Oracle Database Server Risk Matrix
This Critical Patch Update contains 2 new security fixes for the Oracle Database Server divided as follows:
- 1 new security fix for the Oracle Database Server. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. This fix is not applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
- 1 new security fix for Oracle GoldenGate. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2018-2841 | Java VM | Create Session, Create Procedure | Multiple | No | 8.5 | Network | High | Low | None | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1.0.0 | |
This Critical Patch Update contains 1 new security fix for Oracle GoldenGate. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2018-2832 | Oracle GoldenGate | None | HTTP | Yes | 8.6 | Network | Low | None | None | Changed | High | None | None | 12.2.0.1 | |
Oracle Communications Applications Risk Matrix
This Critical Patch Update contains 9 new security fixes for Oracle Communications Applications. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2017-5645 | Oracle Communications Network Intelligence | Security (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 7.3.x | |
| CVE-2017-5645 | Oracle Communications Unified Inventory Management | Logging (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 7.x | |
| CVE-2017-15095 | Oracle Communications Calendar Server | WCAP (jackson-databind) | WCAP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 8.x | |
| CVE-2017-15095 | Oracle Communications Contacts Server | REST (jackson-databind) | RESTful Addressbook Protocol | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 8.x | |
| CVE-2016-6304 | Oracle Communications EAGLE LNP Application Processor | Security (OpenSSL) | TLS | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 10.1.0.0.0 and Prior | |
| CVE-2017-7805 | Oracle Communications Messaging Server | Security (NSS) | TLS | No | 7.5 | Network | High | Low | None | Un- changed |
High | High | High | 8.x | |
| CVE-2017-5662 | Oracle Communications MetaSolv Solution | Print Preview (Apache Batik) | HTTP | No | 7.3 | Network | Low | Low | Required | Un- changed |
High | None | High | 6.3.0 | |
| CVE-2018-2756 | Oracle Communications Order and Service Management | WebUI | HTTP | No | 6.3 | Network | Low | Low | Required | Un- changed |
High | Low | None | 7.2.4.3.0, 7.3.0.1.x, 7.3.1.0.7, 7.3.5.0.x | |
| CVE-2017-3736 | Oracle Communications Network Charging and Control | Common (OpenSSL) | TLS | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0 | |
Additional CVEs addressed are below:
- The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309 and CVE-2016-7052.
- The fix for CVE-2017-15095 also addresses CVE-2017-7525.
- The fix for CVE-2017-3736 also addresses CVE-2017-3735.
Oracle Construction and Engineering Suite Risk Matrix
This Critical Patch Update contains 4 new security fixes for the Oracle Construction and Engineering Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2017-12617 | Instantis EnterpriseTrack | Web Server (Apache Tomcat) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 17.1, 17.2 | |
| CVE-2017-15095 | Primavera Unifier | Core (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 16.x, 17.x | |
| CVE-2018-2849 | Primavera P6 Enterprise Project Portfolio Management | Web Access | HTTP | No | 7.7 | Network | Low | Low | None | Changed | High | None | None | 16.2, 17.1 – 17.12 | |
| CVE-2017-5662 | Instantis EnterpriseTrack | Sitewand (Apache Batik) | HTTP | No | 7.3 | Network | Low | Low | Required | Un- changed |
High | None | High | 17.1, 17.2 | |
Additional CVEs addressed are below:
- The fix for CVE-2017-12617 also addresses CVE-2017-5664.
- The fix for CVE-2017-15095 also addresses CVE-2017-7525.
Oracle E-Business Suite Risk Matrix
This Critical Patch Update contains 12 new security fixes for the Oracle E-Business Suite. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2018), My Oracle Support Note 2369524.1.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2018-2870 | Oracle Human Resources | General Utilities | HTTP | Yes | 9.1 | Network | Low | None | None | Un- changed |
High | High | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2018-2871 | Oracle Human Resources | General Utilities | HTTP | Yes | 9.1 | Network | Low | None | None | Un- changed |
High | High | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2018-2804 | Oracle Application Object Library | DB Privileges | HTTP | Yes | 7.4 | Network | High | None | None | Un- changed |
High | High | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2018-2864 | Oracle Application Object Library | Diagnostics | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2018-2867 | Oracle Application Object Library | Diagnostics | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2018-2872 | Oracle General Ledger | Account Hierarchy Manager | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2018-2873 | Oracle General Ledger | Account Hierarchy Manager | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2018-2865 | Oracle General Ledger | Consolidation Hierarchy Viewer | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2018-2866 | Oracle General Ledger | Consolidation Hierarchy Viewer | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2018-2868 | Oracle Human Resources | General Utilities | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2018-2869 | Oracle Human Resources | General Utilities | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2018-2874 | Oracle Application Object Library | Logging | None | No | 4.3 | Physical | Low | None | Required | Un- changed |
High | None | None | 12.1.3 | |
Oracle Enterprise Manager Products Suite Risk Matrix
This Critical Patch Update contains 10 new security fixes for the Oracle Enterprise Manager Products Suite. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.
Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2353306.1.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2017-5645 | Enterprise Manager Ops Center | Networking (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.2, 12.3.3 | |
| CVE-2017-5645 | Oracle Application Testing Suite | Load Testing for Web Apps (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.5.0.3, 13.1.0.1, 13.2.0.1 | |
| CVE-2015-7501 | Enterprise Manager for MySQL Database | EM Plugin: General (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 12.1.0.4 | |
| CVE-2016-0635 | Enterprise Manager for MySQL Database | EM Plugin: General (Spring Framework) | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 12.1.0.4 | |
| CVE-2017-15095 | Enterprise Manager for Virtualization | Generic Virtualization (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 13.2 | |
| CVE-2017-5664 | Enterprise Manager for MySQL Database | EM Plugin: General (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | High | None | 12.1.0.4 | |
| CVE-2018-2742 | Enterprise Manager Ops Center | Framework | HTTP | Yes | 7.3 | Network | Low | None | None | Un- changed |
Low | Low | Low | 12.2.2, 12.3.3 | |
| CVE-2018-2750 | Enterprise Manager Base Platform | UI Framework | HTTP | Yes | 7.1 | Network | Low | None | Required | Changed | Low | Low | Low | 12.1.0.5 | |
| CVE-2017-3736 | Enterprise Manager Base Platform | Discovery Framework (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 12.1.0.5, 13.2.0.0 | |
| CVE-2017-3736 | Enterprise Manager Ops Center | Networking (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 12.2.2, 12.3.3 | |
Additional CVEs addressed are below:
- The fix for CVE-2017-15095 also addresses CVE-2017-7525.
- The fix for CVE-2017-3736 also addresses CVE-2017-3735.
- The fix for CVE-2017-5664 also addresses CVE-2017-12617.
- The fix for CVE-2018-2742 also addresses CVE-2016-3092, CVE-2017-10393 and CVE-2017-10400.
Oracle Financial Services Applications Risk Matrix
This Critical Patch Update contains 36 new security fixes for Oracle Financial Services Applications. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
The “Oracle Financial Services Analytical Applications Infrastructure” is a component that is used by a number of Oracle Financial Services Applications. Customers should refer to the MOS Note (Doc ID 2380553.1) to determine the dependent products and refer Oracle Financial Services Analytical Applications Infrastructure MOS document to determine how to patch this component.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2018-7489 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.0.x | See Note 1 |
| CVE-2018-7489 | Oracle Financial Services Hedge Management and IFRS Valuations | Hedge Definition, Valuation-run definition (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.0.4, 8.0.5 | |
| CVE-2018-7489 | Oracle Financial Services Market Risk Measurement and Management | Infrastructure (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 8.0.5 | |
| CVE-2017-5645 | Oracle FLEXCUBE Core Banking | Securities (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.5.0, 11.6.0, 11.7.0 | |
| CVE-2017-5645 | Oracle FLEXCUBE Private Banking | Core (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.0.0, 12.1.0 | |
| CVE-2017-15095 | Oracle Banking Enterprise Collections | Infrastructure (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 2.6 | |
| CVE-2017-15095 | Oracle Banking Enterprise Originations | Infrastructure (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 2.6 | |
| CVE-2017-15095 | Oracle Banking Enterprise Product Manufacturing | Infrastructure (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 2.6 | |
| CVE-2017-15095 | Oracle Banking Platform | Infrastructure (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 2.4, 2.5, 2.6 | |
| CVE-2017-12617 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Apache Tomcat) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 7.3.x, 8.0.x | See Note 1 |
| CVE-2018-2855 | Oracle Financial Services Basel Regulatory Capital Basic | Portfolio, Attribution | HTTP | No | 8.1 | Network | Low | Low | None | Un- changed |
High | High | None | 8.0.x | |
| CVE-2018-2856 | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach | Portfolio, Attribution | HTTP | No | 8.1 | Network | Low | Low | None | Un- changed |
High | High | None | 8.0.x | |
| CVE-2017-5662 | Oracle Financial Services Analytical Applications Infrastructure | Link Analysis and Metadata browser (Apache Batik) | HTTP | No | 7.3 | Network | Low | Low | Required | Un- changed |
High | None | High | 7.3.x, 8.0.x | See Note 1 |
| CVE-2018-2746 | Oracle Banking Corporate Lending | Core module | HTTP | No | 7.1 | Network | Low | Low | None | Un- changed |
High | Low | None | 12.3.0, 12.4.0, 12.5.0, 14.0.0 | |
| CVE-2018-2746 | Oracle Banking Payments | Payments Core | HTTP | No | 7.1 | Network | Low | Low | None | Un- changed |
High | Low | None | 12.3.0, 12.4.0, 12.5.0, 14.0.0 | |
| CVE-2018-2746 | Oracle FLEXCUBE Enterprise Limits and Collateral Management | Infrastructure | HTTP | No | 7.1 | Network | Low | Low | None | Un- changed |
High | Low | None | 12.3.0, 14.0.0 | |
| CVE-2018-2746 | Oracle FLEXCUBE Investor Servicing | Infrastructure | HTTP | No | 7.1 | Network | Low | Low | None | Un- changed |
High | Low | None | 12.0.4, 12.1.0, 12.3.0, 12.4.0 | |
| CVE-2018-2746 | Oracle FLEXCUBE Universal Banking | Infrastructure | HTTP | No | 7.1 | Network | Low | Low | None | Un- changed |
High | Low | None | 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0 | |
| CVE-2018-2747 | Oracle Banking Corporate Lending | Core module | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 12.3.0, 12.4.0, 12.5.0, 14.0.0 | |
| CVE-2018-2747 | Oracle Banking Payments | Payments Core | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 12.3.0, 12.4.0, 12.5.0, 14.0.0 | |
| CVE-2018-2747 | Oracle FLEXCUBE Enterprise Limits and Collateral Management | Infrastructure | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 12.3.0, 14.0.0 | |
