January 2023 Critical Patch Update: High Level Summary
Oracle released the PeopleTools Critical Patch Update (CPU) on January 17th. This CPU contains 12 new security patches for Oracle PeopleSoft Enterprise PeopleTools. 10 of these vulnerabilities may be remotely exploitable without authentication, and 1 update is specific to the PeopleSoft 9.2 application. The following is a list of patches for Middleware Applications and PeopleTools with a Base Score of 7.0+.
PeopleTools (Versions 8.58, 8.59 and 8.60)

| Score | CVE# | Component |
|---|---|---|
| 9.8 | CVE-2021-3918 | Chatbot Framework |
| 9.8 | CVE-2021-3918 | Elastic Search |
| 9.8 | CVE-2022-37434 | PeopleSoft CDA |
| 7.5 | CVE-2022-25857 | Cloud Manager (SnakeYAML) |
| 7.5 | CVE-2022-31129 | Elastic Search (Moment.js) |
| 7.5 | CVE-2022-42003 | Elastic Search (jackson-databind) |
| 7.5 | CVE-2022-27782 | File Processing (cURL) |
| 7.5 | CVE-2020-10735 | Porting (Python) |
| 7.5 | CVE-2022-40149 | Security (Jettison) |

Java SE

| Score | CVE# | Component |
|---|---|---|
| 8.1 | CVE-2022-43548 | Node |

WebLogic

| Score | CVE# | Component |
|---|---|---|
| 9.8 | CVE-2018-7489 | Centralized Third Party Jars (jackson-databind) |
| 9.8 | CVE-2022-42920 | Centralized Third Party Jars (Apache Commons BCEL) |
| 7.5 | CVE-2022-40150 | Centralized Third Party Jars (Jettison) |
| 7.5 | CVE-2022-40153 | Centralized Third Party Jars (XStream) |
| 7.5 | CVE-2022-25647 | Samples (Google GSON) |
| 7.5 | CVE-2023-21842 | Web Container |
| 7.5 | CVE-2023-21837 | IIOP |
| 7.5 | CVE-2023-21838, CVE-2023-21839, CVE-2023-21841 | T3, IIOP |

More information on January 2023 CPU
https://www.oracle.com/security-alerts/cpujan2023.html#AppendixPS