Oracle – Intelligent Systems Monitoring

Oracle Critical Patch Update Advisory – January 2020

January 13, 2020January 19, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – January 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 334 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at January 2020 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.0.0, 13.3.0.0	Enterprise Manager
Enterprise Manager for Fusion Middleware, versions 13.2.0.0, 13.3.0.0	Enterprise Manager
Enterprise Manager for Oracle Database, versions 12.1.0.5, 13.2.0.0, 13.3.0.0	Enterprise Manager
Enterprise Manager Ops Center, versions 12.3.3, 12.4.0	Enterprise Manager
Hyperion Financial Close Management, version 11.1.2.4	Fusion Middleware
Hyperion Planning, version 11.1.2.4	Fusion Middleware
Identity Manager, versions 11.1.2.3.0, 12.2.1.3.0	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3	Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Orchestrator, version 9.2	JD Edwards
JD Edwards EnterpriseOne Tools, version 9.2	JD Edwards
MySQL Client, versions 5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior	MySQL
MySQL Cluster, versions 7.3.27 and prior, 7.4.25 and prior, 7.5.15 and prior, 7.6.12 and prior	MySQL
MySQL Connectors, versions 5.3.13 and prior, 8.0.18 and prior	MySQL
MySQL Enterprise Backup, versions 3.12.4 and prior, 4.1.3 and prior	MySQL
MySQL Server, versions 5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior	MySQL
MySQL Workbench, versions 8.0.18 and prior	MySQL
Oracle Agile Engineering Data Management, versions 6.2.0, 6.2.1	Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6	Oracle Supply Chain Products
Oracle Agile PLM Framework, version 9.3.3	Oracle Supply Chain Products
Oracle Agile PLM MCAD Connector, versions 3.4, 3.5, 3.6	Oracle Supply Chain Products
Oracle Application Testing Suite, versions 12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1	Enterprise Manager
Oracle AutoVue, version 12.0.2	Oracle Supply Chain Products
Oracle Banking Corporate Lending, versions 12.3.0-12.4.0, 14.0.0-14.3.0	Oracle Financial Services Applications
Oracle Banking Payments, versions 14.1.0-14.3.0	Oracle Financial Services Applications
Oracle Big Data Discovery, version 1.6	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Clinical, version 5.2	Health Sciences
Oracle Coherence, versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Communications Design Studio, versions 7.3.4.3.0, 7.3.5.5.0, 7.4.0.4.0, 7.4.1.1.0	Oracle Communications Design Studio
Oracle Communications Diameter Signaling Router (DSR), versions 8.0, 8.1, 8.2, 8.3, 8.4	Oracle Communications Diameter Signaling Router
Oracle Communications Instant Messaging Server, version 10.0.1.3.0	Oracle Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2, 6.3	Oracle Communications Interactive Session Recorder
Oracle Communications IP Service Activator, versions 7.3.4, 7.4.0	Oracle Communications IP Service Activator
Oracle Communications Session Border Controller, versions 7.4, 8.0, 8.1, 8.2, 8.3	Oracle Communications Session Border Controller
Oracle Communications Session Router, versions 7.4, 8.0, 8.1, 8.2, 8.3	Oracle Communications Session Router
Oracle Communications Subscriber-Aware Load Balancer, versions 7.3, 8.1, 8.3	Oracle Communications Subscriber-Aware Load Balancer
Oracle Communications Unified Inventory Management, versions 7.3, 7.4	Oracle Communications Unified Inventory Management
Oracle Communications Unified Session Manager, versions 7.3.5, 8.2.5	Oracle Communications Unified Session Manager
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	Database
Oracle Demantra Demand Management, versions 12.2.4, 12.2.4.1, 12.2.5, 12.2.5.1	Oracle Supply Chain Products
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9	E-Business Suite
Oracle Endeca Information Discovery Integrator, version 3.2.0	Fusion Middleware
Oracle Endeca Information Discovery Studio, version 3.2.0	Fusion Middleware
Oracle Enterprise Communications Broker, versions PCz3.0, PCz3.1, PCz3.2	Oracle Enterprise Communications Broker
Oracle Enterprise Repository, version 12.1.3.0.0	Fusion Middleware
Oracle Enterprise Session Border Controller, versions 7.5, 8.0, 8.1, 8.2, 8.3	Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3-7.3.5, 8.0.0-8.0.8	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Funds Transfer Pricing, versions 8.0.2-8.0.7	Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Revenue Management and Billing, versions 2.7.0.0, 2.7.0.1, 2.8.0.0	Oracle Financial Services Revenue Management and Billing
Oracle FLEXCUBE Investor Servicing, versions 12.1.0-12.4.0, 14.0.0-14.1.0	Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 12.0.1-12.4.0, 14.0.0-14.3.0	Oracle Financial Services Applications
Oracle GraalVM Enterprise Edition, version 19.3.0.2	Oracle GraalVM Enterprise Edition
Oracle Health Sciences Data Management Workbench, versions 2.4, 2.5	Health Sciences
Oracle Healthcare Master Person Index, version 3.0	Health Sciences
Oracle Hospitality Cruise Materials Management, version 7.30.567	Oracle Hospitality Cruise Materials Management
Oracle Hospitality Guest Access, version 4.2	Oracle Hospitality Guest Access
Oracle Hospitality OPERA 5, versions 5.5, 5.6	Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Suites Management, versions 3.7, 3.8	Oracle Hospitality Suites Management
Oracle HTTP Server, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle iLearning, version 6.1	iLearning
Oracle Java SE, versions 7u241, 8u231, 11.0.5, 13.0.1	Java SE
Oracle Java SE Embedded, version 8u231	Java SE
Oracle Outside In Technology, version 8.5.4	Fusion Middleware
Oracle Real-Time Scheduler, versions 2.3.0.1-2.3.0.3	Oracle Utilities Applications
Oracle Reports Developer, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Retail Assortment Planning, versions 15.0.3, 16.0.3	Retail Applications
Oracle Retail Clearance Optimization Engine, versions 13.4, 14.0, 14.0.3, 14.0.5	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0	Retail Applications
Oracle Retail Markdown Optimization, versions 13.4, 13.4.4	Retail Applications
Oracle Retail Order Broker, versions 5.2, 15.0, 16.0, 18.0	Retail Applications
Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3	Retail Applications
Oracle Retail Sales Audit, version 15.0.3.16.0.2	Retail Applications
Oracle Secure Global Desktop, versions 5.4, 5.5	Virtualization
Oracle Security Service, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle Solaris, versions 10, 11	Systems
Oracle Tuxedo, versions 12.1.1.0.0, 12.1.3.0.0	Fusion Middleware
Oracle Utilities Framework, versions 4.2.0.2-4.2.0.3, 4.3.0.1-4.3.0.4	Oracle Utilities Applications
Oracle Utilities Mobile Workforce Management, versions 2.3.0.1-2.3.0.3	Oracle Utilities Applications
Oracle Utilities Work and Asset Management (v1), version 1.9.1.2	Oracle Utilities Applications
Oracle VM Server for SPARC, version 3.6	Systems
Oracle VM VirtualBox, versions prior to 5.2.36, prior to 6.0.16, prior to 6.1.2	Virtualization
Oracle WebCenter Sites, version 12.2.1.3.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
PeopleSoft Enterprise CC Common Application Objects, versions 9.1, 9.2	PeopleSoft
PeopleSoft Enterprise HCM Human Resources, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58	PeopleSoft
PeopleSoft PeopleTools, versions 8.56, 8.57	PeopleSoft
Primavera Gateway, versions 15.2.18, 16.2.11, 17.12.6, 18.8.8.1	Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 15.1.0.0-15.2.18.7, 16.1.0.0-16.2.19.0, 17.1.0.0-17.12.16.0, 18.1.0.0-18.8.16.0, 19.12.0.0, 20.1.0.0	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12	Oracle Construction and Engineering Suite
Siebel Applications, versions 19.10 and prior	Siebel
Sun ZFS Storage Appliance Kit, version 8.8.6	Systems
Tape Library ACSLS, versions 8.5, 8.5.1	Systems

Note:

Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Add of STAR labs: CVE-2020-2674
Afanti of North China Electric Power University: CVE-2020-2550
Alexander Kornbrust of Red Database Security: CVE-2020-2511, CVE-2020-2516, CVE-2020-2527, CVE-2020-2572, CVE-2020-2608, CVE-2020-2609, CVE-2020-2610, CVE-2020-2611, CVE-2020-2612, CVE-2020-2613, CVE-2020-2614, CVE-2020-2615, CVE-2020-2616, CVE-2020-2617, CVE-2020-2618, CVE-2020-2619, CVE-2020-2620, CVE-2020-2621, CVE-2020-2622, CVE-2020-2623, CVE-2020-2624, CVE-2020-2625, CVE-2020-2626, CVE-2020-2628, CVE-2020-2629, CVE-2020-2630, CVE-2020-2631, CVE-2020-2632, CVE-2020-2633, CVE-2020-2634, CVE-2020-2635, CVE-2020-2636, CVE-2020-2637, CVE-2020-2638, CVE-2020-2639, CVE-2020-2640, CVE-2020-2641, CVE-2020-2642, CVE-2020-2643, CVE-2020-2644, CVE-2020-2645
ALVES Christopher: CVE-2020-2570, CVE-2020-2573, CVE-2020-2574
An Trinh: CVE-2020-6950
Andrej Simko of Accenture: CVE-2020-2582, CVE-2020-2596, CVE-2020-2597, CVE-2020-2657, CVE-2020-2658, CVE-2020-2661, CVE-2020-2662, CVE-2020-2665, CVE-2020-2667, CVE-2020-2668, CVE-2020-2669, CVE-2020-2670, CVE-2020-2671, CVE-2020-2672
Andres Georgieff of Sandia National Laboratories: CVE-2020-2561
André Lenoir of Tehtris: CVE-2020-2651, CVE-2020-2652, CVE-2020-2653
anhdaden of StarLabs working with Trend Micro’s Zero Day Initiative: CVE-2020-2682
Anonymous researcher working with Trend Micro’s Zero Day Initiative: CVE-2020-2698, CVE-2020-2701, CVE-2020-2726, CVE-2020-2727
Bengt Jonsson of Uppsala University: CVE-2020-2655
Bo Zhang: CVE-2020-2654
Daniel Le Souef of Trustwave Hivint: CVE-2020-2675, CVE-2020-2676, CVE-2020-2677
Daniel Martinez Adan (aDoN90): CVE-2020-2538, CVE-2020-2539
Davide Berardi: CVE-2020-2703
Devin Rosenbauer of Identity Works LLC: CVE-2020-2729
Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2020-2568, CVE-2020-2569, CVE-2020-2731
Ehsan Nikavar: CVE-2020-2531
elasticheart from ICC working with Trend Micro Zero Day Initiative: CVE-2020-2681, CVE-2020-2689, CVE-2020-2690, CVE-2020-2691, CVE-2020-2692, CVE-2020-2704, CVE-2020-2705
Giuseppino Cadeddu of Quantum Leap: CVE-2020-2599
Harold Zang of Trustwave Hivint: CVE-2020-2675, CVE-2020-2676, CVE-2020-2677
Harrison Neal: CVE-2020-2510, CVE-2020-2512, CVE-2020-2515, CVE-2020-2517
Instructor working with Trend Micro Zero Day Initiative: CVE-2020-2693
JanatiIdrissi Zouhair: CVE-2020-2570, CVE-2020-2573, CVE-2020-2574
Jang from VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-2555
Jonas Mattsson of Outpost24 Ghost Labs: CVE-2020-2533, CVE-2020-2534
Juraj Somorovsky of Ruhr-University Bochum: CVE-2020-2655
Kasper Leigh Haabb, Secunia Research at Flexera: CVE-2020-2540, CVE-2020-2541, CVE-2020-2542, CVE-2020-2543, CVE-2020-2576
Kirtikumar Anandrao Ramchandani: CVE-2020-2545
Kostis Sagonas of Uppsala University: CVE-2020-2655
Long Kuan: CVE-2020-2654
Looke of PingAn Galaxy Lab: CVE-2020-2547, CVE-2020-2548, CVE-2020-2549, CVE-2020-2552
Lucas Leong of Trend Micro Zero Day Initiative: CVE-2020-2702
Lukasz Mikula: CVE-2020-2563
Marco Ivaldi of Media Service: CVE-2020-2656, CVE-2020-2696
Martin Doyhenard of Onapsis: CVE-2020-2586, CVE-2020-2587
Matthias Kaiser of Apple Information Security: CVE-2020-2546
Michal Skowron: CVE-2020-2537
Microsoft Vulnerability Research of Microsoft Corp.: CVE-2020-2536
Mohammad Sedghi: CVE-2020-2535
Nicolas Verdier of Tehtris: CVE-2020-2651, CVE-2020-2652, CVE-2020-2653
Or Hanuka of Motorola Solutions: CVE-2020-2557
Owais Zaman of Sabic: CVE-2020-2592, CVE-2020-2707
Paul Fiterau Brostean of Uppsala University: CVE-2020-2655
Philippe Antoine, Christopher Alves, Zouhair Janatil-Idrissi, Julien Zhan (Telecom Nancy): CVE-2020-2570, CVE-2020-2573, CVE-2020-2574
RACV Information Security Team: CVE-2020-2675, CVE-2020-2676, CVE-2020-2677
Reno Robert: CVE-2020-2698
Robert Merget of Ruhr-University Bochum: CVE-2020-2655
Rémi Badonnel: CVE-2020-2570, CVE-2020-2573, CVE-2020-2574
Sravya Nandimandalam: CVE-2020-2519
Stefano Ciccone of Aon’s Cyber Labs: CVE-2020-2551
Tom Tran: CVE-2020-2728
Tomasz Wisniewski: CVE-2020-2688
Tzachy Horesh (Motorola Solutions) of Motorola Solutions: CVE-2020-2557
Vivek Parikh: CVE-2020-2678
ZHAN Julien: CVE-2020-2570, CVE-2020-2573, CVE-2020-2574
Zhongcheng Li (CK01) of Topsec Alpha Team: CVE-2020-2725
Zohaib Tasneem of Sabic: CVE-2020-2707

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

An Trinh
Andres Georgieff of Sandia National Laboratories
Benjamin Horvat of Cologne-Intelligence
Josh Bressers of Elastic
Marek Cybul
Markus Loewe
Martin Doyhenard of Onapsis
Matias Mevied of Onapsis
Quentin Rhoads-Herrera of Critical Start
Tolga Han Jonas Özgan of Cologne-Intelligence
Vahagn Vardanyan
Vladimir Egorov

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

Aditya Shende
Ahmet Gürel
Andy Bentley
Apoorv Raj Saxena of FireCompass
Arcot Manju
Hardikkumar Patel
Jimmy Bruneel
Joby Y Daniel
Lutfu Mert Ceylan
Mohamed Yaser
Mohammed Rafi
Pankaj Kumar Thakur (Nepal)
Roger Meyer
Sai Kiran Battaluri
Saiteja Pinoju
Zeel D. Chavda

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

14 April 2020
14 July 2020
20 October 2020
19 January 2021

References

Modification History

Date	Note
2020-January-17	Rev 3. Updated MOS note number for Oracle Communications Session Border Controller.
2020-January-15	Rev 2. JavaSE and Database Versions Updated.
2020-January-14	Rev 1. Initial Release.

Oracle Database Server Risk Matrix

This Critical Patch Update contains 12 new security patches for the Oracle Database Server. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2511	Core RDBMS	Create Session	OracleNet	No	7.7	Network	Low	Low	None	Changed	None	None	High	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2510	Core RDBMS	None	OracleNet	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2518	Java VM	Create Session	Multiple	No	7.5	Network	High	Low	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-10072	Workload Manager (Apache Tomcat)	None	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.0.1, 18c, 19c	See Note 1
CVE-2020-2512	Database Gateway for ODBC	None	OracleNet	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2515	Database Gateway for ODBC	Create Session	OracleNet	No	5.0	Network	High	Low	None	Un- changed	Low	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2527	Core RDBMS	Create Index, Create Table	OracleNet	No	4.1	Network	Low	High	None	Changed	Low	None	None	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2731	Core RDBMS	Local Logon	Local Logon	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2568	Oracle Applications DBA	Local Logon	Local Logon	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2569	Oracle Applications DBA	Local Logon	Local Logon	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	12.2.0.1, 18c, 19c
CVE-2020-2517	Database Gateway for ODBC	Create Procedure, Create Database Link	OracleNet	No	3.3	Network	High	High	None	Un- changed	None	Low	Low	12.2.0.1, 18c, 19c
CVE-2020-2516	Core RDBMS	Create Materialized View, Create Table	OracleNet	No	2.4	Network	Low	High	Required	Un- changed	None	Low	None	12.1.0.2, 12.2.0.1, 18c, 19c

Notes:

This patch also addresses four additional vulnerabilities: CVE-2018-11784, CVE-2019-0199, CVE-2019-0221 and CVE-2019-0232. For Windows platform – due to CVE-2019-0232 – the CVSS 3.0 score is 8.1.

Additional CVEs addressed are below:

The patch for CVE-2019-10072 also addresses CVE-2018-11784, CVE-2019-0199, CVE-2019-0221 and CVE-2019-0232.

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 25 new security patches for Oracle Communications Applications. 23 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14379	Oracle Communications Instant Messaging Server	Presence-api (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0.1.3.0
CVE-2017-5645	Oracle Communications Instant Messaging Server	Core (Log4j)	XMPP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0.1.3.0
CVE-2018-16395	Oracle Communications Interactive Session Recorder	Security (Ruby)	TLS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0, 6.1, 6.2, 6.3
CVE-2018-11058	Oracle Communications IP Service Activator	Database Client (NZ)	TCPS/HTTPS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.4, 7.4.0
CVE-2019-8457	Oracle Communications Unified Inventory Management	Tools (SQLite)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3, 7.4
CVE-2019-3862	Oracle Communications Diameter Signaling Router (DSR)	Platform (libssh2)	SSH	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	8.0, 8.1, 8.2, 8.3, 8.4
CVE-2019-0227	Oracle Communications Design Studio	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	7.4.1.1.0, 7.3.4.3.0, 7.3.5.5.0, 7.4.0.4.0
CVE-2019-16168	Oracle Communications Design Studio	Core (SQLite)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.3.4.3.0, 7.3.5.5.0, 7.4.0.4.0
CVE-2019-10072	Oracle Communications Instant Messaging Server	Core (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10.0.1.3.0
CVE-2018-6829	Oracle Communications Interactive Session Recorder	General (libgcrypt)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	6.0, 6.1, 6.2, 6.3
CVE-2019-11477	Oracle Communications Session Border Controller	Security (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.4, 8.0, 8.1, 8.2, 8.3
CVE-2019-11477	Oracle Communications Session Router	Security (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.4, 8.0, 8.1, 8.2
CVE-2019-11477	Oracle Communications Subscriber-Aware Load Balancer	IP Stack (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.3, 8.1, 8.3
CVE-2018-15756	Oracle Communications Unified Inventory Management	Security (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.3, 7.4
CVE-2019-11477	Oracle Enterprise Communications Broker	IP Stack (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	PCz3.0, PCz3.1, PCz3.2
CVE-2019-11477	Oracle Enterprise Session Border Controller	Security (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.5, 8.0, 8.1, 8.2, 8.3
CVE-2019-11358	Oracle Communications Interactive Session Recorder	General (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.0, 6.1, 6.2, 6.3
CVE-2019-17091	Oracle Communications Unified Inventory Management	Maps (Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.3, 7.4
CVE-2019-11358	Oracle Communications Unified Inventory Management	Maps (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.3, 7.4
CVE-2019-1559	Oracle Communications Diameter Signaling Router (DSR)	Platform (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.0, 8.1, 8.2, 8.3, 8.4
CVE-2019-1559	Oracle Communications Session Border Controller	Security (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.4, 8.0, 8.1, 8.2, 8.3
CVE-2019-1559	Oracle Communications Session Router	Security (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.4, 8.0, 8.1, 8.2, 8.3
CVE-2019-1559	Oracle Communications Unified Session Manager	Routing (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.3.5, 8.2.5
CVE-2018-0734	Oracle Enterprise Communications Broker	Security (OpenSSL)	None	No	5.1	Local	High	None	None	Un- changed	High	None	None	PCz3.0, PCz3.1, PCz3.2
CVE-2018-0734	Oracle Enterprise Session Border Controller	Security (OpenSSL)	None	No	5.1	Local	High	None	None	Un- changed	High	None	None	7.5, 8.0, 8.1, 8.2, 8.3

Additional CVEs addressed are below:

The patch for CVE-2018-0734 also addresses CVE-2018-0735, CVE-2018-5407, CVE-2019-1547 and CVE-2019-1559.
The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10072 also addresses CVE-2018-11784 and CVE-2019-0232.
The patch for CVE-2019-11477 also addresses CVE-2019-11478 and CVE-2019-11479.
The patch for CVE-2019-14379 also addresses CVE-2018-14718, CVE-2018-19362, CVE-2019-12086 and CVE-2019-14439.
The patch for CVE-2019-1559 also addresses CVE-2018-0734.
The patch for CVE-2019-16168 also addresses CVE-2019-8457, CVE-2019-9936 and CVE-2019-9937.
The patch for CVE-2019-8457 also addresses CVE-2019-9936 and CVE-2019-9937.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Construction and Engineering. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14540	Primavera Gateway	Admin (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.2.18, 16.2.11, 17.12.6, 18.8.8.1
CVE-2019-14540	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2019-10088	Primavera Unifier	Core (Apache Tika)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2019-0227	Primavera Gateway	Provider (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	16.2.11, 17.12.6
CVE-2019-0227	Primavera Unifier	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2020-2556	Primavera P6 Enterprise Project Portfolio Management	Core	None	No	7.3	Local	Low	Low	Required	Changed	Low	High	Low	16.2.0.0-16.2.19.0, 17.12.0.0-17.12.16.0, 18.8.0.0-18.8.16.0, 19.12.0.0, 20.1.0.0
CVE-2012-1695	Instantis EnterpriseTrack	Mobile (Mobile Application Framework)	HTTP	Yes	6.8	Network	High	None	None	Changed	None	High	None	17.1, 17.2, 17.3	See Note 1
CVE-2019-11358	Primavera Gateway	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.2.18, 16.2.11, 17.12.6, 18.8.8.1
CVE-2019-17091	Primavera P6 Enterprise Project Portfolio Management	Web Access (Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.1.0.0-15.2.18.7, 16.1.0.0-16.2.19.0, 17.1.0.0-17.12.15.0, 18.1.0.0-18.8.15.0, 19.12.0.0
CVE-2019-12415	Primavera Gateway	Admin (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	17.12.6, 18.8.8.1
CVE-2019-12415	Primavera Unifier	Core (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2020-2707	Primavera P6 Enterprise Project Portfolio Management	WebAccess	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	15.1.0.0-15.2.18.7, 16.1.0.0-16.2.19.0, 17.1.0.0-17.12.16.0, 18.1.0.0-18.8.16.0, 19.12.0.0

Notes:

JRockit is removed.

Additional CVEs addressed are below:

The patch for CVE-2012-1695 also addresses CVE-2012-3135.
The patch for CVE-2019-0227 also addresses CVE-2014-3596 and CVE-2018-8032.
The patch for CVE-2019-10088 also addresses CVE-2019-10093 and CVE-2019-10094.
The patch for CVE-2019-11358 also addresses CVE-2015-9251.
The patch for CVE-2019-14540 also addresses CVE-2019-16335.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 23 new security patches for the Oracle E-Business Suite. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the January 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (January 2020), My Oracle Support Note 2613782.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2586	Oracle Human Resources	Hierarchy Diagrammers	HTTPS	No	9.9	Network	Low	Low	None	Changed	High	High	Low	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2587	Oracle Human Resources	Hierarchy Diagrammers	HTTPS	No	9.9	Network	Low	Low	None	Changed	High	High	Low	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2651	Oracle CRM Technical Foundation	Preferences	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2652	Oracle CRM Technical Foundation	Preferences	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2653	Oracle CRM Technical Foundation	Preferences	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2669	Oracle Email Center	Message Display	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2670	Oracle Email Center	Message Display	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2671	Oracle Email Center	Message Display	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2672	Oracle Email Center	Message Display	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2582	Oracle iStore	Shopping Cart	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2658	Oracle iSupport	Others	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2661	Oracle iSupport	Others	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2662	Oracle iSupport	Others	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2665	Oracle iSupport	Others	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2591	Oracle Web Applications Desktop Integrator	Application Service	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3
CVE-2020-2603	Oracle Field Service	Wireless	HTTPS	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2666	Oracle Applications Framework	Attachments / File Upload	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.2.5-12.2.9
CVE-2020-2566	Oracle Applications Framework	Attachments / File Upload	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2596	Oracle CRM Technical Foundation	Message Hooks	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2657	Oracle CRM Technical Foundation	Preferences	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2667	Oracle iSupport	Others	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2668	Oracle iSupport	Others	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2597	Oracle One-to-One Fulfillment	Call Phone Number Page	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 50 new security patches for Oracle Enterprise Manager. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the January 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2602410.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-11058	Enterprise Manager Ops Center	Networking (Oracle Security Service)	HTTPS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.3, 12.4.0
CVE-2019-5482	Enterprise Manager Ops Center	Networking (cURL)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.3, 12.4.0
CVE-2019-2904	Oracle Application Testing Suite	Load Testing for Web Apps (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2016-4000	Oracle Application Testing Suite	Oracle Flow Builder (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2017-12626	Oracle Application Testing Suite	Load Testing for Web Apps (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2020-2673	Oracle Application Testing Suite	Oracle Flow Builder	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2017-12626	Oracle Application Testing Suite	Oracle Flow Builder (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2019-11358	Oracle Application Testing Suite	Oracle Flow Builder (jQuery)	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2020-2609	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2017-14735	Oracle Application Testing Suite	Load Testing for Web Apps (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2017-14735	Oracle Application Testing Suite	Oracle Flow Builder (Antisamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2020-2631	Enterprise Manager Base Platform	Application Service Level Mgmt	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2636	Enterprise Manager Base Platform	Application Service Level Mgmt	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2626	Enterprise Manager Base Platform	Cloud Control Manager – OMS	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2634	Enterprise Manager Base Platform	Configuration Standard Framewk	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2624	Enterprise Manager Base Platform	Connector Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2633	Enterprise Manager Base Platform	Connector Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2642	Enterprise Manager Base Platform	Connector Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2645	Enterprise Manager Base Platform	Connector Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2617	Enterprise Manager Base Platform	Discovery Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2610	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2611	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2612	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2618	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2619	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2620	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2621	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2616	Enterprise Manager Base Platform	Enterprise Manager Repository	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2622	Enterprise Manager Base Platform	Event Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2629	Enterprise Manager Base Platform	Extensibility Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2630	Enterprise Manager Base Platform	Extensibility Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2613	Enterprise Manager Base Platform	Global EM Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2628	Enterprise Manager Base Platform	Host Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2639	Enterprise Manager Base Platform	Host Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2625	Enterprise Manager Base Platform	Job System	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2643	Enterprise Manager Base Platform	Job System	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2623	Enterprise Manager Base Platform	Metrics Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2615	Enterprise Manager Base Platform	Oracle Management Service	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2644	Enterprise Manager Base Platform	Oracle Management Service	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2608	Enterprise Manager Base Platform	Repository	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	13.2.0.0, 13.3.0.0
CVE-2020-2632	Enterprise Manager Base Platform	System Monitoring	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2635	Enterprise Manager Base Platform	System Monitoring	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2614	Enterprise Manager for Fusion Middleware	APM Mesh	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	13.2.0.0, 13.3.0.0
CVE-2020-2637	Enterprise Manager for Oracle Database	Change Manager – web based	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2641	Enterprise Manager for Oracle Database	Discovery Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2638	Enterprise Manager for Oracle Database	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2640	Enterprise Manager for Oracle Database	Target Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2019-12415	Oracle Application Testing Suite	Load Testing for Web Apps (Apache POI)	none	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2020-2646	Enterprise Manager Base Platform	Command Line Interface	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2019-1547	Enterprise Manager Ops Center	Networking (RSA Bsafe)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	12.3.3, 12.4.0

Additional CVEs addressed are below:

The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-5482 also addresses CVE-2019-5481.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 24 new security patches for Oracle Financial Services Applications. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-0227	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	7.3.3-7.3.5, 8.0.0-8.0.8
CVE-2019-0227	Oracle Financial Services Funds Transfer Pricing	Web Service (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.0.2-8.0.7
CVE-2020-2718	Oracle Banking Corporate Lending	Core	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	12.3.0-12.4.0, 14.0.0-14.3.0
CVE-2020-2713	Oracle Banking Payments	Core	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	14.1.0-14.3.0
CVE-2020-2688	Oracle Financial Services Analytical Applications Infrastructure	Object Migration	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	8.0.4-8.0.8
CVE-2020-2723	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	12.1.0-12.4.0, 14.0.0-14.1.0
CVE-2020-2699	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	12.0.1-12.4.0, 14.0.0-14.3.0
CVE-2020-2716	Oracle Banking Corporate Lending	Core	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.3.0-12.4.0, 14.0.0-14.3.0
CVE-2020-2711	Oracle Banking Payments	Core	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	14.1.0-14.3.0
CVE-2020-2721	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.1.0-12.4.0, 14.0.0-14.1.0
CVE-2020-2684	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.0.1-12.4.0, 14.0.0-14.3.0
CVE-2020-2715	Oracle Banking Corporate Lending	Core	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.3.0-12.4.0, 14.0.0-14.3.0
CVE-2020-2717	Oracle Banking Corporate Lending	Core	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	12.3.0-12.4.0, 14.0.0-14.3.0
CVE-2020-2710	Oracle Banking Payments	Core	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	14.1.0-14.3.0
CVE-2020-2712	Oracle Banking Payments	Core	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	14.1.0-14.3.0
CVE-2020-2730	Oracle Financial Services Revenue Management and Billing	File Upload	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	2.7.0.0, 2.7.0.1, 2.8.0.0
CVE-2020-2720	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.1.0-12.4.0, 14.0.0-14.1.0
CVE-2020-2722	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	12.1.0-12.4.0, 14.0.0-14.1.0
CVE-2020-2685	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	12.0.1-12.4.0, 14.0.0-14.3.0
CVE-2020-2683	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTPS	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.0.1-12.4.0, 14.0.0-14.3.0
CVE-2020-2719	Oracle Banking Corporate Lending	Core	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.3.0-12.4.0, 14.0.0-14.3.0
CVE-2020-2714	Oracle Banking Payments	Core	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	14.1.0-14.3.0
CVE-2020-2724	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.1.0-12.4.0, 14.0.0-14.1.0
CVE-2020-2700	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.0.1-12.4.0, 14.0.0-14.3.0

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Food and Beverage Applications. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2697	Oracle Hospitality Suites Management	Request Tracker	None	No	4.9	Physical	Low	Low	None	Un- changed	High	Low	None	3.7, 3.8

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 38 new security patches for Oracle Fusion Middleware. 30 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update January 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2602410.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2555	Oracle Coherence	Caching,CacheStore,Invocation	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2551	Oracle WebLogic Server	WLS Core Components	IIOP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2546	Oracle WebLogic Server	Application Container – JavaEE	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0
CVE-2020-2728	Identity Manager	OIM – LDAP user and role Synch	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3.0
CVE-2019-0227	Oracle Big Data Discovery	Studio (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	1.6
CVE-2019-0227	Oracle Endeca Information Discovery Studio	Studio (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	3.2.0
CVE-2017-12626	Oracle Endeca Information Discovery Studio	Studio (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.2.0
CVE-2019-0227	Oracle Tuxedo	TX SALT (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	12.1.1.0.0, 12.1.3.0.0
CVE-2020-6950	Oracle WebLogic Server	Web Container (JavaServer Faces)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-17359	Oracle WebLogic Server	Third Party Tools (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2543	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2020-2549	Oracle WebLogic Server	WLS Core Components	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	10.3.6.0.0
CVE-2020-2537	Oracle Business Intelligence Enterprise Edition	Analytics Actions	HTTP	Yes	7.1	Network	Low	None	Required	Changed	Low	Low	Low	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2538	Oracle WebCenter Sites	Advanced UI	HTTP	Yes	7.1	Network	Low	None	Required	Changed	Low	Low	Low	12.2.1.3.0
CVE-2020-2540	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	8.5.4	See Note 1
CVE-2020-2541	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	8.5.4	See Note 1
CVE-2020-2576	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	8.5.4	See Note 1
CVE-2020-2542	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	8.5.4	See Note 1
CVE-2020-2530	Oracle HTTP Server	Web Listener	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2020-2533	Oracle Reports Developer	Security and Authentication	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2534	Oracle Reports Developer	Security and Authentication	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2539	Oracle WebCenter Sites	Advanced UI	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2019-1559	Oracle Business Intelligence Enterprise Edition	Analytics Server and Analytics Web General (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-12415	Oracle Endeca Information Discovery Studio	Studio (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	3.2.0
CVE-2019-12415	Oracle Enterprise Repository	Security Subsystem (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	12.1.3.0.0
CVE-2020-2729	Identity Manager	Advanced Console	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	11.1.2.3.0, 12.2.1.3.0
CVE-2020-2536	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	8.5.4	See Note 1
CVE-2019-10247	Oracle Endeca Information Discovery Integrator	Integrator Acquistion System (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	3.2.0
CVE-2020-2545	Oracle HTTP Server	OSSL Module	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2020-2545	Oracle Security Service	SSL API	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2020-2550	Oracle WebLogic Server	WLS Core Components	None	No	5.1	Local	Low	High	None	Un- changed	High	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2547	Oracle WebLogic Server	Console	HTTP	No	4.8	Network	Low	High	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2548	Oracle WebLogic Server	WLS Core Components	HTTP	No	4.8	Network	Low	High	Required	Changed	Low	Low	None	10.3.6.0.0
CVE-2020-2552	Oracle WebLogic Server	WLS Core Components	HTTP	No	4.8	Network	Low	High	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0
CVE-2020-2535	Oracle Business Intelligence Enterprise Edition	Analytics Server	HTTP	Yes	4.7	Network	Low	None	Required	Changed	Low	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2544	Oracle WebLogic Server	Console	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2519	Oracle WebLogic Server	Console	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2531	Oracle Business Intelligence Enterprise Edition	BI Platform Security	HTTP	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	12.2.1.3.0, 12.2.1.4.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle GraalVM. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-15845	Oracle GraalVM Enterprise Edition	Interpreter and runtime (Ruby)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.3.0.2	See Note 1
CVE-2020-2604	Oracle GraalVM Enterprise Edition	Java	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	19.3.0.2	See Note 2
CVE-2019-16776	Oracle GraalVM Enterprise Edition	JavaScript (Node.js)	Multiple	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	19.3.0.2
CVE-2020-2595	Oracle GraalVM Enterprise Edition	GraalVM Compiler	Multiple	Yes	5.8	Network	Low	None	None	Changed	Low	None	None	19.3.0.2
CVE-2020-2581	Oracle GraalVM Enterprise Edition	LLVM Interpreter	None	No	4.0	Local	Low	None	None	Un- changed	None	None	Low	19.3.0.2

Notes:

This vulnerability is in the standard Ruby libraries, not in the TruffleRuby interpreter.
GraalVM Enterprise 19.3 and above includes both Java SE 8 and Java SE 11.