| CVE-2018-2747 | Oracle FLEXCUBE Investor Servicing | Infrastructure | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 12.0.4, 12.1.0, 12.3.0, 12.4.0 | |
| CVE-2018-2747 | Oracle FLEXCUBE Universal Banking | Infrastructure | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0 | |
| CVE-2018-2748 | Oracle Banking Corporate Lending | Core module | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.3.0, 12.4.0, 12.5.0, 14.0.0 | |
| CVE-2018-2748 | Oracle Banking Payments | Payments Core | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.3.0, 12.4.0, 12.5.0, 14.0.0 | |
| CVE-2018-2854 | Oracle Financial Services Basel Regulatory Capital Basic | Portfolio, Attribution | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.x | |
| CVE-2018-2859 | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach | Portfolio, Attribution | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.x | |
| CVE-2018-2807 | Oracle FLEXCUBE Core Banking | Securities | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.5.0, 11.6.0, 11.7.0 | |
| CVE-2018-2748 | Oracle FLEXCUBE Enterprise Limits and Collateral Management | Infrastructure | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.3.0, 14.0.0 | |
| CVE-2018-2748 | Oracle FLEXCUBE Investor Servicing | Infrastructure | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.0.4, 12.1.0, 12.3.0, 12.4.0 | |
| CVE-2018-2748 | Oracle FLEXCUBE Universal Banking | Infrastructure | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0 | |
| CVE-2018-2749 | Oracle Banking Corporate Lending | Core module | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 12.3.0, 12.4.0, 12.5.0, 14.0.0 | |
| CVE-2018-2749 | Oracle Banking Payments | Payments Core | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 12.3.0, 12.4.0, 12.5.0, 14.0.0 | |
| CVE-2018-2749 | Oracle FLEXCUBE Enterprise Limits and Collateral Management | Infrastructure | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 12.3.0, 14.0.0 | |
| CVE-2018-2749 | Oracle FLEXCUBE Investor Servicing | Infrastructure | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 12.0.4, 12.1.0, 12.3.0, 12.4.0 | |
| CVE-2018-2749 | Oracle FLEXCUBE Universal Banking | Infrastructure | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0 | |
Notes:
- Please refer MOS document (Doc ID 2380553.1) for applicability across other Oracle Financial Services products.
Additional CVEs addressed are below:
- The fix for CVE-2017-15095 also addresses CVE-2017-7525.
- The fix for CVE-2018-7489 also addresses CVE-2017-15095 and CVE-2017-7525.
Oracle Fusion Middleware Risk Matrix
This Critical Patch Update contains 40 new security fixes for Oracle Fusion Middleware. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2018 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2353306.1.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2017-5645 | Oracle Big Data Discovery | Data Processing (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.6.0 | |
| CVE-2017-5645 | Oracle Business Intelligence Data Warehouse Administration Console | DAC Installation (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.1.1.6.4 | |
| CVE-2017-5645 | Oracle Endeca Information Discovery Integrator | Integrator Acquisition System (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 3.1, 3.2 | |
| CVE-2017-5645 | Oracle Endeca Server | Product Code (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 7.7 | |
| CVE-2017-5645 | Oracle Enterprise Repository | Core Issues – 12c (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.1.1.7.0, 12.1.3.0.0 | |
| CVE-2017-5645 | Oracle Enterprise Repository | Security Subsystem (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.1.1.7.0, 12.1.3.0.0 | |
| CVE-2016-5019 | Oracle Fusion Middleware MapViewer | Tile Server (Apache MyFaces Trinidad) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.1.1.7.0, 11.1.1.9.0 | |
| CVE-2017-5645 | Oracle Managed File Transfer | MFT Runtime Server (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0 | |
| CVE-2017-5645 | Oracle WebCenter Portal | Security Framework (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.2.1.2.0, 12.2.1.3.0 | |
| CVE-2017-5645 | Oracle WebLogic Server | WL Diagnostics Framework (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3 | |
| CVE-2018-2628 | Oracle WebLogic Server | WLS Core Components | T3 | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3 | |
| CVE-2016-6814 | Oracle Big Data Discovery | Data Processing (Apache Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 1.6.0 | |
| CVE-2018-2739 | Oracle Access Manager | Web Server Plugin | HTTP | Yes | 9.3 | Network | Low | None | Required | Changed | High | High | None | 10.1.4.3.0, 11.1.2.3.0, 12.2.1.3.0 | |
| CVE-2018-2879 | Oracle Access Manager | Authentication Engine | HTTP | Yes | 9.0 | Network | High | None | None | Changed | High | High | High | 11.1.2.3.0, 12.2.1.3.0 | See Note 1 |
| CVE-2015-7501 | Oracle Business Intelligence Enterprise Edition | Security (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 11.1.1.7.0, 11.1.1.9.0 | |
| CVE-2015-7501 | Oracle GoldenGate Veridata | None (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 11.2.0.1.2, 12.1.3.0.0 | |
| CVE-2015-7501 | Oracle WebLogic Portal | – (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 10.3.6.0.0 | |
| CVE-2015-7501 | Real-Time Decisions (RTD) Solutions | Configuration (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 3.2.0.0.0 | |
| CVE-2018-2834 | Oracle Data Visualization Desktop | Security | HTTP | No | 8.5 | Local | Low | None | Required | Changed | Low | High | High | 12.2.4.1.1 | See Note 2 |
| CVE-2018-2828 | Oracle WebCenter Content | Content Server | HTTP | No | 8.2 | Network | Low | Low | Required | Changed | High | Low | Low | 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0 | |
| CVE-2018-2791 | Oracle WebCenter Sites | Advanced UI | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.8.0, 12.2.1.2.0, 12.2.1.3.0 | |
| CVE-2017-12617 | Management Pack for Oracle GoldenGate | Monitor (Apache Tomcat) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 11.2.1.0.13 | |
