Category: Oracle

Oracle Database Server Risk Matrix

This Critical Patch Update contains 9 new security fixes for the Oracle Database Server divided as follows:

• 8 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 3 of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
• 1 new security fix for Oracle Global Lifecycle Management. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-11058	Core RDBMS	None	TCPS/HTTPS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	See Note 1
CVE-2019-2776	Core RDBMS	Create Any Index	OracleNet	No	7.6	Network	Low	High	None	Changed	High	Low	None	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2799	Oracle ODBC Driver	None	Multiple	No	7.5	Network	High	Low	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c	See Note 2
CVE-2019-2749	Java VM	Create Session, Create Procedure	Multiple	No	6.8	Network	High	Low	None	Un- changed	None	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2484	Application Express	Valid Account	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	5.1, 18.2
CVE-2019-2753	Oracle Text	Create Session	OracleNet	No	4.6	Network	Low	Low	Required	Un- changed	Low	None	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2019-2569	Core RDBMS	Local Logon	Local Logon	No	4.0	Local	High	High	Required	Un- changed	High	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1
CVE-2016-9572	Spatial	Create Session	OracleNet	No	3.5	Network	Low	Low	Required	Un- changed	None	None	Low	12.2.0.1, 18c

Notes:

1. Client Score for CVE-2018-11058 is 8.1 with Access Complexity as High.
2. The vulnerability affects Windows platforms only.

Additional CVEs addressed are below:

• The update for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.

Oracle Database Server Client-Only Installations

The following Oracle Database Server vulnerabilities included in this Critical Patch Update affect client-only installations: CVE-2018-11058, CVE-2019-2799 and CVE-2019-2569.

Oracle Global Lifecycle Management Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Global Lifecycle Management. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-7489	Oracle Global Lifecycle Management OPatchAuto	OPatch Auto Binary (jackson-databind)	Local Logon	No	7.2	Local	High	High	Required	Changed	High	High	High	Prior to 12.2.0.1.14

Additional CVEs addressed are below:

• The update for CVE-2018-7489 also addresses CVE-2017-15095 and CVE-2017-7525.

Oracle Berkeley DB Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Berkeley DB. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2760	Data Store	Local Logon	Local Logon	No	7.0	Local	High	None	Required	Un- changed	High	High	High	12.1.6.1.23, 12.1.6.1.26, 12.1.6.1.29, 12.1.6.1.36, 12.1.6.2.23, 12.1.6.2.32
CVE-2019-2868	Data Store	Local Logon	Local Logon	No	7.0	Local	High	None	Required	Un- changed	High	High	High	12.1.6.1.23, 12.1.6.1.26, 12.1.6.1.29, 12.1.6.1.36, 12.1.6.2.23, 12.1.6.2.32
CVE-2019-2869	Data Store	Local Logon	Local Logon	No	7.0	Local	High	None	Required	Un- changed	High	High	High	12.1.6.1.23, 12.1.6.1.26, 12.1.6.1.29, 12.1.6.1.36, 12.1.6.2.23, 12.1.6.2.32
CVE-2019-2870	Data Store	Local Logon	Local Logon	No	7.0	Local	High	None	Required	Un- changed	High	High	High	12.1.6.1.23, 12.1.6.1.26, 12.1.6.1.29, 12.1.6.1.36, 12.1.6.2.23, 12.1.6.2.32
CVE-2019-2871	Data Store	Local Logon	Local Logon	No	7.0	Local	High	None	Required	Un- changed	High	High	High	12.1.6.1.23, 12.1.6.1.26, 12.1.6.1.29, 12.1.6.1.36, 12.1.6.2.23, 12.1.6.2.32

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 24 new security fixes for Oracle Communications Applications. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-1000031	Oracle Communications Application Session Controller	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.7.1, 3.8.0
CVE-2019-2729	Oracle Communications Converged Application Server	Security (Oracle WebLogic Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.1, 7.0, 7.1
CVE-2018-1275	Oracle Communications Converged Application Server – Service Controller	Security (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0, 6.1
CVE-2016-1000031	Oracle Communications Convergence	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.0.2
CVE-2017-5645	Oracle Communications Interactive Session Recorder	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0, 6.1, 6.2
CVE-2016-1000031	Oracle Communications Online Mediation Controller	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1
CVE-2016-1000031	Oracle Communications Unified	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0.2.0
CVE-2018-19362	Oracle Communications Unified	Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0.2.0
CVE-2018-18311	Oracle Communications Billing and Revenue Management	Billing and Revenue Management Server (Perl)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	7.5, 12.0
CVE-2018-8039	Oracle Communications Diameter Signaling Router (DSR)	Security (Apache cxf)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.0, 8.1, 8.2
CVE-2018-12023	Oracle Communications Instant Messaging Server	Security (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	10.0.1.2.0
CVE-2018-1000120	Oracle Communications Application Session Controller	Security (cURL)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	3.7.1, 3.8.0
CVE-2019-12086	Oracle Communications Billing and Revenue Management	Billing Care, Business Operations Center (jackson-databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	7.5, 12.0
CVE-2018-1000180	Oracle Communications Convergence	Security (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	3.0.2
CVE-2018-0732	Oracle Communications Diameter Signaling Router (DSR)	Signaling (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0, 8.1, 8.2, 8.3
CVE-2017-5664	Oracle Communications Interactive Session Recorder	Security (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	6.0, 6.1, 6.2
CVE-2018-15756	Oracle Communications Online Mediation Controller	Security (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	6.1
CVE-2018-8013	Oracle Communications Application Session Controller	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	3.7.1, 3.8.0
CVE-2017-3736	Oracle Communications EAGLE (Software)	Security (OpenSSL)	TLS	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	46.5, 46.6, 46.7
CVE-2018-1305	Oracle Communications Instant Messaging Server	Security (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	10.0.1.2.0
CVE-2018-17197	Oracle Communications Messaging Server	Security (Apache Tika)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	8.0.2, 8.1.0
CVE-2015-9251	Oracle Communications Application Session Controller	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.7.1, 3.8.0
CVE-2019-11358	Oracle Communications Billing and Revenue Management	Billing Care, Business Operations Center (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.5, 12.0
CVE-2017-5715	Oracle Communications Diameter Signaling Router (DSR)	Security (Kernel)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	8.0, 8.1, 8.2, 8.3