Additional CVEs addressed are below:

The patch for CVE-2019-15845 also addresses CVE-2019-16201, CVE-2019-16254 and CVE-2019-16255.
The patch for CVE-2019-16776 also addresses CVE-2019-16775 and CVE-2019-16777.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Health Sciences Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2904	Oracle Clinical	User Interface (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.2
CVE-2019-2904	Oracle Health Sciences Data Management Workbench	User Interface (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4, 2.5
CVE-2018-15756	Oracle Healthcare Master Person Index	Core (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.0

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Hospitality Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-17359	Oracle Hospitality Guest Access	Base (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	4.2
CVE-2020-2675	Oracle Hospitality OPERA 5	Login	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	5.5
CVE-2020-2676	Oracle Hospitality OPERA 5	Printing	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.5
CVE-2020-2677	Oracle Hospitality OPERA 5	Login	HTTP	No	5.7	Network	Low	Low	Required	Un- changed	High	None	None	5.5, 5.6
CVE-2020-2599	Oracle Hospitality Cruise Materials Management	MMS All	None	No	4.2	Physical	High	None	None	Un- changed	High	None	None	7.30.567

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Hyperion. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2904	Hyperion Planning	Application Development Framework	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.4
CVE-2020-2563	Hyperion Financial Close Management	Close Manager	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4

Oracle iLearning Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2709	Oracle iLearning	Learner Pages	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	6.1

Oracle Java SE Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2604	Java SE, Java SE Embedded	Serialization	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Java SE: 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded: 8u231	See Note 1
CVE-2019-16168	Java SE	JavaFX (SQLite)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Java SE: 8u231	See Note 2
CVE-2019-13117	Java SE	JavaFX (libxslt)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	Java SE: 8u231	See Note 2
CVE-2019-13118	Java SE	JavaFX (libxslt)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	Java SE: 8u231	See Note 2
CVE-2020-2601	Java SE, Java SE Embedded	Security	Kerberos	Yes	6.8	Network	High	None	None	Changed	High	None	None	Java SE: 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded: 8u231	See Note 1
CVE-2020-2585	Java SE	JavaFX	Multiple	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	Java SE: 8u231	See Note 1
CVE-2020-2655	Java SE	JSSE	HTTPS	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	Java SE: 11.0.5, 13.0.1	See Note 1
CVE-2020-2593	Java SE, Java SE Embedded	Networking	Multiple	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	Java SE: 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded: 8u231	See Note 1
CVE-2020-2654	Java SE	Libraries	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u241, 8u231, 11.0.5, 13.0.1	See Note 3
CVE-2020-2590	Java SE, Java SE Embedded	Security	Kerberos	Yes	3.7	Network	High	None	None	Un- changed	None	Low	None	Java SE: 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded: 8u231	See Note 1
CVE-2020-2659	Java SE, Java SE Embedded	Networking	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u241, 8u231; Java SE Embedded: 8u231	See Note 1
CVE-2020-2583	Java SE, Java SE Embedded	Serialization	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded: 8u231	See Note 1

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle JD Edwards. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14379	JD Edwards EnterpriseOne Orchestrator	E1 IOT Orchestrator Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2019-16943	JD Edwards EnterpriseOne Orchestrator	E1 IOT Orchestrator Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2019-14379	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics SEC (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2019-16943	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics SEC (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2019-12086	JD Edwards EnterpriseOne Orchestrator	E1 IOT Orchestrator Security (jackson-databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	9.2
CVE-2019-12086	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics SEC (jackson-databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	9.2
CVE-2019-12086	JD Edwards EnterpriseOne Tools	Web Runtime SEC (jackson databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	9.2
CVE-2019-11358	JD Edwards EnterpriseOne Tools	Web Runtime SEC (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-11358	JD Edwards EnterpriseOne Tools	Web Runtime SEC (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2

Additional CVEs addressed are below:

The patch for CVE-2019-14379 also addresses CVE-2019-14439.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 19 new security patches for Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-16168	MySQL Workbench	MySQL Workbench (SQLite)	MySQL Workbench	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2019-1547	MySQL Connectors	Connector/ODBC (OpenSSL)	TLS	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	5.3.13 and prior, 8.0.18 and prior
CVE-2020-2579	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior
CVE-2020-2686	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2627	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2570	MySQL Client	C API	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	5.7.28 and prior, 8.0.18 and prior
CVE-2020-2573	MySQL Client	C API	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	5.7.28 and prior, 8.0.18 and prior
CVE-2020-2574	MySQL Client	C API	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior
CVE-2020-2577	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.28 and prior, 8.0.18 and prior
CVE-2020-2589	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.28 and prior, 8.0.17 and prior
CVE-2020-2580	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2020-2588	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2660	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.28 and prior, 8.0.18 and prior
CVE-2020-2679	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2019-1547	MySQL Enterprise Backup	Security (OpenSSL)	TLS	No	4.7	Local	High	Low	None	Un- changed	High	None	None	3.12.4 and prior, 4.1.3 and prior
CVE-2020-2584	MySQL Server	Server: Options	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	High	None	None	5.7.28 and prior, 8.0.18 and prior
CVE-2020-2694	MySQL Server	Server: Information Schema	MySQL Protocol	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	8.0.18 and prior
CVE-2020-2572	MySQL Server	Server: Audit Plugin	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	None	Low	None	5.7.28 and prior, 8.0.18 and prior
CVE-2019-8457	MySQL Cluster	Cluster: General (SQLite)	Multiple	Yes	0.0	Network	Low	None	Required	Un- changed	None	None	None	7.3.27 and prior, 7.4.25 and prior, 7.5.15 and prior, 7.6.12 and prior	See Note 1

Notes:

This CVE is not exploitable in MySQL Cluster. The CVSS v3.0 Base Score for this CVE in the National Vulnerability Database (NVD) is 9.8. SQLite is removed from MySQL Cluster releases with the January 2020 Critical Patch Update.

Additional CVEs addressed are below:

The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-8457 also addresses CVE-2019-9936 and CVE-2019-9937.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 15 new security patches for Oracle PeopleSoft. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-15708	PeopleSoft Enterprise PeopleTools	Portal (Apache Commons)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.56, 8.57
CVE-2019-2729	PeopleSoft Enterprise PeopleTools	Security (Oracle WebLogic Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.56, 8.57, 8.58
CVE-2017-12626	PeopleSoft Enterprise PeopleTools	Change Impact Analyzer (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.56, 8.57
CVE-2019-0227	PeopleSoft Enterprise PeopleTools	Portal (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.56, 8.57
CVE-2017-1000376	PeopleSoft PeopleTools	PeopleCode (libffi)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	8.56, 8.57
CVE-2020-2598	PeopleSoft Enterprise PeopleTools	Activity Guide	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2600	PeopleSoft Enterprise PeopleTools	Elastic Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2606	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2607	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2663	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2602	PeopleSoft Enterprise PeopleTools	Tree Manager	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2695	PeopleSoft Enterprise CC Common Application Objects	Approval Framework	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	9.1, 9.2
CVE-2019-1547	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	8.56, 8.57
CVE-2020-2561	PeopleSoft Enterprise HCM Human Resources	Company Dir / Org Chart Viewer	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	9.2
CVE-2020-2687	PeopleSoft Enterprise PeopleTools	Elastic Search	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	8.56, 8.57

Additional CVEs addressed are below:

The patch for CVE-2017-15708 also addresses CVE-2019-10086.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-2729 also addresses CVE-2019-2725.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 22 new security patches for Oracle Retail Applications. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2904	Oracle Retail Assortment Planning	Application Core (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0.3, 16.0.3
CVE-2019-2904	Oracle Retail Clearance Optimization Engine	Dataset Componen (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.5
CVE-2016-5019	Oracle Retail Clearance Optimization Engine	Dataset Component (Apache Trinidad)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.4
CVE-2016-5019	Oracle Retail Clearance Optimization Engine	General Application (Apache Trinidad)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.3
CVE-2019-12814	Oracle Retail Customer Management and Segmentation Foundation	Segment (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	17.0
CVE-2019-2904	Oracle Retail Markdown Optimization	Common Component Integration (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.4
CVE-2019-12419	Oracle Retail Order Broker	Order Broker Foundation (CXF)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0
CVE-2019-2904	Oracle Retail Sales Audit	Operational Insights (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0.3. 16.0.2
CVE-2018-1258	Oracle Retail Clearance Optimization Engine	Dataset Component (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	14.0.5
CVE-2018-1258	Oracle Retail Markdown Optimization	Common Component Integration (Spring Framework)	HTTPS	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	13.4.4
CVE-2016-1181	Oracle Retail Clearance Optimization Engine	Dataset Component (Struts1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	14.0.5
CVE-2016-1181	Oracle Retail Markdown Optimization	Common Component Integration (Struts1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	13.4.4
CVE-2018-8039	Oracle Retail Order Broker	System Administration (Apache CXF)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	5.2, 15.0
CVE-2019-0227	Oracle Retail Order Broker	System Administration (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	15.0, 16.0, 18.0
CVE-2020-2650	Oracle Retail Customer Management and Segmentation Foundation	Promotions	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	16.0
CVE-2020-2648	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations	None	No	6.2	Physical	Low	High	None	Un- changed	High	High	High	16.0
CVE-2019-17091	Oracle Retail Assortment Planning	Application Core (Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.0.3
CVE-2019-12415	Oracle Retail Clearance Optimization Engine	General Application (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	14.0
CVE-2019-12415	Oracle Retail Predictive Application Server	RPAS Fusion Client (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	15.0.3
CVE-2019-12415	Oracle Retail Predictive Application Server	RPAS Fusion Client (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	15.0.3, 16.0.3
CVE-2020-2567	Oracle Retail Customer Management and Segmentation Foundation	Security	HTTP	No	4.8	Network	Low	High	Required	Changed	Low	Low	None	18.0
CVE-2020-2649	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations	None	No	3.3	Local	Low	Low	None	Un- changed	Low	None	None	16.0

Additional CVEs addressed are below:

The patch for CVE-2016-1181 also addresses CVE-2016-1182.
The patch for CVE-2016-5019 also addresses CVE-2019-2904.
The patch for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257 and CVE-2018-15756.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-12419 also addresses CVE-2019-12406.
The patch for CVE-2019-12814 also addresses CVE-2018-11307, CVE-2019-12384, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267 and CVE-2019-17531.
The patch for CVE-2019-2904 also addresses CVE-2019-2094.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Siebel CRM. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14379	Siebel Engineering – Installer & Deployment	Siebel Approval Manager (jackson databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.8 and prior
CVE-2019-14379	Siebel UI Framework	EAI (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.10 and prior
CVE-2020-2564	Siebel UI Framework	EAI	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	19.10 and prior
CVE-2020-2559	Siebel UI Framework	UIF Open UI	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	19.7 and prior
CVE-2020-2560	Siebel UI Framework	SWSE Server	HTTP	Yes	4.7	Network	Low	None	Required	Changed	Low	None	None	19.10 and prior

Additional CVEs addressed are below:

The patch for CVE-2019-14379 also addresses CVE-2019-14439.

Oracle Systems Risk Matrix

This Critical Patch Update contains 17 new security patches for Oracle Systems. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-9636	Sun ZFS Storage Appliance Kit	Operating System Image	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.8.6
CVE-2019-2729	Tape Library ACSLS	Application Server (Oracle WebLogic Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5
CVE-2016-1000031	Tape Library ACSLS	Software (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5
CVE-2020-2696	Oracle Solaris	Common Desktop Environment	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	10
CVE-2020-2565	Oracle Solaris	Consolidation Infrastructure	None	No	7.5	Local	High	Low	Required	Changed	High	High	High	11
CVE-2019-2725	Tape Library ACSLS	Application Server (Oracle WebLogic Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5
CVE-2018-15756	Tape Library ACSLS	Software (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5
CVE-2020-2605	Oracle Solaris	Filesystem	None	No	7.1	Local	Low	Low	None	Un- changed	None	High	High	11
CVE-2019-11358	Tape Library ACSLS	Software (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.5, 8.5.1
CVE-2020-2680	Oracle Solaris	Filesystem	None	No	6.0	Local	Low	High	None	Changed	None	None	High	11
CVE-2020-2558	Oracle Solaris	Kernel	SMB	Yes	5.8	Network	Low	None	None	Changed	None	None	Low	11
CVE-2020-2578	Oracle Solaris	Kernel	SMB	Yes	5.8	Network	Low	None	None	Changed	None	None	Low	11
CVE-2020-2647	Oracle Solaris	Kernel	None	No	5.0	Local	Low	Low	Required	Un- changed	None	None	High	10, 11
CVE-2020-2664	Oracle Solaris	Filesystem	None	No	4.6	Local	Low	Low	Required	Changed	Low	Low	None	11
CVE-2020-2656	Oracle Solaris	X Window System	None	No	4.4	Local	Low	Low	None	Un- changed	Low	Low	None	10, 11
CVE-2019-9579	Oracle Solaris	SMB Server	None	No	3.3	Local	Low	Low	None	Un- changed	None	Low	None	11
CVE-2020-2571	Oracle VM Server for SPARC	Templates	None	No	3.3	Local	Low	None	Required	Un- changed	None	Low	None	3.6

Additional CVEs addressed are below:

The patch for CVE-2019-11358 also addresses CVE-2015-9251.
The patch for CVE-2019-9636 also addresses CVE-2017-15906, CVE-2018-1000030, CVE-2018-1060, CVE-2018-11759, CVE-2018-15473, CVE-2018-17189, CVE-2018-20684, CVE-2019-0215, CVE-2019-1559, CVE-2019-5718 and CVE-2019-9208.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Supply Chain. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-6814	Oracle Agile PLM MCAD Connector	CAX Client (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	3.4, 3.5, 3.6
CVE-2019-0232	Oracle Agile Engineering Data Management	Install (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	6.2.0, 6.2.1
CVE-2017-12626	Oracle Agile PLM	Security (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2019-10072	Oracle Agile PLM	Security (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.3.5, 9.3.6
CVE-2019-0227	Oracle Agile PLM Framework	Web Services (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	9.3.3
CVE-2020-2592	Oracle AutoVue	Security	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.0.2
CVE-2019-10247	Oracle AutoVue	Security (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.0.2
CVE-2020-2557	Oracle Demantra Demand Management	Security	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.2.4, 12.2.4.1, 12.2.5, 12.2.5.1

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-0232 also addresses CVE-2019-10072.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Utilities Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Utilities Work and Asset Management (v1)	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.9.1.2
CVE-2019-11358	Oracle Real-Time Scheduler	Next Gen Mobile Application (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.3.0.1-2.3.0.3
CVE-2019-11358	Oracle Utilities Mobile Workforce Management	Next Gen Mobile Application (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.3.0.1-2.3.0.3
CVE-2014-3004	Oracle Utilities Framework	Common (Castor)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	4.2.0.2-4.2.0.3, 4.3.0.1-4.3.0.4

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 22 new security patches for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2674	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2682	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2019-0227	Oracle Secure Global Desktop	Web Services (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	5.4, 5.5
CVE-2020-2698	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2701	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2702	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2726	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2681	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2689	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2690	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2691	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2692	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2703	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	Prior to 5.2.36, prior to 6.0.16
CVE-2020-2704	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2705	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2725	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2678	Oracle VM VirtualBox	Core	None	No	6.4	Local	High	Low	None	Changed	Low	High	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2019-17091	Oracle Secure Global Desktop	Core (Mojarra)	Multiple	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.4, 5.5
CVE-2020-2727	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2693	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2019-10092	Oracle Secure Global Desktop	Web Server (Apache HTTPD Server)	HTTP	Yes	4.7	Network	High	None	Required	Changed	Low	Low	None	5.4, 5.5
CVE-2019-1547	Oracle Secure Global Desktop	Core (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	5.4, 5.5

Additional CVEs addressed are below:

The patch for CVE-2019-10092 also addresses CVE-2019-10098.
The patch for CVE-2019-1547 also addresses CVE-2019-1552 and CVE-2019-1563.

No Related Posts

Oracle Critical Patch Update Advisory – October 2019

October 14, 2019January 19, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – October 2019

Description

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

This Critical Patch Update contains 219 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2019 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Agile Recipe Management for Pharmaceuticals, versions 9.3.3, 9.3.4	Oracle Supply Chain Products
Diagnostic Assistant, version 2.12.36	Support Tools
Enterprise Manager Base Platform, versions 13.2, 13.3	Enterprise Manager
Enterprise Manager for Exadata, versions 12.1.0.5.0, 13.2.2.0.0, 13.3.1.0.0, 13.3.2.0.0	Enterprise Manager
Enterprise Manager Ops Center, versions 12.3.3, 12.4.0	Enterprise Manager
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2361, prior to XCP3071	Systems
Hyperion Data Relationship Management, version 11.1.2.4	Fusion Middleware
Hyperion Enterprise Performance Management Architect, version 11.1.2.4	Fusion Middleware
Hyperion Financial Reporting, version 11.1.2.4	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3	Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Tools, version 4.0.1.0	JD Edwards
MICROS Relate CRM Software, versions 7.1.0, 11.4, 15.0.0, 16.0.0, 17.0.0, 18.0.0	Retail Applications
MICROS Retail XBRi Loss Prevention, version 10.8.3	Retail Applications
MySQL Connectors, versions 5.3.13 and prior, 8.0.17 and prior	MySQL
MySQL Enterprise Monitor, versions 8.0.17 and prior	MySQL
MySQL Server, versions 5.6.45 and prior, 5.7.27 and prior, 8.17 and prior	MySQL
MySQL Workbench, versions 8.0.17 and prior	MySQL
Oracle Agile PLM, versions 9.3.3-9.3.6	Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, versions 6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0	Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0	Fusion Middleware
Oracle Application Testing Suite, versions 13.2, 13.3	Enterprise Manager
Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1	Oracle Financial Services Applications
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1	Oracle Banking Platform
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Clusterware, version 19.0.0.0.0	Support Tools
Oracle Data Integrator, version 12.2.1.3.0	Fusion Middleware
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9	E-Business Suite
Oracle Enterprise Repository, version 12.1.3.0.0	Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.2-8.0.8	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Enterprise Financial Performance Analytics, versions 8.0.6, 8.0.7	Oracle Financial Services Enterprise Financial Performance Analytics
Oracle Financial Services Retail Performance Analytics, versions 8.0.6, 8.0.7	Oracle Financial Services Retail Performance Analytics
Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3	Oracle Financial Services Applications
Oracle Forms, version 12.2.1.3.0	Fusion Middleware
Oracle GoldenGate Application Adapters, version 12.3.2.1.0	Fusion Middleware
Oracle GraalVM Enterprise Edition, version 19.2.0	Oracle GraalVM Enterprise Edition
Oracle Healthcare Foundation, versions 7.1.1, 7.2.2	Health Sciences
Oracle Healthcare Translational Research, versions 3.1.0, 3.2.1, 3.3.1	Health Sciences
Oracle Hospitality Cruise Dining Room Management, version 8.0.80	Oracle Hospitality Cruise Dining Room Management
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1	Oracle Hospitality Guest Access
Oracle Hospitality Materials Control, version 18.1	Oracle Hospitality Materials Control
Oracle Hospitality Reporting and Analytics, version 9.1.0	Oracle Hospitality Reporting and Analytics
Oracle Hospitality RES 3700, version 5.7	Oracle Hospitality RES
Oracle Java SE, versions 7u231, 8u221, 11.0.4, 13	Java SE
Oracle Java SE Embedded, version 8u221	Java SE
Oracle JDeveloper and ADF, versions 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle NoSQL Database, versions prior to 19.3.12	NoSQL Database
Oracle Outside In Technology, version 8.5.4	Fusion Middleware
Oracle Policy Automation, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0-12.2.15	Oracle Policy Automation
Oracle Policy Automation Connector for Siebel, version 10.4.6	Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.15	Oracle Policy Automation
Oracle Retail Customer Insights, versions 15.0, 16.0	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, version 17.0	Retail Applications
Oracle Retail Integration Bus, versions 15.0, 16.0	Retail Applications
Oracle Retail Xstore Office, version 7.1	Retail Applications
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 17.0.3, 18.0, 18.0.1, 19.0.0	Retail Applications
Oracle Service Bus, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle SOA Suite, version 12.2.1.3.0	Fusion Middleware
Oracle Solaris, versions 10, 11	Systems
Oracle Virtual Directory, version 11.1.1.9.0	Fusion Middleware
Oracle VM VirtualBox, versions prior to 5.2.34, prior to 6.0.14	Virtualization
Oracle Web Services, version 12.2.1.3.0	Fusion Middleware
Oracle WebCenter Portal, version 12.2.1.3.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
PeopleSoft Enterprise HCM Human Resources, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57	PeopleSoft
PeopleSoft Enterprise SCM eProcurement, version 9.2	PeopleSoft
Primavera Gateway, versions 15.2, 16.2, 17.12, 18.8	Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.13	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8	Oracle Construction and Engineering Suite
Siebel Applications, versions 19.8 and prior	Siebel

Note:

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Alaa Kachouh of Bankmed: CVE-2019-3019
Alexander Kornbrust of Red Database Security: CVE-2018-2875, CVE-2019-2895, CVE-2019-2939
Alpha66647777: CVE-2019-2978
Amaal Khalid of SecureMisr: CVE-2019-2979, CVE-2019-2980
Andrej Simko of Accenture: CVE-2019-2930, CVE-2019-2990, CVE-2019-2994, CVE-2019-2995, CVE-2019-3000, CVE-2019-3022, CVE-2019-3024
Andrej Simko of Accenture working with iDefense Labs: CVE-2019-2930
Andrzej Dyjak of sigsegv.pl: CVE-2019-2901, CVE-2019-2902, CVE-2019-2903, CVE-2019-2970, CVE-2019-2971, CVE-2019-2972
anhdaden of STAR Labs: CVE-2019-2984, CVE-2019-3002, CVE-2019-3005
Anhdaden of StarLabs working with Trend Micro’s Zero Day Initiative: CVE-2019-3026, CVE-2019-3031
Badcode of Knownsec 404 Team: CVE-2019-2888
Bartlomiej Stasiek: CVE-2019-2941
Dimitrios – Georgios Karetsos of COSMOTE – Mobile Telecommunications S.A.: CVE-2019-2959
Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2019-2954, CVE-2019-2955
Ehsan Nikavar: CVE-2019-2898
Emad Al-Mousa of Saudi Aramco: CVE-2019-2940
Huyna of Viettel Cyber Security working with Trend Micro Zero Day Initiative: CVE-2019-3017
Imre Rad: CVE-2019-2996
Jakub Palaczynski: CVE-2019-2927
Jakub Palaczynski of ING Tech Poland: CVE-2019-2886
Jan Jancar of Masaryk University: CVE-2019-2894
Jean-Benjamin Rousseau of SEC Consult Vulnerability Lab: CVE-2019-17091
Krzysztof Bednarski of ING Tech Poland: CVE-2019-2886
Kyle Stiemann of Liferay: CVE-2019-17091
Laura Rowieska: CVE-2019-2897
Lewei Qu of Baidu, Inc.: CVE-2019-3021
lofiboy of infiniti Team, VinCSS (a member of Vingroup): CVE-2019-2926, CVE-2019-2944
Longofo of Knownsec 404 Team: CVE-2019-2888
Lukasz Mikula: CVE-2019-2932
Lukasz Rupala of ING Tech Poland: CVE-2019-2900, CVE-2019-3012
Marco Ivaldi of Media Service: CVE-2019-3010
Marek Cybul: CVE-2019-3014, CVE-2019-3015
Michal Skowron: CVE-2019-2897
MitAh of Tencent Security Xuanwu Lab: CVE-2019-2999
TSM_007 of TSM: CVE-2019-3012
Owais Zaman of Sabic: CVE-2019-3020
Philippe Antoine, Christopher Alves, Zouhair Janatil-Idrissi, Julien Zhan (Telecom Nancy): CVE-2019-2993, CVE-2019-3011
Ramnath Shenoy of NCC Group: CVE-2019-3015
Resecurity, Inc.: CVE-2019-3028
Rob Hamm of sas.com: CVE-2019-2949
RunningSnail: CVE-2019-2889
Saeed Shiravi: CVE-2019-3012
Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2019-2959
Steven Danneman of Security Innovation: CVE-2019-2922, CVE-2019-2923, CVE-2019-2924
tint0 of Viettel Cyber Security working with Trend Micro Zero Day Initiative: CVE-2019-2904
Tomasz Wisniewski: CVE-2019-2906
Vahagn Vardanyan: CVE-2019-2905, CVE-2019-2907
Venustech ADLab: CVE-2019-2887, CVE-2019-2890
Vladimir Egorov: CVE-2019-2905, CVE-2019-2907
Walid Faour: CVE-2019-3025
Zohaib Tasneem of Sabic: CVE-2019-3020

Security-In-Depth Contributors

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

Amit Kaplan of GE
An Trinh
Bartlomiej Zogala
Ben Heimerdinger of Code White GmbH
Cornelius Aschermann of Ruhr-University Bochum
George R
Joshua Graham of TSS
Lucas Fink
Markus Wulftange of Code White GmbH
Roberto Suggi Liverani of NATO Communications and Information Agency
Roy Haroush of GE
Sergej Schumilo of Ruhr-University Bochum
Simon Worner
Tin Duong of Fortinet’s FortiGuard Labs
voidfyoo of Chaitin Tech

On-Line Presence Security Contributors

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

Arun Babu
Ben Stock of CISPA Helmholtz Center for Information Security (Germany)
Dudy Shaul
Khiem Tran
Malavika SK
Nick Nikiforakis
Pooja B Sen
Ronak Nahar
Sajjad Hashemian
Shubham Garg [nullb0t] of JMIETI
Stefano Calzavara
Wai Yan Aung

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

14 January 2020
14 April 2020
14 July 2020
20 October 2020

References

Modification History

Date	Note
2019-October-15	Rev 1. Initial Release.
2019-November-26	Rev 2. Update Entry for CVE-2019-2941

Oracle Database Server Risk Matrix

This Critical Patch Update contains 11 new security patches for the Oracle Database Server divided as follows:

10 new security patches for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
1 new security patch for Oracle NoSQL Database. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2909	Java VM	None	Multiple	Yes	6.8	Network	High	None	None	Changed	None	High	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2956	Core RDBMS (jackson-databind)	Create Session	Multiple	No	5.7	Network	Low	Low	Required	Un- changed	None	None	High	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2913	Core RDBMS	Create Session	OracleNet	No	5.0	Network	Low	Low	None	Changed	Low	None	None	12.2.0.1, 18c, 19c
CVE-2019-2939	Core RDBMS	Create Session	OracleNet	No	5.0	Network	Low	Low	None	Changed	Low	None	None	12.2.0.1, 18c, 19c
CVE-2018-2875	Core RDBMS	Create Session	OracleNet	No	5.0	Network	Low	Low	None	Changed	Low	None	None	12.2.0.1, 18c, 19c
CVE-2019-2734	Core RDBMS	Create Session, Execute on DBMS_ADVISOR	OracleNet	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	12.2.0.1, 18c, 19c
CVE-2018-11784	WLM (Apache Tomcat)	None	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	12.2.0.1, 18c, 19c
CVE-2019-2954	Core RDBMS	Create Session, Create Procedure	Multiple	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2955	Core RDBMS	Local Logon	Multiple	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2940	Core RDBMS	Create Session	OracleNet	No	2.3	Local	Low	High	None	Un- changed	None	Low	None	12.1.0.2, 12.2.0.1, 18c

Additional CVEs addressed are below:

The patch for CVE-2018-11784 also addresses CVE-2018-8034.
The patch for CVE-2019-2956 also addresses CVE-2018-1000873, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361 and CVE-2018-19362.

