Oracle – Intelligent Systems Monitoring

Oracle Critical Patch Update Advisory – October 2019

October 14, 2019October 20, 2019 Oracle Leave a comment

Oracle Database Server Risk Matrix

This Critical Patch Update contains 11 new security patches for the Oracle Database Server divided as follows:

10 new security patches for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
1 new security patch for Oracle NoSQL Database. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2909	Java VM	None	Multiple	Yes	6.8	Network	High	None	None	Changed	None	High	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2956	Core RDBMS (jackson-databind)	Create Session	Multiple	No	5.7	Network	Low	Low	Required	Un- changed	None	None	High	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2913	Core RDBMS	Create Session	OracleNet	No	5.0	Network	Low	Low	None	Changed	Low	None	None	12.2.0.1, 18c, 19c
CVE-2019-2939	Core RDBMS	Create Session	OracleNet	No	5.0	Network	Low	Low	None	Changed	Low	None	None	12.2.0.1, 18c, 19c
CVE-2018-2875	Core RDBMS	Create Session	OracleNet	No	5.0	Network	Low	Low	None	Changed	Low	None	None	12.2.0.1, 18c, 19c
CVE-2019-2734	Core RDBMS	Create Session, Execute on DBMS_ADVISOR	OracleNet	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	12.2.0.1, 18c, 19c
CVE-2018-11784	WLM (Apache Tomcat)	None	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	12.2.0.1, 18c, 19c
CVE-2019-2954	Core RDBMS	Create Session, Create Procedure	Multiple	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2955	Core RDBMS	Local Logon	Multiple	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2940	Core RDBMS	Create Session	OracleNet	No	2.3	Local	Low	High	None	Un- changed	None	Low	None	12.1.0.2, 12.2.0.1, 18c

Additional CVEs addressed are below:

The patch for CVE-2018-11784 also addresses CVE-2018-8034.
The patch for CVE-2019-2956 also addresses CVE-2018-1000873, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361 and CVE-2018-19362.

Oracle NoSQL Database Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle NoSQL Database. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-14721	Oracle NoSQL Database	NoSQL (jackson-databind)	HTTP	Yes	10.0	Network	Low	None	None	Changed	High	High	High	Prior to 19.3.12

Additional CVEs addressed are below:

The patch for CVE-2018-14721 also addresses CVE-2018-1000873, CVE-2018-11798, CVE-2018-1320, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-12086, CVE-2019-12384 and CVE-2019-12814.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 13 new security patches for Oracle Construction and Engineering. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-6056	Instantis EnterpriseTrack	Core (Apache Tomcat)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2019-14379	Primavera Gateway	Admin (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.2, 16.2, 17.12, 18.8
CVE-2019-14379	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2019-3020	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	9.3	Network	Low	None	Required	Changed	High	High	None	15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.11
CVE-2019-0232	Instantis EnterpriseTrack	Generic (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2019-0211	Instantis EnterpriseTrack	Generic (Apache HTTP Server)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2019-0227	Instantis EnterpriseTrack	Generic (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2017-12626	Instantis EnterpriseTrack	Generic (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.1, 17.2, 17.3
CVE-2017-12626	Primavera Gateway	Admin (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.12
CVE-2017-12626	Primavera P6 Enterprise Project Portfolio Management	Web Access (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.13
CVE-2017-12626	Primavera Unifier	Core (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2019-2976	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	6.8	Network	Low	Low	Required	Changed	High	None	None	17.1.0-17.12.12
CVE-2019-11358	Primavera Unifier	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.1, 16.2, 17.7-17.12, 18.8

Additional CVEs addressed are below:

The patch for CVE-2017-6056 also addresses CVE-2016-5425.
The patch for CVE-2019-0211 also addresses CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217 and CVE-2019-0220.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-0232 also addresses CVE-2019-10072.
The patch for CVE-2019-14379 also addresses CVE-2019-12086, CVE-2019-14439, CVE-2019-14540 and CVE-2019-16335.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 10 new security patches for the Oracle E-Business Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2019), My Oracle Support Note 2586423.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2942	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.8
CVE-2019-2990	Oracle iStore	Order Tracker	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-2994	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2019-2995	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-3000	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-3022	Oracle Content Manager	Content	HTTP	Yes	5.8	Network	Low	None	None	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-3027	Oracle Application Object Library	Login Help	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	12.2.5-12.2.9
CVE-2019-2930	Oracle Field Service	Wireless	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.8
CVE-2019-3024	Oracle Installed Base	Engineering Change Order	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.2.3-12.2.9
CVE-2019-2925	Oracle Workflow	Worklist	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	12.1.3, 12.2.3-12.2.8

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Enterprise Manager. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2568292.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-4000	Enterprise Manager Base Platform	Command Line Interface (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2, 13.3
CVE-2019-5443	Enterprise Manager Ops Center	Networking (cURL)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	12.3.3, 12.4.0
CVE-2019-2895	Enterprise Manager for Exadata	Exadata Plug-In Deploy and Ins	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	12.1.0.5.0, 13.2.2.0.0, 13.3.1.0.0, 13.3.2.0.0
CVE-2019-9517	Enterprise Manager Ops Center	OS Provisioning (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.3.3, 12.4.0
CVE-2019-11358	Enterprise Manager Ops Center	Networking (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.3.3, 12.4.0
CVE-2019-11358	Oracle Application Testing Suite	Load Testing for Web Apps (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.2, 13.3
CVE-2019-10247	Enterprise Manager Base Platform	Agent Next Gen (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	13.2, 13.3

Additional CVEs addressed are below:

The patch for CVE-2019-10247 also addresses CVE-2019-10246.
The patch for CVE-2019-11358 also addresses CVE-2015-9251.
The patch for CVE-2019-5443 also addresses CVE-2019-5435 and CVE-2019-5436.
The patch for CVE-2019-9517 also addresses CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 and CVE-2019-10098.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Financial Services Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14379	Oracle Banking Platform	Infrastructure (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1
CVE-2019-14379	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.2-8.0.8
CVE-2019-2980	Oracle FLEXCUBE Direct Banking	eMail	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.0.2, 12.0.3
CVE-2019-11358	Oracle Financial Services Enterprise Financial Performance Analytics	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7
CVE-2019-11358	Oracle Financial Services Retail Performance Analytics	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7
CVE-2019-2979	Oracle FLEXCUBE Direct Banking	Payments	HTTP	No	5.7	Network	Low	Low	Required	Un- changed	None	High	None	12.0.2, 12.0.3
CVE-2019-3019	Oracle Banking Digital Experience	Loan Calculator	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	18.1, 18.2, 18.3, 19.1

Additional CVEs addressed are below:

The patch for CVE-2019-14379 also addresses CVE-2019-14439.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Food and Beverage Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-3025	Oracle Hospitality RES 3700	Interface	HTTP	Yes	9.0	Network	High	None	None	Changed	High	High	High	5.7
CVE-2019-2934	Oracle Hospitality Reporting and Analytics	Admin – Configuration	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.1.0
CVE-2019-2937	Oracle Hospitality Reporting and Analytics	Admin – Configuration	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.1.0
CVE-2019-2947	Oracle Hospitality Reporting and Analytics	Inventory Integration	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	9.1.0
CVE-2019-2936	Oracle Hospitality Reporting and Analytics	Admin – Configuration	HTTP	No	6.8	Network	High	Low	None	Un- changed	High	High	None	9.1.0
CVE-2019-11358	Oracle Hospitality Materials Control	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.1
CVE-2019-2952	Oracle Hospitality Reporting and Analytics	Admin-Configuration	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 37 new security patches for Oracle Fusion Middleware. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update October 2019 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2568292.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2904	Oracle JDeveloper and ADF	ADF Faces	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2016-1000031	Oracle Virtual Directory	Virtual Directory Server (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0
CVE-2019-2905	Oracle Business Intelligence Enterprise Edition	Installation	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-2906	BI Publisher (formerly XML Publisher)	Mobile Service	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2891	Oracle WebLogic Server	Console	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2900	Oracle Business Intelligence Enterprise Edition	Analytics Actions	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-0188	Oracle Enterprise Repository	Security Subsystem – 12c (Apache Camel)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0
CVE-2017-12626	Oracle Enterprise Repository	Security Subsystem – 12c (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.3.0.0
CVE-2018-15756	Oracle GoldenGate Application Adapters	3rd Party (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.3.2.1.0
CVE-2019-12086	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3.0
CVE-2019-2970	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2901	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2902	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2903	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2971	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2972	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2016-1000031	Oracle SOA Suite	BPEL Service Engine and Fabric Layer (Apache Commons FileUpload)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	12.2.1.3.0
CVE-2019-2907	Oracle Web Services	SOAP with Attachments API for Java	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	12.2.1.3.0
CVE-2019-2890	Oracle WebLogic Server	Web Services	T3	No	7.2	Network	Low	High	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2943	Oracle Data Integrator	Studio	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.2.1.3.0
CVE-2019-2897	Oracle Business Intelligence Enterprise Edition	Analytics Actions	HTTP	No	6.4	Network	Low	Low	None	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2016-7103	Oracle Business Intelligence Enterprise Edition	BI Platform Security (JQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-2886	Oracle Forms	Services	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2019-11358	Oracle JDeveloper and ADF	ADF Faces (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-11358	Oracle Service Bus	Web Container (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-11358	Oracle WebLogic Server	Console (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2889	Oracle WebLogic Server	Sample apps	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2019-11358	Oracle WebLogic Server	Sample apps (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0
CVE-2019-17091	Oracle WebLogic Server	Web Container (JavaServer Faces)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2015-9251	Oracle WebLogic Server	Web Services (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0
CVE-2019-1559	Oracle API Gateway	Oracle API Gateway (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	11.1.2.4.0
CVE-2019-1559	Oracle Business Intelligence Enterprise Edition	Secure Store (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-3012	Oracle Business Intelligence Enterprise Edition	BI Platform Security	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2888	Oracle WebLogic Server	EJB Container	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2898	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2887	Oracle WebLogic Server	Web Services	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2899	Oracle JDeveloper and ADF	OAM	HTTP	No	2.4	Network	Low	High	Required	Un- changed	Low	None	None	11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.3.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The patch for CVE-2016-7103 also addresses CVE-2015-9251.
The patch for CVE-2019-11358 also addresses CVE-2015-9251.

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle GraalVM. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2986	Oracle GraalVM Enterprise Edition	LLVM Interpreter	Multiple	No	7.7	Network	Low	Low	None	Changed	None	None	High	19.2.0
CVE-2019-9511	Oracle GraalVM Enterprise Edition	JavaScript (Node.js)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	19.2.0
CVE-2019-2989	Oracle GraalVM Enterprise Edition	Java	Multiple	Yes	6.8	Network	High	None	None	Changed	None	High	None	19.2.0

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Health Sciences Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-11358	Oracle Healthcare Foundation	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.1.1, 7.2.2
CVE-2019-11358	Oracle Healthcare Translational Research	Cohort Explorer (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.1.0, 3.2.1, 3.3.1

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Hospitality Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-0227	Oracle Hospitality Guest Access	Base (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	4.2.0, 4.2.1
CVE-2019-2953	Oracle Hospitality Cruise Dining Room Management	Web Service	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	8.0.80
CVE-2019-10247	Oracle Hospitality Guest Access	Base (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	4.2.0, 4.2.1

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Hyperion. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2927	Hyperion Data Relationship Management	Access and Security	HTTP	No	6.4	Network	High	High	Required	Un- changed	High	High	High	11.1.2.4
CVE-2019-2959	Hyperion Financial Reporting	Security Models	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4
CVE-2019-2941	Hyperion Enterprise Performance Management Architect	Workspace	HTTP	No	4.0	Network	High	High	Required	Changed	Low	Low	None	11.1.2.4

Oracle Java SE Risk Matrix

This Critical Patch Update contains 20 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application (in Java SE 8) has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of “High”, lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2949	Java SE, Java SE Embedded	Kerberos	Kerberos	Yes	6.8	Network	High	None	None	Changed	High	None	None	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2989	Java SE, Java SE Embedded	Networking	Multiple	Yes	6.8	Network	High	None	None	Changed	None	High	None	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2958	Java SE, Java SE Embedded	Libraries	Multiple	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-11068	Java SE	JavaFX (libxslt)	Multiple	Yes	5.6	Network	High	None	None	Un- changed	Low	Low	Low	Java SE: 8u221	See Note 1
CVE-2019-2977	Java SE	Hotspot	Multiple	Yes	4.8	Network	High	None	None	Un- changed	Low	None	Low	Java SE: 11.0.4, 13	See Note 2
CVE-2019-2975	Java SE, Java SE Embedded	Scripting	Multiple	Yes	4.8	Network	High	None	None	Un- changed	None	Low	Low	Java SE: 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2999	Java SE	Javadoc	Multiple	Yes	4.7	Network	High	None	Required	Changed	Low	Low	None	Java SE: 7u231, 8u221, 11.0.4, 13	See Note 2
CVE-2019-2996	Java SE, Java SE Embedded	Deployment	Multiple	Yes	4.2	Network	High	None	Required	Un- changed	Low	Low	None	Java SE: 8u221; Java SE Embedded: 8u221	See Note 2
CVE-2019-2987	Java SE	2D	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 11.0.4, 13	See Note 1
CVE-2019-2962	Java SE, Java SE Embedded	2D	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2988	Java SE, Java SE Embedded	2D	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 2
CVE-2019-2992	Java SE, Java SE Embedded	2D	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 2
CVE-2019-2964	Java SE, Java SE Embedded	Concurrency	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 3
CVE-2019-2973	Java SE, Java SE Embedded	JAXP	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2981	Java SE, Java SE Embedded	JAXP	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2978	Java SE, Java SE Embedded	Networking	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2894	Java SE, Java SE Embedded	Security	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2983	Java SE, Java SE Embedded	Serialization	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2933	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2945	Java SE, Java SE Embedded	Networking	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 2

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle JD Edwards. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	JD Edwards EnterpriseOne Tools	Deployment (Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.0.1.0

Oracle MySQL Risk Matrix

This Critical Patch Update contains 34 new security patches for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-8457	MySQL Workbench	MySQL Workbench (SQLite)	MySQL Workbench	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.17 and prior
CVE-2019-5443	MySQL Server	Server: Compiling (cURL)	MySQL Protocol	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-10072	MySQL Enterprise Monitor	Monitoring: General (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-1543	MySQL Connectors	Connector/ODBC (OpenSSL)	TLS	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	5.3.13 and prior, 8.0.17 and prior
CVE-2019-3011	MySQL Server	Server: C API	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2966	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2967	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2974	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.45 and prior, 5.7.27 and prior, 8.0.17 and prior
CVE-2019-2946	MySQL Server	Server: PS	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-3004	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2914	MySQL Server	Server: Security: Encryption	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-2969	MySQL Server	Client programs	MySQL Protocol	No	6.2	Local	Low	None	None	Un- changed	High	None	None	5.6.44 and prior, 5.7.26 and prior, 8.0.16 and prior
CVE-2019-2991	MySQL Server	Server: Optimizer	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	8.017 and prior
CVE-2019-2920	MySQL Connectors	Connector/ODBC	MySQL Protocol	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	5.3.13 and prior, 8.0.17 and prior
CVE-2019-2993	MySQL Server	Server: C API	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-2922	MySQL Server	Server: Security: Encryption	MySQL Protocol	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.6.45 and prior, 5.7.27 and prior
CVE-2019-2923	MySQL Server	Server: Security: Encryption	MySQL Protocol	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.6.45 and prior, 5.7.27 and prior
CVE-2019-2924	MySQL Server	Server: Security: Encryption	MySQL Protocol	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.6.45 and prior, 5.7.27 and prior
CVE-2019-1549	MySQL Workbench	Workbench: Security: Encryption (OpenSSL)	MySQL Workbench	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.0.17 and prior
CVE-2019-2963	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2968	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-3003	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2997	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2948	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.26 and prior, 8.0.16 and prior
CVE-2019-2950	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2982	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2998	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2960	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-2957	MySQL Server	Server: Security: Encryption	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2938	MySQL Server	InnoDB	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-3018	MySQL Server	InnoDB	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-3009	MySQL Server	Server: Connection	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2910	MySQL Server	Server: Security: Encryption	MySQL Protocol	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	5.6.45 and prior, 5.7.27 and prior
CVE-2019-2911	MySQL Server	Information Schema	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	5.6.45 and prior, 5.7.27 and prior, 8.0.17 and prior

Additional CVEs addressed are below:

The patch for CVE-2019-1549 also addresses CVE-2019-1547, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-5443 also addresses CVE-2019-5435 and CVE-2019-5436.
The patch for CVE-2019-8457 also addresses CVE-2019-9936 and CVE-2019-9937.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 13 new security patches for Oracle PeopleSoft. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-0729	PeopleSoft Enterprise PeopleTools	Integration Broker (Apache Xerces)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.56, 8.57
CVE-2019-3862	PeopleSoft Enterprise PeopleTools	File Processing (libssh2)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	8.56, 8.57
CVE-2019-2932	PeopleSoft Enterprise PeopleTools	Tree Manager	HTTP	No	7.7	Network	Low	Low	None	Changed	High	None	None	8.56, 8.57
CVE-2019-2915	PeopleSoft Enterprise PeopleTools	Fluid Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-2985	PeopleSoft Enterprise PeopleTools	Fluid Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-3014	PeopleSoft Enterprise PeopleTools	Performance Monitor	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-2929	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-2931	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-11358	PeopleSoft Enterprise PeopleTools	Portal, Charting (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-3001	PeopleSoft Enterprise SCM eProcurement	eProcurement	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	9.2
CVE-2019-3023	PeopleSoft Enterprise PeopleTools	Stylesheet	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	8.56, 8.57
CVE-2019-2951	PeopleSoft Enterprise HCM Human Resources	US Federal Specific	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	9.2
CVE-2019-3015	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.56, 8.57

Additional CVEs addressed are below:

The patch for CVE-2019-3862 also addresses CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3858, CVE-2019-3859, CVE-2019-3860, CVE-2019-3861 and CVE-2019-3863.

Oracle Policy Automation Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Policy Automation. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-0227	Oracle Policy Automation Connector for Siebel	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	10.4.6
CVE-2019-11358	Oracle Policy Automation	Determinations Engine (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.4.7, 12.1.0, 12.1.1, 12.2.0-12.2.15
CVE-2019-11358	Oracle Policy Automation Connector for Siebel	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.4.6
CVE-2019-11358	Oracle Policy Automation for Mobile Devices	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.0-12.2.15

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Retail Applications. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-19362	MICROS Retail XBRi Loss Prevention	Retail (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.8.3
CVE-2019-14379	Oracle Retail Xstore Point of Service	Xenvironment (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.1, 15.0, 16.0, 17.0, 18.0
CVE-2019-0232	MICROS Relate CRM Software	Internal Operations (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	11.4
CVE-2018-15756	Oracle Retail Integration Bus	RIB Kernal (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	15.0, 16.0
CVE-2019-12086	Oracle Retail Xstore Point of Service	Xenvironment (jackson-databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	7.1, 15.0, 16.0, 17.0, 18.0
CVE-2019-11358	Oracle Retail Customer Insights	Retail Science Engine (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0, 16.0
CVE-2019-2896	MICROS Relate CRM Software	Internal Operations	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.1.0, 15.0.0, 16.0.0, 17.0.0, 18.0.0,
CVE-2019-2884	Oracle Retail Customer Management and Segmentation Foundation	Segment	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	17.0
CVE-2018-3300	Oracle Retail Xstore Office	Internal Operations	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	7.1
CVE-2019-10247	Oracle Retail Xstore Point of Service	Dataloader (jackson-databind)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	7.1, 15.0, 16.0, 17.0
CVE-2019-2883	Oracle Retail Customer Management and Segmentation Foundation	Segment	HTTP	No	4.6	Network	Low	Low	Required	Un- changed	Low	Low	None	17.0
CVE-2019-2872	Oracle Retail Xstore Point of Service	Point of Sale	None	No	2.7	Physical	High	High	Required	Un- changed	Low	Low	None	17.0.3, 18.0.1, 19.0.0

Additional CVEs addressed are below:

The patch for CVE-2019-10247 also addresses CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2018-12536, CVE-2018-12538, CVE-2018-12545, CVE-2019-10241 and CVE-2019-10246.
The patch for CVE-2019-14379 also addresses CVE-2019-12086 and CVE-2019-14439.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Siebel CRM. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2965	Siebel Core – DB Deployment and Configuration	Install – Configuration	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	19.8 and prior
CVE-2019-11358	Siebel Mobile Applications	CG Mobile Connected (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	19.8 and prior
CVE-2018-8037	Siebel UI Framework	Customizable Prod/Configurator (Apache Tomcat)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	19.7 and prior
CVE-2019-2935	Siebel UI Framework	EAI	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	19.8 and prior

Oracle Systems Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Systems . 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-1000007	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (cURL)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to XCP2361, Prior to XCP3070
CVE-2019-3010	Oracle Solaris	XScreenSaver	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	11
CVE-2015-5180	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (glibc)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to XCP2361, Prior to XCP3071
CVE-2018-7185	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (NTP)	NTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to XCP2361, Prior to XCP3070
CVE-2018-18066	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (Net SNMP)	SNMP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to XCP2361, Prior to XCP3070
CVE-2018-0732	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to XCP2361, Prior to XCP3070
CVE-2019-6109	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (OpenSSH)	SSH	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	Prior to XCP2361, Prior to XCP3070
CVE-2017-17558	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (USB Driver)	None	No	6.6	Physical	Low	Low	None	Un- changed	High	High	High	Prior to XCP2360, Prior to XCP3060
CVE-2018-12404	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (NSS)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Prior to XCP2361, Prior to XCP3070
CVE-2019-2765	Oracle Solaris	Filesystem	None	No	5.3	Local	High	Low	None	Changed	Low	Low	Low	10, 11
CVE-2019-2961	Oracle Solaris	SMF services & legacy daemons	None	No	3.6	Local	High	Low	None	Un- changed	None	Low	Low	11
CVE-2019-3008	Oracle Solaris	LDAP Library	None	No	1.8	Local	High	High	Required	Un- changed	None	None	Low	11

Additional CVEs addressed are below:

The patch for CVE-2017-17558 also addresses CVE-2017-16531.
The patch for CVE-2018-0732 also addresses CVE-2016-8610 and CVE-2019-1559.
The patch for CVE-2018-1000007 also addresses CVE-2018-1000120 and CVE-2018-16842.
The patch for CVE-2018-12404 also addresses CVE-2018-12384.
The patch for CVE-2018-18066 also addresses CVE-2018-18065.
The patch for CVE-2019-6109 also addresses CVE-2018-20685 and CVE-2019-6111.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Supply Chain. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-6814	Agile Recipe Management for Pharmaceuticals	Recipe (Apache Groovy)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.4
CVE-2019-0232	Oracle Agile PLM	Security (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.3.3-9.3.6
CVE-2019-11358	Oracle Agile Product Lifecycle Management for Process	Supplier Portal (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Support Tools. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-11358	Diagnostic Assistant	Libraries (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.12.36
CVE-2019-12814	Oracle Clusterware	Trace File Analyzer (TFA) Collector (jackson-databind)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	19.0.0.0.0

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-3028	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3017	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-2944	Oracle VM VirtualBox	Core	None	No	7.3	Local	Low	High	None	Changed	Low	Low	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3026	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3021	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-2984	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	None	None	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3002	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	None	None	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3005	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	None	None	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3031	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.34, prior to 6.0.14
CVE-2019-1547	Oracle VM VirtualBox	Core (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	Prior to 5.2.34, prior to 6.0.14
CVE-2019-2926	Oracle VM VirtualBox	Core	None	No	2.3	Local	Low	High	None	Un- changed	None	None	Low	Prior to 5.2.34, prior to 6.0.14

Additional CVEs addressed are below:

The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.

No Related Posts

Oracle Security Alert for CVE-2019-2729 – 18 Jun 2019

June 17, 2019October 20, 2019 Oracle Leave a comment

Oracle Security Alert Advisory – CVE-2019-2729

Description

This Security Alert addresses CVE-2019-2729, a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

References

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Security Alert. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:

Badcode of Knownsec 404 Team: CVE-2019-2729
Fangrun Li of Creditease Security Team: CVE-2019-2729
Foren Lim: CVE-2019-2729
Jkgh006: CVE-2019-2729
Lucifaer of 360CERT at QiHu360: CVE-2019-2729
Maoxin Lin of Dbappsecurity Team: CVE-2019-2729
orich1 of CUIT D0g3 Secure Team: CVE-2019-2729
WenHui Wang of State Grid: CVE-2019-2729
Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2019-2729
Ye Zhipeng of Qianxin Yunying Labs: CVE-2019-2729
Yuxuan Chen: CVE-2019-2729
Zhao Chang of Venustech ADLab: CVE-2019-2729
Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2019-2729

Modification History

Date	Note
2019-July-11	Rev 4. Updated credit statement.
2019-June-21	Rev 3. Updated credit statement.
2019-June-20	Rev 2. Removed irrelevant paragraph about Oracle Database.
2019-June-18	Rev 1. Initial Release.

