VENDOR UPDATE | 22 October 2021

Oracle Database Critical Patch And Security Update October 2021

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Please review our previous Critical Patch Update advisories for more information regarding earlier published security fixes.

Oracle Database Product Critical Patch Summary

This Critical Patch Update contains 16 new security patches for Oracle Database Products:

  • New security patches for Oracle Database Products:
    • Oracle Database 12.1.0.2
    • Oracle Database 12.2.0.1
    • Oracle Database 19c
    • Oracle Database 21c

Oracle Database Server Risk Matrix

The CVSS columns are CVSS version 3.0 base score followed by the Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity and Availability metrics.

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-35599 | Zero Downtime DB Migration to Cloud | Local Logon | Local Logon | No | 8.2 | Local | Low | High | None | Changed | High | High | High | 21c |
CVE-2021-25122 | Oracle Database Enterprise Edition (Apache Tomcat) | None | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.0.1, 19c, 21c |
CVE-2021-35619 | Java VM | Create Procedure | Oracle Net | No | 7.1 | Network | High | Low | Required | Unchanged | High | High | High | 12.1.0.2, 12.2.0.1, 19c, 21c |
CVE-2021-2332 | Oracle LogMiner | DBA | Oracle Net | No | 6.7 | Network | Low | High | None | Unchanged | Low | High | High | 12.1.0.2, 12.2.0.1, 19c |
CVE-2021-35551 | RDBMS Security | DBA | Oracle Net | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 12.2.0.1, 19c, 21c |
CVE-2021-35557 | Core RDBMS | Create Table | Oracle Net | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 12.1.0.2, 12.2.0.1, 19c, 21c |
CVE-2021-35558 | Core RDBMS | Create Table | Oracle Net | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 12.1.0.2, 12.2.0.1, 19c, 21c |
CVE-2021-26272 | Oracle Application Express (CKEditor) | None | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | Prior to 21.1.0 |
CVE-2021-35576 | Oracle Database Enterprise Edition Unified Audit | Local Logon | Oracle Net | No | 2.7 | Network | Low | High | None | Unchanged | None | Low | None | 12.1.0.2, 12.2.0.1, 19c |

Additional CVEs addressed are:

  • The patch for CVE-2021-25122 also addresses
    • CVE-2020-9484
    • CVE-2021-25329
  • The patch for CVE-2021-26272 also addresses CVE-2021-26271.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Autonomous Health Framework (Apache Commons IO): CVE-2021-29425.
  • GraalVM Multilingual Engine:
    • CVE-2021-29921
    • CVE-2020-28928
    • CVE-2021-2341
    • CVE-2021-2369
    • CVE-2021-2388
    • CVE-2021-2432
  • Oracle Spatial and Graph - GeoRaster (OpenJPEG): CVE-2020-27824.

Further Help and Assistance

For further advice about Oracle Critical Patch Updates, including installation planning and consultancy services, please contact a member of our pre-sales technical team on 0330 332 6223 or visit our website, nlightn-IT.