Oracle NoSQL Database Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle NoSQL Database. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-14721	Oracle NoSQL Database	NoSQL (jackson-databind)	HTTP	Yes	10.0	Network	Low	None	None	Changed	High	High	High	Prior to 19.3.12

Additional CVEs addressed are below:

The patch for CVE-2018-14721 also addresses CVE-2018-1000873, CVE-2018-11798, CVE-2018-1320, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-12086, CVE-2019-12384 and CVE-2019-12814.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 13 new security patches for Oracle Construction and Engineering. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-6056	Instantis EnterpriseTrack	Core (Apache Tomcat)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2019-14379	Primavera Gateway	Admin (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.2, 16.2, 17.12, 18.8
CVE-2019-14379	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2019-3020	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	9.3	Network	Low	None	Required	Changed	High	High	None	15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.11
CVE-2019-0232	Instantis EnterpriseTrack	Generic (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2019-0211	Instantis EnterpriseTrack	Generic (Apache HTTP Server)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2019-0227	Instantis EnterpriseTrack	Generic (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2017-12626	Instantis EnterpriseTrack	Generic (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.1, 17.2, 17.3
CVE-2017-12626	Primavera Gateway	Admin (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.12
CVE-2017-12626	Primavera P6 Enterprise Project Portfolio Management	Web Access (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.13
CVE-2017-12626	Primavera Unifier	Core (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2019-2976	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	6.8	Network	Low	Low	Required	Changed	High	None	None	17.1.0-17.12.12
CVE-2019-11358	Primavera Unifier	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.1, 16.2, 17.7-17.12, 18.8

Additional CVEs addressed are below:

The patch for CVE-2017-6056 also addresses CVE-2016-5425.
The patch for CVE-2019-0211 also addresses CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217 and CVE-2019-0220.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-0232 also addresses CVE-2019-10072.
The patch for CVE-2019-14379 also addresses CVE-2019-12086, CVE-2019-14439, CVE-2019-14540 and CVE-2019-16335.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 10 new security patches for the Oracle E-Business Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2019), My Oracle Support Note 2586423.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2942	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.8
CVE-2019-2990	Oracle iStore	Order Tracker	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-2994	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2019-2995	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-3000	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-3022	Oracle Content Manager	Content	HTTP	Yes	5.8	Network	Low	None	None	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-3027	Oracle Application Object Library	Login Help	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	12.2.5-12.2.9
CVE-2019-2930	Oracle Field Service	Wireless	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.8
CVE-2019-3024	Oracle Installed Base	Engineering Change Order	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.2.3-12.2.9
CVE-2019-2925	Oracle Workflow	Worklist	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	12.1.3, 12.2.3-12.2.8

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Enterprise Manager. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2568292.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-4000	Enterprise Manager Base Platform	Command Line Interface (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2, 13.3
CVE-2019-5443	Enterprise Manager Ops Center	Networking (cURL)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	12.3.3, 12.4.0
CVE-2019-2895	Enterprise Manager for Exadata	Exadata Plug-In Deploy and Ins	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	12.1.0.5.0, 13.2.2.0.0, 13.3.1.0.0, 13.3.2.0.0
CVE-2019-9517	Enterprise Manager Ops Center	OS Provisioning (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.3.3, 12.4.0
CVE-2019-11358	Enterprise Manager Ops Center	Networking (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.3.3, 12.4.0
CVE-2019-11358	Oracle Application Testing Suite	Load Testing for Web Apps (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.2, 13.3
CVE-2019-10247	Enterprise Manager Base Platform	Agent Next Gen (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	13.2, 13.3

Additional CVEs addressed are below:

The patch for CVE-2019-10247 also addresses CVE-2019-10246.
The patch for CVE-2019-11358 also addresses CVE-2015-9251.
The patch for CVE-2019-5443 also addresses CVE-2019-5435 and CVE-2019-5436.
The patch for CVE-2019-9517 also addresses CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 and CVE-2019-10098.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Financial Services Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14379	Oracle Banking Platform	Infrastructure (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1
CVE-2019-14379	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.2-8.0.8
CVE-2019-2980	Oracle FLEXCUBE Direct Banking	eMail	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.0.2, 12.0.3
CVE-2019-11358	Oracle Financial Services Enterprise Financial Performance Analytics	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7
CVE-2019-11358	Oracle Financial Services Retail Performance Analytics	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7
CVE-2019-2979	Oracle FLEXCUBE Direct Banking	Payments	HTTP	No	5.7	Network	Low	Low	Required	Un- changed	None	High	None	12.0.2, 12.0.3
CVE-2019-3019	Oracle Banking Digital Experience	Loan Calculator	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	18.1, 18.2, 18.3, 19.1

Additional CVEs addressed are below:

The patch for CVE-2019-14379 also addresses CVE-2019-14439.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Food and Beverage Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-3025	Oracle Hospitality RES 3700	Interface	HTTP	Yes	9.0	Network	High	None	None	Changed	High	High	High	5.7
CVE-2019-2934	Oracle Hospitality Reporting and Analytics	Admin – Configuration	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.1.0
CVE-2019-2937	Oracle Hospitality Reporting and Analytics	Admin – Configuration	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.1.0
CVE-2019-2947	Oracle Hospitality Reporting and Analytics	Inventory Integration	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	9.1.0
CVE-2019-2936	Oracle Hospitality Reporting and Analytics	Admin – Configuration	HTTP	No	6.8	Network	High	Low	None	Un- changed	High	High	None	9.1.0
CVE-2019-11358	Oracle Hospitality Materials Control	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.1
CVE-2019-2952	Oracle Hospitality Reporting and Analytics	Admin-Configuration	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 37 new security patches for Oracle Fusion Middleware. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update October 2019 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2568292.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2904	Oracle JDeveloper and ADF	ADF Faces	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2016-1000031	Oracle Virtual Directory	Virtual Directory Server (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0
CVE-2019-2905	Oracle Business Intelligence Enterprise Edition	Installation	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-2906	BI Publisher (formerly XML Publisher)	Mobile Service	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2891	Oracle WebLogic Server	Console	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2900	Oracle Business Intelligence Enterprise Edition	Analytics Actions	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-0188	Oracle Enterprise Repository	Security Subsystem – 12c (Apache Camel)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0
CVE-2017-12626	Oracle Enterprise Repository	Security Subsystem – 12c (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.3.0.0
CVE-2018-15756	Oracle GoldenGate Application Adapters	3rd Party (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.3.2.1.0
CVE-2019-12086	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3.0
CVE-2019-2970	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2901	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2902	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2903	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2971	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2972	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2016-1000031	Oracle SOA Suite	BPEL Service Engine and Fabric Layer (Apache Commons FileUpload)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	12.2.1.3.0
CVE-2019-2907	Oracle Web Services	SOAP with Attachments API for Java	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	12.2.1.3.0
CVE-2019-2890	Oracle WebLogic Server	Web Services	T3	No	7.2	Network	Low	High	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2943	Oracle Data Integrator	Studio	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.2.1.3.0
CVE-2019-2897	Oracle Business Intelligence Enterprise Edition	Analytics Actions	HTTP	No	6.4	Network	Low	Low	None	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2016-7103	Oracle Business Intelligence Enterprise Edition	BI Platform Security (JQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-2886	Oracle Forms	Services	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2019-11358	Oracle JDeveloper and ADF	ADF Faces (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-11358	Oracle Service Bus	Web Container (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-11358	Oracle WebLogic Server	Console (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2889	Oracle WebLogic Server	Sample apps	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2019-11358	Oracle WebLogic Server	Sample apps (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0
CVE-2019-17091	Oracle WebLogic Server	Web Container (JavaServer Faces)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2015-9251	Oracle WebLogic Server	Web Services (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0
CVE-2019-1559	Oracle API Gateway	Oracle API Gateway (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	11.1.2.4.0
CVE-2019-1559	Oracle Business Intelligence Enterprise Edition	Secure Store (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-3012	Oracle Business Intelligence Enterprise Edition	BI Platform Security	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2888	Oracle WebLogic Server	EJB Container	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2898	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2887	Oracle WebLogic Server	Web Services	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2899	Oracle JDeveloper and ADF	OAM	HTTP	No	2.4	Network	Low	High	Required	Un- changed	Low	None	None	11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.3.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The patch for CVE-2016-7103 also addresses CVE-2015-9251.
The patch for CVE-2019-11358 also addresses CVE-2015-9251.

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle GraalVM. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2986	Oracle GraalVM Enterprise Edition	LLVM Interpreter	Multiple	No	7.7	Network	Low	Low	None	Changed	None	None	High	19.2.0
CVE-2019-9511	Oracle GraalVM Enterprise Edition	JavaScript (Node.js)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	19.2.0
CVE-2019-2989	Oracle GraalVM Enterprise Edition	Java	Multiple	Yes	6.8	Network	High	None	None	Changed	None	High	None	19.2.0

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Health Sciences Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-11358	Oracle Healthcare Foundation	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.1.1, 7.2.2
CVE-2019-11358	Oracle Healthcare Translational Research	Cohort Explorer (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.1.0, 3.2.1, 3.3.1

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Hospitality Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-0227	Oracle Hospitality Guest Access	Base (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	4.2.0, 4.2.1
CVE-2019-2953	Oracle Hospitality Cruise Dining Room Management	Web Service	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	8.0.80
CVE-2019-10247	Oracle Hospitality Guest Access	Base (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	4.2.0, 4.2.1

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Hyperion. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2927	Hyperion Data Relationship Management	Access and Security	HTTP	No	6.4	Network	High	High	Required	Un- changed	High	High	High	11.1.2.4
CVE-2019-2959	Hyperion Financial Reporting	Security Models	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4
CVE-2019-2941	Hyperion Profitability and Cost Management	Modeling	HTTP	No	4.0	Network	High	High	Required	Changed	Low	Low	None	11.1.2.4

Oracle Java SE Risk Matrix

This Critical Patch Update contains 20 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2949	Java SE, Java SE Embedded	Kerberos	Kerberos	Yes	6.8	Network	High	None	None	Changed	High	None	None	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2989	Java SE, Java SE Embedded	Networking	Multiple	Yes	6.8	Network	High	None	None	Changed	None	High	None	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2958	Java SE, Java SE Embedded	Libraries	Multiple	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-11068	Java SE	JavaFX (libxslt)	Multiple	Yes	5.6	Network	High	None	None	Un- changed	Low	Low	Low	Java SE: 8u221	See Note 1
CVE-2019-2977	Java SE	Hotspot	Multiple	Yes	4.8	Network	High	None	None	Un- changed	Low	None	Low	Java SE: 11.0.4, 13	See Note 2
CVE-2019-2975	Java SE, Java SE Embedded	Scripting	Multiple	Yes	4.8	Network	High	None	None	Un- changed	None	Low	Low	Java SE: 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2999	Java SE	Javadoc	Multiple	Yes	4.7	Network	High	None	Required	Changed	Low	Low	None	Java SE: 7u231, 8u221, 11.0.4, 13	See Note 2
CVE-2019-2996	Java SE, Java SE Embedded	Deployment	Multiple	Yes	4.2	Network	High	None	Required	Un- changed	Low	Low	None	Java SE: 8u221; Java SE Embedded: 8u221	See Note 2
CVE-2019-2987	Java SE	2D	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 11.0.4, 13	See Note 1
CVE-2019-2962	Java SE, Java SE Embedded	2D	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2988	Java SE, Java SE Embedded	2D	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 2
CVE-2019-2992	Java SE, Java SE Embedded	2D	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 2
CVE-2019-2964	Java SE, Java SE Embedded	Concurrency	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 3
CVE-2019-2973	Java SE, Java SE Embedded	JAXP	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2981	Java SE, Java SE Embedded	JAXP	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2978	Java SE, Java SE Embedded	Networking	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2894	Java SE, Java SE Embedded	Security	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2983	Java SE, Java SE Embedded	Serialization	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2933	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2945	Java SE, Java SE Embedded	Networking	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 2

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle JD Edwards. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	JD Edwards EnterpriseOne Tools	Deployment (Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.0.1.0

Oracle MySQL Risk Matrix

This Critical Patch Update contains 34 new security patches for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-8457	MySQL Workbench	MySQL Workbench (SQLite)	MySQL Workbench	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.17 and prior
CVE-2019-5443	MySQL Server	Server: Compiling (cURL)	MySQL Protocol	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-10072	MySQL Enterprise Monitor	Monitoring: General (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-1543	MySQL Connectors	Connector/ODBC (OpenSSL)	TLS	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	5.3.13 and prior, 8.0.17 and prior
CVE-2019-3011	MySQL Server	Server: C API	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2966	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2967	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2974	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.45 and prior, 5.7.27 and prior, 8.0.17 and prior
CVE-2019-2946	MySQL Server	Server: PS	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-3004	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2914	MySQL Server	Server: Security: Encryption	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-2969	MySQL Server	Client programs	MySQL Protocol	No	6.2	Local	Low	None	None	Un- changed	High	None	None	5.6.44 and prior, 5.7.26 and prior, 8.0.16 and prior
CVE-2019-2991	MySQL Server	Server: Optimizer	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	8.017 and prior
CVE-2019-2920	MySQL Connectors	Connector/ODBC	MySQL Protocol	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	5.3.13 and prior, 8.0.17 and prior
CVE-2019-2993	MySQL Server	Server: C API	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-2922	MySQL Server	Server: Security: Encryption	MySQL Protocol	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.6.45 and prior, 5.7.27 and prior
CVE-2019-2923	MySQL Server	Server: Security: Encryption	MySQL Protocol	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.6.45 and prior, 5.7.27 and prior
CVE-2019-2924	MySQL Server	Server: Security: Encryption	MySQL Protocol	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.6.45 and prior, 5.7.27 and prior
CVE-2019-1549	MySQL Workbench	Workbench: Security: Encryption (OpenSSL)	MySQL Workbench	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.0.17 and prior
CVE-2019-2963	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2968	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-3003	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2997	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2948	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.26 and prior, 8.0.16 and prior
CVE-2019-2950	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2982	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2998	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2960	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-2957	MySQL Server	Server: Security: Encryption	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2938	MySQL Server	InnoDB	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-3018	MySQL Server	InnoDB	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-3009	MySQL Server	Server: Connection	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2910	MySQL Server	Server: Security: Encryption	MySQL Protocol	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	5.6.45 and prior, 5.7.27 and prior
CVE-2019-2911	MySQL Server	Information Schema	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	5.6.45 and prior, 5.7.27 and prior, 8.0.17 and prior

Additional CVEs addressed are below:

The patch for CVE-2019-1549 also addresses CVE-2019-1547, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-5443 also addresses CVE-2019-5435 and CVE-2019-5436.
The patch for CVE-2019-8457 also addresses CVE-2019-9936 and CVE-2019-9937.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 13 new security patches for Oracle PeopleSoft. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-0729	PeopleSoft Enterprise PeopleTools	Integration Broker (Apache Xerces)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.56, 8.57
CVE-2019-3862	PeopleSoft Enterprise PeopleTools	File Processing (libssh2)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	8.56, 8.57
CVE-2019-2932	PeopleSoft Enterprise PeopleTools	Tree Manager	HTTP	No	7.7	Network	Low	Low	None	Changed	High	None	None	8.56, 8.57
CVE-2019-2915	PeopleSoft Enterprise PeopleTools	Fluid Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-2985	PeopleSoft Enterprise PeopleTools	Fluid Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-3014	PeopleSoft Enterprise PeopleTools	Performance Monitor	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-2929	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-2931	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-11358	PeopleSoft Enterprise PeopleTools	Portal, Charting (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-3001	PeopleSoft Enterprise SCM eProcurement	eProcurement	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	9.2
CVE-2019-3023	PeopleSoft Enterprise PeopleTools	Stylesheet	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	8.56, 8.57
CVE-2019-2951	PeopleSoft Enterprise HCM Human Resources	US Federal Specific	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	9.2
CVE-2019-3015	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.56, 8.57

Additional CVEs addressed are below:

The patch for CVE-2019-3862 also addresses CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3858, CVE-2019-3859, CVE-2019-3860, CVE-2019-3861 and CVE-2019-3863.

Oracle Policy Automation Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Policy Automation. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-0227	Oracle Policy Automation Connector for Siebel	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	10.4.6
CVE-2019-11358	Oracle Policy Automation	Determinations Engine (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.4.7, 12.1.0, 12.1.1, 12.2.0-12.2.15
CVE-2019-11358	Oracle Policy Automation Connector for Siebel	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.4.6
CVE-2019-11358	Oracle Policy Automation for Mobile Devices	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.0-12.2.15

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Retail Applications. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-19362	MICROS Retail XBRi Loss Prevention	Retail (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.8.3
CVE-2019-14379	Oracle Retail Xstore Point of Service	Xenvironment (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.1, 15.0, 16.0, 17.0, 18.0
CVE-2019-0232	MICROS Relate CRM Software	Internal Operations (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	11.4
CVE-2018-15756	Oracle Retail Integration Bus	RIB Kernal (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	15.0, 16.0
CVE-2019-12086	Oracle Retail Xstore Point of Service	Xenvironment (jackson-databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	7.1, 15.0, 16.0, 17.0, 18.0
CVE-2019-11358	Oracle Retail Customer Insights	Retail Science Engine (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0, 16.0
CVE-2019-2896	MICROS Relate CRM Software	Internal Operations	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.1.0, 15.0.0, 16.0.0, 17.0.0, 18.0.0,
CVE-2019-2884	Oracle Retail Customer Management and Segmentation Foundation	Segment	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	17.0
CVE-2018-3300	Oracle Retail Xstore Office	Internal Operations	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	7.1
CVE-2019-10247	Oracle Retail Xstore Point of Service	Dataloader (jackson-databind)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	7.1, 15.0, 16.0, 17.0
CVE-2019-2883	Oracle Retail Customer Management and Segmentation Foundation	Segment	HTTP	No	4.6	Network	Low	Low	Required	Un- changed	Low	Low	None	17.0
CVE-2019-2872	Oracle Retail Xstore Point of Service	Point of Sale	None	No	2.7	Physical	High	High	Required	Un- changed	Low	Low	None	17.0.3, 18.0.1, 19.0.0

Additional CVEs addressed are below:

The patch for CVE-2019-10247 also addresses CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2018-12536, CVE-2018-12538, CVE-2018-12545, CVE-2019-10241 and CVE-2019-10246.
The patch for CVE-2019-14379 also addresses CVE-2019-12086 and CVE-2019-14439.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Siebel CRM. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2965	Siebel Core – DB Deployment and Configuration	Install – Configuration	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	19.8 and prior
CVE-2019-11358	Siebel Mobile Applications	CG Mobile Connected (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	19.8 and prior
CVE-2018-8037	Siebel UI Framework	Customizable Prod/Configurator (Apache Tomcat)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	19.7 and prior
CVE-2019-2935	Siebel UI Framework	EAI	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	19.8 and prior

Oracle Systems Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Systems . 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-1000007	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (cURL)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to XCP2361, Prior to XCP3070
CVE-2019-3010	Oracle Solaris	XScreenSaver	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	11
CVE-2015-5180	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (glibc)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to XCP2361, Prior to XCP3071
CVE-2018-7185	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (NTP)	NTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to XCP2361, Prior to XCP3070
CVE-2018-18066	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (Net SNMP)	SNMP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to XCP2361, Prior to XCP3070
CVE-2018-0732	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to XCP2361, Prior to XCP3070
CVE-2019-6109	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (OpenSSH)	SSH	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	Prior to XCP2361, Prior to XCP3070
CVE-2017-17558	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (USB Driver)	None	No	6.6	Physical	Low	Low	None	Un- changed	High	High	High	Prior to XCP2360, Prior to XCP3060
CVE-2018-12404	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (NSS)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Prior to XCP2361, Prior to XCP3070
CVE-2019-2765	Oracle Solaris	Filesystem	None	No	5.3	Local	High	Low	None	Changed	Low	Low	Low	10, 11
CVE-2019-2961	Oracle Solaris	SMF services & legacy daemons	None	No	3.6	Local	High	Low	None	Un- changed	None	Low	Low	11
CVE-2019-3008	Oracle Solaris	LDAP Library	None	No	1.8	Local	High	High	Required	Un- changed	None	None	Low	11

Additional CVEs addressed are below:

The patch for CVE-2017-17558 also addresses CVE-2017-16531.
The patch for CVE-2018-0732 also addresses CVE-2016-8610 and CVE-2019-1559.
The patch for CVE-2018-1000007 also addresses CVE-2018-1000120 and CVE-2018-16842.
The patch for CVE-2018-12404 also addresses CVE-2018-12384.
The patch for CVE-2018-18066 also addresses CVE-2018-18065.
The patch for CVE-2019-6109 also addresses CVE-2018-20685 and CVE-2019-6111.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Supply Chain. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-6814	Agile Recipe Management for Pharmaceuticals	Recipe (Apache Groovy)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.4
CVE-2019-0232	Oracle Agile PLM	Security (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.3.3-9.3.6
CVE-2019-11358	Oracle Agile Product Lifecycle Management for Process	Supplier Portal (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Support Tools. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-11358	Diagnostic Assistant	Libraries (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.12.36
CVE-2019-12814	Oracle Clusterware	Trace File Analyzer (TFA) Collector (jackson-databind)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	19.0.0.0.0

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-3028	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3017	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-2944	Oracle VM VirtualBox	Core	None	No	7.3	Local	Low	High	None	Changed	Low	Low	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3026	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3021	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-2984	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	None	None	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3002	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	None	None	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3005	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	None	None	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3031	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.34, prior to 6.0.14
CVE-2019-1547	Oracle VM VirtualBox	Core (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	Prior to 5.2.34, prior to 6.0.14
CVE-2019-2926	Oracle VM VirtualBox	Core	None	No	2.3	Local	Low	High	None	Un- changed	None	None	Low	Prior to 5.2.34, prior to 6.0.14

Additional CVEs addressed are below:

The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.

No Related Posts

Oracle Security Alert for CVE-2019-2729 – 18 Jun 2019

June 17, 2019January 19, 2020 Oracle Leave a comment

Oracle Security Alert Advisory – CVE-2019-2729

Description

This Security Alert addresses CVE-2019-2729, a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

References

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Security Alert. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:

Badcode of Knownsec 404 Team: CVE-2019-2729
Fangrun Li of Creditease Security Team: CVE-2019-2729
Foren Lim: CVE-2019-2729
Jkgh006: CVE-2019-2729
Lucifaer of 360CERT at QiHu360: CVE-2019-2729
Maoxin Lin of Dbappsecurity Team: CVE-2019-2729
orich1 of CUIT D0g3 Secure Team: CVE-2019-2729
WenHui Wang of State Grid: CVE-2019-2729
Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2019-2729
Ye Zhipeng of Qianxin Yunying Labs: CVE-2019-2729
Yuxuan Chen: CVE-2019-2729
Zhao Chang of Venustech ADLab: CVE-2019-2729
Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2019-2729

Modification History

Date	Note
2019-July-11	Rev 4. Updated credit statement.
2019-June-21	Rev 3. Updated credit statement.
2019-June-20	Rev 2. Removed irrelevant paragraph about Oracle Database.
2019-June-18	Rev 1. Initial Release.

Oracle Fusion Middleware Risk Matrix

This Security Alert contains 1 new security fix for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2729	Oracle WebLogic Server	Web Services	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0

No Related Posts

Oracle Security Alert for CVE-2019-2725 – 26 Apr 2019

April 25, 2019January 19, 2020 Oracle Leave a comment

Oracle Security Alert Advisory – CVE-2019-2725

Description

This Security Alert addresses CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Affected Products and Patch Information

Affected Products and Versions	Patch Availability Document
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0	Fusion Middleware

Security Alert Supported Products and Versions

References

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:

Badcode of Knownsec 404 Team: CVE-2019-2725
Hongwei Pan of Minsheng Banking Corp.: CVE-2019-2725
Icematcha of Qianxin Yunying Labs: CVE-2019-2725
icez of Tophant Competence Center: CVE-2019-2725
Liao Xinxi of NSFOCUS Security Team: CVE-2019-2725
Lin Zheng of Minsheng Banking Corp.: CVE-2019-2725
Song Keya of Minsheng Banking Corp.: CVE-2019-2725
Tianlei Li of Minsheng Banking Corp.: CVE-2019-2725
Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2019-2725
ZengShuai Hao: CVE-2019-2725
Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2019-2725

Modification History

Date	Note
2019-May-29	Rev 4. Updated Credit Statement.
2019-May-1	Rev 3. Updated Credit Statement.
2019-April-30	Rev 2. Updated WebLogic Server Versions.
2019-April-26	Rev 1. Initial Release.

Oracle Fusion Middleware Risk Matrix

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2535708.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2725	Oracle WebLogic Server	Web Services	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0

No Related Posts

Oracle Critical Patch Update Advisory – April 2019

April 15, 2019January 19, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – April 2019

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 297 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2019 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Agile Recipe Management for Pharmaceuticals, versions 9.3.3, 9.3.4	Oracle Supply Chain Products
Enterprise Manager Base Platform, versions 12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0	Enterprise Manager
Enterprise Manager Ops Center, version 12.3.3	Enterprise Manager
FMW Platform, version 12.2.1.3.0	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3	Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Tools, version 9.2	JD Edwards
JD Edwards World Technical Foundation, versions A9.2, A9.3.1, A9.4	JD Edwards
MICROS Lucas, versions 2.9.5.6, 2.9.5.7	Retail Applications
MICROS Relate CRM Software, version 11.4	Retail Applications
MICROS Retail-J, version 12.1.2	Retail Applications
MySQL Connectors, versions 5.3.12 and prior, 8.0.15 and prior	MySQL
MySQL Enterprise Backup, versions 3.12.3 and prior, 4.1.2 and prior	MySQL
MySQL Enterprise Monitor, versions 4.0.8 and prior, 8.0.14 and prior	MySQL
MySQL Server, versions 5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior	MySQL
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5	Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0	Fusion Middleware
Oracle Application Testing Suite, version 13.3.0.1	Enterprise Manager
Oracle AutoVue 3D Professional Advanced, versions 21.0.0, 21.0.1	Oracle Supply Chain Products
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0	Oracle Banking Platform
Oracle Berkeley DB, versions prior to 6.138, prior to 18.1.32	Berkeley DB
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Process Management Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle Business Transaction Management, version 12.1.0	Enterprise Manager
Oracle Commerce Merchandising, version 11.2.0.3	Oracle Commerce
Oracle Commerce Platform, versions 11.2.0.3, 11.3.1	Oracle Commerce
Oracle Communications Application Session Controller, versions 3.7.1, 3.8.0	Oracle Communications Application Session Controller
Oracle Communications EAGLE Application Processor, versions 16.1.0, 16.2.0	Oracle Communications EAGLE Application Processor
Oracle Communications EAGLE LNP Application Processor, versions 10.0, 10.1, 10.2	Oracle Communications EAGLE LNP Application Processor
Oracle Communications Instant Messaging Server, version 10.0.1	Oracle Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2	Oracle Communications Interactive Session Recorder
Oracle Communications LSMS, versions 13.1, 13.2, 13.3	Oracle Communications LSMS
Oracle Communications Messaging Server, versions 8.0, 8.1	Oracle Communications Messaging Server
Oracle Communications Operations Monitor, versions 3.4, 4.0	Oracle Communications Operations Monitor
Oracle Communications Policy Management, versions 12.1, 12.2, 12.3, 12.4	Oracle Communications Policy Management
Oracle Communications Pricing Design Center, versions 11.1, 12.0	Oracle Communications Pricing Design Center
Oracle Communications Service Broker, version 6.0	Oracle Communications Service Broker
Oracle Communications Service Broker Engineered System Edition, version 6.0	Oracle Communications Service Broker Engineered System Edition
Oracle Communications Session Border Controller, versions 8.0.0, 8.1.0, 8.2.0	Oracle Communications Session Border Controller
Oracle Communications Unified Inventory Management, versions 7.3.2, 7.3.4, 7.3.5, 7.4.0	Oracle Communications Unified Inventory Management
Oracle Configuration Manager, version 12.1.0	Enterprise Manager
Oracle Configurator, versions 12.1, 12.2	Oracle Supply Chain Products
Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0	Fusion Middleware
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	Database
Oracle E-Business Suite, versions 0.9.8, 1.0.0, 1.0.1, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8	E-Business Suite
Oracle Endeca Information Discovery Integrator, version 3.2.0	Fusion Middleware
Oracle Enterprise Communications Broker, versions 3.0.0, 3.1.0	Oracle Enterprise Communications Broker
Oracle Enterprise Operations Monitor, versions 3.4, 4.0	Oracle Enterprise Operations Monitor
Oracle Enterprise Session Border Controller, versions 8.0.0, 8.1.0, 8.2.0	Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3 – 7.3.5, 8.0.0 – 8.0.7	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Asset Liability Management, versions 8.0.4 – 8.0.7	Oracle Financial Services Asset Liability Management
Oracle Financial Services Data Integration Hub, versions 8.0.5 – 8.0.7	Oracle Financial Services Data Integration Hub
Oracle Financial Services Funds Transfer Pricing, versions 8.0.4 – 8.0.7	Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4 – 8.0.7	Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Liquidity Risk Management, versions 8.0.2 – 8.0.6	Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.2 – 8.0.7	Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.5, 8.0.6	Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Profitability Management, versions 8.0.4 – 8.0.6	Oracle Financial Services Profitability Management
Oracle Financial Services Reconciliation Framework, versions 8.0.5, 8.0.6	Oracle Financial Services Analytical Applications Reconciliation Framework
Oracle FLEXCUBE Private Banking, versions 2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0	Oracle Financial Services Applications
Oracle Fusion Middleware MapViewer, version 12.2.1.3.0	Fusion Middleware
Oracle Health Sciences Data Management Workbench, version 2.4.8	Health Sciences
Oracle Healthcare Master Person Index, versions 3.0, 4.0	Health Sciences
Oracle Hospitality Cruise Dining Room Management, version 8.0.80	Oracle Hospitality Cruise Dining Room Management
Oracle Hospitality Cruise Fleet Management, version 9.0.11	Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1	Oracle Hospitality Guest Access
Oracle Hospitality Reporting and Analytics, version 9.1.0	Oracle Hospitality Reporting and Analytics
Oracle HTTP Server, version 12.2.1.3.0	Fusion Middleware
Oracle Identity Analytics, version 11.1.1.5.8	Fusion Middleware
Oracle Java SE, versions 7u211, 8u202, 11.0.2, 12	Java SE
Oracle Java SE Embedded, version 8u201	Java SE
Oracle JDeveloper, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle Knowledge, versions 8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1	Oracle Knowledge
Oracle Managed File Transfer, versions 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle Outside In Technology, versions 8.5.3, 8.5.4	Fusion Middleware
Oracle Real-Time Scheduler, version 2.3.0	Oracle Utilities Applications
Oracle Retail Allocation, version 15.0.2	Retail Applications
Oracle Retail Convenience Store Back Office, version 3.6	Retail Applications
Oracle Retail Customer Engagement, versions 16.0, 17.0	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0	Retail Applications
Oracle Retail Invoice Matching, versions 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0	Retail Applications
Oracle Retail Merchandising System, versions 15.0, 16.0	Retail Applications
Oracle Retail Order Broker, versions 5.1, 5.2, 15.0, 16.0	Retail Applications
Oracle Retail Point-of-Service, versions 13.4, 14.0, 14.1	Retail Applications
Oracle Retail Workforce Management Software, version 1.60.9.0.0	Retail Applications
Oracle Retail Xstore Point of Service, versions 7.0, 7.1	Retail Applications
Oracle Secure Global Desktop, version 5.4	Virtualization
Oracle Service Bus, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle SOA Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle Solaris, versions 10, 11	Systems
Oracle Traffic Director, version 11.1.1.9.0	Fusion Middleware
Oracle Transportation Management, versions 6.3.7, 6.4.2, 6.4.3	Oracle Supply Chain Products
Oracle Tuxedo, version 12.1.1.0.0	Fusion Middleware
Oracle Utilities Framework, versions 2.2.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.2.0, 4.3.0.3.0, 4.3.0.4.0, 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0	Oracle Utilities Applications
Oracle Utilities Mobile Workforce Management, version 2.3.0	Oracle Utilities Applications
Oracle Utilities Network Management System, version 1.12.0.3	Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.2.28, prior to 6.0.6	Virtualization
Oracle WebCenter Portal, version 12.2.1.3.0	Fusion Middleware
Oracle WebCenter Sites, version 12.2.1.3.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
OSS Support Tools, version 19.1	Support Tools
PeopleSoft Enterprise ELM, version 9.2	PeopleSoft
PeopleSoft Enterprise ELM Enterprise Learning Management, version 9.2	PeopleSoft
PeopleSoft Enterprise HCM Talent Acquisition Manager, version 9.2	PeopleSoft
PeopleSoft Enterprise HRMS, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57	PeopleSoft
PeopleSoft Enterprise PT PeopleTools, versions 8.55, 8.56, 8.57	PeopleSoft
Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.1, 15.2, 16.1, 16.2, 17.7 – 17.12, 18.8	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7 – 17.12, 18.8	Oracle Construction and Engineering Suite
Siebel Applications, version 19.3	Siebel