Additional CVEs addressed are below:

• The update for CVE-2017-3736 also addresses CVE-2017-3735, CVE-2017-3737, CVE-2017-3738, CVE-2018-0732, CVE-2018-0734, CVE-2018-0737, CVE-2018-0739 and CVE-2018-5407.
• The update for CVE-2017-5664 also addresses CVE-2016-8735 and CVE-2017-5647.
• The update for CVE-2018-0732 also addresses CVE-2017-3738, CVE-2018-0733, CVE-2018-0734, CVE-2018-0737 and CVE-2018-0739.
• The update for CVE-2018-1000120 also addresses CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.
• The update for CVE-2018-1000180 also addresses CVE-2018-1000613.
• The update for CVE-2018-12023 also addresses CVE-2018-11307 and CVE-2018-12022.
• The update for CVE-2018-1275 also addresses CVE-2018-1258, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
• The update for CVE-2018-1305 also addresses CVE-2018-1304.
• The update for CVE-2018-15756 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-1258, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.
• The update for CVE-2018-19362 also addresses CVE-2018-19360 and CVE-2018-19361.
• The update for CVE-2019-12086 also addresses CVE-2018-19360, CVE-2018-19361 and CVE-2018-19362.
• The update for CVE-2019-2729 also addresses CVE-2019-2725.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 8 new security fixes for the Oracle Construction and Engineering Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-19362	Primavera Gateway	Admin (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.2, 16.2, 17.12, 18.8
CVE-2019-0192	Primavera Unifier	Core (solr)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2019-0190	Instantis EnterpriseTrack	Core (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.1, 17.2, 17.3
CVE-2019-0199	Instantis EnterpriseTrack	Core (Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.1, 17.2, 17.3
CVE-2018-15756	Primavera Analytics	Admin (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	18.8
CVE-2018-15756	Primavera Gateway	Admin (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	15.2, 16.2, 17.12, 18.8
CVE-2018-17197	Primavera Unifier	Core (Apache Tika)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2015-9251	Primavera Unifier	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.1, 16.2, 17.7-17.12, 18.8

Additional CVEs addressed are below:

• The update for CVE-2018-19362 also addresses CVE-2018-19360 and CVE-2018-19361.
• The update for CVE-2019-0190 also addresses CVE-2018-17189 and CVE-2018-17199.
• The update for CVE-2019-0192 also addresses CVE-2017-3164.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 13 new security fixes for the Oracle E-Business Suite. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2019), My Oracle Support Note 2555452.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2828	Oracle Field Service	Wireless	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	12.1.1 – 12.1.3, 12.2.3 – 12.2.8
CVE-2019-2775	Oracle Payments	File Transmission	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	None	High	High	12.1.1 – 12.1.3, 12.2.3 – 12.2.8
CVE-2019-2782	Oracle Payments	File Transmission	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.8
CVE-2019-2837	Oracle CRM Technical Foundation	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3 – 12.2.8
CVE-2019-2829	Oracle iSupport	Service Requests	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.8
CVE-2019-2666	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.8
CVE-2019-2668	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.8
CVE-2019-2672	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.8
CVE-2019-2825	Oracle Applications Manager	Oracle Diagnostics Interfaces	HTTP	No	6.5	Network	Low	High	None	Un- changed	High	High	None	12.1.3, 12.2.3 – 12.2.8
CVE-2019-2773	Oracle Payments	File Transmission	HTTP	Yes	5.8	Network	Low	None	None	Changed	Low	None	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.8
CVE-2019-2783	Oracle Payments	File Transmission	HTTP	Yes	5.8	Network	Low	None	None	Changed	Low	None	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.8
CVE-2019-2809	Oracle iRecruitment	Password Reset	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	12.1.1 – 12.1.3, 12.2.3 – 12.2.8
CVE-2019-2761	Oracle Application Object Library	Attachments / File Upload	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3 – 12.2.8

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 12 new security fixes for the Oracle Enterprise Manager Products Suite. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2534806.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-19362	Enterprise Manager for Virtualization	Plug-In Lifecycle (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.1, 13.2, 13.3
CVE-2019-3822	Enterprise Manager Ops Center	Networking (cURL)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.3, 12.4.0
CVE-2016-1000031	Oracle Application Testing Suite	Load Testing for Web Apps (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.1, 13.2, 13.3
CVE-2018-8039	Enterprise Manager Base Platform	Connector Framework (Apache CXF)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
CVE-2019-0211	Enterprise Manager Ops Center	Compliance Test Suite (Apache HTTP Server)	none	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	12.3.3, 12.4.0
CVE-2018-1000180	Enterprise Manager for Fusion Middleware	Application Replay (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	13.2, 13.3
CVE-2019-0222	Oracle Enterprise Manager Base Platform	Valid Session (Apache ActiveMQ)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
CVE-2019-2727	Oracle Application Testing Suite	Load Testing for Web Apps	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	13.3
CVE-2018-11775	Oracle Enterprise Manager Base Platform	Reporting Framework (Apache ActiveMQ)	HTTP	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
CVE-2019-1559	Enterprise Manager Base Platform	Discovery Framework (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
CVE-2019-1559	Enterprise Manager Ops Center	Networking (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.3.3, 12.4.0
CVE-2019-2728	Enterprise Manager Ops Center	Networking	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	12.3.3, 12.4.0