| CVE-2017-15095 | Oracle WebCenter Portal | Security Framework (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 12.2.1.2.0, 12.2.1.3.0 | |
| CVE-2017-12617 | Oracle WebCenter Sites | Advanced UI (Apache Tomcat) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 11.1.1.8.0 | |
| CVE-2017-7525 | Oracle WebLogic Server | Sample apps (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3 | |
| CVE-2018-2770 | Oracle Adaptive Access Manager | OAAM Admin | HTTP | No | 7.6 | Network | Low | Low | Required | Changed | High | Low | None | 11.1.2.3.0 | |
| CVE-2015-7940 | Oracle Mobile Security Suite | LEGACY: BMAX (Bouncy Castle Java package) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 3.0.1 | |
| CVE-2018-2765 | Oracle Security Service | Oracle SSL API | HTTPS | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0 | |
| CVE-2016-3092 | Oracle WebCenter Sites | Advanced UI (Apache Commons Fileupload) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.1.1.8.0, 12.2.1.2.0 | |
| CVE-2015-7940 | Oracle WebLogic Server | CIE Related Components (Bouncy Castle Java package) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 12.1.3.0, 12.2.1.2 | |
| CVE-2017-5662 | Oracle Business Intelligence Enterprise Edition | BI Platform Security (Apache Batik) | HTTP | No | 7.3 | Network | Low | Low | Required | Un- changed |
High | None | High | 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0 | |
| CVE-2017-5662 | Oracle Enterprise Repository | Security Subsystem (Apache Batik) | HTTP | No | 7.3 | Network | Low | Low | Required | Un- changed |
High | None | High | 11.1.1.7.0, 12.1.3.0.0 | |
| CVE-2013-1768 | Oracle WebLogic Server | WLS Security (Apache OpenJPA) | HTTP | Yes | 7.3 | Network | Low | None | None | Un- changed |
Low | Low | Low | 12.2.1.3 | |
| CVE-2018-2768 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.1 | Network | Low | None | Required | Un- changed |
High | None | Low | 8.5.3 | See Note 3 |
| CVE-2018-2806 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 7.1 | Network | Low | None | Required | Un- changed |
High | None | Low | 8.5.3 | See Note 3 |
| CVE-2018-2801 | Oracle Outside In Technology | Outside In Image Export SDK | HTTP | Yes | 7.1 | Network | Low | None | Required | Un- changed |
High | None | Low | 8.5.3 | See Note 3 |
| CVE-2018-2587 | Oracle Access Manager | Web Server Plugin | HTTP | Yes | 6.5 | Network | High | None | None | Un- changed |
Low | High | None | 10.1.4.3.0, 11.1.2.3.0, 12.2.1.3.0 | |
| CVE-2017-3736 | Oracle Endeca Information Discovery Studio | Endeca Server (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 7.6.1.0.0, 7.7.0.0.0 | |
| CVE-2018-2760 | Oracle HTTP Server | OSSL Module | HTTPS | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 12.1.3, 12.2.1.2 | |
| CVE-2017-3736 | Oracle Tuxedo | Docs-ATMI-IB (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 12.1.1.0.0 | |
Notes:
- Please refer to Doc ID My Oracle Support Note 2386496.1 for instructions on how to address this issue.
- Please refer to Doc ID My Oracle Support Note 2384640.1 for instructions on how to address this issue.
- Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
Additional CVEs addressed are below:
- The fix for CVE-2017-12617 also addresses CVE-2016-3092, CVE-2016-8745, CVE-2017-5664 and CVE-2017-7674.
- The fix for CVE-2017-15095 also addresses CVE-2017-7525.
- The fix for CVE-2017-3736 also addresses CVE-2017-3735, CVE-2017-3737 and CVE-2017-3738.
- The fix for CVE-2017-7525 also addresses CVE-2017-15707.
Oracle Hospitality Applications Risk Matrix
This Critical Patch Update contains 13 new security fixes for Oracle Hospitality Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2018-2829 | Oracle Hospitality Simphony | Enterprise Management Console | HTTP | Yes | 8.6 | Network | Low | None | None | Un- changed |
High | Low | Low | 2.10 | |
| CVE-2017-13082 | MICROS Handheld Terminal | MC40 Zebra Handheld unit (Fusion) | WPA, WPA2 | Yes | 8.1 | Adjacent Network |
Low | None | None | Un- changed |
High | High | None | Prior to Fusion 2.03.0.0.021R | |
| CVE-2018-2803 | Oracle Hospitality Reporting and Analytics | Report | HTTP | No | 8.1 | Network | Low | Low | None | Un- changed |
High | High | None | 9.0 | |
| CVE-2018-2833 | Oracle Hospitality Simphony | Enterprise Management Console | HTTP | No | 8.1 | Network | Low | Low | None | Un- changed |
High | High | None | 2.7, 2.8, 2.9, 2.10 | |
| CVE-2018-2851 | Oracle Hospitality Simphony First Edition | Enterprise Management Console | HTTP | No | 8.1 | Network | Low | Low | None | Un- changed |
High | High | None | 1.6, 1.7 | |
| CVE-2018-2824 | Oracle Hospitality Simphony | Enterprise Management Console | HTTP | No | 7.7 | Network | Low | Low | None | Changed | High | None | None | 2.8, 2.9, 2.10 | |
| CVE-2018-2827 | Oracle Hospitality Suite8 | Profile | HTTP | No | 7.6 | Network | Low | Low | Required | Un- changed |
High | Low | High | 8.x | |
| CVE-2018-2848 | Oracle Hospitality Simphony First Edition | Client Application Loader | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 1.6, 1.7 | |
| CVE-2018-2850 | Oracle Hospitality Cruise Fleet Management System | Fleet Management System Suite | Multiple | Yes | 7.3 | Network | Low | None | None | Un- changed |
Low | Low | Low | 9.x | |
| CVE-2018-2847 | Oracle Hospitality Simphony First Edition | Operations | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | 1.6, 1.7 | |
| CVE-2018-2852 | Oracle Hospitality Guest Access | Base | HTTP | No | 6.4 | Network | Low | Low | None | Changed | Low | Low | None | 4.2.0, 4.2.1 | |
| CVE-2018-2802 | Oracle Hospitality Simphony | Client Application Loader | HTTP | No | 5.4 | Network | Low | Low | None | Un- changed |
Low | Low | None | 2.8, 2.9 | |
| CVE-2018-2853 | Oracle Hospitality Simphony First Edition | Operations, Client Application Loader | HTTP | No | 5.4 | Network | Low | Low | None | Un- changed |
Low | Low | None | 1.6, 1.7 | |
Additional CVEs addressed are below:
- The fix for CVE-2017-13082 also addresses CVE-2017-13077, CVE-2017-13078 and CVE-2017-13080.
