【安全更新】Oracle全系产品4月关键补丁更新通告

一、漏洞概述

2021年4月21日，绿盟科技监测发现Oracle官方发布了4月关键补丁更新公告CPU（Critical Patch Update），共修复了400个不同程度的漏洞，此次安全更新涉及Oracle Database Server、Oracle Java SE、Oracle Fusion Middleware、Oracle MySQL、Oracle Communications等多个常用产品。Oracle强烈建议客户尽快应用关键补丁更新修复程序，对漏洞进行修复。

参考链接：https://www.oracle.com/security-alerts/cpuapr2021.html

二、重点漏洞概述

根据产品流行度和漏洞重要性筛选出此次更新中包含影响较大的漏洞，请相关用户重点进行关注：

Oracle MySQL多个漏洞：

此次安全更新针对Oracle MySQL发布了49个安全补丁, 其中的9个漏洞在未经用户身份验证的情况下即可远程进行利用。漏洞编号如下：

CVE-2020-17527

CVE-2020-17530

CVE-2020-1971

CVE-2020-28196

CVE-2020-8277

CVE-2021-2307

CVE-2021-23841

CVE-2021-3449

CVE-2021-3450

Oracle Communications Applications多个漏洞：

此次安全更新针对Oracle Communications Applications发布了13个安全补丁。其中的12个漏洞在未经用户身份验证的情况下即可远程进行利用。高危漏洞如下：

CVE-2020-11612

CVE-2019-0228

CVE-2020-28052

Oracle E-Business Suite多个漏洞：

此次安全更新针对Oracle E-Business Suite发布了70个安全补丁。其中的22个漏洞在未经用户身份验证的情况下即可远程进行利用。攻击者可以通过HTTP访问网络，从而破坏套件中的产品，从而对关键数据的未授权访问或对所有套件中产品可访问数据的完全访问。高危漏洞编号如下：

CVE-2021-2200

CVE-2021-2205

Oracle Virtualization多个漏洞：

此次安全更新针对Oracle Virtualization发布了24个安全补丁，其中的5个漏洞在未经用户身份验证的情况下即可远程进行利用。高危漏洞编号如下：

CVE-2021-2177

CVE-2021-2221

CVE-2021-2248

Oracle Fusion Middleware多个漏洞：

此次安全更新针对Oracle Fusion Middleware发布了45个安全补丁。其中有36个漏洞在未经用户身份验证的情况下即可远程进行利用。高危漏洞编号如下：

CVE-2020-9480

CVE-2020-10683

CVE-2021-2302

CVE-2020-11612

CVE-2021-2136

CVE-2021-2135

Oracle Retail Applications多个漏洞：

此次安全更新针对Oracle Retail Applications发布了35个安全补丁。其中有31个漏洞在未经用户身份验证的情况下即可远程进行利用。高危漏洞编号如下：

CVE-2019-0228

CVE-2020-10683

Oracle官方4月关键补丁更新漏洞总结如下：

产品	漏洞个数	未授权远程利用个数	最高CVSS评分
Oracle Database Products Risk Matrices	10	4	7.5
Oracle Database Server	10	4	7.5
Oracle Global Lifecycle Management	1	1	6.5
Oracle NoSQL Database	4	3	7.5
Oracle REST Data Services	1	1	5.3
Oracle Spatial Studio	2	1	5.3
Oracle SQL Developer	1	1	7.5
Oracle Commerce	4	4	7.5
Oracle Communications Applications	13	12	9.8
Oracle Communications	22	9	9.8
Oracle Construction and Engineering	8	6	9.8
Oracle E-Business Suite	70	22	9.1
Oracle Enterprise Manager	9	8	9.8
Oracle Financial Services Applications	15	10	9.8
Oracle Food and Beverage Applications	2	1	7.5
Oracle Fusion Middleware	45	36	9.8
Oracle Health Sciences Applications	3	3	9.1
Oracle Hospitality Applications	6	4	9.8
Oracle Hyperion	2	1	9.6
Oracle iLearning	1	0	5.5
Oracle Insurance Applications	1	1	7.3
Oracle Java SE	4	4	7.5
Oracle JD Edwards	10	10	9.8
Oracle MySQL	49	10	9.8
Oracle PeopleSoft	18	13	8.3
Oracle Retail Applications	35	31	9.8
Oracle Siebel CRM	8	7	8.1
Oracle Storage Gateway	6	2	10
Oracle Supply Chain	5	5	9.8
Oracle Support Tools	1	0	4.9
Oracle Systems	5	1	10
Oracle Utilities Applications	5	5	9.8
Oracle Virtualization	24	5	10