Note:

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible. Until you apply the Critical Patch Update fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Andrej Simko of Accenture: CVE-2019-2603, CVE-2019-2639, CVE-2019-2640, CVE-2019-2641, CVE-2019-2642, CVE-2019-2643, CVE-2019-2651, CVE-2019-2652, CVE-2019-2653, CVE-2019-2654, CVE-2019-2660, CVE-2019-2661, CVE-2019-2662, CVE-2019-2663, CVE-2019-2664, CVE-2019-2665
Andrej Simko of Accenture working with iDefense Labs: CVE-2019-2551, CVE-2019-2600, CVE-2019-2603, CVE-2019-2604, CVE-2019-2622, CVE-2019-2652, CVE-2019-2669, CVE-2019-2670, CVE-2019-2671, CVE-2019-2673, CVE-2019-2674, CVE-2019-2675, CVE-2019-2676, CVE-2019-2677
Andres Georgieff of Sandia National Laboratories: CVE-2019-2586, CVE-2019-2621
Andy Nguyen: CVE-2019-2678, CVE-2019-2679, CVE-2019-2680
anhdaden of StarLabs working with Trend Micro’s Zero Day Initiative: CVE-2019-2722
Athul Jayaram: CVE-2019-2706
Badcode of Knownsec 404 Team: CVE-2019-2615, CVE-2019-2618
Corwin de Boor: CVE-2019-2684
Devin Rosenbauer of Identity Works LLC: CVE-2019-2572
Dhiraj Mishra: CVE-2018-3123
Ehsan Nikavar: CVE-2019-2605
fluoroacetate working with Trend Micro’s Zero Day Initiative: CVE-2019-2723
Frank Lycops: CVE-2019-2704
huyna of Viettel Cyber Security working with Trend Micro Zero Day Initiative: CVE-2019-2574
Jakub Palaczynski: CVE-2019-2591
James Forshaw: CVE-2019-2721
Jason Matthyser of MWR Labs working with Trend Micro Zero Day Initiative: CVE-2019-2574, CVE-2019-2656, CVE-2019-2657
Jonas Mattsson of Outpost24 Ghost Labs: CVE-2019-2578, CVE-2019-2579
Jonathan Jacobi: CVE-2019-2703
Juan Pablo Perez Etchegoyen of Onapsis: CVE-2019-2568
Krzysztof Przybylski of STM Solutions: CVE-2019-2720
Lionel Debroux: CVE-2019-2708
Luca Rupp of Usd AG: CVE-2019-2709
Lucas Pinheiro of Microsoft Corp.: CVE-2019-2696
Lukasz Mikula: CVE-2019-2598
Lukasz Rupala of ING Tech Poland: CVE-2019-2595, CVE-2019-2601
Martin Doyhenard of Onapsis: CVE-2019-2633, CVE-2019-2638
Mateusz Jurczyk of Google Project Zero: CVE-2019-2697, CVE-2019-2698
Matthew McPeak of Tempus Consulting Group: CVE-2019-2567
Matthias Kaiser of Apple Information Security: CVE-2019-2645, CVE-2019-2646, CVE-2019-2647, CVE-2019-2648, CVE-2019-2649, CVE-2019-2650
Mehdi Esmaeilpour: CVE-2019-2605
Michael Nielson: CVE-2019-2692
Minle Chen of PingAn Galaxy Lab: CVE-2019-2615, CVE-2019-2618
Niklas Baumstark working with Trend Micro’s Zero Day Initiative: CVE-2019-2690
Omri Herscovici of Check Point Software: CVE-2019-2608, CVE-2019-2609, CVE-2019-2610, CVE-2019-2611, CVE-2019-2612, CVE-2019-2613, CVE-2019-2705
Omur Ugur of Turk Telekom: CVE-2019-2576
Quentin Rhoads-Herrera of Critical Start: CVE-2019-2564
Robert Xiao: CVE-2019-2684
Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2019-2713
Steven Seeley of Source Incite working with iDefense: CVE-2019-2557
TheFloW working with Trend Micro Zero Day Initiative: CVE-2019-2574
Vahagn Vardanyan: CVE-2019-2575, CVE-2019-2588, CVE-2019-2616
Vladimir Egorov: CVE-2019-2575, CVE-2019-2588, CVE-2019-2616
Wang Cheng of Venustech ADLab: CVE-2019-2615, CVE-2019-2647
Yaniv Balmas of Check Point Software: CVE-2019-2608, CVE-2019-2609, CVE-2019-2610, CVE-2019-2611, CVE-2019-2612, CVE-2019-2613, CVE-2019-2705

Security-In-Depth Contributors

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

Ian McLauchlan of Miton
Jakub Tyrlik
Jean-Benjamin Rousseau of SEC Consult Vulnerability Lab
Guillaume Crouquet of SEC Consult Vulnerability Lab
Richard O’Donnell of IRM Security
Thomas Friedlein of Federal Motor Transport Authority (Germany)

On-Line Presence Security Contributors

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

Ankit Singh
Bharat
Brian Carpenter
Celal Erdik of Ebruu Tech Limited
Chirag Gupta
David Wilkins
Dhamu Harker
F0xman
Grishma Sinha of Lucideus Tech
Ismail Tasdelen
jw c
Kamal Elsayed Hussein
lhf012
Mansouri Badis
Markus Wulftange of Code White
Mohit Tirkey
Pratik Luhana
Rajat Sharma
Sagar Gharbudve
Sameer Phad
Sanjay Singh Jhala
Seth Duda
Shubham Maheshwari
Small Boys
Vismit Sudhir Rakhecha (Druk) (2 reports)
Wai Yan Aung
Yashraj Choudhary
Zhouyuan of Fortinet, Inc.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

16 July 2019
15 October 2019
14 January 2020
14 April 2020

References

Modification History

Date	Note
2019-May-28	Rev 6. Updated Security-In-Depth Contributors section.
2019-May-16	Rev 5. Corrected CVE# in Enterprise Manager Products Suite risk matrix. CVE-2018-0161 was replaced with CVE-2019-2726.
2019-May-3	Rev 4. Updated Security-In-Depth Contributors section.
2019-May-1	Rev 3. Updated CVSS score for CVE-2019-2633 and CVE-2019-2638.
2019-April-19	Rev 2. Updated credit for CVE-2019-2696.
2019-April-16	Rev 1. Initial Release.

Oracle Database Server Risk Matrix

This Critical Patch Update contains 6 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2517	Core RDBMS	DBFS_ROLE	Oracle Net	No	9.1	Network	Low	High	None	Changed	High	High	High	12.2.0.1, 18c
CVE-2019-2516	Portable Clusterware	Grid Infrastructure User	Multiple	No	8.2	Local	Low	High	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2019-2619	Portable Clusterware	Grid Infrastructure User	Multiple	No	8.2	Local	Low	High	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2019-2518	Java VM	Create Session, Create Procedure	Multiple	No	7.5	Network	High	Low	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2571	RDBMS DataPump	DBA role	Oracle Net	No	6.6	Network	High	High	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2019-2582	Core RDBMS	None	Oracle Net	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.2.0.1, 18c

Oracle Berkeley DB Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Berkeley DB. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2708	Data Store	Local Logon	Local Logon	No	3.3	Local	Low	Low	None	Un- changed	None	None	Low	Prior to 6.138, prior to 6.2.38, prior to 18.1.32

Oracle Commerce Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle Commerce. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2713	Oracle Commerce Merchandising	Asset Manager	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	11.2.0.3
CVE-2019-2659	Oracle Commerce Platform	Dynamo Application Framework	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.2.0.3
CVE-2019-2712	Oracle Commerce Platform	Dynamo Application Framework	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.2.0.3, 11.3.1

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 26 new security fixes for Oracle Communications Applications. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-7489	Oracle Communications Instant Messaging Server	Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0.1
CVE-2019-3822	Oracle Communications Operations Monitor	Security (curl)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4, 4.0
CVE-2018-11219	Oracle Communications Operations Monitor	Security (Redis)	RESP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4, 4.0
CVE-2017-5645	Oracle Communications Pricing Design Center	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1, 12.0
CVE-2016-1000031	Oracle Communications Service Broker	Admin server FileUpload (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0
CVE-2016-1000031	Oracle Communications Service Broker Engineered System Edition	Admin server FileUpload (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0
CVE-2018-11236	Oracle Communications Session Border Controller	Security (glibc)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-11236	Oracle Enterprise Communications Broker	Security (glibc)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.0.0, 3.1.0
CVE-2018-11236	Oracle Enterprise Session Border Controller	Security (glibc)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-1258	Oracle Communications Unified Inventory Management	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	7.3.2, 7.3.4, 7.3.5, 7.4.0
CVE-2017-5664	Oracle Communications Application Session Controller	Security (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	3.7.1, 3.8.0
CVE-2016-1181	Oracle Communications Policy Management	Security (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.1, 12.2, 12.3, 12.4
CVE-2018-16864	Oracle Communications Session Border Controller	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-16864	Oracle Enterprise Communications Broker	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	3.0.0, 3.1.0
CVE-2018-16864	Oracle Enterprise Session Border Controller	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-1000180	Oracle Communications Application Session Controller	Security (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	3.7.1, 3.8.0
CVE-2018-0732	Oracle Communications Application Session Controller	Security (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.7.1, 3.8.0
CVE-2018-0732	Oracle Communications EAGLE LNP Application Processor	Security (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10.0, 10.1, 10.2
CVE-2017-5664	Oracle Communications Instant Messaging Server	Security (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	10.0.1
CVE-2018-0732	Oracle Communications Operations Monitor	Security (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.4, 4.0
CVE-2017-0861	Oracle Communications EAGLE Application Processor	Security (Kernel)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	16.1.0, 16.2.0
CVE-2015-9251	Oracle Communications Interactive Session Recorder	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.0, 6.1, 6.2
CVE-2015-9251	Oracle Enterprise Operations Monitor	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.4, 4.0
CVE-2018-12404	Oracle Communications Messaging Server	Security (NSS)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.0, 8.1
CVE-2017-5753	Oracle Communications LSMS	Platform (Kernel)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	13.1, 13.2, 13.3
CVE-2017-5754	Oracle Communications LSMS	Platform (Kernel)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	13.1, 13.2, 13.3

Additional CVEs addressed are below:

The fix for CVE-2016-1181 also addresses CVE-2016-1182.
The fix for CVE-2017-0861 also addresses CVE-2017-15265, CVE-2018-1000004, CVE-2018-10901, CVE-2018-3620, CVE-2018-3646, CVE-2018-3693 and CVE-2018-7566.
The fix for CVE-2017-5664 also addresses CVE-2016-8735, CVE-2017-12617 and CVE-2018-11784.
The fix for CVE-2018-0732 also addresses CVE-2016-7055, CVE-2017-3730, CVE-2017-3731, CVE-2017-3732, CVE-2017-3733, CVE-2017-3735, CVE-2017-3736, CVE-2017-3738, CVE-2018-0733, CVE-2018-0734, CVE-2018-0737 and CVE-2018-0739.
The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
The fix for CVE-2018-11219 also addresses CVE-2018-11218.
The fix for CVE-2018-11236 also addresses CVE-2018-11237 and CVE-2018-6485.
The fix for CVE-2018-12404 also addresses CVE-2018-12384.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-16864 also addresses CVE-2018-16865.
The fix for CVE-2018-7489 also addresses CVE-2017-7525.
The fix for CVE-2019-3822 also addresses CVE-2018-16890 and CVE-2019-3823.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 8 new security fixes for the Oracle Construction and Engineering Suite. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	Primavera P6 Enterprise Project Portfolio Management	Web Access (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-19362	Primavera P6 Enterprise Project Portfolio Management	Web Access (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
CVE-2016-1000031	Primavera Unifier	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-19362	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-11763	Instantis EnterpriseTrack	Core (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.1, 17.2, 17.3
CVE-2018-0734	Primavera P6 Enterprise Project Portfolio Management	Project Manager (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-11784	Instantis EnterpriseTrack	Core (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	17.1, 17.2, 17.3
CVE-2019-2701	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	18.8

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
The fix for CVE-2018-11763 also addresses CVE-2017-9798.
The fix for CVE-2018-11784 also addresses CVE-2018-8034.
The fix for CVE-2018-19362 also addresses CVE-2018-19360 and CVE-2018-19361.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 35 new security fixes for the Oracle E-Business Suite. 33 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2019), My Oracle Support Note 2514102.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2638	Oracle General Ledger	Consolidation Hierarchy Viewer	HTTP	No	9.9	Network	Low	Low	None	Changed	High	High	Low	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2633	Oracle Work in Process	Messages	HTTP	No	9.9	Network	Low	Low	None	Changed	High	High	Low	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2663	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2682	Oracle Applications Framework	Attachments / File Upload	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2665	Oracle Common Applications	CRM User Management Framework	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2639	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2671	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2675	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2600	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2651	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2661	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2655	Oracle Interaction Center Intelligence	Business Intelligence (OLTP)	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2019-2652	Oracle iStore	Shopping Cart	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2583	Oracle iSupplier Portal	Attachments	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2660	Oracle Knowledge Management	Setup, Admin	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2604	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2664	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2677	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2551	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2603	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2653	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2654	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2662	Oracle Territory Management	Territory Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2640	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2641	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2642	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2643	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2018-0734	Application Server	Technology Stack Triage (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	0.9.8, 1.0.0, 1.0.1
CVE-2019-2621	Oracle Application Object Library	Diagnostics	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2669	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2676	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2670	Oracle Marketing	Marketing Administration	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2673	Oracle Marketing	Marketing Administration	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2674	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2622	Oracle Service Contracts	Renewals	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 11 new security fixes for the Oracle Enterprise Manager Products Suite. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2498664.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	Enterprise Manager Ops Center	Networking (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.3
CVE-2016-4000	Oracle Configuration Manager	Collector of Config and Diag (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0
CVE-2018-1258	Enterprise Manager Base Platform	Enterprise Manager Install (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
CVE-2018-1258	Enterprise Manager Ops Center	Networking (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.3.3
CVE-2018-11763	Enterprise Manager Ops Center	Networking (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.3.3
CVE-2018-1000180	Oracle Business Transaction Management	Security (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.0
CVE-2018-1656	Enterprise Manager Base Platform	Agent Next Gen (IBM Java)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	13.2.0.0.0, 13.3.0.0.0
CVE-2019-2726	Enterprise Manager Ops Center	Services Integration	HTTP	No	6.3	Network	High	Low	None	Changed	None	None	High	12.3.3
CVE-2019-2557	Oracle Application Testing Suite	Load Testing for Web Apps	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	13.3.0.1
CVE-2018-0734	Enterprise Manager Base Platform	Discovery Framework (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
CVE-2018-0734	Enterprise Manager Ops Center	Networking (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.3.3

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
The fix for CVE-2018-11763 also addresses CVE-2018-17189, CVE-2018-17199 and CVE-2019-0190.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257 and CVE-2018-15756.
The fix for CVE-2018-1656 also addresses CVE-2018-12539.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Financial Services Applications. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Banking Platform	Collections (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0, 2.4.1, 2.5.0, 2.6.0
CVE-2016-1000031	Oracle FLEXCUBE Private Banking	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0
CVE-2018-1258	Oracle FLEXCUBE Private Banking	Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0
CVE-2018-11775	Oracle FLEXCUBE Private Banking	Core (Apache ActiveMQ)	HTTP	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0
CVE-2015-9251	Oracle Financial Services Analytical Applications Infrastructure	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.3.3-7.3.5, 8.0.0-8.0.7
CVE-2015-9251	Oracle Financial Services Asset Liability Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2015-9251	Oracle Financial Services Data Integration Hub	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5-8.0.7
CVE-2015-9251	Oracle Financial Services Funds Transfer Pricing	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2015-9251	Oracle Financial Services Hedge Management and IFRS Valuations	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2015-9251	Oracle Financial Services Liquidity Risk Management	Internal Operations (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.2-8.0.6
CVE-2015-9251	Oracle Financial Services Loan Loss Forecasting and Provisioning	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.2-8.0.7
CVE-2015-9251	Oracle Financial Services Market Risk Measurement and Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5, 8.0.6
CVE-2015-9251	Oracle Financial Services Profitability Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.6
CVE-2015-9251	Oracle Financial Services Reconciliation Framework	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5, 8.0.6

Additional CVEs addressed are below:

The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Food and Beverage Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2015-9251	Oracle Hospitality Reporting and Analytics	Report (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 53 new security fixes for Oracle Fusion Middleware. 42 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2498664.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle API Gateway	Oracle API Gateway (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.4.0
CVE-2018-19362	Oracle Business Process Management Suite	Runtime Engine (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.1.3.0
CVE-2015-3253	Oracle Data Integrator	Install, config, upgrade (Apache Groovy)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0
CVE-2016-1000031	Oracle Endeca Information Discovery Integrator	Other Issues (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.2.0
CVE-2019-3822	Oracle HTTP Server	Web Listener (curl)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2016-1000031	Oracle Identity Analytics	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.5.8
CVE-2017-5645	Oracle JDeveloper	None (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2017-8287	Oracle Outside In Technology	Installation (FreeType)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.3	See Note 1
CVE-2017-8105	Oracle Outside In Technology	Installation (FreeType)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.3	See Note 1
CVE-2016-1000031	Oracle WebCenter Portal	Security Framework (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2018-19362	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2019-2658	Oracle WebLogic Server	WLS Core Components	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0
CVE-2019-2646	Oracle WebLogic Server	EJB Container	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2645	Oracle WebLogic Server	WLS Core Components	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-1258	Oracle WebLogic Server	WLS Core Components (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2019-2578	Oracle WebCenter Sites	Advanced UI	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	12.2.1.3.0
CVE-2019-2595	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2706	Oracle Business Process Management Suite	BPM Foundation Services	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0
CVE-2019-2705	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	8.5.3, 8.5.4	See Note 1
CVE-2018-14718	Oracle JDeveloper	Oracle JDeveloper (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.1.3.0
CVE-2019-2601	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2018-1000180	Oracle API Gateway	Oracle API Gateway (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.2.4.0
CVE-2018-11761	Oracle Business Process Management Suite	Runtime Engine (Apache Tika)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.3.0.0, 12.2.1.3.0
CVE-2018-1000180	Oracle Managed File Transfer	MFT Runtime Server (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.3.0
CVE-2018-1000180	Oracle SOA Suite	B2B Engine (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.3.0
CVE-2019-2647	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2648	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2649	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2650	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-8013	Oracle Data Integrator	Install, config, upgrade (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	12.2.1.3.0
CVE-2019-2608	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2616	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2018-1305	FMW Platform	Provisioning (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.2.1.3.0
CVE-2018-1305	Oracle Managed File Transfer	MFT Runtime Server (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.3.0
CVE-2019-2609	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2610	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2611	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2612	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2613	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2015-9251	Oracle Fusion Middleware MapViewer	Install (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2015-9251	Oracle JDeveloper	ADF Faces (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-0734	Oracle API Gateway	Oracle API Gateway (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	11.1.2.4.0
CVE-2018-0734	Oracle Tuxedo	SSL/TLS (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.1.0.0
CVE-2019-2618	Oracle WebLogic Server	WLS Core Components	HTTP	No	5.5	Network	Low	High	None	Un- changed	High	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2576	Oracle Service Bus	Web Container	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2572	Oracle SOA Suite	Fabric Layer	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.1.1.9.0
CVE-2018-0495	Oracle Traffic Director	Security (NSS)	None	No	5.1	Local	High	None	None	Un- changed	High	None	None	11.1.1.9.0
CVE-2019-2568	Oracle WebLogic Server	WLS Core Components	HTTP	No	5.0	Network	Low	Low	None	Changed	None	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2588	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	No	4.9	Network	Low	High	None	Un- changed	High	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2615	Oracle WebLogic Server	WLS Core Components	HTTP	No	4.9	Network	Low	High	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2579	Oracle WebCenter Sites	Advanced UI	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.2.1.3.0
CVE-2019-2605	Oracle Business Intelligence Enterprise Edition	Web Catalog	HTTP	Yes	3.4	Network	High	None	Required	Changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2720	Oracle Data Integrator	ODI Tools	HTTP	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The fix for CVE-2017-8287 also addresses CVE-2017-8105.
The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-1305 also addresses CVE-2018-1304.
The fix for CVE-2018-14718 also addresses CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.
The fix for CVE-2018-19362 also addresses CVE-2018-19360 and CVE-2018-19361.
The fix for CVE-2019-3822 also addresses CVE-2018-16890 and CVE-2019-3823.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Health Sciences Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Healthcare Master Person Index	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.0, 4.0
CVE-2019-2629	Oracle Health Sciences Data Management Workbench	User Interface	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	2.4.8

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Hospitality Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Hospitality Guest Access	Base (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.2.0, 4.2.1
CVE-2019-2702	Oracle Hospitality Cruise Dining Room Management	Web Service	HTTP	Yes	9.3	Network	Low	None	None	Changed	High	Low	None	8.0.80
CVE-2016-7103	Oracle Hospitality Cruise Fleet Management	FMS Suite (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.0.11
CVE-2018-11763	Oracle Hospitality Guest Access	Base (Apache HTTP Server)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	4.2.0, 4.2.1
CVE-2018-11784	Oracle Hospitality Guest Access	Base (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	4.2.0, 4.2.1

Additional CVEs addressed are below:

The fix for CVE-2016-7103 also addresses CVE-2015-9251.
The fix for CVE-2018-11784 also addresses CVE-2018-8034.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application (in Java SE 8) has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of “High”, lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2699	Java SE	Windows DLL	Multiple	Yes	9.0	Network	High	None	None	Changed	High	High	High	Java SE: 8u202	See Note 1
CVE-2019-2697	Java SE	2D	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Java SE: 7u211, 8u202	See Note 2
CVE-2019-2698	Java SE	2D	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Java SE: 7u211, 8u202	See Note 2
CVE-2019-2602	Java SE, Java SE Embedded	Libraries	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Java SE: 7u211, 8u202, 11.0.2, 12; Java SE Embedded: 8u201	See Note 3
CVE-2019-2684	Java SE, Java SE Embedded	RMI	Multiple	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	Java SE: 7u211, 8u202, 11.0.2, 12; Java SE Embedded: 8u201	See Note 1

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 8 new security fixes for Oracle JD Edwards Products. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2017-5645	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-12023	JD Edwards EnterpriseOne Tools	EnterpriseOne Mobility Sec (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2018-12023	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2018-12023	JD Edwards EnterpriseOne Tools	Web Runtime (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2018-0732	JD Edwards EnterpriseOne Tools	Enterprise Infrastructure SEC (OpenSSL)	JDENET	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.2
CVE-2019-2565	JD Edwards World Technical Foundation	Service Enablement	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	A9.2, A9.3.1, A9.4
CVE-2015-9251	JD Edwards EnterpriseOne Tools	Web Runtime (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2564	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	9.2

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.
The fix for CVE-2018-12023 also addresses CVE-2018-11307 and CVE-2018-12022.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 45 new security fixes for Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2632	MySQL Server	Server : Pluggable Auth	MySQL Protocol	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2693	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2694	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2695	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2692	MySQL Connectors	Connector/J	JDBC	No	6.3	Local	High	High	Required	Un- changed	High	High	High	8.0.15 and prior
CVE-2019-1559	MySQL Connectors	Connector/ODBC (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.3.12 and prior, 8.0.15 and prior
CVE-2019-1559	MySQL Server	Server: Compiling (OpenSSL)	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2018-3123	MySQL Server	Server: libmysqld	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2623	MySQL Server	Server: Options	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2018-0734	MySQL Enterprise Backup	Enterprise Backup (OpenSSL)	TLS	No	5.1	Local	High	None	None	Un- changed	High	None	None	3.12.3 and prior, 4.1.2 and prior
CVE-2019-2634	MySQL Server	Server: Replication	MySQL Protocol	No	5.1	Local	High	None	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2580	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2585	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2593	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2624	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2628	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2566	MySQL Server	Server: Audit Plug-in	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2626	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2644	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2631	MySQL Server	Server: Information Schema	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2581	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2596	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2607	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2625	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2681	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2685	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2686	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2687	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2688	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2689	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2683	MySQL Server	Server: Options	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2019-2592	MySQL Server	Server: PS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2587	MySQL Server	Server: Partition	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2635	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2584	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2589	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2606	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2620	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2627	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2019-2691	MySQL Server	Server: Security: Roles	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2636	MySQL Server	Server: Group Replication Plugin	MySQL Procotol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2614	MySQL Server	Server: Replication	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2019-2617	MySQL Server	Server: Replication	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2630	MySQL Server	Server: Replication	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-1559	MySQL Enterprise Monitor	Monitoring: General (OpenSSL)	None	No	0.0	Local	Low	None	None	Un- changed	None	None	None	4.0.8 and prior, 8.0.14 and prior	See Note 1

Notes:

MySQL Enterprise Monitor is not vulnerable to this CVE because it does not use the SSL/TLS functionality included in OpenSSL. The CVSS v3.0 Base Score for this CVE in the National Vulnerability Database (NVD) is 5.9.

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-5407.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 12 new security fixes for Oracle PeopleSoft Products. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2598	PeopleSoft Enterprise PeopleTools	SQR	HTTP	No	8.7	Network	Low	High	None	Changed	High	High	None	8.55, 8.56, 8.57
CVE-2019-2590	PeopleSoft Enterprise HCM Talent Acquisition Manager	Job Opening	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	9.2
CVE-2018-1000180	PeopleSoft Enterprise PeopleTools	Security (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.55, 8.56, 8.57
CVE-2019-2594	PeopleSoft Enterprise PT PeopleTools	Application Server	HTTP	No	6.8	Network	High	Low	None	Un- changed	High	High	None	8.55, 8.56, 8.57
CVE-2019-2707	PeopleSoft Enterprise ELM Enterprise Learning Management	Application Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2591	PeopleSoft Enterprise HRMS	Candidate Gateway	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2637	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2018-0734	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.55, 8.56, 8.57
CVE-2019-2597	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2700	PeopleSoft Enterprise ELM	Enterprise Learning Mgmt	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	9.2
CVE-2019-2573	PeopleSoft Enterprise PeopleTools	Fluid Homepage & Navigation	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	8.56, 8.57
CVE-2019-2586	PeopleSoft Enterprise PT PeopleTools	RemoteCall	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.55, 8.56, 8.57

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 24 new security fixes for Oracle Retail Applications. 20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2014-9515	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations (Dozer)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.0, 17.0
CVE-2019-3772	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.0, 17.0, 18.0
CVE-2016-1000031	Oracle Retail Order Broker	System Administration (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.1, 5.2, 15.0, 16.0
CVE-2017-5533	Oracle Retail Order Broker	System Administration (Jasper)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0
CVE-2018-19362	Oracle Retail Workforce Management Software	Framework (jQuery)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.60.9.0.0
CVE-2016-1000031	Oracle Retail Xstore Point of Service	Xenvironment (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.0, 7.1
CVE-2018-3314	MICROS Relate CRM Software	Customer	HTTP	No	8.2	Network	High	Low	None	Changed	High	High	None	11.4
CVE-2018-12023	Oracle Retail Merchandising System	Documentation (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	15.0
CVE-2018-14718	Oracle Retail Merchandising System	Documentation (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2018-3120	MICROS Lucas	Security	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	2.9.5.6, 2.9.5.7
CVE-2018-2880	MICROS Retail-J	Back Office	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.2
CVE-2018-15756	Oracle Retail Invoice Matching	Security (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.0, 13.0, 13.1, 13.2, 14.0, 14.1
CVE-2018-15756	Oracle Retail Order Broker	System Administration (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	5.1, 5.2, 15.0, 16.0
CVE-2018-11763	Oracle Retail Xstore Point of Service	Point of Sale (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.0, 7.1
CVE-2018-11763	Oracle Retail Xstore Point of Service	Xstore Office (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.0, 7.1
CVE-2018-1000180	Oracle Retail Xstore Point of Service	Xenvironment (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	7.0, 7.1
CVE-2019-2424	Oracle Retail Convenience Store Back Office	Level 3 Maintenance Functions	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	3.6
CVE-2019-2558	Oracle Retail Point-of-Service	Infrastructure	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	13.4, 14.0, 14.1
CVE-2018-1305	MICROS Relate CRM Software	Internal Operations (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	11.4
CVE-2015-9251	Oracle Retail Allocation	General (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0.2
CVE-2015-9251	Oracle Retail Invoice Matching	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0
CVE-2018-3312	Oracle Retail Customer Engagement	Segment	HTTP	No	5.5	Network	High	High	None	Un- changed	Low	High	Low	16.0, 17.0
CVE-2018-11784	Oracle Retail Order Broker	System Administration (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	5.1, 5.2, 15.0
CVE-2018-11784	Oracle Retail Order Broker	Upgrade Install (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	5.1, 5.2, 15.0

Additional CVEs addressed are below:

The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
The fix for CVE-2018-11784 also addresses CVE-2018-8034.
The fix for CVE-2018-12023 also addresses CVE-2018-12022.
The fix for CVE-2018-1305 also addresses CVE-2018-11784 and CVE-2018-1304.
The fix for CVE-2018-14718 also addresses CVE-2018-14719, CVE-2018-14720, CVE-2018-14721 and CVE-2018-19362.
The fix for CVE-2018-19362 also addresses CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361 and CVE-2018-7489.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 8 new security fixes for Oracle Siebel CRM. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)							Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Supported Versions Affected	Notes	Integrity	Availability
CVE-2014-0114	Oracle Knowledge	Information Manager Console (Apache Commons BeanUtils)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2016-1000031	Oracle Knowledge	Information Manager Console (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2016-2141	Oracle Knowledge	Information Manager Console (JGroups)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2015-1832	Oracle Knowledge	Information Manager Console (Apache Derby)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2016-0635	Oracle Knowledge	AnswerFlow (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.5.1.0 – 8.5.1.7, 8.6.0
CVE-2014-0107	Oracle Knowledge	Information Manager Console (Apache Xalan)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2019-2719	Oracle Knowledge	Web Applications (InfoCenter)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2019-2570	Siebel Core – Server BizLogic Script	Integration – Scripting	HTTP	No	4.7	Network	Low	High	None	Un- changed	Low	Low	Low	19.3

Additional CVEs addressed are below:

The fix for CVE-2014-0114 also addresses CVE-2016-1000031 and CVE-2016-3092.
The fix for CVE-2015-1832 also addresses CVE-2016-2141.
The fix for CVE-2016-1000031 also addresses CVE-2016-3092.
The fix for CVE-2016-2141 also addresses CVE-2015-1832.

