As part of its April 2022 Critical Patch Update (CPU), Oracle has released 520 security patches, more than 300 of which address vulnerabilities that can be exploited remotely without authentication.
Seventy-five of the fixes address flaws rated critical (CVSS 9.0 or higher), including three with the maximum CVSS score of 10. Nearly 40 more have CVSS scores between 8 and 9. Several of the patches in this CPU address CVE-2022-22965 (known as Spring4Shell or SpringShell), a critical remote code execution (RCE) vulnerability in the Spring Framework.
One patch also addresses CVE-2022-22963, an RCE vulnerability in Spring Cloud Function. Oracle Communications received the largest share of this quarter's fixes, with 149.