On January 19, 2021, Oracle officially released its Critical Patch Update (CPU) Advisory for January 2021.
This security update fixes 329 security vulnerabilities. Of these, 60 patches apply to Oracle Fusion Middleware, mainly covering Oracle WebLogic Server, Oracle Endeca Information Discovery Integrator, Oracle WebCenter Portal, Oracle BI Publisher, Oracle Business Intelligence Enterprise Edition, and other products. Among the 60 Oracle Fusion Middleware patches, 47 address vulnerabilities that can be exploited remotely without authentication.
Vulnerability Detail
Multiple critical vulnerabilities in Oracle WebLogic Server
This update fixes multiple deserialization vulnerabilities in Oracle WebLogic Server. They allow an unauthenticated attacker to send crafted malicious requests over the HTTP, IIOP, and T3 protocols and execute code on the WebLogic Server. The critical vulnerability numbers are as follows:
- CVE-2021-1994
- CVE-2021-2047
- CVE-2021-2064
- CVE-2021-2108
- CVE-2021-2075
- CVE-2019-17195
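Since the WebLogic issues above are reachable over T3 and IIOP, a common defense-in-depth step while the patch is being rolled out is to limit which source addresses may open those protocols, using WebLogic's built-in connection filter. The rule set below is an added example written for this page, not part of the advisory; the network ranges are placeholders, and the rule syntax (target, local address, local port, action, protocols) and the protocol names t3, t3s, giop and giops are assumed from WebLogic's connection-filter documentation and should be checked against the version in use. It is loaded by setting `weblogic.security.net.ConnectionFilterImpl` as the domain's connection filter and pointing it at this rules file.

```text
# Added example: WebLogic connection-filter rules (not from the advisory).
# Format: target localAddress localPort action protocols
# Rules are evaluated top to bottom; first match wins.

# PLACEHOLDER: management/admin network that legitimately needs T3 and IIOP
10.0.0.0/8 * * allow t3 t3s giop giops

# PLACEHOLDER: application servers that use RMI/T3 between cluster members
192.168.10.0/24 * * allow t3 t3s

# Everyone else: deny the RMI-style protocols, leave HTTP(S) to the front-end
0.0.0.0/0 * * deny t3 t3s giop giops
```

This reduces the unauthenticated attack surface for the listed deserialization issues but does not remove it; the HTTP-reachable variants still require the January 2021 patch, and the filter only complements it.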
Multiple Critical Vulnerabilities in Oracle Communications
This security update contains 12 new security patches for Oracle Communications. Seven of these vulnerabilities can be exploited remotely without authentication, that is, an attacker can exploit them over the network without user credentials. The critical vulnerability numbers are as follows:
- CVE-2019-7164
- CVE-2020-24750
Multiple Critical Vulnerabilities in Oracle E-Business Suite
This security update contains 31 new security patches for Oracle E-Business Suite. 29 of these vulnerabilities can be exploited remotely without authentication, that is, an attacker can exploit them over the network without user credentials. The critical vulnerability numbers are as follows:
- CVE-2021-2029
- CVE-2021-2100
- CVE-2021-2101
Multiple Critical Vulnerabilities in Oracle Enterprise Manager
This security update contains 8 new security patches for Oracle Enterprise Manager. All of these vulnerabilities can be exploited remotely without authentication, that is, an attacker can exploit them over the network without user credentials. The critical vulnerability numbers are as follows:
- CVE-2019-13990
- CVE-2020-11973
- CVE-2016-1000031
- CVE-2020-11984
- CVE-2020-10683
Multiple Critical Vulnerabilities in Oracle Financial Services Applications
This security update contains 50 new security patches for Oracle Financial Services Applications. Among them, 41 vulnerabilities can be exploited remotely without authentication, that is, an attacker can exploit them over the network without user credentials. The critical vulnerability numbers are as follows:
- CVE-2020-11612
- CVE-2019-10744
- CVE-2020-8174
- CVE-2019-3773
- CVE-2019-0230
- CVE-2020-1945
Multiple Critical Vulnerabilities in Oracle Retail Applications
This security update contains 32 new security patches for Oracle Retail Applications. Among them, 20 vulnerabilities can be exploited remotely without authentication, that is, an attacker can exploit them over the network without user credentials. The critical vulnerability numbers are as follows:
- CVE-2020-10683
- CVE-2020-9546
- CVE-2020-1945
- CVE-2020-5421
Solution
We recommend that users install the Critical Patch Update (CPU) for January 2021 promptly.