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 3 new security fixes for the Oracle Sun Systems Products Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2704	Oracle Solaris	IPS Package Manager	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11
CVE-2018-20685	Oracle Solaris	SunSSH	SSH	Yes	5.3	Network	High	None	Required	Un- changed	None	High	None	10
CVE-2019-2577	Oracle Solaris	File Locking Services	None	No	3.3	Local	Low	Low	None	Un- changed	None	None	Low	11

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 5 new security fixes for the Oracle Supply Chain Products Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	Agile Recipe Management for Pharmaceuticals	Recipe (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.4
CVE-2016-1000031	Oracle Agile PLM	Application Server (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.4, 9.3.5
CVE-2019-2567	Oracle Configurator	Active Model Generation	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1, 12.2
CVE-2019-2709	Oracle Transportation Management	Security	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.3.7, 6.4.2, 6.4.3
CVE-2019-2575	Oracle AutoVue 3D Professional Advanced	Format Handling – 2D	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	21.0.0, 21.0.1

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Support Tools. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2015-9251	OSS Support Tools	Remote Diagnostic Agent (jQuery)	Multiple	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	19.1

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 6 new security fixes for Oracle Utilities Applications. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2017-14952	Oracle Utilities Framework	Common (icu4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.2.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.2.0, 4.3.0.3.0, 4.3.0.4.0, 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0
CVE-2018-8088	Oracle Utilities Framework	Common (slf4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.2.0.2.0, 4.2.0.3.0, 4.3.0.2.0, 4.3.0.3.0, 4.3.0.4.0, 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0
CVE-2016-1000031	Oracle Utilities Framework	User Interface (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.2.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.2.0, 4.3.0.3.0, 4.3.0.4.0, 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0
CVE-2018-1258	Oracle Utilities Network Management System	Web Gateway client (Spring Framework)	T3	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	1.12.0.3
CVE-2015-9251	Oracle Real-Time Scheduler	Mobile Platform (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.3.0
CVE-2015-9251	Oracle Utilities Mobile Workforce Management	Mobile Platform (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.3.0

Additional CVEs addressed are below:

The fix for CVE-2017-14952 also addresses CVE-2014-7923, CVE-2014-7926, CVE-2014-7940, CVE-2014-8146, CVE-2014-8147, CVE-2014-9654, CVE-2014-9911, CVE-2015-5922, CVE-2016-6293, CVE-2016-7415, CVE-2017-17484, CVE-2017-7867 and CVE-2017-7868.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 15 new security fixes for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-3822	Oracle Secure Global Desktop	Core (curl)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.4
CVE-2019-2656	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2680	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2696	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2703	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2721	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2722	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2723	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2657	Oracle VM VirtualBox	Core	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2690	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2679	Oracle VM VirtualBox	Core	None	No	7.3	Local	Low	Low	None	Changed	Low	None	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2678	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2574	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.28, prior to 6.0.6
CVE-2019-1559	Oracle Secure Global Desktop	Core (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.4
CVE-2018-11784	Oracle Secure Global Desktop	Application Server (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	5.4

Additional CVEs addressed are below:

The fix for CVE-2018-11784 also addresses CVE-2018-8034.
The fix for CVE-2019-1559 also addresses CVE-2018-0734, CVE-2018-0735 and CVE-2018-5407.
The fix for CVE-2019-3822 also addresses CVE-2018-16890 and CVE-2019-3823.

No Related Posts

Oracle Critical Patch Update Advisory – January 2019

January 14, 2019January 19, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – January 2019

Description

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

This Critical Patch Update contains 284 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at January 2019 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Affected Products and Versions	Patch Availability Document
Enterprise Manager Base Platform, versions 12.1.0.5, 13.2, 13.3	Enterprise Manager
Enterprise Manager for Virtualization, versions 13.2.2, 13.2.3, 13.3.1	Enterprise Manager
Enterprise Manager Ops Center, versions 12.2.2, 12.3.3	Enterprise Manager
Hyperion BI+, version 11.1.2.4	Fusion Middleware
Java Advanced Management Console, version 2.12	Java SE
JD Edwards EnterpriseOne Tools, version 9.2	JD Edwards
JD Edwards World Security, versions A9.3, A9.3.1, A9.4	JD Edwards
MySQL Connectors, versions 2.1.8 and prior, 8.0.13 and prior	MySQL
MySQL Enterprise Monitor, versions 4.0.7 and prior, 8.0.13 and prior	MySQL
MySQL Server, versions 5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior	MySQL
MySQL Workbench, versions 8.0.13 and prior	MySQL
Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1	Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6	Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, versions 6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0, 6.2.3.1	Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0	Fusion Middleware
Oracle Application Testing Suite, versions 12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1	Enterprise Manager
Oracle Argus Safety, versions 8.1, 8.2	Health Sciences
Oracle Banking Platform, versions 2.5.0, 2.6.0, 2.6.1, 2.6.2	Oracle Banking Platform
Oracle Business Process Management Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle Communications Billing and Revenue Management, versions 7.5, 12.0	Oracle Communications Billing and Revenue Management
Oracle Communications Converged Application Server, versions prior to 7.0.0.1	Oracle Communications Converged Application Server
Oracle Communications Converged Application Server – Service Controller, version 6.1	Oracle Communications Converged Application Server – Service Controller
Oracle Communications Diameter Signaling Router (DSR), versions prior to 8.3	Oracle Communications Diameter Signaling Router
Oracle Communications Online Mediation Controller, version 6.1	Oracle Communications Online Mediation Controller
Oracle Communications Performance Intelligence Center (PIC) Software, versions prior to 10.2.1	Oracle Communications Performance Intelligence Center (PIC) Software
Oracle Communications Policy Management, versions prior to 12.5	Oracle Communications Policy Management
Oracle Communications Service Broker, version 6.0	Oracle Communications Service Broker
Oracle Communications Services Gatekeeper, versions prior to 6.1.0.4.0	Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions SCz7.4.0, SCz7.4.1, SCz8.0.0, SCz8.1.0	Oracle Communications Session Border Controller
Oracle Communications Unified Inventory Management, versions prior to 7.4.0	Oracle Communications Unified Inventory Management
Oracle Communications Unified Session Manager, version SCz7.3.5	Oracle Communications Unified Session Manager
Oracle Communications WebRTC Session Controller, versions prior to 7.2	Oracle Communications WebRTC Session Controller
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c	Database
Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8	E-Business Suite
Oracle Endeca Server, version 7.7.0	Fusion Middleware
Oracle Enterprise Communications Broker, versions PCz2.1, PCz2.2, PCz3.0	Oracle Enterprise Communications Broker
Oracle Enterprise Repository, version 12.1.3.0.0	Fusion Middleware
Oracle Enterprise Session Border Controller, versions ECz7.4.0, ECz7.5.0, ECz8.0.0, ECz8.1.0	Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3, 7.3.5, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7	Oracle Financial Services Analytical Applications Infrastructure
Oracle FLEXCUBE Direct Banking, version 12.0.2	Oracle Financial Services Applications
Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0	Oracle Financial Services Applications
Oracle Fusion Middleware MapViewer, version 12.2.1.3.0	Fusion Middleware
Oracle GoldenGate Application Adapters, version 12.3.2.1.1	Fusion Middleware
Oracle Health Sciences Information Manager, version 3.0	Health Sciences
Oracle Healthcare Foundation, versions 7.1, 7.2	Health Sciences
Oracle Healthcare Master Person Index, versions 3.0, 4.0	Health Sciences
Oracle Hospitality Cruise Fleet Management, version 9.0.10	Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Cruise Shipboard Property Management System, version 8.0.8	Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality Reporting and Analytics, version 9.1.0	Oracle Hospitality Reporting and Analytics
Oracle Hospitality Simphony, version 2.10	Oracle Hospitality Simphony
Oracle HTTP Server, version 12.2.1.3	Fusion Middleware
Oracle Insurance Calculation Engine, version 10.2	Oracle Insurance Applications
Oracle Insurance Insbridge Rating and Underwriting, versions 5.2, 5.4, 5.5	Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, versions 10.0, 10.2	Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 10.0, 10.2	Oracle Insurance Applications
Oracle Java SE, versions 7u201, 8u192, 11.0.1	Java SE
Oracle Java SE Embedded, version 8u191	Java SE
Oracle Managed File Transfer, versions 12.2.1.3.0, 19.1.0.0.0	Fusion Middleware
Oracle Outside In Technology, versions 8.5.3, 8.5.4	Fusion Middleware
Oracle Reports Developer, version 12.2.1.3	Fusion Middleware
Oracle Retail Back Office, versions 13.3, 13.4, 14.0, 14.1	Retail Applications
Oracle Retail Central Office, versions 13.3, 13.4, 14.0, 14.1	Retail Applications
Oracle Retail Convenience and Fuel POS Software, version 2.8.1	Retail Applications
Oracle Retail Customer Insights, versions 15.0, 16.0	Retail Applications
Oracle Retail Integration Bus, version 17.0	Retail Applications
Oracle Retail Merchandising System, version 14.1	Retail Applications
Oracle Retail Returns Management, versions 13.3, 13.4, 14.0, 14.1	Retail Applications
Oracle Retail Sales Audit, version 15.0	Retail Applications
Oracle Retail Service Backbone, versions 13.1, 13.2, 14.0, 14.1, 15.0, 16.0	Retail Applications
Oracle Retail Workforce Management Software, versions 1.60.9, 1.64.0	Retail Applications
Oracle Retail Xstore Payment, version 3.3	Retail Applications
Oracle Secure Global Desktop (SGD), version 5.4	Virtualization
Oracle Service Architecture Leveraging Tuxedo, versions 12.1.3.0.0, 12.2.2.0.0	Fusion Middleware
Oracle SOA Suite, versions 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle Solaris, versions 10, 11	Systems
Oracle Transportation Management, versions 6.3.7, 6.4.1, 6.4.2, 6.4.3	Oracle Supply Chain Products
Oracle Utilities Framework, version 4.3.0.1-4.3.0.4	Oracle Utilities Applications
Oracle Utilities Network Management System, versions 1.12.0.3, 2.3.0.0, 2.3.0.1, 2.3.0.2	Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.2.26, prior to 6.0.4	Virtualization
Oracle Web Cache, version 11.1.1.9.0	Fusion Middleware
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0	Fusion Middleware
Oracle WebCenter Sites, version 11.1.1.8.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.3	Fusion Middleware
OSS Support Tools, versions prior to 19.1	Support Tools
PeopleSoft Enterprise CC Common Application Objects, version 9.2	PeopleSoft
PeopleSoft Enterprise CS Campus Community, versions 9.0, 9.2	PeopleSoft
PeopleSoft Enterprise HCM eProfile Manager Desktop, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57	PeopleSoft
PeopleSoft Enterprise SCM eProcurement, version 9.2	PeopleSoft
Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.1-17.12, 18.8	Oracle Construction and Engineering Suite
Siebel Applications, versions 18.10, 18.11	Siebel
Sun ZFS Storage Appliance Kit (AK), versions prior to 8.8.2	Systems
Tape Library ACSLS, version 8.4	Systems

Note:

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

An Example working with Trend Micro Zero Day Initiative: CVE-2019-2554
Andrej Simko of Accenture: CVE-2019-2497
Andrej Simko of Accenture working with iDefense Labs: CVE-2019-2400, CVE-2019-2445, CVE-2019-2447, CVE-2019-2470, CVE-2019-2485, CVE-2019-2491, CVE-2019-2492, CVE-2019-2496, CVE-2019-2497
Andres Georgieff of Sandia National Laboratories: CVE-2019-2419, CVE-2019-2439
Anonymous Researcher: CVE-2019-2511
Anonymous researcher working with Trend Micro’s Zero Day Initiative: CVE-2019-2524, CVE-2019-2525, CVE-2019-2526
Behzad Najjarpour Jabbari, Secunia Research at Flexera Software: CVE-2016-9389, CVE-2016-9583, CVE-2017-14229, CVE-2019-2456, CVE-2019-2457, CVE-2019-2458, CVE-2019-2459, CVE-2019-2460, CVE-2019-2461, CVE-2019-2462, CVE-2019-2463, CVE-2019-2464, CVE-2019-2465, CVE-2019-2466, CVE-2019-2467, CVE-2019-2468, CVE-2019-2469
Bui Thanh of Aalto University: CVE-2019-2503
cPanel Security Team: CVE-2019-2537
Daniel Kalinowski of LLama’s Bytes: CVE-2019-2398
Deapesh Misra of iDefense, Accenture: CVE-2019-2496
E. Anonymous working with Trend Micro Zero Day Initiative: CVE-2019-2450
Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2019-2444
YongTao Wang & Sai Cheng of Qihoo360 PegasusTeam: CVE-2019-2426
Ex Allocate Pool With Tag working with Trend Micro Zero Day Initiative: CVE-2019-2451
Exhibit A working with Trend Micro Zero Day Initiative: CVE-2019-2555
Guillaume Teissier of Orange CERT-CC: CVE-2019-2399
Huy Ngo (Viettel Cyber Security) working with Trend Micro’s Zero Day Initiative: CVE-2019-2520, CVE-2019-2521, CVE-2019-2522, CVE-2019-2523
Huy Ngo of Viettel Cyber Security: CVE-2019-2509
Ionel Cristinel Anichitei of Bit Defender: CVE-2019-2508
Jason Matthyser of MWR Labs working with Trend Micro Zero Day Initiative: CVE-2019-2548
Jayson Grace of Sandia National Laboratories: CVE-2019-2419, CVE-2019-2423
Jonathan Jacobi: CVE-2019-2556
Kamlapati Choubey of Trend Micro’s Zero Day Initiative: CVE-2018-3147
Karl Henselin: CVE-2019-2538
Kasper Leigh Haabb, Secunia Research at Flexera: CVE-2016-9389, CVE-2016-9392, CVE-2017-13745, CVE-2019-2472, CVE-2019-2473, CVE-2019-2474, CVE-2019-2475, CVE-2019-2476, CVE-2019-2477, CVE-2019-2478, CVE-2019-2479, CVE-2019-2480
Krzysztof Wrobel: CVE-2019-2439
Lukasz Mikula: CVE-2019-2427
Maciej Grabiec: CVE-2019-2414
Marcin Wołoszyn of ING Services Polska: CVE-2019-2415
Marios Gyftos: CVE-2019-2430, CVE-2019-2431, CVE-2019-2432
Mark Haase: CVE-2019-2413
Martin Doyhenard of Onapsis: CVE-2019-2546
Michal Bazyli: CVE-2019-2414
Mohamed M. Fouad of SecureMisr: CVE-2019-2413
Mohamed Sayed of SecureMisr: CVE-2019-2453
Mohamed Yusuf of SecureMisr: CVE-2019-2549, CVE-2019-2550
Niklas Baumstark working with Trend Micro’s Zero Day Initiative: CVE-2019-2446, CVE-2019-2448, CVE-2019-2525
Philippe Arteau of GoSecure: CVE-2019-2438
Piotr Madej of ING Tech Poland: CVE-2019-2395
Quang Nguyen of Viettel Cyber Security: CVE-2019-2509
rack911labs.com: CVE-2019-2537
Rajesh Tv: CVE-2019-2396
Reno Robert: CVE-2019-2552, CVE-2019-2553
rgod of 9sg Security Team working with Trend Micro’s Zero Day Initiative: CVE-2019-2449
Root Object working with Trend Micro’s Zero Day Initiative: CVE-2019-2500, CVE-2019-2501, CVE-2019-2504, CVE-2019-2505, CVE-2019-2506
Saif ElSherei of Microsoft Corp: CVE-2019-2429
Stamatis Kapiris: CVE-2019-2430, CVE-2019-2431, CVE-2019-2432
Steven Seeley of Source Incite working with iDefense: CVE-2018-3304, CVE-2018-3305
Zhiyi Zhang of 360 ESG Codesafe Team: CVE-2019-2398, CVE-2019-2452
Zhouyuan Yang of Fortinet’s FortiGuard Labs: CVE-2019-2527

Security-In-Depth Contributors

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

Amardeep Chana of MWR InfoSecurity
George R of Advanced Information Security Corporation
Jarrod Farncomb of TSS
Lukasz Rupala
Maksymilian Arciemowicz
Martin Balao of Red Hat
Michael Weissbacher of Northeastern University
Zhiyi Zhang of 360 ESG Codesafe Team

On-Line Presence Security Contributors

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

Abhishek Misal
Abu
Arun Mishra
Ben Murray
Markus Pieton of Code White
Mohit Kumar
Nicolas Santiago Miguez of Deloitte Risk Advisory Pty Ltd
Niraj Gautam of Light Pay Coin
nullx0c0de
Osman Ahmed Hassan
Ranjeet Jaiswal
Sarapremashish Butola
Seth Duda
Shoeb Patel (CaptainFreak)
Srinivas M

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

16 April 2019
16 July 2019
15 October 2019
14 January 2020

References

Modification History

Date	Note
2019-April-18	Rev 6. Updated CVSS score for CVE-2019-2546.
2019-April-16	Rev 5. Updated credit entry for CVE-2018-3304 and CVE-2018-3305.
2019-March-12	Rev 4. Updated credit entry for CVE-2019-2438, CVE-2019-2439 and CVE-2019-2546.
2019-February-01	Rev 3. Updated credit entry for CVE-2019-2426.
2019-January-30	Rev 2. Updated affected versions of CVE-2019-2527 for Oracle Virtualization.
2019-January-15	Rev 1. Initial Release.

Oracle Database Server Risk Matrix

This Critical Patch Update contains 3 new security fixes for the Oracle Database Server. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2444	Core RDBMS	Local Logon	Local Logon	No	8.2	Local	Low	Low	Required	Changed	High	High	High	12.2.0.1, 18c
CVE-2019-2406	Core RDBMS	Create Session, Execute Catalog Role	Oracle Net	No	7.2	Network	Low	High	None	Un- changed	High	High	High	12.1.0.2, 12.2.0.1, 18c
CVE-2019-2547	Java VM	Create Session, Create Procedure	Multiple	No	3.5	Network	Low	Low	Required	Un- changed	None	None	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 33 new security fixes for Oracle Communications Applications. 29 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Communications Converged Application Server – Service Controller	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1
CVE-2016-1000031	Oracle Communications Diameter Signaling Router (DSR)	Security (Apache Commons Fileupload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	prior to 8.3
CVE-2017-5645	Oracle Communications Online Mediation Controller	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1
CVE-2018-11776	Oracle Communications Policy Management	Security (Apache Struts 2)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	prior to 12.5
CVE-2017-5645	Oracle Communications Service Broker	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0
CVE-2016-1000031	Oracle Communications Services Gatekeeper	Security (Apache Commons Collections Fileupload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	prior to 6.1.0.4.0
CVE-2018-9206	Oracle Communications Services Gatekeeper	Security (jQuery)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	prior to 6.1.0.4.0
CVE-2017-5645	Oracle Communications WebRTC Session Controller	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	prior to 7.2
CVE-2016-6814	Oracle Communications Unified Inventory Management	Security (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	prior to 7.4.0
CVE-2016-0635	Oracle Communications Converged Application Server	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	prior to 7.0.0.1
CVE-2018-1258	Oracle Communications Diameter Signaling Router (DSR)	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	prior to 8.3
CVE-2018-1258	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	prior to 10.2.1
CVE-2018-1258	Oracle Communications Services Gatekeeper	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	prior to 6.1.0.4.0
CVE-2018-14718	Oracle Communications Billing and Revenue Management	Billing Operations Center, Billing Care (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	7.5, 12.0
CVE-2016-1181	Oracle Communications Converged Application Server	Security (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	prior to 7.0.0.1
CVE-2017-15095	Oracle Communications Diameter Signaling Router (DSR)	Security (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	prior to 8.3
CVE-2016-1181	Oracle Communications WebRTC Session Controller	Security (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	prior to 7.2
CVE-2018-1000180	Oracle Communications Converged Application Server	Security (Bouncy Castle)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	prior to 7.0.0.1
CVE-2017-9798	Oracle Communications Diameter Signaling Router (DSR)	Security (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	prior to 8.3
CVE-2018-5390	Oracle Communications Session Border Controller	Security (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	SCz7.4.0, SCz7.4.1, SCz8.0.0, SCz8.1.0
CVE-2018-1000180	Oracle Communications WebRTC Session Controller	Security (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	prior to 7.2
CVE-2018-1000300	Oracle Communications WebRTC Session Controller	Security (cURL)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	prior to 7.2
CVE-2017-0379	Oracle Communications WebRTC Session Controller	Security (libgcrypt)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	prior to 7.2
CVE-2018-8013	Oracle Communications Diameter Signaling Router (DSR)	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	prior to 8.3
CVE-2018-8013	Oracle Communications WebRTC Session Controller	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	prior to 7.2
CVE-2019-2399	Oracle Communications Diameter Signaling Router (DSR)	Security	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	prior to 8.3
CVE-2015-9251	Oracle Communications Converged Application Server	Security (JQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	prior to 7.0.0.1
CVE-2015-9251	Oracle Communications WebRTC Session Controller	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	prior to 7.2
CVE-2018-0732	Oracle Communications Session Border Controller	Security (OpenSSL)	TLS	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	SCz7.4.0, SCz7.4.1, SCz8.0.0, SCz8.1.0
CVE-2018-0732	Oracle Communications Unified Session Manager	Security (OpenSSL)	TLS	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	SCz7.3.5
CVE-2018-0732	Oracle Communications WebRTC Session Controller	Security (OpenSSL)	TLS	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	prior to 7.2
CVE-2018-0732	Oracle Enterprise Communications Broker	Security (OpenSSL)	TLS	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	PCz2.1, PCz2.2, PCz3.0
CVE-2018-0732	Oracle Enterprise Session Border Controller	Security (OpenSSL)	TLS	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	ECz7.4.0, ECz7.5.0, ECz8.0.0, ECz8.1.0

Additional CVEs addressed are below:

The fix for CVE-2016-0635 also addresses CVE-2018-1258.
The fix for CVE-2016-1181 also addresses CVE-2014-0114 and CVE-2016-1182.
The fix for CVE-2017-0379 also addresses CVE-2017-9526.
The fix for CVE-2017-15095 also addresses CVE-2017-7525.
The fix for CVE-2018-0732 also addresses CVE-2017-3735, CVE-2017-3736, CVE-2017-3738, CVE-2018-0733, CVE-2018-0737 and CVE-2018-0739.
The fix for CVE-2018-1000180 also addresses CVE-2015-7940 and CVE-2018-1000613.
The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.
The fix for CVE-2018-11776 also addresses CVE-2016-1000031.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.
The fix for CVE-2018-14718 also addresses CVE-2017-15095, CVE-2017-7525, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721 and CVE-2018-7489.
The fix for CVE-2018-5390 also addresses CVE-2018-6922.
The fix for CVE-2018-9206 also addresses CVE-2015-9251.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 4 new security fixes for the Oracle Construction and Engineering Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-9206	Primavera Unifier	Core (jQuery FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.1-17.12, 18.8
CVE-2018-14718	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	16.1, 16.2, 17.1-17.12, 18.8
CVE-2018-0732	Primavera P6 Enterprise Project Portfolio Management	Project Manager (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
CVE-2019-2512	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	4.7	Network	High	None	Required	Changed	Low	Low	None	8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.
The fix for CVE-2018-14718 also addresses CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 16 new security fixes for the Oracle E-Business Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the January 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (January 2019), My Oracle Support Note 2480398.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2489	Oracle One-to-One Fulfillment	OCM Query	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2453	Oracle Performance Management	Performance Management Plan	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1, 12.1.2, 12.1.3
CVE-2019-2445	Oracle Content Manager	Cover Letter	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2497	Oracle CRM Technical Foundation	Messages	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2400	Oracle iStore	User Registration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2440	Oracle Marketing	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2498	Oracle Partner Management	Partner Dash board	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2447	Oracle Partner Management	Partner Detail	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2470	Oracle Partner Management	Partner Detail	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2546	Oracle Applications Manager	SQL Extensions	HTTP	Yes	8.1	Network	Low	None	Required	Un- changed	None	High	High	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2488	Oracle CRM Technical Foundation	Session Management	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2396	Oracle CRM Technical Foundation	Messages	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2496	Oracle CRM Technical Foundation	Messages	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2491	Oracle Email Center	Message Display	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2492	Oracle Email Center	Message Display	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2485	Oracle Mobile Field Service	Administration	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 11 new security fixes for the Oracle Enterprise Manager Products Suite. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the January 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2466391.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-4000	Enterprise Manager Base Platform	Agent Next Gen (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.0, 13.3.0
CVE-2018-1258	Oracle Application Testing Suite	Load Testing for Web Apps (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2018-12023	Enterprise Manager for Virtualization	Plug-In Lifecycle (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	13.2.2, 13.2.3, 13.3.1
CVE-2018-14718	Enterprise Manager for Virtualization	Plug-In Lifecycle (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	13.2.2, 13.2.3, 13.3.1
CVE-2018-0732	Enterprise Manager Base Platform	Discovery Framework (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.0.5, 13.2.0, 13.3.0
CVE-2018-1000300	Enterprise Manager Ops Center	Networking (cURL)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.2.2, 12.3.3
CVE-2018-0732	Enterprise Manager Ops Center	Networking (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.2, 12.3.3
CVE-2018-3303	Enterprise Manager Base Platform	EM Console	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	13.2, 13.3
CVE-2018-3304	Oracle Application Testing Suite	Load Testing for Web Apps	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2018-3305	Oracle Application Testing Suite	Load Testing for Web Apps	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2015-9251	Enterprise Manager Ops Center	Networking (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.2, 12.3.3

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.
The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.
The fix for CVE-2018-12023 also addresses CVE-2018-11307, CVE-2018-12022 and CVE-2018-14718.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-14718 also addresses CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 9 new security fixes for Oracle Financial Services Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-4000	Oracle Banking Platform	Patching (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.6.0, 2.6.1, 2.6.2
CVE-2016-1000031	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.3, 7.3.5, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7
CVE-2017-5645	Oracle FLEXCUBE Investor Servicing	Infrastructure (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0
CVE-2018-14718	Oracle Banking Platform	Infrastructure (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.5.0, 2.6.0, 2.6.1, 2.6.2
CVE-2018-14718	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7
CVE-2018-1000632	Oracle FLEXCUBE Investor Servicing	Infrastructure (dom4j)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0
CVE-2017-14735	Oracle Banking Platform	Infrastructure (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.5.0, 2.6.0, 2.6.1
CVE-2019-2549	Oracle FLEXCUBE Direct Banking	Logoff Page	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.0.2
CVE-2019-2550	Oracle FLEXCUBE Direct Banking	Logoff Page	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	12.0.2

Additional CVEs addressed are below:

The fix for CVE-2018-14718 also addresses CVE-2018-12023, CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 6 new security fixes for Oracle Food and Beverage Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2401	Oracle Hospitality Reporting and Analytics	Admin	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.1.0
CVE-2019-2402	Oracle Hospitality Simphony	Client Application Loader	HTTP	Yes	7.7	Network	High	None	None	Un- changed	High	High	Low	2.10
CVE-2019-2425	Oracle Hospitality Reporting and Analytics	Report	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	9.1.0
CVE-2019-2403	Oracle Hospitality Simphony	Enterprise Management Console	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	2.10
CVE-2019-2407	Oracle Hospitality Reporting and Analytics	Report	None	No	6.1	Local	Low	Low	None	Un- changed	High	Low	None	9.1.0
CVE-2019-2397	Oracle Hospitality Reporting and Analytics	Report	None	No	4.4	Local	Low	Low	None	Un- changed	Low	Low	None	9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 62 new security fixes for Oracle Fusion Middleware. 57 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the January 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2466391.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Fusion Middleware MapViewer	Install (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2017-5645	Oracle GoldenGate Application Adapters	Application Adapters (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.2.1.1
CVE-2018-1275	Oracle Service Architecture Leveraging Tuxedo	Internal Operations (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.2.0.0
CVE-2017-5645	Oracle SOA Suite	Installation & Templates (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.1.3.0
CVE-2015-1832	Oracle WebLogic Server	Third Party Tools (Apache Derby)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	12.2.1.3
CVE-2018-14718	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2019-2414	Oracle HTTP Server	Web Listener	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	12.2.1.3
CVE-2018-0732	Oracle API Gateway	Oracle API Gateway (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	11.1.2.4.0
CVE-2018-1000180	Oracle Business Process Management Suite	Runtime Engine (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-0732	Oracle Endeca Server	Third Party (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.7.0
CVE-2018-1000180	Oracle Enterprise Repository	Security Subsystem – 12c (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0
CVE-2019-2467	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2468	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2473	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2474	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2475	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2476	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2477	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2479	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3	See Note 1
CVE-2017-13745	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3	See Note 1
CVE-2016-9392	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3	See Note 1
CVE-2018-1000180	Oracle WebCenter Portal	Security Framework (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.1.9.0, 12.2.1.3.0
CVE-2018-1000180	Oracle WebLogic Server	WLS Core Components (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3
CVE-2019-2462	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2538	Oracle Managed File Transfer	MFT Runtime Server	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	19.1.0.0.0, 12.2.1.3.0
CVE-2019-2429	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2438	Oracle Web Cache	ESI/Partial Page Caching	HTTP	Yes	6.9	Network	High	None	Required	Changed	High	Low	None	11.1.1.9.0
CVE-2018-11775	Oracle Enterprise Repository	Security Subsystem (Apache ActiveMQ)	HTTP	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	12.1.3.0.0
CVE-2019-2452	Oracle WebLogic Server	WLS Core Components	HTTP	No	6.7	Network	Low	High	None	Un- changed	Low	High	High	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2019-2456	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2463	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2469	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	High	None	None	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2418	Oracle WebLogic Server	WLS Core Components	T3	Yes	6.5	Network	High	None	None	Changed	Low	Low	Low	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2015-9251	Oracle Business Process Management Suite	Runtime Engine (JQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2413	Oracle Reports Developer	Valid Session	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3
CVE-2017-14735	Oracle WebCenter Sites	Third Party Tools (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.8.0
CVE-2015-9251	Oracle WebLogic Server	Sample apps (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0, 12.2.1.3
CVE-2019-2395	Oracle WebLogic Server	WLS – Web Services	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	None	Low	10.3.6.0
CVE-2019-2457	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2458	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2459	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2460	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3	See Note 1
CVE-2019-2461	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2464	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3, 8.5.4	See Note 1
CVE-2019-2465	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3, 8.5.4	See Note 1
CVE-2019-2466	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3, 8.5.4	See Note 1
CVE-2019-2472	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2478	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2480	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3	See Note 1
CVE-2016-9583	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3	See Note 1
CVE-2016-9392	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3	See Note 1
CVE-2019-2427	Oracle WebCenter Portal	WebCenter Spaces Application	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	11.1.1.9.0, 12.2.1.3.0
CVE-2019-2441	Oracle WebLogic Server	Application Container – JavaEE	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.2.1.3
CVE-2018-3147	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	8.5.3, 8.5.4	See Note 1
CVE-2019-2398	Oracle WebLogic Server	WLS – Deployment	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2017-14229	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	3.1	Network	High	None	Required	Un- changed	None	None	Low	8.5.3	See Note 1

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The fix for CVE-2015-1832 also addresses CVE-2018-1313.
The fix for CVE-2016-9392 also addresses CVE-2016-9389.
The fix for CVE-2018-0732 also addresses CVE-2018-0737.
The fix for CVE-2018-1000180 also addresses CVE-2018-1000613 and CVE-2018-3246.
The fix for CVE-2018-1275 also addresses CVE-2018-1258, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
The fix for CVE-2018-14718 also addresses CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 6 new security fixes for Oracle Health Sciences Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-1258	Oracle Health Sciences Information Manager	Health Policy Engine (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.0
CVE-2018-1258	Oracle Healthcare Master Person Index	Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.0, 4.0
CVE-2019-2430	Oracle Argus Safety	Console	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.1, 8.2
CVE-2019-2431	Oracle Argus Safety	Console	HTTP	Yes	6.1	Network	High	None	Required	Changed	None	High	None	8.1, 8.2
CVE-2015-9251	Oracle Healthcare Foundation	Install (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.1, 7.2
CVE-2019-2432	Oracle Argus Safety	Login	HTTP	No	4.9	Network	High	Low	None	Changed	Low	Low	None	8.1, 8.2

Additional CVEs addressed are below:

The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Hospitality Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-5684	Oracle Hospitality Cruise Fleet Management	Corporate Access Module (Freeimage)	None	No	7.8	Local	Low	None	Required	Un- changed	High	High	High	9.0.10
CVE-2016-5684	Oracle Hospitality Cruise Shipboard Property Management System	SPMS Shared Libraries (Freeimage)	None	No	7.8	Local	Low	None	Required	Un- changed	High	High	High	8.0.8
CVE-2019-2411	Oracle Hospitality Cruise Shipboard Property Management System	SPMS Suite	TCP	No	7.6	Network	Low	Low	Required	Changed	None	Low	High	8.0.8
CVE-2019-2409	Oracle Hospitality Cruise Shipboard Property Management System	SPMS Suite	None	No	7.3	Local	Low	Low	Required	Changed	Low	Low	High	8.0.8
CVE-2019-2410	Oracle Hospitality Cruise Shipboard Property Management System	DGS RES Online, FMS Sender, FMS Receiver, OHC WPF Security	None	No	5.1	Local	Low	None	None	Un- changed	Low	Low	None	8.0.8

Additional CVEs addressed are below:

The fix for CVE-2016-5684 also addresses CVE-2015-0852.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Hyperion. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2415	Hyperion BI+	Foundation UI & Servlets	HTTP	No	4.3	Network	Low	High	Required	Un- changed	Low	Low	Low	11.1.2.4

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Insurance Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-1258	Oracle Insurance Calculation Engine	Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	10.2
CVE-2018-1258	Oracle Insurance Rules Palette	Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	10.0, 10.2
CVE-2018-8013	Oracle Insurance Policy Administration J2EE	User Interface (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	10.0, 10.2
CVE-2015-9251	Oracle Insurance Insbridge Rating and Underwriting	Framework (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.2, 5.4, 5.5
CVE-2017-14735	Oracle Insurance Policy Administration J2EE	Core (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.0, 10.2

Additional CVEs addressed are below:

The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.

Oracle Java SE Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2540	Java Advanced Management Console	Server	Multiple	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	Java Advanced Management Console: 2.12
CVE-2018-11212	Java SE	ImageIO (libjpeg)	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 7u201, 8u192, 11.0.1; Java SE Embedded: 8u191	See Note 1
CVE-2019-2426	Java SE	Networking	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 7u201, 8u192, 11.0.1; Java SE Embedded: 8u191	See Note 1
CVE-2019-2449	Java SE	Deployment	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	None	None	Low	Java SE: 8u192	See Note 2
CVE-2019-2422	Java SE	Libraries	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Java SE: 7u201, 8u192, 11.0.1; Java SE Embedded: 8u191	See Note 2

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle JD Edwards Products. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-8013	JD Edwards EnterpriseOne Tools	Web Runtime SEC (Apache Batik)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-0732	JD Edwards World Security	Security (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	A9.3, A9.3.1, A9.4

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2017-3738, CVE-2018-0733, CVE-2018-0737 and CVE-2018-0739.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 30 new security fixes for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-10933	MySQL Workbench	MySQL Workbench (libssh)	MySQL Workbench	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	8.0.13 and prior
CVE-2019-2435	MySQL Connectors	Connector/Python	TLS	Yes	8.1	Network	Low	None	Required	Un- changed	High	High	None	8.0.13 and prior, 2.1.8 and prior
CVE-2018-0732	MySQL Workbench	MySQL Workbench (OpenSSL)	MySQL Workbench	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2534	MySQL Server	Server: Replication	MySQL Protocol	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2533	MySQL Server	Server : Security : Privileges	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	8.0.13 and prior
CVE-2019-2529	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2482	MySQL Server	Server: PS	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2434	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2455	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2503	MySQL Server	Server: Connection Handling	MySQL Protocol	No	6.4	Adjacent Network	High	Low	None	Un- changed	High	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2436	MySQL Server	Server: Replication	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	8.0.13 and prior
CVE-2018-0734	MySQL Server	Server: Packaging (OpenSSL)	MySQL Protocol	No	5.1	Local	High	None	None	Un- changed	High	None	None	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2536	MySQL Server	Server: Packaging	MySQL Protocol	No	5.0	Local	High	High	Required	Changed	None	None	High	8.0.13 and prior
CVE-2019-2502	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2510	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2539	MySQL Server	Server: Connection	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2494	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2495	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2537	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2420	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2481	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2507	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2530	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2528	MySQL Server	Server: Partition	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2531	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2486	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2532	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2535	MySQL Server	Server: Options	MySQL Protocol	No	4.1	Local	High	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2513	MySQL Server	Shell	None	No	2.5	Local	High	Low	Required	Changed	Low	None	None	8.0.13 and prior
CVE-2018-0732	MySQL Enterprise Monitor	Monitoring: General (OpenSSL)	None	No	0.0	Local	Low	None	None	Un- changed	None	None	None	8.0.13 and prior, 4.0.7 and prior	See Note 1

Notes:

MySQL Enterprise Monitor is not vulnerable to this CVE because it does not use the TLS functionality included in OpenSSL. The CVSS v3.0 Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.
The fix for CVE-2018-0734 also addresses CVE-2018-5407.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 20 new security fixes for Oracle PeopleSoft Products. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2416	PeopleSoft Enterprise PeopleTools	Application Server	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.55, 8.56, 8.57
CVE-2018-1000300	PeopleSoft Enterprise PeopleTools	File Processing (cURL)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	8.55, 8.56, 8.57
CVE-2019-2405	PeopleSoft Enterprise PeopleTools	Security	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	8.55, 8.56, 8.57
CVE-2018-0732	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.55, 8.56, 8.57
CVE-2019-2433	PeopleSoft Enterprise PeopleTools	XML Publisher	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.55, 8.56, 8.57
CVE-2019-2443	PeopleSoft Enterprise PeopleTools	XML Publisher	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.55, 8.56, 8.57
CVE-2019-2417	PeopleSoft Enterprise PeopleTools	Performance Monitor	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2421	PeopleSoft Enterprise HCM eProfile Manager Desktop	Guided Self Service	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2442	PeopleSoft Enterprise PeopleTools	Fluid Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2015-9251	PeopleSoft Enterprise PeopleTools	Mobile Application Platform (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2423	PeopleSoft Enterprise PeopleTools	PIA Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2499	PeopleSoft Enterprise PeopleTools	PIA Search Functionality	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2439	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2471	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2519	PeopleSoft Enterprise SCM eProcurement	Manage Requisition Status	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2419	PeopleSoft Enterprise CC Common Application Objects	Form and Approval Builder	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	9.2	See Note 1
CVE-2019-2404	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.55, 8.56, 8.57
CVE-2019-2490	PeopleSoft Enterprise PeopleTools	Panel Processor	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	8.55, 8.56, 8.57
CVE-2019-2408	PeopleSoft Enterprise PeopleTools	Feeds	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	8.55, 8.56, 8.57
CVE-2019-2493	PeopleSoft Enterprise CS Campus Community	Frameworks	HTTP	Yes	3.1	Network	High	None	Required	Un- changed	None	Low	None	9.0, 9.2

Notes:

This Enterprise Common Component is used by all PeopleSoft Application products. Please refer to the MOS Note Doc ID 2493366.1 for patch information.

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.
The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 16 new security fixes for Oracle Retail Applications. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Retail Back Office	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.3, 13.4, 14.0, 14.1
CVE-2016-1000031	Oracle Retail Central Office	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.3, 13.4, 14.0, 14.1
CVE-2016-1000031	Oracle Retail Returns Management	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.3, 13.4, 14.0, 14.1
CVE-2016-1000031	Oracle Retail Service Backbone	Install (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.1, 13.2, 14.0, 14.1, 15.0, 16.0
CVE-2017-7658	Oracle Retail Xstore Payment	Security (Jetty)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.3
CVE-2018-1258	Oracle Retail Customer Insights	Other (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	15.0, 16.0
CVE-2018-3311	Oracle Retail Xstore Payment	Security	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	3.3
CVE-2018-1000180	Oracle Retail Convenience and Fuel POS Software	Point of Sale (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	2.8.1
CVE-2018-8013	Oracle Retail Integration Bus	RIB Kernel (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	17.0
CVE-2018-3125	Oracle Retail Merchandising System	Security (SQL Logger)	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	14.1
CVE-2017-14735	Oracle Retail Back Office	Security (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.3, 13.4, 14.0, 14.1
CVE-2017-14735	Oracle Retail Central Office	Security (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.3, 13.4, 14.0, 14.1
CVE-2015-9251	Oracle Retail Customer Insights	Other (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0, 16.0
CVE-2017-14735	Oracle Retail Returns Management	Security (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.3, 13.4, 14.0, 14.1
CVE-2015-9251	Oracle Retail Sales Audit	Operational Insights (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0
CVE-2015-9251	Oracle Retail Workforce Management Software	Framework (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	1.60.9, 1.64.0

Additional CVEs addressed are below:

The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-3311 also addresses CVE-2015-4760.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Siebel CRM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-9206	Siebel UI Framework	UIF Open UI (jQuery FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	18.10, 18.11

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 11 new security fixes for the Oracle Sun Systems Products Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2017-5645	Tape Library ACSLS	Software (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.4
CVE-2018-1275	Tape Library ACSLS	Software (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.4
CVE-2016-0635	Tape Library ACSLS	Software (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.4
CVE-2019-2541	Oracle Solaris	DHCP Client	DHCP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	10
CVE-2019-2437	Oracle Solaris	Kernel	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	11
CVE-2019-2412	Sun ZFS Storage Appliance Kit (AK)	Object Store	None	No	6.4	Local	High	High	None	Un- changed	High	High	High	prior to 8.8.2
CVE-2018-3646	Oracle Solaris	Kernel	None	No	5.6	Local	High	Low	None	Changed	High	None	None	11
CVE-2018-3639	Oracle Solaris	Kernel	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	11
CVE-2019-2543	Oracle Solaris	Kernel	KSSL	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	10, 11
CVE-2019-2544	Oracle Solaris	Kernel	None	No	4.0	Local	Low	None	None	Un- changed	Low	None	None	10, 11
CVE-2019-2545	Oracle Solaris	LDoms IO	None	No	4.0	Local	Low	None	None	Un- changed	None	None	Low	10, 11

Additional CVEs addressed are below:

The fix for CVE-2018-1275 also addresses CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 5 new security fixes for the Oracle Supply Chain Products Suite. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2015-8965	Oracle Agile PLM	Gantt Chart (JViews)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2018-0732	Oracle Agile Engineering Data Management	Install (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	6.1.3, 6.2.0, 6.2.1
CVE-2019-2487	Oracle Transportation Management	UI Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	6.3.7, 6.4.1, 6.4.2, 6.4.3
CVE-2017-14735	Oracle Agile PLM	Security (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.3.4, 9.3.5
CVE-2015-9251	Oracle Agile Product Lifecycle Management for Process	Supplier Portal (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0, 6.2.3.1

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.

Oracle Support Tools Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-0732	OSS Support Tools	Services Tools Bundle (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	prior to 19.1

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Utilities Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-4000	Oracle Utilities Network Management System	System wide (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.12.0.3, 2.3.0.0, 2.3.0.1, 2.3.0.2
CVE-2015-9251	Oracle Utilities Framework	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	4.3.0.1-4.3.0.4

Additional CVEs addressed are below:

The fix for CVE-2016-4000 also addresses CVE-2018-1000180 and CVE-2018-1000613.

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 30 new security fixes for Oracle Virtualization. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2500	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2524	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2552	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2018-3309	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	prior to 5.2.22
CVE-2019-2520	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2521	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2522	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2523	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2526	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2548	Oracle VM VirtualBox	Core	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2018-11763	Oracle Secure Global Desktop (SGD)	Web Server (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	5.4
CVE-2019-2511	Oracle VM VirtualBox	Core	SOAP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2508	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2509	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2527	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	prior to 5.2.26, prior to 6.0.4
CVE-2019-2450	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2451	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2555	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2554	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2556	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2018-11784	Oracle Secure Global Desktop (SGD)	Application Server (Apache Tomcat)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.4
CVE-2018-0734	Oracle VM VirtualBox	Core (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	prior to 5.2.24, prior to 6.0.0
CVE-2019-2525	Oracle VM VirtualBox	Core	None	No	5.6	Local	High	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2446	Oracle VM VirtualBox	Core	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2448	Oracle VM VirtualBox	Core	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2501	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2504	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2505	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2506	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2553	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	prior to 5.2.24, prior to 6.0.2

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.

No Related Posts

Oracle Critical Patch Update Advisory – October 2018

October 15, 2018January 19, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – October 2018

Description

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

This Critical Patch Update contains 301 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2018 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Affected Products and Versions	Patch Availability Document
Application Management Pack for Oracle E-Business Suite, versions 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7	E-Business Suite
Enterprise Manager Base Platform, versions 12.1.0.5, 13.2	Enterprise Manager
Enterprise Manager for MySQL Database, version 13.2	Enterprise Manager
Enterprise Manager Ops Center, versions 12.2.2, 12.3.3	Enterprise Manager
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions Prior to XCP2352 and Prior to XCP3050	Systems
Hyperion BI+, version 11.1.2.4	Fusion Middleware
Hyperion Common Events, version 11.1.2.4	Fusion Middleware
Hyperion Data Relationship Management, version 11.1.2.4.345	Fusion Middleware
Hyperion Essbase Administration Services, version 11.1.2.4	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3	Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Orchestrator, version 9.2	JD Edwards
JD Edwards EnterpriseOne Tools, version 9.2	JD Edwards
MICROS Lucas, version 2.9.5	Retail Applications
MICROS PC Workstation 2015, versions Prior to BIOS 01.3.0.2i	MICROS PC Workstation
MICROS Relate CRM Software, versions 10.8, 11.4	Retail Applications
MICROS Retail-J, versions 12.1.2, 13.0.0	Retail Applications
MICROS XBRi, versions 10.5.0, 10.6.0, 10.7.0, 10.8.1, 10.8.2, 10.8.3	Retail Applications
MySQL Connectors, versions 8.0.12 and prior	MySQL
MySQL Enterprise Monitor, versions 3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior	MySQL
MySQL Server, versions 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior	MySQL
Oracle Adaptive Access Manager, versions 11.1.1.7.0, 11.1.2.3.0	Fusion Middleware
Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1	Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6	Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0	Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0	Fusion Middleware
Oracle Banking Platform, versions 2.5.0, 2.6.0, 2.6.1, 2.6.2	Oracle Banking Platform
Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Big Data Discovery, version 1.6.0	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Communications Application Session Controller, versions Prior to 3.7.1M0	Oracle Communications Application Session Controller
Oracle Communications Instant Messaging Server, versions prior to 10.0.1	Oracle Communications Instant Messaging Server
Oracle Communications Messaging Server, versions prior to 8.0.2	Oracle Communications Convergence
Oracle Communications MetaSolv Solution, version 6.3.0	Oracle Communications MetaSolv Solution
Oracle Communications Performance Intelligence Center (PIC) Software, versions prior to 10.2.1	Oracle Communications Performance Intelligence Center (PIC) Software
Oracle Communications User Data Repository, versions prior to 12.2.0	Oracle Communications User Data Repository
Oracle Configuration Manager, versions 12.1.2.0.2, 12.1.2.0.5	Enterprise Manager
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c	Database
Oracle Demantra Demand Management, versions 7.3.5, 12.2	Oracle Supply Chain Products
Oracle Directory Server Enterprise Edition, version 11.1.1.7	Fusion Middleware
Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7	E-Business Suite
Oracle Endeca Information Discovery Integrator, versions 3.1.0, 3.2.0	Fusion Middleware
Oracle Endeca Information Discovery Studio, versions 3.1.0, 3.2.0	Fusion Middleware
Oracle Endeca Server, versions 7.6.1, 7.7.0	Fusion Middleware
Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0	Fusion Middleware
Oracle Fusion Middleware MapViewer, versions 12.1.3.0, 12.2.1.3	Fusion Middleware
Oracle GlassFish Server, version 3.1.2	Fusion Middleware
Oracle GoldenGate, versions 12.1.2.1.0, 12.2.0.2.0, 12.3.0.1.0	Oracle GoldenGate
Oracle GoldenGate for Big Data, versions 12.2.0.1, 12.3.1.1, 12.3.2.1	Fusion Middleware
Oracle Healthcare Translational Research, version 3.1.0	Health Sciences
Oracle Hospitality Cruise Fleet Management, version 9.0	Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Cruise Shipboard Property Management System, version 8.0	Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality Gift and Loyalty, version 9.0, 9.1	Oracle Hospitality Gift and Loyalty
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1	Oracle Hospitality Guest Access
Oracle Hospitality Materials Control, version 18.1	Oracle Hospitality Materials Control
Oracle Hospitality Reporting and Analytics, version 9.0, 9.1	Oracle Hospitality Reporting and Analytics
Oracle HTTP Server, version 12.2.1.3	Fusion Middleware
Oracle Identity Analytics, version 11.1.1.5.8	Fusion Middleware
Oracle Identity Management Suite, versions 11.1.2.3.0, 12.2.1.3.0	Fusion Middleware
Oracle Identity Manager, versions 11.1.2.3.0, 12.2.1.3.0	Fusion Middleware
Oracle iLearning, versions 6.1, 6.2	iLearning
Oracle Insurance Calculation Engine, versions 10.1.1, 10.2.1	Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 10.0, 10.1, 10.2, 11.0, 11.1	Oracle Insurance Applications
Oracle Java SE, versions 6u201, 7u191, 8u181, 11	Java SE
Oracle Java SE Embedded, version 8u181	Java SE
Oracle JRockit, version R28.3.19	Java SE
Oracle Outside In Technology, versions 8.5.3, 8.54	Fusion Middleware
Oracle Real-Time Decision Server, version 3.2.1	Fusion Middleware
Oracle Retail Allocation, versions 15.0, 16.0	Retail Applications
Oracle Retail Assortment Planning, versions 14.1, 15.0, 16.0	Retail Applications
Oracle Retail Back Office, versions 13.3, 13.4, 14, 14.1	Retail Applications
Oracle Retail Central Office, version 14.1	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0	Retail Applications
Oracle Retail Extract Transform and Load, versions 13.0, 13.1, 13.2	Retail Applications
Oracle Retail Financial Integration, versions 13.2, 14.0, 14.1, 15.0, 16.0	Retail Applications
Oracle Retail Integration Bus, version 14.1.2	Retail Applications
Oracle Retail Invoice Matching, versions 15.0, 16.0	Retail Applications
Oracle Retail Open Commerce Platform, versions 5.3, 6.0, 6.0.1	Retail Applications
Oracle Retail Order Broker, versions 5.0, 5.1, 5.2, 15.0, 16.0	Retail Applications
Oracle Retail Point-of-Service, versions 13.4, 14.0, 14.1	Retail Applications
Oracle Retail Predictive Application Server, versions 14.0, 14.1, 15.0, 16.0	Retail Applications
Oracle Retail Returns Management, version 14.1	Retail Applications
Oracle Retail Sales Audit, versions 15.0, 16.0	Retail Applications
Oracle Retail Xstore Point of Service, versions 6.5.12, 7.0.7, 7.1.7, 15.0.2, 16.0.4, 17.0.2	Retail Applications
Oracle Service Bus, versions 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle Transportation Management, version 6.3.7	Oracle Supply Chain Products
Oracle Tuxedo, version 12.1.1.0	Fusion Middleware
Oracle Virtual Directory, versions 11.1.1.7.0, 11.1.1.9.0	Fusion Middleware
Oracle VM VirtualBox, versions prior to 5.2.20	Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0	Fusion Middleware
Oracle WebCenter Sites, versions 11.1.1.8.0, 12.2.1.3.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.3, prior to Docker 12.2.1.3.20180913	Fusion Middleware
OSS Support Tools, versions prior to 18.4	Support Tools
PeopleSoft Enterprise Interaction Hub, version 9.1.0.0	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57	PeopleSoft
Primavera Gateway, versions 15.2, 16.2, 17.12	Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.1, 15.2, 16.1, 16.2, 18.8, 17.7 – 17.12	Oracle Construction and Engineering Suite
Primavera Unifier, versions 15.1, 15.2, 16.1, 16.2, 17.1-17.12, 18.1-18.8	Oracle Construction and Engineering Suite
Siebel Applications, versions 18.7, 18.8, 18.9	Siebel
Solaris, versions 10, 11.3, 11.4	Systems
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, versions prior to XCP 1123	Systems
Spatial, versions 2.0, 2.1, 2.2	Oracle Big Data Graph

Note:

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

360 A-TEAM: CVE-2018-3245
Add of MeePwn working with Trend Micro’s Zero Day Initiative: CVE-2018-2909, CVE-2018-3290, CVE-2018-3296, CVE-2018-3297
Andrej Simko of Accenture: CVE-2018-3242, CVE-2018-3243
Andrej Simko of Accenture working with iDefense Labs: CVE-2018-3256
Anonymous researcher working with Trend Micro’s Zero Day Initiative: CVE-2018-3291, CVE-2018-3292, CVE-2018-3298
Artem Smotrakov: CVE-2018-3139
Aurelien Salomon of Pure Hacking: CVE-2018-3204
Badcode of Knownsec 404 Team: CVE-2018-3245, CVE-2018-3250
Behzad Najjarpour Jabbari, Secunia Research at Flexera Software: CVE-2018-18223, CVE-2018-18224, CVE-2018-3217, CVE-2018-3218, CVE-2018-3219, CVE-2018-3220, CVE-2018-3221, CVE-2018-3222, CVE-2018-3223, CVE-2018-3224, CVE-2018-3225, CVE-2018-3226, CVE-2018-3227, CVE-2018-3228, CVE-2018-3229, CVE-2018-3230, CVE-2018-3231, CVE-2018-3232, CVE-2018-3233, CVE-2018-3234, CVE-2018-3302
Devin Rosenbauer of Identity Works LLC: CVE-2018-3179
Felix Dörre: CVE-2018-3180
Giulio Comi of Horizon Security: CVE-2018-3205, CVE-2018-3206, CVE-2018-3207
Graham Steel of Cryptosense: CVE-2018-3210
Gregory Smiley of Security Compass: CVE-2018-3181
Hans-Martin Münch: CVE-2018-3168
Hasan Alqawzai: CVE-2018-3184
Huy Ngo of Viettel Cyber Security: CVE-2018-3295
Hysterical Raisins working with Trend Micro’s Zero Day Initiative: CVE-2018-2909, CVE-2018-3287, CVE-2018-3296, CVE-2018-3297, CVE-2018-3298
HzH4k: CVE-2018-3245
Independent security researcher via Beyond Security’s SecuriTeam Secure Disclosure program: CVE-2018-3294
Jacob Baines of Tenable, Inc.: CVE-2018-2912, CVE-2018-2913, CVE-2018-2914
Jakub Palaczynski: CVE-2018-3262
Jason Lang of TrustedSec: CVE-2018-3253
Jayson Grace of Sandia National Laboratories: CVE-2018-3235, CVE-2018-3236, CVE-2018-3237
Jim LaValley, Towerwall, Inc.: CVE-2018-3241, CVE-2018-3281
Jimi Sebree of Tenable, Inc.: CVE-2018-3213
John Moss of IRM Security: CVE-2018-3167
Jon King of OPNAV N1, US Navy: CVE-2018-3192
Jonas Mattsson: CVE-2018-3238
Kamlapati Choubey of Trend Micro’s Zero Day Initiative: CVE-2018-3147
Koustav Sadhukhan: CVE-2018-2909, CVE-2018-3293, CVE-2018-3295, CVE-2018-3296, CVE-2018-3297, CVE-2018-3298
Krzysztof Szafrański: CVE-2018-3183
Li Qiang of the Qihoo 360 Gear Team: CVE-2018-3289, CVE-2018-3290, CVE-2018-3293, CVE-2018-3295
Li Zhengdong of Hitax: CVE-2018-3191
Liam Glanfield of IRM Security: CVE-2018-3167
Liao Xinxi of NSFOCUS Security Team: CVE-2018-3245
Lilei of Venustech ADLab: CVE-2018-3245
Lokesh Sharma: CVE-2018-3138
loopx9: CVE-2018-3191
Lukasz Mikula: CVE-2018-3132, CVE-2018-3254
Lukasz Plonka of ING Services Polska: CVE-2018-3208
Maciej Grabiec: CVE-2018-3140, CVE-2018-3141, CVE-2018-3142
Marcin Wołoszyn of ING Services Polska: CVE-2018-3175, CVE-2018-3176, CVE-2018-3177, CVE-2018-3178
Mark Earnest of Identity Works LLC: CVE-2018-3179
Matthias Kaiser of Code White: CVE-2018-3191, CVE-2018-3197, CVE-2018-3201
Mauricio Correa of Xlabs: CVE-2018-3172
Michael Orlitzky: CVE-2018-3174
Nelson William Gamazo Sanchez of Trend Micro’s Zero Day Initiative: CVE-2018-3211
Or Hanuka of Motorola Solutions: CVE-2018-3127
Pawel Gocyla: CVE-2018-2902
Ph0rse of Qihoo 360 Group 0kee Team: CVE-2018-3245
Quang Nguyen of Viettel Cyber Security: CVE-2018-3295
Root Object working with Trend Micro’s Zero Day Initiative: CVE-2018-3288, CVE-2018-3289, CVE-2018-3293
Sean Metcalf of Trimarc Security: CVE-2018-3253
Tobias Ospelt of modzero: CVE-2018-3214
Tom Tervoort of Secura: CVE-2018-2911
Tzachy Horesh of Motorola Solutions: CVE-2018-3127
Vahagn Vardanyan: CVE-2018-3215
WenHui Wang: CVE-2018-3245, CVE-2018-3249
Xiao Pingge: CVE-2018-3246
Zhiyi Zhang of 360 ESG Codesafe Team: CVE-2018-3245, CVE-2018-3248, CVE-2018-3249, CVE-2018-3252

Security-In-Depth Contributors

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

Antonio Sanso
Cyril Vallicari of ZIWIT/HTTPCS
Gregory Smiley of Security Compass
Martin Buchholz of Google
Mingxuan Song of CNCERT
Sarath Nair

On-Line Presence Security Contributors

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

Alexander Kornbrust of Red Database Security
Hemanth Joseph of hemanthjoseph.com
Joby John
Jose Domingo Carrillo
Kranthi Kumar
Mayank of Birla Institute of Technology, Mesra
Mohammed Fayadh
Pethuraj M (mr7)
Pranshu Tiwari
Rajat Sharma
Richard Alvariez
Samet Sahin
Sébastien Kaul
Zach Edwards of victorymedium.com
Zekvan Arslan

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

15 January 2019
16 April 2019
16 July 2019
15 October 2019

References

Modification History

Date	Note
2018-October-16	Rev 1. Initial Release.
2018-October-17	Rev 2. Updated Oracle Java SE Risk Matrix.
2018-October-18	Rev 3. Updated affected versions of CVE-2018-3128 and CVE-2018-3131 in Oracle Food and Beverage Applications Risk Matrix
2018-October-19	Rev 4. Updated CVSS score of CVE-2018-3253 and credit statement.
2018-October-30	Rev 5. Updated credit statement.
2018-December-18	Rev 6. Updated affected versions for Oracle Outside In Technology vulnerabilities.