Additional CVEs addressed are below:

• The update for CVE-2018-1000180 also addresses CVE-2018-1000613.
• The update for CVE-2018-19362 also addresses CVE-2018-19360 and CVE-2018-19361.
• The update for CVE-2018-8039 also addresses CVE-2018-1258.
• The update for CVE-2019-0211 also addresses CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217 and CVE-2019-0220.
• The update for CVE-2019-0222 also addresses CVE-2018-11775.
• The update for CVE-2019-3822 also addresses CVE-2018-16890 and CVE-2019-3823.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 60 new security fixes for Oracle Financial Services Applications. 50 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-19362	Oracle Banking Platform	Infrastructure (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0-2.7.1
CVE-2018-19362	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.2-8.0.8
CVE-2018-19362	Oracle Financial Services Funds Transfer Pricing	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.6-8.0.7
CVE-2018-19362	Oracle Financial Services Institutional Performance Analytics	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.4-8.0.7
CVE-2018-19362	Oracle Financial Services Price Creation and Discovery	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.4-8.0.7
CVE-2018-19362	Oracle Financial Services Profitability Management	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.4-8.0.7
CVE-2018-19362	Oracle Financial Services Retail Customer Analytics	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.4-8.0.6
CVE-2016-1000031	Oracle FLEXCUBE Core Banking	Securities (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.2.0, 11.6.0, 11.7.0, 11.8.0
CVE-2016-1000031	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0, 12.1
CVE-2016-1000031	Oracle FLEXCUBE Universal Banking	Infrastructure (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.1-12.0.3, 12.1.0
CVE-2018-19362	Oracle Insurance Allocation Manager for Enterprise Profitability	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.8
CVE-2018-19362	Oracle Insurance Performance Insight	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.7
CVE-2019-2841	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.0.1, 12.0.3, 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-8039	Oracle FLEXCUBE Private Banking	Core (cxf)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.0.1, 12.0.3, 12.1.0
CVE-2019-2754	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.0.1-12.0.3, 12.1.0-12.4.0, 14.0.0-14.2.0
CVE-2018-15756	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.2-8.0.8
CVE-2018-15756	Oracle FLEXCUBE Private Banking	Core (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.0.1, 12.0.3, 12.1.0
CVE-2014-0114	Oracle Insurance IFRS 17 Analyzer	UI (Beanutils)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.0.6, 8.0.7
CVE-2018-17197	Oracle FLEXCUBE Private Banking	Core (Apache Tika)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	12.0.1, 12.0.3, 12.1.0
CVE-2019-11358	Oracle Banking Platform	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.4.0-2.7.1
CVE-2019-11358	Oracle Financial Services – Regulatory Reporting for Reserve Bank of India – Lombard Risk Integration Pack	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.7
CVE-2019-11358	Oracle Financial Services – Regulatory Reporting for US Federal Reserve – Lombard Risk Integration Pack	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2019-11358	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.3.3-7.3.5, 8.0.2-8.0.8
CVE-2019-11358	Oracle Financial Services Analytical Applications Reconciliation Framework	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2019-11358	Oracle Financial Services Asset Liability Management	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2019-11358	Oracle Financial Services Basel Regulatory Capital Basic	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2019-11358	Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2019-11358	Oracle Financial Services Data Foundation	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.8
CVE-2019-11358	Oracle Financial Services Data Integration Hub	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5-8.0.7
CVE-2019-11358	Oracle Financial Services Funds Transfer Pricing	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2019-11358	Oracle Financial Services Hedge Management and IFRS Valuations	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2019-11358	Oracle Financial Services Institutional Performance Analytics	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2019-11358	Oracle Financial Services Liquidity Risk Management	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.1, 8.0.2, 8.0.4, 8.0.5, 8.0.6
CVE-2019-11358	Oracle Financial Services Liquidity Risk Measurement and Management	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.7, 8.0.8
CVE-2019-11358	Oracle Financial Services Loan Loss Forecasting and Provisioning	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.2-8.0.7
CVE-2019-11358	Oracle Financial Services Market Risk Measurement and Management	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5, 8.0.6, 8.0.8
CVE-2019-11358	Oracle Financial Services Price Creation and Discovery	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2019-11358	Oracle Financial Services Profitability Management	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2019-11358	Oracle Financial Services Regulatory Reporting for European Banking Authority	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7
CVE-2019-11358	Oracle Financial Services Regulatory Reporting for European Banking Authority – Integration Pack for Lombard Risk	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7
CVE-2019-11358	Oracle Financial Services Regulatory Reporting for US Federal Reserve	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2019-11358	Oracle Financial Services Retail Customer Analytics	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.6
CVE-2019-11358	Oracle Financial Services Revenue Management and Billing	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.4.0.0, 2.4.0.1
CVE-2017-14735	Oracle FLEXCUBE Core Banking	Security (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.2.0, 11.6.0, 11.7.0, 11.8.0
CVE-2019-2736	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.0.1, 12.0.3, 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2019-2744	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.0.1-12.0.3, 12.1.0-12.4.0, 14.0.0-14.2.0
CVE-2019-11358	Oracle Insurance Allocation Manager for Enterprise Profitability	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.8
CVE-2019-11358	Oracle Insurance Data Foundation	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2019-11358	Oracle Insurance IFRS 17 Analyzer	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7
CVE-2019-11358	Oracle Insurance Performance Insight	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.7
CVE-2019-2847	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.7	Network	Low	Low	Required	Un- changed	High	None	None	12.0.1, 12.0.3, 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2019-2840	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.7	Network	Low	Low	Required	Un- changed	High	None	None	12.0.1-12.0.3, 12.1.0-12.4.0, 14.0.0-14.2.0
CVE-2019-2823	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	8.0.5-8.0.8
CVE-2019-2843	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.0.1, 12.0.3, 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2019-2790	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.0.1-12.0.3, 12.1.0-12.4.0, 14.0.0-14.2.0
CVE-2019-2846	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.0.1, 12.0.3, 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2019-2794	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.0.1-12.0.3, 12.1.0-12.4.0, 14.0.0-14.2.0
CVE-2019-2839	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.1.0-12.4.0, 14.0.0-14.2.0
CVE-2019-2845	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	3.5	Network	Low	Low	Required	Un- changed	None	None	Low	12.0.1, 12.0.3, 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2019-2793	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	3.5	Network	Low	Low	Required	Un- changed	None	None	Low	12.0.1-12.0.3, 12.1.0-12.4.0, 14.0.0-14.2.0

