Oracle has released its Critical Patch Update for October 2021 to include 419 vulnerability fixes across multiple products.
The company also continues to receive reports of remote attackers attempting to maliciously exploit unpatched vulnerabilities.
In some cases, the malicious actors have successfully exploited vulnerabilities because organizations failed to apply the necessary Oracle patches.
Oracle Database product patches
As part of the Critical Patch Update (CPU), Oracle has addressed 9 vulnerabilities in Oracle Database products.
Two of the Oracle Database vulnerabilities are rated High severity to include one vulnerability in Oracle Database Enterprise Edition (Apache Tomcat) CVE-2021-25122 that can be remotely exploited without authentication.
In addition, Oracle patched 66 new vulnerabilities in Oracle MySQL, 10 of these vulnerabilities may be remotely exploitable without authentication.
One of the patches addressed a Critical vulnerability CVE-2021-22931 in the Cluster General (Node.js) component of MySQL Cluster. Another update fixed a Critical vulnerability CVE-2021-3711 in the Server: Packaging (OpenSSL) component of MySQL Server. Each of these issues have a CVSS score of 9.8.
In addition, 8 other High severity flaws were also addressed.
Oracle Java patches
Oracle patched 15 vulnerabilities in Oracle Java SE, 13 of these vulnerabilities may be remotely exploitable without authentication and 3 of those are rated High severity as noted below:
- CVE-2021-3517 Java SE (JavaFX (libxml) component)
- CVE-2021-35560 Java SE (Deployment component)
- CVE-2021-27290 Oracle GraalVM Enterprise Edition (Node (Node.js) component).
Each of these 3 issues can be exploited remotely without user credentials.
Oracle Enterprise Manager patches
The Critical Patch Update also addressed 8 new security vulnerabilities in Oracle Enterprise Manager, 5 of these can be exploited remotely without user credentials.
One of the patches addressed a Critical vulnerability CVE-2021-26691 in the Networking (Apache HTTP Server) component of Enterprise Manager Ops Center. This issue has a CVSS score of 9.8.
An additional 6 flaws were rated High severity and affected multiple other Oracle Enterprise Manager products.
Oracle Fusion Middleware patches
Also, Oracle has patched 38 new vulnerabilities in Oracle Fusion Middleware. Attackers could remotely exploit 30 of these vulnerabilities without user authentication.
In all, 3 Critical vulnerabilities in multiple Fusion components were addressed as summarized below:
- CVE-2019-13990 Oracle WebCenter Sites (WebCenter Sites (Terracotta Quartz Scheduler) component)
- CVE-2018-8088 Oracle WebLogic Server (Web Services (slf4j-ext) component)
- CVE-2021-35617 Oracle WebLogic Server (Coherence Container component).
All of these issues can be exploited remotely without user authentication.
Other security updates
Finally, Oracle released patches for multiple other products (to include total counts and Critical severity vulnerabilities) in the CPU for October 2021:
- Oracle Communications Applications (19 total, 1 critical)
- Oracle Communications (71 total, 14 critical)
- Oracle Construction and Engineering Suite (12 total, 1 critical)
- Oracle E-Business Suite (18 total, 0 critical)
- Oracle Financial Services Applications (44 total, 6 critical)
- Oracle Health Sciences Applications (6 total, 1 critical)
- Oracle Hospitality Applications (1 total, 0 critical)
- Oracle Hyperion (6 total, 0 critical)
- Oracle Insurance Applications (16 total, 4 critical)
- Oracle JD Edwards (11 total, 0 critical)
- Oracle PeopleSoft (17 total, 1 critical)
- Oracle Policy Automation (0 total, 0 critical)
- Oracle Retail Applications (26 total, 0 critical)
- Oracle Siebel CRM (6 total, 0 critical)
- Oracle Supply Chain Products (5 total, 0 critical)
- Oracle Systems (5 total, 1 critical)
- Oracle Utilities Applications (1 total, 0 critical)
- Oracle Virtualization (8 total, 0 critical).
Overall, the 419 April patches are up from the 342 patches released in the July 2021 CPU.