Oracle’s first bug-fix release for 2023 includes 71 critical patches out of a total 327 security updates.
A large number of the fixes are for third-party software used in a number of different Oracle products.
An Apache Commons Text vulnerability, CVE-2022-42889, affects 15 components in the company’s Communications, Communications Applications, Construction and Engineering, Engineering Manager, Financial Services, Fusion middleware, HealthCare, Hyperion, JD Edwards, and Utilities suites.
The bug offers remote code execution (RCE) to an attacker because Apache Commons Text has a bug in its string interpolation.
Five components in Fusion and Support Tools inherit an unsafe deserialisation vulnerability in Apache’s Mina SSHD, CVE-2022-45047. Mina SSHD is a client- and server-side SSH implementation written in Java.
Six components in Communications, Fusion, MySQL and PeopleSoft were patched to upgrade zlib against CVE-2022-37434, a heap-based buffer overflow.
Seven components in Communications, Communications Applications and MySQL need a patch to fix CVE-2022-31692, a possible authorisation bypass in Spring Security.
Three Communications and Fusion components use a version of FreeType vulnerable to CVE-2022-27404, a heap buffer overflow and have been patched.
One Communications components and three Financial Services components inherited a vulnerability in CVE-2022-33980, an interpolation bug in Apache Commons Configuration.
Log4j pops up in Fusion, but it’s not the infamous Log4Shell bug: CVE-2022-23305 is a SQL bug in the logging library.
Communications and HealthCare Applications components have been patched against CVE-2018-1273, an old SSL bug in Spring Data Commons, and two PeopleSoft components are vulnerable to CVE-2021-3918, a prototype pollution bug in JSON-Schema.
Oracle’s full critical patch advisory is here.