Oracle Fusion Middleware Risk Matrix

This Security Alert contains 1 new security fix for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2729	Oracle WebLogic Server	Web Services	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0

No Related Posts

Oracle Security Alert for CVE-2019-2725 – 26 Apr 2019

April 25, 2019October 20, 2019 Oracle Leave a comment

Oracle Security Alert Advisory – CVE-2019-2725

Description

This Security Alert addresses CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Affected Products and Patch Information

Affected Products and Versions	Patch Availability Document
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0	Fusion Middleware

Security Alert Supported Products and Versions

References

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:

Badcode of Knownsec 404 Team: CVE-2019-2725
Hongwei Pan of Minsheng Banking Corp.: CVE-2019-2725
Icematcha of Qianxin Yunying Labs: CVE-2019-2725
icez of Tophant Competence Center: CVE-2019-2725
Liao Xinxi of NSFOCUS Security Team: CVE-2019-2725
Lin Zheng of Minsheng Banking Corp.: CVE-2019-2725
Song Keya of Minsheng Banking Corp.: CVE-2019-2725
Tianlei Li of Minsheng Banking Corp.: CVE-2019-2725
Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2019-2725
ZengShuai Hao: CVE-2019-2725
Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2019-2725

Modification History

Date	Note
2019-May-29	Rev 4. Updated Credit Statement.
2019-May-1	Rev 3. Updated Credit Statement.
2019-April-30	Rev 2. Updated WebLogic Server Versions.
2019-April-26	Rev 1. Initial Release.

Oracle Fusion Middleware Risk Matrix

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2535708.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2725	Oracle WebLogic Server	Web Services	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0

No Related Posts

Oracle Critical Patch Update Advisory – April 2019

April 15, 2019October 20, 2019 Oracle Leave a comment

Oracle Database Server Risk Matrix

This Critical Patch Update contains 6 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2517	Core RDBMS	DBFS_ROLE	Oracle Net	No	9.1	Network	Low	High	None	Changed	High	High	High	12.2.0.1, 18c
CVE-2019-2516	Portable Clusterware	Grid Infrastructure User	Multiple	No	8.2	Local	Low	High	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2019-2619	Portable Clusterware	Grid Infrastructure User	Multiple	No	8.2	Local	Low	High	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2019-2518	Java VM	Create Session, Create Procedure	Multiple	No	7.5	Network	High	Low	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2571	RDBMS DataPump	DBA role	Oracle Net	No	6.6	Network	High	High	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2019-2582	Core RDBMS	None	Oracle Net	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.2.0.1, 18c

Oracle Berkeley DB Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Berkeley DB. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2708	Data Store	Local Logon	Local Logon	No	3.3	Local	Low	Low	None	Un- changed	None	None	Low	Prior to 6.138, prior to 6.2.38, prior to 18.1.32

Oracle Commerce Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle Commerce. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2713	Oracle Commerce Merchandising	Asset Manager	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	11.2.0.3
CVE-2019-2659	Oracle Commerce Platform	Dynamo Application Framework	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.2.0.3
CVE-2019-2712	Oracle Commerce Platform	Dynamo Application Framework	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.2.0.3, 11.3.1

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 26 new security fixes for Oracle Communications Applications. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-7489	Oracle Communications Instant Messaging Server	Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0.1
CVE-2019-3822	Oracle Communications Operations Monitor	Security (curl)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4, 4.0
CVE-2018-11219	Oracle Communications Operations Monitor	Security (Redis)	RESP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4, 4.0
CVE-2017-5645	Oracle Communications Pricing Design Center	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1, 12.0
CVE-2016-1000031	Oracle Communications Service Broker	Admin server FileUpload (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0
CVE-2016-1000031	Oracle Communications Service Broker Engineered System Edition	Admin server FileUpload (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0
CVE-2018-11236	Oracle Communications Session Border Controller	Security (glibc)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-11236	Oracle Enterprise Communications Broker	Security (glibc)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.0.0, 3.1.0
CVE-2018-11236	Oracle Enterprise Session Border Controller	Security (glibc)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-1258	Oracle Communications Unified Inventory Management	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	7.3.2, 7.3.4, 7.3.5, 7.4.0
CVE-2017-5664	Oracle Communications Application Session Controller	Security (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	3.7.1, 3.8.0
CVE-2016-1181	Oracle Communications Policy Management	Security (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.1, 12.2, 12.3, 12.4
CVE-2018-16864	Oracle Communications Session Border Controller	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-16864	Oracle Enterprise Communications Broker	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	3.0.0, 3.1.0
CVE-2018-16864	Oracle Enterprise Session Border Controller	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-1000180	Oracle Communications Application Session Controller	Security (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	3.7.1, 3.8.0
CVE-2018-0732	Oracle Communications Application Session Controller	Security (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.7.1, 3.8.0
CVE-2018-0732	Oracle Communications EAGLE LNP Application Processor	Security (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10.0, 10.1, 10.2
CVE-2017-5664	Oracle Communications Instant Messaging Server	Security (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	10.0.1
CVE-2018-0732	Oracle Communications Operations Monitor	Security (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.4, 4.0
CVE-2017-0861	Oracle Communications EAGLE Application Processor	Security (Kernel)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	16.1.0, 16.2.0
CVE-2015-9251	Oracle Communications Interactive Session Recorder	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.0, 6.1, 6.2
CVE-2015-9251	Oracle Enterprise Operations Monitor	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.4, 4.0
CVE-2018-12404	Oracle Communications Messaging Server	Security (NSS)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.0, 8.1
CVE-2017-5753	Oracle Communications LSMS	Platform (Kernel)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	13.1, 13.2, 13.3
CVE-2017-5754	Oracle Communications LSMS	Platform (Kernel)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	13.1, 13.2, 13.3

Additional CVEs addressed are below:

The fix for CVE-2016-1181 also addresses CVE-2016-1182.
The fix for CVE-2017-0861 also addresses CVE-2017-15265, CVE-2018-1000004, CVE-2018-10901, CVE-2018-3620, CVE-2018-3646, CVE-2018-3693 and CVE-2018-7566.
The fix for CVE-2017-5664 also addresses CVE-2016-8735, CVE-2017-12617 and CVE-2018-11784.
The fix for CVE-2018-0732 also addresses CVE-2016-7055, CVE-2017-3730, CVE-2017-3731, CVE-2017-3732, CVE-2017-3733, CVE-2017-3735, CVE-2017-3736, CVE-2017-3738, CVE-2018-0733, CVE-2018-0734, CVE-2018-0737 and CVE-2018-0739.
The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
The fix for CVE-2018-11219 also addresses CVE-2018-11218.
The fix for CVE-2018-11236 also addresses CVE-2018-11237 and CVE-2018-6485.
The fix for CVE-2018-12404 also addresses CVE-2018-12384.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-16864 also addresses CVE-2018-16865.
The fix for CVE-2018-7489 also addresses CVE-2017-7525.
The fix for CVE-2019-3822 also addresses CVE-2018-16890 and CVE-2019-3823.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 8 new security fixes for the Oracle Construction and Engineering Suite. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	Primavera P6 Enterprise Project Portfolio Management	Web Access (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-19362	Primavera P6 Enterprise Project Portfolio Management	Web Access (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
CVE-2016-1000031	Primavera Unifier	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-19362	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-11763	Instantis EnterpriseTrack	Core (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.1, 17.2, 17.3
CVE-2018-0734	Primavera P6 Enterprise Project Portfolio Management	Project Manager (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-11784	Instantis EnterpriseTrack	Core (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	17.1, 17.2, 17.3
CVE-2019-2701	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	18.8

