0x00 Background

On April 20, Topsec Alpha Lab observed that Oracle had released its second-quarter security update. This update fixes 224 vulnerabilities in total: 28 critical, 20 high, 48 medium and 128 low. Oracle recommends that users update any component affected by a known vulnerability in this update to a secure version.
0x01 Key Vulnerability Description

Among the vulnerabilities fixed in this update, as many as 28 are critical with a score of 9 or above. Twenty of these affect components that are impacted because they bundle Apache Log4j with the Log4shell vulnerability. The 20 affected products and their corresponding components are listed below.
CVE-2022-23305:

| Affected Product | Affected Component |
|---|---|
| Oracle Communications Messaging Server | ISC (Apache Log4j) |
| Oracle Communications Network Integrity | Cartridge Deployer Tool (Apache Log4j) |
| Oracle Communications Unified Inventory Management | Logging (Apache Log4j) |
| Oracle Communications EAGLE FTP Table Base Retrieval | Core (Apache Log4j) |
| Oracle E-Business Suite Cloud Manager and Cloud Backup Module | Logging (Apache Log4j) |
| Enterprise Manager Base Platform | Oracle Management Service (Apache Log4j) |
| Oracle Financial Services Revenue Management and Billing | Infrastructure (Apache Log4j) |
| Oracle Business Intelligence Enterprise Edition | Analytics Server (Apache Log4j) |
| Oracle Business Intelligence Enterprise Edition | BI Platform Security (Apache Log4j) |
| Oracle Business Intelligence Enterprise Edition | Storage Service Integration (Apache Log4j) |
| Oracle Identity Management Suite | Installer (Apache Log4j) |
| Oracle Identity Manager Connector | General and Misc (Apache Log4j) |
| Oracle JDeveloper | Oracle JDeveloper (Apache Log4j) |
| Oracle Middleware Common Libraries and Tools | Third Party Patch (Apache Log4j) |
| Oracle Tuxedo | Third Party Patch (Apache Log4j) |
| Oracle WebLogic Server | Centralized Third Party Jars (Apache Log4j) |
| Oracle Healthcare Data Repository | FHIR (Apache Log4j) |
| Oracle Hyperion Data Relationship Management | Installation/Configuration (Apache Log4j) |
| Oracle Hyperion Infrastructure Technology | Installation and Configuration (Apache Log4j) |
| Oracle Advanced Supply Chain Planning | MscObieeSrvlt (Apache Log4j) |
Besides the components above that are affected through Apache Log4j, this security update also fixes two critical vulnerabilities with a score of 10. One of them, CVE-2022-22947, is according to Oracle's description caused by a vulnerability in the Spring Cloud Gateway component. The products and components affected by these two vulnerabilities are listed below.
CVE-2022-21431:

| Affected Product | Affected Component |
|---|---|
| Oracle Communications Billing and Revenue Management | Connection Manager |
CVE-2022-22947:

| Affected Product | Affected Component |
|---|---|
| Oracle Communications Cloud Native Core Network Exposure Function | NEF (Spring Cloud Gateway) |
| Oracle Communications Cloud Native Core Network Slice Selection Function | NSSF (Spring Cloud Gateway) |
This update also fixes a vulnerability in the T3 protocol of Oracle WebLogic.

CVE-2022-21420:

| Affected Product | Affected Component |
|---|---|
| Oracle Coherence | Core |
0x02 Affected Versions
CVE-2022-23305:

| Affected Product | Affected Component | Affected Versions |
|---|---|---|
| Oracle Communications Messaging Server | ISC (Apache Log4j) | 8.1 |
| Oracle Communications Network Integrity | Cartridge Deployer Tool (Apache Log4j) | 7.3.6 |
| Oracle Communications Unified Inventory Management | Logging (Apache Log4j) | 7.4.1, 7.4.2 |
| Oracle Communications EAGLE FTP Table Base Retrieval | Core (Apache Log4j) | 4.5 |
| Oracle E-Business Suite Cloud Manager and Cloud Backup Module | | |