Additional CVEs addressed are below:

• The update for CVE-2018-19362 also addresses CVE-2018-19360, CVE-2018-19361 and CVE-2019-12086.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle Food and Beverage Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2763	Oracle Hospitality Gift and Loyalty	iCard	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	High	Low	None	9.0.0, 9.1.0
CVE-2019-2833	Oracle Hospitality Simphony	Import/Export	HTTP	No	7.7	Network	Low	Low	None	Changed	High	None	None	18.2.1
CVE-2019-2836	Oracle Hospitality Simphony	Engagement	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	18.2.1

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 33 new security fixes for Oracle Fusion Middleware. 28 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Please note that the recently-released Security Alert patches for WebLogic Server, CVE-2019-2725 and CVE-2019-2729, are included in this Critical Patch Update. Customers are strongly advised to apply this Critical Patch Update on all WebLogic Server systems.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-11058	Oracle Security Service	SSL API (RSA BSAFE)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2017-5645	Oracle SOA Suite	Installation & Templates (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2016-1000031	Oracle WebCenter Sites	Advanced UI (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2019-2856	Oracle WebLogic Server	Application Container – JavaEE	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2016-6814	Oracle WebCenter Sites	Advanced UI (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	12.2.1.3.0
CVE-2019-2771	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	No	8.2	Network	Low	Low	Required	Changed	Low	High	Low	11.1.1.9.0
CVE-2019-0211	Oracle HTTP Server	Web Listener (Apache httpd)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2019-2768	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.1.9.0
CVE-2018-1000180	Oracle Data Integrator	Runtime Java agent for ODI (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3.0
CVE-2018-15756	Oracle Endeca Information Discovery Integrator	Other Issues (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.2.0
CVE-2019-0222	Oracle Enterprise Repository	Security Subsystem – 12c (Apache ActiveMQ)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.3.0.0
CVE-2018-15756	Oracle WebCenter Sites	Advanced UI (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.1.3.0
CVE-2018-15756	Oracle WebLogic Server	Sample apps (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2852	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2853	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2756	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2759	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2854	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2764	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2792	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2835	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2855	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2018-8013	Oracle WebCenter Sites	Third Party Tools (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	12.2.1.3.0
CVE-2019-2767	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	11.1.1.9.0
CVE-2019-2742	Oracle BI Publisher	Web Service API	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	11.1.1.9.0
CVE-2015-9251	Oracle Business Intelligence Enterprise Edition	BI Platform Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.2.1.4.0
CVE-2016-7103	Oracle WebLogic Server	Console (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-0734	Oracle Endeca Server	Product Code (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.7.0
CVE-2019-1559	Oracle Endeca Server	Product Code (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.7.0
CVE-2019-2751	Oracle HTTP Server	OHS Config MBeans	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.3.0
CVE-2019-2824	Oracle WebLogic Server	WLS Core Components	HTTP	No	5.5	Network	Low	High	None	Un- changed	High	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2827	Oracle WebLogic Server	WLS Core Components	HTTP	No	5.5	Network	Low	High	None	Un- changed	High	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2858	Oracle Identity Manager	Advanced Console	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	11.1.2.3.0, 12.2.1.3.0

Notes:

1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

• The update for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
• The update for CVE-2018-1000180 also addresses CVE-2018-1000613.
• The update for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
• The update for CVE-2019-2742 also addresses CVE-2016-3473.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Hospitality Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2781	Oracle Hospitality Suite8	XML Interface	TCP/IP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.9.6, 8.10.2, 8.11-8.14
CVE-2019-11358	Oracle Hospitality Guest Access	Base (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	4.2, 4.2.1

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle Hyperion. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2770	Oracle Hyperion Planning	Smart View	HTTP	No	4.5	Network	Low	High	Required	Un- changed	High	None	None	11.1.2.4
CVE-2019-2861	Oracle Hyperion Planning	Security	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4
CVE-2019-2735	Oracle Hyperion Workspace	UI and Visualization	HTTP	No	2.4	Network	Low	High	Required	Un- changed	Low	None	None	11.1.2.4

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 7 new security fixes for Oracle Insurance Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-1000031	Oracle Insurance Calculation Engine	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.7, 10.0, 10.1, 10.2
CVE-2016-1000031	Oracle Insurance Policy Administration J2EE	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0, 10.1, 10.2, 11.0
CVE-2016-1000031	Oracle Insurance Rules Palette	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0, 10.1, 10.2, 11.0
CVE-2018-15756	Oracle Insurance Calculation Engine	Core (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.7, 10.0, 10.1, 10.2
CVE-2018-15756	Oracle Insurance Policy Administration J2EE	Core (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10.0, 10.1, 10.2, 11.0
CVE-2018-15756	Oracle Insurance Rules Palette	Core (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10.0, 10.1, 10.2, 11.0
CVE-2017-14735	Oracle Insurance Calculation Engine	Core (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.7, 10.0, 10.1, 10.2