三、漏洞防护

请用户参考本文附录“受影响产品及补丁信息”及时下载受影响产品更新补丁，并参照补丁安装包中的readme文件进行安装更新，以保证长期有效的防护。

注：Oracle官方补丁需要用户持有正版软件的许可账号，使用该账号登陆https://support.oracle.com后，可以下载最新补丁。

附录：受影响产品及补丁信息

受影响产品及版本号	可用补丁
Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite, versions 3.5, 3.6	https://support.oracle.com/rs?type=doc&id=2764116.1
Agile Product Lifecycle Management Integration Pack for SAP: Design to Release, versions 3.5, 3.6	https://support.oracle.com/rs?type=doc&id=2764116.1
Enterprise Manager Base Platform, version 13.4.0.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Enterprise Manager for Fusion Middleware, versions 12.2.1.4, 13.4.0.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Enterprise Manager for Virtualization, version 13.4.0.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Enterprise Manager Ops Center, version 12.4.0.0	https://support.oracle.com/rs?type=doc&id=2749094.1
FMW Platform, versions 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Hyperion Analytic Provider Services, versions 11.1.2.4, 12.2.1.4	https://support.oracle.com/rs?type=doc&id=2749094.1
Hyperion Financial Management, version 11.1.2.4	https://support.oracle.com/rs?type=doc&id=2749094.1
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3	https://support.oracle.com/rs?type=doc&id=2759893.1
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.5.3	https://support.oracle.com/rs?type=doc&id=2764116.1
JD Edwards EnterpriseOne Tools, versions prior to 9.2.4.0, prior to 9.2.5.3	https://support.oracle.com/rs?type=doc&id=2764116.1
JD Edwards World Security, version A9.4	https://support.oracle.com/rs?type=doc&id=2764116.1
MySQL Cluster, versions 8.0.23 and prior	https://support.oracle.com/rs?type=doc&id=2764660.1
MySQL Enterprise Monitor, versions 8.0.23 and prior	https://support.oracle.com/rs?type=doc&id=2764660.1
MySQL Server, versions 5.7.33 and prior, 8.0.23 and prior	https://support.oracle.com/rs?type=doc&id=2764660.1
MySQL Workbench, versions 8.0.23 and prior	https://support.oracle.com/rs?type=doc&id=2764660.1
Oracle Advanced Supply Chain Planning, versions 12.1, 12.2	https://support.oracle.com/rs?type=doc&id=2764116.1
Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6	https://support.oracle.com/rs?type=doc&id=2764116.1
Oracle API Gateway, version 11.1.2.4.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Application Express, versions prior to 20.2	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Application Testing Suite, version 13.3.0.1	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle BAM (Business Activity Monitoring), versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Banking Platform, versions 2.4.0, 2.6.2, 2.7.0, 2.7.1, 2.8.0, 2.9.0, 2.10.0	https://support.oracle.com/rs?type=doc&id=2763992.1
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Cloud Infrastructure Storage Gateway, versions prior to 1.4	https://support.oracle.com
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Commerce Guided Search, versions 11.3.0, 11.3.1, 11.3.2	https://support.oracle.com/rs?type=doc&id=2768282.1
Oracle Commerce Merchandising, versions 0, 11.0.0, 11.1, 11.2.0, 11.3.0, 11.3.1, 11.3.2	https://support.oracle.com/rs?type=doc&id=2768282.1
Oracle Communications Application Session Controller, version 3.9m0p3	https://support.oracle.com/rs?type=doc&id=2766613.1
Oracle Communications Calendar Server, version 8.0	https://support.oracle.com/rs?type=doc&id=2765939.1
Oracle Communications Contacts Server, version 8.0	https://support.oracle.com/rs?type=doc&id=2765941.1
Oracle Communications Converged Application Server – Service Controller, version 6.2	https://support.oracle.com/rs?type=doc&id=2652618.1
Oracle Communications Design Studio, version 7.4.2	https://support.oracle.com/rs?type=doc&id=2765926.1
Oracle Communications Interactive Session Recorder, versions 6.3, 6.4	https://support.oracle.com/rs?type=doc&id=2766616.1
Oracle Communications Messaging Server, versions 8.0.2, 8.1, 8.1.0	https://support.oracle.com/rs?type=doc&id=2765925.1
Oracle Communications MetaSolv Solution, versions 6.3.0, 6.3.1	https://support.oracle.com/rs?type=doc&id=2769144.1
Oracle Communications Performance Intelligence Center Software, versions 10.4.0.2, 10.4.0.3	https://support.oracle.com/rs?type=doc&id=2766633.1
