0x01 Vulnerability overview
In January 2021 Oracle released its quarterly Critical Patch Update (CPU), containing 329 security patches. 60 of them are for Oracle Fusion Middleware and mainly cover:
- Oracle WebLogic Server
- Oracle Endeca Information Discovery Integrator
- Oracle WebCenter Portal
- Oracle BI Publisher
- Oracle Business Intelligence Enterprise Edition
and other products. 47 of the 60 Fusion Middleware patches address vulnerabilities that can be exploited remotely without authentication.
0x02 Vulnerability description
Oracle WebLogic Server
This update fixes several deserialization vulnerabilities in WebLogic Server that allow an unauthenticated attacker to execute code by sending crafted requests over the HTTP, IIOP and T3 protocols. The critical CVE numbers are as follows:
- CVE-2021-1994
- CVE-2021-2047
- CVE-2021-2064
- CVE-2021-2108
- CVE-2021-2075
- CVE-2019-17195
Oracle Communications
12 new security patches, 7 of which address vulnerabilities that can be exploited remotely without authentication, that is, over the network without user credentials. The critical CVE numbers are as follows:
- CVE-2019-7164
- CVE-2020-24750
Oracle E-Business Suite
31 new security patches, 29 of which address vulnerabilities that can be exploited remotely without authentication, that is, over the network without user credentials. The critical CVE numbers are as follows:
- CVE-2021-2029
- CVE-2021-2100
- CVE-2021-2101
Oracle Enterprise Manager
8 new security patches, all of which address vulnerabilities that can be exploited remotely without authentication, that is, over the network without user credentials. The critical CVE numbers are as follows:
- CVE-2019-13990
- CVE-2020-11973
- CVE-2016-1000031
- CVE-2020-11984
- CVE-2020-10683
Oracle Financial Services Applications
50 new security patches, 41 of which address vulnerabilities that can be exploited remotely without authentication, that is, over the network without user credentials. The critical CVE numbers are as follows:
- CVE-2020-11612
- CVE-2019-10744
- CVE-2020-8174
- CVE-2019-3773
- CVE-2019-0230
- CVE-2020-1945
Oracle Retail Applications
32 new security patches, 20 of which address vulnerabilities that can be exploited remotely without authentication, that is, over the network without user credentials. The critical CVE numbers are as follows:
- CVE-2020-10683
- CVE-2020-9546
- CVE-2020-1945
- CVE-2020-5421
- CVE-2017-8028
Oracle Database Server
8 new security patches, 1 of which addresses a vulnerability that can be exploited remotely without authentication, that is, over the network without user credentials. The critical CVE numbers are as follows:
- CVE-2021-2035
- CVE-2021-2018
Full advisory: https://www.oracle.com/security-alerts/cpujan2021.html
0x03 Repair suggestions
Oracle has released fixed versions for all of the vulnerabilities above. Users are advised to upgrade to the patched version as soon as possible.
Official Oracle patches can only be downloaded after logging in to an Oracle account.