Additional CVEs addressed are below:

• The update for CVE-2018-15756 also addresses CVE-2016-5007 and CVE-2016-9878.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 10 new security fixes for Oracle Java SE. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application (in Java SE 8) has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of “High”, lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-7317	Java SE, Java SE Embedded	AWT (libpng)	Multiple	Yes	6.8	Network	High	None	Required	Un- changed	None	High	High	Java SE: 7u221, 8u212, 11.0.3, 12.0.1; Java SE Embedded: 8u211	See Note 1
CVE-2019-2821	Java SE	JSSE	TLS	Yes	5.3	Network	High	None	Required	Un- changed	High	None	None	Java SE: 11.0.3, 12.0.1	See Note 1
CVE-2019-2762	Java SE, Java SE Embedded	Utilities	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 7u221, 8u212, 11.0.3, 12.0.1; Java SE Embedded: 8u211	See Note 2
CVE-2019-2769	Java SE, Java SE Embedded	Utilities	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 7u221, 8u212, 11.0.3, 12.0.1; Java SE Embedded: 8u211	See Note 2
CVE-2019-2745	Java SE	Security	None	No	5.1	Local	High	None	None	Un- changed	High	None	None	Java SE: 7u221, 8u212, 11.0.3	See Note 2
CVE-2019-2816	Java SE, Java SE Embedded	Networking	Multiple	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	Java SE: 7u221, 8u212, 11.0.3, 12.0.1; Java SE Embedded: 8u211	See Note 2
CVE-2019-2842	Java SE	JCE	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 8u212	See Note 2
CVE-2019-2786	Java SE, Java SE Embedded	Security	Multiple	Yes	3.4	Network	High	None	Required	Changed	Low	None	None	Java SE: 8u212, 11.0.3, 12.0.1; Java SE Embedded: 8u211	See Note 2
CVE-2019-2818	Java SE	Security	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Java SE: 11.0.3, 12.0.1	See Note 1
CVE-2019-2766	Java SE, Java SE Embedded	Networking	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Java SE: 7u221, 8u212, 11.0.3, 12.0.1; Java SE Embedded: 8u211	See Note 2

Notes:

1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
2. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Additional CVEs addressed are below:

• The update for CVE-2019-7317 also addresses CVE-2019-6129.

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle GraalVM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2813	Oracle GraalVM Enterprise Edition	GraalVM	Multiple	No	7.7	Network	Low	Low	None	Changed	None	None	High	19.0.0
CVE-2019-2862	Oracle GraalVM Enterprise Edition	Java	Multiple	Yes	6.8	Network	High	None	Required	Un- changed	None	High	High	19.0.0

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle JD Edwards Products. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	JD Edwards EnterpriseOne Tools	Installation SEC (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-19362	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-19362	JD Edwards EnterpriseOne Tools	Web Runtime (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2019-1559	JD Edwards EnterpriseOne Tools	Enterprise Infrastructure SEC (OpenSSL)	JDENET	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	9.2
CVE-2019-1559	JD Edwards World Security	Security Vulnerability (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	A9.3, A9.3.1, A9.4

Additional CVEs addressed are below:

• The update for CVE-2018-19362 also addresses CVE-2018-19360 and CVE-2018-19361.
• The update for CVE-2019-1559 also addresses CVE-2018-0734, CVE-2018-0735 and CVE-2018-5407.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 45 new security fixes for Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-3822	MySQL Server	Server: Packaging (cURL)	MySQL Protocol	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.7.26 and prior, 8.0.15 and prior
CVE-2018-15756	MySQL Enterprise Monitor	Monitoring: General (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	4.0.9 and prior, 8.0.14 and prior
CVE-2019-2822	MySQL Server	Shell: Admin / InnoDB Cluster	MySQL Protocol	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	8.0.16 and prior
CVE-2019-2800	MySQL Server	Server: Replication	MySQL Protocol	No	7.1	Network	Low	Low	None	Un- changed	None	Low	High	8.0.16 and prior
CVE-2019-2795	MySQL Server	Server: Charsets	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2746	MySQL Server	Server: Data Dictionary	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2019-2812	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2834	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2805	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.44 and prior, 5.7.26 and prior, 8.0.16 and prior
CVE-2019-2740	MySQL Server	Server: XML	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.44 and prior, 5.7.26 and prior, 8.0.16 and prior
CVE-2019-1559	MySQL Workbench	MySQL Workbench (OpenSSL)	MySQL Workbench	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.0.16 and prior
CVE-2019-2758	MySQL Server	InnoDB	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.7.26 and prior, 8.0.16 and prior
CVE-2019-2819	MySQL Server	Server: Security: Audit	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.6.44 and prior, 5.7.26 and prior, 8.0.16 and prior
CVE-2019-2731	MySQL Server	Server: Replication	MySQL Protocol	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	5.7.23 and prior
CVE-2019-2778	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	5.7.26 and prior, 8.0.16 and prior
CVE-2019-2741	MySQL Server	Server: Audit Log	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.7.26 and prior, 8.0.16 and prior
CVE-2019-2743	MySQL Server	Server: Security: Roles	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2019-2739	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	5.1	Local	Low	High	None	Un- changed	None	Low	High	5.6.44 and prior, 5.7.26 and prior, 8.0.16 and prior
CVE-2019-2785	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2798	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2879	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2737	MySQL Server	Server : Pluggable Auth	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.44 and prior, 5.7.26 and prior, 8.0.16 and prior
CVE-2019-2780	MySQL Server	Server: Components / Services	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2784	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2801	MySQL Server	Server: FTS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2747	MySQL Server	Server: GIS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2019-2757	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.26 and prior, 8.0.16 and prior
CVE-2019-2774	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.26 and prior, 8.0.16 and prior
CVE-2019-2796	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2802	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2803	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2808	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2810	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2815	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2830	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2752	MySQL Server	Server: Options	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2755	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2811	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2826	MySQL Server	Server: Security: Roles	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2797	MySQL Server	Client programs	MySQL Protocol	No	4.2	Adjacent Network	High	High	None	Un- changed	None	None	High	5.7.26 and prior, 8.0.16 and prior
CVE-2019-2791	MySQL Server	Server: Audit Plug-in	MySQL Protocol	No	3.8	Network	Low	High	None	Un- changed	Low	Low	None	5.7.26 and prior, 8.0.16 and prior
CVE-2019-2738	MySQL Server	Server : Compiling	MySQL Protocol	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	5.6.44 and prior, 5.7.26 and prior, 8.0.16 and prior
CVE-2019-2730	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	None	Low	None	5.6.44 and prior, 5.7.18 and prior
CVE-2019-2789	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	None	Low	None	8.0.16 and prior
CVE-2019-2814	MySQL Server	InnoDB	MySQL Protocol	No	2.2	Network	High	High	None	Un- changed	None	Low	None	8.0.16 and prior