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
The fix for CVE-2018-11763 also addresses CVE-2017-9798.
The fix for CVE-2018-11784 also addresses CVE-2018-8034.
The fix for CVE-2018-19362 also addresses CVE-2018-19360 and CVE-2018-19361.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 35 new security fixes for the Oracle E-Business Suite. 33 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2019), My Oracle Support Note 2514102.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2638	Oracle General Ledger	Consolidation Hierarchy Viewer	HTTP	No	9.9	Network	Low	Low	None	Changed	High	High	Low	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2633	Oracle Work in Process	Messages	HTTP	No	9.9	Network	Low	Low	None	Changed	High	High	Low	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2663	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2682	Oracle Applications Framework	Attachments / File Upload	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2665	Oracle Common Applications	CRM User Management Framework	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2639	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2671	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2675	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2600	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2651	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2661	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2655	Oracle Interaction Center Intelligence	Business Intelligence (OLTP)	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2019-2652	Oracle iStore	Shopping Cart	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2583	Oracle iSupplier Portal	Attachments	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2660	Oracle Knowledge Management	Setup, Admin	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2604	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2664	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2677	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2551	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2603	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2653	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2654	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2662	Oracle Territory Management	Territory Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2640	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2641	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2642	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2643	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2018-0734	Application Server	Technology Stack Triage (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	0.9.8, 1.0.0, 1.0.1
CVE-2019-2621	Oracle Application Object Library	Diagnostics	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2669	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2676	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2670	Oracle Marketing	Marketing Administration	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2673	Oracle Marketing	Marketing Administration	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2674	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2622	Oracle Service Contracts	Renewals	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 11 new security fixes for the Oracle Enterprise Manager Products Suite. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2498664.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	Enterprise Manager Ops Center	Networking (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.3
CVE-2016-4000	Oracle Configuration Manager	Collector of Config and Diag (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0
CVE-2018-1258	Enterprise Manager Base Platform	Enterprise Manager Install (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
CVE-2018-1258	Enterprise Manager Ops Center	Networking (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.3.3
CVE-2018-11763	Enterprise Manager Ops Center	Networking (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.3.3
CVE-2018-1000180	Oracle Business Transaction Management	Security (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.0
CVE-2018-1656	Enterprise Manager Base Platform	Agent Next Gen (IBM Java)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	13.2.0.0.0, 13.3.0.0.0
CVE-2019-2726	Enterprise Manager Ops Center	Services Integration	HTTP	No	6.3	Network	High	Low	None	Changed	None	None	High	12.3.3
CVE-2019-2557	Oracle Application Testing Suite	Load Testing for Web Apps	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	13.3.0.1
CVE-2018-0734	Enterprise Manager Base Platform	Discovery Framework (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
CVE-2018-0734	Enterprise Manager Ops Center	Networking (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.3.3

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
The fix for CVE-2018-11763 also addresses CVE-2018-17189, CVE-2018-17199 and CVE-2019-0190.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257 and CVE-2018-15756.
The fix for CVE-2018-1656 also addresses CVE-2018-12539.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Financial Services Applications. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Banking Platform	Collections (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0, 2.4.1, 2.5.0, 2.6.0
CVE-2016-1000031	Oracle FLEXCUBE Private Banking	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0
CVE-2018-1258	Oracle FLEXCUBE Private Banking	Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0
CVE-2018-11775	Oracle FLEXCUBE Private Banking	Core (Apache ActiveMQ)	HTTP	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0
CVE-2015-9251	Oracle Financial Services Analytical Applications Infrastructure	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.3.3-7.3.5, 8.0.0-8.0.7
CVE-2015-9251	Oracle Financial Services Asset Liability Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2015-9251	Oracle Financial Services Data Integration Hub	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5-8.0.7
CVE-2015-9251	Oracle Financial Services Funds Transfer Pricing	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2015-9251	Oracle Financial Services Hedge Management and IFRS Valuations	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2015-9251	Oracle Financial Services Liquidity Risk Management	Internal Operations (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.2-8.0.6
CVE-2015-9251	Oracle Financial Services Loan Loss Forecasting and Provisioning	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.2-8.0.7
CVE-2015-9251	Oracle Financial Services Market Risk Measurement and Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5, 8.0.6
CVE-2015-9251	Oracle Financial Services Profitability Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.6
CVE-2015-9251	Oracle Financial Services Reconciliation Framework	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5, 8.0.6

Additional CVEs addressed are below:

The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Food and Beverage Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-9251	Oracle Hospitality Reporting and Analytics	Report (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 53 new security fixes for Oracle Fusion Middleware. 42 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2498664.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle API Gateway	Oracle API Gateway (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.4.0
CVE-2018-19362	Oracle Business Process Management Suite	Runtime Engine (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.1.3.0
CVE-2015-3253	Oracle Data Integrator	Install, config, upgrade (Apache Groovy)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0
CVE-2016-1000031	Oracle Endeca Information Discovery Integrator	Other Issues (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.2.0
CVE-2019-3822	Oracle HTTP Server	Web Listener (curl)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2016-1000031	Oracle Identity Analytics	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.5.8
CVE-2017-5645	Oracle JDeveloper	None (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2017-8287	Oracle Outside In Technology	Installation (FreeType)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.3	See Note 1
CVE-2017-8105	Oracle Outside In Technology	Installation (FreeType)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.3	See Note 1
CVE-2016-1000031	Oracle WebCenter Portal	Security Framework (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2018-19362	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2019-2658	Oracle WebLogic Server	WLS Core Components	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0
CVE-2019-2646	Oracle WebLogic Server	EJB Container	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2645	Oracle WebLogic Server	WLS Core Components	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-1258	Oracle WebLogic Server	WLS Core Components (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2019-2578	Oracle WebCenter Sites	Advanced UI	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	12.2.1.3.0
CVE-2019-2595	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2706	Oracle Business Process Management Suite	BPM Foundation Services	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0
CVE-2019-2705	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	8.5.3, 8.5.4	See Note 1
CVE-2018-14718	Oracle JDeveloper	Oracle JDeveloper (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.1.3.0
CVE-2019-2601	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2018-1000180	Oracle API Gateway	Oracle API Gateway (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.2.4.0
CVE-2018-11761	Oracle Business Process Management Suite	Runtime Engine (Apache Tika)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.3.0.0, 12.2.1.3.0
CVE-2018-1000180	Oracle Managed File Transfer	MFT Runtime Server (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.3.0
CVE-2018-1000180	Oracle SOA Suite	B2B Engine (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.3.0
CVE-2019-2647	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2648	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2649	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2650	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-8013	Oracle Data Integrator	Install, config, upgrade (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	12.2.1.3.0
CVE-2019-2608	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2616	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2018-1305	FMW Platform	Provisioning (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.2.1.3.0
CVE-2018-1305	Oracle Managed File Transfer	MFT Runtime Server (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.3.0
CVE-2019-2609	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2610	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2611	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2612	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2613	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2015-9251	Oracle Fusion Middleware MapViewer	Install (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2015-9251	Oracle JDeveloper	ADF Faces (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-0734	Oracle API Gateway	Oracle API Gateway (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	11.1.2.4.0
CVE-2018-0734	Oracle Tuxedo	SSL/TLS (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.1.0.0
CVE-2019-2618	Oracle WebLogic Server	WLS Core Components	HTTP	No	5.5	Network	Low	High	None	Un- changed	High	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2576	Oracle Service Bus	Web Container	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2572	Oracle SOA Suite	Fabric Layer	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.1.1.9.0
CVE-2018-0495	Oracle Traffic Director	Security (NSS)	None	No	5.1	Local	High	None	None	Un- changed	High	None	None	11.1.1.9.0
CVE-2019-2568	Oracle WebLogic Server	WLS Core Components	HTTP	No	5.0	Network	Low	Low	None	Changed	None	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2588	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	No	4.9	Network	Low	High	None	Un- changed	High	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2615	Oracle WebLogic Server	WLS Core Components	HTTP	No	4.9	Network	Low	High	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2579	Oracle WebCenter Sites	Advanced UI	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.2.1.3.0
CVE-2019-2605	Oracle Business Intelligence Enterprise Edition	Web Catalog	HTTP	Yes	3.4	Network	High	None	Required	Changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2720	Oracle Data Integrator	ODI Tools	HTTP	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The fix for CVE-2017-8287 also addresses CVE-2017-8105.
The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-1305 also addresses CVE-2018-1304.
The fix for CVE-2018-14718 also addresses CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.
The fix for CVE-2018-19362 also addresses CVE-2018-19360 and CVE-2018-19361.
The fix for CVE-2019-3822 also addresses CVE-2018-16890 and CVE-2019-3823.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Health Sciences Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Healthcare Master Person Index	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.0, 4.0
CVE-2019-2629	Oracle Health Sciences Data Management Workbench	User Interface	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	2.4.8

