
Rewterz Threat Advisory – Multiple Oracle Vulnerabilities

April 21, 2022

Severity

Medium

Analysis Summary

CVE-2022-21498, CVSS 6.5

An unspecified vulnerability in Oracle Database Server related to the Java VM component could allow an authenticated attacker to achieve a high integrity impact, with no confidentiality or availability impact.

CVE-2022-21497, CVSS 8.1

An unspecified vulnerability in Oracle Web Services Manager related to the Web Services Security component could allow an unauthenticated attacker to achieve high confidentiality and integrity impacts, with no availability impact.

CVE-2022-21496, CVSS 5.3

An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the JNDI component could allow an unauthenticated attacker to achieve a low integrity impact, with no confidentiality or availability impact.

CVE-2022-21494, CVSS 4.0

An unspecified vulnerability in Oracle Solaris related to the Kernel component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.

CVE-2022-21493, CVSS 5.9

An unspecified vulnerability in Oracle Solaris related to the Kernel component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.

CVE-2022-21492, CVSS 6.1

An unspecified vulnerability in Oracle Business Intelligence Enterprise Edition related to the Analytics Server component could allow an unauthenticated attacker to achieve low confidentiality and integrity impacts, with no availability impact.

CVE-2022-21491, CVSS 7.8

An unspecified vulnerability in Oracle VM VirtualBox related to the Core component could allow an authenticated attacker to take control of the system.

CVE-2022-21490, CVSS 6.3

An unspecified vulnerability in Oracle MySQL Cluster related to the Cluster: General component could allow an authenticated attacker to take control of the system.

CVE-2022-21489, CVSS 6.3

An unspecified vulnerability in Oracle MySQL Cluster related to the Cluster: General component could allow an authenticated attacker to take control of the system.

CVE-2022-21488, CVSS 3.8

An unspecified vulnerability in Oracle VM VirtualBox related to the Core component could allow an authenticated attacker to achieve a low integrity impact, with no confidentiality or availability impact.

CVE-2022-21487, CVSS 3.8

An unspecified vulnerability in Oracle VM VirtualBox related to the Core component could allow an authenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.

CVE-2022-21486, CVSS 2.9

An unspecified vulnerability in Oracle MySQL Cluster related to the Cluster: General component could allow an authenticated attacker to achieve low confidentiality and availability impacts, with no integrity impact.

CVE-2022-21485, CVSS 2.9

An unspecified vulnerability in Oracle MySQL Cluster related to the Cluster: General component could allow an authenticated attacker to achieve low confidentiality and availability impacts, with no integrity impact.

CVE-2022-21484, CVSS 2.9

An unspecified vulnerability in Oracle MySQL Cluster related to the Cluster: General component could allow an authenticated attacker to achieve low confidentiality and availability impacts, with no integrity impact.

CVE-2022-21462, CVSS 4.9

An unspecified vulnerability in Oracle MySQL Server related to the Server: Optimizer component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.

CVE-2022-21461, CVSS 5.5

An unspecified vulnerability in Oracle Solaris related to the Kernel component could allow an authenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.

CVE-2022-21460, CVSS 4.4

An unspecified vulnerability in Oracle MySQL Server related to the Server: Logging component could allow an authenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.

CVE-2022-21459, CVSS 4.4

An unspecified vulnerability in Oracle MySQL Server related to the Server: Optimizer component could allow an authenticated attacker to achieve a low integrity impact and a high availability impact, with no confidentiality impact.

CVE-2022-21458, CVSS 6.1

An unspecified vulnerability in Oracle PeopleSoft Enterprise PeopleTools related to the Navigation Pages, Portal, Query component could allow an unauthenticated attacker to achieve low confidentiality and integrity impacts, with no availability impact.

CVE-2022-21457, CVSS 5.9

An unspecified vulnerability in Oracle MySQL Server related to the Server: PAM Auth Plugin component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.

CVE-2022-21456, CVSS 6.1

An unspecified vulnerability in Oracle PeopleSoft Enterprise PeopleTools related to the Navigation Pages, Portal, Query component could allow an unauthenticated attacker to achieve low confidentiality and integrity impacts, with no availability impact.

CVE-2022-21454, CVSS 6.5

An unspecified vulnerability in Oracle PeopleSoft Enterprise PeopleTools related to the Navigation Pages, Portal, Query component could allow an unauthenticated attacker to achieve low confidentiality and integrity impacts, with no availability impact.

CVE-2022-21453, CVSS 6.1

An unspecified vulnerability in Oracle WebLogic Server related to the Console component could allow an unauthenticated attacker to achieve low confidentiality and integrity impacts, with no availability impact.

CVE-2022-21452, CVSS 4.9

An unspecified vulnerability in Oracle MySQL Server related to the Server: Optimizer component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.

CVE-2022-21451, CVSS 4.4

An unspecified vulnerability in Oracle MySQL Server related to the InnoDB component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.

CVE-2022-21450, CVSS 5.4

An unspecified vulnerability in Oracle PeopleSoft Enterprise PRTL Interaction Hub related to the My Links component could allow an authenticated attacker to achieve low confidentiality and integrity impacts, with no availability impact.

CVE-2022-21448, CVSS 6.1

An unspecified vulnerability in Oracle Business Intelligence Enterprise Edition related to the Visual Analyzer component could allow an unauthenticated attacker to achieve low confidentiality and integrity impacts, with no availability impact.

CVE-2022-21447, CVSS 6.5

An unspecified vulnerability in Oracle PeopleSoft Enterprise CS Academic Advisement related to the Advising Notes component could allow an authenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.

CVE-2022-21446, CVSS 8.2

An unspecified vulnerability in Oracle Solaris related to the Utility component could allow an unauthenticated attacker to achieve a low confidentiality impact and a high integrity impact, with no availability impact.

CVE-2022-21445, CVSS 9.8

An unspecified vulnerability in Oracle JDeveloper related to the ADF Faces component could allow an unauthenticated attacker to take control of the system.

CVE-2022-21444, CVSS 4.4

An unspecified vulnerability in Oracle MySQL Server related to the Server: DDL component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.

CVE-2022-21443, CVSS 3.7

An unspecified vulnerability in Oracle Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.

CVE-2022-21442, CVSS 8.8

An unspecified vulnerability in Oracle GoldenGate related to the OGG Core Library component could allow an authenticated attacker to take control of the system.

CVE-2022-21441, CVSS 7.5

An unspecified vulnerability in Oracle WebLogic Server related to the Core component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.

CVE-2022-21440, CVSS 5.5

An unspecified vulnerability in Oracle MySQL Server related to the Server: Optimizer component could allow an authenticated attacker to achieve a low integrity impact and a high availability impact, with no confidentiality impact.

CVE-2022-21438, CVSS 4.9

An unspecified vulnerability in Oracle MySQL Server related to the Server: Optimizer component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.

CVE-2022-21437, CVSS 4.9

An unspecified vulnerability in Oracle MySQL Server related to the Server: Optimizer component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.

CVE-2022-21436, CVSS 4.9

An unspecified vulnerability in Oracle MySQL Server related to the Server: Optimizer component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.

CVE-2022-21435, CVSS 4.9

An unspecified vulnerability in Oracle MySQL Server related to the Server: Optimizer component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.

CVE-2022-21434, CVSS 5.3

An unspecified vulnerability in Oracle Java SE related to the Libraries component could allow an unauthenticated attacker to achieve a low integrity impact, with no confidentiality or availability impact.

CVE-2022-21431, CVSS 10.0

An unspecified vulnerability in Oracle Communications Billing and Revenue Management related to the Connection Manager component could allow an unauthenticated attacker to take control of the system.

CVE-2022-21430, CVSS 8.5

An unspecified vulnerability in Oracle Communications Billing and Revenue Management related to the Connection Manager component could allow an authenticated attacker to take control of the system.

CVE-2022-21427, CVSS 4.9

An unspecified vulnerability in Oracle MySQL Server related to the Server: FTS component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
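Every entry above follows one fixed sentence pattern, so a defender can turn the list into structured records and triage it instead of reading forty descriptions by eye. The Python below is an added example, not Rewterz's or Oracle's tooling: it parses "CVE-…, CVSS x.y" headers and their descriptions, maps each score to the CVSS v3.x qualitative rating (Low/Medium/High/Critical), and orders entries so that issues reachable by an unauthenticated attacker come first, then by descending score. The sample text is an excerpt copied from the entries above; the ordering rule is the example's own assumption, not a recommendation from the advisory.

```python
"""Triage helper for a plain-text CVE advisory in the format used above.

Added example (not Rewterz's or Oracle's tooling). It parses entries of the
form "CVE-YYYY-NNNNN, CVSS x.y" followed by a one-line description, maps the
score to the CVSS v3.x qualitative rating, and orders entries for patching.
"""
import re
from dataclasses import dataclass

# Constructed excerpt: four entries copied from the advisory above, not the full list.
SAMPLE_ADVISORY = """
CVE-2022-21431, CVSS 10

An unspecified vulnerability in Oracle Communications Billing and Revenue Management related to the Connection Manager component could allow an unauthenticated attacker to take control of the system.

CVE-2022-21491, CVSS 7.8

An unspecified vulnerability in Oracle VM VirtualBox related to the Core component could allow an authenticated attacker to take control of the system.

CVE-2022-21441, CVSS 7.5

An unspecified vulnerability in Oracle WebLogic Server related to the Core component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.

CVE-2022-21486, CVSS 2.9

An unspecified vulnerability in Oracle MySQL Cluster related to the Cluster: General component could allow an authenticated attacker to cause low confidentiality impact, no integrity impact, and low availability impact.
"""

# "CVE-2022-21431, CVSS 10" or "CVE-2022-21494, CVSS 4.0"
HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s*,\s*CVSS\s+(\d+(?:\.\d+)?)\s*$")
# Fixed sentence pattern used by every description in the advisory.
DESC_RE = re.compile(
    r"vulnerability in (?P<product>.+?) related to the (?P<component>.+?) component "
    r"could allow an (?P<auth>unauthenticated|authenticated) attacker to (?P<effect>.+?)\.?$"
)


@dataclass
class Entry:
    cve: str
    cvss: float
    product: str
    component: str
    authenticated: bool   # True when the attacker needs valid credentials
    effect: str

    @property
    def rating(self) -> str:
        """CVSS v3.x qualitative severity rating scale (as published by FIRST)."""
        if self.cvss == 0.0:
            return "None"
        if self.cvss < 4.0:
            return "Low"
        if self.cvss < 7.0:
            return "Medium"
        if self.cvss < 9.0:
            return "High"
        return "Critical"


def parse_advisory(text: str) -> list:
    """Return Entry records in the order they appear in the advisory text."""
    entries = []
    lines = [line.strip() for line in text.splitlines()]
    i = 0
    while i < len(lines):
        header = HEADER_RE.match(lines[i])
        if not header:
            i += 1
            continue
        cve, score = header.group(1), float(header.group(2))
        # The description is the next non-empty line after the header.
        j = i + 1
        while j < len(lines) and not lines[j]:
            j += 1
        desc = lines[j] if j < len(lines) else ""
        fields = DESC_RE.search(desc)
        if fields:
            entries.append(Entry(cve, score, fields["product"], fields["component"],
                                 fields["auth"] == "authenticated", fields["effect"]))
        else:
            # Unrecognised wording: keep the entry but flag it for manual review.
            entries.append(Entry(cve, score, "unknown", "unknown", True, desc))
        i = j + 1
    return entries


def prioritize(entries: list) -> list:
    """Unauthenticated issues first, then descending CVSS, then CVE id for stability."""
    return sorted(entries, key=lambda e: (e.authenticated, -e.cvss, e.cve))


def rating_counts(entries: list) -> dict:
    """Histogram of qualitative ratings, useful for a one-line summary."""
    counts = {}
    for e in entries:
        counts[e.rating] = counts.get(e.rating, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_advisory(SAMPLE_ADVISORY)
    print(rating_counts(parsed))
    for e in prioritize(parsed):
        auth = "auth" if e.authenticated else "UNAUTH"
        print(f"{e.cve} {e.cvss:>4} {e.rating:<8} {auth:<6} {e.product} / {e.component}: {e.effect}")
```

On the full advisory the same parser yields the products and components for the Affected Products list, and the rating histogram makes the gap between the page's overall "Medium" severity label and its individual Critical-rated entries visible at a glance.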

Impact

  • Denial Of Service
  • Unauthorized Access
  • Information Disclosure

Indicators Of Compromise

CVE

  • CVE-2022-21498
  • CVE-2022-21497
  • CVE-2022-21496
  • CVE-2022-21494
  • CVE-2022-21493
  • CVE-2022-21492
  • CVE-2022-21491
  • CVE-2022-21490
  • CVE-2022-21489
  • CVE-2022-21488
  • CVE-2022-21487
  • CVE-2022-21486
  • CVE-2022-21485
  • CVE-2022-21484
  • CVE-2022-21462
  • CVE-2022-21461
  • CVE-2022-21460
  • CVE-2022-21459
  • CVE-2022-21458
  • CVE-2022-21457
  • CVE-2022-21456
  • CVE-2022-21455
  • CVE-2022-21454
  • CVE-2022-21453
  • CVE-2022-21452
  • CVE-2022-21451
  • CVE-2022-21450
  • CVE-2022-21448
  • CVE-2022-21447
  • CVE-2022-21446
  • CVE-2022-21445
  • CVE-2022-21444
  • CVE-2022-21443
  • CVE-2022-21442
  • CVE-2022-21441
  • CVE-2022-21440
  • CVE-2022-21438
  • CVE-2022-21437
  • CVE-2022-21436
  • CVE-2022-21435
  • CVE-2022-21434
  • CVE-2022-21433
  • CVE-2022-21432
  • CVE-2022-21431
  • CVE-2022-21430
  • CVE-2022-21427

Affected Vendors

Oracle

Affected Products

  • Oracle Java SE 11.0.14
  • Oracle Java SE 8u321
  • Oracle Java SE 7u331
  • Oracle Java SE 17.0.2
  • Oracle Java SE 18
  • Oracle Solaris 11
  • Oracle Database Server 12.1.0.2
  • Oracle Database Server 19c
  • Oracle Web Services 12.2.1.4.0
  • Oracle Web Services 12.2.1.3.0
  • Oracle MySQL Server 8.0.28
  • Oracle MySQL Server 5.7.37
  • Oracle GoldenGate 23.0
  • Oracle VM VirtualBox 6.1.33
  • Oracle MySQL Cluster 8.0.28
  • Oracle MySQL Cluster 7.4.35
  • Oracle MySQL Cluster 7.5.25
  • Oracle MySQL Cluster 7.6.21
  • Oracle JDeveloper 12.2.1.3.0
  • Oracle WebLogic Server 12.2.1.3.0
  • Oracle WebLogic Server 12.2.1.4.0
  • Oracle PeopleSoft Enterprise PeopleTools 8.58
  • Oracle PeopleSoft Enterprise PeopleTools 8.59
  • Oracle Business Intelligence Enterprise Edition 5.9.0.0.0
  • Oracle PeopleSoft Enterprise CS Academic Advisement 9.2
  • Oracle PeopleSoft Enterprise PRTL Interaction Hub 9.1.00
  • Oracle Communications Billing and Revenue Management 12.0.0.4
  • Oracle Communications Billing and Revenue Management 12.0.0.5

Remediation

Refer to Oracle Critical Patch Update Advisory – April 2022 for the patch, upgrade, or suggested workaround information.

COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.