Oracle Communications Services Gatekeeper, versions 6.0, 6.1, 7.0	https://support.oracle.com/rs?type=doc&id=2766634.1
Oracle Communications Session Border Controller, versions Cz8.2, Cz8.3, Cz8.4	https://support.oracle.com/rs?type=doc&id=2739349.1
Oracle Communications Session Router, versions Cz8.2, Cz8.3, Cz8.4	https://support.oracle.com/rs?type=doc&id=2739349.1
Oracle Communications Subscriber-Aware Load Balancer, versions Cz8.2, Cz8.3, Cz8.4	https://support.oracle.com/rs?type=doc&id=2739349.1
Oracle Communications Unified Inventory Management, versions 7.3.4, 7.3.5, 7.4.0, 7.4.1	https://support.oracle.com/rs?type=doc&id=2765938.1
Oracle Communications Unified Session Manager, version SCz8.2.5	https://support.oracle.com/rs?type=doc&id=2766637.1
Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 18c, 19c	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10	https://support.oracle.com/rs?type=doc&id=2759182.1
Oracle Endeca Information Discovery Studio, version 3.2.0.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Enterprise Communications Broker, versions PCZ3.1, PCZ3.2, PCZ3.3	https://support.oracle.com/rs?type=doc&id=2764238.1
Oracle Enterprise Repository, version 11.1.1.7.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Enterprise Session Border Controller, versions Cz8.2, Cz8.3, Cz8.4	https://support.oracle.com/rs?type=doc&id=2739350.1
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0	https://support.oracle.com/rs?type=doc&id=2763211.1
Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3	https://support.oracle.com
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0	https://support.oracle.com
Oracle Fusion Middleware, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Fusion Middleware MapViewer, version 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Global Lifecycle Management OPatch, versions prior to 12.2.0.1.22	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle GraalVM Enterprise Edition, versions 19.3.5, 20.3.1.2, 21.0.0.2	https://support.oracle.com/rs?type=doc&id=2762944.1
Oracle Graph Server and Client	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Health Sciences Empirica Signal, versions 9.0, 9.1	https://support.oracle.com/rs?type=doc&id=2760190.1
Oracle Health Sciences Information Manager, versions 3.0.0-3.0.2	https://support.oracle.com/rs?type=doc&id=2760190.1
Oracle Healthcare Foundation, versions 7.1.5, 7.2.2, 7.3.0, 7.3.1, 8.0.1	https://support.oracle.com/rs?type=doc&id=2760190.1
Oracle Hospitality Cruise Shipboard Property Management System, version 20.1.0	https://support.oracle.com/rs?type=doc&id=2758870.1
Oracle Hospitality Inventory Management, version 9.1.0	https://support.oracle.com/rs?type=doc&id=2753194.1
Oracle Hospitality OPERA 5, versions 5.5, 5.6	https://support.oracle.com/rs?type=doc&id=2758188.1
Oracle Hospitality RES 3700, versions 5.7.0-5.7.6	https://support.oracle.com/rs?type=doc&id=2754008.1
Oracle HTTP Server, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Identity Manager Connector, version 11.1.1.5.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle iLearning, versions 6.2, 6.3	https://support.oracle.com/rs?type=doc&id=2764116.1
Oracle Insurance Data Gateway, version 1.0.2.3	https://support.oracle.com/rs?type=doc&id=2760529.1
Oracle Java SE, versions 7u291, 8u281, 11.0.10, 16	https://support.oracle.com/rs?type=doc&id=2762944.1
Oracle Java SE Embedded, version 8u281	https://support.oracle.com/rs?type=doc&id=2762944.1
Oracle NoSQL Database, versions prior to 20.3	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Outside In Technology, version 8.5.5	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Platform Security for Java, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Rapid Planning, version 12.1.3	https://support.oracle.com/rs?type=doc&id=2764116.1