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Hospitality Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Hospitality Guest Access	Base (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.2.0, 4.2.1
CVE-2019-2702	Oracle Hospitality Cruise Dining Room Management	Web Service	HTTP	Yes	9.3	Network	Low	None	None	Changed	High	Low	None	8.0.80
CVE-2016-7103	Oracle Hospitality Cruise Fleet Management	FMS Suite (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.0.11
CVE-2018-11763	Oracle Hospitality Guest Access	Base (Apache HTTP Server)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	4.2.0, 4.2.1
CVE-2018-11784	Oracle Hospitality Guest Access	Base (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	4.2.0, 4.2.1

Additional CVEs addressed are below:

The fix for CVE-2016-7103 also addresses CVE-2015-9251.
The fix for CVE-2018-11784 also addresses CVE-2018-8034.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2699	Java SE	Windows DLL	Multiple	Yes	9.0	Network	High	None	None	Changed	High	High	High	Java SE: 8u202	See Note 1
CVE-2019-2697	Java SE	2D	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Java SE: 7u211, 8u202	See Note 2
CVE-2019-2698	Java SE	2D	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Java SE: 7u211, 8u202	See Note 2
CVE-2019-2602	Java SE, Java SE Embedded	Libraries	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Java SE: 7u211, 8u202, 11.0.2, 12; Java SE Embedded: 8u201	See Note 3
CVE-2019-2684	Java SE, Java SE Embedded	RMI	Multiple	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	Java SE: 7u211, 8u202, 11.0.2, 12; Java SE Embedded: 8u201	See Note 1

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 8 new security fixes for Oracle JD Edwards Products. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-12023	JD Edwards EnterpriseOne Tools	EnterpriseOne Mobility Sec (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2018-12023	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2018-12023	JD Edwards EnterpriseOne Tools	Web Runtime (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2018-0732	JD Edwards EnterpriseOne Tools	Enterprise Infrastructure SEC (OpenSSL)	JDENET	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.2
CVE-2019-2565	JD Edwards World Technical Foundation	Service Enablement	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	A9.2, A9.3.1, A9.4
CVE-2015-9251	JD Edwards EnterpriseOne Tools	Web Runtime (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2564	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	9.2

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.
The fix for CVE-2018-12023 also addresses CVE-2018-11307 and CVE-2018-12022.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 45 new security fixes for Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2632	MySQL Server	Server : Pluggable Auth	MySQL Protocol	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2693	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2694	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2695	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2692	MySQL Connectors	Connector/J	JDBC	No	6.3	Local	High	High	Required	Un- changed	High	High	High	8.0.15 and prior
CVE-2019-1559	MySQL Connectors	Connector/ODBC (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.3.12 and prior, 8.0.15 and prior
CVE-2019-1559	MySQL Server	Server: Compiling (OpenSSL)	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2018-3123	MySQL Server	Server: libmysqld	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2623	MySQL Server	Server: Options	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2018-0734	MySQL Enterprise Backup	Enterprise Backup (OpenSSL)	TLS	No	5.1	Local	High	None	None	Un- changed	High	None	None	3.12.3 and prior, 4.1.2 and prior
CVE-2019-2634	MySQL Server	Server: Replication	MySQL Protocol	No	5.1	Local	High	None	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2580	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2585	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2593	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2624	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2628	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2566	MySQL Server	Server: Audit Plug-in	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2626	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2644	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2631	MySQL Server	Server: Information Schema	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2581	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2596	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2607	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2625	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2681	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2685	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2686	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2687	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2688	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2689	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2683	MySQL Server	Server: Options	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2019-2592	MySQL Server	Server: PS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2587	MySQL Server	Server: Partition	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2635	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2584	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2589	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2606	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2620	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2627	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2019-2691	MySQL Server	Server: Security: Roles	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2636	MySQL Server	Server: Group Replication Plugin	MySQL Procotol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2614	MySQL Server	Server: Replication	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2019-2617	MySQL Server	Server: Replication	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2630	MySQL Server	Server: Replication	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-1559	MySQL Enterprise Monitor	Monitoring: General (OpenSSL)	None	No	0.0	Local	Low	None	None	Un- changed	None	None	None	4.0.8 and prior, 8.0.14 and prior	See Note 1

Notes:

MySQL Enterprise Monitor is not vulnerable to this CVE because it does not use the SSL/TLS functionality included in OpenSSL. The CVSS v3.0 Base Score for this CVE in the National Vulnerability Database (NVD) is 5.9.

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-5407.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 12 new security fixes for Oracle PeopleSoft Products. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2598	PeopleSoft Enterprise PeopleTools	SQR	HTTP	No	8.7	Network	Low	High	None	Changed	High	High	None	8.55, 8.56, 8.57
CVE-2019-2590	PeopleSoft Enterprise HCM Talent Acquisition Manager	Job Opening	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	9.2
CVE-2018-1000180	PeopleSoft Enterprise PeopleTools	Security (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.55, 8.56, 8.57
CVE-2019-2594	PeopleSoft Enterprise PT PeopleTools	Application Server	HTTP	No	6.8	Network	High	Low	None	Un- changed	High	High	None	8.55, 8.56, 8.57
CVE-2019-2707	PeopleSoft Enterprise ELM Enterprise Learning Management	Application Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2591	PeopleSoft Enterprise HRMS	Candidate Gateway	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2637	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2018-0734	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.55, 8.56, 8.57
CVE-2019-2597	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2700	PeopleSoft Enterprise ELM	Enterprise Learning Mgmt	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	9.2
CVE-2019-2573	PeopleSoft Enterprise PeopleTools	Fluid Homepage & Navigation	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	8.56, 8.57
CVE-2019-2586	PeopleSoft Enterprise PT PeopleTools	RemoteCall	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.55, 8.56, 8.57

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 24 new security fixes for Oracle Retail Applications. 20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2014-9515	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations (Dozer)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.0, 17.0
CVE-2019-3772	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.0, 17.0, 18.0
CVE-2016-1000031	Oracle Retail Order Broker	System Administration (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.1, 5.2, 15.0, 16.0
CVE-2017-5533	Oracle Retail Order Broker	System Administration (Jasper)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0
CVE-2018-19362	Oracle Retail Workforce Management Software	Framework (jQuery)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.60.9.0.0
CVE-2016-1000031	Oracle Retail Xstore Point of Service	Xenvironment (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.0, 7.1
CVE-2018-3314	MICROS Relate CRM Software	Customer	HTTP	No	8.2	Network	High	Low	None	Changed	High	High	None	11.4
CVE-2018-12023	Oracle Retail Merchandising System	Documentation (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	15.0
CVE-2018-14718	Oracle Retail Merchandising System	Documentation (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2018-3120	MICROS Lucas	Security	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	2.9.5.6, 2.9.5.7
CVE-2018-2880	MICROS Retail-J	Back Office	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.2
CVE-2018-15756	Oracle Retail Invoice Matching	Security (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.0, 13.0, 13.1, 13.2, 14.0, 14.1
CVE-2018-15756	Oracle Retail Order Broker	System Administration (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	5.1, 5.2, 15.0, 16.0
CVE-2018-11763	Oracle Retail Xstore Point of Service	Point of Sale (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.0, 7.1
CVE-2018-11763	Oracle Retail Xstore Point of Service	Xstore Office (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.0, 7.1
CVE-2018-1000180	Oracle Retail Xstore Point of Service	Xenvironment (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	7.0, 7.1
CVE-2019-2424	Oracle Retail Convenience Store Back Office	Level 3 Maintenance Functions	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	3.6
CVE-2019-2558	Oracle Retail Point-of-Service	Infrastructure	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	13.4, 14.0, 14.1
CVE-2018-1305	MICROS Relate CRM Software	Internal Operations (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	11.4
CVE-2015-9251	Oracle Retail Allocation	General (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0.2
CVE-2015-9251	Oracle Retail Invoice Matching	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0
CVE-2018-3312	Oracle Retail Customer Engagement	Segment	HTTP	No	5.5	Network	High	High	None	Un- changed	Low	High	Low	16.0, 17.0
CVE-2018-11784	Oracle Retail Order Broker	System Administration (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	5.1, 5.2, 15.0
CVE-2018-11784	Oracle Retail Order Broker	Upgrade Install (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	5.1, 5.2, 15.0

