BACK TO NEWS & UPDATES
VENDOR UPDATE | 22 July 2021

Oracle Database Critical Patch And Security Update July 2021

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Please review our previous Critical Patch Update advisories for more information regarding earlier published security fixes.

Oracle Database Product Critical Patch Summary

This Critical Patch Update contains 16 new security patches for Oracle Database Products:

  • New security patches for Oracle Database Products:
    • Oracle Database 12.1.0.2
    • Oracle Database 12.2.0.1
    • Oracle Database 19c

Oracle Database Server Risk Matrix

CVE#ComponentPackage and/or Privilege RequiredProtocolRemote
Exploit
without
Auth.?		CVSS VERSION 3.0 RISKSupported Versions AffectedNotes
Base
Score		Attack
Vector		Attack
Complex		Privs
Req'd		User
Interact		ScopeConfid-
entiality		Inte-
grity		Avail-
ability
CVE-2021-2351 Advanced Networking Option None Oracle Net Yes 8.3 Network High None Required Changed High High High 12.1.0.2, 12.2.0.1, 19c See Note 1
CVE-2021-2328 Oracle Text Create Any Procedure, Alter Any Table Oracle Net No 7.2 Network Low High None Un-
changed		 High High High 12.1.0.2, 12.2.0.1, 19c  
CVE-2021-2329 Oracle XML DB Create Any Procedure, Create Public Synonym Oracle Net No 7.2 Network Low High None Un-
changed		 High High High 12.1.0.2, 12.2.0.1, 19c  
CVE-2021-2337 Oracle XML DB Create Any Procedure, Create Public Synonym Oracle Net No 7.2 Network Low High None Un-
changed		 High High High 12.1.0.2, 12.2.0.1, 19c  
CVE-2020-27193 Oracle Application Express (CKEditor) Valid User Account HTTP No 5.4 Network Low Low Required Changed Low Low None Prior to 21.1.0.00.01  
CVE-2020-26870 Oracle Application Express Application Builder (DOMPurify) Valid User Account HTTP No 5.4 Network Low Low Required Changed Low Low None Prior to 21.1.0.00.01  
CVE-2021-2460 Oracle Application Express Data Reporter Valid User Account HTTP No 5.4 Network Low Low Required Changed Low Low None Prior to 21.1.0.00.04  
CVE-2021-2333 Oracle XML DB Alter User Oracle Net No 4.9 Network Low High None Un-
changed		 High None None 12.1.0.2, 12.2.0.1, 19c  
CVE-2019-17545 Oracle Spatial and Graph (GDAL) Create Session Oracle Net No 4.4 Local High Low Required Un-
changed		 None None High 12.2.0.1, 19c  
CVE-2021-2330 Core RDBMS Create Table Oracle Net No 4.3 Network Low Low None Un-
changed		 None None Low 19c  
CVE-2020-7760 Enterprise Manager Express User Interface (CodeMirror) User Account HTTP No 4.3 Network Low Low None Un-
changed		 None None Low 19c  
CVE-2021-2438 Java VM Create Procedure Oracle Net No 4.3 Network Low Low None Un-
changed		 None None Low 12.1.0.2, 12.2.0.1, 19c  
CVE-2021-2334 Oracle Database - Enterprise Edition Data Redaction Create Session Oracle Net No 3.5 Network Low Low Required Un-
changed		 None Low None 12.1.0.2, 12.2.0.1, 19c  
CVE-2021-2335 Oracle Database - Enterprise Edition Data Redaction Create Session Oracle Net No 3.5 Network Low Low Required Un-
changed		 None Low None 12.1.0.2, 12.2.0.1, 19c  
CVE-2021-2336 Oracle Database - Enterprise Edition Data Redaction Create Session Oracle Net No 3.5 Network Low Low Required Un-
changed		 None Low None 12.1.0.2, 12.2.0.1, 19c  
CVE-2021-2326 Database Vault DBA Oracle Net No 2.7 Network Low High None Un-
changed		 Low None None 12.2.0.1, 19c  

Notes:

The July 2021 Critical Patch Update introduces a number of Native Network Encryption changes to deal with vulnerability CVE-2021-2351 and prevent the use of weaker ciphers. Customers should review: “Changes in Native Network Encryption with the July 2021 Critical Patch Update” (Doc ID 2791571.1).

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • MapViewer (OWASP ESAPI)Oracle Spatial and Graph (OpenJPEG): CVE-2020-27844, CVE-2018-21010, CVE-2019-12973, CVE-2020-15389, CVE-2020-27814, CVE-2020-27841, CVE-2020-27842, CVE-2020-27843 and CVE-2020-27845.
  • Oracle Database - Enterprise Edition (Kerberos): CVE-2020-28196.
  • Oracle Database Migration Assistant for Unicode (Apache POI): CVE-2019-12415.
  • Oracle Spatial and Graph (jackson-databind): CVE-2020-25649.
  • Oracle Spatial and Graph MapViewer (Apache Batik): CVE-2020-11987 and CVE-2019-17566.
  • Oracle Spatial and Graph MapViewer (Apache HttpClient): CVE-2020-13956.
  • Oracle Spatial and Graph MapViewer (Apache XMLGraphics Commons): CVE-2020-11988.
  • Oracle Spatial and Graph MapViewer (Google Guava): CVE-2020-8908.
  • Oracle Spatial and Graph Network Data Model (jackson-databind): CVE-2020-25649.
  • RDBMS (Perl): CVE-2020-10878, CVE-2020-10543 and CVE-2020-12723.
  • RDBMS (Python): CVE-2021-23336.

Oracle Database Server Client-Only Installations

  • The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2021-2351.

Further Help and Assistance

For further advice about Oracle Critical Patch Updates, including installation planning and consultancy services, please contact one of our pre-sales technical team on 0330 332 6223 or visit our website nlightn-IT

Latest Articles

GET IN TOUCH

Fill out the form and our specialist will contact you for a consultation.

GET IN TOUCH

PARTNERS WE WORK WITH
  • Microsoft
  • Db Visit
  • Oracle
  • Tibero
  • SplashBI
nlight-IT

Services

Company

Legal

Social

 

Copyright © 2024 nlightn-IT Ltd
Website by Cloudblue