May, 2022: Patch Monday: Unexpected Patches from Oracle and Mozilla

Welcome to this May Patch Monday Bulletin. We have our fair share of 3rd party patches to address this past month. Let's start with some high priority patches.

Oracle normally releases their security updates quarterly. On May 19th they released a "Security Alert Advisory" for CVE-2022-21500. Normally we report on the end user products of Oracle, such as Java, but since Oracle "strongly recommends that customers apply the updates" as soon as possible, we wanted to include it this month. Although its CVSS score is only 7.5, it is remotely exploitable without authentication, so we thought you should be made aware of it.

Next is a critical update released by Mozilla after their normal mid-month patches on May 3rd. On May 20th they released a critical update for Firefox, Firefox ESR, Firefox for Android and Thunderbird. The update addresses two critical CVEs: CVE-2022-1802 and CVE-2022-1529. It updates software to the following versions: Firefox 100.0.2, Firefox for Android 100.0.3, Firefox ESR 91.9.1 and Thunderbird 91.9.1.

Apple has also released updates for macOS Monterey, Big Sur and Catalina. Google has had a few updates over the past month for Chrome addressing 42 security fixes, 14 of which are rated "High" by Google. We recommend you review the chart below to determine if your environment contains any of the affected 3rd party products from this month.

| Identifier | Vendor/Product | Product Version Affected | Date Released by Vendor | Vulnerability Info | Vendor Severity / Our Recommendation |
|---|---|---|---|---|---|
| CVE-2022-28819 | Adobe Character Animator | 2021 4.4.2 and earlier; 2022 22.3 and earlier | 5/10/2022 | Arbitrary Code Execution | Critical Priority 3: Update at admin's discretion |
| CVE-2022-28818 | Adobe ColdFusion | 2018 Update 13 and earlier; 2021 Version 3 and earlier | 5/10/2022 | Arbitrary Code Execution | Important Priority 2: Update at admin's discretion |
| Multiple CVEs | Adobe InDesign | 17.1 and earlier | 5/10/2022 | Arbitrary Code Execution | Critical Priority 3: Update at admin's discretion |
| Multiple CVEs | Adobe FrameMaker | 2019 Release Update 8 and earlier; 2020 Release Update 4 and earlier | 5/10/2022 | Arbitrary Code Execution, Memory Leak | Critical Priority 3: Update at admin's discretion |
| Multiple CVEs | Adobe InCopy | 17.1 and earlier | 5/10/2022 | Arbitrary Code Execution | Critical Priority 3: Update at admin's discretion |
| Multiple CVEs | Apple iOS/iPadOS | Before 15.5 | 5/16/2022 | Race Condition, Arbitrary Code Execution, Memory Corruption Issue, Denial of Service, Security Feature Bypass, Use After Free | Update as soon as possible |
| Multiple CVEs | Apple macOS | Monterey before 12.4; Big Sur before 11.6.6; 2022-004 Catalina Security Update | 5/16/2022 | Out of Bounds Read/Write, Out of Bounds Access, Arbitrary Code Execution, Logic Issue, Denial of Service, Security Feature Bypass | Update as soon as possible |
| Multiple CVEs | Apple Xcode | Before 13.4 | 5/16/2022 | Elevation of Privilege, Logic Issue | Update after testing |
| Multiple CVEs | Apple Safari | Before 15.5 | 5/16/2022 | Arbitrary Code Execution | Update after testing |
| Multiple CVEs | Google Chrome | Before 101.0.4951.67 | 5/12/2022 | Use After Free, Buffer Overflow, Inappropriate Implementation, Type Confusion, Out of Bounds Memory Access | Update as soon as possible |
| Multiple CVEs | Mozilla Thunderbird | Before 91.9 | 5/3/2022 | Incorrect Security Status, Spoofing, Privilege Escalation, Leaking Security Status, Improper Implementation, Arbitrary Code Execution | Update as soon as possible |
| Multiple CVEs | Mozilla Firefox | Before 100; Before ESR 91.9 | 5/3/2022 | Spoofing, Privilege Escalation, Leaking Security Status, Improper Implementation, Arbitrary Code Execution | Update as soon as possible |
| Multiple CVEs | Opera | Before 87 | 5/17/2022 | Use After Free, Buffer Overflow, Inappropriate Implementation, Type Confusion, Out of Bounds Memory Access | Update as soon as possible |
| CVE-2022-21500 | Oracle | Oracle E-Business Suite 12.1/12.2 | 5/19/2022 | Exposure of PII | Update as soon as possible |