Oracle Critical Patch Update Advisory - April 2023
Description
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.
This Critical Patch Update contains 433 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2023 Critical Patch Update: Executive Summary and Analysis.
Affected Products and Patch Information
Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.
Oracle Blockchain Platform Risk Matrix
This Critical Patch Update contains 7 new security patches, plus additional third party patches noted below, for Oracle Blockchain Platform. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confid- entiality | Inte- grity | Avail- ability | |||||||
| CVE-2021-23017 | Oracle Blockchain Platform | BCS Console (nginx) | UDP | Yes | 7.7 | Network | High | None | None | Un- changed | High | High | Low | Prior to 21.1.3 | |
| CVE-2022-28327 | Oracle Blockchain Platform | BCS Console (Golang Go) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed | None | None | High | Prior to 21.1.3 | |
| CVE-2022-25647 | Oracle Blockchain Platform | BCS Console (Google Gson) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed | None | None | High | Prior to 21.1.3 | |
| CVE-2020-35169 | Oracle Blockchain Platform | BCS Console (Dell BSAFE Micro Edition Suite) | Oracle Net | Yes | 7.4 | Network | High | None | None | Un- changed | High | High | None | Prior to 21.1.3 | |
| CVE-2022-32215 | Oracle Blockchain Platform | BCS Console (Node.js) | HTTP | Yes | 6.5 | Network | Low | None | None | Un- changed | Low | Low | None | Prior to 21.1.3 | |
| CVE-2020-36518 | Oracle Blockchain Platform | BCS Console (jackson-databind) | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed | None | None | High | Prior to 21.1.3 | |
| CVE-2021-36090 | Oracle Blockchain Platform | BCS Console (Apache Commons Compress) | HTTP | No | 4.9 | Network | Low | High | None | Un- changed | None | None | High | Prior to 21.1.3 | |