Oracle Java SE Risk Matrix
This Critical Patch Update contains 14 new security fixes for Oracle Java SE. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of “High”, lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.
Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2018-2825 | Java SE | Libraries | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Java SE: 10 | See Note 1 |
| CVE-2018-2826 | Java SE | Libraries | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Java SE: 10 | See Note 1 |
| CVE-2018-2814 | Java SE, Java SE Embedded | Hotspot | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161 | See Note 1 |
| CVE-2018-2811 | Java SE | Install | None | No | 7.7 | Local | High | None | Required | Changed | High | High | High | Java SE: 8u162, 10 | See Note 2 |
| CVE-2018-2794 | Java SE, JRockit | Security | None | No | 7.7 | Local | High | None | Required | Changed | High | High | High | Java SE: 6u181, 7u171, 8u162, 10, JRockit: R28.3.17 | See Note 3 |
| CVE-2018-2783 | Java SE, Java SE Embedded, JRockit | Security | Multiple | Yes | 7.4 | Network | High | None | None | Un- changed |
High | High | None | Java SE: 6u181, 7u161, 8u152; Java SE Embedded: 8u152; JRockit: R28.3.17 | See Note 3 |
| CVE-2018-2798 | Java SE, Java SE Embedded, JRockit | AWT | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 | See Note 3 |
| CVE-2018-2796 | Java SE, Java SE Embedded, JRockit | Concurrency | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | Java SE: 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 | See Note 3 |
| CVE-2018-2799 | Java SE, Java SE Embedded, JRockit | JAXP | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | Java SE: 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 | See Note 3 |
| CVE-2018-2797 | Java SE, Java SE Embedded, JRockit | JMX | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 | See Note 3 |
| CVE-2018-2795 | Java SE, Java SE Embedded, JRockit | Security | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 | See Note 3 |
| CVE-2018-2815 | Java SE, Java SE Embedded, JRockit | Serialization | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 | See Note 3 |
| CVE-2018-2800 | Java SE, JRockit | RMI | Multiple | Yes | 4.2 | Network | High | None | Required | Un- changed |
Low | Low | None | Java SE: 6u181, 7u171, 8u162; JRockit: R28.3.17 | See Note 4 |
| CVE-2018-2790 | Java SE, Java SE Embedded | Security | Multiple | Yes | 3.1 | Network | High | None | Required | Un- changed |
None | Low | None | Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161 | See Note 1 |
Notes:
- This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
- Applies to installation process on client deployment of Java.
- Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
- This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
Oracle JD Edwards Products Risk Matrix
This Critical Patch Update contains 3 new security fixes for Oracle JD Edwards Products. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2017-5645 | JD Edwards World Security | Security Vulnerability (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | A9.2, A9.3, A9.4 | |
| CVE-2017-15095 | JD Edwards EnterpriseOne Tools | EnterpriseOne Mobility Sec (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 9.2.2 | |
| CVE-2017-3736 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure SEC (OpenSSL) | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 9.2.2 | |
Additional CVEs addressed are below:
- The fix for CVE-2017-15095 also addresses CVE-2017-7525.
Oracle MySQL Risk Matrix
This Critical Patch Update contains 33 new security fixes for Oracle MySQL. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2018-2755 | MySQL Server | Server: Replication | MySQL Protocol | No | 7.7 | Local | High | None | Required | Changed | High | High | High | 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior | |
| CVE-2018-2805 | MySQL Server | GIS Extension | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 5.6.39 and prior | |
| CVE-2018-2782 | MySQL Server | InnoDB | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 5.6.39 and prior, 5.7.21 and prior | |
| CVE-2018-2784 | MySQL Server | InnoDB | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 5.6.39 and prior, 5.7.21 and prior | |
| CVE-2018-2819 | MySQL Server | InnoDB | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior | |
| CVE-2018-2758 | MySQL Server | Server : Security : Privileges | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 5.6.39 and prior, 5.7.21 and prior | |
| CVE-2018-2817 | MySQL Server | Server: DDL | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior | |
| CVE-2018-2775 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 5.7.21 and prior | |
| CVE-2018-2780 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 5.7.21 and prior | |
| CVE-2017-3737 | MySQL Enterprise Monitor | Monitoring: Agent (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 3.3.7.3306 and prior, 3.4.5.4248 and prior, 4.0.2.5168 and prior | |
| CVE-2018-2761 | MySQL Server | Client programs | MySQL Protocol | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior | |
| CVE-2018-2786 | MySQL Server | InnoDB | MySQL Protocol | No | 5.5 | Network | Low | High | None | Un- changed |
None | Low | High | 5.7.21 and prior | |
| CVE-2018-2787 | MySQL Server | InnoDB | MySQL Protocol | No | 5.5 | Network | Low | High | None | Un- changed |
None | Low | High | 5.6.39 and prior, 5.7.21 and prior | |
| CVE-2018-2812 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 5.5 | Network | Low | High | None | Un- changed |
None | Low | High | 5.7.21 and prior | |
| CVE-2018-2877 | MySQL Cluster | Cluster: ndbcluster/plugin | None | No | 5.0 | Local | Low | Low | Required | Un- changed |
None | None | High | 7.2.27 and prior, 7.3.16 and prior, 7.4.14 and prior, 7.5.5 and prior | |
| CVE-2018-2759 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.21 and prior | |
| CVE-2018-2766 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.6.39 and prior, 5.7.21 and prior | |
| CVE-2018-2777 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.21 and prior | |
| CVE-2018-2810 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.21 and prior | |
| CVE-2018-2818 | MySQL Server | Server : Security : Privileges | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior | |
| CVE-2018-2839 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.21 and prior | |
| CVE-2018-2778 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.21 and prior | |
| CVE-2018-2779 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.21 and prior | |
| CVE-2018-2781 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior | |
| CVE-2018-2816 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.21 and prior | |
| CVE-2018-2846 | MySQL Server | Server: Performance Schema | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.21 and prior | |
| CVE-2018-2769 | MySQL Server | Server: Pluggable Auth | MySQL Protocol | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.21 and prior | |
| CVE-2018-2776 | MySQL Server | Group Replication GCS | XCom | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 5.7.21 and prior | |
| CVE-2018-2762 | MySQL Server | Server: Connection | MySQL Protocol | No | 4.4 | Local | Low | High | None | Un- changed |
None | None | High | 5.7.21 and prior | |
| CVE-2018-2771 | MySQL Server | Server: Locking | MySQL Protocol | No | 4.4 | Network | High | High | None | Un- changed |
None | None | High | 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior | |
| CVE-2018-2813 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.3 | Network | Low | Low | None | Un- changed |
Low | None | None | 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior | |
| CVE-2018-2773 | MySQL Server | Client programs | None | No | 4.1 | Local | High | High | None | Un- changed |
None | None | High | 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior | |
| CVE-2016-9878 | MySQL Enterprise Monitor | EM Plugin: General (Spring Framework) | HTTP | No | 3.8 | Physical | High | High | None | Un- changed |
High | None | None | 3.3.7.3306 and prior, 3.4.5.4248 and prior, 4.0.2.5168 and prior | |
Additional CVEs addressed are below:
- The fix for CVE-2017-3737 also addresses CVE-2017-3738.
Oracle PeopleSoft Products Risk Matrix
This Critical Patch Update contains 12 new security fixes for Oracle PeopleSoft Products. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2018-2772 | PeopleSoft Enterprise PeopleTools | Rich Text Editor | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 8.54, 8.55, 8.56 | |
| CVE-2018-2774 | PeopleSoft Enterprise PT PeopleTools | SQR | HTTP | Yes | 7.3 | Network | Low | None | None | Un- changed |
Low | Low | Low | 8.54, 8.55, 8.56 | |
| CVE-2018-2793 | PeopleSoft Enterprise PT PeopleTools | PsAdmin | None | No | 6.2 | Local | Low | None | None | Un- changed |
High | None | None | 8.54, 8.55, 8.56 | |
| CVE-2018-2878 | PeopleSoft Enterprise HCM Shared Components | Notepad | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.2 | |
| CVE-2018-2788 | PeopleSoft Enterprise PeopleTools | Fluid Core | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.55, 8.56 | |
| CVE-2018-2821 | PeopleSoft Enterprise PeopleTools | Rich Text Editor | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.54, 8.55, 8.56 | |
| CVE-2018-2838 | PeopleSoft Enterprise PRTL Interaction Hub | EPPCM_HIER_TOP | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.1 | |
| CVE-2017-3736 | PeopleSoft Enterprise PeopleTools | Security (OpenSSL) | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 8.54, 8.55, 8.56 | |
| CVE-2018-2752 | PeopleSoft Enterprise HCM | Security | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.2 | |
| CVE-2018-2785 | PeopleSoft Enterprise PeopleTools | Stylesheet | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 8.54, 8.55, 8.56 | |
| CVE-2018-2820 | PeopleSoft Enterprise PeopleTools | Fluid Core | HTTP | No | 4.3 | Network | Low | Low | None | Un- changed |
Low | None | None | 8.54, 8.55, 8.56 | |
| CVE-2018-2809 | PeopleSoft Enterprise PeopleTools | Fluid Homepage & Navigation | HTTP | Yes | 4.3 | Network | Low | None | Required | Un- changed |
None | Low | None | 8.54, 8.55, 8.56 | |
Additional CVEs addressed are below:
- The fix for CVE-2017-3736 also addresses CVE-2017-3735, CVE-2017-3737 and CVE-2017-3738.
