On January 18, 2022 (US time), Oracle released its quarterly Critical Patch Update covering multiple Oracle products. It addresses 25 vulnerabilities in the Oracle WebLogic middleware, 1 of which is rated high-severity with a base score of 9.8.

Along with the formal publication of the advisory, Oracle has also made patches for the affected products available for download to licensed My Oracle Support (MOS) users (including Extended Support patches). In addition, the minor version numbers of the two mainstream Oracle JDK releases have been bumped to 1.7.0_331 and 1.8.0_321 respectively.

As of 8:40 a.m. on January 19, Oracle had not yet published the latest vulnerability patches for the affected versions on MOS.
| CVE-ID | Affected product | Component | Protocol | Remotely exploitable without authentication? | Base score | Attack vector | Attack complexity | User interaction | Confidentiality | Availability | Affected versions (Oracle on-support) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-21306 | Oracle WebLogic Server | Core | T3 | Yes | 9.8 | Network | Low | None | High | High | 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2021-4104 | Oracle WebLogic Server | Centralized Thirdparty Jars (Apache Log4j) | HTTP | No | 7.5 | Network | High | None | High | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2022-21292 | Oracle WebLogic Server | Samples | HTTP | Yes | 7.5 | Network | Low | None | High | None | 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2020-5258 | Oracle WebLogic Server | Samples (dojo) | HTTP | Yes | 7.5 | Network | Low | None | None | None | 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2022-21371 | Oracle WebLogic Server | Web Container | HTTP | Yes | 7.5 | Network | Low | None | High | None | 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2021-27568 | Oracle WebLogic Server | Web Services (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2021-44832 | Oracle WebLogic Server | Centralized Thirdparty Jars (Apache Log4j) | HTTP | No | 6.6 | Network | High | None | High | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2022-21252 | Oracle WebLogic Server | Samples | HTTP | Yes | 6.5 | Network | Low | None | Low | None | 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2022-21347 | Oracle WebLogic Server | Core | T3 | Yes | 6.5 | Network | Low | None | None | Low | 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2022-21350 | Oracle WebLogic Server | Core | T3 | Yes | 6.5 | Network | Low | None | None | Low | 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2022-21353 | Oracle WebLogic Server | Core | T3 | Yes | 6.5 | Network | Low | None | None | Low | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2020-2934 | Oracle WebLogic Server | Datasource (MySQL Connector) | SQL | Yes | 6.3 | Network | Low | Required | Low | Low | 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2022-21361 | Oracle WebLogic Server | Sample apps | HTTP | Yes | 6.1 | Network | Low | Required | Low | None | 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2020-11023 | Oracle WebLogic Server | Sample apps (jQuery) | HTTP | Yes | 6.1 | Network | Low | Required | Low | None | 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2022-21257 | Oracle WebLogic Server | Samples | HTTP | Yes | 6.1 | Network | Low | Required | Low | None | 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2022-21258 | Oracle WebLogic Server | Samples | HTTP | Yes | 6.1 | Network | Low | Required | Low | None | 14.1.1.0.0 |
| CVE-2022-21259 | Oracle WebLogic Server | Samples | HTTP | Yes | 6.1 | Network | Low | Required | Low | None | 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2022-21260 | Oracle WebLogic Server | Samples | HTTP | Yes | 6.1 | Network | Low | Required | Low | None | 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2022-21261 | Oracle WebLogic Server | Samples | HTTP | Yes | 6.1 | Network | Low | Required | Low | None | 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2022-21262 | Oracle WebLogic Server | Samples | HTTP | Yes | 6.1 | Network | Low | Required | Low | None | 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2022-21386 | Oracle WebLogic Server | Web Container | HTTP | Yes | 6.1 | Network | Low | Required | Low | None | 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2019-10219 | Oracle WebLogic Server | Web Services (JBoss Enterprise Application Platform) | HTTP | Yes | 6.1 | Network | Low | Required | Low | None | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2018-1324 | Oracle WebLogic Server | WLST (Apache Commons Compress) | None | No | 5.5 | Local | Low | Required | None | High | 14.1.1.0.0 |
| CVE-2020-13956 | Oracle WebLogic Server | Samples (Apache HttpClient) | HTTP | Yes | 5.3 | Network | Low | None | None | None | 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2021-29425 | Oracle WebLogic Server | Third Party Tools (Apache Commons IO) | HTTP | Yes | 4.8 | Network | High | None | Low | None | 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |