshot Integration HTTP Yes 7.5 Network Low None None Unchanged High None None 9.0, 9.2
CVE-2021-37137 PeopleSoft Enterprise PeopleTools Elastic Search (Netty) HTTP Yes 7.5 Network Low None None Unchanged None None High 8.57, 8.58, 8.59
CVE-2021-22946 PeopleSoft Enterprise PeopleTools File Processing (cURL) HTTP Yes 7.5 Network Low None None Unchanged High None None 8.57, 8.58, 8.59
CVE-2021-3712 PeopleSoft Enterprise PeopleTools Security (OpenSSL) Multiple Yes 7.4 Network High None None Unchanged High None High 8.57, 8.58, 8.59
CVE-2021-23337 PeopleSoft Enterprise PeopleTools Elastic Search (Lodash) HTTP No 7.2 Network Low High None Unchanged High High High 8.58, 8.59
CVE-2022-21345 PeopleSoft Enterprise PeopleTools Security HTTP No 6.5 Network Low Low None Unchanged High None None 8.58, 8.59
CVE-2022-21359 PeopleSoft Enterprise PeopleTools Optimization Framework HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.57, 8.58, 8.59
CVE-2022-21272 PeopleSoft Enterprise PeopleTools Portal HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.57, 8.58, 8.59
CVE-2022-21369 PeopleSoft Enterprise PeopleTools Rich Text Editor HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.57, 8.58, 8.59
CVE-2021-37695 PeopleSoft Enterprise PeopleTools Rich Text Editor (CKEditor) HTTP No 5.4 Network Low Low Required Changed Low Low None 8.57, 8.58, 8.59
CVE-2022-21364 PeopleSoft Enterprise PeopleTools Weblogic HTTP Yes 5.3 Network Low None None Un-

changed
Low None None 8.57, 8.58, 8.59

Additional CVEs addressed are:

  • The patch for CVE-2021-22931 also addresses CVE-2021-22939 and CVE-2021-22940.
  • The patch for CVE-2021-22946 also addresses CVE-2021-22924, CVE-2021-22925, CVE-2021-22926 and CVE-2021-22947.
  • The patch for CVE-2021-23337 also addresses CVE-2020-28500 and CVE-2020-8203.
  • The patch for CVE-2021-3712 also addresses CVE-2021-3711.
  • The patch for CVE-2021-37137 also addresses CVE-2021-37136.
  • The patch for CVE-2021-37695 also addresses CVE-2021-32808 and CVE-2021-32809.

Oracle Policy Automation Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Policy Automation. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2021-2351 Oracle Policy Automation Determinations Engine (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 12.2.0-12.2.24

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 43 new security patches for Oracle Retail Applications. 34 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2020-13936 Oracle Retail Integration Bus RIB Kernal (Apache Velocity Engine) HTTP No 8.8 Network Low Low None Unchanged High High High 19.0.1
CVE-2020-13936 Oracle Retail Order Broker Order Broker Foundation (Apache Velocity Engine) HTTP No 8.8 Network Low Low None Unchanged High High High 16.0
CVE-2020-13936 Oracle Retail Service Backbone RSB kernel (Apache Velocity Engine) HTTP No 8.8 Network Low Low None Unchanged High High High 19.0.1
CVE-2021-2351 Oracle Retail Analytics Other (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 21.0.001
CVE-2021-2351 Oracle Retail Assortment Planning Application Core (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 16.0.3
CVE-2021-2351 Oracle Retail Back Office Security (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 14.1
CVE-2021-2351 Oracle Retail Central Office Security (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 14.1
CVE-2021-2351 Oracle Retail Customer Insights Other (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 21.0.001
CVE-2021-2351 Oracle Retail Extract Transform and Load Mathematical Operators (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 13.2.8
CVE-2021-2351 Oracle Retail Financial Integration PeopleSoft Integration Bugs (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
CVE-2021-2351 Oracle Retail Integration Bus RIB Kernal (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
CVE-2021-2351 Oracle Retail Merchandising System Foundation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 19.0.1
CVE-2021-2351 Oracle Retail Order Broker System Administration (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 16.0, 18.0, 19.1
CVE-2021-2351 Oracle Retail Order Management System Upgrade Install (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 19.5
CVE-2021-2351 Oracle Retail Point-of-Service Security (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 14.1
CVE-2021-2351 Oracle Retail Predictive Application Server RPAS Server (OCCI) Oracle Net Yes 8.3 Network High None Required Changed High High High 14.1.3, 15.0.3, 16.0.3
CVE-2021-2351 Oracle Retail Price Management Security (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 14.1, 15, 16
CVE-2021-2351 Oracle Retail Returns Management Security (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 14.1
CVE-2021-2351 Oracle Retail Service Backbone RSB Installation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
CVE-2021-2351 Oracle Retail Xstore Point of Service Xenvironment (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 17.0.4, 18.0.3, 19.0.2, 20.0.1
CVE-2021-22118 Oracle Retail Customer Management and Segmentation Foundation Deal (Spring Framework) None No 7.8 Local Low Low None Unchanged High High High 16.0-19.0
CVE-2021-4104 Oracle Retail Allocation General (Apache Log4j) HTTP No 7.5 Network High Low None Unchanged High High High 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
CVE-2021-23337 Oracle Retail Customer Management and Segmentation Foundation Security (Lodash) HTTP No 7.2 Network Low High None Unchanged High High High 19.0
CVE-2021-44832 Oracle Retail Assortment Planning Application Core (Apache Log4j) HTTP No 6.6 Network High High None Unchanged High High High 16.0.3 See Note 1
CVE-2021-44832 Oracle Retail Fiscal Management NF Issuing (Apache Log4j) HTTP No 6.6 Network High High None Unchanged High High High 14.2 See Note 1
CVE-2021-45105 Oracle Retail Back Office Security (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 14.1 See Note 1
CVE-2021-45105 Oracle Retail Central Office Security (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 14.1 See Note 1
CVE-2021-45105 Oracle Retail EFTLink Installation (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 16.0.3, 17.0.2, 18.0.1, 19.0.1, 20.0.1 See Note 1
CVE-2021-45105 Oracle Retail Integration Bus RIB Kernal (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 14.1.3.0, 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 See Note 1
CVE-2021-45105 Oracle Retail Invoice Matching Security (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 15.0.3, 16.0.3 See Note 1
CVE-2021-45105 Oracle Retail Order Broker System Administration (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 16.0, 18.0, 19.1 See Note 1
CVE-2021-45105 Oracle Retail Order Management System Upgrade Install (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 19.5 See Note 1
CVE-2021-45105 Oracle Retail Point-of-Service Administration (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 14.1 See Note 1
CVE-2021-45105 Oracle Retail Predictive Application Server RPAS Server (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 14.1.3.46, 15.0.3.115, 16.0.3.240 See Note 1
CVE-2021-45105 Oracle Retail Price Management Security (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 13.2, 14.0.4, 14.1.3, 15.0.3, 16.0.3 See Note 1
CVE-2021-45105 Oracle Retail Returns Management Security (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 14.1 See Note 1
CVE-2021-45105 Oracle Retail Service Backbone RSB Installation (Apache Log4j) HTTP Yes 5.9 Network High None None Unchanged None None High 14.1.3.0, 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1 See Note 1
CVE-2021-31812 Oracle Retail Customer Management and Segmentation Foundation Security (Apache PDFbox) None No 5.5 Local Low None Required Unchanged None None High 18.1
CVE-2021-29425 Oracle Retail Assortment Planning Application Core (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 16.0.3
CVE-2021-29425 Oracle Retail Integration Bus RIB Kernal (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
CVE-2021-29425 Oracle Retail Order Broker System Administration (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 16.0, 18.0, 19.1
CVE-2021-29425 Oracle Retail Service Backbone RSB Installation (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 15.0.3.1, 16.0.3, 19.0.1
CVE-2021-29425 Oracle Retail Size Profile Optimization Application Core (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 16.0.3

Notes:

  1. This patch also addresses vulnerabilities CVE-2021-44228 and CVE-2021-45046. Customers need not apply the patches/mitigations of Security Alert CVE-2021-44228 and CVE-2021-45046 for this product.

Additional CVEs addressed are:

  • The patch for CVE-2021-23337 also addresses CVE-2020-28500.
  • The patch for CVE-2021-31812 also addresses CVE-2021-31811.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Siebel CRM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2021-2351 Siebel UI Framework EAI (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 21.12 and prior
CVE-2021-44832 Siebel UI Framework Enterprise Cache (Apache Log4j) HTTP No 6.6 Network High High None Unchanged High High High 21.12 and prior See Note 1

Notes:

  1. This patch also addresses vulnerabilities CVE-2021-44228 and CVE-2021-45046. Customers need not apply the patches/mitigations of Security Alert CVE-2021-44228 and CVE-2021-45046 for this product.

Additional CVEs addressed are:

  • The patch for CVE-2021-44832 also addresses CVE-2021-45105.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 10 new security patches for Oracle Supply Chain. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2021-2351 Oracle Agile Engineering Data Management Installation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 6.2.1.0
CVE-2021-2351 Oracle Agile PLM Security (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 9.3.6
CVE-2021-2351 Oracle Demantra Demand Management Security (JDBC, OCCI) Oracle Net Yes 8.3 Network High None Required Changed High High High 12.2.6-12.2.11
CVE-2021-2351 Oracle Product Lifecycle Analytics Installation (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 3.6.1
CVE-2021-2351 Oracle Rapid Planning Middle Tier (JDBC, OCCI) Oracle Net Yes 8.3 Network High None Required Changed High High High 12.2.6-12.2.11
CVE-2020-25649 Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite Installation Issues (jackson-databind) HTTP Yes 7.5 Network Low None None Unchanged None High None 3.6
CVE-2021-35043 Oracle Agile PLM Security (AntiSamy) HTTP Yes 6.1 Network Low None Required Changed Low Low None 9.3.3
CVE-2021-36374 Oracle Agile PLM Security (Apache Ant) None No 5.5 Local Low None Required Unchanged None None High 9.3.6
CVE-2020-17521 Oracle Agile PLM MCAD Connector CAX Client (Apache Groovy) None No 5.5 Local Low Low None Unchanged High None None 3.6, 3.4
CVE-2021-33037 Oracle Agile PLM Security (Apache Tomcat) HTTP Yes 5.3 Network Low None None Unchanged None Low None 9.3.6

Additional CVEs addressed are:

  • The patch for CVE-2021-36374 also addresses CVE-2021-36373.

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Support Tools. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2021-27568 OSS Support Tools Diagnostic Assistant (json-smart) HTTP Yes 9.1 Network Low None None Unchanged High None High Prior to 2.12.42
CVE-2021-2351 OSS Support Tools Diagnostic Assistant (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High Prior to 2.12.42
CVE-2016-7103 OSS Support Tools Diagnostic Assistant (jQuery UI) HTTP Yes 6.1 Network Low None Required Changed Low Low None Prior to 2.12.42
CVE-2021-29425 OSS Support Tools Diagnostic Assistant (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None Prior to 2.12.42

Oracle Systems Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Systems. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2021-3517 Oracle ZFS Storage Appliance Kit Operating System Image Multiple Yes 8.6 Network Low None None Unchanged Low Low High 8.8
CVE-2021-2351 Oracle ZFS Storage Application Integration Engineering Software Snap Management Utility (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 1.3.3
CVE-2020-8285 Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers XCP Firmware (cURL) HTTP Yes 7.5 Network Low None None Unchanged None None High Prior to XCP2410, prior to XCP3110
CVE-2021-3326 Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers XCP Firmware (glibc) Multiple Yes 7.5 Network Low None None Unchanged None None High Prior to XCP2410, prior to XCP3110
CVE-2021-23840 Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers XCP Firmware (OpenSSL) TLS Yes 7.5 Network Low None None Unchanged None None High Prior to XCP2410, prior to XCP3110
CVE-2020-13817 Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers XCP Firmware (NTP) NTP Yes 7.4 Network High None None Unchanged None High High Prior to XCP2410, prior to XCP3110
CVE-2021-43395 Oracle Solaris Filesystem None No 6.5 Local Low Low None Changed None None High 11, 10
CVE-2022-21375 Oracle Solaris Kernel None No 5.5 Local Low Low None Unchanged None None High 11
CVE-2022-21271 Oracle Solaris Libraries Multiple Yes 5.3 Network Low None None Unchanged None None Low 11
CVE-2022-21263 Oracle Solaris Fault Management Architecture None No 4.8 Local Low Low Required Unchanged Low Low Low 11
CVE-2022-21298 Oracle Solaris Install None No 3.9 Local Low Low Required Unchanged None Low Low 11

Additional CVEs addressed are:

  • The patch for CVE-2020-8285 also addresses CVE-2020-8177 and CVE-2020-8284.
  • The patch for CVE-2021-3517 also addresses CVE-2021-3516, CVE-2021-3541 and CVE-2021-36690.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 13 new security patches for Oracle Utilities Applications. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2020-14756 Oracle Utilities Framework General (Oracle Coherence) HTTP Yes 9.8 Network Low None None Unchanged High High High 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0
CVE-2021-27568 Oracle Utilities Framework Common (json-smart) HTTP Yes 9.1 Network Low None None Unchanged High None High 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0
CVE-2021-39139 Oracle Utilities Framework General (XStream) HTTP No 8.8 Network Low Low None Unchanged High High High 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0
CVE-2020-13936 Oracle Utilities Testing Accelerator Tools (Apache Velocity Engine) HTTP No 8.8 Network Low Low None Unchanged High High High 6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1
CVE-2021-39139 Oracle Utilities Testing Accelerator Tools (XStream) HTTP No 8.8 Network Low Low None Unchanged High High High 6.0.0.1.1
CVE-2021-2351 Oracle Utilities Framework General (JDBC) HTTP Yes 8.3 Network High None Required Changed High High High 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0
CVE-2021-2351 Oracle Utilities Testing Accelerator Tools (JDBC) Oracle Net Yes 8.3 Network High None Required Changed High High High 6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1
CVE-2021-22118 Oracle Utilities Testing Accelerator Tools (Spring Framework) None No 7.8 Local Low Low None Unchanged High High High 6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1
CVE-2021-36090 Oracle Utilities Testing Accelerator Tools (Apache Commons Compress) HTTP Yes 7.5 Network Low None None Unchanged None None High 6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1
CVE-2021-4104 Oracle Utilities Testing Accelerator Tools (Apache Log4j) HTTP No 7.5 Network High Low None Unchanged High High High 6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1
CVE-2021-36374 Oracle Utilities Testing Accelerator Tools (Apache Ant) None No 5.5 Local Low None Required Unchanged None None High 6.0.0.1.1
CVE-2021-33037 Oracle Utilities Testing Accelerator Tools (Apache Tomcat) HTTP Yes 5.3 Network Low None None Unchanged None Low None 6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1
CVE-2021-29425 Oracle Utilities Testing Accelerator Tools (Apache Commons IO) HTTP Yes 4.8 Network High None None Unchanged Low Low None 6.0.0.1.1

Additional CVEs addressed are:

  • The patch for CVE-2020-14756 also addresses CVE-2020-14642, CVE-2021-2277, CVE-2021-2344, CVE-2021-2371 and CVE-2021-2428.
  • The patch for CVE-2021-27568 also addresses CVE-2021-31684.
  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
  • The patch for CVE-2021-36374 also addresses CVE-2021-36373.
  • The patch for CVE-2021-39139 also addresses CVE-2021-39140, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152, CVE-2021-39153 and CVE-2021-39154.

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Virtualization. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2022-21394 Oracle VM VirtualBox Core None No 6.5 Local Low Low None Changed High None None Prior to 6.1.32 See Note 1
CVE-2022-21295 Oracle VM VirtualBox Core None No 3.8 Local Low Low None Changed Low None None Prior to 6.1.32

Notes:

  1. This vulnerability applies to Windows systems only.

Oracle Security Alert for CVE-2021-44228 – 10 December 2021

Oracle Security Alert Advisory – CVE-2021-44228

Description

This Security Alert addresses CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. It also addresses CVE-2021-45046, which arose as an incomplete fix by Apache to CVE-2021-44228.

Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the product listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions Patch Availability Document
Apache Log4j, versions 2.0-2.15.0 My Oracle Support Document

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

References

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Security Alert. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Oracle lists updates that address vulnerabilities in third-party components that are not exploitable in the context of their inclusion in their respective Oracle product beneath the product’s risk matrix.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle: None credited in this Security Alert.

Modification History

Date Note
2020-December-17 Rev 3. Updated CVSS score for CVE-2021-45046.
2021-December-15 Rev 2. Added CVE-2021-45046.
2021-December-10 Rev 1. Initial Release.

Third Party Component Risk Matrix

This Security Alert contains 2 new security patches for Third Party Component. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2021-44228 Apache Log4j All Multiple Yes 10.0 Network Low None None Changed High High High 2.0 – 2.14.1
CVE-2021-45046 Apache Log4j All Multiple Yes 9.0 Network High None None Changed High High High 2.0 – 2.15.0

Oracle Critical Patch Update Advisory – October 2021

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 419 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2021 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions Patch Availability Document
Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0 Enterprise Manager
Enterprise Manager for Oracle Database, version 13.4.0.0 Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0 Enterprise Manager
Essbase Administration Services, versions prior to 11.1.2.4.046, prior to 21.3 Database
Hyperion Financial Management, versions 11.1.2.4, 11.2.6.0 Fusion Middleware
Hyperion Financial Reporting, versions 11.1.2.4, 11.2.6.0 Fusion Middleware
Hyperion Infrastructure Technology, version 11.2.6.0 Fusion Middleware
Hyperion Planning, versions 11.1.2.4, 11.2.6.0 Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.6.0 JD Edwards
JD Edwards EnterpriseOne Tools, versions prior to 9.2.6.0 JD Edwards
JD Edwards World Security, version A9.4 JD Edwards
MySQL Client, versions 8.0.26 and prior MySQL
MySQL Cluster, versions 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior, 8.0.26 and prior MySQL
MySQL Connectors, versions 8.0.26 and prior MySQL
MySQL Enterprise Monitor, versions 8.0.25 and prior MySQL
MySQL Server, versions 5.7.35 and prior, 8.0.26 and prior MySQL
MySQL Workbench, versions 8.0.26 and prior MySQL
Oracle Agile PLM, versions 9.3.3, 9.3.6 Oracle Supply Chain Products
Oracle Application Express, versions prior to 21.1.0 Database
Oracle Application Testing Suite, version 13.3.0.1 Enterprise Manager
Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2 Oracle Supply Chain Products
Oracle Banking Cash Management, versions 14.2, 14.3, 14.5 Contact Support
Oracle Banking Corporate Lending Process Management, versions 14.2, 14.3, 14.5 Contact Support
Oracle Banking Credit Facilities Process Management, versions 14.2, 14.3, 14.5 Contact Support
Oracle Banking Enterprise Default Management, versions 2.10.0, 2.12.0 Oracle Banking Platform
Oracle Banking Extensibility Workbench, versions 14.2, 14.3, 14.5 Contact Support
Oracle Banking Platform, versions 2.6.2, 2.7.1, 2.9.0, 2.12.0 Oracle Banking Platform
Oracle Banking Supply Chain Finance, versions 14.2, 14.3, 14.5 Contact Support
Oracle Banking Trade Finance Process Management, versions 14.2, 14.3, 14.5 Contact Support
Oracle Banking Virtual Account Management, versions 14.2, 14.3, 14.5 Contact Support
Oracle Business Activity Monitoring, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Commerce Guided Search, version 11.3.2 Oracle Commerce
Oracle Commerce Merchandising, version 11.3.2 Oracle Commerce
Oracle Communications Application Session Controller, version 3.9 Oracle Communications Application Session Controller
Oracle Communications Billing and Revenue Management, versions 7.5.0.0.0, 12.0.0.3.0 Oracle Communications Billing and Revenue Management
Oracle Communications BRM – Elastic Charging Engine, version 12.0.0.3 Oracle Communications BRM – Elastic Charging Engine
Oracle Communications Calendar Server, version 8.0.0.6.0 Oracle Communications Calendar Server
Oracle Communications Cloud Native Core Network Repository Function, version 1.14.0 Oracle Communications Cloud Native Core Network Repository Function
Oracle Communications Cloud Native Core Policy, version 1.11.0 Communications Cloud Native Core Policy
Oracle Communications Control Plane Monitor, versions 3.4, 4.2, 4.3, 4.4 Oracle Communications Control Plane Monitor
Oracle Communications Converged Application Server – Service Controller, version 6.2 Oracle Communications Converged Application Server – Service Controller
Oracle Communications Design Studio, version 7.4.2 Oracle Communications Design Studio
Oracle Communications Diameter Signaling Router, versions 8.0.0.0-8.5.0.0 Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE Oracle Communications EAGLE
Oracle Communications EAGLE FTP Table Base Retrieval, version 4.5 Oracle Communications EAGLE FTP Table Base Retrieval
Oracle Communications EAGLE LNP Application Processor, versions 46.7, 46.8, 46.9 Oracle Communications EAGLE LNP Application Processor
Oracle Communications Element Manager, versions 8.2.0.0-8.2.4.0 Oracle Communications Element Manager
Oracle Communications Fraud Monitor, versions 3.4-4.4 Oracle Communications Fraud Monitor
Oracle Communications Interactive Session Recorder, version 6.4 Oracle Communications Interactive Session Recorder
Oracle Communications LSMS, versions 13.1-13.4 Oracle Communications LSMS
Oracle Communications Messaging Server, version 8.1 Oracle Communications Messaging Server
Oracle Communications MetaSolv Solution, version 6.3.1 Oracle Communications MetaSolv Solution
Oracle Communications Offline Mediation Controller, version 12.0.0.3.0 Oracle Communications Offline Mediation Controller
Oracle Communications Operations Monitor, versions 3.4, 4.2, 4.3, 4.4 Oracle Communications Operations Monitor
Oracle Communications Policy Management, version 12.5.0 Oracle Communications Policy Management
Oracle Communications Pricing Design Center, version 12.0.0.3.0 Oracle Communications Pricing Design Center
Oracle Communications Services Gatekeeper, version 7.0 Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions 8.4, 9.0 Oracle Communications Session Border Controller
Oracle Communications Session Report Manager, versions 8.0.0.0-8.2.5.0 Oracle Communications Session Report Manager
Oracle Communications Session Route Manager, versions 8.0.0.0-8.2.5.0 Oracle Communications Session Route Manager
Oracle Data Integrator, version 12.2.1.4.0 Fusion Middleware
Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 19c, 21c Database
Oracle Documaker, versions 12.6.0-12.6.4 Oracle Insurance Applications
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10 Oracle E-Business Suite
Oracle Enterprise Communications Broker, versions 3.2, 3.3 Oracle Enterprise Communications Broker
Oracle Enterprise Repository, version 11.1.1.7.0 Fusion Middleware
Oracle Enterprise Telephony Fraud Monitor, versions 3.4, 4.2, 4.3, 4.4 Oracle Enterprise Telephony Fraud Monitor
Oracle Ethernet Switch ES2-64, Oracle Ethernet Switch ES2-72, version 2.0.0.14 Systems
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.1 Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Enterprise Case Management, versions 8.0.7.2.0, 8.0.8.1.0 Oracle Financial Services Enterprise Case Management
Oracle Financial Services Model Management and Governance, versions 8.0.8.0.0-8.1.0.0.0 Oracle Financial Services Model Management and Governance
Oracle FLEXCUBE Core Banking, versions 11.7, 11.8, 11.9, 11.10 Contact Support
Oracle Global Lifecycle Management OPatch Global Lifecycle Management
Oracle GoldenGate, versions prior to 19.1.0.0.0.210420 Database
Oracle GoldenGate Application Adapters, version 19.1.0.0.0 Fusion Middleware
Oracle GraalVM Enterprise Edition, versions 20.3.3, 21.2.0 Java SE
Oracle Graph Server and Client, versions prior to 21.3.0 Database
Oracle Health Sciences Central Coding, versions 6.2.0, 6.3.0 Health Sciences
Oracle Health Sciences InForm, version 6.3.0 Health Sciences
Oracle Healthcare Data Repository, versions 7.0.2, 8.1.0 Health Sciences
Oracle Healthcare Foundation, versions 7.3, 8.0, 8.1 Health Sciences
Oracle Hospitality Cruise Shipboard Property Management System, version 20.1.0 Oracle Hospitality Cruise Shipboard Property Management System
Oracle HTTP Server, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Insurance Calculation Engine, versions 11.0.0-11.3.1 Oracle Insurance Applications
Oracle Insurance Policy Administration, versions 11.0.0-11.3.1 Oracle Insurance Applications
Oracle Java SE, versions 7u311, 8u301, 11.0.12, 17 Java SE
Oracle NoSQL Database NoSQL Database
Oracle Outside In Technology, version 8.5.5 Fusion Middleware
Oracle Real User Experience Insight, versions 13.4.1.0, 13.5.1.0 Enterprise Manager
Oracle Real-Time Decision Server, versions 3.2.0.0, 11.1.1.9.0 Fusion Middleware
Oracle REST Data Services, versions prior to 21.3 Database
Oracle Retail Advanced Inventory Planning, versions 14.1, 15.0, 16.0 Retail Applications
Oracle Retail Assortment Planning, version 16.0 Retail Applications
Oracle Retail Back Office, versions 14.0, 14.1 Retail Applications
Oracle Retail Bulk Data Integration, versions 16.0.3, 19.0.1 Retail Applications
Oracle Retail Central Office, versions 14.0, 14.1 Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0-19.0 Retail Applications
Oracle Retail Extract Transform and Load, version 13.2.8 Retail Applications
Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.4.0, 16.0.3.0 Retail Applications
Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.4.0, 16.0.3.0, 19.0.1.0 Retail Applications
Oracle Retail Merchandising System, versions 15.0.3, 19.0.1 Retail Applications
Oracle Retail Point-of-Service, versions 14.0, 14.1 Retail Applications
Oracle Retail Predictive Application Server, versions 14.1.3, 15.0.3, 16.0.3 Retail Applications
Oracle Retail Returns Management, versions 14.0, 14.1 Retail Applications
Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.4.0, 16.0.3.0, 19.0.1.0 Retail Applications
Oracle Retail Store Inventory Management, versions 14.1, 15.0, 16.0 Retail Applications
Oracle Secure Backup, versions prior to 18.1.0.1.0 Oracle Secure Backup
Oracle Secure Global Desktop, version 5.6 Virtualization
Oracle Solaris, version 11 Systems
Oracle Spatial Studio Database
Oracle SQL Developer Database
Oracle Transportation Management, version 6.4.3 Oracle Supply Chain Products
Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0 Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 6.1.28 Virtualization
Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8 Systems
PeopleSoft Enterprise CC Common Application Objects, version 9.2 PeopleSoft
PeopleSoft Enterprise CS Academic Advisement, version 9.2 PeopleSoft
PeopleSoft Enterprise CS Campus Community, versions 9.0, 9.2 PeopleSoft
PeopleSoft Enterprise CS SA Integration Pack, versions 9.0, 9.2 PeopleSoft
PeopleSoft Enterprise CS Student Records, version 9.2 PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.57, 8.58, 8.59 PeopleSoft
PeopleSoft Enterprise SCM, version 9.2 PeopleSoft
Primavera Gateway, versions 17.12.0-17.12.11, 18.8.0-18.8.12, 19.12.0-19.12.11, 20.12.0-20.12.7 Oracle Construction and Engineering Suite
Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12 Oracle Construction and Engineering Suite
Siebel Applications, versions 21.9 and prior Siebel
Tekelec Platform Distribution, versions 7.4.0-7.7.1 Tekelec Platform Distribution
Tekelec Virtual Operating Environment, versions 3.4.0-3.7.1 Tekelec Virtual Operating Environment

Note:

  • Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA, so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1, for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
  • Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets, which contain critical security fixes and are detailed in the Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
  • Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Oracle lists updates that address vulnerabilities in third-party components that are not exploitable in the context of their inclusion in their respective Oracle product beneath the product’s risk matrix.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • 0xfoxone: CVE-2021-35572, CVE-2021-35573, CVE-2021-35574, CVE-2021-35656, CVE-2021-35657, CVE-2021-35658, CVE-2021-35661, CVE-2021-35662
  • Andrej Simko of Accenture: CVE-2021-35580, CVE-2021-35581, CVE-2021-35582
  • Anonymous researcher working with Trend Micro’s Zero Day Initiative: CVE-2021-35590, CVE-2021-35592, CVE-2021-35593, CVE-2021-35594, CVE-2021-35598, CVE-2021-35621
  • Artem Smotrakov: CVE-2021-35603
  • Asaf Greenholts of Bank Hapoalim: CVE-2021-35550
  • Aveek Biswas of Salesforce.com: CVE-2021-27290, CVE-2021-32804
  • Black Lantern Security LLC: CVE-2021-35665
  • Chuck Hunley of sas.com: CVE-2021-35567
  • DoHyun Lee (l33d0hyun) of VirtualBoBs: CVE-2021-35540
  • Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2021-2332
  • Emad Al-Mousa: CVE-2021-35576
  • Girlelecta: CVE-2021-35659, CVE-2021-35660
  • Guillaume Jacques of synacktiv: CVE-2021-35651, CVE-2021-35652, CVE-2021-35653, CVE-2021-35654, CVE-2021-35655
  • Hongkun Chen of Alibaba: CVE-2021-2471
  • Jie Liang of WingTecher Lab of Tsinghua University: CVE-2021-35641, CVE-2021-35642, CVE-2021-35643, CVE-2021-35644, CVE-2021-35645
  • Jingzhou Fu of WingTecher Lab of Tsinghua University: CVE-2021-35641, CVE-2021-35642, CVE-2021-35643, CVE-2021-35644, CVE-2021-35645
  • John Simpson of Trend Micro Security Research working with the Zero Day Initiative: CVE-2021-35611
  • Kosong: CVE-2021-2461
  • Lai Han of NSFocus Security Team: CVE-2021-35620
  • Liboheng of Tophant Starlight laboratory: CVE-2021-35617
  • Markus Loewe: CVE-2021-35561
  • Matthias Kaiser of Apple Information Security: CVE-2021-2137
  • Ofir Hamam: CVE-2021-2476, CVE-2021-35616
  • Paul Barbé of synacktiv: CVE-2021-35651, CVE-2021-35652, CVE-2021-35653, CVE-2021-35654, CVE-2021-35655
  • Qiguang Zhu: CVE-2021-35551
  • Qiuhao Li: CVE-2021-2475
  • Ryan Emmons: CVE-2021-35538
  • Sven Woynoski of it.sec GmbH: CVE-2021-2414, CVE-2021-2416
  • Théo Louis-Tisserand of synacktiv: CVE-2021-35651, CVE-2021-35652, CVE-2021-35653, CVE-2021-35654, CVE-2021-35655
  • Tristen Hayfield of Cisco: CVE-2021-35565
  • Victor Rodriguez: CVE-2021-35595
  • Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2021-2471
  • Yaoguang Chen of Ant Security Light-Year Lab: CVE-2021-35557, CVE-2021-35558, CVE-2021-35634, CVE-2021-35641, CVE-2021-35642, CVE-2021-35643, CVE-2021-35644, CVE-2021-35645
  • Yi Ren of Alibaba: CVE-2021-35542
  • Zhiyong Wu of WingTecher Lab of Tsinghua University: CVE-2021-35641, CVE-2021-35642, CVE-2021-35643, CVE-2021-35644, CVE-2021-35645

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program:

  • Alexander Kornbrust of Red Database Security [2 reports]
  • Andrej Simko of Accenture
  • Emad Al-Mousa
  • Fabian Meumertzheim of Code Intelligence
  • Hinemos Development Team, NTT DATA INTELLILINK Corporation working with Red Hat
  • Juho Nurminen of Mattermost
  • Masafumi Miura of Red Hat
  • Paul Fiterau Brostean of Uppsala University [3 reports]
  • Yoshikazu Nojima of Red Hat

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

  • Adarsh VS Mannarakkal
  • Ali Alzahrani
  • Anil Bhatt
  • Aravindha Hariharan
  • Black Lantern Security LLC [8 reports]
  • Brahim Ait Boufakri
  • Dara Greaney
  • Gaurang Maheta of gaurang maheta
  • Gil Hoffer
  • H01 from FPT Software Cybersecurity Assurance Service
  • Jebarson Immanuel
  • Khalid matar Alharthi
  • Lidor Ben Shitrit from Orca Security
  • Mahad Ali
  • Maxime Bonillo
  • Nic Palmer (Optimus Crime)
  • Omri Litvak
  • Osama Mohammed
  • PhishLabs Security Operations
  • Priyanshu Kumawat
  • PwnWiki Administrator of PwnWiki
  • Sergiy Kornienko
  • Seth Duda of SquareWorks Consulting
  • Shuvam Adhikari
  • Vaishnav Pardhi
  • Vismit Sudhir Rakhecha (Druk) [2 reports]

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 18 January 2022
  • 19 April 2022
  • 19 July 2022
  • 18 October 2022

References

Modification History

Date | Note
2022-January-18 | Rev 3. Updated the Essbase affected versions.
2021-October-28 | Rev 2. Changed the product of CVE-2018-20843 from Oracle WebLogic Server Proxy Plug-In to Oracle HTTP Server and added 5.9.0.0.0 to affected versions of Oracle Business Intelligence Enterprise Edition.
2021-October-19 | Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 18 new security patches for Oracle Database Products divided as follows:

  • 9 new security patches for Oracle Database Products
  • 5 new security patches for Oracle Essbase
  • No new security patches for Oracle Global Lifecycle Management, but third party patches are provided
  • 1 new security patch for Oracle GoldenGate
  • 1 new security patch for Oracle Graph Server and Client
  • No new security patches for Oracle NoSQL Database, but third party patches are provided
  • 1 new security patch for Oracle REST Data Services
  • 1 new security patch for Oracle Secure Backup
  • No new security patches for Oracle Spatial Studio, but third party patches are provided
  • No new security patches for Oracle SQL Developer, but third party patches are provided

Oracle Database Server Risk Matrix

This Critical Patch Update contains 9 new security patches plus additional third party patches noted below for Oracle Database Products. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-35599 | Zero Downtime DB Migration to Cloud | Local Logon | Local Logon | No | 8.2 | Local | Low | High | None | Changed | High | High | High | 21c |
CVE-2021-25122 | Oracle Database Enterprise Edition (Apache Tomcat) | None | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.0.1, 19c, 21c |
CVE-2021-35619 | Java VM | Create Procedure | Oracle Net | No | 7.1 | Network | High | Low | Required | Unchanged | High | High | High | 12.1.0.2, 12.2.0.1, 19c, 21c |
CVE-2021-2332 | Oracle LogMiner | DBA | Oracle Net | No | 6.7 | Network | Low | High | None | Unchanged | Low | High | High | 12.1.0.2, 12.2.0.1, 19c |
CVE-2021-35551 | RDBMS Security | DBA | Oracle Net | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 12.2.0.1, 19c, 21c |
CVE-2021-35557 | Core RDBMS | Create Table | Oracle Net | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 12.1.0.2, 12.2.0.1, 19c, 21c |
CVE-2021-35558 | Core RDBMS | Create Table | Oracle Net | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 12.1.0.2, 12.2.0.1, 19c, 21c |
CVE-2021-26272 | Oracle Application Express (CKEditor) | None | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | Prior to 21.1.0 |
CVE-2021-35576 | Oracle Database Enterprise Edition Unified Audit | Local Logon | Oracle Net | No | 2.7 | Network | Low | High | None | Unchanged | None | Low | None | 12.1.0.2, 12.2.0.1, 19c |

Additional CVEs addressed are:

  • The patch for CVE-2021-25122 also addresses CVE-2020-9484 and CVE-2021-25329.
  • The patch for CVE-2021-26272 also addresses CVE-2021-26271.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Autonomous Health Framework (Apache Commons IO): CVE-2021-29425.
  • GraalVM Multilingual Engine: CVE-2021-29921, CVE-2020-28928, CVE-2021-2341, CVE-2021-2369, CVE-2021-2388 and CVE-2021-2432.
  • Oracle Spatial and Graph – GeoRaster (OpenJPEG): CVE-2020-27824.
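As an added example, not part of Oracle's advisory: the Python below recomputes the CVSS 3.1 base score from the Attack Vector through Availability columns of the Oracle Database Server matrix above and checks it against the listed Base Score, then lists the rows marked remotely exploitable without authentication with their protocol, which is the set the Workarounds section suggests restricting at the network until the patch is applied. The row values are transcribed from the matrix; the metric weights and rounding rule are those of the CVSS v3.1 specification.

```python
"""Recompute CVSS v3.1 base scores for Oracle risk-matrix rows (added example)."""
import math
from collections import namedtuple

# Metric weights from the CVSS v3.1 specification.
AV = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.20}
AC = {"Low": 0.77, "High": 0.44}
PR_UNCHANGED = {"None": 0.85, "Low": 0.62, "High": 0.27}
PR_CHANGED = {"None": 0.85, "Low": 0.68, "High": 0.50}  # PR weighs more when scope changes
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}


def roundup(value):
    """Round up to one decimal as in CVSS v3.1 Appendix A (integer steps avoid float drift)."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, conf, integ, avail):
    """CVSS v3.1 base score from the matrix columns Attack Vector .. Availability."""
    changed = scope == "Changed"
    iss = 1 - (1 - CIA[conf]) * (1 - CIA[integ]) * (1 - CIA[avail])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr_weight = (PR_CHANGED if changed else PR_UNCHANGED)[pr]
    exploitability = 8.22 * AV[av] * AC[ac] * pr_weight * UI[ui]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10))


# One matrix row: CVE, Protocol, "Remote Exploit without Auth.?", listed Base Score,
# then the eight CVSS metric columns in the order the matrix prints them.
Row = namedtuple("Row", "cve protocol remote listed av ac pr ui scope c i a")

# Transcribed from the Oracle Database Server Risk Matrix in this advisory.
DB_ROWS = [
    Row("CVE-2021-35599", "Local Logon", "No", 8.2, "Local", "Low", "High", "None", "Changed", "High", "High", "High"),
    Row("CVE-2021-25122", "HTTP", "Yes", 7.5, "Network", "Low", "None", "None", "Unchanged", "High", "None", "None"),
    Row("CVE-2021-35619", "Oracle Net", "No", 7.1, "Network", "High", "Low", "Required", "Unchanged", "High", "High", "High"),
    Row("CVE-2021-2332", "Oracle Net", "No", 6.7, "Network", "Low", "High", "None", "Unchanged", "Low", "High", "High"),
    Row("CVE-2021-35551", "Oracle Net", "No", 5.5, "Network", "Low", "High", "None", "Unchanged", "None", "Low", "High"),
    Row("CVE-2021-35557", "Oracle Net", "No", 4.3, "Network", "Low", "Low", "None", "Unchanged", "None", "None", "Low"),
    Row("CVE-2021-35558", "Oracle Net", "No", 4.3, "Network", "Low", "Low", "None", "Unchanged", "None", "None", "Low"),
    Row("CVE-2021-26272", "HTTP", "Yes", 4.3, "Network", "Low", "None", "Required", "Unchanged", "None", "None", "Low"),
    Row("CVE-2021-35576", "Oracle Net", "No", 2.7, "Network", "Low", "High", "None", "Unchanged", "None", "Low", "None"),
]


def verify_rows(rows):
    """Return {cve: (listed, recomputed)} for rows whose listed score does not match."""
    mismatches = {}
    for row in rows:
        computed = base_score(row.av, row.ac, row.pr, row.ui, row.scope, row.c, row.i, row.a)
        if computed != row.listed:
            mismatches[row.cve] = (row.listed, computed)
    return mismatches


def network_unauthenticated(rows):
    """(cve, protocol) for rows needing no credentials: the protocol to restrict until patched."""
    return [(row.cve, row.protocol) for row in rows if row.remote == "Yes"]


if __name__ == "__main__":
    print("score mismatches:", verify_rows(DB_ROWS) or "none")
    for cve, proto in network_unauthenticated(DB_ROWS):
        print(f"{cve}: reachable over {proto} without authentication")
```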

Oracle Essbase Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Essbase. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-35652 | Essbase Administration Services | EAS Console | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | Prior to 11.1.2.4.046, Prior to 21.3 |
CVE-2021-35651 | Essbase Administration Services | EAS Console | HTTP | No | 8.5 | Network | Low | Low | None | Changed | High | Low | None | Prior to 11.1.2.4.046, Prior to 21.3 |
CVE-2021-35653 | Essbase Administration Services | EAS Console | HTTP | No | 7.7 | Network | Low | Low | None | Changed | High | None | None | Prior to 11.1.2.4.046, Prior to 21.3 |
CVE-2021-35654 | Essbase Administration Services | EAS Console | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 11.1.2.4.046, Prior to 21.3 |
CVE-2021-35655 | Essbase Administration Services | EAS Console | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | Prior to 11.1.2.4.046, Prior to 21.3 |

Oracle Global Lifecycle Management Risk Matrix

This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle Global Lifecycle Management. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Global Lifecycle Management. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes

There are no exploitable vulnerabilities for these products.

Third party patches for non-exploitable CVEs are noted below.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Global Lifecycle Management OPatch
    • Patch Installer (Apache Commons Compress): CVE-2021-36090, CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
    • Patch Installer (jackson-databind): CVE-2020-25649.

Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 1 new security patch plus additional third party patches noted below for Oracle GoldenGate. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-3740 | Oracle GoldenGate | Install (Dell BSAFE Crypto-J) | Oracle Net | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | Prior to 19.1.0.0.0.210420 |

Additional CVEs addressed are:

  • The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle GoldenGate
    • General (Apache Batik): CVE-2020-11987 and CVE-2019-17566.
    • Install (jQuery): CVE-2020-11023, CVE-2019-11358 and CVE-2020-11022.
    • Internal Framework (Google Guava): CVE-2018-10237 and CVE-2020-8908.

Oracle Graph Server and Client Risk Matrix

This Critical Patch Update contains 1 new security patch plus additional third party patches noted below for Oracle Graph Server and Client. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-25122 | Oracle Graph Server and Client | Packaging/install (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | Prior to 21.3.0 |

Additional CVEs addressed are:

  • The patch for CVE-2021-25122 also addresses CVE-2021-25329.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Graph Server and Client
    • Packaging/Install (Guava): CVE-2020-8908.
    • Packaging/Install (Lodash): CVE-2021-23337 and CVE-2020-28500.
    • Packaging/Install (jackson-databind): CVE-2020-25649.

Oracle NoSQL Database Risk Matrix

This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle NoSQL Database. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle NoSQL Database. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes

There are no exploitable vulnerabilities for these products.

Third party patches for non-exploitable CVEs are noted below.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle NoSQL Database
    • Administration (Go): CVE-2021-34558.
    • Administration (Netty): CVE-2021-21409.

Oracle REST Data Services Risk Matrix

This Critical Patch Update contains 1 new security patch plus additional third party patches noted below for Oracle REST Data Services. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-28165 | Oracle REST Data Services | General (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 21.3 |

Additional CVEs addressed are:

  • The patch for CVE-2021-28165 also addresses CVE-2021-28169 and CVE-2021-34428.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle REST Data Services
    • Infrastructure (Apache Batik): CVE-2020-11988, CVE-2019-17566 and CVE-2020-11987.

Oracle Secure Backup Risk Matrix

This Critical Patch Update contains 1 new security patch plus additional third party patches noted below for Oracle Secure Backup. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-3450 | Oracle Secure Backup | Oracle Secure Backup (OpenSSL) | TLS | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | Prior to 18.1.0.1.0 |

Additional CVEs addressed are:

  • The patch for CVE-2021-3450 also addresses CVE-2021-3449.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Secure Backup
    • Generic (PHP): CVE-2021-21702, CVE-2020-7065 and CVE-2020-7071.

Oracle Spatial Studio Risk Matrix

This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle Spatial Studio. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Spatial Studio. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes

There are no exploitable vulnerabilities for these products.

Third party patches for non-exploitable CVEs are noted below.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Spatial Studio
    • Install (Apache Commons IO): CVE-2021-29425.
    • Install (Apache Commons BeanUtils): CVE-2019-10086.

Oracle SQL Developer Risk Matrix

This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle SQL Developer. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle SQL Developer. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes

There are no exploitable vulnerabilities for these products.

Third party patches for non-exploitable CVEs are noted below.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • SQL Developer Data Modeler
    • Infrastructure (Apache PDFBox): CVE-2021-27807.

Oracle Commerce Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Commerce. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the Base Score through Availability columns.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-37695 | Oracle Commerce Guided Search | Content Acquisition System (CKEditor) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 11.3.2 |
CVE-2021-37695 | Oracle Commerce Merchandising | Merchandising (CKEditor) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 11.3.2 |

Additional CVEs addressed are:

  • The patch for CVE-2021-37695 also addresses CVE-2021-32808 and CVE-2021-32809.

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 19 new security patches for Oracle Communications Applications. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the Base Score through Availability columns.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-3177 | Oracle Communications Pricing Design Center | Pricing (Python) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.0.0.3.0 |
CVE-2021-2351 | Oracle Communications MetaSolv Solution | Reports (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 6.3.1 |
CVE-2021-22118 | Oracle Communications BRM – Elastic Charging Engine | Controller (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 12.0.0.3 |
CVE-2021-36090 | Oracle Communications Messaging Server | Message Store (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.1 |
CVE-2021-30468 | Oracle Communications Messaging Server | Security (Apache CXF) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.1 |
CVE-2020-25648 | Oracle Communications Offline Mediation Controller | Storage & Reporting (NSS) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.0.0.3.0 |
CVE-2019-10086 | Oracle Communications Billing and Revenue Management | Billing Care (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 7.5.0.0.0, 12.0.0.3.0 |
CVE-2021-23337 | Oracle Communications Design Studio | PSR Designer (Lodash) | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 7.4.2 |
CVE-2020-6950 | Oracle Communications Pricing Design Center | Services Manager (Eclipse Mojarra) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 12.0.0.3.0 |
CVE-2021-21409 | Oracle Communications BRM – Elastic Charging Engine | OUI Installer (Netty) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 12.0.0.3 |
CVE-2021-21409 | Oracle Communications Design Studio | PSR Designer (Netty) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 7.4.2 |
CVE-2021-21409 | Oracle Communications Messaging Server | Multiplexor (Netty) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 8.1 |
CVE-2020-17521 | Oracle Communications BRM – Elastic Charging Engine | Orchestration (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 12.0.0.3 |
CVE-2021-31812 | Oracle Communications Messaging Server | Monitoring (Apache PDFBox) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 8.1 |
CVE-2021-28657 | Oracle Communications Messaging Server | Monitoring (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 8.1 |
CVE-2021-29425 | Oracle Communications Calendar Server | Administration (Apache Commons IO) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.0.0.6.0 |
CVE-2021-29425 | Oracle Communications Messaging Server | Message Store (Apache Commons IO) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.1 |
CVE-2021-29425 | Oracle Communications MetaSolv Solution | Reports (Apache Commons IO) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 6.3.1 |
CVE-2021-33037 | Oracle Communications Pricing Design Center | Pricing (Apache Tomcat) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 12.0.0.3.0 |

Additional CVEs addressed are:

  • The patch for CVE-2021-21409 also addresses CVE-2021-21290.
  • The patch for CVE-2021-23337 also addresses CVE-2020-28500.
  • The patch for CVE-2021-30468 also addresses CVE-2021-21290.
  • The patch for CVE-2021-3177 also addresses CVE-2021-23336.
  • The patch for CVE-2021-31812 also addresses CVE-2021-27807 and CVE-2021-27906.
  • The patch for CVE-2021-33037 also addresses CVE-2021-30369 and CVE-2021-30640.
  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.

Oracle Communications Risk Matrix

This Critical Patch Update contains 71 new security patches plus additional third party patches noted below for Oracle Communications. 56 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the Base Score through Availability columns.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-21345 | Oracle Communications Policy Management | Policy (XStream) | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 12.5.0 |
CVE-2021-21783 | Oracle Communications Diameter Signaling Router | Platform (gSOAP) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0.0-8.5.0.0 |
CVE-2017-9841 | Oracle Communications Diameter Signaling Router | Signaling (PHP) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0.0-8.5.0.0 |
CVE-2021-21783 | Oracle Communications EAGLE LNP Application Processor | Patches (gSOAP) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 46.7, 46.8, 46.9 |
CVE-2020-11998 | Oracle Communications Element Manager | Work orders (Apache ActiveMQ) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.2.0.0-8.2.4.0 |
CVE-2021-21783 | Oracle Communications LSMS | Platform (gSOAP) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.1, 13.2, 13.3, 13.4 |
CVE-2020-17530 | Oracle Communications Policy Management | Enterprise Policy (Apache Struts2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.5.0 |
CVE-2020-11998 | Oracle Communications Session Report Manager | Reports (Apache ActiveMQ) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0.0-8.2.2.0 |
CVE-2020-11998 | Oracle Communications Session Route Manager | Route Manager (Apache ActiveMQ) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0.0-8.2.2.0 |
CVE-2021-21783 | Tekelec Virtual Operating Environment | Syscheck (gSOAP) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.4.0-3.7.1 |
CVE-2021-23017 | Oracle Communications Control Plane Monitor | Infrastructure (nginx) | HTTP | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | 3.4, 4.2, 4.3, 4.4 |
CVE-2021-23017 | Oracle Communications Fraud Monitor | Infrastructure (nginx) | HTTP | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | 3.4-4.4 |
CVE-2021-23017 | Oracle Communications Operations Monitor | Developer Infrastructure (nginx) | HTTP | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | 3.4, 4.2, 4.3, 4.4 |
CVE-2021-23017 | Oracle Enterprise Telephony Fraud Monitor | Policies (nginx) | HTTP | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | 3.4, 4.2, 4.3, 4.4 |
CVE-2021-22112 | Oracle Communications Element Manager | Work Orders (Spring Security) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 8.2.0.0-8.2.4.0 |
CVE-2020-10878 | Oracle Communications Diameter Signaling Router | Platform (Perl) | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | Low | High | 8.0.0.0-8.5.0.0 |
CVE-2020-10878 | Oracle Communications LSMS | Platform (Perl) | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | Low | High | 13.1-13.4 |
CVE-2020-10878 | Tekelec Platform Distribution | Platform (Perl) | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | Low | High | 7.4.0-7.7.1 |
CVE-2021-2351 | Oracle Communications Application Session Controller | Signaling (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 3.9 |
CVE-2021-2461 | Oracle Communications Interactive Session Recorder | Provision API | HTTP | Yes | 8.3 | Network | Low | None | None | Changed | Low | Low | Low | 6.4 |
CVE-2021-2351 | Oracle Communications Session Report Manager | Reports (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 8.0.0.0-8.2.5.0 |
CVE-2021-2351 | Oracle Communications Session Route Manager | Route Manager (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 8.2.0.0-8.2.5.0 |
CVE-2020-10543 | Oracle Communications EAGLE LNP Application Processor | Realtime db (Perl) | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | None | Low | High | 46.7, 46.8, 46.9 |
CVE-2020-24750 | Oracle Communications Element Manager | Security (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.2.0.0-8.2.4.0 |
CVE-2020-24750 | Oracle Communications Policy Management | Policy (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.5.0 |
CVE-2020-24750 | Oracle Communications Session Report Manager | Reports (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.0.0.0-8.2.2.1 |
CVE-2020-28052 | Oracle Communications Session Report Manager | Reports (Bouncy Castle Java Library) | HTTPS | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.0.0.0-8.2.4.0 |
CVE-2020-24750 | Oracle Communications Session Route Manager | Reports (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.2.0.0-8.2.2.1 |
CVE-2020-28052 | Oracle Communications Session Route Manager | Route Manager (Bouncy Castle Java Library) | HTTPS | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.2.0.0-8.2.4.0 |
CVE-2021-22118 | Oracle Communications Element Manager | Work Orders (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 8.2.0.0-8.2.4.0 |
CVE-2021-22118 | Oracle Communications Interactive Session Recorder | Monitor (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 6.4 |
CVE-2021-22118 | Oracle Communications Session Report Manager | Reports (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 8.0.0.0-8.2.4.0 |
CVE-2021-22118 | Oracle Communications Session Route Manager | Route Manager (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 8.0.0.0-8.2.4.0 |
CVE-2020-29661 | Tekelec Platform Distribution | Storage Management (Kernel) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 7.4.0-7.7.1 |
CVE-2021-3156 | Tekelec Platform Distribution | Storage Management (Sudo) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 7.4.0-7.7.1 |
CVE-2021-33560 | Oracle Communications Cloud Native Core Network Repository Function | Measurements (libgcrypt) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 1.14.0 |
CVE-2020-11994 | Oracle Communications Diameter Signaling Router | IDIH – Visualization (Apache Camel) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.0.0.0-8.5.0.0 |
CVE-2020-25649 | Oracle Communications Diameter Signaling Router | IDIH – Visualization (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 8.0.0.0-8.5.0.0 |
CVE-2021-36090 | Oracle Communications Element Manager | Fault Management (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.2.0.0-8.2.4.0 |
CVE-2021-30468 | Oracle Communications Element Manager | Work Orders (Apache CXF) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.2.2 |
CVE-2021-28165 | Oracle Communications Element Manager | Work Orders (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.2.2 |
CVE-2018-20034 | Oracle Communications LSMS | NPA Agent (Flexnet) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 13.1-13.4 |
CVE-2020-5258 | Oracle Communications Policy Management | Policy (dojo) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 12.5.0 |
CVE-2020-5398 | Oracle Communications Policy Management | VNF Manager (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 12.5.0 |
CVE-2021-28165 | Oracle Communications Services Gatekeeper | Messaging Service (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.0 |
CVE-2020-7226 | Oracle Communications Services Gatekeeper | Payment (Cryptacular) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.0 |
CVE-2021-22696 | Oracle Communications Session Report Manager | Reports (Apache CXF) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.0.0-8.2.4.0 |
CVE-2021-36090 | Oracle Communications Session Report Manager | Reports (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.2.0.0-8.2.5.0 |
CVE-2021-28165 | Oracle Communications Session Report Manager | Reports (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.0.0-8.2.4.0 |
CVE-2021-22696 | Oracle Communications Session Route Manager | Route Manager (Apache CXF) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.0.0-8.2.4.0 |
CVE-2021-36090 | Oracle Communications Session Route Manager | Route Manager (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.0.0-8.2.5.0 |
CVE-2021-28165 | Oracle Communications Session Route Manager | Route Manager (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.0.0-8.2.4.0 |
CVE-2021-25215 | Tekelec Platform Distribution | Storage Management (BIND) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.4.0-7.7.1 |
CVE-2019-10086 | Oracle Communications Policy Management | Policy (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 12.5.0 |
CVE-2021-23337 | Oracle Communications Cloud Native Core Policy | Signaling (Lodash) | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 1.11.0 |
CVE-2021-23337 | Oracle Communications Session Border Controller | Routing (Lodash) | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 8.4, 9.0 |
CVE-2021-23337 | Oracle Enterprise Communications Broker | Routing (Lodash) | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 3.2, 3.3 |
CVE-2021-2414 | Oracle Communications Session Border Controller | Routing | HTTP | No | 6.8 | Network | Low | High | None | Changed | High | None | None | 8.4, 9.0 |
CVE-2020-8622 | Oracle Communications Diameter Signaling Router | Provisioning (BIND) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.0.0-8.5.0.0 |
CVE-2021-30640 | Tekelec Platform Distribution | Console (Apache Tomcat) | HTTP | Yes | 6.5 | Network | High | None | None | Unchanged | Low | High | None | 7.4.0-7.7.1 |
CVE-2021-27906 | Oracle Communications Session Report Manager | Reports (Apache PDFBox) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 8.0.0.0-8.2.4.0 |
CVE-2021-29425 | Oracle Communications Application Session Controller | Signaling (Apache Commons IO) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 3.9 |
CVE-2021-29425 | Oracle Communications Converged Application Server – Service Controller | Charging (Apache Commons IO) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 6.2 |
CVE-2021-33037 | Oracle Communications Diameter Signaling Router | Platform (Apache Tomcat) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 8.0.0.0-8.5.0.0 |
CVE-2021-33037 | Oracle Communications Policy Management | MediationServer (Apache Tomcat) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 12.5.0 |
CVE-2021-29425 | Oracle Communications Session Report Manager | Reports (Apache Commons IO) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.0.0.0-8.2.5.0 |
CVE-2021-33037 | Oracle Communications Session Report Manager | Reports (Apache Tomcat) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 8.0.0.0-8.2.4.0 |
CVE-2021-29425 | Oracle Communications Session Route Manager | Route Manager (Apache Commons IO) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.0.0.0-8.2.5.0 |
CVE-2021-33037 | Oracle Communications Session Route Manager | Route Manager (Apache Tomcat) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 8.0.0.0-8.2.4.0 |
CVE-2021-2416 | Oracle Communications Session Border Controller | Routing | HTTP | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.4, 9.0 |
CVE-2020-9488 | Oracle Communications EAGLE FTP Table Base Retrieval | Logging (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 4.5 |

Additional CVEs addressed are:

  • The patch for CVE-2017-9841 also addresses CVE-2020-7069 and CVE-2021-21702.
  • The patch for CVE-2018-20034 also addresses CVE-2018-20031, CVE-2018-20032 and CVE-2018-20033.
  • The patch for CVE-2020-10543 also addresses CVE-2020-10878.
  • The patch for CVE-2020-10878 also addresses CVE-2020-10543 and CVE-2020-12723.
  • The patch for CVE-2020-11998 also addresses CVE-2020-13947 and CVE-2021-26117.
  • The patch for CVE-2020-17530 also addresses CVE-2019-0230 and CVE-2019-0233.
  • The patch for CVE-2020-24750 also addresses CVE-2020-24616, CVE-2020-25649 and CVE-2020-36189.
  • The patch for CVE-2020-25649 also addresses CVE-2020-14195, CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188 and CVE-2020-36189.
  • The patch for CVE-2020-29661 also addresses CVE-2021-20265, CVE-2021-27364 and CVE-2021-27365.
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397.
  • The patch for CVE-2020-9488 also addresses CVE-2017-5645.
  • The patch for CVE-2021-21345 also addresses CVE-2020-26217, CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351 and CVE-2021-29505.
  • The patch for CVE-2021-23337 also addresses CVE-2020-28500 and CVE-2020-8203.
  • The patch for CVE-2021-27906 also addresses CVE-2021-27807.
  • The patch for CVE-2021-28165 also addresses CVE-2020-27218, CVE-2021-28163 and CVE-2021-28164.
  • The patch for CVE-2021-30468 also addresses CVE-2021-22696.
  • The patch for CVE-2021-30640 also addresses CVE-2016-0762, CVE-2016-5018, CVE-2016-6794, CVE-2016-6796, CVE-2016-6797 and CVE-2021-33037.
  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Communications EAGLE
    • Health Check (Perl): CVE-2020-10878, CVE-2020-10543 and CVE-2020-12723.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Construction and Engineering. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the Base Score through Availability columns.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-26691 | Instantis EnterpriseTrack | Core (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 17.1, 17.2, 17.3 |
CVE-2021-2351 | Instantis EnterpriseTrack | Core (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 17.1, 17.2, 17.3 |
CVE-2021-2351 | Primavera Gateway | Admin (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 17.12.0-17.12.11, 18.8.0-18.8.12, 19.12.0-19.12.11, 20.12.0-20.12.7 |
CVE-2021-36090 | Primavera Gateway | Admin (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 17.12.0-17.12.11, 18.8.0-18.8.12, 19.12.0-19.12.11, 20.12.0-20.12.7 |
CVE-2021-36090 | Primavera Unifier | File Management (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 17.7-17.12, 18.8, 19.12, 20.12 |
CVE-2021-23337 | Primavera Gateway | Admin (Lodash) | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 17.12.0-17.12.11, 18.8.0-18.8.12, 19.12.0-19.12.11, 20.12.0-20.12.7 |
CVE-2021-23337 | Primavera Unifier | Platform, UI (Lodash) | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 17.7-17.12, 18.8, 19.12, 20.12 |
CVE-2021-36374 | Primavera Gateway | Admin (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 17.12.0-17.12.11, 18.8.0-18.8.12, 19.12.0-19.12.11, 20.12.0-20.12.7 |
CVE-2021-28657 | Primavera Unifier | Platform (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 17.7-17.12, 18.8, 19.12, 20.12 |
CVE-2021-36374 | Primavera Unifier | System Configuration (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 17.7-17.12, 18.8, 19.12, 20.12 |
CVE-2021-33037 | Instantis EnterpriseTrack | Core (Apache Tomcat) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 17.1, 17.2, 17.3 |
CVE-2021-29425 | Primavera Gateway | Admin (Apache Commons IO) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 17.12.0-17.12.11, 18.8.0-18.8.12, 19.12.0-19.12.11 |

Additional CVEs addressed are:

  • The patch for CVE-2021-23337 also addresses CVE-2020-28500 and CVE-2020-8203.
  • The patch for CVE-2021-26691 also addresses CVE-2019-17567, CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-30641 and CVE-2021-31618.
  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
  • The patch for CVE-2021-36374 also addresses CVE-2021-36373.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 18 new security patches for Oracle E-Business Suite. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2021 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2021), My Oracle Support Note 2484000.1.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the Base Score through Availability columns.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-35566 | Oracle Applications Manager | Diagnostics | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.3, 12.2.3-12.2.10 |
CVE-2021-2483 | Oracle Content Manager | Content Item Manager | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 |
CVE-2021-35536 | Oracle Deal Management | Miscellaneous | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 |
CVE-2021-35585 | Oracle Incentive Compensation | User Interface | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 |
CVE-2021-35570 | Oracle Mobile Field Service | Admin UI | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2484 | Oracle Operations Intelligence | BIS Operations Intelligence | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 |
CVE-2021-2482 | Oracle Payables | Invoice Approvals | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 |
CVE-2021-35563 | Oracle Shipping Execution | Workflow Events | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.2.6-12.2.10 |
CVE-2021-2485 | Oracle Trade Management | Quotes | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 |
CVE-2021-35562 | Oracle Universal Work Queue | Work Provider Site Level Administration | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2474 | Oracle Web Analytics | Admin | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 |
CVE-2021-35582 | Oracle Applications Manager | View Reports | HTTP | No | 6.5 | Network | Low | Low | Required | Changed | Low | Low | Low | 12.1.3, 12.2.3-12.2.10 |
CVE-2021-35580 | Oracle Applications Manager | View Reports | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.1.3, 12.2.3-12.2.10 |
CVE-2021-2477 | Oracle Applications Framework | Session Management | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 12.1.3, 12.2.3-12.2.10 |
CVE-2021-35554 | Oracle Trade Management | Quotes | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-35569 | Oracle Applications Manager | Diagnostics | HTTP | No | 4.9 | Network | Low | High | None | Unchanged | High | None | None | 12.1.3, 12.2.3-12.2.10 |
CVE-2021-35581 | Oracle Applications Manager | View Reports | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 12.1.3, 12.2.3-12.2.10 |
CVE-2021-35611 | Oracle Sales Offline | Offline Template | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 12.1.1-12.1.3, 12.2.3-12.2.10 |

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Enterprise Manager. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2021 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2021 Patch Availability Document for Oracle Products, My Oracle Support Note 2796575.1.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the Base Score through Availability columns.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-26691 | Enterprise Manager Ops Center | Networking (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.4.0.0 |
CVE-2021-2137 | Enterprise Manager Base Platform | Policy Framework | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 13.4.0.0, 13.5.0.0 |
CVE-2021-29505 | Enterprise Manager Ops Center | Guest Management (XStream) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.4.0.0 |
CVE-2021-3518 | Enterprise Manager Ops Center | Guest Management (libxml2) | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 12.4.0.0 |
CVE-2021-3518 | Oracle Real User Experience Insight | End User Experience Management (libxml2) | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 13.5.1.0, 13.4.1.0 |
CVE-2021-2351 | Oracle Real User Experience Insight | End User Experience Management (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 13.5.1.0, 13.4.1.0 |
CVE-2020-25649 | Oracle Application Testing Suite | Load Testing for Web Apps (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 13.3.0.1 |
CVE-2021-20227 | Enterprise Manager for Oracle Database | Provisioning (SQLite) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 13.4.0.0 |

Additional CVEs addressed are:

  • The patch for CVE-2020-25649 also addresses CVE-2020-24616, CVE-2020-24750, CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188 and CVE-2020-36189.
  • The patch for CVE-2021-26691 also addresses CVE-2019-17567, CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-30641 and CVE-2021-31618.
  • The patch for CVE-2021-3518 also addresses CVE-2019-20388, CVE-2020-24977, CVE-2020-7595, CVE-2021-3517 and CVE-2021-3537.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 44 new security patches for Oracle Financial Services Applications. 26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the Base Score through Availability columns.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-21345 | Oracle Banking Virtual Account Management | Common Core (XStream) | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 14.2, 14.3, 14.5 |
CVE-2020-5413 | Oracle Banking Corporate Lending Process Management | Loans (Spring Integration) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2020-5413 | Oracle Banking Credit Facilities Process Management | Credit Appraisal (Spring Integration) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2020-5413 | Oracle Banking Supply Chain Finance | Account-Maintenance (Spring Integration) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2020-5413 | Oracle Banking Virtual Account Management | Common Core (Spring Integration) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2020-10683 | Oracle FLEXCUBE Core Banking | Bills And Collections (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.7, 11.8, 11.9, 11.10 |
CVE-2021-29505 | Oracle Banking Cash Management | Accessibility (XStream) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2021-29505 | Oracle Banking Corporate Lending Process Management | Lending (XStream) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2021-29505 | Oracle Banking Credit Facilities Process Management | Credit Appraisal (XStream) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2020-15824 | Oracle Banking Extensibility Workbench | Web UI (Kotlin) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2021-29505 | Oracle Banking Supply Chain Finance | Account-Maintenance (XStream) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2021-29505 | Oracle Banking Trade Finance Process Management | Dashboard (XStream) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2020-24750 | Oracle Banking Corporate Lending Process Management | Lending (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2020-28052 | Oracle Banking Corporate Lending Process Management | Loans (Bouncy Castle Java Library) | HTTPS | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2020-24750 | Oracle Banking Credit Facilities Process Management | Credit Appraisal (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2020-28052 | Oracle Banking Credit Facilities Process Management | Credit Appraisal (Bouncy Castle Java Library) | HTTPS | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2020-28052 | Oracle Banking Extensibility Workbench | Web UI (Bouncy Castle Java Library) | HTTPS | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2020-24750 | Oracle Banking Supply Chain Finance | Invoice (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 |
CVE-2020-28052 Oracle Banking Supply Chain Finance Security (Bouncy Castle Java Library) HTTPS Yes 8.1 Network High None None Un-

changed
High High High 14.2, 14.3, 14.5
CVE-2020-28052 Oracle Banking Virtual Account Management Common Core (Bouncy Castle Java Library) HTTPS Yes 8.1 Network High None None Un-

changed
High High High 14.2, 14.3, 14.5
CVE-2020-25649 Oracle Banking Extensibility Workbench Web UI (jackson-databind) HTTP Yes 7.5 Network Low None None Un-

changed
None High None 14.2, 14.3, 14.5
CVE-2021-36090 Oracle Banking Platform Product Accounting (Apache Commons Compress) HTTP Yes 7.5 Network Low None None Un-

changed
None None High 2.6.2, 2.7.1, 2.9.0, 2.12.0
CVE-2020-25649 Oracle Banking Virtual Account Management Account (jackson-databind) HTTP Yes 7.5 Network Low None None Un-

changed
None High None 14.2, 14.3, 14.5
CVE-2021-36090 Oracle Financial Services Analytical Applications Infrastructure Rate Management (Apache Commons Compress) HTTP Yes 7.5 Network Low None None Un-

changed
None None High 8.0.6-8.1.1
CVE-2021-36090 Oracle Financial Services Enterprise Case Management Web UI (Apache Commons Compress) HTTP Yes 7.5 Network Low None None Un-

changed
None None High 8.0.7.2.0, 8.0.8.1.0
CVE-2019-0227 Oracle FLEXCUBE Core Banking Bills And Collections (Apache Axis) HTTP Yes 7.5 Adjacent

Network
High None None Un-

changed
High High High 11.7, 11.8, 11.9, 11.10
CVE-2020-8203 Oracle Banking Virtual Account Management Account (Lodash) HTTP Yes 7.4 Network High None None Un-

changed
None High High 14.2, 14.3, 14.5
CVE-2021-23337 Oracle Banking Corporate Lending Process Management Lending (Lodash) HTTP No 7.2 Network Low High None Un-

changed
High High High 14.2, 14.3, 14.5
CVE-2021-23337 Oracle Banking Credit Facilities Process Management Collateral Review (Lodash) HTTP No 7.2 Network Low High None Un-

changed
High High High 14.2, 14.3, 14.5
CVE-2021-23337 Oracle Banking Extensibility Workbench Banking (Lodash) HTTP No 7.2 Network Low High None Un-

changed
High High High 14.2, 14.3, 14.5
CVE-2021-23337 Oracle Banking Supply Chain Finance Invoice (Lodash) HTTP No 7.2 Network Low High None Un-

changed
High High High 14.2, 14.3, 14.5
CVE-2021-23337 Oracle Banking Trade Finance Process Management Dashboard (Lodash) HTTP No 7.2 Network Low High None Un-

changed
High High High 14.2, 14.3, 14.5
CVE-2020-6950 Oracle Banking Enterprise Default Management Collections (Eclipse Mojarra) HTTP Yes 6.5 Network Low None Required Un-

changed
High None None 2.10.0, 2.12.0
CVE-2020-6950 Oracle Banking Platform Investment Account (Eclipse Mojarra) HTTP Yes 6.5 Network Low None Required Un-

changed
High None None 2.6.2, 2.7.1, 2.9.0, 2.12.0
CVE-2021-26272 Oracle Financial Services Model Management and Governance Model Governance (CKEditor) HTTP Yes 6.5 Network Low None Required Un-

changed
None None High 8.0.8.0.0-8.1.0.0.0
CVE-2021-21409 Oracle Banking Corporate Lending Process Management Lending (Netty) HTTP Yes 5.9 Network High None None Un-

changed
None High None 14.2, 14.3, 14.5
CVE-2021-21409 Oracle Banking Credit Facilities Process Management Collateral Review (Netty) HTTP Yes 5.9 Network High None None Un-

changed
None High None 14.2, 14.3, 14.5
CVE-2021-21409 Oracle Banking Trade Finance Process Management Dashboard (Netty) HTTP Yes 5.9 Network High None None Un-

changed
None High None 14.2, 14.3, 14.5
CVE-2021-31812 Oracle Banking Corporate Lending Process Management Lending (Apache PDFBox) None No 5.5 Local Low None Required Un-

changed
None None High 14.2, 14.3, 14.5
CVE-2021-31812 Oracle Banking Credit Facilities Process Management Collateral Review (Apache PDFBox) None No 5.5 Local Low None Required Un-

changed
None None High 14.2, 14.3, 14.5
CVE-2021-31812 Oracle Banking Supply Chain Finance Security (Apache PDFBox) None No 5.5 Local Low None Required Un-

changed
None None High 14.2, 14.3, 14.5
CVE-2021-27906 Oracle Banking Trade Finance Process Management Dashboard (Apache PDFBox) None No 5.5 Local Low None Required Un-

changed
None None High 14.2, 14.3, 14.5
CVE-2021-27906 Oracle Banking Virtual Account Management Common Core (Apache PDFBox) None No 5.5 Local Low None Required Un-

changed
None None High 14.2, 14.3, 14.5
CVE-2021-36374 Oracle Financial Services Analytical Applications Infrastructure Publish Catalog (Apache Ant) None No 5.5 Local Low None Required Un-

changed
None None High 8.0.6-8.1.1

Additional CVEs addressed are:

  • The patch for CVE-2019-0227 also addresses CVE-2018-8032.
  • The patch for CVE-2020-24750 also addresses CVE-2020-24616.
  • The patch for CVE-2020-25649 also addresses CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188 and CVE-2020-36189.
  • The patch for CVE-2020-28052 also addresses CVE-2020-26217.
  • The patch for CVE-2021-21345 also addresses CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
  • The patch for CVE-2021-21409 also addresses CVE-2021-21290.
  • The patch for CVE-2021-23337 also addresses CVE-2020-28500 and CVE-2020-8203.
  • The patch for CVE-2021-26272 also addresses CVE-2021-26271 and CVE-2021-37695.
  • The patch for CVE-2021-27906 also addresses CVE-2019-0228 and CVE-2021-27807.
  • The patch for CVE-2021-29505 also addresses CVE-2020-26217 and CVE-2021-21345.
  • The patch for CVE-2021-31812 also addresses CVE-2021-27906 and CVE-2021-31811.
  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.
  • The patch for CVE-2021-36374 also addresses CVE-2021-36373.

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 38 new security patches for Oracle Fusion Middleware. 30 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update October 2021 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2021 Patch Availability Document for Oracle Products, My Oracle Support Note 2796575.1.

Base Score through Availability are the CVSS VERSION 3.1 RISK columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-13990 | Oracle WebCenter Sites | WebCenter Sites (Terracotta Quartz Scheduler) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2018-8088 | Oracle WebLogic Server | Web Services (slf4j-ext) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1.3.0.0 | |
| CVE-2021-35617 | Oracle WebLogic Server | Coherence Container | IIOP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-29505 | Oracle Business Activity Monitoring | General (XStream) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-29505 | Oracle WebCenter Portal | Discussion Forums (XStream) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-29505 | Oracle WebCenter Sites | WebCenter Sites (XStream) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-30468 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Apache CXF) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.5.0.0.0, 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-25649 | Oracle Data Integrator | Install, config, upgrade (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 12.2.1.4.0 | |
| CVE-2021-35572 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2021-35573 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2021-35662 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2021-35661 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2021-35574 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2021-35660 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2021-35659 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2021-35658 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2021-35657 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2021-35656 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2020-5258 | Oracle WebCenter Sites | WebCenter Sites (dojo) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-7226 | Oracle WebLogic Server | Core (Cryptacular) | SAML | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-35620 | Oracle WebLogic Server | Core | T3 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2018-20843 | Oracle HTTP Server | SSL Module (LibExpat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-26272 | Oracle WebCenter Sites | WebCenter Sites (CKEditor) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-11022 | Oracle WebLogic Server | Web Services (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-23841 | Oracle Business Intelligence Enterprise Edition | Analytics Server (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 5.5.0.0.0, 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-35666 | Oracle HTTP Server | OSSL Module | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.1.1.9.0 | |
| CVE-2020-1971 | Oracle HTTP Server | SSL Module (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 12.2.1.4.0 | |
| CVE-2018-10237 | Oracle WebLogic Server | Web Services (Google Guava) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 12.1.3.0.0 | |
| CVE-2021-36374 | Oracle Enterprise Repository | Security Subsystem – 12c (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.1.1.7.0 | |
| CVE-2021-36374 | Oracle Real-Time Decision Server | Platform Installation (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 3.2.0.0, 11.1.1.9.0 | |
| CVE-2021-27906 | Oracle WebCenter Sites | WebCenter Sites (Apache PDFBox) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2019-12415 | Oracle WebCenter Sites | WebCenter Sites (Apache POI) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2019-12400 | Oracle WebLogic Server | Web Services (Apache Santuario XML Security For Java) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | High | None | 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-29425 | Oracle GoldenGate Application Adapters | Application Adapters (Apache Commons IO) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 19.1.0.0.0 | |
| CVE-2021-29425 | Oracle Real-Time Decision Server | Decision Server (Apache Commons IO) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 3.2.0.0 | |
| CVE-2021-29425 | Oracle WebLogic Server | Console (Apache Commons IO) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-35552 | Oracle WebLogic Server | Diagnostics | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-2480 | Oracle HTTP Server | Web Listener | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | 11.1.1.9.0 | |

Notes:

  1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS Base Score depend on the software that uses Outside In Technology. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are:

  • The patch for CVE-2018-20843 also addresses CVE-2019-10082.
  • The patch for CVE-2019-13990 also addresses CVE-2019-5427.
  • The patch for CVE-2020-11022 also addresses CVE-2019-11358 and CVE-2020-11023.
  • The patch for CVE-2021-23841 also addresses CVE-2020-1971, CVE-2021-23839 and CVE-2021-23840.
  • The patch for CVE-2021-26272 also addresses CVE-2021-26271.
  • The patch for CVE-2021-27906 also addresses CVE-2021-27807.
  • The patch for CVE-2021-30468 also addresses CVE-2020-13954 and CVE-2021-22696.
  • The patch for CVE-2021-36374 also addresses CVE-2017-5645, CVE-2020-11979 and CVE-2021-36373.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Health Sciences Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS VERSION 3.1 RISK columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-17195 | Oracle Healthcare Data Repository | Install Utility (Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1.0 | |
| CVE-2021-22118 | Oracle Healthcare Data Repository | Service Framework (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 8.1.0 | |
| CVE-2020-11022 | Oracle Health Sciences Central Coding | UI (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 6.2.0, 6.3.0 | |
| CVE-2020-11023 | Oracle Health Sciences InForm | UI (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 6.3.0 | |
| CVE-2020-17521 | Oracle Healthcare Data Repository | Install Utility (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 7.0.2 | |
| CVE-2021-28657 | Oracle Healthcare Foundation | Security (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 7.3, 8.0, 8.1 | |

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Hospitality Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS VERSION 3.1 RISK columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-11022 | Oracle Hospitality Cruise Shipboard Property Management System | Next-Gen SPMS (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 20.1.0 | |

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Hyperion. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS VERSION 3.1 RISK columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-35665 | Hyperion Financial Reporting | Repository | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.2.6.0 | |
| CVE-2019-11358 | Hyperion Planning | Hyperion Planning (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.1.2.4, 11.2.6.0 | |
| CVE-2021-27906 | Hyperion Financial Reporting | Server Components (Apache PDFBox) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.1.2.4, 11.2.6.0 | |
| CVE-2021-29425 | Hyperion Financial Management | Security (Apache Commons IO) | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.1.2.4, 11.2.6.0 | |
| CVE-2019-7317 | Hyperion Infrastructure Technology | Installation and Configuration (libpng) | HTTP | Yes | 5.3 | Network | High | None | Required | Unchanged | None | None | High | 11.2.6.0 | |
| CVE-2020-27218 | Hyperion Infrastructure Technology | Installation and Configuration (Eclipse Jetty) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | None | Low | Low | 11.2.6.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2019-7317 also addresses CVE-2018-14550.
  • The patch for CVE-2021-27906 also addresses CVE-2021-27807.

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 16 new security patches for Oracle Insurance Applications. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS VERSION 3.1 RISK columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-1000031 | Oracle Documaker | Development tools (Apache Commons FileUpload) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.6.0 – 12.6.4 | |
| CVE-2019-13990 | Oracle Documaker | Development tools (Terracotta Quartz Scheduler) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.6.0 – 12.6.4 | |
| CVE-2020-10683 | Oracle Documaker | Development tools (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.6.0 – 12.6.4 | |
| CVE-2019-17195 | Oracle Insurance Policy Administration | Architecture (Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.0.0 – 11.3.1 | |
| CVE-2020-11987 | Oracle Insurance Policy Administration | Architecture (Apache Batik) | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | High | Low | None | 11.0.0 – 11.3.1 | |
| CVE-2020-36189 | Oracle Documaker | Development tools (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.6.3, 12.6.4 | |
| CVE-2021-22118 | Oracle Documaker | Development tools (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 12.6.0 – 12.6.4 | |
| CVE-2021-22118 | Oracle Insurance Policy Administration | Architecture (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 11.0.0 – 11.3.1 | |
| CVE-2020-5258 | Oracle Documaker | Development tools (dojo) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 12.6.0 – 12.6.4 | |
| CVE-2020-5398 | Oracle Insurance Calculation Engine | Architecture (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.0.0 – 11.3.1 | |
| CVE-2019-10086 | Oracle Documaker | Development tools (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 12.6.0 – 12.6.4 | |
| CVE-2019-10086 | Oracle Insurance Policy Administration | Architecture (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.0.0 – 11.3.1 | |
| CVE-2021-36374 | Oracle Insurance Policy Administration | Architecture (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.0.0 – 11.3.1 | |
| CVE-2020-17521 | Oracle Insurance Policy Administration | Architecture (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 11.0.0 – 11.3.1 | |
| CVE-2021-37695 | Oracle Documaker | Development tools (CKEditor) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 12.6.3, 12.6.4 | |
| CVE-2021-29425 | Oracle Documaker | Development tools (Apache Commons IO) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.6.0 – 12.6.4 | |

Additional CVEs addressed are:

  • The patch for CVE-2019-13990 also addresses CVE-2019-5427.
  • The patch for CVE-2020-36189 also addresses CVE-2020-25649, CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187 and CVE-2020-36188.
  • The patch for CVE-2020-5398 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-1258, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272, CVE-2018-1275, CVE-2018-15756 and CVE-2020-5397.
  • The patch for CVE-2021-36374 also addresses CVE-2021-36373.
  • The patch for CVE-2021-37695 also addresses CVE-2021-32808 and CVE-2021-32809.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 15 new security patches for Oracle Java SE. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS VERSION 3.1 RISK columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-3517 | Java SE | JavaFX (libxml) | Multiple | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | Low | High | Java SE: 8u301 | See Note 1 |
| CVE-2021-35560 | Java SE | Deployment | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | Java SE: 8u301 | See Note 1 |
| CVE-2021-27290 | Oracle GraalVM Enterprise Edition | Node (Node.js) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Oracle GraalVM Enterprise Edition: 20.3.3, 21.2.0 | |
| CVE-2021-35567 | Java SE, Oracle GraalVM Enterprise Edition | Libraries | Kerberos | No | 6.8 | Network | Low | Low | Required | Changed | High | None | None | Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3, 21.2.0 | See Note 2 |
| CVE-2021-35550 | Java SE, Oracle GraalVM Enterprise Edition | JSSE | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3, 21.2.0 | See Note 2 |
| CVE-2021-3522 | Java SE | JavaFX (GStreamer) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | Java SE: 8u301 | See Note 1 |
| CVE-2021-35586 | Java SE, Oracle GraalVM Enterprise Edition | ImageIO | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3, 21.2.0 | See Note 2 |
| CVE-2021-35564 | Java SE, Oracle GraalVM Enterprise Edition | Keytool | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3, 21.2.0 | See Note 2 |
| CVE-2021-35556 | Java SE, Oracle GraalVM Enterprise Edition | Swing | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3, 21.2.0 | See Note 1 |
| CVE-2021-35559 | Java SE, Oracle GraalVM Enterprise Edition | Swing | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3, 21.2.0 | See Note 2 |
| CVE-2021-35561 | Java SE, Oracle GraalVM Enterprise Edition | Utility | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3, 21.2.0 | See Note 2 |
| CVE-2021-35565 | Java SE, Oracle GraalVM Enterprise Edition | JSSE | TLS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3, 21.2.0 | See Note 3 |
| CVE-2021-35578 | Java SE, Oracle GraalVM Enterprise Edition | JSSE | TLS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3, 21.2.0 | See Note 3 |
| CVE-2021-35603 | Java SE, Oracle GraalVM Enterprise Edition | JSSE | TLS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3, 21.2.0 | See Note 2 |
| CVE-2021-35588 | Java SE, Oracle GraalVM Enterprise Edition | Hotspot | Multiple | Yes | 3.1 | Network | High | None | Required | Unchanged | None | None | Low | Java SE: 7u311, 8u301; Oracle GraalVM Enterprise Edition: 20.3.3, 21.2.0 | See Note 2 |

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
  3. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Additional CVEs addressed are:

  • The patch for CVE-2021-27290 also addresses CVE-2019-16775, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940, CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2021-39134 and CVE-2021-39135.
  • The patch for CVE-2021-3517 also addresses CVE-2021-3537.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle JD Edwards. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS VERSION 3.1 RISK columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-22884 | JD Edwards EnterpriseOne Tools | E1 Dev Platform Tech (Node.js) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | Prior to 9.2.6.0 | |
| CVE-2020-25648 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure (NSS) | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 9.2.6.0 | |
| CVE-2020-8203 | JD Edwards EnterpriseOne Tools | E1 Dev Platform Tech (Lodash) | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | None | High | High | Prior to 9.2.6.0 | |
| CVE-2021-3450 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure (OpenSSL) | TLS | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | Prior to 9.2.6.0 | |
| CVE-2021-3450 | JD Edwards World Security | World Software Security (OpenSSL) | TLS | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | A9.4 | |
| CVE-2020-27216 | JD Edwards EnterpriseOne Tools | Installation (Eclipse Jetty) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | Prior to 9.2.6.0 | |
| CVE-2021-26272 | JD Edwards EnterpriseOne Tools | Web Runtime (CKEditor) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | Prior to 9.2.6.0 | |
| CVE-2020-17521 | JD Edwards EnterpriseOne Orchestrator | E1 IOT Orchestrator (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | Prior to 9.2.6.0 | |
| CVE-2021-20227 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure (SQLite) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | Prior to 9.2.6.0 | |
| CVE-2020-13956 | JD Edwards EnterpriseOne Orchestrator | E1 IOT Orchestrator (Apache HttpClient) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Prior to 9.2.6.0 | |
| CVE-2020-13956 | JD Edwards EnterpriseOne Tools | Monitoring and Diagnostics (Apache HttpClient) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Prior to 9.2.6.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2021-22884 also addresses CVE-2020-8277, CVE-2021-22883 and CVE-2021-23840.
  • The patch for CVE-2021-26272 also addresses CVE-2020-27193, CVE-2021-26271, CVE-2021-32808, CVE-2021-32809 and CVE-2021-37695.
  • The patch for CVE-2021-3450 also addresses CVE-2021-23839, CVE-2021-23840, CVE-2021-23841 and CVE-2021-3449.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 66 new security patches for Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product and Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-22931 | MySQL Cluster Cluster: General (Node.js) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.26 and prior | |
| CVE-2021-3711 | MySQL Server Server: Packaging (OpenSSL) | MySQL Protocol | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 5.7.35 and prior, 8.0.26 and prior | |
| CVE-2021-22112 | MySQL Enterprise Monitor Monitoring: General (Spring Security) | HTTPS | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 8.0.25 and prior | |
| CVE-2021-3518 | MySQL Workbench MySQL Workbench (libxml2) | MySQL Workbench | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 8.0.26 and prior | |
| CVE-2021-22118 | MySQL Enterprise Monitor Monitoring: General (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 8.0.25 and prior | |
| CVE-2021-22926 | MySQL Server Server: Compiling (cURL) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.7.35 and prior, 8.0.26 and prior | |
| CVE-2021-36222 | MySQL Server Server: Compiling (Kerberos) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35583 | MySQL Server Server: Windows | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.25 and prior | |
| CVE-2021-3712 | MySQL Workbench MySQL Workbench (OpenSSL) | MySQL Workbench | Yes | 7.4 | Network | High | None | None | Unchanged | High | None | High | 8.0.26 and prior | |
| CVE-2021-35610 | MySQL Server Server: Optimizer | MySQL Protocol | No | 7.1 | Network | Low | Low | None | Unchanged | None | Low | High | 8.0.26 and prior | |
| CVE-2021-3712 | MySQL Enterprise Monitor Monitoring: General (OpenSSL) | None | No | 6.7 | Local | High | None | None | Unchanged | High | None | High | 8.0.25 and prior | |
| CVE-2021-35597 | MySQL Client C API | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35607 | MySQL Server Server: DML | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-2481 | MySQL Server Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35590 | MySQL Cluster Cluster: General | Multiple | No | 6.3 | Adjacent Network | High | High | Required | Unchanged | High | High | High | 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior, 8.0.26 and prior | |
| CVE-2021-35592 | MySQL Cluster Cluster: General | Multiple | No | 6.3 | Adjacent Network | High | High | Required | Unchanged | High | High | High | 7.5.23 and prior, 7.6.19 and prior, 8.0.26 and prior | |
| CVE-2021-35593 | MySQL Cluster Cluster: General | Multiple | No | 6.3 | Adjacent Network | High | High | Required | Unchanged | High | High | High | 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior, 8.0.26 and prior | |
| CVE-2021-35594 | MySQL Cluster Cluster: General | Multiple | No | 6.3 | Adjacent Network | High | High | Required | Unchanged | High | High | High | 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior, 8.0.26 and prior | |
| CVE-2021-35598 | MySQL Cluster Cluster: General | Multiple | No | 6.3 | Adjacent Network | High | High | Required | Unchanged | High | High | High | 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior, 8.0.26 and prior | |
| CVE-2021-35621 | MySQL Cluster Cluster: General | Multiple | No | 6.3 | Adjacent Network | High | High | Required | Unchanged | High | High | High | 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior, 8.0.26 and prior | |
| CVE-2021-2471 | MySQL Connectors Connector/J | MySQL Protocol | No | 5.9 | Network | High | High | None | Unchanged | High | None | High | 8.0.26 and prior | |
| CVE-2021-35604 | MySQL Server InnoDB | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 5.7.35 and prior, 8.0.26 and prior | |
| CVE-2021-35612 | MySQL Server Server: Optimizer | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.26 and prior | |
| CVE-2021-20227 | MySQL Workbench MySQL Workbench (SQLite) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-33037 | MySQL Enterprise Monitor Monitoring: General (Apache Tomcat) | Apache JServ Protocol (AJP) | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 8.0.25 and prior | |
| CVE-2021-29425 | MySQL Enterprise Monitor Monitoring: General (Apache Commons IO) | HTTPS | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.0.25 and prior | |
| CVE-2021-35608 | MySQL Server Server: Group Replication Plugin | MySQL Protocol | No | 5.3 | Network | High | Low | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35602 | MySQL Server Server: Options | MySQL Protocol | No | 5.0 | Network | High | High | None | Unchanged | None | Low | High | 8.0.26 and prior | |
| CVE-2021-35577 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-2478 | MySQL Server Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-2479 | MySQL Server Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35537 | MySQL Server Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior | |
| CVE-2021-35591 | MySQL Server Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35596 | MySQL Server Server: Error Handling | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35648 | MySQL Server Server: FTS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35631 | MySQL Server Server: GIS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35626 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35627 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35628 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35629 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior | |
| CVE-2021-35575 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35634 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35635 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35636 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35638 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35641 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35642 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35643 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35644 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35645 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35646 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35647 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35630 | MySQL Server Server: Options | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | High | None | 8.0.26 and prior | |
| CVE-2021-35637 | MySQL Server Server: PS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35546 | MySQL Server Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35622 | MySQL Server Server: Security: Encryption | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35624 | MySQL Server Server: Security: Privileges | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | High | None | 5.7.35 and prior, 8.0.26 and prior | |
| CVE-2021-35639 | MySQL Server Server: Stored Procedure | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35632 | MySQL Server Server: Data Dictionary | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | 8.0.26 and prior | |
| CVE-2021-35584 | MySQL Cluster Cluster: ndbcluster/plugin DDL | Multiple | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 8.0.26 and prior | |
| CVE-2021-35613 | MySQL Cluster Cluster: General | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 8.0.26 and prior | |
| CVE-2021-35640 | MySQL Server Server: DDL | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | None | Low | None | 8.0.26 and prior | |
| CVE-2021-35633 | MySQL Server Server: Logging | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | None | None | Low | 8.0.26 and prior | |
| CVE-2021-35625 | MySQL Server Server: Security: Privileges | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 8.0.26 and prior | |
| CVE-2021-35623 | MySQL Server Server: Security: Roles | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 8.0.26 and prior | |
| CVE-2021-35618 | MySQL Cluster Cluster: General | Multiple | No | 1.8 | Adjacent Network | High | High | Required | Unchanged | None | None | Low | 8.0.26 and prior | |

Additional CVEs addressed are:

  • The patch for CVE-2021-22926 also addresses CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22945, CVE-2021-22946 and CVE-2021-22947.
  • The patch for CVE-2021-22931 also addresses CVE-2021-22939 and CVE-2021-22940.
  • The patch for CVE-2021-3518 also addresses CVE-2019-20388, CVE-2020-24977, CVE-2020-7595, CVE-2021-3517 and CVE-2021-3537.
  • The patch for CVE-2021-3711 also addresses CVE-2021-3712.
  • The patch for CVE-2021-3712 also addresses CVE-2021-3711.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 17 new security patches for Oracle PeopleSoft. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product and Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-23926 | PeopleSoft Enterprise PeopleTools nVision (XMLBeans) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 8.57, 8.58, 8.59 | |
| CVE-2021-35543 | PeopleSoft Enterprise CC Common Application Objects Activity Guide Composer | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 9.2 | |
| CVE-2021-36090 | PeopleSoft Enterprise PeopleTools Cloud Manager (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.57, 8.58, 8.59 | |
| CVE-2020-1967 | PeopleSoft Enterprise PeopleTools DPK (OpenSSL) | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.57, 8.58, 8.59 | |
| CVE-2021-35609 | PeopleSoft Enterprise PeopleTools SQR | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.57, 8.58, 8.59 | |
| CVE-2021-28363 | PeopleSoft Enterprise PeopleTools Porting (urllib3) | HTTPS | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 8.59 | |
| CVE-2021-35595 | PeopleSoft Enterprise PeopleTools Business Interlink | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.57, 8.58, 8.59 | |
| CVE-2021-35568 | PeopleSoft Enterprise PeopleTools Rich Text Editor | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.57, 8.58, 8.59 | |
| CVE-2021-35606 | PeopleSoft Enterprise CS Campus Community Notification Framework | HTTP | No | 5.7 | Adjacent Network | Low | Low | None | Unchanged | High | None | None | 9.0, 9.2 | |
| CVE-2021-35601 | PeopleSoft Enterprise CS SA Integration Pack Students Administration | HTTP | No | 5.7 | Adjacent Network | Low | Low | None | Unchanged | High | None | None | 9.0, 9.2 | |
| CVE-2021-27906 | PeopleSoft Enterprise PeopleTools Elastic Search (Apache PDFBox) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 8.58, 8.59 | |
| CVE-2019-12415 | PeopleSoft Enterprise PeopleTools nVision (Apache POI) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 8.57, 8.58, 8.59 | |
| CVE-2021-35571 | PeopleSoft Enterprise CS Academic Advisement Advising Notes | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 9.2 | |
| CVE-2021-35553 | PeopleSoft Enterprise CS Student Records Class Search | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.2 | |
| CVE-2021-35541 | PeopleSoft Enterprise SCM Supplier Portal | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.2 | |
| CVE-2021-29425 | PeopleSoft Enterprise PeopleTools Updates Change Assistant (Apache Commons IO) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.57, 8.58 | |
| CVE-2020-13956 | PeopleSoft Enterprise PeopleTools Updates Change Assistant (Apache HttpClient) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 8.57, 8.58 | |

Additional CVEs addressed are:

  • The patch for CVE-2021-27906 also addresses CVE-2021-27807.
  • The patch for CVE-2021-36090 also addresses CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 26 new security patches for Oracle Retail Applications. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product and Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-2351 | Oracle Retail Store Inventory Management SIM Integration (JDBC) | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 14.1, 15.0, 16.0 | |
| CVE-2021-22118 | Oracle Retail Assortment Planning Plan (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 16.0 | |
| CVE-2021-22118 | Oracle Retail Merchandising System Foundation (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 19.0.1 | |
| CVE-2021-22118 | Oracle Retail Predictive Application Server RPAS Fusion Client (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 14.1.3, 15.0.3, 16.0.3 | |
| CVE-2020-25649 | Oracle Retail Customer Management and Segmentation Foundation Segment (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.0-19.0 | |
| CVE-2020-25649 | Oracle Retail Merchandising System Foundation (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 15.0.3 | |
| CVE-2020-6950 | Oracle Retail Merchandising System Foundation (Eclipse Mojarra) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 19.0.1 | |
| CVE-2020-1945 | Oracle Retail Returns Management Return Tickets (Apache Ant) | None | No | 6.3 | Local | High | Low | None | Unchanged | High | High | None | 14.0, 14.1 | |
| CVE-2021-35043 | Oracle Retail Back Office Employee (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0, 14.1 | |
| CVE-2021-35043 | Oracle Retail Central Office Transaction Tracker (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0, 14.1 | |
| CVE-2021-35043 | Oracle Retail Returns Management Policy Evaluation (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0, 14.1 | |
| CVE-2021-36374 | Oracle Retail Advanced Inventory Planning Operations & Maintenance (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 14.1, 15.0, 16.0 | |
| CVE-2021-36374 | Oracle Retail Back Office Employee (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 14.0, 14.1 | |
| CVE-2021-36374 | Oracle Retail Bulk Data Integration BDI Job Scheduler (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 16.0.3, 19.0.1 | |
| CVE-2021-36374 | Oracle Retail Central Office Transaction Tracker (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 14.0, 14.1 | |
| CVE-2021-36374 | Oracle Retail Extract Transform and Load Mathematical Operators (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 13.2.8 | |
| CVE-2021-36374 | Oracle Retail Financial Integration EBS Integration Bugs (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 14.1.3.2, 15.0.4.0, 16.0.3.0 | |
| CVE-2021-36374 | Oracle Retail Integration Bus RIB Kernel (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 14.1.3.2, 15.0.4.0, 16.0.3.0, 19.0.1.0 | |
| CVE-2021-36374 | Oracle Retail Merchandising System Foundation (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 19.0.1 | |
| CVE-2021-36374 | Oracle Retail Point-of-Service Pricing (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 14.0, 14.1 | |
| CVE-2021-36374 | Oracle Retail Predictive Application Server RPAS Server (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 14.1.3, 15.0.3, 16.0.3 | |
| CVE-2021-36374 | Oracle Retail Service Backbone RSB Installation (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 14.1.3.2, 15.0.4.0, 16.0.3.0, 19.0.1.0 | |
| CVE-2021-36374 | Oracle Retail Store Inventory Management SIM Integration (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 14.1, 15.0, 16.0 | |
| CVE-2021-29425 | Oracle Retail Customer Management and Segmentation Foundation Segment (Apache Commons IO) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 16.0-19.0 | |
| CVE-2020-13956 | Oracle Retail Customer Management and Segmentation Foundation Segment (Apache HttpClient) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 16.0-19.0 | |
| CVE-2020-8908 | Oracle Retail Customer Management and Segmentation Foundation Segment (Google Guava) | None | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | 16.0-19.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-25649 also addresses CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188 and CVE-2020-36189.
  • The patch for CVE-2021-36374 also addresses CVE-2020-1945 and CVE-2021-36373.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Siebel CRM. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product and Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-28165 | Siebel Core – Automation Test Automation (Eclipse Jetty) | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.9 and prior | |
| CVE-2021-25122 | Siebel UI Framework EAI (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 21.9 and prior | |
| CVE-2016-2183 | Siebel UI Framework EAI, SWSE (OpenSSL) | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 21.9 and prior | |
| CVE-2020-9484 | Siebel Apps – Marketing Marketing (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 21.9 and prior | |
| CVE-2021-26272 | Siebel UI Framework Open UI (CKEditor) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 21.9 and prior | |
| CVE-2020-9488 | Siebel Apps – Marketing Marketing (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 21.9 and prior | |

Additional CVEs addressed are:

  • The patch for CVE-2021-26272 also addresses CVE-2021-26271.
  • The patch for CVE-2021-28165 also addresses CVE-2021-28163 and CVE-2021-28164.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Supply Chain. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product and Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-28165 | Oracle Autovue for Agile Product Lifecycle Management Autovue Viewer Integration (Eclipse Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.0.2 | |
| CVE-2020-25649 | Oracle Autovue for Agile Product Lifecycle Management Autovue Viewer Integration (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 21.0.2 | |
| CVE-2020-17521 | Oracle Agile PLM Security (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 9.3.3, 9.3.6 | |
| CVE-2021-35616 | Oracle Transportation Management UI Infrastructure | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 6.4.3 | |
| CVE-2021-2476 | Oracle Transportation Management Authentication | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 6.4.3 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-25649 also addresses CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-14195, CVE-2020-24616, CVE-2020-24750, CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188, CVE-2020-36189, CVE-2020-9546, CVE-2020-9547 and CVE-2020-9548.
  • The patch for CVE-2021-28165 also addresses CVE-2021-28163 and CVE-2021-28164.

Oracle Systems Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Systems. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product and Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-26691 | Oracle ZFS Storage Appliance Kit Operating System Image | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.8 | |
| CVE-2021-35539 | Oracle Solaris Filesystem | None | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | 11 | |
| CVE-2021-35589 | Oracle Solaris Device drivers | None | No | 6.0 | Local | Low | High | None | Changed | None | None | High | 11 | |
| CVE-2021-35549 | Oracle Solaris Utility | None | No | 3.9 | Local | Low | Low | Required | Unchanged | None | Low | Low | 11 | |
| CVE-2020-1968 | Oracle Ethernet Switch ES2-64, Oracle Ethernet Switch ES2-72 Firmware (OpenSSL) | HTTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 2.0.0.14 | |

Additional CVEs addressed are:

  • The patch for CVE-2021-26691 also addresses CVE-2019-17567, CVE-2020-13950, CVE-2020-26116, CVE-2020-26137, CVE-2020-35452, CVE-2021-20227, CVE-2021-22207, CVE-2021-22222, CVE-2021-26690, CVE-2021-28957, CVE-2021-29921, CVE-2021-30641, CVE-2021-31618, CVE-2021-33503, CVE-2021-3426, CVE-2021-3520, CVE-2021-36222, CVE-2021-3711 and CVE-2021-3712.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Utilities Applications. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product and Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-36374 | Oracle Utilities Framework General (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 – 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2021-36374 also addresses CVE-2021-36373.

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Virtualization. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk metrics (see Risk Matrix Definitions).

| CVE# | Product and Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-35538 | Oracle VM VirtualBox Core | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | Prior to 6.1.28 | See Note 1 |
| CVE-2021-35545 | Oracle VM VirtualBox Core | None | No | 6.7 | Local | Low | High | None | Changed | Low | None | High | Prior to 6.1.28 | |
| CVE-2021-35540 | Oracle VM VirtualBox Core | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | Prior to 6.1.28 | |
| CVE-2021-35649 | Oracle Secure Global Desktop Server | Multiple | No | 5.4 | Network | Low | Low | None | Unchanged | Low | None | Low | 5.6 | |
| CVE-2021-33037 | Oracle Secure Global Desktop Core (Apache Tomcat) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 5.6 | |
| CVE-2021-35650 | Oracle Secure Global Desktop Client | Multiple | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | None | Low | 5.6 | |
| CVE-2021-35542 | Oracle VM VirtualBox Core | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | Prior to 6.1.28 | |
| CVE-2021-2475 | Oracle VM VirtualBox Core | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | Prior to 6.1.28 | |

Notes:

  1. This vulnerability does not apply to Windows systems.

Oracle Critical Patch Update Advisory – July 2021

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 342 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at July 2021 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions Patch Availability Document
Big Data Spatial and Graph, versions prior to 2.0, prior to 23.1 Database
Enterprise Manager Base Platform, version 13.4.0.0 Enterprise Manager
Essbase, version 21.2 Database
Essbase Analytic Provider Services, versions 11.1.2.4, 21.2 Database
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2400, prior to XCP3100 Systems
Hyperion Essbase Administration Services, versions 11.1.2.4, 21.2 Database
Hyperion Financial Reporting, versions 11.1.2.4, 11.2.5.0 Fusion Middleware
Hyperion Infrastructure Technology, versions 11.1.2.4, 11.2.5.0 Fusion Middleware
Identity Manager, versions 11.1.2.2.0, 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Orchestrator, versions 9.2.5.3 and prior JD Edwards
JD Edwards EnterpriseOne Tools, versions 9.2.5.3 and prior JD Edwards
MICROS Compact Workstation 3, version 310 MICROS Compact Workstation
MICROS ES400 Series, versions 400-410 MICROS ES400 Series
MICROS Kitchen Display System Hardware, version 210 MICROS Kitchen Display System Hardware
MICROS Workstation 5A, version 5A MICROS Workstation 5A
MICROS Workstation 6, versions 610-655 MICROS Workstation
MySQL Cluster, versions 8.0.25 and prior MySQL
MySQL Connectors, versions 8.0.23 and prior MySQL
MySQL Enterprise Monitor, versions 8.0.23 and prior MySQL
MySQL Server, versions 5.7.34 and prior, 8.0.25 and prior MySQL
Oracle Access Manager, version 11.1.2.3.0 Fusion Middleware
Oracle Agile Engineering Data Management, version 6.2.1.0 Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6 Oracle Supply Chain Products
Oracle Application Express, versions prior to 21.1.0.0.4 Database
Oracle Application Express (CKEditor), versions prior to 21.1.0.0.1 Database
Affected Products and Versions | Patch Availability Document
Oracle Application Express Application Builder (DOMPurify), versions prior to 21.1.0.0.1 | Database
Oracle Application Testing Suite, version 13.3.0.1 | Enterprise Manager
Oracle BAM (Business Activity Monitoring), versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Banking Enterprise Default Management, versions 2.10.0, 2.12.0 | Oracle Banking Platform
Oracle Banking Liquidity Management, versions 14.2, 14.3, 14.5 | Contact Support
Oracle Banking Party Management, version 2.7.0 | Oracle Banking Platform
Oracle Banking Platform, versions 2.4.0, 2.7.1, 2.9.0, 2.12.0 | Oracle Banking Platform
Oracle Banking Treasury Management, version 14.4 | Contact Support
Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Business Intelligence Enterprise Edition, version 12.2.1.4.0 | Fusion Middleware
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle Commerce Guided Search, version 11.3.2 | Oracle Commerce
Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 11.3.1.5, 11.3.2 | Oracle Commerce
Oracle Commerce Merchandising, versions 11.1.0, 11.2.0, 11.3.0-11.3.2 | Oracle Commerce
Oracle Commerce Platform, versions 11.0.0, 11.1.0, 11.2.0, 11.3.0-11.3.2 | Oracle Commerce
Oracle Commerce Service Center, versions 11.0.0, 11.1.0, 11.2.0, 11.3.0-11.3.2 | Oracle Commerce
Oracle Communications Application Session Controller, version 3.9 | Oracle Communications Application Session Controller
Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.3.0 | Oracle Communications Billing and Revenue Management
Oracle Communications BRM – Elastic Charging Engine, versions 11.3.0.9.0, 12.0.0.3.0 | Oracle Communications BRM – Elastic Charging Engine
Oracle Communications Cloud Native Core Console, version 1.4.0 | Communications Cloud Native Core Console
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 1.4.0, 1.7.0 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Oracle Communications Cloud Native Core Network Slice Selection Function, version 1.2.1 | Communications Cloud Native Core Network Slice Selection Function
Oracle Communications Cloud Native Core Policy, versions 1.5.0, 1.9.0 | Communications Cloud Native Core Policy
Oracle Communications Cloud Native Core Security Edge Protection Proxy, version 1.7.0 | Communications Cloud Native Core Security Edge Protection Proxy
Oracle Communications Cloud Native Core Service Communication Proxy, version 1.5.2 | Communications Cloud Native Core Service Communication Proxy
Oracle Communications Cloud Native Core Unified Data Repository, versions 1.4.0, 1.6.0 | Communications Cloud Native Core Unified Data Repository
Oracle Communications Convergent Charging Controller, version 12.0.4.0.0 | Oracle Communications Convergent Charging Controller
Oracle Communications Design Studio, version 7.4.2 | Oracle Communications Design Studio
Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0-8.5.0 | Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE Software, versions 46.6.0-46.8.2 | Oracle Communications EAGLE
Oracle Communications Evolved Communications Application Server, version 7.1 | Oracle Communications Evolved Communications Application Server
Oracle Communications Instant Messaging Server, version 10.0.1.4.0 | Oracle Communications Instant Messaging Server
Oracle Communications Network Charging and Control, versions 6.0.1.0, 12.0.1.0-12.0.4.0, 12.0.4.0.0 | Oracle Communications Network Charging and Control
Oracle Communications Offline Mediation Controller, version 12.0.0.3.0 | Oracle Communications Offline Mediation Controller
Oracle Communications Pricing Design Center, version 12.0.0.3.0 | Oracle Communications Pricing Design Center
Oracle Communications Services Gatekeeper, version 7.0 | Oracle Communications Services Gatekeeper
Oracle Communications Unified Inventory Management, versions 7.3.2, 7.3.4, 7.3.5, 7.4.0, 7.4.1 | Oracle Communications Unified Inventory Management
Oracle Configuration Manager, version 12.1.2.0.8 | Enterprise Manager
Oracle Data Integrator, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 19c | Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10 | Oracle E-Business Suite
Oracle Enterprise Data Quality, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Enterprise Repository, version 11.1.1.7.0 | Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.0.9, 8.1.0, 8.1.1 | Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Crime and Compliance Investigation Hub, version 20.1.2 | Oracle Financial Services Crime and Compliance Investigation Hub
Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.0.9.6.3 | Oracle Financial Services Regulatory Reporting with AgileREPORTER
Oracle Financial Services Revenue Management and Billing Analytics, versions 2.7.0, 2.8.0 | Oracle Financial Services Revenue Management and Billing Analytics
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0 | Contact Support
Oracle FLEXCUBE Universal Banking, versions 12.0-12.4, 14.0-14.4.0 | Contact Support
Oracle Fusion Middleware MapViewer, version 12.2.1.4.0 | Fusion Middleware
Oracle GoldenGate Application Adapters, version 19.1.0.0.0 | Fusion Middleware
Oracle GraalVM Enterprise Edition, versions 20.3.2, 21.1.0 | Java SE
Oracle Hospitality Reporting and Analytics, version 9.1.0 | Oracle Hospitality Reporting and Analytics
Oracle Hospitality Suite8, versions 8.13, 8.14 | MICROS BellaVita
Oracle Hyperion BI+, versions 11.1.2.4, 11.2.5.0 | Fusion Middleware
Oracle Insurance Policy Administration, versions 11.0.2, 11.1.0-11.3.0 | Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, version 11.0.2 | Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 11.0.2, 11.1.0-11.3.0 | Oracle Insurance Applications
Oracle Java SE, versions 7u301, 8u291, 11.0.11, 16.0.1 | Java SE
Oracle JDeveloper, version 12.2.1.4.0 | Fusion Middleware
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Outside In Technology, version 8.5.5 | Fusion Middleware
Oracle Policy Automation, versions 12.2.0-12.2.22 | Oracle Policy Automation
Oracle Retail Back Office, version 14.1 | Retail Applications
Oracle Retail Central Office, version 14.1 | Retail Applications
Oracle Retail Customer Engagement, versions 16.0-19.0 | Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0-19.0 | Retail Applications
Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3.0 | Retail Applications
Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3.0 | Retail Applications
Oracle Retail Merchandising System, versions 14.1.3.2, 15.0.3.1, 16.0.3 | Retail Applications
Oracle Retail Order Broker, versions 15.0, 16.0 | Retail Applications
Oracle Retail Order Management System Cloud Service, version 19.5 | Retail Applications
Oracle Retail Point-of-Service, version 14.1 | Retail Applications
Oracle Retail Price Management, versions 14.0, 14.1, 15.0, 16.0 | Retail Applications
Oracle Retail Returns Management, version 14.1 | Retail Applications
Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1, 16.0.3.0 | Retail Applications
Oracle Retail Xstore Point of Service, versions 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1 | Retail Applications
Oracle SD-WAN Aware, versions 8.2, 9.0 | Oracle SD-WAN Aware
Oracle SD-WAN Edge, versions 8.2, 9.0, 9.1 | Oracle SD-WAN Edge
Oracle Secure Global Desktop, version 5.6 | Virtualization
Oracle Solaris, version 11 | Systems
Oracle Solaris Cluster, version 4.4 | Systems
Oracle Transportation Management, version 6.4.3 | Oracle Supply Chain Products
Oracle VM VirtualBox, versions prior to 6.1.24 | Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8 | Systems
OSS Support Tools, versions prior to 2.12.41 | Support Tools
PeopleSoft Enterprise CS Campus Community, versions 9.0, 9.2 | PeopleSoft
PeopleSoft Enterprise HCM Candidate Gateway, version 9.2 | PeopleSoft
PeopleSoft Enterprise HCM Shared Components, version 9.2 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.57, 8.58, 8.59 | PeopleSoft
PeopleSoft Enterprise PT PeopleTools, versions 8.57, 8.58, 8.59 | PeopleSoft
Primavera Gateway, versions 17.12.0-17.12.11, 18.8.0-18.8.11, 19.12.0-19.12.10, 20.12.0 | Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 17.12.0-17.12.20, 18.8.0-18.8.23, 19.12.0-19.12.14, 20.12.0-20.12.3 | Oracle Construction and Engineering Suite
Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12 | Oracle Construction and Engineering Suite
Real-Time Decisions (RTD) Solutions, version 3.2.0.0 | Fusion Middleware
Siebel Applications, versions 21.5 and prior | Siebel
StorageTek Tape Analytics SW Tool, version 2.3 | Systems

Note:

  • Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
  • Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets which contain critical security fixes and detailed in Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
  • Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).
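The Base Score printed in each risk matrix is a deterministic function of the eight metric columns that follow it, so a reader can recompute any score on this page from the words in the row. The calculator below is an added example, not part of Oracle's advisory or tooling: it maps the words printed in a matrix row (Network, Low, Required, Changed, ...) to CVSS 3.1 metric values and applies the base-score formulas and the integer "Roundup" from the FIRST CVSS v3.1 specification. The function name and the word-to-metric tables are this example's own. For CVE-2021-2351 it reproduces the 8.3 shown in the Database Server matrix, which is where the Changed-scope 1.08 multiplier and the scope-dependent weight for Privileges Required come in.

```python
import math

# CVSS 3.1 base-metric weights (FIRST CVSS v3.1 specification, section 7.4).
# Keys are the words as printed in the Oracle risk-matrix columns.
ATTACK_VECTOR = {"Network": ("N", 0.85), "Adjacent Network": ("A", 0.62),
                 "Local": ("L", 0.55), "Physical": ("P", 0.20)}
ATTACK_COMPLEXITY = {"Low": ("L", 0.77), "High": ("H", 0.44)}
# Privileges Required weight depends on Scope: (letter, unchanged, changed)
PRIVILEGES = {"None": ("N", 0.85, 0.85), "Low": ("L", 0.62, 0.68),
              "High": ("H", 0.27, 0.50)}
USER_INTERACTION = {"None": ("N", 0.85), "Required": ("R", 0.62)}
IMPACT = {"High": ("H", 0.56), "Low": ("L", 0.22), "None": ("N", 0.0)}


def roundup(x: float) -> float:
    """CVSS 3.1 'Roundup': the smallest one-decimal number >= x, done on
    integers so that e.g. 6.007 becomes 6.1 and 8.0000001 stays 8.0."""
    int_input = round(x * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def score_matrix_row(attack_vector, attack_complexity, privs_required,
                     user_interaction, scope, confidentiality, integrity,
                     availability):
    """Turn the metric words of one risk-matrix row into a CVSS 3.1 vector
    string and base score. Returns (vector, base_score)."""
    av_l, av = ATTACK_VECTOR[attack_vector]
    ac_l, ac = ATTACK_COMPLEXITY[attack_complexity]
    changed = scope == "Changed"
    pr_l, pr_unchanged, pr_changed = PRIVILEGES[privs_required]
    pr = pr_changed if changed else pr_unchanged
    ui_l, ui = USER_INTERACTION[user_interaction]
    c_l, c = IMPACT[confidentiality]
    i_l, i = IMPACT[integrity]
    a_l, a = IMPACT[availability]

    # Impact sub-score: scope-changed rows use the steeper polynomial form.
    iss = 1 - (1 - c) * (1 - i) * (1 - a)
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * av * ac * pr * ui

    if impact <= 0:
        base = 0.0
    elif changed:
        base = roundup(min(1.08 * (impact + exploitability), 10))
    else:
        base = roundup(min(impact + exploitability, 10))

    vector = (f"CVSS:3.1/AV:{av_l}/AC:{ac_l}/PR:{pr_l}/UI:{ui_l}"
              f"/S:{'C' if changed else 'U'}/C:{c_l}/I:{i_l}/A:{a_l}")
    return vector, base


if __name__ == "__main__":
    # CVE-2021-2351 (Advanced Networking Option) as printed in the matrix below
    print(score_matrix_row("Network", "High", "None", "Required", "Changed",
                           "High", "High", "High"))
```

Feeding it the Essbase row for CVE-2021-2244 shows why that row reads 10.0 rather than 10.7: the formula caps the unrounded value at 10 before rounding. The Commerce row for CVE-2021-2462 (6.1) is a case where the unrounded value is 6.007 and the integer Roundup matters.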

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Oracle lists updates that address vulnerabilities in third-party components that are not exploitable in the context of their inclusion in their respective Oracle product beneath the product’s risk matrix.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • 0xfoxone: CVE-2021-2452
  • Andrej Simko of Accenture: CVE-2021-2436
  • Anonymous researcher working with Trend Micro’s Zero Day Initiative: CVE-2021-2389, CVE-2021-2390, CVE-2021-2429
  • Armaan Khurshid Pathan of Emirates Group: CVE-2021-2373
  • Billy Jheng Bing Jhong of STAR Labs: CVE-2021-2443
  • Devin Rosenbauer of Identity Works LLC: CVE-2021-2457
  • Dimitris Doganos of COSMOTE – Mobile Telecommunications S.A.: CVE-2021-2345, CVE-2021-2346, CVE-2021-2348
  • Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2021-2328, CVE-2021-2329, CVE-2021-2333, CVE-2021-2337
  • Emad Al-Mousa: CVE-2021-2326
  • Faraz Khan from Emirates Group: CVE-2021-2375
  • Filip Ceglik: CVE-2021-2448
  • Gianluca Danesin of Mondadori: CVE-2021-2412
  • Girlelecta: CVE-2021-2419, CVE-2021-2420, CVE-2021-2423, CVE-2021-2430, CVE-2021-2431, CVE-2021-2449, CVE-2021-2450, CVE-2021-2451, CVE-2021-2453
  • Guillaume Jacques of synacktiv: CVE-2021-2435
  • Haya Shulman of Fraunhofer.de: CVE-2021-2432
  • Huixin Ma of Tencent.com: CVE-2021-2388
  • Jang Laptop of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2021-2400, CVE-2021-2401
  • Kajetan Rostojek: CVE-2021-2349, CVE-2021-2350
  • KPC of Trend Micro’s Zero Day Initiative: CVE-2021-2392
  • Li Boheng of Tophant Starlight laboratory: CVE-2021-2394
  • Longofo of Knownsec 404 Team: CVE-2021-2376, CVE-2021-2403, CVE-2021-2428, CVE-2021-2433, CVE-2021-2456
  • Maciej Grabiec of ING Tech Poland: CVE-2021-2350
  • Markus Loewe: CVE-2021-2369
  • Martin Neumann of Accenture: CVE-2021-2359
  • Matthias Kaiser of Apple Information Security: CVE-2021-2394, CVE-2021-2397
  • Max Van Amerongen (maxpl0it): CVE-2021-2442
  • Mohit Rawat: CVE-2021-2458
  • Moritz Bechler of SySS GmbH: CVE-2021-2351
  • Okan Basegmez: CVE-2021-2334, CVE-2021-2335, CVE-2021-2336
  • Paul Barbé of synacktiv: CVE-2021-2347, CVE-2021-2435, CVE-2021-2439, CVE-2021-2445
  • Peterjson of RedTeam@VNG Corporation working with Trend Micro Zero Day Initiative: CVE-2021-2456
  • Philipp Jeitner of Fraunhofer.de: CVE-2021-2432
  • Qiguang Zhu: CVE-2021-2333
  • Quynh Le of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2021-2391, CVE-2021-2396
  • r00t4dm at Cloud-Penetrating Arrow Lab: CVE-2021-2376, CVE-2021-2403, CVE-2021-2428, CVE-2021-2433, CVE-2021-2456
  • thiscodecc of MoyunSec V-Lab: CVE-2021-2382, CVE-2021-2394
  • threedr3am: CVE-2021-2344, CVE-2021-2371, CVE-2021-2376, CVE-2021-2378
  • Théo Louis-Tisserand of synacktiv: CVE-2021-2435
  • Varnavas Papaioannou: CVE-2021-2341
  • Ved Prabhu: CVE-2021-2460
  • Vishnu Dev T J working with Trend Micro’s Zero Day Initiative: CVE-2021-2409
  • Waleed Ezz Eldin of Cysiv (Previously SecureMisr): CVE-2021-2380
  • Yaoguang Chen of Ant Security Light-Year Lab: CVE-2021-2330, CVE-2021-2357, CVE-2021-2444

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program:

  • Aleksey Shipilev of Red Hat
  • Brian Reilly [2 reports]
  • Emad Al-Mousa
  • Markus Loewe [2 reports]
  • threedr3am [3 reports]

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

  • Abhishek Morla
  • Adeel Khan
  • Ashik Kunjumon
  • Boumediene Kaddour
  • Gaurang Maheta of gaurang maheta
  • Hamoud Al-Helmani
  • Husnain Iqbal
  • Information Security Management
  • Khalid matar Alharthi
  • Marwan Albahar
  • Mohamed Ahmed Naji
  • Naman Shah
  • Nik Czuprinski
  • Pratik Khalane [2 reports]
  • Rajnish Kumar Gupta
  • Rakan Abdulrahman Al Khaled
  • Sakhare Vinayak
  • Snigdha Priya
  • Sohamin Durkar
  • Stefano Barber
  • Tech Zone
  • Vivek Panday
  • Yash Sharma [2 reports]
  • Zach Edwards of victorymedium.com
  • Zoe Pentaleri

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 19 October 2021
  • 18 January 2022
  • 19 April 2022
  • 19 July 2022

References

Modification History

Date | Note
2021-September-03 | Rev 7. Removed additional CVEs of the patch for CVE-2019-17195
2021-August-18 | Rev 6. Updated CVSS scores for Outside In Technology
2021-July-30 | Rev 5. Updated affected version for Oracle Communications Services Gatekeeper
2021-July-26 | Rev 4. Removed Oracle JDeveloper version 12.2.1.3.0, updated Credit Statement
2021-July-23 | Rev 3. Removed Oracle JDeveloper and ADF entry from the product table. Updated Credit Statement.
2021-July-21 | Rev 2. Updated Credit Statement, Oracle BI Publisher affected versions updated, MOS note numbers updated
2021-July-20 | Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 27 new security patches for Oracle Database Products divided as follows:

  • 16 new security patches for Oracle Database Products
  • 2 new security patches for Oracle Big Data Graph
  • 9 new security patches for Oracle Essbase

Oracle Database Server Risk Matrix

This Critical Patch Update contains 16 new security patches plus additional third party patches noted below for Oracle Database Products. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 1 of these patches is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-2351 | Advanced Networking Option | None | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 12.1.0.2, 12.2.0.1, 19c | See Note 1
CVE-2021-2328 | Oracle Text | Create Any Procedure, Alter Any Table | Oracle Net | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 12.1.0.2, 12.2.0.1, 19c |
CVE-2021-2329 | Oracle XML DB | Create Any Procedure, Create Public Synonym | Oracle Net | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 12.1.0.2, 12.2.0.1, 19c |
CVE-2021-2337 | Oracle XML DB | Create Any Procedure, Create Public Synonym | Oracle Net | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 12.1.0.2, 12.2.0.1, 19c |
CVE-2020-27193 | Oracle Application Express (CKEditor) | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 21.1.0.00.01 |
CVE-2020-26870 | Oracle Application Express Application Builder (DOMPurify) | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 21.1.0.00.01 |
CVE-2021-2460 | Oracle Application Express Data Reporter | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 21.1.0.00.04 |
CVE-2021-2333 | Oracle XML DB | Alter User | Oracle Net | No | 4.9 | Network | Low | High | None | Unchanged | High | None | None | 12.1.0.2, 12.2.0.1, 19c |
CVE-2019-17545 | Oracle Spatial and Graph (GDAL) | Create Session | Oracle Net | No | 4.4 | Local | High | Low | Required | Unchanged | None | None | High | 12.2.0.1, 19c |
CVE-2021-2330 | Core RDBMS | Create Table | Oracle Net | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 19c |
CVE-2020-7760 | Enterprise Manager Express User Interface (CodeMirror) | User Account | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 19c |
CVE-2021-2438 | Java VM | Create Procedure | Oracle Net | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 12.1.0.2, 12.2.0.1, 19c |
CVE-2021-2334 | Oracle Database – Enterprise Edition Data Redaction | Create Session | Oracle Net | No | 3.5 | Network | Low | Low | Required | Unchanged | None | Low | None | 12.1.0.2, 12.2.0.1, 19c |
CVE-2021-2335 | Oracle Database – Enterprise Edition Data Redaction | Create Session | Oracle Net | No | 3.5 | Network | Low | Low | Required | Unchanged | None | Low | None | 12.1.0.2, 12.2.0.1, 19c |
CVE-2021-2336 | Oracle Database – Enterprise Edition Data Redaction | Create Session | Oracle Net | No | 3.5 | Network | Low | Low | Required | Unchanged | None | Low | None | 12.1.0.2, 12.2.0.1, 19c |
CVE-2021-2326 | Database Vault | DBA | Oracle Net | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 12.2.0.1, 19c |

Notes:

  1. The July 2021 Critical Patch Update introduces a number of Native Network Encryption changes to deal with vulnerability CVE-2021-2351 and prevent the use of weaker ciphers. Customers should review: “Changes in Native Network Encryption with the July 2021 Critical Patch Update” (Doc ID 2791571.1).

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • MapViewer (OWASP ESAPI)
  • Oracle Spatial and Graph (OpenJPEG): CVE-2020-27844, CVE-2018-21010, CVE-2019-12973, CVE-2020-15389, CVE-2020-27814, CVE-2020-27841, CVE-2020-27842, CVE-2020-27843 and CVE-2020-27845.
  • Oracle Database – Enterprise Edition (Kerberos): CVE-2020-28196.
  • Oracle Database Migration Assistant for Unicode (Apache POI): CVE-2019-12415.
  • Oracle Spatial and Graph (jackson-databind): CVE-2020-25649.
  • Oracle Spatial and Graph MapViewer (Apache Batik): CVE-2020-11987 and CVE-2019-17566.
  • Oracle Spatial and Graph MapViewer (Apache HttpClient): CVE-2020-13956.
  • Oracle Spatial and Graph MapViewer (Apache XMLGraphics Commons): CVE-2020-11988.
  • Oracle Spatial and Graph MapViewer (Google Guava): CVE-2020-8908.
  • Oracle Spatial and Graph Network Data Model (jackson-databind): CVE-2020-25649.
  • RDBMS (Perl): CVE-2020-10878, CVE-2020-10543 and CVE-2020-12723.
  • RDBMS (Python): CVE-2021-23336.

Oracle Database Server Client-Only Installations

  • The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2021-2351.
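The Workarounds section recommends removing a required privilege from accounts that do not need it until the patch is applied, and the Database Server matrix above names the privilege each authenticated row requires. The Python below is an added example, not Oracle's code or tooling, that joins the two: it expands a constructed sample export of DBA_SYS_PRIVS and DBA_ROLE_PRIVS through nested roles and reports which accounts hold everything a given matrix row requires. It assumes that a comma-separated privilege cell means all listed privileges are needed (the advisory does not say so explicitly), it treats a role name such as DBA as a privilege in its own right, and it leaves out the rows that need only Create Session, a valid user account, or no account at all, since privilege removal cannot address those. Every grantee name and grant in the sample is invented for illustration.

```python
from collections import defaultdict

# "Package and/or Privilege Required" cells from the Database Server matrix
# above, restricted to rows that require a specific privilege.
MATRIX_PRIVS = {
    "CVE-2021-2328": "Create Any Procedure, Alter Any Table",
    "CVE-2021-2329": "Create Any Procedure, Create Public Synonym",
    "CVE-2021-2337": "Create Any Procedure, Create Public Synonym",
    "CVE-2021-2333": "Alter User",
    "CVE-2021-2330": "Create Table",
    "CVE-2021-2438": "Create Procedure",
    "CVE-2021-2326": "DBA",
}

# Constructed sample exports (not real data):
#   DBA_SYS_PRIVS  -> (GRANTEE, PRIVILEGE)
#   DBA_ROLE_PRIVS -> (GRANTEE, GRANTED_ROLE)
SYS_PRIVS = [
    ("APP_ADMIN_ROLE", "CREATE ANY PROCEDURE"),
    ("APP_ADMIN_ROLE", "ALTER ANY TABLE"),
    ("REPORTING", "CREATE TABLE"),
    ("REPORTING", "CREATE SESSION"),
    ("HR_BATCH", "ALTER USER"),
    ("HR_BATCH", "CREATE SESSION"),
    ("DEV_ROLE", "CREATE PROCEDURE"),
    ("DBA", "CREATE ANY PROCEDURE"),
    ("DBA", "ALTER ANY TABLE"),
    ("DBA", "CREATE PUBLIC SYNONYM"),
    ("DBA", "ALTER USER"),
    ("DBA", "CREATE TABLE"),
    ("DBA", "CREATE PROCEDURE"),
]
ROLE_PRIVS = [
    ("APP_SVC", "APP_ADMIN_ROLE"),
    ("REPORTING", "DEV_ROLE"),
    ("OPS_ADMIN", "DBA"),
]
USERS = ["APP_SVC", "REPORTING", "HR_BATCH", "OPS_ADMIN", "READONLY"]


def effective_privileges(user, sys_privs, role_privs):
    """System privileges and role names a user holds directly or through
    any chain of granted roles."""
    direct = defaultdict(set)
    for grantee, priv in sys_privs:
        direct[grantee.upper()].add(priv.upper())
    roles_of = defaultdict(set)
    for grantee, role in role_privs:
        roles_of[grantee.upper()].add(role.upper())

    held, todo, seen = set(), [user.upper()], set()
    while todo:
        grantee = todo.pop()
        if grantee in seen:
            continue
        seen.add(grantee)
        held |= direct[grantee]
        for role in roles_of[grantee]:
            held.add(role)          # the role itself counts (matrix lists "DBA")
            todo.append(role)
    return held


def required_privileges(cell):
    """Parse a matrix cell. Assumption: every comma-separated item is required."""
    return {item.strip().upper() for item in cell.split(",")}


def exposure(users, sys_privs, role_privs, matrix=MATRIX_PRIVS):
    """For each CVE, the sorted list of users whose effective privileges
    satisfy the matrix requirement, i.e. the accounts a REVOKE would have to
    cover for the Workarounds advice to remove that attack path."""
    report = {}
    for cve, cell in matrix.items():
        need = required_privileges(cell)
        report[cve] = sorted(
            u for u in users
            if need <= effective_privileges(u, sys_privs, role_privs))
    return report


if __name__ == "__main__":
    for cve, who in exposure(USERS, SYS_PRIVS, ROLE_PRIVS).items():
        print(cve, "reachable by:", ", ".join(who) or "nobody")
```

To run this against a real instance, replace the sample lists with the output of SELECT grantee, privilege FROM dba_sys_privs and SELECT grantee, granted_role FROM dba_role_privs, then re-run after each REVOKE to confirm the account no longer appears. The report identifies exposure only; as the Workarounds section says, removing privileges does not correct the underlying flaw and is a stop-gap until the Critical Patch Update is applied.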

Oracle Big Data Graph Risk Matrix

This Critical Patch Update contains 2 new security patches plus additional third party patches noted below for Oracle Big Data Graph. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-5064 | Big Data Spatial and Graph | Big Data Graph (OpenCV) | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | Prior to 2.0 |
CVE-2020-17527 | Big Data Spatial and Graph | Big Data Graph (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | Prior to 23.1 |

Additional CVEs addressed are:

  • The patch for CVE-2019-5064 also addresses CVE-2019-5063.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Big Data Spatial and Graph
    • Big Data Graph (Lodash): CVE-2020-8203.
    • Big Data Graph (jackson-databind): CVE-2020-25649, CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188 and CVE-2020-36189.

Oracle Essbase Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Essbase. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-2244 | Essbase | Analytic Provider Services JAPI | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 21.2 |
CVE-2021-2349 | Hyperion Essbase Administration Services | EAS Console | HTTP | Yes | 8.6 | Network | Low | None | None | Changed | High | None | None | 11.1.2.4, 21.2 |
CVE-2021-2435 | Essbase | Analytic Provider Services JAPI | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 11.1.2.4 |
CVE-2019-0190 | Essbase | Infrastructure (OpenSSL) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.2 |
CVE-2020-8285 | Essbase | Infrastructure (cURL) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.2 |
CVE-2021-2433 | Essbase | Analytic Provider Services Web Services | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.1.2.4, 21.2 |
CVE-2021-2350 | Hyperion Essbase Administration Services | EAS Console | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.1.2.4, 21.2 |
CVE-2020-7760 | Essbase | Infrastructure (CodeMirror) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 21.2 |
CVE-2019-12402 | Essbase | Infrastructure (Apache Commons Compress) | HTTP | No | 4.1 | Adjacent Network | Low | Low | Required | Unchanged | None | Low | Low | 21.2 |

Additional CVEs addressed are:

  • The patch for CVE-2019-0190 also addresses CVE-2020-1971, CVE-2021-23840, CVE-2021-23841, CVE-2021-3449 and CVE-2021-3450.
  • The patch for CVE-2020-8285 also addresses CVE-2020-8284, CVE-2020-8286, CVE-2021-22876 and CVE-2021-22890.

Oracle Commerce Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Commerce. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-2463 | Oracle Commerce Platform | Dynamo Application Framework | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.0.0, 11.1.0, 11.2.0, 11.3.0-11.3.2 |
CVE-2020-2555 | Oracle Commerce Platform | Dynamo Application Framework (Coherence) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.0.0, 11.1.0, 11.2.0, 11.3.0-11.3.2 |
CVE-2020-2604 | Oracle Commerce Guided Search | Content Acquisition System (Java SE) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.3.2 |
CVE-2021-20190 | Oracle Commerce Guided Search / Oracle Commerce Experience Manager | Experience Manager (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.3.2 |
CVE-2020-2604 | Oracle Commerce Guided Search / Oracle Commerce Experience Manager | Tools and Frameworks (Java SE) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.3.2 |
CVE-2020-25649 | Oracle Commerce Platform | Dynamo Application Framework (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.2.0, 11.3.0-11.3.2 |
CVE-2021-26272 | Oracle Commerce Merchandising | Experience Manager, Business Control Center (CKEditor) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.1.0, 11.2.0, 11.3.0-11.3.2 |
CVE-2021-2462 | Oracle Commerce Service Center | Commerce Service Center | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.0.0, 11.1.0, 11.2.0, 11.3.0-11.3.2 |
CVE-2021-2345 | Oracle Commerce Guided Search / Oracle Commerce Experience Manager | Tools and Frameworks | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 11.3.1.5 |
CVE-2021-2346 | Oracle Commerce Guided Search / Oracle Commerce Experience Manager | Tools and Frameworks | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 11.3.1.5 |
CVE-2021-2348 | Oracle Commerce Guided Search / Oracle Commerce Experience Manager | Tools and Frameworks | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 11.3.1.5 |

Additional CVEs addressed are:

  • The patch for CVE-2020-25649 also addresses CVE-2020-36189.

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 33 new security patches for Oracle Communications Applications. 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The Base Score through Availability columns are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-21345 | Oracle Communications BRM – Elastic Charging Engine | CN ECE (XStream) | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 12.0.0.3.0 | |
| CVE-2021-21345 | Oracle Communications Unified Inventory Management | Drools Ruleset (XStream) | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 7.3.2, 7.3.4, 7.3.5, 7.4.0, 7.4.1 | |
| CVE-2020-11612 | Oracle Communications BRM – Elastic Charging Engine | HTTP GW (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.0.0.3.0 | |
| CVE-2021-3177 | Oracle Communications Offline Mediation Controller | UDC CORE (Python) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.0.0.3.0 | |
| CVE-2020-17530 | Oracle Communications Pricing Design Center | CNE (Apache Struts) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.0.0.3.0 | |
| CVE-2019-17195 | Oracle Communications Pricing Design Center | CNE (Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.0.0.3.0 | |
| CVE-2021-22112 | Oracle Communications Unified Inventory Management | REST API (Spring Security) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 7.4.1 | |
| CVE-2020-10878 | Oracle Communications Offline Mediation Controller | UDC CORE (Perl) | TCP/IP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | Low | High | 12.0.0.3.0 | |
| CVE-2020-10878 | Oracle Communications Pricing Design Center | Transformation for PDC (Perl) | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | Low | High | 12.0.0.3.0 | |
| CVE-2020-14195 | Oracle Communications Instant Messaging Server | Managing Messages (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 10.0.1.4.0 | |
| CVE-2021-3345 | Oracle Communications Billing and Revenue Management | Accounts Receivable (libgcrypt) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 12.0.0.3.0 | |
| CVE-2020-27216 | Oracle Communications Offline Mediation Controller | CN OCOMC (Eclipse Jetty) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 12.0.0.3.0 | |
| CVE-2020-27216 | Oracle Communications Pricing Design Center | Transformation for PDC (Eclipse Jetty) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 12.0.0.3.0 | |
| CVE-2020-8286 | Oracle Communications Billing and Revenue Management | Balances (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 12.0.0.3.0 | |
| CVE-2020-25649 | Oracle Communications Billing and Revenue Management | Business Operation Center (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 7.5.0.23.0, 12.0.0.3.0 | |
| CVE-2020-25649 | Oracle Communications Convergent Charging Controller | Common fns (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 12.0.4.0.0 | |
| CVE-2020-25649 | Oracle Communications Network Charging and Control | OUI (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 12.0.4.0.0 | |
| CVE-2019-17566 | Oracle Communications Offline Mediation Controller | CN OCOMC (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 12.0.0.3.0 | |
| CVE-2020-28196 | Oracle Communications Offline Mediation Controller | NM Core (Kerberos) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.0.0.3.0 | |
| CVE-2020-5258 | Oracle Communications Pricing Design Center | Server for PDC (dojo) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 12.0.0.3.0 | |
| CVE-2020-17527 | Oracle Communications Pricing Design Center | Transformation for PDC (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.0.0.3.0 | |
| CVE-2020-28196 | Oracle Communications Pricing Design Center | Transformation for PDC (Kerberos) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.0.0.3.0 | |
| CVE-2020-25648 | Oracle Communications Pricing Design Center | CNE (NSS) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.0.0.3.0 | |
| CVE-2020-25649 | Oracle Communications Unified Inventory Management | Media Resource (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 7.4.1 | |
| CVE-2020-8203 | Oracle Communications Billing and Revenue Management | Billing Care (Lodash) | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | None | High | High | 7.5.0.23.0, 12.0.0.3.0 | |
| CVE-2019-10086 | Oracle Communications Pricing Design Center | Transformation for PDC (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 12.0.0.3.0 | |
| CVE-2020-9484 | Oracle Communications Instant Messaging Server | Managing Messages (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 10.0.1.4.0 | |
| CVE-2020-7017 | Oracle Communications Billing and Revenue Management | Balance Monitoring Manager (Kibana) | HTTP | No | 6.7 | Network | High | Low | Required | Unchanged | High | High | Low | 12.0.0.3.0 | |
| CVE-2019-3740 | Oracle Communications Unified Inventory Management | Inventory Organizer (BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 7.3.2, 7.3.4, 7.3.5, 7.4.0, 7.4.1 | |
| CVE-2020-17521 | Oracle Communications BRM – Elastic Charging Engine | Elastic charging controller (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 11.3.0.9.0, 12.0.0.3.0 | |
| CVE-2021-21290 | Oracle Communications Design Studio | Modeling (Netty) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 7.4.2 | |
| CVE-2021-20227 | Oracle Communications Network Charging and Control | Common fns (SQLite) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 6.0.1.0, 12.0.1.0-12.0.4.0 | |
| CVE-2020-11987 | Oracle Communications Offline Mediation Controller | UDC CORE (Apache Batik) | TCP/IP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 12.0.0.3.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739.
  • The patch for CVE-2020-10878 also addresses CVE-2020-10543 and CVE-2020-12723.
  • The patch for CVE-2020-11612 also addresses CVE-2021-21290.
  • The patch for CVE-2020-14195 also addresses CVE-2020-14060, CVE-2020-14061 and CVE-2020-14062.
  • The patch for CVE-2020-25649 also addresses CVE-2020-24616, CVE-2020-24750, CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188 and CVE-2020-36189.
  • The patch for CVE-2020-27216 also addresses CVE-2020-27218.
  • The patch for CVE-2020-7017 also addresses CVE-2020-7016.
  • The patch for CVE-2020-8286 also addresses CVE-2020-8284 and CVE-2020-8285.
  • The patch for CVE-2021-21345 also addresses CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
  • The patch for CVE-2021-3177 also addresses CVE-2021-23336.

Oracle Communications Risk Matrix

This Critical Patch Update contains 26 new security patches for Oracle Communications. 23 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The Base Score through Availability columns are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-17195 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Configuration (Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.7.0 | |
| CVE-2020-11612 | Oracle Communications Cloud Native Core Service Communication Proxy | KPI (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.5.2 | |
| CVE-2020-11998 | Oracle Communications Diameter Signaling Router (DSR) | Provisioning (Apache ActiveMQ) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0-8.5.0 | |
| CVE-2019-12260 | Oracle Communications EAGLE Software | Measurements (VxWorks) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 46.6.0-46.8.2 | |
| CVE-2020-10878 | Oracle SD-WAN Aware | Monitoring (Perl) | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | Low | High | 8.2, 9.0 | |
| CVE-2020-10543 | Oracle SD-WAN Edge | Publications (Perl) | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | Low | High | 8.2, 9.0, 9.1 | |
| CVE-2020-27216 | Oracle Communications Services Gatekeeper | Call Control Common Service (Eclipse Jetty) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 7.0 | |
| CVE-2020-5258 | Oracle Communications Application Session Controller | Signaling (dojo) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 3.9 | |
| CVE-2019-10746 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | Configuration (Kibana) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 1.4.0 | |
| CVE-2020-7733 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | Signaling (Kibana) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 1.7.0 | |
| CVE-2017-9735 | Oracle Communications Cloud Native Core Policy | Configuration (Jetty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 1.5.0 | |
| CVE-2020-5398 | Oracle Communications Cloud Native Core Policy | Configuration (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 1.5.0 | |
| CVE-2019-12399 | Oracle Communications Cloud Native Core Policy | Measurements (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 1.9.0 | |
| CVE-2020-25649 | Oracle Communications Cloud Native Core Unified Data Repository | UDR (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 1.4.0 | |
| CVE-2020-25649 | Oracle Communications Evolved Communications Application Server | Session Design Center GUI (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 7.1 | |
| CVE-2020-25649 | Oracle Communications Services Gatekeeper | OCSG Policy service (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 7.0 | |
| CVE-2019-10086 | Oracle Communications Cloud Native Core Console | Signaling (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 1.4.0 | |
| CVE-2019-10086 | Oracle Communications Cloud Native Core Policy | Measurements (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 1.9.0 | |
| CVE-2019-10086 | Oracle Communications Cloud Native Core Unified Data Repository | Measurements (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 1.6.0 | |
| CVE-2019-10086 | Oracle Communications Evolved Communications Application Server | Managing and Using Subscriber Data (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 7.1 | |
| CVE-2018-15686 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | Signaling (Calico) | None | No | 6.3 | Local | High | High | Required | Unchanged | High | High | High | 1.4.0 | |
| CVE-2020-24553 | Oracle Communications Cloud Native Core Policy | Signaling (Go) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 1.5.0 | |
| CVE-2020-17521 | Oracle Communications Evolved Communications Application Server | Control Engine (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 7.1 | |
| CVE-2020-29582 | Oracle Communications Cloud Native Core Network Slice Selection Function | Signaling (Calico) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 1.2.1 | |
| CVE-2020-27218 | Oracle Communications Services Gatekeeper | Subscriber profile (Eclipse Jetty) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | None | Low | Low | 7.0 | |
| CVE-2016-0762 | Oracle Communications Diameter Signaling Router (DSR) | Provisioning (Apache Tomcat) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | Low | None | 8.0.0-8.5.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2016-0762 also addresses CVE-2021-30369, CVE-2021-30640 and CVE-2021-33037.
  • The patch for CVE-2017-9735 also addresses CVE-2017-7656, CVE-2017-7657 and CVE-2017-7658.
  • The patch for CVE-2019-10746 also addresses CVE-2019-15604, CVE-2019-15605 and CVE-2019-15606.
  • The patch for CVE-2020-10543 also addresses CVE-2020-10878 and CVE-2020-12723.
  • The patch for CVE-2020-10878 also addresses CVE-2020-10543 and CVE-2020-12723.
  • The patch for CVE-2020-25649 also addresses CVE-2020-24616, CVE-2020-24750, CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188 and CVE-2020-36189.
  • The patch for CVE-2020-27218 also addresses CVE-2020-27216.
  • The patch for CVE-2020-29582 also addresses CVE-2019-0205, CVE-2019-0210, CVE-2019-16942, CVE-2019-16943, CVE-2019-17531, CVE-2019-20330, CVE-2020-13949, CVE-2020-28052, CVE-2020-8554, CVE-2020-8908 and CVE-2021-21275.
  • The patch for CVE-2020-7733 also addresses CVE-2020-7016 and CVE-2020-7017.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 10 new security patches for Oracle Construction and Engineering. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The Base Score through Availability columns are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-17195 | Primavera Gateway | Admin (Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 18.8.0-18.8.11 | |
| CVE-2021-25122 | Instantis EnterpriseTrack | HTTP Server (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 17.1, 17.2, 17.3 | |
| CVE-2020-25649 | Primavera Gateway | Admin (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 17.12.0-17.12.11, 18.8.0-18.8.11, 19.12.0-19.12.10, 20.12.0 | |
| CVE-2020-8203 | Primavera Gateway | Admin (Lodash) | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | None | High | High | 17.12.0-17.12.11, 18.8.0-18.8.11, 19.12.0-19.12.10, 20.12.0 | |
| CVE-2021-2366 | Primavera P6 Enterprise Project Portfolio Management | Web Access | HTTP | No | 6.4 | Network | Low | Low | None | Changed | Low | Low | None | 17.12.0-17.12.20, 18.8.0-18.8.23, 19.12.0-19.12.14, 20.12.0-20.12.3 | |
| CVE-2021-21409 | Primavera Gateway | Admin (Netty) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 17.12.0-17.12.11, 18.8.0-18.8.11, 19.12.0-19.12.10 | |
| CVE-2021-27906 | Primavera Unifier | Core (Apache PDFbox) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 17.7-17.12, 18.8, 19.12, 20.12 | |
| CVE-2021-2386 | Primavera P6 Enterprise Project Portfolio Management | Web Access | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 20.12.0-20.12.3 | |
| CVE-2020-5258 | Primavera Unifier | Core UI (dojo) | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 17.7-17.12, 18.8, 19.12, 20.12 | |
| CVE-2020-25649 | Primavera Unifier | Project Delivery (jackson-databind) | None | No | 3.9 | Local | Low | Low | Required | Unchanged | Low | Low | None | 17.7-17.12, 18.8, 19.12, 20.12 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-25649 also addresses CVE-2020-36189.
  • The patch for CVE-2021-21409 also addresses CVE-2021-21290.
  • The patch for CVE-2021-25122 also addresses CVE-2021-25329.
  • The patch for CVE-2021-27906 also addresses CVE-2021-27807 and CVE-2021-31811.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 17 new security patches for Oracle E-Business Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2021 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2021), My Oracle Support Note 2770321.1.

The Base Score through Availability columns are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-2355 | Oracle Marketing | Marketing Administration | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2436 | Oracle Common Applications | CRM User Management Framework | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2359 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2361 | Oracle Advanced Inbound Telephony | SDK client integration | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2398 | Oracle Advanced Outbound Telephony | Region Mapping | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2360 | Oracle Approvals Management | AME Page rendering | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2406 | Oracle Collaborative Planning | User Interface | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2393 | Oracle E-Records | E-signatures | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2405 | Oracle Engineering | Change Management | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.2.3-12.2.10 | |
| CVE-2021-2362 | Oracle Field Service | Wireless | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2365 | Oracle Human Resources | People Management | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2364 | Oracle iSupplier Portal | Accounts | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2363 | Oracle Public Sector Financials (International) | Authorization | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2415 | Oracle Time and Labor | Timecard | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2434 | Oracle Web Applications Desktop Integrator | Application Service | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2380 | Oracle Applications Framework | Attachments / File Upload | HTTP | No | 7.6 | Network | Low | Low | Required | Changed | High | Low | None | 12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2343 | Oracle Workflow | Workflow Notification Mailer | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 12.1.3, 12.2.3-12.2.10 | |

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Enterprise Manager. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2021 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2021 Patch Availability Document for Oracle Products, My Oracle Support Note 2773670.1.

The Base Score through Availability columns are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-10683 | Enterprise Manager Base Platform | Application Service Level Mgmt (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.4.0.0 | |
| CVE-2019-5064 | Enterprise Manager Base Platform | Application Service Level Mgmt (OpenCV) | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 13.4.0.0 | |
| CVE-2020-10878 | Oracle Configuration Manager | Content Server (Perl) | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | Low | High | 12.1.2.0.8 | |
| CVE-2020-1971 | Enterprise Manager Base Platform | Discovery Framework (OpenSSL) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 13.4.0.0 | |
| CVE-2019-2897 | Enterprise Manager Base Platform | Enterprise Config Management | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 13.4.0.0 | |
| CVE-2019-2897 | Enterprise Manager Base Platform | System Monitoring | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 13.4.0.0 | |
| CVE-2019-10086 | Oracle Application Testing Suite | Load Testing for Web Apps (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 13.3.0.1 | |
| CVE-2017-14735 | Enterprise Manager Base Platform | UI Framework (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 13.4.0.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2019-5064 also addresses CVE-2019-5063.
  • The patch for CVE-2020-10878 also addresses CVE-2020-10543 and CVE-2020-12723.
  • The patch for CVE-2020-1971 also addresses CVE-2020-1967.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 22 new security patches for Oracle Financial Services Applications. 17 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The Base Score through Availability columns are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-21345 | Oracle Banking Enterprise Default Management | Collections (XStream) | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 2.10.0, 2.12.0 | |
| CVE-2021-21345 | Oracle Banking Platform | Collections (XStream) | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 2.4.0, 2.7.1, 2.9.0, 2.12.0 | |
| CVE-2019-0228 | Oracle Banking Liquidity Management | Onboarding (Apache PDFbox) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 | |
| CVE-2021-26117 | Oracle FLEXCUBE Private Banking | Financial Planning (Apache ActiveMQ) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.0.0, 12.1.0 | |
| CVE-2020-5413 | Oracle FLEXCUBE Private Banking | Financial Planning (Spring Integration) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.0.0, 12.1.0 | |
| CVE-2020-11998 | Oracle FLEXCUBE Private Banking | Financial Planning (Apache ActiveMQ) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.0.0, 12.1.0 | |
| CVE-2020-27218 | Oracle FLEXCUBE Private Banking | Financial Planning (Eclipse Jetty) | HTTP | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | 12.0.0, 12.1.0 | |
| CVE-2020-24750 | Oracle Banking Liquidity Management | Onboarding (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 14.2, 14.3, 14.5 | |
| CVE-2020-25649 | Oracle Banking Treasury Management | Accounting (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14.4 | |
| CVE-2020-11979 | Oracle Banking Treasury Management | Capital Workflow (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14.4 | |
| CVE-2020-11979 | Oracle Financial Services Analytical Applications Infrastructure | Rate Management (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 8.0.6-8.0.9, 8.1.0, 8.1.1 | |
| CVE-2020-11979 | Oracle FLEXCUBE Private Banking | Order Management (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 12.0.0, 12.1.0 | |
| CVE-2020-8203 | Oracle Banking Liquidity Management | DashBoard (Lodash) | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | None | High | High | 14.2, 14.3, 14.5 | |
| CVE-2019-10086 | Oracle Financial Services Revenue Management and Billing Analytics | Dashboards (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 2.7.0, 2.8.0 | |
| CVE-2020-7712 | Oracle Financial Services Regulatory Reporting with AgileREPORTER | Reports (Apache ZooKeeper) | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 8.0.9.6.3 | |
| CVE-2020-27193 | Oracle Banking Party Management | Web UI (CKEditor) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 2.7.0 | |
| CVE-2020-27193 | Oracle Financial Services Analytical Applications Infrastructure | Rate Management (CKEditor) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.9, 8.1.0, 8.1.1 | |
| CVE-2020-11022 | Oracle Financial Services Revenue Management and Billing Analytics | Dashboards (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 2.7.0, 2.8.0 | |
| CVE-2021-2323 | Oracle FLEXCUBE Universal Banking | Flex-Branch | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 12.3, 12.4, 14.0-14.4 | |
| CVE-2020-11987 | Oracle FLEXCUBE Universal Banking | General Ledger (Apache Batik) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 14.1.0-14.4.0 | |
| CVE-2021-2324 | Oracle FLEXCUBE Universal Banking | Loans And Deposits | HTTP | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | Low | None | 12.0-12.4, 14.0-14.4 | |
| CVE-2021-2448 | Oracle Financial Services Crime and Compliance Investigation Hub | Reports | None | No | 3.7 | Local | High | High | Required | Changed | Low | Low | None | 20.1.2 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2020-11998 also addresses CVE-2020-11973 and CVE-2020-1941.
  • The patch for CVE-2020-24750 also addresses CVE-2020-24616.
  • The patch for CVE-2020-25649 also addresses CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188 and CVE-2020-36189.
  • The patch for CVE-2020-27193 also addresses CVE-2021-26271 and CVE-2021-26272.
  • The patch for CVE-2020-27218 also addresses CVE-2020-27216.
  • The patch for CVE-2020-5413 also addresses CVE-2019-10086 and CVE-2020-9489.
  • The patch for CVE-2021-21345 also addresses CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
  • The patch for CVE-2021-26117 also addresses CVE-2020-11973 and CVE-2020-1941.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Food and Beverage Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The Base Score through Availability columns are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-2395 | Oracle Hospitality Reporting and Analytics | iCare, Configuration | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 9.1.0 | |
| CVE-2021-3156 | MICROS Compact Workstation 3 | Workstation 310 (Sudo) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 310 | |
| CVE-2021-3156 | MICROS ES400 Series | Express Station 4 (Sudo) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 400-410 | |
| CVE-2021-3156 | MICROS Kitchen Display System Hardware | Kitchen Display System 210 (Sudo) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 210 | |
| CVE-2021-3156 | MICROS Workstation 5A | Workstation 5A (Sudo) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 5A | |
| CVE-2021-3156 | MICROS Workstation 6 | Workstation 6 (Sudo) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 610-655 | |

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 48 new security patches for Oracle Fusion Middleware. 35 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update July 2021 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2021 Patch Availability Document for Oracle Products, My Oracle Support Note 2773670.1.

The Base Score through Availability columns are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-21345 | Oracle BAM (Business Activity Monitoring) | General (XStream) | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-21345 | Oracle WebCenter Portal | Security Framework (XStream) | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2456 | Oracle Business Intelligence Enterprise Edition | Analytics Web General | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 | |
| CVE-2019-17195 | Oracle Data Integrator | Runtime Java agent for ODI (Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 | |
| CVE-2020-10683 | Oracle JDeveloper | Oracle JDeveloper (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 | |
| CVE-2020-28052 | Oracle WebCenter Portal | Security Framework (Bouncy Castle Java Library) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2394 | Oracle WebLogic Server | Core | T3, IIOP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-2397 | Oracle WebLogic Server | Core | T3, IIOP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-2382 | Oracle WebLogic Server | Security | T3, IIOP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-2392 | Oracle BI Publisher | BI Publisher Security | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2396 | Oracle BI Publisher | E-Business Suite – XDO | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2391 | Oracle BI Publisher | Scheduler | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-5421 | Oracle Enterprise Data Quality | General (Spring Framework) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2428 | Oracle Coherence | Core | T3, IIOP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-2458 | Identity Manager | Identity Console | HTTP | No | 7.6 | Network | Low | Low | Required | Changed | High | Low | None | 11.1.2.2.0, 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2400 | Oracle BI Publisher | E-Business Suite – XDO | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2371 | Oracle Coherence | Core | T3, IIOP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-2344 | Oracle Coherence | Core | T3, IIOP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2020-25649 | Oracle GoldenGate Application Adapters | Application Adapters (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 19.1.0.0.0 | |
| CVE-2019-12402 | Oracle JDeveloper | Oracle JDeveloper (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 | |
| CVE-2021-25122 | Oracle Managed File Transfer | MFT Runtime Server (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2378 | Oracle WebLogic Server | Core | T3, IIOP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-2376 | Oracle WebLogic Server | Web Services | T3, IIOP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2015-0254 | Oracle WebLogic Server | Third Party Tools (Apache Standard Taglibs) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 10.3.6.0.0, 12.1.3.0.0 | |
| CVE-2019-10086 | Real-Time Decisions (RTD) Solutions | WLS Deployment Template for RT (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 3.2.0.0 | |
| CVE-2021-2450 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2021-2451 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2021-2419 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2021-2420 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2021-2423 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2021-2449 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
| CVE-2021-2452 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.5.5 | See Note 1 |
CVE-2021-2430 Oracle Outside In Technology Outside In Filters HTTP Yes 7.5 Network Low None None Un-

changed
None None High 8.5.5 See Note 1
CVE-2021-2431 Oracle Outside In Technology Outside In Filters HTTP Yes 7.5 Network Low None None Un-

changed
None None High 8.5.5 See Note 1
CVE-2021-2453 Oracle Outside In Technology Outside In Filters HTTP Yes 7.5 Network Low None None Un-

changed
None None High 8.5.5 See Note 1
CVE-2020-1945 Oracle Data Integrator Install, config, upgrade (Apache Ant) None No 6.3 Local High Low None Un-

changed
High High None 12.2.1.3.0, 12.2.1.4.0
CVE-2019-11358 Identity Manager UI Platform (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.3.0
CVE-2019-12415 Oracle JDeveloper OAM (Apache POI) None No 5.5 Local Low Low None Un-

changed
High None None 12.2.1.4.0
CVE-2021-27906 Oracle Outside In Technology Outside In Clean Content SDK (Apache PDFBox) None No 5.5 Local Low None Required Un-

changed
None None High 8.5.5
CVE-2021-2457 Identity Manager Request Management & Workflow HTTP Yes 5.3 Network Low None None Un-

changed
Low None None 11.1.2.3.0
CVE-2021-2401 Oracle BI Publisher E-Business Suite – XDO HTTP Yes 5.3 Network Low None None Un-

changed
Low None None 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-13956 Oracle Data Integrator Install, config, upgrade (Apache HttpClient) HTTP Yes 5.3 Network Low None None Un-

changed
None Low None 12.2.1.3.0, 12.2.1.4.0
CVE-2020-11987 Oracle Enterprise Repository Security Subsystem – 12c (Apache Batik) HTTP Yes 5.3 Network Low None None Un-

changed
None Low None 11.1.1.7.0
CVE-2020-11987 Oracle Fusion Middleware MapViewer Install (Apache Batik) HTTP Yes 5.3 Network Low None None Un-

changed
None Low None 12.2.1.4.0
CVE-2021-2403 Oracle WebLogic Server Core HTTP Yes 5.3 Network Low None None Un-

changed
Low None None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2021-2358 Oracle Access Manager Rest interfaces for Access Mgr HTTPS No 4.9 Network Low High None Un-

changed
High None None 11.1.2.3.0
CVE-2020-8908 Oracle Data Integrator Install, config, upgrade (Guava) None No 3.3 Local Low Low None Un-

changed
Low None None 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2555 Oracle Access Manager Installation Component (Oracle Coherence) HTTPS No 3.1 Adjacent

Network
High High None Un-

changed
Low Low None 11.1.2.3.0

Notes:

  1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS Base Score depend on the software that uses Outside In Technology. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are:

  • The patch for CVE-2020-1945 also addresses CVE-2020-11979.
  • The patch for CVE-2020-5421 also addresses CVE-2021-22118.
  • The patch for CVE-2021-21345 also addresses CVE-2019-10173, CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
  • The patch for CVE-2021-2397 also addresses CVE-2020-14756.
  • The patch for CVE-2021-25122 also addresses CVE-2021-25329.
  • The patch for CVE-2021-27906 also addresses CVE-2021-27807.
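A worked check of how the Base Score column follows from the other CVSS columns of a risk-matrix row, and of the re-scoring Note 1 describes for Outside In. This is an added example, not part of the Oracle advisory: it implements the CVSS v3.1 base-score equations from the FIRST specification, rebuilds the vector string from a row's metric columns, recomputes the score and compares it with the listed value. The sample rows are copied from the matrix above; the function, variable and `ROWS` names are this example's own.

```python
"""CVSS v3.1 base-score check for Oracle risk-matrix rows (added example).

Implements the CVSS v3.1 base-score equations from the FIRST specification,
rebuilds the vector string from the metric columns of a risk-matrix row,
recomputes the Base Score and compares it with the value Oracle lists.
ROWS holds values copied from the matrix above; all names are this example's own.
"""
import math

# CVSS v3.1 metric weights from the specification.
AV = {"Network": 0.85, "Adjacent Network": 0.62, "Local": 0.55, "Physical": 0.20}
AC = {"Low": 0.77, "High": 0.44}
PR_UNCHANGED = {"None": 0.85, "Low": 0.62, "High": 0.27}
PR_CHANGED = {"None": 0.85, "Low": 0.68, "High": 0.50}  # PR weighs more when Scope is Changed
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}

# Matrix wording -> vector-string letters (metric position disambiguates "Low"/"Local", "None"/"Network").
ABBREV = {
    "Network": "N", "Adjacent Network": "A", "Local": "L", "Physical": "P",
    "Low": "L", "High": "H", "None": "N", "Required": "R",
    "Unchanged": "U", "Changed": "C",
}


def roundup(x):
    """Roundup() from CVSS v3.1 Appendix A: smallest one-decimal value >= x,
    computed on integers so float artefacts do not push a score up a tenth."""
    int_input = round(x * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a):
    """CVSS v3.1 base score from the eight base metrics, named as in the matrix."""
    changed = scope == "Changed"
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr_weight = (PR_CHANGED if changed else PR_UNCHANGED)[pr]
    exploitability = 8.22 * AV[av] * AC[ac] * pr_weight * UI[ui]
    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def vector(av, ac, pr, ui, scope, c, i, a):
    """Rebuild the CVSS v3.1 vector string from the matrix columns."""
    return "CVSS:3.1/AV:{}/AC:{}/PR:{}/UI:{}/S:{}/C:{}/I:{}/A:{}".format(
        ABBREV[av], ABBREV[ac], ABBREV[pr], ABBREV[ui], ABBREV[scope],
        ABBREV[c], ABBREV[i], ABBREV[a])


# Rows copied from the risk matrix above:
# (CVE, listed Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, C, I, A)
ROWS = [
    ("CVE-2021-2394", 9.8, "Network", "Low", "None", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2021-2458", 7.6, "Network", "Low", "Low", "Required", "Changed", "High", "Low", "None"),
    ("CVE-2021-2450", 7.5, "Network", "Low", "None", "None", "Unchanged", "None", "None", "High"),
    ("CVE-2019-11358", 6.1, "Network", "Low", "None", "Required", "Changed", "Low", "Low", "None"),
    ("CVE-2020-2555", 3.1, "Adjacent Network", "High", "High", "None", "Unchanged", "Low", "Low", "None"),
]


def check_rows(rows=ROWS):
    """Return {CVE: (vector string, listed score, recomputed score)} for each row."""
    out = {}
    for cve, listed, *metrics in rows:
        out[cve] = (vector(*metrics), listed, base_score(*metrics))
    return out


def rescore(metrics, **changes):
    """Re-score a row with some metrics replaced, e.g. av="Local" for an Outside In
    deployment that never feeds network-supplied data to the SDK (Note 1 above)."""
    names = ["av", "ac", "pr", "ui", "scope", "c", "i", "a"]
    merged = dict(zip(names, metrics), **changes)
    return base_score(**merged)


if __name__ == "__main__":
    for cve, (vec, listed, computed) in check_rows().items():
        flag = "ok" if listed == computed else "MISMATCH"
        print(f"{cve}: {vec} listed={listed} computed={computed} {flag}")
    outside_in = ROWS[2][2:]  # CVE-2021-2450 metrics
    print("CVE-2021-2450 with AV:L (Note 1 scenario):", rescore(outside_in, av="Local"))
```

Running the script reproduces every listed score, which is the quickest way to catch a transcription error when a matrix row is copied into a tracker. The last line shows the point of Note 1: the same Outside In filter bug drops from 7.5 to 6.2 when the only input path is local, which is the Attack Vector a deployment that never passes network-received data to the SDK would use in its own environmental scoring.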

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Hospitality Applications. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

(Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-21290 | Oracle Hospitality Suite8 | Spa and Leisure (Netty) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 8.13, 8.14 |

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Hyperion. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

(Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-2729 | Hyperion Infrastructure Technology | Installation and Configuration (Oracle WebLogic Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.2.4, 11.2.5.0 |
CVE-2019-17566 | Hyperion Financial Reporting | Installation (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.1.2.4, 11.2.5.0 |
CVE-2017-14735 | Hyperion Infrastructure Technology | Common Security (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.1.2.4, 11.2.5.0 |
CVE-2021-2445 | Hyperion Infrastructure Technology | Lifecycle Management | HTTP | No | 5.7 | Network | High | High | Required | Unchanged | High | High | None | 11.2.5.0 |
CVE-2021-2347 | Hyperion Infrastructure Technology | Lifecycle Management | HTTP | No | 5.2 | Network | Low | High | Required | Unchanged | High | Low | None | 11.2.5.0 |
CVE-2021-2439 | Oracle Hyperion BI+ | UI and Visualization | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | Low | None | None | 11.1.2.4, 11.2.5.0 |

Additional CVEs addressed are:

  • The patch for CVE-2019-2729 also addresses CVE-2019-2725.

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Insurance Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

(Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-22112 | Oracle Insurance Policy Administration | Architecture (Spring Security) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.2.0, 11.3.0 |
CVE-2020-35490 | Oracle Insurance Policy Administration | J2EE Security Information (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.0.2 |
CVE-2020-25649 | Oracle Insurance Policy Administration | Architecture (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.0.2, 11.1.0-11.3.0 |
CVE-2020-25649 | Oracle Insurance Rules Palette | Architecture (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.0.2, 11.1.0-11.3.0 |

Additional CVEs addressed are:

  • The patch for CVE-2020-35490 also addresses CVE-2020-35491.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Java SE. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

(Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-29921 | Oracle GraalVM Enterprise Edition | Python interpreter and runtime (CPython) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Oracle GraalVM Enterprise Edition: 20.3.2, 21.1.0 |
CVE-2021-2388 | Java SE, Oracle GraalVM Enterprise Edition | Hotspot | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | Java SE: 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2, 21.1.0 | See Note 1
CVE-2020-28928 | Oracle GraalVM Enterprise Edition | LLVM Interpreter (musl libc) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | Oracle GraalVM Enterprise Edition: 20.3.2, 21.1.0 |
CVE-2021-2369 | Java SE, Oracle GraalVM Enterprise Edition | Library | Multiple | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | Low | None | Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2, 21.1.0 | See Note 1
CVE-2021-2432 | Java SE | JNDI | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | Java SE: 7u301 | See Note 2
CVE-2021-2341 | Java SE, Oracle GraalVM Enterprise Edition | Networking | Multiple | Yes | 3.1 | Network | High | None | Required | Unchanged | Low | None | None | Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2, 21.1.0 | See Note 1

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle JD Edwards. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

(Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-13990 | JD Edwards EnterpriseOne Orchestrator | E1 IOT Orchestrator Security (Quartz) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.2.5.3 and prior |
CVE-2019-17195 | JD Edwards EnterpriseOne Orchestrator | E1 IOT Orchestrator Security (Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.2.5.3 and prior |
CVE-2019-17195 | JD Edwards EnterpriseOne Tools | Business Logic Inf SEC (Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.2.5.3 and prior |
CVE-2019-17195 | JD Edwards EnterpriseOne Tools | Web Runtime SEC (Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.2.5.3 and prior |
CVE-2020-25649 | JD Edwards EnterpriseOne Orchestrator | E1 IOT Orchestrator Security (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 9.2.5.3 and prior |
CVE-2020-25649 | JD Edwards EnterpriseOne Tools | Monitoring and Diagnostics SEC (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 9.2.5.3 and prior |
CVE-2020-25649 | JD Edwards EnterpriseOne Tools | Web Runtime SEC (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 9.2.5.3 and prior |
CVE-2021-2375 | JD Edwards EnterpriseOne Tools | Web Runtime | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.2.5.3 and prior |
CVE-2021-2373 | JD Edwards EnterpriseOne Tools | Web Runtime | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.2.5.3 and prior |

Additional CVEs addressed are:

  • The patch for CVE-2020-25649 also addresses CVE-2020-36189.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 41 new security patches for Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

(Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-22884 | MySQL Cluster | Cluster: JS module (Node.js) | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 8.0.25 and prior |
CVE-2021-22901 | MySQL Server | Server: Packaging (curl) | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 5.7.34 and prior, 8.0.25 and prior |
CVE-2021-25122 | MySQL Enterprise Monitor | Monitoring: General (Apache Tomcat) | HTTPS/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.0.23 and prior |
CVE-2019-17543 | MySQL Server | Server: Compiling (LZ4) | MySQL Protocol | No | 7.5 | Network | High | Low | None | Unchanged | High | High | High | 5.7.34 and prior, 8.0.25 and prior |
CVE-2021-3450 | MySQL Connectors | Connector/C++ (OpenSSL) | MySQL Protocol | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 8.0.23 and prior |
CVE-2021-3450 | MySQL Connectors | Connector/ODBC (OpenSSL) | MySQL Protocol | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 8.0.23 and prior |
CVE-2021-3450 | MySQL Enterprise Monitor | Monitoring: General (OpenSSL) | HTTPS | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 8.0.23 and prior |
CVE-2021-2417 | MySQL Server | Server: GIS | MySQL Protocol | No | 6.0 | Network | Low | High | None | Unchanged | Low | Low | High | 8.0.25 and prior |
CVE-2021-2389 | MySQL Server | InnoDB | MySQL Protocol | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 5.7.34 and prior, 8.0.25 and prior |
CVE-2021-2390 | MySQL Server | InnoDB | MySQL Protocol | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 5.7.34 and prior, 8.0.25 and prior |
CVE-2021-2429 | MySQL Server | InnoDB | MySQL Protocol | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2356 | MySQL Server | Server: Replication | MySQL Protocol | No | 5.9 | Network | High | Low | None | Unchanged | None | Low | High | 5.7.34 and prior, 8.0.25 and prior |
CVE-2021-2385 | MySQL Server | Server: Replication | MySQL Protocol | No | 5.0 | Network | High | High | None | Unchanged | None | Low | High | 5.7.34 and prior, 8.0.25 and prior |
CVE-2021-2339 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2352 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2399 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2370 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2440 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2354 | MySQL Server | Server: Federated | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2402 | MySQL Server | Server: Locking | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2342 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.34 and prior, 8.0.25 and prior |
CVE-2021-2357 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2367 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2412 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior |
CVE-2021-2383 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2384 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2387 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2444 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior |
CVE-2021-2410 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2418 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2425 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2426 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2427 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2437 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2441 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2422 | MySQL Server | Server: PS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2424 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.25 and prior |
CVE-2021-2372 | MySQL Server | InnoDB | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.7.34 and prior, 8.0.25 and prior |
CVE-2021-2374 | MySQL Server | InnoDB | None | No | 4.1 | Local | High | High | None | Unchanged | High | None | None | 8.0.25 and prior |
CVE-2021-2411 | MySQL Cluster | Cluster: JS module | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 8.0.25 and prior |
CVE-2021-2340 | MySQL Server | Server: Memcached | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | None | None | Low | 8.0.25 and prior |

Additional CVEs addressed are:

  • The patch for CVE-2021-22884 also addresses CVE-2021-22883 and CVE-2021-23840.
  • The patch for CVE-2021-22901 also addresses CVE-2021-22897 and CVE-2021-22898.
  • The patch for CVE-2021-25122 also addresses CVE-2021-25329.
  • The patch for CVE-2021-3450 also addresses CVE-2021-3449.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 14 new security patches for Oracle PeopleSoft. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

(Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-17195 | PeopleSoft Enterprise PeopleTools | REST Services (Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.58, 8.59 |
CVE-2021-27568 | PeopleSoft Enterprise PeopleTools | REST Services (netplex json-smart-v1) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 8.58, 8.59 |
CVE-2021-22884 | PeopleSoft Enterprise PeopleTools | Elastic Search (Node.js) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 8.58, 8.59 |
CVE-2021-3450 | PeopleSoft Enterprise PeopleTools | Security (OpenSSL) | TLS | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 8.57, 8.58, 8.59 |
CVE-2020-7017 | PeopleSoft Enterprise PeopleTools | Elastic Search (Kibana) | HTTP | No | 6.7 | Network | High | Low | Required | Unchanged | High | High | Low | 8.58 |
CVE-2021-2421 | PeopleSoft Enterprise CS Campus Community | Integration and Interfaces | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 9.0, 9.2 |
CVE-2021-2404 | PeopleSoft Enterprise HCM Candidate Gateway | e-mail notification | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 9.2 |
CVE-2021-2455 | PeopleSoft Enterprise HCM Shared Components | Person Search | HTTP | No | 6.5 | Network | Low | High | None | Unchanged | High | High | None | 9.2 |
CVE-2021-2408 | PeopleSoft Enterprise PT PeopleTools | Notification Configuration | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.59 |
CVE-2021-21290 | PeopleSoft Enterprise PeopleTools | Elastic Search (Netty) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 8.57, 8.58, 8.59 |
CVE-2021-2407 | PeopleSoft Enterprise PeopleTools | Portal | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.57, 8.58, 8.59 |
CVE-2020-13956 | PeopleSoft Enterprise PT PeopleTools | Cloud Manager (Apache HttpClient) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 8.57, 8.58, 8.59 |
CVE-2021-2377 | PeopleSoft Enterprise PeopleTools | SQR | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 8.57, 8.58, 8.59 |
CVE-2020-8908 | PeopleSoft Enterprise PeopleTools | Elastic Search (Google Guava) | None | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | 8.57, 8.58, 8.59 |

Additional CVEs addressed are:

  • The patch for CVE-2020-7017 also addresses CVE-2020-7016.
  • The patch for CVE-2021-22884 also addresses CVE-2018-7160 and CVE-2021-22883.
  • The patch for CVE-2021-3450 also addresses CVE-2021-23839, CVE-2021-23840, CVE-2021-23841 and CVE-2021-3449.

Oracle Policy Automation Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Policy Automation. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

(Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-17195 | Oracle Policy Automation | Hub (Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.0-12.2.22 |

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 23 new security patches for Oracle Retail Applications. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

(Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-21345 | Oracle Retail Xstore Point of Service | Xenvironment (XStream) | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 16.0.6, 17.0.4, 18.0.3, 19.0.2 |
CVE-2019-0219 | Oracle Retail Xstore Point of Service | Xenvironment (Apache cordova-plugin-inappbrowser) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 16.0.6, 17.0.4, 18.0.3, 19.0.2 |
CVE-2020-5421 | Oracle Retail Customer Management and Segmentation Foundation | Promotions (Spring Framework) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 16.0-19.0 |
CVE-2020-5421 | Oracle Retail Merchandising System | Foundation (Spring Framework) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 16.0.3 |
CVE-2021-22118 | Oracle Retail Financial Integration | PeopleSoft Integration Bugs (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 16.0.3.0, 15.0.3.1, 14.1.3.2 |
CVE-2021-22118 | Oracle Retail Integration Bus | RIB Kernel (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 16.0.3.0, 15.0.3.1, 14.1.3.2 |
CVE-2021-22118 | Oracle Retail Order Broker | System Administration (Spring Framework) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 16.0 |
CVE-2020-5398 | Oracle Retail Back Office | Pricing (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 14.1 |
CVE-2020-5398 | Oracle Retail Central Office | Transaction Tracker (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 14.1 |
CVE-2020-11979 | Oracle Retail Merchandising System | Procurement (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14.1.3.2 |
CVE-2020-5398 | Oracle Retail Point-of-Service | Queue Management (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 14.1 |
CVE-2020-5398 | Oracle Retail Returns Management | Main Dashboard (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 14.1 |
CVE-2020-25649 | Oracle Retail Service Backbone | RSB Installation (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.0.3.0, 15.0.3.1, 14.1.3.2 |
CVE-2020-17527 | Oracle Retail Xstore Point of Service | Xenvironment (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1 |
CVE-2020-8277 | Oracle Retail Xstore Point of Service | Xenvironment (Node.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1 |
CVE-2020-25649 | Oracle Retail Xstore Point of Service | Xenvironment (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.0.6, 17.0.4, 18.0.3, 19.0.2 |
CVE-2020-25638 | Oracle Retail Customer Management and Segmentation Foundation | Segment (Hibernate) | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 19.0 |
CVE-2019-10086 | Oracle Retail Merchandising System | Foundation (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 15.0.3.1 |
CVE-2019-10086 | Oracle Retail Price Management | Manage Allocation (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 14.0, 14.1, 15.0, 16.0 |
CVE-2020-5421 | Oracle Retail Customer Engagement | Internal Operations (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 16.0-19.0 |
CVE-2021-27807 | Oracle Retail Customer Management and Segmentation Foundation | Segment (Apache PDFbox) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 19.0 |
CVE-2020-11987 | Oracle Retail Order Broker | Store Connect (Apache Batik) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 15.0, 16.0 |
CVE-2020-11987 | Oracle Retail Order Management System Cloud Service | Internal Operations (Apache Batik) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 19.5 |

Additional CVEs addressed are:

  • The patch for CVE-2020-11987 also addresses CVE-2019-17566.
  • The patch for CVE-2020-25649 also addresses CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188 and CVE-2020-36189.
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397 and CVE-2020-5421.
  • The patch for CVE-2020-5421 also addresses CVE-2020-5413.
  • The patch for CVE-2020-8277 also addresses CVE-2020-8174.
  • The patch for CVE-2021-21345 also addresses CVE-2020-26217, CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
  • The patch for CVE-2021-27807 also addresses CVE-2021-27906.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Siebel CRM. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

(Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-24750 | Siebel Core – Server Framework | Services (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 21.5 and prior |
CVE-2020-27216 | Siebel Core – Automation | Test Automation (Eclipse Jetty) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 21.5 and prior |
CVE-2017-5637 | Siebel Core – Server Framework | Cloud Gateway (Zookeeper) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.5 and prior |
CVE-2021-2338 | Siebel Apps – Marketing | Email Marketing Stand-Alone | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 21.5 and prior |
CVE-2021-2368 | Siebel CRM | Siebel Core – Server Infrastructure | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 21.5 and prior |
CVE-2021-2353 | Siebel Core – Server Framework | Logging | None | No | 4.4 | Local | Low | High | None | Unchanged | High | None | None | 21.5 and prior |

Additional CVEs addressed are:

  • The patch for CVE-2017-5637 also addresses CVE-2019-0201 and CVE-2020-11612.
  • The patch for CVE-2020-27216 also addresses CVE-2020-27218.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Supply Chain. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

(Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-11979 | Oracle Agile Engineering Data Management | Installation Issues (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 6.2.1.0 |
CVE-2020-13935 | Oracle Agile Engineering Data Management | Installation Issues (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.2.1.0 |
CVE-2012-0881 | Oracle Transportation Management | UI Infrastructure (Apache Xerces2 Java Parser) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.4.3 |
CVE-2021-26272 | Oracle Agile PLM | Security (CKEditor) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 9.3.5, 9.3.6 |
CVE-2021-24122 | Oracle Agile PLM | Folders, Files & Attachments (Apache Tomcat) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 9.3.3, 9.3.6 |

Additional CVEs addressed are:

  • The patch for CVE-2020-11979 also addresses CVE-2020-1945.
  • The patch for CVE-2020-13935 also addresses CVE-2020-13934.
  • The patch for CVE-2021-24122 also addresses CVE-2020-17527, CVE-2021-25122 and CVE-2021-25329.
  • The patch for CVE-2021-26272 also addresses CVE-2020-27193 and CVE-2021-26271.

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Support Tools. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2020-11023 | OSS Support Tools | Diagnostic Assistant (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 2.12.41

Additional CVEs addressed are:

  • The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022.

Oracle Systems Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Systems. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2017-5461 | Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers | XCP Firmware (NSS) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to XCP2400, prior to XCP3100
CVE-2017-16931 | Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers | XCP Firmware (libxml2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to XCP2400, prior to XCP3100
CVE-2018-7183 | Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers | XCP Firmware (NTP) | NTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to XCP2400, prior to XCP3100
CVE-2021-3177 | Oracle ZFS Storage Appliance Kit | Operating System Image | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.8
CVE-2020-10683 | StorageTek Tape Analytics SW Tool | Software (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.3
CVE-2019-10086 | Oracle Solaris Cluster | Application Integration (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 4.4
CVE-2018-0739 | Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers | XCP Firmware (OpenSSL) | TLS | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | Prior to XCP2400, prior to XCP3100
CVE-2020-5421 | StorageTek Tape Analytics SW Tool | Software (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 2.3
CVE-2019-3740 | StorageTek Tape Analytics SW Tool | Software (BSAFE Crypto-J) | HTTPS | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 2.3
CVE-2016-4429 | Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers | XCP Firmware (glibc) | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | Prior to XCP2400, prior to XCP3100
CVE-2021-2381 | Oracle Solaris | Kernel | None | No | 3.9 | Local | Low | Low | Required | Unchanged | None | Low | Low | 11

Additional CVEs addressed are:

  • The patch for CVE-2018-0739 also addresses CVE-2017-3735, CVE-2018-0737 and CVE-2020-1968.
  • The patch for CVE-2018-7183 also addresses CVE-2020-11868.
  • The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739.
  • The patch for CVE-2021-3177 also addresses CVE-2020-27783, CVE-2021-20227, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841, CVE-2021-28041, CVE-2021-29921, CVE-2021-3449, CVE-2021-3450, CVE-2021-3520 and CVE-2021-3560.

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Virtualization. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-2447 | Oracle Secure Global Desktop | Server | Multiple | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 5.6 |
CVE-2021-2446 | Oracle Secure Global Desktop | Client | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 5.6 |
CVE-2021-2409 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | Prior to 6.1.24 |
CVE-2021-2443 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | Low | High | Prior to 6.1.24 | See Note 1
CVE-2021-2454 | Oracle VM VirtualBox | Core | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | Prior to 6.1.24 |
CVE-2021-2442 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | None | High | Prior to 6.1.24 |

Notes:

  1. This vulnerability applies to Solaris x86 and Linux systems only.

Oracle Critical Patch Update Advisory – April 2021

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 391 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2021 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions | Patch Availability Document
Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite, versions 3.5, 3.6 | Oracle Supply Chain Products
Agile Product Lifecycle Management Integration Pack for SAP: Design to Release, versions 3.5, 3.6 | Oracle Supply Chain Products
Enterprise Manager Base Platform, version 13.4.0.0 | Enterprise Manager
Enterprise Manager for Fusion Middleware, versions 12.2.1.4, 13.4.0.0 | Enterprise Manager
Enterprise Manager for Virtualization, version 13.4.0.0 | Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0 | Enterprise Manager
FMW Platform, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Hyperion Analytic Provider Services, versions 11.1.2.4, 12.2.1.4 | Fusion Middleware
Hyperion Financial Management, version 11.1.2.4 | Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 | Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.5.3 | JD Edwards
JD Edwards EnterpriseOne Tools, versions prior to 9.2.4.0, prior to 9.2.5.3 | JD Edwards
JD Edwards World Security, version A9.4 | JD Edwards
MySQL Cluster, versions 8.0.23 and prior | MySQL
MySQL Enterprise Monitor, versions 8.0.23 and prior | MySQL
MySQL Server, versions 5.7.33 and prior, 8.0.23 and prior | MySQL
MySQL Workbench, versions 8.0.23 and prior | MySQL
Oracle Advanced Supply Chain Planning, versions 12.1, 12.2 | Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6 | Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0 | Fusion Middleware
Oracle Application Express, versions prior to 20.2 | Database
Oracle Application Testing Suite, version 13.3.0.1 | Enterprise Manager
Oracle BAM (Business Activity Monitoring), versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Banking Platform, versions 2.4.0, 2.6.2, 2.7.0, 2.7.1, 2.8.0, 2.9.0, 2.10.0 | Oracle Banking Platform
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Cloud Infrastructure Storage Gateway, versions prior to 1.4 | Contact Support
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle Commerce Guided Search, versions 11.3.0, 11.3.1, 11.3.2 | Oracle Commerce
Oracle Commerce Merchandising, versions 0, 11.0.0, 11.1, 11.2.0, 11.3.0, 11.3.1, 11.3.2 | Oracle Commerce
Oracle Communications Application Session Controller, version 3.9m0p3 | Oracle Communications Application Session Controller
Oracle Communications Calendar Server, version 8.0 | Oracle Communications Calendar Server
Oracle Communications Contacts Server, version 8.0 | Oracle Communications Contacts Server
Oracle Communications Converged Application Server – Service Controller, version 6.2 | Oracle Communications Converged Application Server – Service Controller
Oracle Communications Design Studio, version 7.4.2 | Oracle Communications Design Studio
Oracle Communications Interactive Session Recorder, versions 6.3, 6.4 | Oracle Communications Interactive Session Recorder
Oracle Communications Messaging Server, versions 8.0.2, 8.1, 8.1.0 | Oracle Communications Messaging Server
Oracle Communications MetaSolv Solution, versions 6.3.0, 6.3.1 | Oracle Communications MetaSolv Solution
Oracle Communications Performance Intelligence Center Software, versions 10.4.0.2, 10.4.0.3 | Oracle Communications Performance Intelligence Center (PIC) Software
Oracle Communications Services Gatekeeper, versions 6.0, 6.1, 7.0 | Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions Cz8.2, Cz8.3, Cz8.4 | Oracle Communications Session Border Controller
Oracle Communications Session Router, versions Cz8.2, Cz8.3, Cz8.4 | Oracle Communications Session Router
Oracle Communications Subscriber-Aware Load Balancer, versions Cz8.2, Cz8.3, Cz8.4 | Oracle Communications Subscriber-Aware Load Balancer
Oracle Communications Unified Inventory Management, versions 7.3.4, 7.3.5, 7.4.0, 7.4.1 | Oracle Communications Unified Inventory Management
Oracle Communications Unified Session Manager, version SCz8.2.5 | Oracle Communications Unified Session Manager
Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 18c, 19c | Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10 | E-Business Suite
Oracle Endeca Information Discovery Studio, version 3.2.0.0 | Fusion Middleware
Oracle Enterprise Communications Broker, versions PCZ3.1, PCZ3.2, PCZ3.3 | Oracle Enterprise Communications Broker
Oracle Enterprise Repository, version 11.1.1.7.0 | Fusion Middleware
Oracle Enterprise Session Border Controller, versions Cz8.2, Cz8.3, Cz8.4 | Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0 | Oracle Financial Services Analytical Applications Infrastructure
Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3 | Contact Support
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0 | Contact Support
Oracle Fusion Middleware, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Fusion Middleware MapViewer, version 12.2.1.4.0 | Fusion Middleware
Oracle Global Lifecycle Management OPatch, versions prior to 12.2.0.1.22 | Global Lifecycle Management
Oracle GraalVM Enterprise Edition, versions 19.3.5, 20.3.1.2, 21.0.0.2 | Oracle GraalVM Enterprise Edition
Oracle Graph Server and Client | Database
Oracle Health Sciences Empirica Signal, versions 9.0, 9.1 | Health Sciences
Oracle Health Sciences Information Manager, versions 3.0.0-3.0.2 | Health Sciences
Oracle Healthcare Foundation, versions 7.1.5, 7.2.2, 7.3.0, 7.3.1, 8.0.1 | Health Sciences
Oracle Hospitality Cruise Shipboard Property Management System, version 20.1.0 | Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality Inventory Management, version 9.1.0 | Oracle Hospitality Inventory Management
Oracle Hospitality OPERA 5, versions 5.5, 5.6 | Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality RES 3700, versions 5.7.0-5.7.6 | Oracle Hospitality RES
Oracle HTTP Server, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Identity Manager Connector, version 11.1.1.5.0 | Fusion Middleware
Oracle iLearning, versions 6.2, 6.3 | iLearning
Oracle Insurance Data Gateway, version 1.0.2.3 | Oracle Insurance Applications
Oracle Java SE, versions 7u291, 8u281, 11.0.10, 16 | Java SE
Oracle Java SE Embedded, version 8u281 | Java SE
Oracle NoSQL Database, versions prior to 20.3 | NoSQL Database
Oracle Outside In Technology, version 8.5.5 | Fusion Middleware
Oracle Platform Security for Java, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Rapid Planning, version 12.1.3 | Oracle Supply Chain Products
Oracle REST Data Services, versions prior to 20.4.3.50.1904 | Database
Oracle Retail Advanced Inventory Planning, version 14.1 | Retail Applications
Oracle Retail Assortment Planning, version 16.0.3 | Retail Applications
Oracle Retail Back Office, version 14.1 | Retail Applications
Oracle Retail Category Management Planning & Optimization, version 16.0.3 | Retail Applications
Oracle Retail Central Office, version 14.1 | Retail Applications
Oracle Retail EFTLink, versions 15.0.2, 16.0.3, 17.0.2, 18.0.1, 19.0.1, 20.0.0 | Retail Applications
Oracle Retail Insights Cloud Service Suite, version 19.0 | Retail Applications
Oracle Retail Item Planning, version 16.0.3 | Retail Applications
Oracle Retail Macro Space Optimization, version 16.0.3 | Retail Applications
Oracle Retail Merchandise Financial Planning, version 16.0.3 | Retail Applications
Oracle Retail Merchandising System, version 16.0.3 | Retail Applications
Oracle Retail Point-of-Service, version 14.1 | Retail Applications
Oracle Retail Predictive Application Server, versions 14.1, 15.0, 16.0 | Retail Applications
Oracle Retail Regular Price Optimization, version 16.0.3 | Retail Applications
Oracle Retail Replenishment Optimization, version 16.0.3 | Retail Applications
Oracle Retail Returns Management, version 14.1 | Retail Applications
Oracle Retail Sales Audit, version 14.0 | Retail Applications
Oracle Retail Size Profile Optimization, version 16.0.3 | Retail Applications
Oracle Retail Store Inventory Management, versions 14.1.3.10, 15.0.3.5, 16.0.3.5 | Retail Applications
Oracle Retail Xstore Point of Service, versions 15.0.4, 16.0.6, 17.0.4, 18.0.3, 19.0.2 | Retail Applications
Oracle SD-WAN Aware, version 8.2 | Oracle SD-WAN Aware
Oracle SD-WAN Edge, versions 8.2, 9.0 | Oracle SD-WAN Edge
Oracle Secure Backup | Oracle Secure Backup
Oracle Secure Global Desktop, version 5.6 | Virtualization
Oracle Security Service, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Service Bus, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Solaris, versions 10, 11 | Systems
Oracle Spatial Studio, versions prior to 19.1.0, prior to 20.1.1 | Database
Oracle SQL Developer, versions prior to 20.4.1.407.6 | Database
Oracle Storage Cloud Software Appliance, versions prior to 16.3.1.4.2 | Contact Support
Oracle TimesTen In-Memory Database | Database
Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0 | Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 6.1.20 | Virtualization
Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle WebLogic Server Proxy Plug-In, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8 | Systems
OSS Support Tools, versions prior to 2.12.41 | Support Tools
PeopleSoft Enterprise CS Campus Community, version 9.2 | PeopleSoft
PeopleSoft Enterprise FIN Common Application Objects, version 9.2 | PeopleSoft
PeopleSoft Enterprise FIN Expenses, version 9.2 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58 | PeopleSoft
PeopleSoft Enterprise PT PeopleTools, versions 8.56, 8.57, 8.58 | PeopleSoft
PeopleSoft Enterprise SCM eProcurement, version 9.2 | PeopleSoft
PeopleSoft Enterprise SCM Purchasing, version 9.2 | PeopleSoft
Primavera Gateway, versions 17.12.0-17.12.10 | Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12 | Oracle Construction and Engineering Suite
Siebel Applications, versions 21.2 and prior | Siebel

Note:

  • Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA, so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1, for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
  • Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets, which contain critical security fixes and are detailed in the Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
  • Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).
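The calculator below is added here as a worked example and is not part of Oracle's advisory. It recomputes a risk-matrix row's Base Score from its eight CVSS columns, using the metric weights and the round-up rule of the CVSS v3.1 specification, so a reader can verify a row or re-score it after one metric changes (for instance Privs Req'd after a privilege has been revoked). The sample rows are transcribed from the matrices on this page; the pipe-separated layout is only this script's input format.

```python
"""CVSS v3.1 base-score calculator in the vocabulary of Oracle's risk matrices.

Added example, not Oracle's code. Weights and the round-up rule are taken from
the CVSS v3.1 specification; the sample rows are transcribed from this page.
"""
import math

# Metric weights, CVSS v3.1 specification section 7.4.
ATTACK_VECTOR = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.20}
ATTACK_COMPLEXITY = {"Low": 0.77, "High": 0.44}
USER_INTERACTION = {"None": 0.85, "Required": 0.62}
IMPACT = {"High": 0.56, "Low": 0.22, "None": 0.0}
# Privileges Required weighs more when a successful exploit changes Scope.
PRIVILEGES_REQUIRED = {
    "Unchanged": {"None": 0.85, "Low": 0.62, "High": 0.27},
    "Changed": {"None": 0.85, "Low": 0.68, "High": 0.50},
}
ABBREV = {"Network": "N", "Adjacent": "A", "Local": "L", "Physical": "P",
          "Low": "L", "High": "H", "None": "N", "Required": "R",
          "Unchanged": "U", "Changed": "C"}


def roundup(value):
    """Round up to one decimal as CVSS v3.1 Appendix A specifies, in integer
    arithmetic so float noise such as 4.0000001 yields 4.0, not 4.1."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a):
    """Base score from the matrix column words, e.g. base_score("Network", "Low",
    "None", "None", "Unchanged", "High", "High", "High") -> 9.8."""
    iss = 1.0 - (1.0 - IMPACT[c]) * (1.0 - IMPACT[i]) * (1.0 - IMPACT[a])
    if scope == "Unchanged":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = (8.22 * ATTACK_VECTOR[av] * ATTACK_COMPLEXITY[ac]
                      * PRIVILEGES_REQUIRED[scope][pr] * USER_INTERACTION[ui])
    if impact <= 0:
        return 0.0
    if scope == "Unchanged":
        return roundup(min(impact + exploitability, 10.0))
    return roundup(min(1.08 * (impact + exploitability), 10.0))


def vector_string(av, ac, pr, ui, scope, c, i, a):
    """The same eight columns rendered as a standard CVSS:3.1 vector string."""
    names = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
    values = (av, ac, pr, ui, scope, c, i, a)
    return "CVSS:3.1/" + "/".join(f"{n}:{ABBREV[v]}" for n, v in zip(names, values))


# Rows transcribed from the risk matrices on this page, pipe-separated in the
# order CVE# | Product | Component | Protocol | Remote? | Base Score |
# AV | AC | PR | UI | Scope | C | I | A | Versions.
SAMPLE_ROWS = [
    "CVE-2017-5461 | Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers | XCP Firmware (NSS) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to XCP2400, prior to XCP3100",
    "CVE-2020-11023 | OSS Support Tools | Diagnostic Assistant (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 2.12.41",
    "CVE-2021-2447 | Oracle Secure Global Desktop | Server | Multiple | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 5.6",
    "CVE-2021-2353 | Siebel Core - Server Framework | Logging | None | No | 4.4 | Local | Low | High | None | Unchanged | High | None | None | 21.5 and Prior",
    "CVE-2021-2409 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | Prior to 6.1.24",
]


def check_rows(rows=SAMPLE_ROWS):
    """Recompute each row's score; returns [(cve, vector, published, computed)]."""
    out = []
    for row in rows:
        fields = [x.strip() for x in row.split("|")]
        metrics = fields[6:14]
        out.append((fields[0], vector_string(*metrics), float(fields[5]), base_score(*metrics)))
    return out


if __name__ == "__main__":
    for cve, vec, published, computed in check_rows():
        status = "ok" if published == computed else "MISMATCH"
        print(f"{cve:15} {vec:45} published={published} computed={computed} {status}")
```

Running the script prints each CVE with its vector string and an ok/MISMATCH flag; all five transcribed rows reproduce Oracle's published score. The Scope-dependent weight for Privs Req'd is why CVE-2021-2447 (Privs Req'd Low, Scope Changed) reaches 9.9, whereas the same metrics with Scope Unchanged score 8.8.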

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Oracle lists updates that address vulnerabilities in third-party components that are not exploitable in the context of their inclusion in their respective Oracle product beneath the product’s risk matrix.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • 0xfoxone: CVE-2021-2240
  • Alessandra Zullo: CVE-2021-2152
  • Andrej Simko of Accenture: CVE-2021-2150, CVE-2021-2155, CVE-2021-2182, CVE-2021-2183, CVE-2021-2184, CVE-2021-2185, CVE-2021-2186, CVE-2021-2187, CVE-2021-2188, CVE-2021-2189, CVE-2021-2190, CVE-2021-2195, CVE-2021-2198, CVE-2021-2199, CVE-2021-2200
  • Aobo Wang of Chaitin Security Research Lab: CVE-2021-2312
  • Artur Obuchowski and Jakub Sajniak of STM Cyber: CVE-2021-2053
  • Bartłomiej Stasiek: CVE-2021-2218, CVE-2021-2219, CVE-2021-2220
  • Billy Jheng Bing-Jhong (st424204) working with Trend Micro Zero Day Initiative: CVE-2021-2250, CVE-2021-2321
  • Calvin Fong (Lord_Idiot) of STAR Labs working with Trend Micro Zero Day Initiative: CVE-2021-2250, CVE-2021-2321
  • Charley Celice of Quorum Cyber: CVE-2021-2214
  • ChenNan of Chaitin Security Research Lab: CVE-2021-2280, CVE-2021-2281, CVE-2021-2282, CVE-2021-2283, CVE-2021-2284, CVE-2021-2285, CVE-2021-2286, CVE-2021-2287, CVE-2021-2306
  • Cl0und of Syclover Security Team: CVE-2021-2135, CVE-2021-2136
  • Codeplutos of AntGroup FG Security Lab: CVE-2021-2135
  • Damian Bury: CVE-2021-2140
  • DongJun Shin working with Trend Micro Zero Day Initiative: CVE-2021-2309
  • Emad Al-Mousa of Saudi Aramco: CVE-2021-2173, CVE-2021-2175, CVE-2021-2207
  • Esteban Montes Morales of Accenture: CVE-2021-2181
  • Ghost Said: CVE-2021-2204
  • Girlelecta: CVE-2021-2242
  • JungHyun Kim (jidoc01) of VirtualBoBs working with Trend Micro Zero Day Initiative: CVE-2021-2279, CVE-2021-2291
  • JunYoung Park (candymate) of VirtualBoBs working with Trend Micro Zero Day Initiative: CVE-2021-2266
  • Kajetan Rostojek: CVE-2021-2191
  • Kun Yang of Chaitin Security Research Lab: CVE-2021-2280, CVE-2021-2281, CVE-2021-2282, CVE-2021-2283, CVE-2021-2284, CVE-2021-2285, CVE-2021-2286, CVE-2021-2287, CVE-2021-2306, CVE-2021-2312
  • Longofo of Knownsec 404 Team: CVE-2021-2211, CVE-2021-2277, CVE-2021-2294
  • Lucas Leong (wmliang) of Trend Micro Zero Day Initiative: CVE-2021-2296, CVE-2021-2297
  • Markus Loewe: CVE-2021-2161
  • Martin Neumann of Accenture: CVE-2021-2205, CVE-2021-2206, CVE-2021-2209, CVE-2021-2210
  • Martí Guasch Jimenez: CVE-2021-2167
  • Matthias Gerstner of SUSE: CVE-2021-2264
  • Matthias Kaiser of Apple Information Security: CVE-2021-2135
  • Max Van Amerongen (maxpl0it) working with Trend Micro Zero Day Initiative: CVE-2021-2145, CVE-2021-2310
  • Maxime Escourbiac of Michelin CERT: CVE-2021-2153
  • Michał Skowron: CVE-2021-2219
  • Muhammad Alifa Ramdhan (n0psledbyte) working with Trend Micro Zero Day Initiative: CVE-2021-2250, CVE-2021-2321
  • Okan Cokun of Biznet: CVE-2021-2008
  • Patrick Star of BMH Security Team: CVE-2021-2204
  • peterjson of RedTeam@VNG Corporation working with Trend Micro Zero Day Initiative: CVE-2021-2244
  • Quynh Le of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2021-2211, CVE-2021-2302, CVE-2021-2303
  • r00t4dm at Cloud-Penetrating Arrow Lab: CVE-2021-2211, CVE-2021-2277, CVE-2021-2294
  • Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2021-2158
  • thiscodecc of MoyunSec V-Lab: CVE-2021-2211, CVE-2021-2277, CVE-2021-2294
  • threedr3am: CVE-2021-2136
  • Tomasz Wiśniewski: CVE-2021-2219
  • Torben Capiau of Accenture: CVE-2021-2197
  • UnicodeSec potats0: CVE-2021-2211
  • Venustech ADLab: CVE-2021-2135
  • Veronica Venturi: CVE-2021-2152
  • Waleed Ezz Eldin of Cysiv (Previously SecureMisr): CVE-2021-2141
  • Wei Bo of UGUARDSEC Security Team: CVE-2021-2157
  • Will Dormann of CERT/CC: CVE-2021-2307
  • Xianglai Liu of Dbappsecurity Team: CVE-2021-2277
  • Yaoguang Chen of Ant Security Light-Year Lab: CVE-2021-2169, CVE-2021-2230
  • Yi Ren of Alibaba: CVE-2021-2203
  • Yuyue Wang of Alibaba: CVE-2021-2203

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program:

  • Artem
  • Markus Loewe
  • Mohit Rawat
  • Ofir Moskovitch

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

  • Abdulaziz Almisfer
  • Abhishek Misal
  • Aditra Andri Laksana
  • Adrián Pedrazzoli
  • Ali Hassan Ghori
  • Ankur Vaidya
  • Aswin Krishna (733n_wolf)
  • Aurélien Salomon
  • Bader Almutairi
  • Danish Tariq
  • Derek Chapman
  • George Crook
  • Hamit Cibo
  • Jehad Alqurashi
  • Luca Ottoni
  • Mohamed Ahmed Naji
  • Mohamed ELobeid
  • Qasim Shaikh
  • Rahul PS
  • Reworr
  • Srikar V – exp1o1t9r
  • Waleed Ezz Eldin of Cysiv (Previously SecureMisr) [2 reports]
  • Yevgeny Zharovsky

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 20 July 2021
  • 19 October 2021
  • 18 January 2022
  • 19 April 2022

References

Modification History

Date | Note
2021-September-4 | Rev 7. Removed CVE-2021-21345 from the additional CVE list of BAM.
2021-July-28 | Rev 6. Removed Oracle WebLogic Server version 12.1.3.0.0 for CVE-2021-2135.
2021-June-29 | Rev 5. Affected versions changed for CVE-2020-10683 in the Fusion Middleware matrix.
2021-May-5 | Rev 4. Added CVE-2019-17638 to the Fusion Middleware matrix for WebLogic Server, with a CVSS score of 0.
2021-April-26 | Rev 3. Added CVE-2021-2321 to the Virtualization risk matrix and updated the Credit Statement section.
2021-April-22 | Rev 2. Affected version changed for CVE-2021-2008, note added for CVE-2021-2264, Database matrix client-only updated.
2021-April-20 | Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 18 new security patches for Oracle Database Products divided as follows:

  • 10 new security patches for Oracle Database Products
  • 1 new security patch for Oracle Global Lifecycle Management
  • No new security patches for Oracle Graph Server and Client, but third party patches are provided
  • 4 new security patches for Oracle NoSQL Database
  • 1 new security patch for Oracle REST Data Services
  • No new security patches for Oracle Secure Backup, but third party patches are provided
  • 2 new security patches for Oracle Spatial Studio
  • No new security patches for Oracle TimesTen In-Memory Database, but third party patches are provided

Oracle Database Server Risk Matrix

This Critical Patch Update contains 10 new security patches plus additional third party patches noted below for Oracle Database Products. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 1 of these patches is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2020-5360 | Oracle Database – Enterprise Edition Security (Dell BSAFE Micro Edition Suite) | None | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-17527 | Workload Manager (Apache Tomcat) | None | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 18c, 19c
CVE-2019-3740 | Oracle Database – Enterprise Edition (Dell BSAFE Crypto-J) | None | Oracle Net | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-11023 | Oracle Application Express (jQuery) | None | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 20.2
CVE-2021-2234 | Java VM | Create Session | Oracle Net | No | 5.3 | Network | High | Low | None | Unchanged | None | High | None | 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-7760 | Oracle Application Express (CodeMirror) | Valid User Account | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | Prior to 20.2
CVE-2021-2173 | Recovery | DBA Level Account | Oracle Net | No | 4.1 | Network | Low | High | None | Changed | Low | None | None | 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2021-2175 | Database Vault | Create Any View, Select Any View | Oracle Net | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2021-2245 | Oracle Database – Enterprise Edition Unified Audit | Create Audit Policy | Oracle Net | No | 2.7 | Network | Low | High | None | Unchanged | None | Low | None | 18c, 19c
CVE-2021-2207 | Oracle Database – Enterprise Edition | RMAN executable | Local Logon | No | 2.3 | Local | Low | High | None | Unchanged | None | Low | None | 12.1.0.2, 12.2.0.1, 18c, 19c

Additional CVEs addressed are:

  • The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739.
  • The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022.
  • The patch for CVE-2020-17527 also addresses CVE-2020-13943 and CVE-2020-9484.
  • The patch for CVE-2020-5360 also addresses CVE-2020-5359.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Database Configuration Assistant (Apache Commons Compress): CVE-2019-12402.

Oracle Database Server Client-Only Installations:

  • The following Oracle Database Server Vulnerability included in the Critical Patch Update affects client-only installations: CVE-2020-5360.

Oracle Global Lifecycle Management Risk Matrix

This Critical Patch Update contains 1 new security patch plus additional third party patches noted below for Oracle Global Lifecycle Management. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK values (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-3740 | Oracle Global Lifecycle Management OPatch | Patch Installer (Dell BSAFE Crypto-J) | Oracle Net | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | Prior to 12.2.0.1.22 | |

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Global Lifecycle Management OPatch
    • Patch Installer (Apache Commons Compress): CVE-2019-12402.
    • Patch Installer (jackson-databind): CVE-2020-36189, CVE-2020-14195 and CVE-2020-25649.

Oracle Graph Server and Client Risk Matrix

This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle Graph Server and Client. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for the Oracle Graph Server and Client. The English text form of this Risk Matrix can be found here.

There are no exploitable vulnerabilities for these products.

Third party patches for non-exploitable CVEs are noted below.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Graph Server and Client
    • Packaging/Install (lodash): CVE-2020-8203.

Oracle NoSQL Database Risk Matrix

This Critical Patch Update contains 4 new security patches plus additional third party patches noted below for Oracle NoSQL Database. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK values (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-13956 | Oracle NoSQL Database | Administration (Apache HttpClient) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | Prior to 20.3 | |
| CVE-2020-11612 | Oracle NoSQL Database | Administration (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 20.3 | |
| CVE-2021-22883 | Oracle NoSQL Database | Administration (Node.js) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 20.3 | |
| CVE-2020-8908 | Oracle NoSQL Database | Administration (Google Guava) | Local Logon | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | Prior to 20.3 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11612 also addresses CVE-2021-21290.
  • The patch for CVE-2021-22883 also addresses CVE-2021-22884 and CVE-2021-23840.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle NoSQL Database
    • Administration (Go): CVE-2020-24553.
    • Administration (jackson-databind): CVE-2019-14379, CVE-2019-12086, CVE-2019-16942, CVE-2020-14195, CVE-2020-24616, CVE-2020-24750, CVE-2020-25649 and CVE-2020-36189.

Oracle REST Data Services Risk Matrix

This Critical Patch Update contains 1 new security patch plus additional third party patches noted below for Oracle REST Data Services. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK values (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-27223 | Oracle REST Data Services | General (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Prior to 20.4.3.050.1904 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-27223 also addresses CVE-2020-27218.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle REST Data Services
    • General (jackson-databind): CVE-2019-14379, CVE-2019-12086, CVE-2019-16942, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-14195, CVE-2020-24750, CVE-2020-25649 and CVE-2020-36189.

Oracle Secure Backup Risk Matrix

This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle Secure Backup. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Secure Backup. The English text form of this Risk Matrix can be found here.

There are no exploitable vulnerabilities for these products.

Third party patches for non-exploitable CVEs are noted below.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Secure Backup
    • Install (Flexera InstallShield): CVE-2016-2542.
    • Oracle Secure Backup (PHP): CVE-2020-7060, CVE-2020-7059 and CVE-2020-7069.

Oracle Spatial Studio Risk Matrix

This Critical Patch Update contains 2 new security patches plus additional third party patches noted below for Oracle Spatial Studio. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK values (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-13956 | Oracle Spatial Studio | Install (Apache HttpClient) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Prior to 20.1.1 | |
| CVE-2020-7760 | Oracle Spatial Studio | Install (CodeMirror) | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | Prior to 19.1.0 | |

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Spatial Studio
    • Install (Apache POI): CVE-2019-12415.
    • Install (jackson-databind): CVE-2020-36189, CVE-2019-12086, CVE-2020-14195, CVE-2020-24750, CVE-2020-25649, CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187 and CVE-2020-36188.

Oracle SQL Developer Risk Matrix

This Critical Patch Update contains 1 new security patch plus additional third party patches noted below for Oracle SQL Developer. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK values (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-13956 | Oracle SQL Developer (Apache HttpClient) | Install (Apache HttpClient) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | Prior to 20.4.1.407.0006 | |

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle SQL Developer
    • General Infrastructure (Bootstrap): CVE-2019-8331, CVE-2018-14040, CVE-2018-14041 and CVE-2018-14042.
    • General Infrastructure (jQuery): CVE-2020-11023, CVE-2019-11358 and CVE-2020-11022.
    • Install (Apache Kafka): CVE-2019-12399.
    • Install (Apache Log4j): CVE-2020-9488.
    • Install (dom4j): CVE-2018-1000632.
    • NoSQL Extension (jackson-databind): CVE-2020-25649.
  • Oracle SQL Developer Install
    • Install (Apache POI): CVE-2019-12415.

Oracle TimesTen In-Memory Database Risk Matrix

This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle TimesTen In-Memory Database. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle TimesTen In-Memory Database. The English text form of this Risk Matrix can be found here.

There are no exploitable vulnerabilities for these products.

Third party patches for non-exploitable CVEs are noted below.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle TimesTen In-Memory Database
    • Install (Go): CVE-2020-24553, CVE-2020-14039, CVE-2020-15586, CVE-2020-16845 and CVE-2020-7919.
    • Install (Perl): CVE-2020-10878 and CVE-2020-12723.
    • Kubernetes Operator (Go): CVE-2020-24553, CVE-2020-14039, CVE-2020-15586, CVE-2020-16845 and CVE-2020-7919.

Oracle Commerce Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Commerce. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK values (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-12423 | Oracle Commerce Guided Search | Content Acquisition System (Apache CXF) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.3.2 | |
| CVE-2020-11022 | Oracle Commerce Guided Search | Workbench, Experience Manager (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.3.0, 11.3.1, 11.3.2 | |
| CVE-2020-11022 | Oracle Commerce Merchandising | Business Control Center (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.3.0, 11.3.1, 11.3.2 | |
| CVE-2020-27193 | Oracle Commerce Merchandising | Experience Manager, Business Control Center (CKEditor) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.0.0, 11.1.0, 11.2.0, 11.3.0, 11.3.1, 11.3.2 | |

Additional CVEs addressed are:

  • The patch for CVE-2019-12423 also addresses CVE-2019-12406, CVE-2019-1241, CVE-2019-12419 and CVE-2019-17573.
  • The patch for CVE-2020-11022 also addresses CVE-2019-11358 and CVE-2020-11023.
  • The patch for CVE-2020-27193 also addresses CVE-2020-9281.

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 13 new security patches for Oracle Communications Applications. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK values (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-11612 | Oracle Communications Design Studio | Inventory Services (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.4.2 | |
| CVE-2019-0228 | Oracle Communications Messaging Server | Message Store (Apache PDFBox) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1.0 | |
| CVE-2020-11612 | Oracle Communications Messaging Server | Message Store (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1.0 | |
| CVE-2020-28052 | Oracle Communications Messaging Server | Message Store (Bouncy Castle Java Library) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.2 | |
| CVE-2020-5421 | Oracle Communications Unified Inventory Management | Reservations (Spring Framework) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 7.3.4, 7.3.5 | |
| CVE-2020-24750 | Oracle Communications Calendar Server | Event Reminders (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.0 | |
| CVE-2020-24750 | Oracle Communications Contacts Server | Contact Sharing (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.0 | |
| CVE-2020-24750 | Oracle Communications Messaging Server | Security (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.1 | |
| CVE-2020-13871 | Oracle Communications Messaging Server | Message Store (SQLite) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.1 | |
| CVE-2020-11979 | Oracle Communications Unified Inventory Management | Security Component (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 7.4.0, 7.4.1 | |
| CVE-2019-10086 | Oracle Communications Unified Inventory Management | Inventory Group (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 7.3.4, 7.3.5, 7.4.0, 7.4.1 | |
| CVE-2020-13954 | Oracle Communications Messaging Server | Message Store (Apache CXF) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.1 | |
| CVE-2020-11987 | Oracle Communications MetaSolv Solution | Planning and Modeling (Apache Batik) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 6.3.0, 6.3.1 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-13871 also addresses CVE-2020-11655, CVE-2020-11656, CVE-2020-15358 and CVE-2020-9327.
  • The patch for CVE-2020-13954 also addresses CVE-2020-25649, CVE-2020-28052 and CVE-2020-36189.
  • The patch for CVE-2020-24750 also addresses CVE-2020-24616.
  • The patch for CVE-2020-28052 also addresses CVE-2020-13954, CVE-2020-25649 and CVE-2020-36189.

Oracle Communications Risk Matrix

This Critical Patch Update contains 22 new security patches for Oracle Communications. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK values (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-28052 | Oracle Communications Application Session Controller | Security (Bouncy Castle Java Library) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.9m0p3 | |
| CVE-2021-22112 | Oracle Communications Interactive Session Recorder | Provision API (Spring Security) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 6.3, 6.4 | |
| CVE-2020-10188 | Oracle Communications Performance Intelligence Center Software | Mediation server (Telnet) | Telnet | No | 8.3 | Network | Low | Low | None | Unchanged | High | High | Low | 10.4.0.2 | |
| CVE-2020-25649 | Oracle Communications Interactive Session Recorder | Provision API (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 6.3, 6.4 | |
| CVE-2020-1971 | Oracle Communications Session Border Controller | Routing (OpenSSL) | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Cz8.2, Cz8.3, Cz8.4 | |
| CVE-2020-25649 | Oracle SD-WAN Edge | Config (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 9.0 | |
| CVE-2020-17527 | Oracle SD-WAN Edge | MGMT (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 9.0 | |
| CVE-2019-10086 | Oracle Communications Performance Intelligence Center Software | PMAC (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 10.4.0.3 | |
| CVE-2020-8203 | Oracle Communications Session Border Controller | Routing (Lodash) | HTTP | No | 6.4 | Network | High | Low | Required | Unchanged | None | High | High | Cz8.4 | |
| CVE-2020-8203 | Oracle Communications Session Router | Routing (Lodash) | HTTP | No | 6.4 | Network | High | Low | Required | Unchanged | None | High | High | Cz8.4 | |
| CVE-2020-8203 | Oracle Communications Subscriber-Aware Load Balancer | Routing (Lodash) | HTTP | No | 6.4 | Network | High | Low | Required | Unchanged | None | High | High | Cz8.3, Cz8.4 | |
| CVE-2020-8203 | Oracle Enterprise Communications Broker | Routing (Lodash) | HTTP | No | 6.4 | Network | High | Low | Required | Unchanged | None | High | High | PCZ3.3 | |
| CVE-2019-3900 | Oracle SD-WAN Edge | OS (Linux Kernel) | Multiple | No | 6.3 | Network | High | Low | None | Changed | None | None | High | 8.2 | |
| CVE-2020-1927 | Oracle SD-WAN Aware | OS (Linux Kernel) | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.2 | |
| CVE-2020-17521 | Oracle Communications Services Gatekeeper | PRM (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 6.0, 6.1, 7.0 | |
| CVE-2020-11987 | Oracle Communications Application Session Controller | Security (Apache Batik) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 3.9m0p3 | |
| CVE-2020-27218 | Oracle Communications Converged Application Server – Service Controller | SC Admin server (Eclipse Jetty) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | None | Low | Low | 6.2 | |
| CVE-2020-1971 | Oracle Communications Session Router | Routing (OpenSSL) | TLS | No | 4.2 | Network | High | High | Required | Unchanged | None | None | High | Cz8.2, Cz8.3, Cz8.4 | |
| CVE-2020-1971 | Oracle Communications Subscriber-Aware Load Balancer | Routing (OpenSSL) | TLS | No | 4.2 | Network | High | High | Required | Unchanged | None | None | High | Cz8.2, Cz8.3, Cz8.4 | |
| CVE-2020-1971 | Oracle Communications Unified Session Manager | Routing (OpenSSL) | TLS | No | 4.2 | Network | High | High | Required | Unchanged | None | None | High | SCz8.2.5 | |
| CVE-2020-1971 | Oracle Enterprise Communications Broker | Routing (OpenSSL) | TLS | No | 4.2 | Network | High | High | Required | Unchanged | None | None | High | PCZ3.1, PCZ3.2, PCZ3.3 | |
| CVE-2020-1971 | Oracle Enterprise Session Border Controller | Routing (OpenSSL) | TLS | No | 4.2 | Network | High | High | Required | Unchanged | None | None | High | Cz8.2, Cz8.3, Cz8.4 | |

Additional CVEs addressed are:

  • The patch for CVE-2019-3900 also addresses CVE-2018-14613, CVE-2018-16884, CVE-2019-10638, CVE-2019-10639, CVE-2019-11487, CVE-2019-11599, CVE-2019-14898, CVE-2019-15218, CVE-2019-16746, CVE-2019-17075, CVE-2019-17133, CVE-2019-18885, CVE-2019-19052, CVE-2019-19063, CVE-2019-19066, CVE-2019-19073, CVE-2019-19074, CVE-2019-19078, CVE-2019-19535, CVE-2019-19922, CVE-2019-20812, CVE-2019-3874, CVE-2019-5108, CVE-2020-10751, CVE-2020-10769, CVE-2020-12114, CVE-2020-12771, CVE-2020-16166 and CVE-2020-24394.
  • The patch for CVE-2020-1927 also addresses CVE-2019-10098.
  • The patch for CVE-2020-25649 also addresses CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188 and CVE-2020-36189.
  • The patch for CVE-2020-27218 also addresses CVE-2020-27216.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Construction and Engineering. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK values (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-0219 | Instantis EnterpriseTrack | Browser (Apache Cordova InAppBrowser) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 17.1, 17.2, 17.3 | |
| CVE-2020-17527 | Instantis EnterpriseTrack | WebServer (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 17.1, 17.2, 17.3 | |
| CVE-2020-11022 | Primavera Unifier | Core UI (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12 | |
| CVE-2016-5725 | Primavera Gateway | Admin (JCraft JSch) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 17.12.0-17.12.10 | |
| CVE-2020-17521 | Primavera Gateway | Admin (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 17.12.0-17.12.10 | |
| CVE-2020-17521 | Primavera Unifier | Platform (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12 | |
| CVE-2020-11987 | Instantis EnterpriseTrack | Dashboards and Reports (Apache Batik) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 17.1, 17.2, 17.3 | |
| CVE-2020-13956 | Primavera Unifier | Core (HTTP Client) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 70 new security patches plus additional third party patches noted below for Oracle E-Business Suite. 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2021 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2021), My Oracle Support Note 2759182.1.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK values (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-2200 | Oracle Applications Framework | Home page | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.2.10 | |
| CVE-2021-2205 | Oracle Marketing | Marketing Administration | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.2.7-12.2.10 | |
| CVE-2021-2209 | Oracle Email Center | Message Display | HTTP | No | 8.5 | Network | Low | Low | None | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2182 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2183 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2184 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2185 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2186 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2187 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2188 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2197 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2150 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2199 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2198 | Oracle Knowledge Management | Setup, Admin | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2195 | Oracle Partner Management | Attribute Admin Setup | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2206 | Oracle Trade Management | Quotes | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2210 | Oracle Trade Management | Quotes | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2247 | Oracle Advanced Collections | Admin | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2269 | Oracle Advanced Pricing | Price Book | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.3 | |
| CVE-2021-2314 | Oracle Application Object Library | Profiles | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2222 | Oracle Bill Presentment Architecture | Template Search | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2288 | Oracle Bills of Material | Bill Issues | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2227 | Oracle Cash Management | Bank Account Transfer | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2224 | Oracle Compensation Workbench | Compensation Workbench | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2295 | Oracle Concurrent Processing | BI Publisher Integration | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2251 | Oracle CRM Technical Foundation | Data Source | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2156 | Oracle Customers Online | Customer Tab | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2229 | Oracle Depot Repair | LOVs | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2292 | Oracle Document Management and Collaboration | Document Management | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2225 | Oracle E-Business Intelligence | DBI Setups | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2274 | Oracle E-Business Tax | User Interface | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2290 | Oracle Engineering | Change Management | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2233 | Oracle Enterprise Asset Management | Setup | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2236 | Oracle Financials Common Modules | Advanced Global Intercompany | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2237 | Oracle General Ledger | Account Hierarchy Manager | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2316 | Oracle HRMS (France) | French HR | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2260 | Oracle Human Resources | iRecruitment | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.3 | |
| CVE-2021-2228 | Oracle Incentive Compensation | User Interface | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2231 | Oracle Installed Base | APIs | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.3 | |
| CVE-2021-2276 | Oracle iSetup | General Ledger Update Transform, Reports | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2241 | Oracle iStore | Shopping Cart | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2267 | Oracle Labor Distribution | User Interface | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2249 | Oracle Landed Cost Management | Shipment Workbench | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2261 | Oracle Lease and Finance Management | Quotes | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2273 | Oracle Legal Entity Configurator | Create Contracts | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2252 | Oracle Loans | Loan Details, Loan Accounting Events | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2238 | Oracle MES for Process Manufacturing | Process Operations | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.3 | |
| CVE-2021-2259 | Oracle Payables | India Localization, Results | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2289 | Oracle Product Hub | Template, GTIN search | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2254 | Oracle Project Contracts | Hold Management | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2258 | Oracle Projects | User Interface | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2262 | Oracle Purchasing | Endeca | HTTPS | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.3 | |
| CVE-2021-2268 | Oracle Quoting | Courseware | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2223 | Oracle Receivables | Receipts | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2255 | Oracle Service Contracts | Authoring | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2270 | Oracle Site Hub | Sites | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2263 | Oracle Sourcing | Intelligence, RFx | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2272 | Oracle Subledger Accounting | Inquiries | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3 | |
| CVE-2021-2239 | Oracle Time and Labor | Timecard | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
CVE-2021-2235 Oracle Transportation Execution Install and Upgrade HTTP No 8.1 Network Low Low None Un-

changed
High High None 12.1.1-12.1.3
CVE-2021-2246 Oracle Universal Work Queue Work Provider Site Level Administration HTTP No 8.1 Network Low Low None Un-

changed
High High None 12.1.1-12.1.3
CVE-2021-2271 Oracle Work in Process Resource Exceptions HTTP No 8.1 Network Low Low None Un-

changed
High High None 12.1.3, 12.2.3-12.2.8
CVE-2021-2181 Oracle Document Management and Collaboration Attachments HTTP No 7.6 Network Low High None Changed High Low None 12.1.3, 12.2.3-12.2.10
CVE-2020-1967 Application Server Technology Stack (OpenSSL) HTTPS Yes 7.5 Network Low None None Un-

changed
None None High 12.1.3
CVE-2021-2189 Oracle Sales Offline Template HTTP Yes 7.5 Network Low None None Un-

changed
None None High 12.1.1-12.1.3, 12.2.3-12.2.10
CVE-2021-2190 Oracle Sales Offline Template HTTP Yes 7.5 Network Low None None Un-

changed
None None High 12.1.1-12.1.3, 12.2.3-12.2.10
CVE-2021-2275 Oracle Applications Manager View Reports HTTP No 6.5 Network Low High None Un-

changed
High High None 12.1.3, 12.2.3-12.2.10
CVE-2017-14735 Oracle E-Business Suite Technology Stack Attachments, iRecruitment, Contracts (AntiSamy) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.1.3, 12.2.3-12.2.10
CVE-2021-2153 Oracle Internet Expenses Mobile Expenses HTTP Yes 4.3 Network Low None Required Un-

changed
None Low None 12.2.3-12.2.10
CVE-2021-2155 Oracle One-to-One Fulfillment Documents HTTP Yes 4.3 Network Low None Required Un-

changed
None Low None 12.1.1-12.1.3, 12.2.3-12.2.10

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle E-Business Suite Information Discovery
    • Installer (Apache Log4j): CVE-2020-9488.

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Enterprise Manager. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2021 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2021 Patch Availability Document for Oracle Products, My Oracle Support Note 2749094.1.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2019-17195 Enterprise Manager Base Platform Enterprise Manager Install (Nimbus JOSE+JWT) HTTP Yes 9.8 Network Low None None Unchanged High High High 13.4.0.0
CVE-2019-5064 Oracle Application Testing Suite Load Testing for Web Apps (OpenCV) HTTP Yes 8.8 Network Low None Required Unchanged High High High 13.3.0.1
CVE-2020-10878 Enterprise Manager Base Platform EM on Market Place (Perl) HTTP Yes 8.6 Network Low None None Unchanged Low Low High 13.4.0.0
CVE-2020-11994 Enterprise Manager Base Platform Reporting Framework (Apache Camel) HTTP Yes 7.5 Network Low None None Unchanged High None None 13.4.0.0
CVE-2020-1971 Enterprise Manager Ops Center Satellite Framework (OpenSSL) HTTPS Yes 7.5 Network Low None None Unchanged None None High 12.4.0.0
CVE-2021-2008 Enterprise Manager for Fusion Middleware FMW Control Plugin HTTP Yes 7.3 Network Low None None Unchanged Low Low Low 11.1.1.9, 12.2.1.3
CVE-2019-10086 Enterprise Manager for Virtualization Administration operations (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Unchanged Low Low Low 13.4.0.0
CVE-2021-2134 Enterprise Manager for Fusion Middleware FMW Control Plugin HTTP No 6.5 Network Low Low None Unchanged None None High 12.2.1.4
CVE-2021-2053 Enterprise Manager Base Platform UI Framework HTTP Yes 6.1 Network Low None Required Changed Low Low None 13.4.0.0

Additional CVEs addressed are:

  • The patch for CVE-2019-5064 also addresses CVE-2019-5063.
  • The patch for CVE-2020-10878 also addresses CVE-2020-10543 and CVE-2020-12723.
  • The patch for CVE-2020-1971 also addresses CVE-2021-23839, CVE-2021-23840 and CVE-2021-23841.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 15 new security patches for Oracle Financial Services Applications. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2020-11998 Oracle FLEXCUBE Private Banking Financial Planning (Apache ActiveMQ) HTTP Yes 9.8 Network Low None None Unchanged High High High 12.0.0, 12.1.0
CVE-2020-5413 Oracle FLEXCUBE Private Banking Order Management (Spring Integration) HTTP Yes 9.8 Network Low None None Unchanged High High High 12.0.0, 12.1.0
CVE-2019-3773 Oracle FLEXCUBE Private Banking Order Management (Spring Web Services) HTTP Yes 9.8 Network Low None None Unchanged High High High 12.0.0, 12.1.0
CVE-2019-17638 Oracle FLEXCUBE Private Banking Demographics (Eclipse Jetty) HTTP Yes 9.4 Network Low None None Unchanged High High Low 12.0.0, 12.1.0
CVE-2020-26217 Oracle Banking Platform Collections (XStream) HTTP No 8.8 Network Low Low None Unchanged High High High 2.4.0, 2.7.1, 2.9.0
CVE-2020-5421 Oracle FLEXCUBE Private Banking Financial Planning (Spring Framework) HTTP No 8.8 Network Low Low None Unchanged High High High 12.0.0, 12.1.0
CVE-2020-25649 Oracle Banking Platform Framework (jackson-databind) HTTP Yes 7.5 Network Low None None Unchanged None High None 2.6.2, 2.7.0, 2.7.1, 2.8.0, 2.9.0, 2.10.0
CVE-2019-17566 Oracle Financial Services Analytical Applications Infrastructure Rate Management (Apache Batik) HTTP Yes 7.5 Network Low None None Unchanged None High None 8.0.6-8.1.0
CVE-2019-10086 Oracle Banking Platform Collections (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Unchanged Low Low Low 2.4.0, 2.7.1, 2.9.0
CVE-2019-10086 Oracle FLEXCUBE Private Banking Loans and Pledges (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Unchanged Low Low Low 12.0.0, 12.1.0
CVE-2020-5408 Oracle FLEXCUBE Private Banking Order Management (Spring Security) HTTP No 6.5 Network Low Low None Unchanged High None None 12.0.0, 12.1.0
CVE-2020-27193 Oracle Banking Platform Alerts (CKEditor) HTTP Yes 6.1 Network Low None Required Changed Low Low None 2.4.0, 2.7.0, 2.7.1, 2.8.0, 2.9.0
CVE-2021-2140 Oracle Financial Services Analytical Applications Infrastructure Rules Framework HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.0.6-8.1.0
CVE-2020-9489 Oracle FLEXCUBE Private Banking Financial Planning (Apache Tika) None No 5.5 Local Low None Required Unchanged None None High 12.0.0, 12.1.0
CVE-2021-2141 Oracle FLEXCUBE Direct Banking Pre Login Oracle Net No 2.0 Network High High Required Unchanged None Low None 12.0.2, 12.0.3

Additional CVEs addressed are:

  • The patch for CVE-2019-10086 also addresses CVE-2020-5413 and CVE-2020-9489.
  • The patch for CVE-2019-17638 also addresses CVE-2019-17632 and CVE-2020-27218.
  • The patch for CVE-2019-3773 also addresses CVE-2019-10086, CVE-2020-5413 and CVE-2020-9489.
  • The patch for CVE-2020-11998 also addresses CVE-2020-11973 and CVE-2020-1941.
  • The patch for CVE-2020-25649 also addresses CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188 and CVE-2020-36189.
  • The patch for CVE-2020-27193 also addresses CVE-2020-9281.
  • The patch for CVE-2020-5408 also addresses CVE-2020-5407.
  • The patch for CVE-2020-5413 also addresses CVE-2019-10086 and CVE-2020-9489.
  • The patch for CVE-2020-5421 also addresses CVE-2020-5408.
  • The patch for CVE-2020-9489 also addresses CVE-2019-10086, CVE-2020-5408 and CVE-2020-5413.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Food and Beverage Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2018-20843 Oracle Hospitality RES 3700 Common (LibExpat) HTTP Yes 7.5 Network Low None None Unchanged None None High 5.7.0-5.7.6
CVE-2021-2311 Oracle Hospitality Inventory Management Export to Reporting and Analytics HTTP No 6.5 Network Low Low None Unchanged High None None 9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 45 new security patches for Oracle Fusion Middleware. 36 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update April 2021 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2021 Patch Availability Document for Oracle Products, My Oracle Support Note 2749094.1.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2020-9480 Oracle Business Intelligence Enterprise Edition Analytics Server (Apache Spark) HTTP Yes 9.8 Network Low None None Unchanged High High High 5.5.0.0.0
CVE-2020-10683 Oracle Fusion Middleware Centralized Thirdparty Jars (dom4j) HTTP Yes 9.8 Network Low None None Unchanged High High High 12.2.1.4.0
CVE-2021-2302 Oracle Platform Security for Java OPSS HTTP Yes 9.8 Network Low None None Unchanged High High High 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-11612 Oracle WebCenter Portal Security Framework (Netty) HTTP Yes 9.8 Network Low None None Unchanged High High High 12.2.1.3.0, 12.2.1.4.0
CVE-2021-2136 Oracle WebLogic Server Core IIOP Yes 9.8 Network Low None None Unchanged High High High 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2021-2135 Oracle WebLogic Server Coherence Container T3, IIOP Yes 9.8 Network Low None None Unchanged High High High 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2019-17638 FMW Platform Common Components (Eclipse Jetty) HTTP Yes 9.4 Network Low None None Unchanged High High Low 12.2.1.3.0, 12.2.1.4.0
CVE-2020-26217 Oracle BAM (Business Activity Monitoring) General (XStream) HTTP No 8.8 Network Low Low None Unchanged High High High 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-26217 Oracle Endeca Information Discovery Studio Studio (XStream) HTTP No 8.8 Network Low Low None Unchanged High High High 3.2.0.0
CVE-2020-5421 Oracle Fusion Middleware Centralized Thirdparty Jars (Spring Framework) HTTP No 8.8 Network Low Low None Unchanged High High High 12.2.1.3.0, 12.2.1.4.0
CVE-2021-2242 Oracle Outside In Technology Outside In Filters HTTP Yes 8.2 Network Low None None Unchanged Low High None 8.5.5 See Note 1
CVE-2020-24750 Oracle Identity Manager Connector General and Misc (jackson-databind) HTTP Yes 8.1 Network High None None Unchanged High High High 11.1.1.5.0
CVE-2020-11979 Oracle API Gateway Oracle API Gateway (Apache Ant) HTTP Yes 7.5 Network Low None None Unchanged None High None 11.1.2.4.0
CVE-2019-17566 Oracle API Gateway Oracle API Gateway (Apache Batik) HTTP Yes 7.5 Network Low None None Unchanged None High None 11.1.2.4.0
CVE-2020-1971 Oracle API Gateway Oracle API Gateway (OpenSSL) HTTPS Yes 7.5 Network Low None None Unchanged None None High 11.1.2.4.0
CVE-2020-1971 Oracle Business Intelligence Enterprise Edition BI Platform Security (OpenSSL) HTTPS Yes 7.5 Network Low None None Unchanged None None High 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2021-2277 Oracle Coherence Core HTTP Yes 7.5 Network Low None None Unchanged High None None 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-25649 Oracle Coherence Core (jackson-databind) HTTP Yes 7.5 Network Low None None Unchanged None High None 12.2.1.4.0, 14.1.1.0.0
CVE-2020-11979 Oracle Endeca Information Discovery Studio Studio (Apache Ant) HTTP Yes 7.5 Network Low None None Unchanged None High None 3.2.0.0
CVE-2018-1000180 Oracle Enterprise Repository Security Subsystem (Bouncy Castle Java Library) HTTPS Yes 7.5 Network Low None None Unchanged High None None 11.1.1.7.0
CVE-2019-17566 Oracle Fusion Middleware MapViewer Install (Apache Batik) HTTP Yes 7.5 Network Low None None Unchanged None High None 12.2.1.4.0
CVE-2020-5360 Oracle HTTP Server SSL Module (Dell BSAFE Micro Edition Suite) HTTPS Yes 7.5 Network Low None None Unchanged None None High 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-5360 Oracle Security Service C Oracle SSL API (Dell BSAFE Micro Edition Suite) Multiple Yes 7.5 Network Low None None Unchanged None None High 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-12402 Oracle WebCenter Portal Security Framework (Apache Commons Compress) HTTP Yes 7.5 Network Low None None Unchanged None None High 12.2.1.3.0, 12.2.1.4.0
CVE-2021-2157 Oracle WebLogic Server TopLink Integration HTTP Yes 7.5 Network Low None None Unchanged High None None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-5360 Oracle WebLogic Server Proxy Plug-In SSL Module (Dell BSAFE Micro Edition Suite) HTTPS Yes 7.5 Network Low None None Unchanged None None High 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-10086 Oracle Fusion Middleware Centralized Thirdparty Jars (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Unchanged Low Low Low 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2021-2240 Oracle Outside In Technology Outside In Filters HTTP Yes 7.3 Network Low None None Unchanged Low Low Low 8.5.5 See Note 1
CVE-2019-10086 Oracle Service Bus Web Container (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Unchanged Low Low Low 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-10086 Oracle WebLogic Server Core (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Unchanged Low Low Low 10.3.6.0.0
CVE-2019-3740 Oracle WebLogic Server Core (Dell BSAFE Crypto-J) HTTPS Yes 6.5 Network Low None Required Unchanged High None None 10.3.6.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2021-2294 Oracle WebLogic Server Core T3, IIOP Yes 6.5 Network Low None None Unchanged None Low Low 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2019-0221 Oracle Business Intelligence Enterprise Edition BI Platform Security (Apache Tomcat) HTTP Yes 6.1 Network Low None Required Changed Low Low None 5.5.0.0.0
CVE-2020-11022 Oracle Business Intelligence Enterprise Edition BI Platform Security (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-11022 Oracle Fusion Middleware MapViewer Install (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.4.0
CVE-2021-2142 Oracle WebLogic Server Console HTTP Yes 6.1 Network Low None Required Changed Low Low None 10.3.6.0.0
CVE-2021-2211 Oracle WebLogic Server Web Services T3, IIOP Yes 5.9 Network High None None Unchanged High None None 10.3.6.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-27842 Oracle Outside In Technology Installation (OpenJPEG) None No 5.5 Local Low None Required Unchanged None None High 8.5.5 See Note 1
CVE-2021-20227 Oracle Outside In Technology Installation (SQLite) None No 5.5 Local Low Low None Unchanged None None High 8.5.5 See Note 1
CVE-2020-9489 Oracle WebCenter Portal Security Framework (Apache Tika) None No 5.5 Local Low None Required Unchanged None None High 12.2.1.3.0, 12.2.1.4.0
CVE-2021-2191 Oracle Business Intelligence Enterprise Edition Analytics Actions HTTP No 5.4 Network Low Low Required Changed Low Low None 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2021-2315 Oracle HTTP Server Web Listener HTTP Yes 5.4 Network Low None Required Unchanged Low Low None 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2021-2204 Oracle WebLogic Server Core HTTP Yes 5.3 Network Low None None Unchanged Low None None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2021-2214 Oracle WebLogic Server Console HTTP No 4.4 Network High High None Unchanged High None None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2021-2152 Oracle Business Intelligence Enterprise Edition Analytics Web General HTTP No 4.0 Network High High Required Changed Low Low None 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0

Notes:

  1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS Base Score depend on the software that uses Outside In Technology. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are:

  • The patch for CVE-2018-1000180 also addresses CVE-2018-1000613.
  • The patch for CVE-2019-17566 also addresses CVE-2020-11987.
  • The patch for CVE-2019-17638 also addresses CVE-2019-0232, CVE-2019-10072, CVE-2019-10246, CVE-2019-10247, CVE-2019-17632, CVE-2020-13934, CVE-2020-13935 and CVE-2020-9484.
  • The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739.
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2020-11979 also addresses CVE-2017-5645 and CVE-2020-1945.
  • The patch for CVE-2020-24750 also addresses CVE-2020-24616.
  • The patch for CVE-2020-26217 also addresses CVE-2019-10173.
  • The patch for CVE-2020-27842 also addresses CVE-2020-27841, CVE-2020-27843, CVE-2020-27844 and CVE-2020-27845.
  • The patch for CVE-2020-5360 also addresses CVE-2020-5359.
  • The patch for CVE-2021-20227 also addresses CVE-2020-13434 and CVE-2020-13435.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle WebLogic Server
    • Core: CVE-2019-17638, CVE-2019-0232, CVE-2019-10072, CVE-2019-10246, CVE-2019-10247, CVE-2019-17632, CVE-2020-13934, CVE-2020-13935 and CVE-2020-9484.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Health Sciences Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2020-1945 Oracle Health Sciences Information Manager Health Record Locator (Apache Ant) HTTP Yes 9.1 Network Low None None Unchanged High High None 3.0.0-3.0.2
CVE-2020-25649 Oracle Health Sciences Empirica Signal Topics, REST Services (jackson-databind) HTTP Yes 7.5 Network Low None None Unchanged None High None 9.0, 9.1
CVE-2019-10086 Oracle Healthcare Foundation Self Service Analytics (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Unchanged Low Low Low 7.1.5, 7.2.2, 7.3.0, 7.3.1, 8.0.1

Additional CVEs addressed are:

  • The patch for CVE-2020-1945 also addresses CVE-2017-5645.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Hospitality Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2018-1285 Oracle Hospitality OPERA 5 Logging (Apache log4net) HTTP Yes 9.8 Network Low None None Unchanged High High High 5.5, 5.6
CVE-2020-17530 Oracle Hospitality OPERA 5 Login (Apache Struts) HTTP Yes 9.8 Network Low None None Unchanged High High High 5.6
CVE-2021-22112 Oracle Hospitality Cruise Shipboard Property Management System Next-Gen SPMS (Spring Security) HTTP No 8.8 Network Low Low None Unchanged High High High 20.1.0
CVE-2019-17566 Oracle Hospitality OPERA 5 Integration (Apache Batik) HTTP Yes 7.5 Network Low None None Unchanged None High None 5.5, 5.6
CVE-2019-10086 Oracle Hospitality OPERA 5 Integrations (Apache Commons Beanutils) HTTP Yes 7.3 Network Low None None Unchanged Low Low Low 5.5, 5.6
CVE-2020-17521 Oracle Hospitality OPERA 5 Reporting (Apache Groovy) None No 5.5 Local Low Low None Unchanged High None None 5.6, 5.6

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Hyperion. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2021-2244 Hyperion Analytic Provider Services JAPI HTTP Yes 9.6 Network Low None Required Changed High High High 11.1.2.4, 12.2.1.4
CVE-2021-2158 Hyperion Financial Management Task Automation HTTP No 3.9 Network High High Required Unchanged Low Low Low 11.1.2.4

Oracle iLearning Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle iLearning. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2020-17521 Oracle iLearning Installation (Apache Groovy) None No 5.5 Local Low Low None Unchanged High None None 6.2, 6.3

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Insurance Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2019-10086 Oracle Insurance Data Gateway Security (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Unchanged Low Low Low 1.0.2.3

Oracle Java SE Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2021-23841 Oracle GraalVM Enterprise Edition Node (OpenSSL) HTTPS Yes 7.5 Network Low None None Unchanged None None High Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2, 21.0.0.2
CVE-2021-3450 Oracle GraalVM Enterprise Edition Node (Node.js) HTTPS Yes 7.4 Network High None None Unchanged High High None Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2, 21.0.0.2
CVE-2021-2161 Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition Libraries Multiple Yes 5.9 Network High None None Unchanged None High None Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2, 21.0.0.2 See Note 1
CVE-2021-2163 Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition Libraries Multiple Yes 5.3 Network High None Required Unchanged None High None Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2, 21.0.0.2 See Note 2

Notes:

  1. This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component.
  2. This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Additional CVEs addressed are:

  • The patch for CVE-2021-23841 also addresses CVE-2021-23839 and CVE-2021-23840.
  • The patch for CVE-2021-3450 also addresses CVE-2020-7774, CVE-2021-22883, CVE-2021-22884 and CVE-2021-3449.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 10 new security patches for Oracle JD Edwards. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req’d, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2020-28052 JD Edwards EnterpriseOne Tools E1 Dev Platform Tech – Cloud (Bouncy Castle Java Library) HTTPS Yes 9.8 Network Low None None Unchanged High High High Prior to 9.2.5.3
CVE-2019-17566 JD Edwards EnterpriseOne Tools Web Runtime (Apache Batik) HTTP Yes 7.5 Network Low None None Unchanged None High None Prior to 9.2.4.0
CVE-2020-1971 JD Edwards EnterpriseOne Tools OneWorld Tools Security (OpenSSL) HTTPS Yes 7.5 Network Low None None Unchanged None None High Prior to 9.2.5.3
CVE-2020-1971 JD Edwards World Security World Software Security (OpenSSL) HTTPS Yes 7.5 Network Low None None Unchanged None None High A9.4
CVE-2019-10086 JD Edwards EnterpriseOne Orchestrator E1 IOT Orchestrator Security (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Unchanged Low Low Low Prior to 9.2.5.3
CVE-2019-10086 JD Edwards EnterpriseOne Tools Portal SEC (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Unchanged Low Low Low Prior to 9.2.5.3
CVE-2020-9281 JD Edwards EnterpriseOne Tools Web Runtime (CKEditor) HTTP Yes 6.1 Network Low None Required Changed Low Low None Prior to 9.2.5.2
CVE-2020-11022 JD Edwards EnterpriseOne Tools Web Runtime (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None Prior to 9.2.5.0
CVE-2016-5725 JD Edwards EnterpriseOne Tools Enterprise Infrastructure SEC (JCraft JSch) SFTP Yes 5.9 Network High None None Unchanged None High None Prior to 9.2.5.0
CVE-2020-9488 JD Edwards World Security World Software Security (Apache Log4j) HTTP Yes 3.7 Network High None None Unchanged Low None None A9.4

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2019-11358 and CVE-2019-5428.
  • The patch for CVE-2020-1971 also addresses CVE-2019-1551, CVE-2020-1967, CVE-2020-1968 and CVE-2020-9488.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 49 new security patches for Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-17530 | MySQL Enterprise Monitor | Monitoring: General (Apache Struts) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.23 and prior | |
| CVE-2020-8277 | MySQL Cluster | Cluster: JS module (Node.js) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2020-17527 | MySQL Enterprise Monitor | Monitoring: General (Apache Tomcat) | Apache JServ Protocol (AJP) | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.0.23 and prior | |
| CVE-2021-23841 | MySQL Enterprise Monitor | Monitoring: General (OpenSSL) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2020-1971 | MySQL Server | Server: Compiling (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.7.32 and prior, 8.0.22 and prior | |
| CVE-2021-3449 | MySQL Server | Server: Packaging (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.7.33 and prior, 8.0.23 and prior | |
| CVE-2020-28196 | MySQL Server | Server: Security: Encryption (MIT Kerberos) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-23841 | MySQL Server | Server: Security: Encryption (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.7.33 and prior, 8.0.23 and prior | |
| CVE-2021-3450 | MySQL Workbench | MySQL Workbench (OpenSSL) | MySQL Workbench | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 8.0.23 and prior | |
| CVE-2021-2144 | MySQL Server | Server: Parser | MySQL Protocol | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 5.7.29 and prior, 8.0.19 and prior | |
| CVE-2021-2172 | MySQL Server | Server: DML | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2298 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2178 | MySQL Server | Server: Replication | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.7.32 and prior, 8.0.22 and prior | |
| CVE-2021-2202 | MySQL Server | Server: Replication | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.7.32 and prior, 8.0.22 and prior | |
| CVE-2021-2307 | MySQL Server | Server: Packaging | None | No | 6.1 | Local | Low | None | Required | Unchanged | High | Low | None | 5.7.33 and prior, 8.0.23 and prior | |
| CVE-2021-2304 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.23 and prior | |
| CVE-2019-7317 | MySQL Workbench | Workbench (libpng) | MySQL Workbench | Yes | 5.3 | Network | High | None | Required | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2180 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.33 and prior, 8.0.23 and prior | |
| CVE-2021-2194 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.33 and prior, 8.0.23 and prior | |
| CVE-2021-2154 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.33 and prior | |
| CVE-2021-2166 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.33 and prior, 8.0.23 and prior | |
| CVE-2021-2196 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2300 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2305 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2179 | MySQL Server | Server: Group Replication Plugin | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.33 and prior, 8.0.23 and prior | |
| CVE-2021-2226 | MySQL Server | Server: Information Schema | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | High | None | None | 5.7.33 and prior, 8.0.23 and prior | |
| CVE-2021-2160 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.30 and prior, 8.0.17 and prior | |
| CVE-2021-2164 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2169 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.33 and prior, 8.0.23 and prior | |
| CVE-2021-2170 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2193 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2203 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2212 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2213 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2278 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2299 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2230 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2146 | MySQL Server | Server: Options | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.33 and prior, 8.0.23 and prior | |
| CVE-2021-2201 | MySQL Server | Server: Partition | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2208 | MySQL Server | Server: Partition | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2215 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2217 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2293 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.23 and prior | |
| CVE-2021-2174 | MySQL Server | InnoDB | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.7.33 and prior, 8.0.23 and prior | |
| CVE-2021-2171 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.7.33 and prior, 8.0.23 and prior | |
| CVE-2021-2162 | MySQL Server | Server: Audit Plug-in | MySQL Protocol | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 5.7.33 and prior, 8.0.23 and prior | |
| CVE-2021-2301 | MySQL Server | Server: Information Schema | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 8.0.23 and prior | |
| CVE-2021-2308 | MySQL Server | Server: Information Schema | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 8.0.23 and prior | |
| CVE-2021-2232 | MySQL Server | Server: Group Replication Plugin | None | No | 1.9 | Local | High | High | None | Unchanged | None | None | Low | 8.0.23 and prior | |

Additional CVEs addressed are:

  • The patch for CVE-2019-7317 also addresses CVE-2018-14550.
  • The patch for CVE-2020-17530 also addresses CVE-2019-0230 and CVE-2019-0233.
  • The patch for CVE-2021-23841 also addresses CVE-2021-23840.
  • The patch for CVE-2021-3449 also addresses CVE-2021-3450.
  • The patch for CVE-2021-3450 also addresses CVE-2021-3449.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 18 new security patches plus additional third party patches noted below for Oracle PeopleSoft. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-2218 | PeopleSoft Enterprise PT PeopleTools | Health Center | HTTP | Yes | 8.3 | Network | Low | None | None | Changed | Low | Low | Low | 8.56, 8.57 | |
| CVE-2020-28052 | PeopleSoft Enterprise PeopleTools | XML Messaging (Bouncy Castle Java Library) | HTTPS | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.56, 8.57, 8.58 | |
| CVE-2020-8286 | PeopleSoft Enterprise PeopleTools | File Processing (cURL) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 8.58 | |
| CVE-2017-18640 | PeopleSoft Enterprise PT PeopleTools | Application Server (SnakeYAML) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.56, 8.57, 8.58 | |
| CVE-2021-2219 | PeopleSoft Enterprise PeopleTools | SQR | HTTP | No | 7.4 | Network | Low | Low | None | Changed | Low | Low | Low | 8.56, 8.57, 8.58 | |
| CVE-2019-10086 | PeopleSoft Enterprise PT PeopleTools | Weblogic (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.56, 8.57, 8.58 | |
| CVE-2017-1000061 | PeopleSoft Enterprise PeopleTools | XML Messaging (xmlSec) | None | No | 7.1 | Local | Low | None | Required | Unchanged | High | None | High | 8.56, 8.57, 8.58 | |
| CVE-2021-2151 | PeopleSoft Enterprise PeopleTools | Security | HTTP | No | 6.7 | Network | Low | High | None | Unchanged | Low | High | High | 8.56, 8.57, 8.58 | |
| CVE-2020-11022 | PeopleSoft Enterprise FIN Common Application Objects | Common Objects (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.2 | |
| CVE-2020-11022 | PeopleSoft Enterprise FIN Expenses | Expenses (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.2 | |
| CVE-2021-2216 | PeopleSoft Enterprise PeopleTools | Multichannel Framework | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-27193 | PeopleSoft Enterprise PeopleTools | Rich Text Editor (CKEditor) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-11022 | PeopleSoft Enterprise PT PeopleTools | Weblogic (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-11022 | PeopleSoft Enterprise SCM eProcurement | Manage Requisition Status (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.2 | |
| CVE-2020-11022 | PeopleSoft Enterprise SCM Purchasing | Purchasing (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.2 | |
| CVE-2020-1971 | PeopleSoft Enterprise PeopleTools | Security (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 8.56, 8.57, 8.58 | |
| CVE-2021-2220 | PeopleSoft Enterprise SCM eProcurement | Manage Requisition Status | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 9.2 | |
| CVE-2021-2159 | PeopleSoft Enterprise CS Campus Community | Frameworks | HTTP | No | 3.5 | Network | Low | Low | Required | Unchanged | Low | None | None | 9.2 | |

Additional CVEs addressed are:

  • The patch for CVE-2017-18640 also addresses CVE-2019-12402.
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2020-8286 also addresses CVE-2020-8284 and CVE-2020-8285.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • PeopleSoft Enterprise PeopleTools
    • Security (Apache Log4j): CVE-2019-17571.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 35 new security patches for Oracle Retail Applications. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-10683 | Oracle Retail Xstore Point of Service | Xenvironment (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 15.0.4, 16.0.6, 17.0.4, 18.0.3 | |
| CVE-2019-0228 | Oracle Retail Xstore Point of Service | Xstore Office (Apache PDFbox) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 16.0.6, 18.0.3 | |
| CVE-2020-5421 | Oracle Retail Predictive Application Server | RPAS Fusion Client (Spring Framework) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 14.1 | |
| CVE-2020-5421 | Oracle Retail Xstore Point of Service | Xenvironment (Spring Framework) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 15.0.4, 16.0.6, 17.0.4, 18.0.3, 19.0.2 | |
| CVE-2020-11979 | Oracle Retail Advanced Inventory Planning | Operations & Maintenance (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14.1 | |
| CVE-2020-11979 | Oracle Retail Assortment Planning | Custom Workbooks (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.0.3 | |
| CVE-2020-11987 | Oracle Retail Back Office | Pricing (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14.1 | |
| CVE-2020-11979 | Oracle Retail Category Management Planning & Optimization | ODI Integration (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.0.3 | |
| CVE-2020-11987 | Oracle Retail Central Office | Pricing (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14.1 | |
| CVE-2020-11979 | Oracle Retail EFTLink | Unified Payments (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 19.0.1, 20.0.0 | |
| CVE-2020-11979 | Oracle Retail Item Planning | AAI Framework (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.0.3 | |
| CVE-2020-11979 | Oracle Retail Macro Space Optimization | ODI Integration (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.0.3 | |
| CVE-2020-11979 | Oracle Retail Merchandise Financial Planning | Merchandising Insights (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.0.3 | |
| CVE-2020-11979 | Oracle Retail Merchandising System | Financials (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.0.3 | |
| CVE-2020-11987 | Oracle Retail Point-of-Service | Mobile POS (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14.1 | |
| CVE-2020-11979 | Oracle Retail Predictive Application Server | RPAS Fusion Client (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14.1 | |
| CVE-2020-11979 | Oracle Retail Regular Price Optimization | Operations & Maintenance (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.0.3 | |
| CVE-2020-11979 | Oracle Retail Replenishment Optimization | AAI Framework (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.0.3 | |
| CVE-2020-11987 | Oracle Retail Returns Management | Main Dashboard (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14.1 | |
| CVE-2017-12626 | Oracle Retail Sales Audit | Sales Audit Maintenance (Apache POI) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.0 | |
| CVE-2020-11979 | Oracle Retail Size Profile Optimization | Solver (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.0.3 | |
| CVE-2020-11979 | Oracle Retail Xstore Point of Service | Xenvironment (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 15.0.4, 16.0.6, 17.0.4, 18.0.3, 19.0.2 | |
| CVE-2019-10086 | Oracle Retail Advanced Inventory Planning | Operations & Maintenance (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 14.1 | |
| CVE-2019-10086 | Oracle Retail Back Office | Pricing (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 14.1 | |
| CVE-2019-10086 | Oracle Retail Central Office | Commerce Anywhere (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 14.1 | |
| CVE-2019-10086 | Oracle Retail Point-of-Service | Pricing (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 14.1 | |
| CVE-2019-10086 | Oracle Retail Predictive Application Server | RPAS Fusion Client (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 16.0 | |
| CVE-2019-10086 | Oracle Retail Returns Management | Main Dashboard (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 14.1 | |
| CVE-2019-3740 | Oracle Retail Predictive Application Server | RPAS Server (DELL BSAFE Crypto-J) | HTTPS | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 15.0 | |
| CVE-2020-17521 | Oracle Retail Merchandising System | Foundation (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 16.0.3 | |
| CVE-2020-17521 | Oracle Retail Store Inventory Management | SIM Integration (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 14.1.3.10, 15.0.3.5, 16.0.3.5 | |
| CVE-2020-27218 | Oracle Retail EFTLink | Unified Payments (Eclipse Jetty) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | None | Low | Low | 20.0.0 | |
| CVE-2020-9488 | Oracle Retail EFTLink | Unified Payments (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 15.0.2, 16.0.3, 17.0.2, 18.0.1, 19.0.1 | |
| CVE-2020-9488 | Oracle Retail Insights Cloud Service Suite | OBIEE – Metadata (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 19.0 | |
| CVE-2020-9488 | Oracle Retail Xstore Point of Service | Xenvironment (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 15.0.4, 16.0.6, 17.0.4, 18.0.3, 19.0.2 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11979 also addresses CVE-2017-5645 and CVE-2020-1945.
  • The patch for CVE-2020-11987 also addresses CVE-2019-17566.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Siebel CRM. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14195 | Siebel UI Framework | EAI (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 21.2 and prior | |
| CVE-2020-5398 | Siebel Engineering – Installer & Deployment | Siebel Approval Manager (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 21.1 and prior | |
| CVE-2019-0227 | Siebel UI Framework | SWSE Server (Apache Axis) | HTTP | Yes | 7.5 | Adjacent Network | High | None | None | Unchanged | High | High | High | 21.0 and prior | |
| CVE-2019-10080 | Siebel UI Framework | EAI (Jersey) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 21.2 and prior | |
| CVE-2020-9281 | Siebel Apps – Customer Order Management | Customizable Prod/Configurator (CKEditor) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 21.0 and prior | |
| CVE-2016-7103 | Siebel UI Framework | UIF Open UI (jQuery UI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 21.2 and prior | |
| CVE-2019-11358 | Siebel UI Framework | UIF Open UI (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 21.2 and prior | |
| CVE-2020-9488 | Siebel UI Framework | EAI (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 21.2 and prior | |

Additional CVEs addressed are:

  • The patch for CVE-2019-0227 also addresses CVE-2018-8032.
  • The patch for CVE-2020-14195 also addresses CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-24616 and CVE-2020-24750.

Oracle Storage Gateway Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Storage Gateway. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-2317 | Oracle Cloud Infrastructure Storage Gateway | Management Console | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | Prior to 1.4 | See Note 1 |
| CVE-2021-2256 | Oracle Storage Cloud Software Appliance | Management Console | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | Prior to 16.3.1.4.2 | See Note 2 |
| CVE-2021-2318 | Oracle Cloud Infrastructure Storage Gateway | Management Console | HTTP | No | 9.1 | Network | Low | High | None | Changed | High | High | High | Prior to 1.4 | See Note 1 |
| CVE-2021-2319 | Oracle Cloud Infrastructure Storage Gateway | Management Console | HTTP | No | 9.1 | Network | Low | High | None | Changed | High | High | High | Prior to 1.4 | See Note 1 |
| CVE-2021-2320 | Oracle Cloud Infrastructure Storage Gateway | Management Console | HTTP | No | 9.1 | Network | Low | High | None | Changed | High | High | High | Prior to 1.4 | See Note 1 |
| CVE-2021-2257 | Oracle Storage Cloud Software Appliance | Management Console | HTTP | No | 4.1 | Network | Low | High | None | Changed | Low | None | None | Prior to 16.3.1.4.2 | See Note 2 |

Notes:

  1. Updating the Oracle Cloud Infrastructure Storage Gateway to version 1.4 or later will address these vulnerabilities. Download the latest version of Oracle Cloud Infrastructure Storage Gateway from here. Refer to Document 2768897.1 for more details.
  2. Updating the Oracle Storage Cloud Software Appliance to version 16.3.1.4.2 or later will address these vulnerabilities. Download the latest version of Oracle Storage Cloud Software Appliance from here. Refer to Document 2768897.1 for more details.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Supply Chain. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-2904 | Oracle Rapid Planning | User interface (Application Development Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1.3 | |
| CVE-2021-2253 | Oracle Advanced Supply Chain Planning | Core | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1, 12.2 | |
| CVE-2019-10086 | Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite | Installer (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 3.5, 3.6 | |
| CVE-2019-10086 | Agile Product Lifecycle Management Integration Pack for SAP: Design to Release | Core (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 3.5, 3.6 | |
| CVE-2019-10086 | Oracle Agile PLM | Security (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 9.3.3, 9.3.5, 9.3.6 | |

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Support Tools. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-2303 | OSS Support Tools | Diagnostic Assistant | HTTP | No | 4.9 | Network | Low | High | None | Unchanged | High | None | None | Prior to 2.12.41 | |

Oracle Systems Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Systems. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-1472 | Oracle ZFS Storage Appliance Kit | Operating System Image | Multiple | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 8.8 | |
| CVE-2021-2167 | Oracle Solaris | Common Desktop Environment | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 10 | |
| CVE-2021-2192 | Oracle Solaris | Kernel | None | No | 6.1 | Local | Low | Low | None | Unchanged | None | Low | High | 11 | See Note 1 |
| CVE-2021-2149 | Oracle ZFS Storage Appliance Kit | Core | None | No | 2.5 | Local | High | Low | None | Unchanged | None | Low | None | 8.8 | |
| CVE-2021-2147 | Oracle ZFS Storage Appliance Kit | Installation | None | No | 1.8 | Local | High | High | Required | Unchanged | None | Low | None | 8.8 | |

Notes:

  1. This vulnerability applies to Oracle Solaris on SPARC systems only.

Additional CVEs addressed are:

  • The patch for CVE-2020-1472 also addresses CVE-2020-26418, CVE-2020-26419, CVE-2020-26420, CVE-2020-26421, CVE-2020-26422, CVE-2021-22173, CVE-2021-22174, CVE-2021-22191 and CVE-2021-23336.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Utilities Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-17495 | Oracle Utilities Framework | General (Swagger UI) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | |
| CVE-2020-28052 | Oracle Utilities Framework | Security (Bouncy Castle Java Library) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0 | |
| CVE-2020-11979 | Oracle Utilities Framework | General (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | |
| CVE-2020-25649 | Oracle Utilities Framework | General (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0 | |
| CVE-2019-10086 | Oracle Utilities Framework | General (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0 | |

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 25 new security patches for Oracle Virtualization. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Base Score through Availability are the CVSS Version 3.1 risk columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-2177 | Oracle Secure Global Desktop | Gateway | Multiple | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 5.6 | |
| CVE-2021-2248 | Oracle Secure Global Desktop | Server | Multiple | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 5.6 | |
| CVE-2021-2221 | Oracle Secure Global Desktop | Client | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 5.6 | |
| CVE-2021-2264 | Oracle VM VirtualBox | Core | None | No | 8.4 | Local | Low | Low | None | Changed | High | High | None | Prior to 6.1.20 | See Note 1 |
| CVE-2021-2279 | Oracle VM VirtualBox | Core | RDP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | Prior to 6.1.20 | |
| CVE-2021-2309 | Oracle VM VirtualBox | Core | None | No | 7.5 | Local | High | High | None | Changed | High | High | High | Prior to 6.1.20 | |
| CVE-2021-2250 | Oracle VM VirtualBox | Core | None | No | 7.5 | Local | High | High | None | Changed | High | High | High | Prior to 6.1.20 | See Note 2 |
| CVE-2021-2145 | Oracle VM VirtualBox | Core | None | No | 7.5 | Local | High | High | None | Changed | High | High | High | Prior to 6.1.20 | |
| CVE-2021-2310 | Oracle VM VirtualBox | Core | None | No | 7.5 | Local | High | High | None | Changed | High | High | High | Prior to 6.1.20 | |
| CVE-2021-3450 | Oracle Secure Global Desktop | Core (OpenSSL) | HTTPS | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 5.6 | |
| CVE-2021-2280 | Oracle VM VirtualBox | Core | None | No | 7.1 | Local | Low | None | None | Changed | High | None | None | Prior to 6.1.20 | |
| CVE-2021-2281 | Oracle VM VirtualBox | Core | None | No | 7.1 | Local | Low | None | None | Changed | None | High | None | Prior to 6.1.20 | |
| CVE-2021-2282 | Oracle VM VirtualBox | Core | None | No | 7.1 | Local | Low | None | None | Changed | High | None | None | Prior to 6.1.20 | |
| CVE-2021-2283 | Oracle VM VirtualBox | Core | None | No | 7.1 | Local | Low | None | None | Changed | High | None | None | Prior to 6.1.20 | |
| CVE-2021-2284 | Oracle VM VirtualBox | Core | None | No | 7.1 | Local | Low | None | None | Changed | None | High | None | Prior to 6.1.20 | |
| CVE-2021-2285 | Oracle VM VirtualBox | Core | None | No | 7.1 | Local | Low | None | None | Changed | High | None | None | Prior to 6.1.20 | |
| CVE-2021-2286 | Oracle VM VirtualBox | Core | None | No | 7.1 | Local | Low | None | None | Changed | None | High | None | Prior to 6.1.20 | |
| CVE-2021-2287 | Oracle VM VirtualBox | Core | None | No | 7.1 | Local | Low | None | None | Changed | High | None | None | Prior to 6.1.20 | |
| CVE-2021-2306 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.20 | |
| CVE-2021-2266 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.20 | |
| CVE-2021-2321 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.20 | |
| CVE-2021-2296 | Oracle VM VirtualBox | Core | None | No | 5.3 | Local | High | High | None | Changed | High | None | None | Prior to 6.1.20 | |
| CVE-2021-2297 | Oracle VM VirtualBox | Core | None | No | 5.3 | Local | High | High | None | Changed | High | None | None | Prior to 6.1.20 | |
| CVE-2021-2291 | Oracle VM VirtualBox | Core | None | No | 4.7 | Local | High | Low | None | Unchanged | High | None | None | Prior to 6.1.20 | |
| CVE-2021-2312 | Oracle VM VirtualBox | Core | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | Prior to 6.1.20 | See Note 2 |

Notes:

  1. This vulnerability applies to Linux systems only.
  2. This vulnerability applies to Windows systems only.

Additional CVEs addressed are:

  • The patch for CVE-2021-3450 also addresses CVE-2021-3449.
