0x00背景介绍
4月20日,天融信阿尔法实验室监测到Oracle官方发布第二季度安全更新,此次共修复了漏洞224个,其中严重漏洞28个,高危漏洞20个,中危漏洞48个,低危漏洞128个,Oracle官方建议用户将此次更新中存在已知漏洞的组件更新至安全版本
0x01重点漏洞描述
此次更新的漏洞中评分9分以上的严重漏洞多达28个,其中由引入了存在Log4shell漏洞的Apache log4j而造成影响的组件多达20个,这20个受到影响的产品和对应的组件如下所示
CVE-2022-23305:
| 影响产品 |
影响组件 |
| Oracle Communications Messaging Server | ISC (Apache Log4j) |
| Oracle Communications Network Integrity | Cartridge Deployer Tool (Apache Log4j) |
| Oracle Communications Unified Inventory Management |
Logging (Apache Log4j) |
| Oracle Communications EAGLE FTP Table Base Retrieval | Core (Apache Log4j) |
| Oracle E-Business Suite Cloud Manager and Cloud Backup Module | Logging (Apache Log4j) |
| Enterprise Manager Base Platform | Oracle Management Service (Apache Log4j) |
| Oracle Financial Services Revenue Management and Billing | Infrastructure (Apache Log4j) |
| Oracle Business Intelligence Enterprise Edition | Analytics Server (Apache Log4j) |
| Oracle Business Intelligence Enterprise Edition | BI Platform Security (Apache Log4j) |
| Oracle Business Intelligence Enterprise Edition | Storage Service Integration (Apache Log4j) |
| Oracle Identity Management Suite | Installer (Apache Log4j) |
| Oracle Identity Manager Connector | General and Misc (Apache Log4j) |
| Oracle JDeveloper | Oracle JDeveloper (Apache Log4j) |
| Oracle Middleware Common Libraries and Tools | Third Party Patch (Apache Log4j) |
| Oracle Tuxedo | Third Party Patch (Apache Log4j) |
| Oracle WebLogic Server | Centralized Third Party Jars (Apache Log4j) |
| Oracle Healthcare Data Repository | FHIR (Apache Log4j) |
| Oracle Hyperion Data Relationship Management | Installation/Configuration (Apache Log4j) |
| Oracle Hyperion Infrastructure Technology | Installation and Configuration (Apache Log4j) |
|
Oracle Advanced Supply Chain Planning |
MscObieeSrvlt (Apache Log4j) |
除了以上这些受Apache log4j影响的组件外,此次安全更新还修复了两个评分高达10分的严重漏洞,其中一个漏洞CVE-2022-22947根据官方描述是受到了Spring Cloud Gateway这个组件的漏洞影响,这两个漏洞所影响的产品及组件如下所示
CVE-2022-21431:
| 影响产品 |
影响组件 |
| Oracle Communications Billing and Revenue Management | Connection Manager |
CVE-2022-22947:
| 影响产品 |
影响组件 |
| Oracle Communications Cloud Native Core Network Exposure Function | NEF (Spring Cloud Gateway) |
| Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (Spring Cloud Gateway) |
针对Oracle Weblogic 的T3协议此次更新也修复了一个漏洞
CVE-2022-21420:
| 影响产品 |
影响组件 |
| Oracle Coherence | Core |
0x02受影响版本
CVE-2022-23305:
| 影响产品 |
影响组件 |
影响版本 |
| Oracle Communications Messaging Server | ISC (Apache Log4j) | 8.1 |
| Oracle Communications Network Integrity | Cartridge Deployer Tool (Apache Log4j) | 7.3.6 |
| Oracle Communications Unified Inventory Management |
Logging (Apache Log4j) | 7.4.1, 7.4.2 |
| Oracle Communications EAGLE FTP Table Base Retrieval | Core (Apache Log4j) | 4.5 |
| Oracle E-Business Suite Cloud Manager and Cloud Backup Module | Logging (Apache Log4j) | EBS Cloud Manager and Backup Module: Prior to 22.1.1.1 |
| Enterprise Manager Base Platform | Oracle Management Service (Apache Log4j) | 13.4.0.0, 13.5.0.0 |
| Oracle Financial Services Revenue Management and Billing | Infrastructure (Apache Log4j) | 2.7.0.0, 2.7.0.1, 2.8.0.0 |
| Oracle Business Intelligence Enterprise Edition | Analytics Server (Apache Log4j) | 5.9.0.0.0 |
| Oracle Business Intelligence Enterprise Edition | BI Platform Security (Apache Log4j) | 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0 |
| Oracle Business Intelligence Enterprise Edition | Storage Service Integration (Apache Log4j) | 12.2.1.4.0 |
| Oracle Identity Management Suite | Installer (Apache Log4j) | 12.2.1.3.0, 12.2.1.4.0 |
| Oracle Identity Manager Connector | General and Misc (Apache Log4j) | 11.1.1.5.0 |
| Oracle JDeveloper | Oracle JDeveloper (Apache Log4j) | 12.2.1.3.0 |
| Oracle Middleware Common Libraries and Tools | Third Party Patch (Apache Log4j) | 12.2.1.4.0 |
| Oracle Tuxedo | Third Party Patch (Apache Log4j) | 12.2.2.0.0 |
| Oracle WebLogic Server | Centralized Third Party Jars (Apache Log4j) | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| Oracle Healthcare Data Repository | FHIR (Apache Log4j) | 8.1.0 |
| Oracle Hyperion Data Relationship Management | Installation/Configuration (Apache Log4j) | Prior to 11.2.8.0 |
| Oracle Hyperion Infrastructure Technology | Installation and Configuration (Apache Log4j) | Prior to 11.2.8.0 |
|
Oracle Advanced Supply Chain Planning |
MscObieeSrvlt (Apache Log4j) | 12.1, 12.2 |
CVE-2022-21431:
| 影响产品 |
影响组件 |
影响版本 |
| Oracle Communications Billing and Revenue Management | Connection Manager | 12.0.0.4, 12.0.0.5 |
CVE-2022-22947:
| 影响产品 |
影响组件 |
影响版本 |
| Oracle Communications Cloud Native Core Network Exposure Function | NEF (Spring Cloud Gateway) |
22.1.0 |
| Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (Spring Cloud Gateway) |
22.1.0, 1.8.0 |
CVE-2022-21420:
| 影响产品 |
影响组件 |
影响版本 |
| Oracle Coherence | Core |
12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
0x03修复建议
Oracle官方已经发布安全补丁,建议用户尽快更新至安全版本,参考链接如下所示:https://www.oracle.com/security-alerts/cpuapr2022.html
0x04声明
天融信阿尔法实验室拥有对此公告的修改和解释权,如欲转载,必须保证此公告的完整性。由于传播、利用此公告而造成的任何后果,均由使用者本人负责,天融信阿尔法实验室不为此承担任何责任。
天融信阿尔法实验室成立于2011年,一直以来,阿尔法实验室秉承“攻防一体”的理念,汇聚众多专业技术研究人员,从事攻防技术研究,在安全领域前瞻性技术研究方向上不断前行。作为天融信的安全产品和服务支撑团队,阿尔法实验室精湛的专业技术水平、丰富的排异经验,为天融信产品的研发和升级、承担国家重大安全项目和客户服务提供强有力的技术支撑。
天融信
阿尔法实验室
长按二维码关注我们
原文始发于微信公众号(天融信阿尔法实验室):【风险提示】天融信关于Oracle 2022年第二季度安全更新风险提示
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论