Oracle Database Server Risk Matrix

This Critical Patch Update contains 7 new security fixes for the Oracle Database Server divided as follows:

3 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
1 new security fix for Oracle Big Data Graph. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
3 new security fixes for Oracle GoldenGate. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-3259	Java VM	None	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2018-3299	Oracle Text	None	Multiple	Yes	8.2	Network	Low	None	Required	Changed	None	Low	High	11.2.0.4, 12.1.0.2, 12.2.0.1
CVE-2018-7489	Rapid Home Provisioning	RHP User	HTTP	No	2.3	Adjacent Network	High	Low	Required	Un- changed	None	None	Low	18c

Additional CVEs addressed are below:

The fix for CVE-2018-7489 also addresses CVE-2017-15095.

Oracle Big Data Graph Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Big Data Graph. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-6814	Spatial	Big Data Graph (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	2.0, 2.1, 2.2

Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle GoldenGate. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-2913	Oracle GoldenGate	Monitoring Manager	TCP	Yes	10.0	Network	Low	None	None	Changed	High	High	High	12.1.2.1.0, 12.2.0.2.0, 12.3.0.1.0	See Note1
CVE-2018-2912	Oracle GoldenGate	Manager	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.2.1.0, 12.2.0.2.0, 12.3.0.1.0
CVE-2018-2914	Oracle GoldenGate	Manager	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.2.1.0, 12.2.0.2.0, 12.3.0.1.0

Notes:

For Linux and Windows platforms, the CVSS score is 9.0 with Access Complexity as High. For all other platforms, the cvss score is 10.0.

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Communications Applications. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2015-0235	Oracle Communications Application Session Controller	Security (Glibc)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 3.7.1M0
CVE-2017-5645	Oracle Communications Messaging Server	Convergence (Apache Log4J)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 8.0.2
CVE-2016-0729	Oracle Communications User Data Repository	Security (Apache Xerces)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 12.2.0
CVE-2015-7501	Oracle Communications Application Session Controller	Security (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to 3.7.1M0
CVE-2015-7501	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to 10.2.1
CVE-2016-0635	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to 10.2.1
CVE-2016-1182	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Apache Struts 1)	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	Prior to 10.2.0
CVE-2017-15095	Oracle Communications Instant Messaging Server	Security (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Prior to 10.0.1
CVE-2018-8013	Oracle Communications MetaSolv Solution	Print preview, Gateway Events (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	6.3.0
CVE-2016-5080	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Objective System ASN1C)	Multiple	No	7.2	Network	Low	High	None	Un- changed	High	High	High	Prior to 10.2.1
CVE-2016-5019	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Apache Trinidad)	HTTP	No	6.7	Network	Low	High	None	Un- changed	Low	High	High	Prior to 10.2.1
CVE-2016-2107	Oracle Communications Application Session Controller	Security (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Prior to 3.7.1M0
CVE-2017-3736	Oracle Communications Performance Intelligence Center (PIC) Software	Security (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Prior to 10.2.1
CVE-2014-3490	Oracle Communications Performance Intelligence Center (PIC) Software	Security (resteasy-jaxrs)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Prior to 10.2.0

Additional CVEs addressed are below:

The fix for CVE-2015-0235 also addresses CVE-2014-7817.
The fix for CVE-2016-0729 also addresses CVE-2015-0252.
The fix for CVE-2016-1182 also addresses CVE-2012-1007, CVE-2014-0014 and CVE-2016-1181.
The fix for CVE-2017-15095 also addresses CVE-2017-7525.
The fix for CVE-2017-3736 also addresses CVE-2017-3735.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 10 new security fixes for the Oracle Construction and Engineering Suite. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-1275	Primavera Gateway	Web Access (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.2, 16.2, 17.12
CVE-2018-7489	Primavera Gateway	Web Access (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.2, 16.2, 17.12
CVE-2018-12023	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	15.1, 15.2, 16.1, 16.2, 17.1-17.12, 18.1-18.8
CVE-2018-8013	Instantis EnterpriseTrack	Generic (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	17.1, 17.2, 17.3
CVE-2018-1305	Instantis EnterpriseTrack	Generic (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	17.1, 17.2, 17.3
CVE-2015-9251	Primavera Gateway	Admin (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.2, 16.2, 17.12
CVE-2018-3241	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4, 15.1, 15.2, 16.1, 16.2, 17.7 – 17.12, 18.8
CVE-2018-3281	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4, 15.1, 15.2, 16.1, 16.2, 17.7 – 17.12, 18.8
CVE-2018-3148	Primavera Unifier	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.1, 15.2, 16.1, 16.2, 17.1-17.12, 18.1-18.8
CVE-2018-11039	Primavera P6 Enterprise Project Portfolio Management	Web Access (Spring Framework)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	18.8

Additional CVEs addressed are below:

The fix for CVE-2018-1275 also addresses CVE-2018-1258.
The fix for CVE-2018-7489 also addresses CVE-2017-15095 and CVE-2018-12023.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 16 new security fixes for the Oracle E-Business Suite. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2018), My Oracle Support Note 2445688.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-3138	Oracle Application Object Library	Attachments / File Upload	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3243	Oracle Applications Framework	None	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2018-3235	Oracle Applications Manager	None	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3189	Oracle Customer Interaction History	Outcome-Result	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2018-3190	Oracle E-Business Intelligence	Overview Page/Report Rendering	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2018-3188	Oracle iStore	Web interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3242	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3196	Oracle Partner Management	Partner Dashboard	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3011	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3151	Oracle iProcurement	E-Content Manager Catalog	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3236	Oracle User Management	Reports	HTTP	No	6.5	Network	Low	High	None	Un- changed	High	High	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3167	Application Management Pack for Oracle E-Business Suite	User Monitoring	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3244	Oracle Application Object Library	Attachments / File Upload	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3237	Oracle Applications Manager	Support Cart	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3256	Oracle Email Center	Message Display	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2971	Oracle Applications Framework	REST Services	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 4 new security fixes for the Oracle Enterprise Manager Products Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2433477.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-4000	Enterprise Manager Ops Center	Networking (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.2, 12.3.3
CVE-2017-5645	Oracle Configuration Manager	Collector of Config and Diag (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.2.0.2, 12.1.2.0.5
CVE-2018-1258	Enterprise Manager for MySQL Database	EM Plugin: General (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	13.2
CVE-2018-0739	Enterprise Manager Base Platform	Discovery Framework (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	12.1.0.5, 13.2

Additional CVEs addressed are below:

The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Financial Services Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-12023	Oracle Banking Platform	Infrastructure (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.5.0, 2.6.0, 2.6.1, 2.6.2
CVE-2015-9251	Oracle Banking Platform	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.6.0, 2.6.1, 2.6.2

Additional CVEs addressed are below:

The fix for CVE-2018-12023 also addresses CVE-2018-11307 and CVE-2018-12022.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 4 new security fixes for Oracle Food and Beverage Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-3128	Oracle Hospitality Reporting and Analytics	Report	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.0, 9.1
CVE-2018-3131	Oracle Hospitality Gift and Loyalty	Report	None	No	6.1	Local	Low	Low	None	Un- changed	High	Low	None	9.0, 9.1
CVE-2015-9251	Oracle Hospitality Materials Control	MobileAuthWebService (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.1
CVE-2017-5715	MICROS PC Workstation 2015	BIOS	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 01.3.0.2i

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 65 new security fixes for Oracle Fusion Middleware. 56 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the October 2018 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2433477.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2017-5645	BI Publisher (formerly XML Publisher)	BI Publisher Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2017-5645	Oracle API Gateway	Oracle API Gateway (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.4.0
CVE-2018-1275	Oracle Big Data Discovery	Data Processing (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.6.0
CVE-2018-1275	Oracle GoldenGate for Big Data	Other issues (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.0.1, 12.3.1.1, 12.3.2.1
CVE-2017-5645	Oracle Identity Analytics	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.5.8
CVE-2017-5645	Oracle Identity Management Suite	Suite Level Patch Issues (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.3.0, 12.2.1.3.0
CVE-2017-15095	Oracle Identity Manager	Installer (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.3.0, 12.2.1.3.0
CVE-2018-3191	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2018-3197	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0
CVE-2018-3201	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3
CVE-2018-3245	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2018-3252	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2018-1258	Oracle Endeca Information Discovery Integrator	Other Issues (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.1.0, 3.2.0
CVE-2018-1258	Oracle WebLogic Server	Sample apps (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2018-2911	Oracle GlassFish Server	Java Server Faces	HTTP	Yes	8.3	Network	Low	None	Required	Un- changed	High	High	Low	3.1.2
CVE-2016-1182	Oracle Adaptive Access Manager	OAAM Server (Apache Struts 1)	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	11.1.1.7.0, 11.1.2.3.0
CVE-2018-3204	Oracle Business Intelligence Enterprise Edition	Analytics Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.2.1.3.0
CVE-2016-1182	Oracle Real-Time Decision Server	Platform Installation (Apache Struts 1)	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	3.2.1
CVE-2017-7805	Oracle Directory Server Enterprise Edition	Admin Console (Sun Security Libraries)	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	11.1.1.7
CVE-2018-3152	Oracle GlassFish Server	Administration	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.1.2
CVE-2018-1000300	Oracle HTTP Server	Web Listener (curl)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.2.1.3
CVE-2018-0732	Oracle Tuxedo	Docs-ATMI-IB (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.1.0
CVE-2018-3246	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0, 12.2.1.3
CVE-2018-3213	Oracle WebLogic Server	Docker Images	T3	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	prior to Docker 12.2.1.3.20180913
CVE-2018-8013	Oracle Business Intelligence Enterprise Edition	Oracle Business Intelligence Enterprise Edition (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2018-8013	Oracle Enterprise Repository	Security Subsystem – 12c (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	11.1.1.7.0, 12.1.3.0.0
CVE-2018-3179	Oracle Identity Manager	Advanced Console	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	None	Low	11.1.2.3.0, 12.2.1.3.0
CVE-2018-3168	Oracle Identity Analytics	Core Components	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	11.1.1.5.8
CVE-2018-3217	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	Low	None	8.5.3, 8.5.4	See Note1
CVE-2018-3218	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	Low	None	8.5.3, 8.5.4	See Note1
CVE-2018-3219	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3, 8.5.4	See Note1
CVE-2018-3220	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3, 8.5.4	See Note1
CVE-2018-3221	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-3302	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-3222	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-3223	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-3224	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-3225	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-3226	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-3227	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-3228	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-3229	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-3230	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-3231	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-3232	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-3233	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-3234	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-18223	Oracle Outside In Technology	Outside In Filters (ODA Module)	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-18224	Oracle Outside In Technology	Outside In Filters (ODA Module)	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note1
CVE-2018-3238	Oracle WebCenter Sites	Advanced UI	HTTP	No	6.9	Network	Low	High	Required	Changed	High	Low	None	11.1.1.8.0
CVE-2018-0739	Oracle Endeca Server	Product Code (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	7.6.1, 7.7.0
CVE-2018-1305	Oracle WebCenter Sites	Advanced UI (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	11.1.1.8.0, 12.2.1.3.0
CVE-2018-3249	Oracle WebLogic Server	WLS – Web Services	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	10.3.6.0
CVE-2018-3248	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	10.3.6.0
CVE-2015-9251	Oracle Endeca Information Discovery Studio	Studio (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.1.0, 3.2.0
CVE-2017-14735	Oracle Fusion Middleware MapViewer	Install (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0, 12.2.1.3
CVE-2015-9251	Oracle Service Bus	OSB Core Functionality (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0
CVE-2015-9251	Oracle WebCenter Sites	Advanced UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.8.0
CVE-2018-3250	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0
CVE-2018-3215	Oracle Endeca Information Discovery Integrator	Integrator ETL	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	3.1.0, 3.2.0
CVE-2018-3210	Oracle GlassFish Server	Java Server Faces	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	3.1.2
CVE-2018-3254	Oracle WebCenter Portal	WebCenter Spaces Application	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0
CVE-2018-3253	Oracle Virtual Directory	Virtual Directory Manager	HTTP	No	8.5	Network	High	Low	None	Changed	High	High	High	11.1.1.7.0, 11.1.1.9.0
CVE-2018-3147	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	8.5.3, 8.5.4	See Note1
CVE-2018-2902	Oracle WebLogic Server	Console	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	10.3.6.0, 12.1.3.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The fix for CVE-2016-1182 also addresses CVE-2014-0114 and CVE-2016-1181.
The fix for CVE-2017-15095 also addresses CVE-2017-7525 and CVE-2018-7489.
The fix for CVE-2018-0732 also addresses CVE-2018-0737.
The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-1275 also addresses CVE-2016-0635, CVE-2018-1258, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
The fix for CVE-2018-1305 also addresses CVE-2018-1304.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Health Sciences Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2015-9251	Oracle Healthcare Translational Research	Cohort Explorer (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.1.0

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 9 new security fixes for Oracle Hospitality Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-1258	Oracle Hospitality Guest Access	Base (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	4.2.0, 4.2.1
CVE-2018-3160	Oracle Hospitality Cruise Shipboard Property Management System	OHC Admin, OHC Management	None	No	7.7	Local	Low	High	Required	Changed	High	High	High	8.0
CVE-2018-3158	Oracle Hospitality Cruise Fleet Management	Emergency Response System	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	9.0
CVE-2018-3163	Oracle Hospitality Cruise Fleet Management	Emergency Response System	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	9.0
CVE-2018-3166	Oracle Hospitality Cruise Fleet Management	Emergency Response System	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	9.0
CVE-2018-1305	Oracle Hospitality Guest Access	Base (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	4.2.0, 4.2.1
CVE-2018-3159	Oracle Hospitality Cruise Fleet Management	Sender and Receiver	None	No	6.1	Local	Low	Low	None	Un- changed	High	Low	None	9.0
CVE-2015-9251	Oracle Hospitality Guest Access	Base (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	4.2.0, 4.2.1
CVE-2018-3181	Oracle Hospitality Cruise Shipboard Property Management System	OHC ENOAD	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	8.0

Additional CVEs addressed are below:

The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-1305 also addresses CVE-2018-1304.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 9 new security fixes for Oracle Hyperion. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-3208	Hyperion Data Relationship Management	Access and Security	HTTP	No	7.7	Network	Low	Low	None	Changed	High	None	None	11.1.2.4.345
CVE-2018-3142	Hyperion Essbase Administration Services	EAS Console	HTTP	No	7.7	Network	Low	Low	None	Changed	High	None	None	11.1.2.4
CVE-2018-3175	Hyperion Common Events	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.2.4
CVE-2018-3176	Hyperion Common Events	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.2.4
CVE-2018-3177	Hyperion Common Events	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.2.4
CVE-2018-3178	Hyperion Common Events	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.2.4
CVE-2018-3140	Hyperion Essbase Administration Services	EAS Console	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.2.4
CVE-2018-3141	Hyperion Essbase Administration Services	EAS Console	HTTP	Yes	5.8	Network	Low	None	None	Changed	None	Low	None	11.1.2.4
CVE-2018-3184	Hyperion BI+	IQR – Foundation Services	HTTP	No	2.4	Network	Low	High	Required	Un- changed	Low	None	None	11.1.2.4

Oracle iLearning Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-3146	Oracle iLearning	Learner Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	6.1, 6.2

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Insurance Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Insurance Calculation Engine	Calculation engine (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.1.1, 10.2.1
CVE-2018-1275	Oracle Insurance Calculation Engine	Calculation engine (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.1.1, 10.2.1
CVE-2017-5645	Oracle Insurance Rules Palette	Rules Palette (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0, 10.1, 10.2, 11.0, 11.1
CVE-2018-1275	Oracle Insurance Rules Palette	Rules Palette (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0, 10.1, 10.2, 11.0, 11.1
CVE-2018-8013	Oracle Insurance Calculation Engine	Architecture (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	10.1.1, 10.2.1

Additional CVEs addressed are below:

The fix for CVE-2018-1275 also addresses CVE-2018-1270.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 12 new security fixes for Oracle Java SE. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-3183	Java SE, Java SE Embedded, JRockit	Scripting	Multiple	Yes	9.0	Network	High	None	None	Changed	High	High	High	Java SE: 8u181, 11; Java SE Embedded: 8u181; JRockit: R28.3.19	See Note1
CVE-2018-3209	Java SE	JavaFX	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 8u181	See Note2
CVE-2018-3169	Java SE, Java SE Embedded	Hotspot	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u191, 8u181, 11; Java SE Embedded: 8u181	See Note2
CVE-2018-3149	Java SE, Java SE Embedded, JRockit	JNDI	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 6u201, 7u191, 8u181, 11; Java SE Embedded: 8u181; JRockit: R28.3.19	See Note1
CVE-2018-3211	Java SE, Java SE Embedded	Serviceability	None	No	6.6	Local	Low	Low	Required	Un- changed	High	High	None	Java SE: 8u181, 11; Java SE Embedded: 8u181	See Note3
CVE-2018-3180	Java SE, Java SE Embedded, JRockit	JSSE	SSL/TLS	Yes	5.6	Network	High	None	None	Un- changed	Low	Low	Low	Java SE: 6u201, 7u191, 8u181, 11; Java SE Embedded: 8u181; JRockit: R28.3.19	See Note1
CVE-2018-3214	Java SE, Java SE Embedded, JRockit	Sound	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 6u201, 7u191, 8u181; Java SE Embedded: 8u181; JRockit: R28.3.19	See Note1
CVE-2018-3157	Java SE	Sound	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 11	See Note4
CVE-2018-3150	Java SE	Utility	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	Low	None	Java SE: 11	See Note4
CVE-2018-13785	Java SE, Java SE Embedded	Deployment (libpng)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 6u201, 7u191, 8u181, 11; Java SE Embedded: 8u181	See Note2
CVE-2018-3136	Java SE, Java SE Embedded	Security	Multiple	Yes	3.4	Network	High	None	Required	Changed	None	Low	None	Java SE: 6u201, 7u191, 8u181, 11; Java SE Embedded: 8u181	See Note2
CVE-2018-3139	Java SE, Java SE Embedded	Networking	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Java SE: 6u201, 7u191, 8u181, 11; Java SE Embedded: 8u181	See Note2

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). This vulnerability can only be exploited when Java Usage Tracker functionality is being used.
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Additional CVEs addressed are below:

The fix for CVE-2018-13785 also addresses CVE-2018-14048.

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 6 new security fixes for Oracle JD Edwards Products. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-7489	JD Edwards EnterpriseOne Orchestrator	IoT Orchestrator Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-7489	JD Edwards EnterpriseOne Tools	EnterpriseOne Mobility (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-7489	JD Edwards EnterpriseOne Tools	Web Runtime (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2017-15095	JD Edwards EnterpriseOne Tools	Business Logic Inf (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2017-15095	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2018-0739	JD Edwards EnterpriseOne Tools	Enterprise Infrastructure (OpenSSL)	JDENET	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	9.2

Additional CVEs addressed are below:

The fix for CVE-2017-15095 also addresses CVE-2017-7525.
The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
The fix for CVE-2018-7489 also addresses CVE-2017-15095 and CVE-2017-7525.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 38 new security fixes for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-11776	MySQL Enterprise Monitor	Monitoring: General (Apache Struts 2)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior
CVE-2018-8014	MySQL Enterprise Monitor	Monitoring: General (Apache Tomcat)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior
CVE-2018-3258	MySQL Connectors	Connector/J	X Protocol	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.0.12 and prior
CVE-2018-1258	MySQL Enterprise Monitor	Monitoring: General (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior
CVE-2016-9843	MySQL Server	InnoDB (zlib)	MySQL Protocol	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3155	MySQL Server	Server: Parser	MySQL Protocol	No	7.7	Network	Low	Low	None	Changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3143	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3156	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3251	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3182	MySQL Server	Server: DML	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3137	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3203	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3133	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3145	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3144	MySQL Server	Server: Security: Audit	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3185	MySQL Server	InnoDB	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3195	MySQL Server	Server: DDL	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	8.0.12 and prior
CVE-2018-3247	MySQL Server	Server: Merge	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3187	MySQL Server	Server: Optimizer	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3174	MySQL Server	Client programs	MySQL Protocol	No	5.3	Local	High	High	None	Changed	None	None	High	5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3171	MySQL Server	Server: Partition	MySQL Protocol	No	5.0	Network	High	High	None	Un- changed	None	Low	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3277	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3162	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3173	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3200	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3170	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3212	MySQL Server	Server: Information Schema	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3280	MySQL Server	Server: JSON	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3276	MySQL Server	Server: Memcached	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3186	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3161	MySQL Server	Server: Partition	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3278	MySQL Server	Server: RBR	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3279	MySQL Server	Server: Security: Roles	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3282	MySQL Server	Server: Storage Engines	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3285	MySQL Server	Server: Windows	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3284	MySQL Server	InnoDB	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3283	MySQL Server	Server: Logging	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3286	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	8.0.12 and prior

Additional CVEs addressed are below:

The fix for CVE-2016-9843 also addresses CVE-2016-9840, CVE-2016-9841 and CVE-2016-9842.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-8014 also addresses CVE-2018-1304, CVE-2018-1305, CVE-2018-8034 and CVE-2018-8037.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 24 new security fixes for Oracle PeopleSoft Products. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2017-9798	PeopleSoft Enterprise PeopleTools	PeopleSoft CDA (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.55, 8.56
CVE-2018-3192	PeopleSoft Enterprise PeopleTools	Query	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.55, 8.56
CVE-2018-3165	PeopleSoft Enterprise PeopleTools	SQR	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.55, 8.56
CVE-2018-0739	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	8.55, 8.56, 8.57
CVE-2018-3193	PeopleSoft Enterprise PeopleTools	Activity Guide	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3194	PeopleSoft Enterprise PeopleTools	Activity Guide	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3164	PeopleSoft Enterprise PeopleTools	Elastic Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3255	PeopleSoft Enterprise PeopleTools	Fluid Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2018-3301	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3153	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2018-3257	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3154	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3206	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3207	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3132	PeopleSoft Enterprise PeopleTools	Rich Text Editor	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3205	PeopleSoft Enterprise PeopleTools	Workflow	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2018-3130	PeopleSoft Enterprise Interaction Hub	Application Portal	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	9.1.0.0
CVE-2018-3239	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.55, 8.56
CVE-2018-3261	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.55, 8.56, 8.57
CVE-2018-3202	PeopleSoft Enterprise PeopleTools	Performance Monitor	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.55, 8.56
CVE-2018-3198	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.55, 8.56, 8.57
CVE-2018-3135	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	8.55, 8.56
CVE-2018-3262	PeopleSoft Enterprise PeopleTools	Stylesheet	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	8.55, 8.56, 8.57
CVE-2018-3129	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	8.55, 8.56, 8.57

Additional CVEs addressed are below:

The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 31 new security fixes for Oracle Retail Applications. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	MICROS Relate CRM Software	Web Services (Apache Commons)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.8, 11.4
CVE-2018-7489	Oracle Retail Allocation	General (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2018-7489	Oracle Retail Assortment Planning	Application Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0
CVE-2016-1000031	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations (Apache Commons)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.0, 17.0
CVE-2017-5645	Oracle Retail Extract Transform and Load	Mathematical Operators (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.0, 13.1, 13.2
CVE-2018-7489	Oracle Retail Invoice Matching	Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2017-5645	Oracle Retail Open Commerce Platform	Framework (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.3.0, 6.0.0, 6.0.1
CVE-2017-5533	Oracle Retail Open Commerce Platform	Framework (JasperReports)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.3.0, 6.0.0, 6.0.1
CVE-2018-1275	Oracle Retail Open Commerce Platform	Framework (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.3.0, 6.0.0, 6.0.1
CVE-2017-5533	Oracle Retail Order Broker	Order Broker Foundation (JasperReports)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.0
CVE-2018-1275	Oracle Retail Order Broker	System Administration (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.1, 5.2, 15.0, 16.0
CVE-2018-1275	Oracle Retail Predictive Application Server	RPAS Fusion Client (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1, 15.0, 16.0
CVE-2018-7489	Oracle Retail Sales Audit	Operational Insights (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2018-1258	MICROS Lucas	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	2.9.5
CVE-2018-1258	Oracle Retail Assortment Planning	Application Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	14.1, 15.0, 16.0
CVE-2018-1258	Oracle Retail Financial Integration	PeopleSoft Integration Bugs (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	13.2, 14.0, 14.1, 15.0, 16.0
CVE-2018-1258	Oracle Retail Integration Bus	RIB Kernal (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	14.1.2
CVE-2017-15095	Oracle Retail Open Commerce Platform	Framework (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	5.3.0, 6.0.0, 6.0.1
CVE-2018-3115	Oracle Retail Sales Audit	Operational Insights	HTTP	No	7.7	Network	High	Low	None	Changed	High	Low	Low	15.0, 16.0
CVE-2018-2889	MICROS Retail-J	Internal Operations	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.2
CVE-2018-8013	Oracle Retail Back Office	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	13.3, 13.4, 14, 14.1
CVE-2018-8013	Oracle Retail Central Office	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	14.1
CVE-2018-8013	Oracle Retail Order Broker	Upgrade Install (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	5.1, 5.2, 15.0, 16.0
CVE-2018-8013	Oracle Retail Point-of-Service	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	13.4, 14.0, 14.1
CVE-2018-8013	Oracle Retail Returns Management	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	14.1
CVE-2018-3122	Oracle Retail Open Commerce Platform	Integrations	HTTP	No	6.8	Network	High	Low	None	Un- changed	High	High	None	6.0, 6.0.1, 5.3
CVE-2018-3126	Oracle Retail Xstore Point of Service	Xenvironment	HTTP	No	6.6	Network	High	High	None	Un- changed	High	High	High	15.0.2, 16.0.4, 17.0.2
CVE-2018-7489	Oracle Retail Xstore Point of Service	Xenvironment (jackson-databind)	HTTP	No	6.6	Network	High	High	None	Un- changed	High	High	High	6.5.12, 7.0.7, 7.1.7, 15.0.2, 16.0.4, 17.0.2
CVE-2018-2887	MICROS Retail-J	Back Office	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	13.0.0, 12.1.2
CVE-2018-1305	MICROS XBRi	Retail (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	10.8.3, 10.8.2, 10.8.1, 10.7.0, 10.6.0, 10.5.0
CVE-2018-1305	Oracle Retail Order Broker	Upgrade Install (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	5.1, 5.2, 15.0

Additional CVEs addressed are below:

The fix for CVE-2017-5533 also addresses CVE-2017-5529.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-1275 also addresses CVE-2017-5529, CVE-2018-1258, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
The fix for CVE-2018-1305 also addresses CVE-2018-1304.
The fix for CVE-2018-7489 also addresses CVE-2017-7525, CVE-2018-11307 and CVE-2018-12022.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle Siebel CRM. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2017-5645	Siebel UI Framework	EAI (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	18.7, 18.8, 18.9
CVE-2018-1305	Siebel Apps – Marketing	Mktg/Campaign Mgmt (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	18.7, 18.8, 18.9
CVE-2018-3059	Siebel UI Framework	UIF Open UI	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.7, 18.8, 18.9

Additional CVEs addressed are below:

The fix for CVE-2018-1305 also addresses CVE-2018-1304.

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 19 new security fixes for the Oracle Sun Systems Products Suite. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-7167	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (curl)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to XCP2352 and Prior to XCP3050
CVE-2016-7167	SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers	XCP Firmware (curl)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to XCP1123	See Note1
CVE-2018-3273	Solaris	Remote Administration Daemon (RAD)	Multiple	Yes	8.1	Network	Low	None	Required	Un- changed	High	High	None	11.3
CVE-2016-5244	Solaris	Kernel	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.4
CVE-2018-3275	Solaris	LibKMIP	Multiple	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	11.3
CVE-2018-3272	Solaris	Kernel Zones Virtualized NIC Driver	None	No	6.2	Local	Low	None	None	Un- changed	None	None	High	11.3
CVE-2018-3274	Solaris	Kernel	SMB	No	5.7	Network	Low	Low	Required	Un- changed	None	None	High	11.3
CVE-2018-3263	Solaris	Sudo	Multiple	Yes	5.6	Network	High	None	None	Un- changed	Low	Low	Low	11.3
CVE-2015-6937	Solaris	Kernel	None	No	5.5	Local	Low	Low	None	Un- changed	None	None	High	11.4
CVE-2018-3267	Solaris	LFTP	FTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.3
CVE-2018-3271	Solaris	Kernel Zones	None	No	5.3	Local	High	High	None	Changed	None	None	High	11.3
CVE-2018-3172	Solaris	RPC	Portmap v3	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	10, 11.4
CVE-2018-3268	Solaris	SMB Server	SMB	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	11.3
CVE-2018-3265	Solaris	Zones	None	No	4.9	Local	High	None	None	Un- changed	Low	Low	Low	11.3
CVE-2018-3264	Solaris	Kernel	None	No	4.4	Local	Low	Low	None	Un- changed	None	Low	Low	11.3
CVE-2018-3269	Solaris	SMB Server	SMB	No	4.3	Network	Low	Low	None	Un- changed	None	None	Low	11.3
CVE-2018-3266	Solaris	Verified Boot	None	No	3.9	Local	High	High	None	Un- changed	Low	Low	Low	11.3
CVE-2018-2922	Solaris	Kernel	None	No	2.5	Local	High	Low	None	Un- changed	Low	None	None	11.3
CVE-2018-3270	Solaris	Kernel	None	No	1.8	Local	High	High	Required	Un- changed	None	None	Low	11.3

Notes:

SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers are not affected by CVE-2017-7407 and CVE-2016-7141.

Additional CVEs addressed are below:

The fix for CVE-2015-6937 also addresses CVE-2015-7990.
The fix for CVE-2016-7167 also addresses CVE-2015-3144, CVE-2015-3145, CVE-2015-3153, CVE-2015-3236, CVE-2015-3237, CVE-2016-0755, CVE-2016-3739, CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-7141, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-9586 and CVE-2017-7407.

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 6 new security fixes for the Oracle Supply Chain Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-1258	Oracle Agile PLM	Application Server (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2018-1305	Oracle Agile Engineering Data Management	Install (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	6.1.3, 6.2.0, 6.2.1
CVE-2018-1305	Oracle Agile PLM	Folders, Files & Attachments (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2018-1305	Oracle Transportation Management	Install (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	6.3.7
CVE-2018-3134	Oracle Agile Product Lifecycle Management for Process	User Group Management	None	No	5.0	Local	High	Low	Required	Un- changed	Low	High	None	6.2.0.0
CVE-2018-3127	Oracle Demantra Demand Management	Product Security	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	7.3.5, 12.2

Additional CVEs addressed are below:

The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-1305 also addresses CVE-2018-1304.

Oracle Support Tools Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-0739	OSS Support Tools	Services Tools Bundle (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	Prior to 18.4

Additional CVEs addressed are below:

The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Virtualization. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-3294	Oracle VM VirtualBox	Core	VRDP	No	9.0	Network	Low	Low	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3288	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3289	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3290	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3296	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3297	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-2909	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3298	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3291	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3292	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3293	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3295	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3287	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-0732	Oracle VM VirtualBox	Core (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to 5.2.20

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.

No Related Posts

Oracle Security Alert for CVE-2018-11776 – 31 August 2018

August 31, 2018January 19, 2020 Oracle Leave a comment

Oracle Security Alert Advisory – CVE-2018-11776

Description

This Security Alert addresses CVE-2018-11776, a vulnerability in Apache Struts 2. CVE-2018-11776 has received a CVSS v3 base score of 9.8. When the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file, and an ACTION tag is specified without a namespace attribute or a wildcard namespace, this vulnerability can be used to perform an unauthenticated remote code execution attack which can lead to a complete compromise of the targeted system.

