Oracle patch management policy

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 349 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at July 2022 Critical Patch Update: Executive Summary and Analysis.

Please note that since the release of the April 2022 Critical Patch Update, Oracle has released a Security Alert for Oracle E-Business Suite CVE-2022-21500 (May 19, 2022). Customers are strongly advised to apply the July 2022 Critical Patch Update for Oracle E-Business Suite, which includes patches for this Alert as well as additional patches.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions | Patch Availability Document
Autonomous Health Framework | Oracle Autonomous Health Framework
Big Data Spatial and Graph, versions prior to 23.1 | Database
Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0 | Enterprise Manager
Enterprise Manager for MySQL Database | Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0 | Enterprise Manager
JD Edwards EnterpriseOne Orchestrator, versions 9.2.6.3 and prior | JD Edwards
JD Edwards EnterpriseOne Tools, versions 9.2.6.3 and prior | JD Edwards
MySQL Cluster, versions 7.4.36 and prior, 7.5.26 and prior, 7.6.22 and prior, 8.0.29 and prior | MySQL
MySQL Enterprise Monitor, versions 8.0.30 and prior | MySQL
MySQL Server, versions 5.7.38 and prior, 8.0.29 and prior | MySQL
MySQL Shell, versions 8.0.28 and prior | MySQL
MySQL Shell for VS Code, versions 1.1.8 and prior | MySQL
MySQL Workbench, versions 8.0.29 and prior | MySQL
Oracle Agile Engineering Data Management, version 6.2.1.0 | Oracle Supply Chain Products
Oracle Agile PLM, version 9.3.6 | Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, versions 6.2.2, 6.2.3 | Oracle Supply Chain Products
Oracle Application Express, versions prior to 22.1.1 | Database
Oracle Application Testing Suite, version 13.3.0.1 | Enterprise Manager
Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2 | Oracle Supply Chain Products
Oracle Banking Branch, version 14.5 | Contact Support
Oracle Banking Cash Management, version 14.5 | Contact Support
Oracle Banking Corporate Lending Process Management, version 14.5 | Contact Support
Oracle Banking Credit Facilities Process Management, version 14.5 | Contact Support
Oracle Banking Deposits and Lines of Credit Servicing, version 2.7 | Contact Support
Oracle Banking Electronic Data Exchange for Corporates, version 14.5 | Contact Support
Oracle Banking Liquidity Management, versions 14.2, 14.5 | Contact Support
Oracle Banking Origination, version 14.5 | Contact Support
Oracle Banking Party Management, version 2.7 | Oracle Banking Platform
Oracle Banking Platform, versions 2.6.2, 2.9, 2.12 | Oracle Banking Platform
Oracle Banking Supply Chain Finance, version 14.5 | Contact Support
Oracle Banking Trade Finance, version 14.5 | Contact Support
Oracle Banking Trade Finance Process Management, version 14.5 | Contact Support
Oracle Banking Virtual Account Management, version 14.5 | Contact Support
Oracle Berkeley DB | Berkeley DB
Oracle BI Publisher, versions 12.2.1.3.0, 12.2.1.4.0 | Oracle Analytics
Oracle Blockchain Platform | Oracle Blockchain Platform
Oracle Business Intelligence Enterprise Edition, version 5.9.0.0.0 | Oracle Analytics
Oracle Coherence, versions 3.7.1.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle Commerce Guided Search, version 11.3.2 | Oracle Commerce
Oracle Commerce Merchandising, version 11.3.2 | Oracle Commerce
Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2 | Oracle Commerce
Oracle Communications ASAP, version 7.3 | Oracle Communications ASAP
Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.6.0 | Oracle Communications Billing and Revenue Management
Oracle Communications BRM - Elastic Charging Engine, versions prior to 12.0.0.4.6, prior to 12.0.0.5.1 | Oracle Communications BRM - Elastic Charging Engine
Oracle Communications Cloud Native Core Binding Support Function, versions 22.1.3, 22.2.0 | Oracle Communications Cloud Native Core Binding Support Function
Oracle Communications Cloud Native Core Console, versions 22.1.2, 22.2.0 | Oracle Communications Cloud Native Core Console
Oracle Communications Cloud Native Core Network Exposure Function, version 22.1.1 | Oracle Communications Cloud Native Core Network Exposure Function
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 22.1.0, 22.1.2, 22.2.0 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Oracle Communications Cloud Native Core Network Repository Function, versions 22.1.2, 22.2.0 | Oracle Communications Cloud Native Core Network Repository Function
Oracle Communications Cloud Native Core Network Slice Selection Function, version 22.1.1 | Oracle Communications Cloud Native Core Network Slice Selection Function
Oracle Communications Cloud Native Core Policy, versions 22.1.3, 22.2.0 | Oracle Communications Cloud Native Core Policy
Oracle Communications Cloud Native Core Security Edge Protection Proxy, version 22.1.1 | Oracle Communications Cloud Native Core Security Edge Protection Proxy
Oracle Communications Cloud Native Core Service Communication Proxy, version 22.2.0 | Oracle Communications Cloud Native Core Service Communication Proxy
Oracle Communications Cloud Native Core Unified Data Repository, version 22.2.0 | Oracle Communications Cloud Native Core Unified Data Repository
Oracle Communications Core Session Manager, versions 8.2.5, 8.4.5 | Oracle Communications Core Session Manager
Oracle Communications Design Studio, version 7.4.2 | Oracle Communications Design Studio
Oracle Communications Instant Messaging Server, version 10.0.1.5.0 | Oracle Communications Instant Messaging Server
Oracle Communications IP Service Activator | Oracle Communications IP Service Activator
Oracle Communications Offline Mediation Controller, versions prior to 12.0.0.4.4, prior to 12.0.0.5.1 | Oracle Communications Offline Mediation Controller
Oracle Communications Operations Monitor, versions 4.3, 4.4, 5.0 | Oracle Communications Operations Monitor
Oracle Communications Session Border Controller, versions 8.4, 9.0, 9.1 | Oracle Communications Session Border Controller
Oracle Communications Unified Inventory Management, versions 7.4.1, 7.4.2, 7.5.0 | Oracle Communications Unified Inventory Management
Oracle Communications Unified Session Manager, version 8.2.5 | Oracle Communications Unified Session Manager
Oracle Crystal Ball, versions 11.1.2.0.0-11.1.2.4.900 | Oracle Construction and Engineering Suite
Oracle Data Integrator | Fusion Middleware
Oracle Database Server, versions 12.1.0.2, 19c, 21c | Database
Oracle E-Business Suite, versions 12.2.3-12.2.11 | Oracle E-Business Suite
Oracle Enterprise Communications Broker, version 3.3 | Oracle Enterprise Communications Broker
Oracle Enterprise Operations Monitor, versions 4.3, 4.4, 5.0 | Oracle Enterprise Operations Monitor
Oracle Enterprise Session Border Controller, versions 8.4, 9.0, 9.1 | Oracle Enterprise Session Border Controller
Oracle Essbase, version 21.3 | Database
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1 | Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Behavior Detection Platform, versions 8.0.7.0, 8.0.8.0, 8.1.1.0-8.1.2.1 | Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Crime and Compliance Management Studio, versions 8.0.8.2.0, 8.0.8.3.0 | Oracle Financial Services Crime and Compliance Management Studio
Oracle Financial Services Enterprise Case Management, versions 8.0.7.1, 8.0.7.2, 8.0.8.0, 8.0.8.1, 8.1.1.0-8.1.2.1 | Oracle Financial Services Enterprise Case Management
Oracle Financial Services Revenue Management and Billing, versions 2.9.0.0.0, 2.9.0.1.0, 3.0.0.0.0-3.2.0.0.0, 4.0.0.0.0 | Oracle Financial Services Revenue Management and Billing
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, versions 8.0.7.0, 8.0.8.0 | Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition
Oracle FLEXCUBE Core Banking, versions 5.2, 11.6-11.8, 11.10 | Contact Support
Oracle FLEXCUBE Private Banking, version 12.1 | Contact Support
Oracle FLEXCUBE Universal Banking, versions 12.1-12.4, 14.0-14.3, 14.5 | Contact Support
Oracle Global Lifecycle Management NextGen OUI Framework, versions prior to 13.9.4.2.10 | Fusion Middleware
Oracle Global Lifecycle Management OPatch, versions prior to 12.2.0.1.30 | Global Lifecycle Management
Oracle GoldenGate, versions [19c] prior to 19.1.0.0.220719, [21c] prior to 21.7.0.0.0 | Database
Oracle GraalVM Enterprise Edition, versions 20.3.6, 21.3.2, 22.1.0 | Java SE
Oracle Graph Server and Client, versions prior to 22.2.0 | Database
Oracle Health Sciences Data Management Workbench, versions 2.4.8.7, 2.5.2.1, 3.0.0.0, 3.1.0.3 | Health Sciences
Oracle Health Sciences Empirica Signal, versions 9.1.0.52, 9.2.0.52 | Health Sciences
Oracle Health Sciences Information Manager, versions 3.0.0.1, 3.0.1.0-3.0.5.0 | HealthCare Applications
Oracle Healthcare Foundation, versions 8.1.0, 8.2.0, 8.2.1 | HealthCare Applications
Oracle Hospitality Cruise Shipboard Property Management System, version 20.2.1 | Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality Inventory Management, version 9.1 | Oracle Hospitality Inventory Management
Oracle Hospitality Materials Control, version 18.1 | Oracle Hospitality Materials Control
Oracle Hospitality OPERA 5, version 5.6 | Oracle Hospitality OPERA 5 Property Services
Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Identity Management Suite | Fusion Middleware
Oracle Identity Manager Connector | Fusion Middleware
Oracle Java SE, versions 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1 | Java SE
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Middleware Common Libraries and Tools, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle NoSQL Database | NoSQL Database
Oracle Policy Automation, versions 12.2.0-12.2.25 | Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.24 | Oracle Policy Automation
Oracle Product Lifecycle Analytics, version 3.6.1 | Oracle Supply Chain Products
Oracle REST Data Services, versions prior to 22.1.1 | Database
Oracle Retail Allocation, versions 15.0.3.1, 16.0.3 | Retail Applications
Oracle Retail Bulk Data Integration, version 16.0.3 | Retail Applications
Oracle Retail Customer Insights, versions 15.0.2, 16.0.2 | Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 17.0, 18.0, 19.0 | Retail Applications
Oracle Retail Extract Transform and Load, version 13.2.5 | Retail Applications
Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | Retail Applications
Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | Retail Applications
Oracle Retail Merchandising System, versions 16.0.3, 19.0.1 | Retail Applications
Oracle Retail Order Broker, versions 18.0, 19.1 | Retail Applications
Oracle Retail Pricing, version 19.0.1 | Retail Applications
Oracle Retail Sales Audit, versions 15.0.3.1, 16.0.3 | Retail Applications
Oracle Retail Xstore Point of Service, versions 17.0.4, 18.0.3, 19.0.2, 20.0.1, 21.0.1 | Retail Applications
Oracle SD-WAN Edge, versions 9.0, 9.1 | Oracle SD-WAN Edge
Oracle Security Service, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle SOA Suite, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Solaris, versions 10, 11 | Systems
Oracle Spatial Studio, versions prior to 22.1.0 | Database
Oracle SQL Developer | Database
Oracle Stream Analytics, versions [19c] prior to 19.1.0.0.6.4 | Database
Oracle TimesTen In-Memory Database, versions prior to 22.1.1.1.0 | Database
Oracle Transportation Management, version 1.4.4 | Oracle Supply Chain Products
Oracle Utilities Framework, versions 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0 | Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 6.1.36 | Virtualization
Oracle WebCenter Content, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle WebCenter Sites Support Tools, versions 4.4.2 and prior | Fusion Middleware
Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle WebLogic Server Proxy Plug-in, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8 | Systems
PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59 | PeopleSoft
Primavera Gateway, versions 17.12.0-17.12.11, 18.8.0-18.8.14, 19.12.0-19.12.13, 20.12.0-20.12.8, 21.12.0-21.12.1 | Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 17.12.0.0-17.12.20.4, 18.8.0.0-18.8.25.4, 19.12.0.0-19.12.19.0, 20.12.0.0-20.12.14.0, 21.12.0.0-21.12.4.0 | Oracle Construction and Engineering Suite
Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12, 21.12 | Oracle Construction and Engineering Suite
Siebel Applications, versions 22.6 and prior | Siebel

Note:

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Updates that address vulnerabilities in third-party components which are not exploitable in the context of their inclusion in the respective Oracle product are listed beneath that product's risk matrix.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program:

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

Critical Patch Update Schedule

Critical Patch Updates are released on the third Tuesday of January, April, July, and October. The next four dates are:

References

Modification History

Date | Note
2022-October-31 | Rev 4. Updated Credit section
2022-July-28 | Rev 3. Updated the affected versions for WebLogic CVE-2021-40690
2022-July-25 | Rev 2. Updated the version details for WebCenter Sites Support Tools and added credit for CVE-2022-21551
2022-July-19 | Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 23 new security patches for Oracle Database Products divided as follows:

Oracle Database Server Risk Matrix

This Critical Patch Update contains 9 new security patches plus additional third party patches noted below for Oracle Database Products. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 1 of these patches is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

(The columns Base Score through Availability are the CVSS version 3.1 risk metrics; see Risk Matrix Definitions.)

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-35169 | Oracle Database - Enterprise Edition | None | TCPS | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.0.2, 19c, 21c |
CVE-2022-21510 | Oracle Database - Enterprise Edition Sharding | Local Logon | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | None | See Note 1
CVE-2022-21511 | Oracle Database - Enterprise Edition Recovery | EXECUTE ON DBMS_IR.EXECUTESQLSCRIPT | Oracle Net | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | None | See Note 1
CVE-2022-21565 | Java VM | Create Procedure | Oracle Net | No | 6.5 | Network | Low | Low | None | Unchanged | None | High | None | 12.1.0.2, 19c, 21c |
CVE-2022-24729 | Oracle Application Express (CKEditor) | User Account | HTTP | No | 5.7 | Network | Low | Low | Required | Unchanged | None | None | High | Prior to 22.1.1 |
CVE-2021-41184 | Oracle Application Express (jQueryUI) | User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 22.1.1 |
CVE-2022-0839 | Oracle SQLcl (Liquibase) | Local Logon | None | No | 5.0 | Local | Low | Low | Required | Unchanged | High | None | None | 19c |
CVE-2021-45943 | Oracle Spatial and Graph (GDAL) | Create Session | Oracle Net | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 19c, 21c |
CVE-2022-21432 | Oracle Database - Enterprise Edition RDBMS Security | DBA role | Oracle Net | No | 2.7 | Network | Low | High | None | Unchanged | None | None | Low | 12.1.0.2, 19c, 21c |

Notes:

  1. None of the supported versions are affected.
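The Base Score column of the matrix above is derived from the eight CVSS metric columns by the CVSS version 3.1 formula referred to under Risk Matrix Content. The Python below, added here as a worked example and not part of Oracle's advisory, recomputes each listed score from the Attack Vector through Availability values using the published v3.1 weights and Roundup() definition, produces the canonical vector string for each row, flags any row whose listed score disagrees with its metrics, and orders the rows for patch triage (remotely exploitable without authentication first, then by score). The rows are transcribed from the table above as constructed sample input; the function names are this example's own.

```python
"""Re-derive the Base Score column of an Oracle risk matrix from its CVSS
metric columns, then order the rows the way a patch-triage pass would.

ROWS is constructed sample input transcribed from the Oracle Database Server
risk matrix: (CVE, component, protocol, remote-without-auth, listed score,
AV, AC, PR, UI, Scope, C, I, A). Weights and Roundup() follow CVSS v3.1.
"""
from math import floor

# CVSS v3.1 metric weights (specification section 7.4).
AV = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.20}
AC = {"Low": 0.77, "High": 0.44}
PR_UNCHANGED = {"None": 0.85, "Low": 0.62, "High": 0.27}
PR_CHANGED = {"None": 0.85, "Low": 0.68, "High": 0.50}  # PR weighs more when Scope is Changed
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}

ROWS = [
    ("CVE-2020-35169", "Oracle Database - Enterprise Edition", "TCPS", True, 9.1,
     "Network", "Low", "None", "None", "Unchanged", "High", "High", "None"),
    ("CVE-2022-21510", "Oracle Database - Enterprise Edition Sharding", "None", False, 8.8,
     "Local", "Low", "Low", "None", "Changed", "High", "High", "High"),
    ("CVE-2022-21511", "Oracle Database - Enterprise Edition Recovery", "Oracle Net", False, 7.2,
     "Network", "Low", "High", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2022-21565", "Java VM", "Oracle Net", False, 6.5,
     "Network", "Low", "Low", "None", "Unchanged", "None", "High", "None"),
    ("CVE-2022-24729", "Oracle Application Express (CKEditor)", "HTTP", False, 5.7,
     "Network", "Low", "Low", "Required", "Unchanged", "None", "None", "High"),
    ("CVE-2021-41184", "Oracle Application Express (jQueryUI)", "HTTP", False, 5.4,
     "Network", "Low", "Low", "Required", "Changed", "Low", "Low", "None"),
    ("CVE-2022-0839", "Oracle SQLcl (Liquibase)", "None", False, 5.0,
     "Local", "Low", "Low", "Required", "Unchanged", "High", "None", "None"),
    ("CVE-2021-45943", "Oracle Spatial and Graph (GDAL)", "Oracle Net", False, 4.3,
     "Network", "Low", "Low", "None", "Unchanged", "None", "None", "Low"),
    ("CVE-2022-21432", "Oracle Database - Enterprise Edition RDBMS Security", "Oracle Net", False, 2.7,
     "Network", "Low", "High", "None", "Unchanged", "None", "None", "Low"),
]


def roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, done on integers
    so that float noise such as 4.0000001 does not bump the score to 4.1."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (floor(i / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a):
    """CVSS v3.1 base score from the eight metric values as spelled in the matrix."""
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if scope == "Unchanged":
        impact = 6.42 * iss
        exploitability = 8.22 * AV[av] * AC[ac] * PR_UNCHANGED[pr] * UI[ui]
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
        exploitability = 8.22 * AV[av] * AC[ac] * PR_CHANGED[pr] * UI[ui]
    if impact <= 0:
        return 0.0
    if scope == "Unchanged":
        return roundup(min(impact + exploitability, 10))
    return roundup(min(1.08 * (impact + exploitability), 10))


def vector_string(av, ac, pr, ui, scope, c, i, a):
    """Canonical CVSS:3.1 vector for the same metrics (the first letter of each
    matrix value is exactly the CVSS abbreviation: Network->N, Required->R, ...)."""
    parts = zip(("AV", "AC", "PR", "UI", "S", "C", "I", "A"),
                (av, ac, pr, ui, scope, c, i, a))
    return "CVSS:3.1/" + "/".join(f"{k}:{v[0]}" for k, v in parts)


def check_matrix(rows=ROWS):
    """Return {CVE: (listed, recomputed)} for rows whose listed Base Score does
    not follow from the metric columns; {} means the matrix is consistent."""
    mismatches = {}
    for cve, _component, _protocol, _remote, listed, *metrics in rows:
        computed = base_score(*metrics)
        if computed != listed:
            mismatches[cve] = (listed, computed)
    return mismatches


def triage_order(rows=ROWS):
    """Order CVEs as the advisory's own emphasis suggests: anything remotely
    exploitable without authentication first, then by descending base score."""
    ranked = sorted(rows, key=lambda r: (not r[3], -r[4]))
    return [r[0] for r in ranked]


if __name__ == "__main__":
    for cve, component, protocol, _remote, listed, *metrics in ROWS:
        print(f"{cve:<15} {listed:>4} {vector_string(*metrics)} {protocol:<10} {component}")
    print("mismatches:", check_matrix())
    print("triage order:", triage_order())
```

Run as a script the block prints one line per CVE with its vector string; `check_matrix()` returns an empty dict for the table above, confirming every listed score follows from its metrics. The same `base_score()` can be pointed at any other Oracle risk matrix, since all of them use the same column vocabulary.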

Additional CVEs addressed are:

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

Oracle Database Server Client-Only Installations

Oracle Autonomous Health Framework Risk Matrix

This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle Autonomous Health Framework. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Autonomous Health Framework. The English text form of this Risk Matrix can be found here.

(The columns Base Score through Availability are the CVSS version 3.1 risk metrics; see Risk Matrix Definitions.)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes

There are no exploitable vulnerabilities for these products. Third party patches for non-exploitable CVEs are noted below.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family: