Oracle October Critical Patch Update Advisory (All Product Lines)

1. Vulnerability Overview

On October 20, 2021, NSFOCUS observed that Oracle had published its October Critical Patch Update (CPU) advisory, which fixes 419 vulnerabilities of varying severity. The update covers many widely used products, including Oracle MySQL, Oracle WebLogic Server, Oracle Java SE, Oracle Fusion Middleware and Oracle Retail Applications. Oracle strongly recommends that customers apply the Critical Patch Update fixes as soon as possible.

Reference: https://www.oracle.com/security-alerts/cpuoct2021.html

2. Key Vulnerabilities

The vulnerabilities below were selected from this update on the basis of product popularity and severity; affected users should give them particular attention.

Multiple vulnerabilities in Oracle MySQL:

This update includes 66 security patches for Oracle MySQL. 10 of them address vulnerabilities that are remotely exploitable without authentication, i.e. exploitable over a network without user credentials. The CVE identifiers are:

CVE-2021-22931
CVE-2021-3711
CVE-2021-3518
CVE-2021-22926
CVE-2021-36222
CVE-2021-35583
CVE-2021-3712
CVE-2021-33037
CVE-2021-29425
CVE-2021-35613

Multiple vulnerabilities in Oracle Financial Services Applications:

This update includes 44 security patches for Oracle Financial Services Applications. 26 of them address vulnerabilities that are remotely exploitable without authentication. The high-severity CVE identifiers are:

CVE-2020-5413
CVE-2020-10683
CVE-2021-21345

Multiple vulnerabilities in Oracle Insurance Applications:

This update includes 16 security patches for Oracle Insurance Applications. 11 of them address vulnerabilities that are remotely exploitable without authentication. An attacker with HTTP access to the network can send malicious requests to take control of the affected component and gain full access to critical data. The critical-severity CVE identifiers are:

CVE-2016-1000031
CVE-2019-13990
CVE-2020-10683
CVE-2019-17195

Multiple vulnerabilities in Oracle Communications:

This update includes 71 security patches for Oracle Communications. 56 of them address vulnerabilities that are remotely exploitable without authentication. The high-severity CVE identifiers are:

CVE-2021-21345
CVE-2021-21783
CVE-2017-9841
CVE-2021-11998
CVE-2021-17530
CVE-2021-23017

Multiple vulnerabilities in Oracle Fusion Middleware:

This update includes 38 security patches for Oracle Fusion Middleware. 30 of them address vulnerabilities that are remotely exploitable without authentication. The high-severity CVE identifiers are:

CVE-2019-13990
CVE-2018-8088
CVE-2021-35617

Multiple vulnerabilities in Oracle Retail Applications:

This update includes 26 security patches for Oracle Retail Applications. 9 of them address vulnerabilities that are remotely exploitable without authentication. The high-severity CVE identifier is:

CVE-2021-2351

Summary of Oracle's October Critical Patch Update by product:

Product | Vulnerabilities | Remotely exploitable without authentication | Highest CVSS score
Oracle Database Products Risk Matrices | 9 | 2 | 8.2
Oracle Database Server | 9 | 2 | 8.2
Oracle Essbase | 5 | 3 | 10
Oracle GoldenGate | 1 | 1 | 6.5
Oracle Graph Server and Client | 1 | 1 | 7.5
Oracle REST Data Services | 1 | 1 | 7.5
Oracle Secure Backup | 1 | 1 | 7.4
Oracle Commerce | 2 | 0 | 5.4
Oracle Communications Applications | 19 | 14 | 9.8
Oracle Communications | 71 | 56 | 9.9
Oracle Construction and Engineering | 12 | 7 | 9.8
Oracle E-Business Suite | 18 | 4 | 8.1
Oracle Enterprise Manager | 8 | 5 | 9.8
Oracle Financial Services Applications | 44 | 26 | 9.9
Oracle Fusion Middleware | 38 | 30 | 9.8
Oracle Health Sciences Applications | 6 | 3 | 9.8
Oracle Hospitality Applications | 1 | 1 | 6.1
Oracle Hyperion | 6 | 5 | 6.1
Oracle Insurance Applications | 16 | 11 | 9.8
Oracle Java SE | 15 | 13 | 8.6
Oracle JD Edwards | 11 | 8 | 7.5
Oracle MySQL | 66 | 10 | 9.8
Oracle PeopleSoft | 17 | 8 | 9.1
Oracle Retail Applications | 26 | 9 | 8.3
Oracle Siebel CRM | 6 | 5 | 7.5
Oracle Supply Chain | 5 | 3 | 7.5
Oracle Systems | 5 | 2 | 9.8
Oracle Utilities Applications | 1 | 0 | 5.5
Oracle Virtualization | 8 | 1 | 7.8

3. Mitigation

Users should consult the appendix "Affected Products and Patch Information" to download the patches for their affected products promptly, and install them by following the readme file in the patch package, so that protection remains effective over the long term.

Note: Oracle patches are available only to holders of a support account linked to a licensed copy of the software. Log in to https://support.oracle.com with that account to download the latest patches.
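The first step of the procedure above is working out which installed builds fall inside the "versions ..." phrases used in the appendix, which mix explicit lists (13.4.0.0, 13.5.0.0), open bounds ("prior to 11.1.2.4.46", "8.0.26 and prior") and inclusive ranges (8.0.0.0-8.5.0.0). The following helper is an added example, not code from NSFOCUS or Oracle. It parses those phrases into predicates and checks a constructed inventory against a handful of rows copied from the appendix; the inventory values, the product names used as keys and the rule that an "X and prior" bound applies only within its own release series when several series are listed are assumptions of this example, not statements made by the advisory.

```python
"""Match installed Oracle product versions against the appendix's
'versions ...' phrases. Added example; not part of the advisory."""
import re
from typing import Callable, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Reduce a version string to its numeric components.

    Oracle mixes plain dotted versions (8.0.26) with suffixed ones
    (19c, 7u311, A9.4). Within one product the numeric parts are enough
    to order releases, so letters are simply dropped.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return parts


def _series(v: Version) -> Version:
    # The release series is the version without its last component:
    # 8.0.26 -> 8.0, 21.9 -> 21. Used to keep an upper bound inside its line.
    return v[:-1]


def parse_affected(spec: str) -> Callable[[Version], bool]:
    """Turn an appendix 'versions ...' phrase into a predicate on a Version.

    Clauses are comma separated and OR-ed. Each clause is one of:
    'prior to X' (strictly below X), 'X and prior' (X or below),
    'A-B' (inclusive range) or an exact version.
    """
    spec = re.sub(r"^versions?\s+", "", spec.strip())
    clauses = [c.strip() for c in spec.split(",") if c.strip()]
    # Assumption: when Oracle lists several maintained series side by side
    # ('5.7.35 and prior, 8.0.26 and prior'), each bound applies only within
    # its own series, so a fixed 5.7.36 is not caught by the 8.0.26 bound.
    scoped = len(clauses) > 1
    tests: List[Callable[[Version], bool]] = []
    for clause in clauses:
        if clause.startswith("prior to "):
            bound = parse_version(clause[len("prior to "):])
            tests.append(lambda v, b=bound: v < b)
        elif clause.endswith(" and prior"):
            bound = parse_version(clause[: -len(" and prior")])
            tests.append(lambda v, b=bound: v <= b
                         and (not scoped or _series(v) == _series(b)))
        elif "-" in clause:
            lo, hi = (parse_version(p) for p in clause.split("-", 1))
            tests.append(lambda v, lo=lo, hi=hi: lo <= v <= hi)
        else:
            exact = parse_version(clause)
            tests.append(lambda v, e=exact: v == e)
    return lambda v: any(t(v) for t in tests)


def is_affected(installed: str, spec: str) -> bool:
    """True when the installed version string falls inside the spec."""
    return parse_affected(spec)(parse_version(installed))


# Rows copied from the appendix; the version phrases are Oracle's own.
APPENDIX_ROWS = {
    "MySQL Server": "versions 5.7.35 and prior, 8.0.26 and prior",
    "Essbase Administration Services": "versions prior to 11.1.2.4.46",
    "Oracle Communications Diameter Signaling Router": "versions 8.0.0.0-8.5.0.0",
    "Oracle Java SE": "versions 7u311, 8u301, 11.0.12, 17",
    "Oracle Utilities Framework": "versions 4.2.0.2.0, 4.2.0.3.0, "
                                  "4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0",
}

# Constructed sample inventory for illustration; not real hosts.
SAMPLE_INVENTORY = [
    ("MySQL Server", "8.0.26"),
    ("MySQL Server", "5.7.36"),
    ("Essbase Administration Services", "11.1.2.4.45"),
    ("Oracle Java SE", "8u301"),
    ("Oracle Utilities Framework", "4.3.0.7.0"),
]


def check_inventory(inventory):
    """Return the (product, version) pairs that still need the October CPU."""
    return [(p, v) for p, v in inventory
            if p in APPENDIX_ROWS and is_affected(v, APPENDIX_ROWS[p])]


if __name__ == "__main__":
    for product, version in check_inventory(SAMPLE_INVENTORY):
        print(f"AFFECTED: {product} {version}")
```

The series rule is the one judgement call: without it, a fully patched MySQL 5.7.36 would be flagged because 5.7.36 is numerically below 8.0.26. A single-clause phrase such as "21.9 and prior" is treated as unscoped, so every earlier release matches.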

Appendix: Affected Products and Patch Information

Affected product and versions | Available patch
Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Enterprise Manager for Oracle Database, version 13.4.0.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Enterprise Manager Ops Center, version 12.4.0.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Essbase Administration Services, versions prior to 11.1.2.4.46 | https://support.oracle.com/rs?type=doc&id=2796575.1
Hyperion Financial Management, versions 11.1.2.4, 11.2.6.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Hyperion Financial Reporting, versions 11.1.2.4, 11.2.6.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Hyperion Infrastructure Technology, version 11.2.6.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Hyperion Planning, versions 11.1.2.4, 11.2.6.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 | https://support.oracle.com/rs?type=doc&id=2809438.1
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.6.0 | https://support.oracle.com/rs?type=doc&id=2810363.1
JD Edwards EnterpriseOne Tools, versions prior to 9.2.6.0 | https://support.oracle.com/rs?type=doc&id=2810363.1
JD Edwards World Security, version A9.4 | https://support.oracle.com/rs?type=doc&id=2810363.1
MySQL Client, versions 8.0.26 and prior | https://support.oracle.com/rs?type=doc&id=2809354.1
MySQL Cluster, versions 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior, 8.0.26 and prior | https://support.oracle.com/rs?type=doc&id=2809354.1
MySQL Connectors, versions 8.0.26 and prior | https://support.oracle.com/rs?type=doc&id=2809354.1
MySQL Enterprise Monitor, versions 8.0.25 and prior | https://support.oracle.com/rs?type=doc&id=2809354.1
MySQL Server, versions 5.7.35 and prior, 8.0.26 and prior | https://support.oracle.com/rs?type=doc&id=2809354.1
MySQL Workbench, versions 8.0.26 and prior | https://support.oracle.com/rs?type=doc&id=2809354.1
Oracle Agile PLM, versions 9.3.3, 9.3.6 | https://support.oracle.com/rs?type=doc&id=2810378.1
Oracle Application Express, versions prior to 21.1.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Application Testing Suite, version 13.3.0.1 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2 | https://support.oracle.com/rs?type=doc&id=2810378.1
Oracle Banking Cash Management, versions 14.2, 14.3, 14.5 | https://support.oracle.com/
Oracle Banking Corporate Lending Process Management, versions 14.2, 14.3, 14.5 | https://support.oracle.com/
Oracle Banking Credit Facilities Process Management, versions 14.2, 14.3, 14.5 | https://support.oracle.com/
Oracle Banking Enterprise Default Management, versions 2.10.0, 2.12.0 | https://support.oracle.com/rs?type=doc&id=2808888.1
Oracle Banking Extensibility Workbench, versions 14.2, 14.3, 14.5 | https://support.oracle.com/
Oracle Banking Platform, versions 2.6.2, 2.7.1, 2.9.0, 2.12.0 | https://support.oracle.com/rs?type=doc&id=2808888.1
Oracle Banking Supply Chain Finance, versions 14.2, 14.3, 14.5 | https://support.oracle.com/
Oracle Banking Trade Finance Process Management, versions 14.2, 14.3, 14.5 | https://support.oracle.com/
Oracle Banking Virtual Account Management, versions 14.2, 14.3, 14.5 | https://support.oracle.com/
Oracle Business Activity Monitoring, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Commerce Guided Search, version 11.3.2 | https://support.oracle.com/rs?type=doc&id=2811064.1
Oracle Commerce Merchandising, version 11.3.2 | https://support.oracle.com/rs?type=doc&id=2811064.1
Oracle Communications Application Session Controller, version 3.9 | https://support.oracle.com/rs?type=doc&id=2815518.1
Oracle Communications Billing and Revenue Management, versions 7.5.0.0.0, 12.0.0.3.0 | https://support.oracle.com/rs?type=doc&id=2808815.1
Oracle Communications BRM – Elastic Charging Engine, version 12.0.0.3 | https://support.oracle.com/rs?type=doc&id=2808815.1
Oracle Communications Calendar Server, version 8.0.0.6.0 | https://support.oracle.com/rs?type=doc&id=2808816.1
Oracle Communications Cloud Native Core Network Repository Function, version 1.14.0 | https://support.oracle.com/rs?type=doc&id=2809116.1
Oracle Communications Cloud Native Core Policy, version 1.11.0 | https://support.oracle.com/rs?type=doc&id=2809114.1
Oracle Communications Control Plane Monitor, versions 3.4, 4.2, 4.3, 4.4 | https://support.oracle.com/rs?type=doc&id=2809423.1
Oracle Communications Converged Application Server – Service Controller, version 6.2 | https://support.oracle.com/rs?type=doc&id=2809113.1
Oracle Communications Design Studio, version 7.4.2 | https://support.oracle.com/rs?type=doc&id=2808817.1
Oracle Communications Diameter Signaling Router, versions 8.0.0.0-8.5.0.0 | https://support.oracle.com/rs?type=doc&id=2809085.1
Oracle Communications EAGLE | https://support.oracle.com/rs?type=doc&id=2809087.1
Oracle Communications EAGLE FTP Table Base Retrieval, version 4.5 | https://support.oracle.com/rs?type=doc&id=2809115.1
Oracle Communications EAGLE LNP Application Processor, versions 46.7, 46.8, 46.9 | https://support.oracle.com/rs?type=doc&id=2809093.1
Oracle Communications Element Manager, versions 8.2.0.0-8.2.4.0 | https://support.oracle.com/rs?type=doc&id=2809094.1
Oracle Communications Fraud Monitor, versions 3.4-4.4 | https://support.oracle.com/rs?type=doc&id=2809422.1
Oracle Communications Interactive Session Recorder, version 6.4 | https://support.oracle.com/rs?type=doc&id=2809118.1
Oracle Communications LSMS, versions 13.1-13.4 | https://support.oracle.com/rs?type=doc&id=2809119.1
Oracle Communications Messaging Server, version 8.1 | https://support.oracle.com/rs?type=doc&id=2808816.1
Oracle Communications MetaSolv Solution, version 6.3.1 | https://support.oracle.com/rs?type=doc&id=2808878.1
Oracle Communications Offline Mediation Controller, version 12.0.0.3.0 | https://support.oracle.com/rs?type=doc&id=2808879.1
Oracle Communications Operations Monitor, versions 3.4, 4.2, 4.3, 4.4 | https://support.oracle.com/rs?type=doc&id=2809120.1
Oracle Communications Policy Management, version 12.5.0 | https://support.oracle.com/rs?type=doc&id=2809110.1
Oracle Communications Pricing Design Center, version 12.0.0.3.0 | https://support.oracle.com/rs?type=doc&id=2808815.1
Oracle Communications Services Gatekeeper, version 7.0 | https://support.oracle.com/rs?type=doc&id=2809111.1
Oracle Communications Session Border Controller, versions 8.4, 9.0 | https://support.oracle.com/rs?type=doc&id=2809267.1
Oracle Communications Session Report Manager, versions 8.0.0.0-8.2.5.0 | https://support.oracle.com/rs?type=doc&id=2811990.1
Oracle Communications Session Route Manager, versions 8.0.0.0-8.2.5.0 | https://support.oracle.com/rs?type=doc&id=2812072.1
Oracle Data Integrator, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 19c, 21c | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Documaker, versions 12.6.0-12.6.4 | https://support.oracle.com/rs?type=doc&id=2809145.1
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10 | https://support.oracle.com/rs?type=doc&id=2484000.1
Oracle Enterprise Communications Broker, versions 3.2, 3.3 | https://support.oracle.com/rs?type=doc&id=2809298.1
Oracle Enterprise Repository, version 11.1.1.7.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Enterprise Telephony Fraud Monitor, versions 3.4, 4.2, 4.3, 4.4 | https://support.oracle.com/rs?type=doc&id=2810340.1
Oracle Ethernet Switch ES2-64, Oracle Ethernet Switch ES2-72, version 2.0.0.14 | https://support.oracle.com/rs?type=doc&id=2809232.1
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.1 | https://support.oracle.com/rs?type=doc&id=2809214.1
Oracle Financial Services Enterprise Case Management, versions 8.0.7.2.0, 8.0.8.1.0 | https://support.oracle.com/
Oracle Financial Services Model Management and Governance, versions 8.0.8.0.0-8.1.0.0.0 | https://support.oracle.com/rs?type=doc&id=2814201.1
Oracle FLEXCUBE Core Banking, versions 11.7, 11.8, 11.9, 11.10 | https://support.oracle.com/
Oracle Global Lifecycle Management OPatch | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle GoldenGate, versions prior to 19.1.0.0.0.210420 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle GoldenGate Application Adapters, version 19.1.0.0.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle GraalVM Enterprise Edition, versions 20.3.3, 21.2.0 | https://support.oracle.com/rs?type=doc&id=2810386.1
Oracle Graph Server and Client, versions prior to 21.3.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Health Sciences Central Coding, versions 6.2.0, 6.3.0 | https://support.oracle.com/rs?type=doc&id=2806298.1
Oracle Health Sciences InForm, version 6.3.0 | https://support.oracle.com/rs?type=doc&id=2806298.1
Oracle Healthcare Data Repository, versions 7.0.2, 8.1.0 | https://support.oracle.com/rs?type=doc&id=2806298.1
Oracle Healthcare Foundation, versions 7.3, 8.0, 8.1 | https://support.oracle.com/rs?type=doc&id=2806298.1
Oracle Hospitality Cruise Shipboard Property Management System, version 20.1.0 | https://support.oracle.com/rs?type=doc&id=2806436.1
Oracle HTTP Server, versions 11.1.1.9.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Insurance Calculation Engine, versions 11.0.0-11.3.1 | https://support.oracle.com/rs?type=doc&id=2809145.1
Oracle Insurance Policy Administration, versions 11.0.0-11.3.1 | https://support.oracle.com/rs?type=doc&id=2809145.1
Oracle Java SE, versions 7u311, 8u301, 11.0.12, 17 | https://support.oracle.com/rs?type=doc&id=2810386.1
Oracle NoSQL Database | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Outside In Technology, version 8.5.5 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Real User Experience Insight, versions 13.4.1.0, 13.5.1.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Real-Time Decision Server, versions 3.2.0.0, 11.1.1.9.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle REST Data Services, versions prior to 21.3 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Retail Advanced Inventory Planning, versions 14.1, 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Assortment Planning, version 16.0 | https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Back Office, versions 14.0, 14.1 | https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Bulk Data Integration, versions 16.0.3, 19.0.1 | https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Central Office, versions 14.0, 14.1 | https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0-19.0 | https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Extract Transform and Load, version 13.2.8 | https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.4.0, 16.0.3.0 | https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.4.0, 16.0.3.0, 19.0.1.0 | https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Merchandising System, versions 15.0.3, 19.0.1 | https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Point-of-Service, versions 14.0, 14.1 | https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Predictive Application Server, versions 14.1.3, 15.0.3, 16.0.3 | https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Returns Management, versions 14.0, 14.1 | https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.4.0, 16.0.3.0, 19.0.1.0 | https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Retail Store Inventory Management, versions 14.1, 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2801874.1
Oracle Secure Backup, versions prior to 18.1.0.1.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Secure Global Desktop, version 5.6 | https://support.oracle.com/rs?type=doc&id=2810981.1
Oracle Solaris, version 11 | https://support.oracle.com/rs?type=doc&id=2809232.1
Oracle Spatial Studio | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle SQL Developer | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle Transportation Management, version 6.4.3 | https://support.oracle.com/rs?type=doc&id=2810378.1
Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0 | https://support.oracle.com/rs?type=doc&id=2809748.1
Oracle VM VirtualBox, versions prior to 6.1.28 | https://support.oracle.com/rs?type=doc&id=2810981.1
Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle WebLogic Server Proxy Plug-In, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2796575.1
Oracle ZFS Storage Appliance Kit, version 8.8 | https://support.oracle.com/rs?type=doc&id=2809232.1
PeopleSoft Enterprise CC Common Application Objects, version 9.2 | https://support.oracle.com/rs?type=doc&id=2810361.1
PeopleSoft Enterprise CS Academic Advisement, version 9.2 | https://support.oracle.com/rs?type=doc&id=2810361.1
PeopleSoft Enterprise CS Campus Community, versions 9.0, 9.2 | https://support.oracle.com/rs?type=doc&id=2810361.1
PeopleSoft Enterprise CS SA Integration Pack, versions 9.0, 9.2 | https://support.oracle.com/rs?type=doc&id=2810361.1
PeopleSoft Enterprise CS Student Records, version 9.2 | https://support.oracle.com/rs?type=doc&id=2810361.1
PeopleSoft Enterprise PeopleTools, versions 8.57, 8.58, 8.59 | https://support.oracle.com/rs?type=doc&id=2810361.1
PeopleSoft Enterprise SCM, version 9.2 | https://support.oracle.com/rs?type=doc&id=2810361.1
Primavera Gateway, versions 17.12.0-17.12.11, 18.8.0-18.8.12, 19.12.0-19.12.11, 20.12.0-20.12.7 | https://support.oracle.com/rs?type=doc&id=2809438.1
Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12 | https://support.oracle.com/rs?type=doc&id=2809438.1
Siebel Applications, versions 21.9 and prior | https://support.oracle.com/rs?type=doc&id=2810362.1
Tekelec Platform Distribution, versions 7.4.0-7.7.1 | https://support.oracle.com/rs?type=doc&id=2809117.1
Tekelec Virtual Operating Environment, versions 3.4.0-3.7.1 | https://support.oracle.com/rs?type=doc&id=2809138.1

Statement

This security advisory is intended only to describe possible security issues. NSFOCUS makes no guarantee or commitment regarding it. Any direct or indirect consequences or losses arising from the dissemination or use of the information in this advisory are the sole responsibility of the user; neither NSFOCUS nor the authors of the advisory accept any liability for them.

NSFOCUS reserves the right to modify and interpret this advisory. Anyone who reproduces or distributes it must preserve it in full, including the copyright notice and all other content. Without NSFOCUS's permission, this advisory may not be modified, abridged or extended, nor used for commercial purposes in any way.
