Urgent action is required to apply the critical patch updates, as Oracle products are everywhere and threat actors actively target unpatched Oracle networks in the wake of such announcements.
Background
Oracle released its October Critical Patch Update yesterday, addressing 419 security vulnerabilities across the entire Oracle product line.
Due to the severity of the vulnerabilities patched and the ubiquity of Oracle products, CISA has released an advisory to further encourage expedient patching of Oracle environments.
Oracle has reported a spike in customer compromises after Critical Patch Update cycles because threat actors actively target the newly announced and documented vulnerabilities in environments that have not yet been patched.
Critical patch details
Oracle releases its security patches on a quarterly basis and seldom releases security updates outside this window. Since each update covers the entire Oracle product line at once, it often contains a multitude of critical- and high-rated vulnerabilities.
Oracle’s Quarterly Critical Patch Update Cycle releases on the Tuesday closest to the 17th day of January, April, July and October. The next four are scheduled for 18 January 2022, 19 April 2022, 19 July 2022 and 18 October 2022.
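The release rule above (the Tuesday closest to the 17th of January, April, July and October) can be turned into a small patch-window planning helper. The following is an added example, not code from the original advisory or from Oracle; it generalises the rule to any year, so the four 2022 dates listed above (and the 19 October 2021 release this advisory covers) fall out of it.

```python
from datetime import date, timedelta

# Oracle CPU months per the advisory: January, April, July, October.
CPU_MONTHS = (1, 4, 7, 10)
TUESDAY = 1  # date.weekday(): Monday = 0 ... Sunday = 6


def closest_tuesday(anchor: date) -> date:
    """Return the Tuesday nearest to `anchor`.

    A week has seven days, so one of the two neighbouring Tuesdays is always
    strictly closer: at most 3 days forward, otherwise 1 to 3 days back.
    """
    forward = (TUESDAY - anchor.weekday()) % 7  # 0 when anchor is already a Tuesday
    if forward <= 3:
        return anchor + timedelta(days=forward)
    return anchor - timedelta(days=7 - forward)


def cpu_release_dates(year: int) -> list[date]:
    """The four scheduled Critical Patch Update dates for `year`."""
    return [closest_tuesday(date(year, month, 17)) for month in CPU_MONTHS]


def patch_calendar(year: int) -> list[str]:
    """ISO-formatted schedule, e.g. for a change-management ticket or a cron reminder."""
    return [d.isoformat() for d in cpu_release_dates(year)]


def next_cpu_release(today_iso: str) -> str:
    """First scheduled CPU release on or after the given ISO date (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    for year in (today.year, today.year + 1):
        for release in cpu_release_dates(year):
            if release >= today:
                return release.isoformat()
    raise RuntimeError("unreachable: the following year always has four releases")


if __name__ == "__main__":
    for year in (2021, 2022):
        print(year, patch_calendar(year))
    print("next release after 2021-10-20:", next_cpu_release("2021-10-20"))
```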
Oracle products are ubiquitous across corporate environments. Since the Oracle MySQL database and Oracle Java SE platforms are included (as well as common tools such as Middleware and PeopleSoft), it is likely that affected Oracle products are present in your environment.
Mitigations
It’s highly recommended to apply the patches if possible.
Consult the official Oracle advisory for additional details.
Resources
Official Oracle Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
CISA Advisory
https://us-cert.cisa.gov/ncas/current-activity/2021/10/19/oracle-releases-october-2021-critical-patch-update
Oracle Critical Patch Updates Page
https://www.oracle.com/security-alerts/