Oracle Retail Applications Risk Matrix
This Critical Patch Update contains 31 new security fixes for Oracle Retail Applications. 27 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2017-5645 | MICROS Lucas | Security (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 2.9.5 | |
| CVE-2017-5645 | Oracle Retail Advanced Inventory Planning | Operations & Maintenance (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 13.2, 13.4, 14.1, 15.0 | |
| CVE-2017-5645 | Oracle Retail Back Office | Security (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 14.0.4, 14.1.3 | |
| CVE-2017-5645 | Oracle Retail Central Office | Security (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 14.0.4, 14.1.3 | |
| CVE-2017-5645 | Oracle Retail EFTLink | Installation (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 1.1.124, 15.0.1, 16.0.2 | |
| CVE-2017-5645 | Oracle Retail Insights | Integration (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 14.0, 14.1, 15.0, 16.0 | |
| CVE-2017-5645 | Oracle Retail Invoice Matching | Security (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0, 16.0 | |
| CVE-2017-5645 | Oracle Retail Order Broker | System Administration (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 5.0, 5.1, 5.2, 15.0, 16.0 | |
| CVE-2017-5645 | Oracle Retail Order Management System | Upgrade Install (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 4.0, 4.5, 4.7, 5.0 | |
| CVE-2017-5645 | Oracle Retail Point-of-Service | Security (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 14.0.4, 14.1.3 | |
| CVE-2017-5645 | Oracle Retail Price Management | Security (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0, 16.0 | |
| CVE-2017-5645 | Oracle Retail Returns Management | Security (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 2.3.8, 2.4.9, 14.0.4, 14.1.3 | |
| CVE-2017-5645 | Oracle Retail Store Inventory Management | SIM Integration (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 12.0.12, 13.0.7, 13.1.9, 13.2.9, 14.0.4, 14.1.3, 15.0.2, 16.0.1 | |
| CVE-2016-6814 | Oracle Retail Insights | ODI Configuration (Apache Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 14.0, 14.1, 15.0, 16.0 | |
| CVE-2016-0635 | Oracle Retail Invoice Matching | Security (Spring Framework) | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 12.0, 13.0, 13.1, 13.2, 14.0, 14.1 | |
| CVE-2016-3506 | Oracle Retail Merchandising System | Installation | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 15.0 | |
| CVE-2017-15095 | Oracle Retail Order Broker | System Administration (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 5.2 | |
| CVE-2017-12617 | Oracle Retail Order Broker | Upgrade Install (Apache Tomcat) | HTTP | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 5.2, 15.0 | |
| CVE-2018-2840 | Oracle Retail Xstore Point of Service | Xstore Office | HTTP | Yes | 7.6 | Network | Low | None | Required | Un- changed |
High | Low | Low | 6.5.11, 7.0.6, 7.1.6, 15.0.1, 16.0.2 | |
| CVE-2016-9878 | Oracle Retail Customer Engagement | Internal Operations (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 16.0 | |
| CVE-2017-5664 | Oracle Retail Order Management System | Upgrade Install (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | High | None | 5.0 | |
| CVE-2016-9878 | Oracle Retail Predictive Application Server | RPAS Fusion Client (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 13.4.3, 14.0.3, 14.1.3 | |
| CVE-2017-9798 | Oracle Retail Xstore Point of Service | Xstore Office (Apache HTTP Server) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 6.0.11, 6.5.11, 7.0.6, 7.1.6 | |
| CVE-2017-5645 | Oracle Retail Xstore Point of Service | Xenvironment (Apache Log4j) | HTTP | No | 7.2 | Network | Low | High | None | Un- changed |
High | High | High | 6.0.11, 7.0.6, 7.1.6, 15.0.1 | |
| CVE-2018-2876 | Oracle Retail Integration Bus | RIB Kernal(Apache Commons Collections) | HTTP | Yes | 7.1 | Network | Low | None | Required | Changed | Low | Low | Low | 13.2 | |
| CVE-2018-2862 | Oracle Retail Point-of-Service | User Interface | HTTP | No | 7.1 | Network | Low | Low | None | Un- changed |
High | Low | None | 13.3.8, 13.4.9, 14.0.4, 14.1.3 | |
| CVE-2017-15095 | Oracle Retail Xstore Point of Service | Xenvironment (jackson-databind) | HTTP | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 6.5.11, 7.0.6, 7.1.6, 15.0.1, 16.0.2 | |
| CVE-2018-2861 | Oracle Retail Back Office | Security | HTTP | Yes | 6.5 | Network | Low | None | None | Un- changed |
Low | None | Low | 13.4.9, 14.0.4, 14.1.3 | |
| CVE-2018-2738 | Oracle Retail Central Office | Security | HTTP | Yes | 6.5 | Network | Low | None | None | Un- changed |
Low | Low | None | 13.4.9, 14.0.4, 14.1.3 | |
| CVE-2018-2737 | Oracle Retail Returns Management | Security | HTTP | Yes | 6.5 | Network | Low | None | None | Un- changed |
Low | Low | None | 2.3.8, 2.4.9, 14.0.4, 14.1.3 | |
| CVE-2016-5007 | Oracle Retail Xstore Point of Service | Point of Sale (Spring Framework) | HTTP | Yes | 6.5 | Network | Low | None | None | Un- changed |
Low | Low | None | 6.0.11, 6.5.11, 7.0.6, 7.1.6, 15.0.1 | |
Additional CVEs addressed are below:
- The fix for CVE-2016-5007 also addresses CVE-2014-0054.
- The fix for CVE-2016-9878 also addresses CVE-2016-5007.
- The fix for CVE-2017-15095 also addresses CVE-2017-7525.
- The fix for CVE-2017-5645 also addresses CVE-2017-12617.
- The fix for CVE-2018-2876 also addresses CVE-2015-7501.