Oracle REST Data Services, versions prior to 20.4.3.50.1904	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Retail Advanced Inventory Planning, version 14.1	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Assortment Planning, version 16.0.3	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Back Office, version 14.1	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Category Management Planning & Optimization, version 16.0.3	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Central Office, version 14.1	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail EFTLink, versions 15.0.2, 16.0.3, 17.0.2, 18.0.1, 19.0.1, 20.0.0	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Insights Cloud Service Suite, version 19.0	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Item Planning, version 16.0.3	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Macro Space Optimization, version 16.0.3	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Merchandise Financial Planning, version 16.0.3	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Merchandising System, version 16.0.3	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Point-of-Service, version 14.1	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Predictive Application Server, versions 14.1, 15.0, 16.0	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Regular Price Optimization, version 16.0.3	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Replenishment Optimization, version 16.0.3	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Returns Management, version 14.1	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Sales Audit, version 14.0	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Size Profile Optimization, version 16.0.3	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Store Inventory Management, versions 14.1.3.10, 15.0.3.5, 16.0.3.5	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle Retail Xstore Point of Service, versions 15.0.4, 16.0.6, 17.0.4, 18.0.3, 19.0.2	https://support.oracle.com/rs?type=doc&id=2757913.1
Oracle SD-WAN Aware, version 8.2	https://support.oracle.com/rs?type=doc&id=2766632.1
Oracle SD-WAN Edge, versions 8.2, 9.0	https://support.oracle.com/rs?type=doc&id=2766631.1
Oracle Secure Backup	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Secure Global Desktop, version 5.6	https://support.oracle.com/rs?type=doc&id=2764185.1
Oracle Security Service, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Service Bus, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Solaris, versions 10, 11	https://support.oracle.com/rs?type=doc&id=2765282.1
Oracle Spatial Studio, versions prior to 19.1.0, prior to 20.1.1	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle SQL Developer, versions prior to 20.4.1.407.6	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Storage Cloud Software Appliance, versions prior to 16.3.1.4.2	https://support.oracle.com
Oracle TimesTen In-Memory Database	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0	https://support.oracle.com/rs?type=doc&id=2760203.1
Oracle VM VirtualBox, versions prior to 6.1.20	https://support.oracle.com/rs?type=doc&id=2764185.1
Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle WebLogic Server Proxy Plug-In, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2749094.1
Oracle ZFS Storage Appliance Kit, version 8.8	https://support.oracle.com/rs?type=doc&id=2765282.1
OSS Support Tools, versions prior to 2.12.41	https://support.oracle.com/rs?type=doc&id=2766621.1
PeopleSoft Enterprise CS Campus Community, version 9.2	https://support.oracle.com/rs?type=doc&id=2764116.1
PeopleSoft Enterprise FIN Common Application Objects, version 9.2	https://support.oracle.com/rs?type=doc&id=2764116.1
PeopleSoft Enterprise FIN Expenses, version 9.2	https://support.oracle.com/rs?type=doc&id=2764116.1
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58	https://support.oracle.com/rs?type=doc&id=2764116.1
PeopleSoft Enterprise PT PeopleTools, versions 8.56, 8.57, 8.58	https://support.oracle.com/rs?type=doc&id=2764116.1
PeopleSoft Enterprise SCM eProcurement, version 9.2	https://support.oracle.com/rs?type=doc&id=2764116.1
PeopleSoft Enterprise SCM Purchasing, version 9.2	https://support.oracle.com/rs?type=doc&id=2764116.1
Primavera Gateway, versions 17.12.0-17.12.10	https://support.oracle.com/rs?type=doc&id=2759893.1
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12	https://support.oracle.com/rs?type=doc&id=2759893.1
Siebel Applications, versions 21.2 and prior	https://support.oracle.com/rs?type=doc&id=2764116.1

声明

本安全公告仅用来描述可能存在的安全问题，绿盟科技不为此安全公告提供任何保证或承诺。由于传播、利用此安全公告所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，绿盟科技以及安全公告作者不为此承担任何责任。

绿盟科技拥有对此安全公告的修改和解释权。如欲转载或传播此安全公告，必须保证此安全公告的完整性，包括版权声明等全部内容。未经绿盟科技允许，不得任意修改或者增减此安全公告内容，不得以任何方式将其用于商业目的。