Oracle released patches for 342 security vulnerabilities in its July 2021 Critical Patch Update (CPU), 49 of which are rated critical. We have analyzed these weaknesses and highlight below the vulnerabilities that ought to be fixed first.
Weaponized Vulnerabilities
Of these, 57 vulnerabilities have known exploits. Here is what we found:
- 2 CVEs are associated with the Maze ransomware and the APT1 group.
- CVE-2020-11022 and CVE-2020-11023 are linked to nine malware threats (OceanSalt, Auriga, Bangat, BISCUIT, MAPIGET, TARSIP, SEASALT, KURTON, and HELAUTO).
- 2 CVEs have been the subject of CISA alerts.
- 22 CVEs are Remote Code Execution bugs.
- 13 CVEs enable Privilege Escalation.
- 16 CVEs are rated critical and 28 are of high severity.
As part of the July 2021 CPU, Oracle issued a fix for CVE-2019-2729, a serious deserialization vulnerability in Oracle WebLogic Server that was first addressed as an out-of-band update in June 2019. The July 2021 CPU lists the fix under the Installation and Configuration component of Hyperion Infrastructure Technology. Classified under CWE-284 (Improper Access Control), this critical CVE has a CVSS v3 score of 9.8.
Old Vulnerabilities
165 older vulnerabilities, first disclosed between 2012 and 2020, were patched in this CPU.
- 3 CVEs are associated with the Maze ransomware and the APT1 group. All three are also correlated with the same nine malware threats (OceanSalt, Auriga, Bangat, BISCUIT, MAPIGET, TARSIP, SEASALT, KURTON, and HELAUTO).
- 9 CVEs enable Privilege Escalation.
- 14 CVEs are Remote Code Execution bugs.
- 29 CVEs are rated critical and 97 are of high severity.
CISA Alerts
CISA has issued alerts for 16 of the patched vulnerabilities.
- 9 CVEs have known exploits.
- CVE-2019-11358 is associated with the Maze ransomware, the APT1 group, and the nine malware threats listed above.
- 4 CVEs are rated critical and 11 are of high severity.
Product Analysis
We analyzed the vulnerabilities fixed across 18 product families. Oracle Fusion Middleware received the most fixes in this quarterly update, with 48 vulnerabilities addressed, 35 of which are exploitable remotely by an unauthenticated attacker. Nine of these are critical-severity defects, with CVSS scores of 9.8 and 9.9.
PeopleSoft, Systems Risk, Commerce, Construction and Engineering, Essbase, JD Edwards, Enterprise Manager, Java SE, Hyperion, and Virtualization are the other product families that received fixes this month.
Table: Oracle July Critical Patch Update 2021
On 20 July 2021, CISA issued an advisory urging users to patch all of these Oracle vulnerabilities. We therefore recommend that Oracle users update to the latest patched versions as soon as possible.
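The post picks out what to fix first using a handful of signals: known exploits, ransomware/APT/malware association, CISA alerts, impact class, and CVSS severity. As an added example (not CSW's or Oracle's code, and not part of the original post), the following Python script turns those signals into a repeatable ranking so that a 342-entry CPU can be triaged the same way. The weights, the P1/P2/P3 tier rules, and the two `CVE-XXXX-*` placeholder ids are assumptions made for illustration; the flags on the four real CVEs are the ones the post states, and the CVSS 6.1 values for the three jQuery CVEs come from NVD rather than from the post.

```python
"""Risk-based triage of a Critical Patch Update.

Added example (not CSW's or Oracle's code). It ranks CVEs by the same
signals the post uses to pick out what to fix first: known exploits,
ransomware/APT/malware association, CISA alerts, impact (RCE or
privilege escalation) and CVSS severity. The weights and tier rules are
assumptions chosen for illustration, not an Oracle or CISA scheme.
"""
from dataclasses import dataclass


@dataclass
class CveEntry:
    cve_id: str
    product: str
    cvss: float                   # CVSS v3 base score
    known_exploit: bool = False   # public exploit code or in-the-wild use
    cisa_alert: bool = False      # called out in a CISA alert
    malware_linked: bool = False  # tied to ransomware, an APT, or malware
    impact: str = ""              # "RCE", "PrivEsc" or ""


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to the usual qualitative rating."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


# Assumed weights: evidence of exploitation counts for more than impact class.
BONUS = {"known_exploit": 3.0, "cisa_alert": 1.5, "malware_linked": 1.5}
IMPACT_BONUS = {"RCE": 1.5, "PrivEsc": 1.0}


def risk_score(e: CveEntry) -> float:
    """CVSS base score plus bonuses for threat context."""
    score = e.cvss
    for attr, bonus in BONUS.items():
        if getattr(e, attr):
            score += bonus
    score += IMPACT_BONUS.get(e.impact, 0.0)
    return round(score, 1)


def tier(e: CveEntry) -> str:
    """P1: any evidence of exploitation. P2: Critical/High with no such
    evidence yet. P3: everything else, for the normal patch cycle."""
    if e.known_exploit or e.cisa_alert or e.malware_linked:
        return "P1"
    if severity(e.cvss) in ("Critical", "High"):
        return "P2"
    return "P3"


def prioritize(entries):
    """Highest risk first; ties broken by CVSS, then by CVE id."""
    return sorted(entries, key=lambda e: (-risk_score(e), -e.cvss, e.cve_id))


def summarize(entries) -> dict:
    """Counts of the kind the post reports for the whole CPU."""
    return {
        "total": len(entries),
        "critical": sum(severity(e.cvss) == "Critical" for e in entries),
        "high": sum(severity(e.cvss) == "High" for e in entries),
        "known_exploit": sum(e.known_exploit for e in entries),
        "cisa_alert": sum(e.cisa_alert for e in entries),
        "rce": sum(e.impact == "RCE" for e in entries),
        "privesc": sum(e.impact == "PrivEsc" for e in entries),
    }


# Constructed sample. The first four are CVEs named in the post, carrying
# the flags the post states for them; the 6.1 scores for the jQuery CVEs
# are NVD values, not from the post. The last two are placeholder ids
# (not real CVEs) added only to show the P2 and P3 tiers.
SAMPLE = [
    CveEntry("CVE-2019-2729", "Hyperion Infrastructure Technology", 9.8,
             known_exploit=True),
    CveEntry("CVE-2019-11358", "jQuery", 6.1, known_exploit=True,
             cisa_alert=True, malware_linked=True),
    CveEntry("CVE-2020-11022", "jQuery", 6.1, known_exploit=True,
             malware_linked=True),
    CveEntry("CVE-2020-11023", "jQuery", 6.1, known_exploit=True,
             malware_linked=True),
    CveEntry("CVE-XXXX-0001", "placeholder", 9.8, impact="RCE"),
    CveEntry("CVE-XXXX-0002", "placeholder", 5.3),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE):
        print(f"{tier(e)} {risk_score(e):5.1f} {severity(e.cvss):8} "
              f"{e.cve_id:15} {e.product}")
    print(summarize(SAMPLE))
```

The point the ranking makes is the one the post makes in prose: a medium-severity jQuery bug that is tied to Maze and flagged by CISA lands in P1, above an unexploited 9.8 RCE, because exploitation evidence outweighs the CVSS base score alone. Feed the script the real CPU rows (the advisory's CVSS column plus your own exploit, malware, and CISA flags) to get a patch order instead of a severity sort.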
Does your organization have a patch management program? Talk to CSW's experts to prioritize the threats that need immediate attention!