Additional CVEs addressed are below:

• The update for CVE-2019-3822 also addresses CVE-2018-16890 and CVE-2019-3823.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 8 new security fixes for Oracle PeopleSoft Products. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2015-0226	PeopleSoft Enterprise PeopleTools	Security (Apache WSS4J)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.55, 8.56, 8.57
CVE-2019-2748	PeopleSoft Enterprise PT PeopleTools	Application Server	HTTP	No	7.1	Network	High	Low	None	Changed	Low	High	None	8.55, 8.56, 8.57
CVE-2019-2599	PeopleSoft Enterprise PT PeopleTools	Pagelet Wizard	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.55, 8.56, 8.57
CVE-2019-2831	PeopleSoft Enterprise FIN Project Costing	Projects	HTTP	No	6.4	Network	Low	Low	None	Changed	None	Low	Low	9.2
CVE-2019-2772	PeopleSoft Enterprise PeopleTools	Activity Guide	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-11358	PeopleSoft Enterprise PeopleTools	Mobile Application Platform (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2018-17960	PeopleSoft Enterprise PeopleTools	Rich Text Editor (CKEditor)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-1559	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.55, 8.56, 8.57

Additional CVEs addressed are below:

• The update for CVE-2015-0226 also addresses CVE-2015-0227.
• The update for CVE-2018-17960 also addresses CVE-2018-9861.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 21 new security fixes for Oracle Retail Applications. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-1000031	MICROS Retail XBRi Loss Prevention	Retail (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.8.0 – 10.8.3
CVE-2016-1000031	Oracle Retail Integration Bus	RIB Kernal (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2018-19362	Oracle Retail Xstore Point of Service	Xenvironment (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.0, 7.1, 15.0, 16.0, 17.0, 18.0
CVE-2018-1258	Oracle Retail Predictive Application Server	RPAS Fusion Client (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	16.0
CVE-2018-1258	Oracle Retail Predictive Application Server	RPAS Fusion Client (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	14.0.3.26, 14.1.3.37, 15.0.3.100
CVE-2018-1258	Oracle Retail Service Backbone	Install (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	16.0.1
CVE-2019-2750	MICROS Retail-J	Internal Operations	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	12.1.0, 12.1.1, 12.1.2, 13.1
CVE-2018-3315	Oracle Retail Customer Management and Segmentation Foundation	Customer	HTTP	No	8.2	Network	High	Low	None	Changed	High	High	None	16.0, 17.0
CVE-2019-2561	Oracle Retail Xstore Office	Internal Operations	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	High	Low	None	7.0, 7.1
CVE-2018-19362	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	16.0, 17.0, 18.0
CVE-2018-8039	Oracle Retail Order Broker	Order Broker Foundation (Apache CXF)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	5.2, 15.0
CVE-2019-0232	Oracle Retail Order Broker	Upgrade Install (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	5.2, 15.0
CVE-2016-1181	Oracle Retail Order Management System	Upgrade Install (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	5.0
CVE-2019-0211	Oracle Retail Xstore Point of Service	Xenvironment (Apache HTTP Server)	none	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	7.0, 7.1
CVE-2018-3316	Oracle Retail Customer Management and Segmentation Foundation	Segment	HTTP	No	7.6	Network	Low	Low	None	Un- changed	High	Low	Low	16.0, 17.0
CVE-2018-3111	Oracle Retail Xstore Office	Internal Operations	HTTP	Yes	7.6	Network	Low	None	Required	Un- changed	High	Low	Low	7.1
CVE-2018-15756	Oracle Retail Advanced Inventory Planning	Operations & Maintenance (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	15.0
CVE-2018-15756	Oracle Retail Financial Integration	PeopleSoft Integration Bugs (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	14.0, 14.1, 15.0, 16.0
CVE-2019-0190	Oracle Retail Xstore Point of Service	Xstore Office (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.0, 7.1
CVE-2018-2883	Oracle Retail Xstore Office	Internal Operations	HTTP	No	5.5	Network	Low	Low	Required	Un- changed	Low	Low	Low	7.0, 7.1
CVE-2018-11784	MICROS Retail XBRi Loss Prevention	Retail (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	10.8.0 – 10.8.3

