
October: Oracle Patches 419 Security Vulnerabilities

Posted on Nov 11, 2021 | By Pavithra Shankar

Oracle released security patches for 231 CVEs that fixed 419 vulnerabilities in October 2021. We analyzed these weaknesses, which include 36 critical vulnerabilities, and have highlighted the most important ones that ought to be fixed as a priority.


Weaponized Vulnerabilities

74 vulnerabilities have known exploits. Here is what we found:

  • 3 CVEs are associated with the Maze ransomware and APT1 group.

  • CVE-2019-11358, CVE-2020-11022 and CVE-2020-11023 are linked to nine malware threats: OceanSalt, Auriga, Bangat, BISCUIT, MAPIGET, TARSIP, SEASALT, KURTON, and HELAUTO.

  • 1 CVE has an alert issued by CISA.

  • 10 CVEs are classified as Remote Code Execution bugs.

  • 2 CVEs have Privilege Escalation capabilities.

  • 7 CVEs are rated critical and 44 are of high severity.

Old Vulnerabilities

102 old vulnerabilities, discovered between 2016 and 2020, have been patched this month.

  • 3 CVEs are associated with Maze ransomware and the APT1 group. All three vulnerabilities are correlated with 9 malware threats (OceanSalt, Auriga, Bangat, BISCUIT, MAPIGET, TARSIP, SEASALT, KURTON, and HELAUTO).

  • 1 CVE is associated with Privilege Escalation capabilities.

  • 2 CVEs are Remote Code Execution bugs.

  • CISA has issued alerts for 4 CVEs.

  • 17 CVEs are rated critical and 53 are of high severity.

CISA Alerts

CISA issued alerts for 6 CVEs that received a patch this October.

  • 1 CVE has known exploits.

  • CVE-2019-11358 is associated with Maze ransomware, APT1, and 9 malware threats.

  • 2 CVEs are rated critical and 2 are of high severity.

Product Analysis

We analyzed the vulnerabilities fixed in 149 products. Here is our analysis:

Oracle Fusion Middleware received the highest number of patches, with a total of 71 vulnerabilities addressed, including 56 that could be exploited remotely by unauthenticated attackers.

MySQL also received a large number of fixes, totalling 66. Ten of the flaws can be exploited remotely without authentication.

Financial Services Applications received 44 security fixes (26 remotely exploitable without authentication), while Fusion Middleware received 38 (30 remotely exploitable without authentication).

Several other Oracle products also received more than ten security patches.

 

Table: Oracle October Patches 2021

 

On October 19, 2021, CISA issued an alert encouraging customers to apply security patches across multiple products. Users are urged to visit Oracle's security advisories as soon as possible to download the security patches required to fix these vulnerabilities.

 