Products incorporating Struts 2 are not necessarily vulnerable. For a list of Oracle products, their statuses, and available patches, please refer to Security Alert CVE-2018-11776 Products and Versions. Oracle recommends that customers frequently review Security Alert CVE-2018-11776 Products and Versions and plan to apply the updates as soon as they are released by Oracle. The Security Alert CVE-2018-11776 Products and Versions page will be updated as new information becomes available.

Security Alert Supported Products and Versions

References

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle: None credited in this Security Alert.

Modification History

Date	Note
2018-August-31	Rev 1. Initial Release.

Third Party Component Risk Matrix

This Security Alert contains 1 new security fix for Third Party Component. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-11776	Apache Struts 2	Core	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.3.34 and before 2.5.16 and before

No Related Posts

Oracle Security Alert for CVE-2018-3110 – 10 August 2018

August 9, 2018January 19, 2020 Oracle Leave a comment

Oracle Security Alert Advisory – CVE-2018-3110

Description

This Security Alert addresses an Oracle Database vulnerability in versions 11.2.0.4 and 12.2.0.1 on Windows. CVE-2018-3110 has a CVSS v3 base score of 9.9, and can result in complete compromise of the Oracle Database and shell access to the underlying server. CVE-2018-3110 also affects Oracle Database version 12.1.0.2 on Windows as well as Oracle Database on Linux and Unix, however patches for those versions and platforms were included in the July 2018 CPU.

If you are running Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows, please apply the patches indicated below. If you are running version 12.1.0.2 on Windows or any version of the database on Linux or Unix and have not yet applied the July 2018 CPU, please do so.

Due to the nature of this vulnerability, Oracle strongly recommends that customers take action without delay.

Affected Products and Patch Information

Affected Products and Versions	Patch Availability Document
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18	Database

Security Alert Supported Products and Versions

References

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle: None credited in this Security Alert.

Modification History

Date	Note
2018-August-10	Rev 1. Initial Release.

Oracle Database Server Risk Matrix

This Security Alert contains 1 new security fix for the Oracle Database Server. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. This fix is not applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complexity	PrivsReq’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-3110	Java VM	Create Session	Oracle Net	No	9.9	Network	Low	Low	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18

No Related Posts

Oracle Critical Patch Update Advisory – July 2018

July 16, 2018January 19, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – July 2018

Description

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

This Critical Patch Update contains 334 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at July 2018 Critical Patch Update: Executive Summary and Analysis.

Many industry experts anticipate that exploits leveraging known flaws in modern processor designs will continue to be disclosed for the foreseeable future (i.e., “Spectre” variants). For information related to these issues, please refer to:

the January 2018 Critical Patch Update (and later) Advisories,
the “Addendum to the January 2018 Critical Patch Update Advisory for Spectre (CVE-2017-5715, CVE-2017-5753) and Meltdown (CVE-2017-5754)” (Doc ID 2347948.1), and
“Information about processor vulnerabilities CVE-2018-3640 (“Spectre v3a”) and CVE-2018-3639 (“Spectre v4″)” (Doc ID 2399123.1).

Affected Products and Patch Information

Affected Products and Versions	Patch Availability Document
Agile Recipe Management for Pharmaceuticals, version 9.3.4	Oracle Supply Chain Products
Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.x	Enterprise Manager
Enterprise Manager for Fusion Middleware, versions 12.1.0.5, 13.2.x	Enterprise Manager
Enterprise Manager for MySQL Database, versions 13.2.2.0.0 and prior	Enterprise Manager
Enterprise Manager for Oracle Database, versions 12.1.0.8, 13.2.2	Enterprise Manager
Enterprise Manager for Peoplesoft, versions 13.1.1.1, 13.2.1.1	Enterprise Manager
Enterprise Manager for Virtualization, versions 13.2.2, 13.2.3	Enterprise Manager
Enterprise Manager Ops Center, versions 12.2.2, 12.3.3	Enterprise Manager
FMW Platform, versions 12.2.1.2.0, 12.2.1.3.0	Fusion Middleware
Hardware Management Pack, version 11.3	Systems
Hyperion Data Relationship Management, version 11.1.2.4.330	Fusion Middleware
Hyperion Financial Reporting, version 11.1.2	Fusion Middleware
JD Edwards EnterpriseOne Tools, version 9.2	JD Edwards
JD Edwards World Security, versions A9.3, A9.3.1, A9.4	JD Edwards
MICROS 700 Series Tablet, versions Prior to BIOS 0.00.13ORC, Prior to BIOS 0.01.25ORC	MICROS 700 Series Tablet
MICROS Handheld Terminal, versions 2018, Android 4.4.4 Security Patch Bulletin prior to February 1	MICROS Handheld Terminal
MICROS Kitchen Display Controller, versions Prior to BIOS 0.00.16ORC	MICROS Kitchen Display System Hardware
MICROS Lucas, versions 2.9.5.3, 2.9.5.4, 2.9.5.5, 2.9.5.6	Retail Applications
MICROS Relate CRM Software, versions 10.8.x, 11.4.x	Retail Applications
MICROS Retail-J, versions 10.2.x, 11.0.x, 12.0.x, 12.1.x, 12.1.1.x, 12.1.2.x, 13.1.x	Retail Applications
MICROS Workstation 6, versions prior to BIOS 1.3.1.0, prior to BIOS 1.5.2.0, prior to BIOS 2.3.1.0	MICROS Workstation
MICROS XBR, versions 7.0.2, 7.0.4	Retail Applications
MySQL Client, versions 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior	MySQL
MySQL Connectors, versions 5.3.10 and prior, 8.0.11 and prior	MySQL
MySQL Enterprise Monitor, versions 3.4.7.4297 and prior, 4.0.4.5235 and prior, 8.0.0.8131 and prior	MySQL
MySQL Server, versions 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior	MySQL
MySQL Workbench, versions 6.3.10 and prior, 8.0.11 and prior	MySQL
Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1	Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6	Oracle Supply Chain Products
Oracle Agile PLM MCAD Connector, versions 3.3, 3.4, 3.5, 3.6	Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0	Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0	Fusion Middleware
Oracle Application Testing Suite, version 10.1	Enterprise Manager
Oracle AutoVue VueLink Integration, versions 21.0.0, 21.0.1	Oracle Supply Chain Products
Oracle Banking Corporate Lending, versions 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0	Oracle Financial Services Applications
Oracle Banking Payments, versions 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0	Oracle Financial Services Applications
Oracle Banking Platform, versions 2.6.0, 2.6.1, 2.6.2	Oracle Banking Platform
Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0	Fusion Middleware
Oracle Business Process Management Suite, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0	Fusion Middleware
Oracle Communications Diameter Signaling Router (DSR), versions 7.x, 8.x	Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE LNP Application Processor, version 10.x	Oracle Communications EAGLE LNP Application Processor
Oracle Communications Interactive Session Recorder, versions 5.x, 6.x	Oracle Communications Interactive Session Recorder
Oracle Communications Messaging Server, version 3.x	Oracle Communications Convergence
Oracle Communications Network Charging and Control, versions 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0	Oracle Communications Network Charging and Control
Oracle Communications Policy Management, version 12.x	Oracle Communications Policy Management
Oracle Communications Session Border Controller, versions ECz7.x, ECz8.x	Oracle Communications Session Border Controller
Oracle Communications User Data Repository, versions 10.x, 12.x	Oracle Communications User Data Repository
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1, 18.2	Database
Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7	E-Business Suite
Oracle Endeca Information Discovery Studio, versions 3.1, 3.2	Fusion Middleware
Oracle Enterprise Data Quality, version 12.2.1.3.0	Fusion Middleware
Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0	Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3.x, 8.0.x	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Behavior Detection Platform, version 8.0.x	Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Funds Transfer Pricing, versions 6.1.1, 8.0.x	Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4, 8.0.5	Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.4, 8.0.5	Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Profitability Management, versions 6.1.1, 8.0.x	Oracle Financial Services Profitability Management
Oracle Financial Services Revenue Management and Billing, versions 2.3.0.2.0, 2.4.0.0.0, 2.4.0.1.0, 2.5.0.1.0, 2.5.0.2.0, 2.5.0.3.0	Oracle Financial Services Revenue Management and Billing
Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 12.3.0, 14.0.0, 14.1.0	Oracle Financial Services Applications
Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0	Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0	Oracle Financial Services Applications
Oracle Fusion Middleware, versions 12.2.1.2, 12.2.1.3	Fusion Middleware
Oracle Fusion Middleware MapViewer, versions 12.2.1.2, 12.2.1.3	Fusion Middleware
Oracle Global Lifecycle Management OPatchAuto, version All	Oracle Global Lifecycle Management OPatchAuto
Oracle Hospitality Cruise Fleet Management System, version 9.x	Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Cruise Shipboard Property Management System, version 8.x	Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality Gift and Loyalty, version 9.0.0	Oracle Hospitality Gift and Loyalty
Oracle Hospitality OPERA 5 Property Services, version 5.5.x	Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Reporting and Analytics, version 9.0.0	Oracle Hospitality Reporting and Analytics
Oracle Hospitality Simphony, versions 2.8, 2.9, 2.10	Oracle Hospitality Simphony
Oracle iLearning, version 6.2	iLearning
Oracle Insurance Policy Administration, versions 10.0, 10.1, 10.2, 11.0	Oracle Insurance Applications
Oracle Internet Directory, version 11.1.1.9.0	Fusion Middleware
Oracle Java SE, versions 6u191, 7u181, 8u172, 10.0.1	Java SE
Oracle Java SE Embedded, version 8u171	Java SE
Oracle JDeveloper, versions 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0	Fusion Middleware
Oracle JRockit, version R28.3.18	Java SE
Oracle Outside In Technology, version 8.5.3	Fusion Middleware
Oracle Policy Automation, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10	Oracle Policy Automation
Oracle Policy Automation Connector for Siebel, version 10.4.6	Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10	Oracle Policy Automation
Oracle Retail Back Office, versions 14.0, 14.1	Retail Applications
Oracle Retail Bulk Data Integration, version 16.0	Retail Applications
Oracle Retail Central Office, versions 14.0, 14.1	Retail Applications
Oracle Retail Clearance Optimization Engine, version 14.0.5	Retail Applications
Oracle Retail Convenience and Fuel POS Software, version 2.1.132	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.x, 17.x	Retail Applications
Oracle Retail Financial Integration, versions 13.2.x, 14.0.x, 14.1.x, 15.0.x, 16.0.x	Retail Applications
Oracle Retail Integration Bus, versions 12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.0 14.1.0, 14.0.x, 14.1.x, 15.0, 15.0.x, 16.0, 16.0.x	Retail Applications
Oracle Retail Order Broker, versions 5.2, 15.0, 16.0	Retail Applications
Oracle Retail Point-of-Sale, versions 14.0, 14.1	Retail Applications
Oracle Retail Point-of-Service, versions 14.0, 14.1	Retail Applications
Oracle Retail Predictive Application Server, version 15.0.3	Retail Applications
Oracle Retail Returns Management, versions 14.0, 14.1	Retail Applications
Oracle Retail Service Backbone, versions 14.0.x, 14.1.x, 15.0.x, 16.0.x	Retail Applications
Oracle Retail Service Layer, versions 12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.x	Retail Applications
Oracle Secure Global Desktop, versions 5.3, 5.4	Virtualization
Oracle SOA Suite, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0	Fusion Middleware
Oracle SuperCluster Specific Software, versions prior to 2.5.0	Systems
Oracle Transportation Management, versions 6.2, 6.3.7, 6.4.1	Oracle Supply Chain Products
Oracle Tuxedo, versions 12.1.1, 12.1.3, 12.2.2	Fusion Middleware
Oracle Utilities Framework, version 4.3.x	Oracle Utilities Applications
Oracle Utilities Network Management System, versions 1.12.x, 2.3.x	Oracle Utilities Applications
Oracle Utilities Work and Asset Management, version 1.9.1.2.12	Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.2.16	Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3	Fusion Middleware
OSS Support Tools, versions prior to 18.3	Support Tools
PeopleSoft Enterprise CS Financial Aid, versions 9.0, 9.2	PeopleSoft
PeopleSoft Enterprise FIN Install, version 9.2	PeopleSoft
PeopleSoft Enterprise HCM Human Resources, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56	PeopleSoft
PeopleSoft HRMS, version 9.2	PeopleSoft
Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.x, 16.x, 17.x	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.x, 17.x, 18.x	Oracle Construction and Engineering Suite
Siebel Applications, version 18.0	Siebel
Solaris, versions 10, 11.2, 11.3	Systems
Solaris Cluster, versions 3.3, 4.3	Systems
Sun ZFS Storage Appliance Kit (AK), versions prior to 8.7.20	Systems
Tape Library ACSLS, versions Prior to ACSLS 8.4.0-3	Systems

Note:

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

0c0c0f: CVE-2018-2893
Adam Willard: CVE-2018-3017, CVE-2018-3018
Add of MeePwn working with Trend Micro’s Zero Day Initiative: CVE-2018-3055
Amin Moralic of Pure Hacking: CVE-2018-2953
André Lenoir of Tehtris: CVE-2018-2991, CVE-2018-2993, CVE-2018-2996, CVE-2018-3012
Anonymous researcher working with Trend Micro’s Zero Day Initiative: CVE-2018-3087, CVE-2018-3088, CVE-2018-3089, CVE-2018-3090
Badcode of Knownsec 404 Team: CVE-2018-2893
Bartłomiej Stasiek: CVE-2018-2900
Behzad Najjarpour Jabbari, Secunia Research at Flexera Software: CVE-2018-2992, CVE-2018-3009, CVE-2018-3010, CVE-2018-3092, CVE-2018-3093, CVE-2018-3094, CVE-2018-3095, CVE-2018-3096, CVE-2018-3097, CVE-2018-3098, CVE-2018-3099, CVE-2018-3102, CVE-2018-3103, CVE-2018-3104
Daniel Bleichenbacher of Google: CVE-2018-2972
Dario Weißer: CVE-2018-3081
David Litchfield of Apple: CVE-2018-2894
Denis Andzakovic of Pulse Security: CVE-2018-2933, CVE-2018-2998
Fabio Pires of NCC Group: CVE-2018-2907
Faizal Hasanwala: CVE-2018-2936
Gregory Draperi: CVE-2018-2938
Gregory Smiley of Security Compass: CVE-2018-2955, CVE-2018-2957, CVE-2018-3000, CVE-2018-3001, CVE-2018-3002, CVE-2018-3003
Jackson Thuraisamy of Security Compass: CVE-2018-2955, CVE-2018-2957
Jakub Palaczynski of ING Services Polska: CVE-2018-2958
Jayson Grace of Sandia National Laboratories: CVE-2018-2996
Jim LaValley, Towerwall, Inc.: CVE-2018-2960, CVE-2018-2961, CVE-2018-2962, CVE-2018-2963, CVE-2018-2965, CVE-2018-2966, CVE-2018-2967, CVE-2018-2968, CVE-2018-2969
John Beeson of Baker Hughes, a GE Company: CVE-2018-2976
Krisorn Phochalam: CVE-2018-2899
Liao Xinxi of NSFOCUS Security Team: CVE-2018-2893
Lilei of Venustech ADLab: CVE-2018-2893
Linpei Sheng of 360 Enterprise Security Group: CVE-2018-2997
Lokesh Sharma: CVE-2018-2934
Lukasz Plonka of ING Services Polska: CVE-2018-2915, CVE-2018-2987
Marcin Wołoszyn of ING Services Polska: CVE-2018-2958
Mathew Nash of NCC Group: CVE-2018-2907
Matthew E. Fulton: CVE-2018-3109
Matthew Fulton of Pure Hacking: CVE-2018-2953
Mingxuan Song of CNCERT: CVE-2018-2894
Neil Kettle of Trustwave Spiderlabs: CVE-2018-2892
Nicolas Verdier of Tehtris: CVE-2018-2991, CVE-2018-2993, CVE-2018-2996, CVE-2018-3012
Niklas Baumstark working with Trend Micro’s Zero Day Initiative: CVE-2018-3055, CVE-2018-3085, CVE-2018-3091
Pawan Patil of Electronic Arts: CVE-2018-2994, CVE-2018-2995
Pawel Gocyla: CVE-2018-2925
Rich Mirch: CVE-2018-2939
Root Object working with Trend Micro’s Zero Day Initiative: CVE-2018-3086
Sidney Markowitz: CVE-2018-2942
Thomas Barabosch of Fraunhofer FKIE: CVE-2018-3005
Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2018-2893
Zhong Zhaochen: CVE-2018-2964

Security-In-Depth Contributors

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

Jim LaValley, Towerwall, Inc.
Lokesh Sharma (2 reports)

On-Line Presence Security Contributors

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

Adam Willard
Anil Tom
Cedric Zirtacic
Cem Onat Karagun (6 reports)
Dmitry Ivanov
Elif Zehra Karabiber (2 reports)
Omkar Avasthi
Jacob ‘kobsoN’ Hazak
Jamal Elfitory
Jayesh Patel
Jose Carlos Exposito Bueno
Kerem TAMCI
Mushraf Mustafa
Nalla Muthu
Nick Marcoccio @1oopho1e
re4lity of Polaris Lab
Richard Cocks
Rick Ramgattie
Sara Badran
TrendyTofu working with Trend Micro’s Zero Day Initiative
Viral Bhatt
Vishakh B
Vismit Rakhecha
Youssef A. Mohamed aka GeneralEG

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

16 October 2018
15 January 2019
16 April 2019
16 July 2019

References

Modification History

Date	Note
2018-October-12	Rev 8. Updated credit for CVE-2018-3055.
2018-September-18	Rev 7. Updated credit for CVE-2018-2996.
2018-September-4	Rev 6. Updated CVSS score of CVE-2018-2943.
2018-August-2	Rev 5. Updated affected versions of CVE-2018-2894 and CVE-2018-7489 for WebLogic Server.
2018-July-27	Rev 4. Updated On-Line Presence Security Contributors.
2018-July-23	Rev 3. Updated CVE-2018-2938.
2018-July-20	Rev 2. Updated CVE-2018-2938.
2018-July-17	Rev 1. Initial Release.

Oracle Database Server Risk Matrix

This Critical Patch Update contains 4 new security fixes for the Oracle Database Server divided as follows:

3 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
1 new security fix for Oracle Global Lifecycle Management. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complexity	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2017-15095	Oracle Spatial (jackson-databind)	None	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.0.1, 18.1
CVE-2018-2939	Core RDBMS	Local Logon	Local Logon	No	8.4	Local	Low	Low	None	Changed	None	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1, 18.2
CVE-2018-3004	Java VM	Create Session, Create Procedure	Multiple	No	5.3	Network	High	Low	None	Un- changed	High	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18.2

Oracle Global Lifecycle Management Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Global Lifecycle Management. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complexity	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-7489	Oracle Global Lifecycle Management OPatchAuto	DB specific extensions (jackson-databind)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	All

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Communications Applications. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complexity	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-2099	Oracle Communications User Data Repository	Security (Apache Xerces)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.x, 12.x
CVE-2016-0714	Oracle Communications Policy Management	Security (Apache Tomcat)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.x
CVE-2016-2176	Oracle Communications Policy Management	Security (OpenSSL)	TLS	Yes	8.2	Network	Low	None	None	Un- changed	Low	None	High	12.x
CVE-2017-7525	Oracle Communications Policy Management	Security (Apache Struts 2)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.x
CVE-2016-5195	Oracle Communications Policy Management	Platform (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	12.x
CVE-2017-6074	Oracle Communications Session Border Controller	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	ECz7.x, ECz8.x
CVE-2017-0379	Oracle Communications Interactive Session Recorder	Security (libgcrypt)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.x, 6.x
CVE-2015-7940	Oracle Communications Policy Management	CMP (Bouncy Castle)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.x
CVE-2017-5662	Oracle Communications Diameter Signaling Router (DSR)	Security (Apache Batik)	HTTP	No	7.3	Network	Low	Low	Required	Un- changed	High	None	High	7.x, 8.x
CVE-2018-2904	Oracle Communications EAGLE LNP Application Processor	GUI	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	10.x
CVE-2018-0739	Oracle Communications Network Charging and Control	Security (OpenSSL)	TLS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0
CVE-2017-3633	Oracle Communications Policy Management	Security (MySQL)	Multiple	Yes	6.5	Network	High	None	None	Un- changed	None	Low	High	12.x
CVE-2018-2936	Oracle Communications Messaging Server	Web Client	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.x
CVE-2015-5600	Oracle Communications Policy Management	Security (OpenSSH)	SSH	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.x

Additional CVEs addressed are below:

The fix for CVE-2015-5600 also addresses CVE-2014-2532.
The fix for CVE-2016-0714 also addresses CVE-2014-0230, CVE-2014-7810, CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706 and CVE-2016-3092.
The fix for CVE-2016-2099 also addresses CVE-2016-4463.
The fix for CVE-2016-2176 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 and CVE-2016-2109.
The fix for CVE-2017-3633 also addresses CVE-2017-3634, CVE-2017-3635, CVE-2017-3636, CVE-2017-3641, CVE-2017-3647, CVE-2017-3648, CVE-2017-3649, CVE-2017-3651, CVE-2017-3652, CVE-2017-3653 and CVE-2017-3732.
The fix for CVE-2017-7525 also addresses CVE-2017-15707 and CVE-2018-1327.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 11 new security fixes for the Oracle Construction and Engineering Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complexity	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-2966	Primavera Unifier	Core	HTTP	Yes	7.4	Network	Low	None	Required	Changed	None	High	None	16.x, 17.x, 18.x
CVE-2018-2968	Primavera Unifier	Core	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	High	None	16.x, 17.x, 18.x
CVE-2016-4055	Primavera Unifier	Core (Moment)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	16.x, 17.x, 18.x
CVE-2018-2960	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4, 15.x, 16.x, 17.x
CVE-2018-2961	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4, 15.x, 16.x, 17.x
CVE-2018-2965	Primavera Unifier	Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.x
CVE-2016-7103	Primavera Unifier	Core (jQueryUI)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.x, 17.x, 18.x
CVE-2018-2967	Primavera Unifier	Core	None	No	5.3	Physical	Low	None	None	Changed	High	None	None	16.x, 17.x, 18.x
CVE-2018-2962	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	4.4	Network	High	Low	Required	Changed	Low	Low	None	8.4, 15.x, 16.x, 17.x
CVE-2018-2963	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.4, 15.x, 16.x
CVE-2018-2969	Primavera Unifier	Core	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	16.x

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 14 new security fixes for the Oracle E-Business Suite. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2018), My Oracle Support Note 2379675.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complexity	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-2993	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3017	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2995	Oracle iStore	Shopping Cart	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3018	Oracle iStore	Shopping Cart	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3008	Oracle Marketing	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2018-2953	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2997	Oracle Scripting	Script Author	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2018-2991	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3012	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2996	Oracle Applications Manager	Oracle Diagnostics Interfaces	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2954	Oracle Order Management	Product Diagnostic Tools	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2988	Oracle Marketing	Products	HTTP	Yes	6.9	Network	High	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2934	Oracle Application Object Library	Attachments / File Upload	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.1.3
CVE-2018-2994	Oracle iStore	Shopping Cart	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 16 new security fixes for the Oracle Enterprise Manager Products Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2394520.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complexity	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2017-5645	Enterprise Manager Base Platform	Installer (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager Base Platform	Security Framework (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager for Fusion Middleware	Application Replay (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager for Fusion Middleware	FMW Plugin for CC (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager for MySQL Database	EM Plugin: General (Apache Log4j)	Log4j	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2.2.0.0 and prior
CVE-2017-5645	Enterprise Manager for Oracle Database	Provisioning (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.8, 13.2.2
CVE-2017-5645	Enterprise Manager for Peoplesoft	PSEM Plugin (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.1.1.1, 13.2.1.1
CVE-2018-7489	Enterprise Manager for Virtualization	Plug-In Lifecycle (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2.2, 13.2.3
CVE-2018-1275	Enterprise Manager Ops Center	Networking (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.2, 12.3.3
CVE-2018-1275	Oracle Application Testing Suite	Load Testing for Web Apps (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.1
CVE-2018-2976	Enterprise Manager Ops Center	Networking	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	High	Low	None	12.2.2
CVE-2016-1181	Enterprise Manager for Fusion Middleware	FMW Plugin for CC (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.1.0.5
CVE-2017-9798	Enterprise Manager Base Platform	Installer (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	13.2.x
CVE-2016-9878	Enterprise Manager Ops Center	Framework (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.2, 12.3.3
CVE-2017-9798	Enterprise Manager Ops Center	Networking (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.2, 12.3.3
CVE-2018-0739	Enterprise Manager Ops Center	Networking (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	12.2.2, 12.3.3

Additional CVEs addressed are below:

The fix for CVE-2016-1181 also addresses CVE-2014-0114 and CVE-2016-1182.
The fix for CVE-2016-9878 also addresses CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.
The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
The fix for CVE-2018-1275 also addresses CVE-2016-9878, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
The fix for CVE-2018-7489 also addresses CVE-2017-7525.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 56 new security fixes for Oracle Financial Services Applications. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The “Oracle Financial Services Analytical Applications Infrastructure” is a component that is used by a number of Oracle Financial Services Applications. Customers should refer to the MOS Note (Doc ID 2380553.1) to determine the dependent products and refer Oracle Financial Services Analytical Applications Infrastructure MOS document to determine how to patch this component.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complexity	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Banking Platform	Collections (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.6.0, 2.6.1, 2.6.2
CVE-2017-5645	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.3.x, 8.0.x	See Note 1
CVE-2018-1275	Oracle Financial Services Analytical Applications Infrastructure	Inline Processing Engine (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.x	See Note 1
CVE-2018-1275	Oracle Financial Services Behavior Detection Platform	Admin Tool (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.x
CVE-2017-5645	Oracle Financial Services Behavior Detection Platform	Ingestion (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.x
CVE-2017-5645	Oracle Financial Services Funds Transfer Pricing	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1.1, 8.0.x
CVE-2017-5645	Oracle Financial Services Hedge Management and IFRS Valuations	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.4, 8.0.5
CVE-2017-5645	Oracle Financial Services Loan Loss Forecasting and Provisioning	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.4, 8.0.5
CVE-2017-5645	Oracle Financial Services Profitability Management	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1.1, 8.0.x
CVE-2018-3050	Oracle Banking Corporate Lending	Core module	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3027	Oracle Banking Payments	Payments Core	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3051	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3035	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3015	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-8013	Oracle Financial Services Analytical Applications Infrastructure	Link Analysis and Metadata browser (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	7.3.3.x, 8.0.x	See Note 1
CVE-2018-3040	Oracle Banking Corporate Lending	Core module	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3022	Oracle Banking Payments	Payments Core	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2014-3577	Oracle Financial Services Revenue Management and Billing	External Message (HTTP Client)	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	2.3.0.2.0, 2.4.0.0.0, 2.4.0.1.0, 2.5.0.1.0, 2.5.0.2.0, 2.5.0.3.0
CVE-2018-3041	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.3.0, 14.0.0, 14.1.0
CVE-2018-3030	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2979	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3036	Oracle Banking Corporate Lending	Core module	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3020	Oracle Banking Payments	Payments Core	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3037	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.3.0, 14.0.0, 14.1.0
CVE-2018-3028	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2974	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-2895	Oracle Banking Corporate Lending	Core module	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-2896	Oracle Banking Payments	Payments Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-2897	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-2898	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2899	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3042	Oracle Banking Corporate Lending	Core module	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3044	Oracle Banking Corporate Lending	Core module	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3048	Oracle Banking Corporate Lending	Core module	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3023	Oracle Banking Payments	Payments Core	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3024	Oracle Banking Payments	Payments Core	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3026	Oracle Banking Payments	Payments Core	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3043	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.3.0, 14.0.0, 14.1.0
CVE-2018-3045	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3049	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3031	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3032	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3034	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2980	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-2981	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3019	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3038	Oracle Banking Corporate Lending	Core module	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3046	Oracle Banking Corporate Lending	Core module	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3021	Oracle Banking Payments	Payments Core	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3025	Oracle Banking Payments	Payments Core	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3039	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3047	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3029	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3033	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2975	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-2982	Oracle FLEXCUBE Universal Banking

Oracle Critical Patch Update Advisory – January 2020

Description

Affected Products and Patch Information

Note:

Risk Matrix Content

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

Security-In-Depth Contributors

On-Line Presence Security Contributors

Critical Patch Update Schedule

References

Modification History

Oracle Database Server Risk Matrix

Oracle Communications Applications Risk Matrix

Oracle Construction and Engineering Risk Matrix

Oracle E-Business Suite Risk Matrix

Oracle Enterprise Manager Risk Matrix

Oracle Financial Services Applications Risk Matrix

Oracle Food and Beverage Applications Risk Matrix

Oracle Fusion Middleware Risk Matrix

Oracle GraalVM Risk Matrix

Oracle Health Sciences Applications Risk Matrix

Oracle Hospitality Applications Risk Matrix

Oracle Hyperion Risk Matrix

Oracle iLearning Risk Matrix

Oracle Java SE Risk Matrix

Oracle JD Edwards Risk Matrix

Oracle MySQL Risk Matrix

Oracle PeopleSoft Risk Matrix

Oracle Retail Applications Risk Matrix

Oracle Siebel CRM Risk Matrix

Oracle Systems Risk Matrix

Oracle Supply Chain Risk Matrix

Oracle Utilities Applications Risk Matrix

Oracle Virtualization Risk Matrix

Related:

Oracle Critical Patch Update Advisory – October 2019

Description

Affected Products and Patch Information

Note:

Risk Matrix Content

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

Security-In-Depth Contributors

On-Line Presence Security Contributors

Critical Patch Update Schedule

References

Modification History

Oracle Database Server Risk Matrix

Oracle NoSQL Database Risk Matrix

Oracle Construction and Engineering Risk Matrix

Oracle E-Business Suite Risk Matrix

Oracle Enterprise Manager Risk Matrix

Oracle Financial Services Applications Risk Matrix

Oracle Food and Beverage Applications Risk Matrix

Oracle Fusion Middleware Risk Matrix

Oracle GraalVM Risk Matrix

Oracle Health Sciences Applications Risk Matrix

Oracle Hospitality Applications Risk Matrix

Oracle Hyperion Risk Matrix

Oracle Java SE Risk Matrix

Oracle JD Edwards Risk Matrix

Oracle MySQL Risk Matrix

Oracle PeopleSoft Risk Matrix

Oracle Policy Automation Risk Matrix

Oracle Retail Applications Risk Matrix

Oracle Siebel CRM Risk Matrix

Oracle Systems Risk Matrix

Oracle Supply Chain Risk Matrix

Oracle Support Tools Risk Matrix

Oracle Virtualization Risk Matrix

Related:

Oracle Security Alert Advisory – CVE-2019-2729

Description

Affected Products and Patch Information

Security Alert Supported Products and Versions