Additional CVEs addressed are below:

• The update for CVE-2016-1181 also addresses CVE-2016-1182.
• The update for CVE-2018-11784 also addresses CVE-2018-8034.
• The update for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257 and CVE-2018-15756.
• The update for CVE-2018-15756 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257 and CVE-2018-1258.
• The update for CVE-2018-19362 also addresses CVE-2018-19360 and CVE-2018-19361.
• The update for CVE-2019-0190 also addresses CVE-2018-17189 and CVE-2018-17199.
• The update for CVE-2019-0211 also addresses CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217 and CVE-2019-0220.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle Siebel CRM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2777	Siebel Core – Server Framework	Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	19.0 and prior
CVE-2019-2857	Siebel UI Framework	UIF Open UI	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	19.0 and prior
CVE-2019-2779	Siebel Core – Common Components	Email	HTTP	No	4.2	Network	High	High	Required	Un- changed	High	None	None	19.0 and prior

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 14 new security fixes for the Oracle Sun Systems Products Suite. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2725	StorageTek Tape Analytics SW Tool	Application Server (WebLogic)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.3.0
CVE-2019-2729	StorageTek Tape Analytics SW Tool	Application Server (WebLogic)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.3.0
CVE-2019-2725	Tape Virtual Storage Manager GUI	Application Server (WebLogic)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.2
CVE-2019-5597	Oracle Solaris	Kernel	IPv6	Yes	9.1	Network	Low	None	None	Un- changed	None	High	High	11.4, 11.3
CVE-2019-2832	Oracle Solaris	Common Desktop Environment	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	10
CVE-2019-2844	Oracle Solaris	LDAP Client Tools	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	11.4
CVE-2019-5598	Oracle Solaris	Kernel	ICMPv6	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	11.4
CVE-2019-2838	Oracle Solaris	Kernel	NFS	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	11.4
CVE-2019-2804	Oracle Solaris	Filesystem	None	No	7.3	Local	Low	Low	Required	Un- changed	High	High	High	11.4, 10
CVE-2019-2820	Oracle Solaris	Gnuplot	None	No	7.3	Local	Low	Low	Required	Un- changed	High	High	High	11.4
CVE-2019-2788	Oracle Solaris	Open Fabrics Tools	None	No	6.3	Local	High	None	Required	Un- changed	None	High	High	11.4
CVE-2019-2878	Sun ZFS Storage Appliance Kit (AK)	HTTP data path subsystems	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.8.3
CVE-2019-2787	Oracle Solaris	Automount	NFS	Yes	4.2	Network	High	None	Required	Un- changed	Low	Low	None	11.4, 10
CVE-2019-2807	Oracle Solaris	Zones	None	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	11.4

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 8 new security fixes for the Oracle Supply Chain Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-1000031	Oracle Agile Engineering Data Management	Installation Issues (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.2.0, 6.2.1
CVE-2019-2725	Oracle Agile PLM	Application Server (Oracle WebLogic Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.4, 9.3.5
CVE-2019-0232	Oracle Transportation Management	Install (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	6.3.7
CVE-2018-15756	Oracle Agile PLM	Security (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2019-2817	Oracle Agile PLM	Folders, Files & Attachments	HTTP	No	5.4	Network	High	Low	Required	Un- changed	High	None	Low	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2019-2732	Oracle Demantra Demand Management	Product Security	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	7.3.1.5.2
CVE-2018-11784	Oracle Agile Engineering Data Management	Installation Issues (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	6.2.0, 6.2.1
CVE-2019-2733	Oracle Demantra Demand Management	Product Security	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	7.3.1.5.2

Additional CVEs addressed are below:

• The update for CVE-2018-11784 also addresses CVE-2018-8034.
• The update for CVE-2019-0232 also addresses CVE-2018-11784 and CVE-2018-8034.

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 7 new security fixes for Oracle Support Tools. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-3822	Services Tools Bundle	Utilities (cURL)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.2
CVE-2018-12022	Oracle Clusterware	Trace File Analyzer (TFA) Collector (jackson-databind)	Multiple	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.1.0.2.0
CVE-2018-1000873	Oracle Clusterware	Trace File Analyzer (TFA) Collector (jackson-databind)	Multiple	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	12.1.0.2.0
CVE-2015-9251	Diagnostic Assistant	Libraries (Jsch and jQuery)	Multiple	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	Prior to 2.12.36
CVE-2019-11358	System Utilities	One Command Installation Tool (jQuery)	Multiple	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	19.1
CVE-2019-1559	Services Tools Bundle	Utilities (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	19.2
CVE-2019-2860	Oracle Clusterware	Trace File Analyzer (TFA) Collector	Multiple	Yes	5.6	Network	High	None	None	Un- changed	Low	Low	Low	12.1.0.2.0

Additional CVEs addressed are below:

• The update for CVE-2018-1000873 also addresses CVE-2018-12022, CVE-2018-12023, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361 and CVE-2019-12814.
• The update for CVE-2018-12022 also addresses CVE-2018-12023 and CVE-2019-12086.
• The update for CVE-2019-11358 also addresses CVE-2015-9251.
• The update for CVE-2019-3822 also addresses CVE-2018-16890 and CVE-2019-3823.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle Utilities Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Oracle Utilities Advanced Spatial and Operational Analytics	Install (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.7.0.1
CVE-2016-6814	Oracle Utilities Framework	Scripting (Groovy)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.3.0.2.0-4.3.0.6.0, 4.4.0.0.0
CVE-2018-12023	Oracle Utilities Advanced Spatial and Operational Analytics	Install (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.7.0.1

Additional CVEs addressed are below:

• The update for CVE-2016-6814 also addresses CVE-2016-6497.
• The update for CVE-2018-12023 also addresses CVE-2017-7525, CVE-2018-11307, CVE-2018-12022 and CVE-2018-7489.

