Rewterz Threat Advisory – Multiple Oracle Vulnerabilities

Severity

High

Analysis Summary

CVE-2022-21266 

An unspecified vulnerability in Oracle Communications Billing and Revenue Management related to the Pipeline Manager component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.

CVE-2022-21273 

An unspecified vulnerability in Oracle E-Business Suite related to the Oracle Project Costing: Expenses, Currenty Override component could allow an authenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact.

CVE-2022-21274 

An unspecified vulnerability in Oracle E-Business Suite related to the Oracle Sourcing: Intelligence RFx Creation component could allow an authenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact.

CVE-2022-21275 

An unspecified vulnerability in Oracle Communications Billing and Revenue Management related to the Connection Manager component could allow an unauthenticated attacker to take control of the system.

CVE-2022-21276 

An unspecified vulnerability in Oracle Communications Billing and Revenue Management related to the Connection Manager component could allow an authenticated attacker to take control of the system.

CVE-2022-21371 

An unspecified vulnerability in Oracle WebLogic Server related to the component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.

CVE-2022-21382 

An unspecified vulnerability in Oracle Enterprise Session Border Controller related to the WebUI component could allow an authenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.

CVE-2022-21389 

An unspecified vulnerability in Oracle Communications Billing and Revenue Management related to the Connection Manager component could allow an unauthenticated attacker to take control of the system.

CVE-2022-21390 

An unspecified vulnerability in Oracle Communications Billing and Revenue Management related to the Webservices Manager component could allow an unauthenticated attacker to take control of the system.

CVE-2022-21391 

An unspecified vulnerability inOracle Communications Billing and Revenue Management related to the Connection Manager component could allow an authenticated attacker to take control of the system.

CVE-2022-21392 

An unspecified vulnerability in Oracle Enterprise Manager Base Platform related to the Policy Framework component could allow an authenticated attacker to cause high confidentiality impact, low integrity impact, and no availability impact.

CVE-2022-21395 

An unspecified vulnerability in Oracle Communications Operations Monitor related to the Mediation Engine component could allow an authenticated attacker to take control of the system.

Impact

• Information Disclosure
• Unauthorized Access

Affected Vendors

Oracle

Affected Products

• Oracle Communications Billing and Revenue Management 12.0.0.3
• Oracle Communications Billing and Revenue Management 12.0.0.4
• Oracle E-Business Suite 12.2.3
• Oracle E-Business Suite 12.2.11
• Oracle WebLogic Server 12.1.3.0
• Oracle WebLogic Server 12.2.1.3
• Oracle Enterprise Session Border Controller 8.4
• Oracle Enterprise Session Border Controller 9.0
• Oracle Enterprise Manager Base Platform 13.4.0.0
• Oracle Enterprise Manager Base Platform 13.5.0.0
• Oracle Communications Operations Monitor 3.4

Remediation

Refer to Oracle Critical Patch Update Advisory – January 2022 for patch, upgrade or suggested workaround information.
https://www.oracle.com/security-alerts/cpujan2022.html