Additional CVEs addressed are below:

The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
The fix for CVE-2018-11784 also addresses CVE-2018-8034.
The fix for CVE-2018-12023 also addresses CVE-2018-12022.
The fix for CVE-2018-1305 also addresses CVE-2018-11784 and CVE-2018-1304.
The fix for CVE-2018-14718 also addresses CVE-2018-14719, CVE-2018-14720, CVE-2018-14721 and CVE-2018-19362.
The fix for CVE-2018-19362 also addresses CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361 and CVE-2018-7489.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 8 new security fixes for Oracle Siebel CRM. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2014-0114	Oracle Knowledge	Information Manager Console (Apache Commons BeanUtils)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2016-1000031	Oracle Knowledge	Information Manager Console (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2016-2141	Oracle Knowledge	Information Manager Console (JGroups)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2015-1832	Oracle Knowledge	Information Manager Console (Apache Derby)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2016-0635	Oracle Knowledge	AnswerFlow (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.5.1.0 – 8.5.1.7, 8.6.0
CVE-2014-0107	Oracle Knowledge	Information Manager Console (Apache Xalan)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2019-2719	Oracle Knowledge	Web Applications (InfoCenter)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2019-2570	Siebel Core – Server BizLogic Script	Integration – Scripting	HTTP	No	4.7	Network	Low	High	None	Un- changed	Low	Low	Low	19.3

Additional CVEs addressed are below:

The fix for CVE-2014-0114 also addresses CVE-2016-1000031 and CVE-2016-3092.
The fix for CVE-2015-1832 also addresses CVE-2016-2141.
The fix for CVE-2016-1000031 also addresses CVE-2016-3092.
The fix for CVE-2016-2141 also addresses CVE-2015-1832.

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 3 new security fixes for the Oracle Sun Systems Products Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2704	Oracle Solaris	IPS Package Manager	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11
CVE-2018-20685	Oracle Solaris	SunSSH	SSH	Yes	5.3	Network	High	None	Required	Un- changed	None	High	None	10
CVE-2019-2577	Oracle Solaris	File Locking Services	None	No	3.3	Local	Low	Low	None	Un- changed	None	None	Low	11

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 5 new security fixes for the Oracle Supply Chain Products Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	Agile Recipe Management for Pharmaceuticals	Recipe (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.4
CVE-2016-1000031	Oracle Agile PLM	Application Server (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.4, 9.3.5
CVE-2019-2567	Oracle Configurator	Active Model Generation	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1, 12.2
CVE-2019-2709	Oracle Transportation Management	Security	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.3.7, 6.4.2, 6.4.3
CVE-2019-2575	Oracle AutoVue 3D Professional Advanced	Format Handling – 2D	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	21.0.0, 21.0.1

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Support Tools. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-9251	OSS Support Tools	Remote Diagnostic Agent (jQuery)	Multiple	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	19.1

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 6 new security fixes for Oracle Utilities Applications. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-14952	Oracle Utilities Framework	Common (icu4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.2.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.2.0, 4.3.0.3.0, 4.3.0.4.0, 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0
CVE-2018-8088	Oracle Utilities Framework	Common (slf4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.2.0.2.0, 4.2.0.3.0, 4.3.0.2.0, 4.3.0.3.0, 4.3.0.4.0, 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0
CVE-2016-1000031	Oracle Utilities Framework	User Interface (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.2.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.2.0, 4.3.0.3.0, 4.3.0.4.0, 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0
CVE-2018-1258	Oracle Utilities Network Management System	Web Gateway client (Spring Framework)	T3	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	1.12.0.3
CVE-2015-9251	Oracle Real-Time Scheduler	Mobile Platform (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.3.0
CVE-2015-9251	Oracle Utilities Mobile Workforce Management	Mobile Platform (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.3.0

Additional CVEs addressed are below:

The fix for CVE-2017-14952 also addresses CVE-2014-7923, CVE-2014-7926, CVE-2014-7940, CVE-2014-8146, CVE-2014-8147, CVE-2014-9654, CVE-2014-9911, CVE-2015-5922, CVE-2016-6293, CVE-2016-7415, CVE-2017-17484, CVE-2017-7867 and CVE-2017-7868.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 15 new security fixes for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-3822	Oracle Secure Global Desktop	Core (curl)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.4
CVE-2019-2656	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2680	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2696	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2703	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2721	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2722	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2723	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2657	Oracle VM VirtualBox	Core	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2690	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2679	Oracle VM VirtualBox	Core	None	No	7.3	Local	Low	Low	None	Changed	Low	None	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2678	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2574	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.28, prior to 6.0.6
CVE-2019-1559	Oracle Secure Global Desktop	Core (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.4
CVE-2018-11784	Oracle Secure Global Desktop	Application Server (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	5.4

Additional CVEs addressed are below:

The fix for CVE-2018-11784 also addresses CVE-2018-8034.
The fix for CVE-2019-1559 also addresses CVE-2018-0734, CVE-2018-0735 and CVE-2018-5407.
The fix for CVE-2019-3822 also addresses CVE-2018-16890 and CVE-2019-3823.

No Related Posts

Oracle Critical Patch Update Advisory – January 2019

January 14, 2019October 20, 2019 Oracle Leave a comment

Oracle Database Server Risk Matrix

This Critical Patch Update contains 3 new security fixes for the Oracle Database Server. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2444	Core RDBMS	Local Logon	Local Logon	No	8.2	Local	Low	Low	Required	Changed	High	High	High	12.2.0.1, 18c
CVE-2019-2406	Core RDBMS	Create Session, Execute Catalog Role	Oracle Net	No	7.2	Network	Low	High	None	Un- changed	High	High	High	12.1.0.2, 12.2.0.1, 18c
CVE-2019-2547	Java VM	Create Session, Create Procedure	Multiple	No	3.5	Network	Low	Low	Required	Un- changed	None	None	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 33 new security fixes for Oracle Communications Applications. 29 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Communications Converged Application Server – Service Controller	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1
CVE-2016-1000031	Oracle Communications Diameter Signaling Router (DSR)	Security (Apache Commons Fileupload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	prior to 8.3
CVE-2017-5645	Oracle Communications Online Mediation Controller	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1
CVE-2018-11776	Oracle Communications Policy Management	Security (Apache Struts 2)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	prior to 12.5
CVE-2017-5645	Oracle Communications Service Broker	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0
CVE-2016-1000031	Oracle Communications Services Gatekeeper	Security (Apache Commons Collections Fileupload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	prior to 6.1.0.4.0
CVE-2018-9206	Oracle Communications Services Gatekeeper	Security (jQuery)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	prior to 6.1.0.4.0
CVE-2017-5645	Oracle Communications WebRTC Session Controller	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	prior to 7.2
CVE-2016-6814	Oracle Communications Unified Inventory Management	Security (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	prior to 7.4.0
CVE-2016-0635	Oracle Communications Converged Application Server	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	prior to 7.0.0.1
CVE-2018-1258	Oracle Communications Diameter Signaling Router (DSR)	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	prior to 8.3
CVE-2018-1258	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	prior to 10.2.1
CVE-2018-1258	Oracle Communications Services Gatekeeper	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	prior to 6.1.0.4.0
CVE-2018-14718	Oracle Communications Billing and Revenue Management	Billing Operations Center, Billing Care (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	7.5, 12.0
CVE-2016-1181	Oracle Communications Converged Application Server	Security (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	prior to 7.0.0.1
CVE-2017-15095	Oracle Communications Diameter Signaling Router (DSR)	Security (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	prior to 8.3
CVE-2016-1181	Oracle Communications WebRTC Session Controller	Security (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	prior to 7.2
CVE-2018-1000180	Oracle Communications Converged Application Server	Security (Bouncy Castle)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	prior to 7.0.0.1
CVE-2017-9798	Oracle Communications Diameter Signaling Router (DSR)	Security (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	prior to 8.3
CVE-2018-5390	Oracle Communications Session Border Controller	Security (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	SCz7.4.0, SCz7.4.1, SCz8.0.0, SCz8.1.0
CVE-2018-1000180	Oracle Communications WebRTC Session Controller	Security (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	prior to 7.2
CVE-2018-1000300	Oracle Communications WebRTC Session Controller	Security (cURL)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	prior to 7.2
CVE-2017-0379	Oracle Communications WebRTC Session Controller	Security (libgcrypt)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	prior to 7.2
CVE-2018-8013	Oracle Communications Diameter Signaling Router (DSR)	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	prior to 8.3
CVE-2018-8013	Oracle Communications WebRTC Session Controller	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	prior to 7.2
CVE-2019-2399	Oracle Communications Diameter Signaling Router (DSR)	Security	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	prior to 8.3
CVE-2015-9251	Oracle Communications Converged Application Server	Security (JQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	prior to 7.0.0.1
CVE-2015-9251	Oracle Communications WebRTC Session Controller	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	prior to 7.2
CVE-2018-0732	Oracle Communications Session Border Controller	Security (OpenSSL)	TLS	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	SCz7.4.0, SCz7.4.1, SCz8.0.0, SCz8.1.0
CVE-2018-0732	Oracle Communications Unified Session Manager	Security (OpenSSL)	TLS	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	SCz7.3.5
CVE-2018-0732	Oracle Communications WebRTC Session Controller	Security (OpenSSL)	TLS	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	prior to 7.2
CVE-2018-0732	Oracle Enterprise Communications Broker	Security (OpenSSL)	TLS	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	PCz2.1, PCz2.2, PCz3.0
CVE-2018-0732	Oracle Enterprise Session Border Controller	Security (OpenSSL)	TLS	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	ECz7.4.0, ECz7.5.0, ECz8.0.0, ECz8.1.0