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Virtualization. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2859	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.32, prior to 6.0.10
CVE-2019-2867	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.32, prior to 6.0.10
CVE-2019-2866	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.32, prior to 6.0.10
CVE-2019-2864	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.32, prior to 6.0.10
CVE-2019-2865	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.32, prior to 6.0.10
CVE-2019-1543	Oracle VM VirtualBox	Core (OpenSSL)	TLS	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	Prior to 5.2.32, prior to 6.0.10
CVE-2019-2863	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.32, prior to 6.0.10
CVE-2019-2848	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	Prior to 5.2.32, prior to 6.0.10
CVE-2019-2877	Oracle VM VirtualBox	Core	None	No	5.5	Local	Low	Low	None	Un- changed	None	None	High	Prior to 5.2.32, prior to 6.0.10
CVE-2019-2873	Oracle VM VirtualBox	Core	None	No	3.3	Local	Low	Low	None	Un- changed	None	None	Low	Prior to 5.2.32, prior to 6.0.10
CVE-2019-2874	Oracle VM VirtualBox	Core	None	No	3.3	Local	Low	Low	None	Un- changed	None	None	Low	Prior to 5.2.32, prior to 6.0.10
CVE-2019-2875	Oracle VM VirtualBox	Core	None	No	3.3	Local	Low	Low	None	Un- changed	None	None	Low	Prior to 5.2.32, prior to 6.0.10
CVE-2019-2876	Oracle VM VirtualBox	Core	None	No	3.3	Local	Low	Low	None	Un- changed	None	None	Low	Prior to 5.2.32, prior to 6.0.10
CVE-2019-2850	Oracle VM VirtualBox	Core	None	No	2.8	Local	Low	Low	Required	Un- changed	None	None	Low	Prior to 5.2.32, prior to 6.0.10	See Note 1

Notes:

1. The vulnerability affects Windows platforms only.

Related:

• No Related Posts

Oracle Security Alert Advisory – CVE-2019-2729

Description

This Security Alert addresses CVE-2019-2729, a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

References

• Oracle Critical Patch Updates, Security Alerts and Bulletins
• Oracle Critical Patch Updates and Security Alerts – Frequently Asked Questions
• Risk Matrix Definitions
• Use of Common Vulnerability Scoring System (CVSS) by Oracle
• English text version of the risk matrices
• CVRF XML version of the risk matrices
• Map of CVE to Advisory
• Software Error Correction Support Policy

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Security Alert. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:

• Badcode of Knownsec 404 Team: CVE-2019-2729
• Fangrun Li of Creditease Security Team: CVE-2019-2729
• Foren Lim: CVE-2019-2729
• Jkgh006: CVE-2019-2729
• Lucifaer of 360CERT at QiHu360: CVE-2019-2729
• Maoxin Lin of Dbappsecurity Team: CVE-2019-2729
• orich1 of CUIT D0g3 Secure Team: CVE-2019-2729
• WenHui Wang of State Grid: CVE-2019-2729
• Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2019-2729
• Ye Zhipeng of Qianxin Yunying Labs: CVE-2019-2729
• Yuxuan Chen: CVE-2019-2729
• Zhao Chang of Venustech ADLab: CVE-2019-2729
• Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2019-2729

Modification History

Date	Note
2019-July-11	Rev 4. Updated credit statement.
2019-June-21	Rev 3. Updated credit statement.
2019-June-20	Rev 2. Removed irrelevant paragraph about Oracle Database.
2019-June-18	Rev 1. Initial Release.

Oracle Fusion Middleware Risk Matrix This Security Alert contains 1 new security fix for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2019-2729 Oracle WebLogic Server Web Services HTTP Yes 9.8 Network Low None None Un- changed High High High 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0

Related:

• No Related Posts

Oracle Security Alert Advisory – CVE-2019-2725

Description

This Security Alert addresses CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0	Fusion Middleware

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

References

• Oracle Critical Patch Updates, Security Alerts and Bulletins
• Oracle Critical Patch Updates and Security Alerts – Frequently Asked Questions
• Risk Matrix Definitions
• Use of Common Vulnerability Scoring System (CVSS) by Oracle
• English text version of the risk matrices
• CVRF XML version of the risk matrices
• Map of CVE to Advisory
• Software Error Correction Support Policy

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:

• Badcode of Knownsec 404 Team: CVE-2019-2725
• Hongwei Pan of Minsheng Banking Corp.: CVE-2019-2725
• Icematcha of Qianxin Yunying Labs: CVE-2019-2725
• icez of Tophant Competence Center: CVE-2019-2725
• Liao Xinxi of NSFOCUS Security Team: CVE-2019-2725
• Lin Zheng of Minsheng Banking Corp.: CVE-2019-2725
• Song Keya of Minsheng Banking Corp.: CVE-2019-2725
• Tianlei Li of Minsheng Banking Corp.: CVE-2019-2725
• Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2019-2725
• ZengShuai Hao: CVE-2019-2725
• Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2019-2725

Modification History

Date	Note
2019-May-29	Rev 4. Updated Credit Statement.
2019-May-1	Rev 3. Updated Credit Statement.
2019-April-30	Rev 2. Updated WebLogic Server Versions.
2019-April-26	Rev 1. Initial Release.

Oracle Fusion Middleware Risk Matrix This Security Alert contains 1 new security fix for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2535708.1. CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2019-2725 Oracle WebLogic Server Web Services HTTP Yes 9.8 Network Low None None Un- changed High High High 10.3.6.0, 12.1.3.0

Related:

• No Related Posts