BACK TO NEWS & UPDATES
VENDOR UPDATE | 22 October 2021

Oracle Database Critical Patch And Security Update October 2021

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Please review our previous Critical Patch Update advisories for more information regarding earlier published security fixes.

Oracle Database Product Critical Patch Summary

This Critical Patch Update contains 16 new security patches for Oracle Database Products:

  • New security patches for Oracle Database Products:
    • Oracle Database 12.1.0.2
    • Oracle Database 12.2.0.1
    • Oracle Database 19c
    • Oracle Database 21c

Oracle Database Server Risk Matrix

CVE#ComponentPackage and/or Privilege RequiredProtocolRemote
Exploit
without
Auth.?		CVSS VERSION 3.0 RISKSupported Versions AffectedNotes
Base
Score		Attack
Vector		Attack
Complex		Privs
Req'd		User
Interact		ScopeConfid-
entiality		Inte-
grity		Avail-
ability
CVE-2021-35599 Zero Downtime DB Migration to Cloud Local Logon Local Logon No 8.2 Local Low High None Changed High High High 21c  
CVE-2021-25122 Oracle Database Enterprise Edition (Apache Tomcat) None HTTP Yes 7.5 Network Low None None Un-
changed		 High None None 12.2.0.1, 19c, 21c  
CVE-2021-35619 Java VM Create Procedure Oracle Net No 7.1 Network High Low Required Un-
changed		 High High High 12.1.0.2, 12.2.0.1, 19c, 21c  
CVE-2021-2332 Oracle LogMiner DBA Oracle Net No 6.7 Network Low High None Un-
changed		 Low High High 12.1.0.2, 12.2.0.1, 19c  
CVE-2021-35551 RDBMS Security DBA Oracle Net No 5.5 Network Low High None Un-
changed		 None Low High 12.2.0.1, 19c, 21c  
CVE-2021-35557 Core RDBMS Create Table Oracle Net No 4.3 Network Low Low None Un-
changed		 None None Low 12.1.0.2, 12.2.0.1, 19c, 21c  
CVE-2021-35558 Core RDBMS Create Table Oracle Net No 4.3 Network Low Low None Un-
changed		 None None Low 12.1.0.2, 12.2.0.1, 19c, 21c  
CVE-2021-26272 Oracle Application Express (CKEditor) None HTTP Yes 4.3 Network Low None Required Un-
changed		 None None Low Prior to 21.1.0  
CVE-2021-35576 Oracle Database Enterprise Edition Unified Audit Local Logon Oracle Net No 2.7 Network Low High None Un-
changed		 None Low None 12.1.0.2, 12.2.0.1, 19c  

Additional CVEs addressed are:

  • The patch for CVE-2021-25122 also addresses
    • CVE-2020-9484
    • CVE-2021-25329
  • The patch for CVE-2021-26272 also addresses CVE-2021-26271.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Autonomous Health Framework (Apache Commons IO): CVE-2021-29425.
  • GraalVM Multilingual Engine:
    • CVE-2021-29921
    • CVE-2020-28928
    • CVE-2021-2341
    • CVE-2021-2369
    • CVE-2021-2388
    • CVE-2021-2432
  • Oracle Spatial and Graph - GeoRaster (OpenJPEG): CVE-2020-27824.

Further Help and Assistance

For further advice about Oracle Critical Patch Updates, including installation planning and consultancy services, please contact one of our pre-sales technical team on 0330 332 6223 or visit our website nlightn-IT

Latest Articles

GET IN TOUCH

Fill out the form and our specialist will contact you for a consultation.

GET IN TOUCH

PARTNERS WE WORK WITH
  • Microsoft
  • Db Visit
  • Oracle
  • Tibero
  • Tmaxsoft
  • Tmaxsoft
  • SplashBI
nlight-IT

Services

Company

Legal

Social

 

Copyright © 2024 nlightn-IT Ltd
Website by Cloudblue