Oracle Siebel CRM Risk Matrix
This Critical Patch Update contains 2 new security fixes for Oracle Siebel CRM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2017-5664 | Siebel UI Framework | EAI (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | High | None | 17.0 | |
| CVE-2018-2789 | Siebel Core – Server Framework | Services | HTTP | No | 5.0 | Network | Low | Low | None | Changed | Low | None | None | 17.0 | |
Oracle Sun Systems Products Suite Risk Matrix
This Critical Patch Update contains 14 new security fixes for the Oracle Sun Systems Products Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2017-17562 | Integrated Lights Out Manager (ILOM) | System Management (GoAhead) | HTTP | No | 9.1 | Network | Low | High | None | Changed | High | High | High | 3.x, 4.x | |
| CVE-2018-2754 | Solaris | ZVNET Driver | None | No | 7.7 | Local | Low | None | None | Un- changed |
None | High | High | 11.3 | |
| CVE-2018-2764 | Solaris | Kernel | NFS | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 10, 11.3 | |
| CVE-2018-2718 | Solaris | RPC | NFS | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 10, 11.3 | |
| CVE-2018-2822 | Solaris Cluster | Cluster Geo | None | No | 6.6 | Local | Low | Low | None | Un- changed |
High | Low | Low | 4.3 | |
| CVE-2018-2857 | Sun ZFS Storage Appliance Kit (AK) | HTTP data path subsystems | HTTP | No | 6.3 | Network | Low | Low | None | Un- changed |
Low | Low | Low | Prior to 8.7.17 | |
| CVE-2018-2753 | Solaris | Python modules | None | No | 6.0 | Local | High | Low | Required | Un- changed |
High | High | None | 11.3 | |
| CVE-2017-5753 | Solaris | Kernel | None | No | 5.6 | Local | High | Low | None | Changed | High | None | None | 10, 11.3 | |
| CVE-2018-2858 | Sun ZFS Storage Appliance Kit (AK) | HTTP data path subsystems | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | Prior to 8.7.17 | |
| CVE-2018-2808 | Solaris | Kernel | None | No | 5.0 | Local | Low | Low | Required | Un- changed |
None | None | High | 11.3 | |
| CVE-2018-2863 | Sun ZFS Storage Appliance Kit (AK) | API frameworks | HTTP | No | 5.0 | Network | Low | Low | None | Changed | Low | None | None | Prior to 8.7.17 | |
| CVE-2018-2563 | Solaris | LDAP Library | LDAP | No | 4.2 | Network | High | Low | None | Un- changed |
Low | Low | None | 10, 11.3 | |
| CVE-2018-2792 | Hardware Management Pack | Ipmitool | Multiple | No | 3.8 | Network | Low | High | None | Un- changed |
Low | Low | None | Prior to 2.4.3 | |
| CVE-2018-2763 | Solaris | NTPD | None | No | 3.3 | Local | Low | Low | None | Un- changed |
None | Low | None | 11.3 | |
Oracle Supply Chain Products Suite Risk Matrix
This Critical Patch Update contains 5 new security fixes for the Oracle Supply Chain Products Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2017-15095 | Oracle Agile PLM Framework | Web Client (CS) | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 9.3.6 | |
| CVE-2018-2823 | Oracle Transportation Management | Database | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
None | High | None | 6.4.3 | |
| CVE-2018-2572 | Oracle Agile Product Lifecycle Management for Process | Installation | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 6.1.1.6, 6.2.0.0, 6.2.1.0 | |
| CVE-2017-3736 | Oracle Agile Engineering Data Management | Install (OpenSSL) | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 6.1.3, 6.2.0, 6.2.1 | |
| CVE-2017-3736 | Oracle Transportation Management | Install (OpenSSL) | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 6.2 | |
Additional CVEs addressed are below:
- The fix for CVE-2017-15095 also addresses CVE-2017-7525.
- The fix for CVE-2017-3736 also addresses CVE-2017-3735.
Oracle Support Tools Risk Matrix
This Critical Patch Update contains 1 new security fix for Oracle Support Tools. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2017-3736 | OSS Support Tools | Services Tools Bundle (OpenSSL) | HTTP | No | 6.5 | Network | Low | Low | None | Un- changed |
High | None | None | Prior to 18.2 | |
Additional CVEs addressed are below:
- The fix for CVE-2017-3736 also addresses CVE-2017-3735.
Oracle Utilities Applications Risk Matrix
This Critical Patch Update contains 1 new security fix for Oracle Utilities Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2017-5645 | Oracle Utilities Framework | Logging (Apache Log4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 2.2.0, 4.2.0, 4.3.0 | |
Oracle Virtualization Risk Matrix
This Critical Patch Update contains 13 new security fixes for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req’d |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2018-2842 | Oracle VM VirtualBox | Core | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | Prior to 5.1.36, Prior to 5.2.10 | |
| CVE-2018-2843 | Oracle VM VirtualBox | Core | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | Prior to 5.1.36, Prior to 5.2.10 | |
| CVE-2018-2844 | Oracle VM VirtualBox | Core | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | Prior to 5.1.36, Prior to 5.2.10 | |
| CVE-2018-2830 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | Low | Required | Changed | High | High | High | Prior to 5.1.36, Prior to 5.2.10 | |
| CVE-2018-2835 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | Low | Required | Changed | High | High | High | Prior to 5.1.36, Prior to 5.2.10 | |
| CVE-2018-2836 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | Low | Required | Changed | High | High | High | Prior to 5.1.36, Prior to 5.2.10 | |
| CVE-2018-2837 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | Low | Required | Changed | High | High | High | Prior to 5.1.36, Prior to 5.2.10 | |
| CVE-2018-2860 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | Prior to 5.1.36, Prior to 5.2.10 | |
| CVE-2017-9798 | Oracle Secure Global Desktop (SGD) | Web Server (Apache HTTP Server) | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 5.3 | |
| CVE-2018-2845 | Oracle VM VirtualBox | Core | None | No | 6.6 | Local | Low | Low | None | Un- changed |
Low | Low | High | Prior to 5.1.36, Prior to 5.2.10 | |
| CVE-2018-0739 | Oracle VM VirtualBox | Core (OpenSSL) | TLS | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | Prior to 5.1.36, Prior to 5.2.10 | |
| CVE-2017-3737 | Oracle Secure Global Desktop (SGD) | Core (OpenSSL) | TLS | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 5.3 | |
| CVE-2018-2831 | Oracle VM VirtualBox | Core | None | No | 3.8 | Local | Low | Low | None | Changed | Low | None | None | Prior to 5.1.36, Prior to 5.2.10 | |
Additional CVEs addressed are below:
- The fix for CVE-2017-3737 also addresses CVE-2017-3738.