Additional CVEs addressed are below:

The fix for CVE-2016-0635 also addresses CVE-2018-1258.
The fix for CVE-2016-1181 also addresses CVE-2014-0114 and CVE-2016-1182.
The fix for CVE-2017-0379 also addresses CVE-2017-9526.
The fix for CVE-2017-15095 also addresses CVE-2017-7525.
The fix for CVE-2018-0732 also addresses CVE-2017-3735, CVE-2017-3736, CVE-2017-3738, CVE-2018-0733, CVE-2018-0737 and CVE-2018-0739.
The fix for CVE-2018-1000180 also addresses CVE-2015-7940 and CVE-2018-1000613.
The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.
The fix for CVE-2018-11776 also addresses CVE-2016-1000031.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.
The fix for CVE-2018-14718 also addresses CVE-2017-15095, CVE-2017-7525, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721 and CVE-2018-7489.
The fix for CVE-2018-5390 also addresses CVE-2018-6922.
The fix for CVE-2018-9206 also addresses CVE-2015-9251.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 4 new security fixes for the Oracle Construction and Engineering Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-9206	Primavera Unifier	Core (jQuery FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.1-17.12, 18.8
CVE-2018-14718	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	16.1, 16.2, 17.1-17.12, 18.8
CVE-2018-0732	Primavera P6 Enterprise Project Portfolio Management	Project Manager (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
CVE-2019-2512	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	4.7	Network	High	None	Required	Changed	Low	Low	None	8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.
The fix for CVE-2018-14718 also addresses CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 16 new security fixes for the Oracle E-Business Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the January 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (January 2019), My Oracle Support Note 2480398.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2489	Oracle One-to-One Fulfillment	OCM Query	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2453	Oracle Performance Management	Performance Management Plan	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1, 12.1.2, 12.1.3
CVE-2019-2445	Oracle Content Manager	Cover Letter	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2497	Oracle CRM Technical Foundation	Messages	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2400	Oracle iStore	User Registration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2440	Oracle Marketing	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2498	Oracle Partner Management	Partner Dash board	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2447	Oracle Partner Management	Partner Detail	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2470	Oracle Partner Management	Partner Detail	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2546	Oracle Applications Manager	SQL Extensions	HTTP	Yes	8.1	Network	Low	None	Required	Un- changed	None	High	High	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2488	Oracle CRM Technical Foundation	Session Management	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2396	Oracle CRM Technical Foundation	Messages	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2496	Oracle CRM Technical Foundation	Messages	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2491	Oracle Email Center	Message Display	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2492	Oracle Email Center	Message Display	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2485	Oracle Mobile Field Service	Administration	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 11 new security fixes for the Oracle Enterprise Manager Products Suite. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the January 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2466391.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-4000	Enterprise Manager Base Platform	Agent Next Gen (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.0, 13.3.0
CVE-2018-1258	Oracle Application Testing Suite	Load Testing for Web Apps (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2018-12023	Enterprise Manager for Virtualization	Plug-In Lifecycle (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	13.2.2, 13.2.3, 13.3.1
CVE-2018-14718	Enterprise Manager for Virtualization	Plug-In Lifecycle (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	13.2.2, 13.2.3, 13.3.1
CVE-2018-0732	Enterprise Manager Base Platform	Discovery Framework (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.0.5, 13.2.0, 13.3.0
CVE-2018-1000300	Enterprise Manager Ops Center	Networking (cURL)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.2.2, 12.3.3
CVE-2018-0732	Enterprise Manager Ops Center	Networking (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.2, 12.3.3
CVE-2018-3303	Enterprise Manager Base Platform	EM Console	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	13.2, 13.3
CVE-2018-3304	Oracle Application Testing Suite	Load Testing for Web Apps	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2018-3305	Oracle Application Testing Suite	Load Testing for Web Apps	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2015-9251	Enterprise Manager Ops Center	Networking (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.2, 12.3.3

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.
The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.
The fix for CVE-2018-12023 also addresses CVE-2018-11307, CVE-2018-12022 and CVE-2018-14718.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-14718 also addresses CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 9 new security fixes for Oracle Financial Services Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-4000	Oracle Banking Platform	Patching (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.6.0, 2.6.1, 2.6.2
CVE-2016-1000031	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.3, 7.3.5, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7
CVE-2017-5645	Oracle FLEXCUBE Investor Servicing	Infrastructure (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0
CVE-2018-14718	Oracle Banking Platform	Infrastructure (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.5.0, 2.6.0, 2.6.1, 2.6.2
CVE-2018-14718	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7
CVE-2018-1000632	Oracle FLEXCUBE Investor Servicing	Infrastructure (dom4j)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0
CVE-2017-14735	Oracle Banking Platform	Infrastructure (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.5.0, 2.6.0, 2.6.1
CVE-2019-2549	Oracle FLEXCUBE Direct Banking	Logoff Page	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.0.2
CVE-2019-2550	Oracle FLEXCUBE Direct Banking	Logoff Page	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	12.0.2

Additional CVEs addressed are below:

The fix for CVE-2018-14718 also addresses CVE-2018-12023, CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 6 new security fixes for Oracle Food and Beverage Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2401	Oracle Hospitality Reporting and Analytics	Admin	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.1.0
CVE-2019-2402	Oracle Hospitality Simphony	Client Application Loader	HTTP	Yes	7.7	Network	High	None	None	Un- changed	High	High	Low	2.10
CVE-2019-2425	Oracle Hospitality Reporting and Analytics	Report	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	9.1.0
CVE-2019-2403	Oracle Hospitality Simphony	Enterprise Management Console	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	2.10
CVE-2019-2407	Oracle Hospitality Reporting and Analytics	Report	None	No	6.1	Local	Low	Low	None	Un- changed	High	Low	None	9.1.0
CVE-2019-2397	Oracle Hospitality Reporting and Analytics	Report	None	No	4.4	Local	Low	Low	None	Un- changed	Low	Low	None	9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 62 new security fixes for Oracle Fusion Middleware. 57 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the January 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2466391.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Fusion Middleware MapViewer	Install (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2017-5645	Oracle GoldenGate Application Adapters	Application Adapters (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.2.1.1
CVE-2018-1275	Oracle Service Architecture Leveraging Tuxedo	Internal Operations (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.2.0.0
CVE-2017-5645	Oracle SOA Suite	Installation & Templates (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.1.3.0
CVE-2015-1832	Oracle WebLogic Server	Third Party Tools (Apache Derby)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	12.2.1.3
CVE-2018-14718	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2019-2414	Oracle HTTP Server	Web Listener	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	12.2.1.3
CVE-2018-0732	Oracle API Gateway	Oracle API Gateway (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	11.1.2.4.0
CVE-2018-1000180	Oracle Business Process Management Suite	Runtime Engine (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-0732	Oracle Endeca Server	Third Party (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.7.0
CVE-2018-1000180	Oracle Enterprise Repository	Security Subsystem – 12c (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0
CVE-2019-2467	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2468	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2473	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2474	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2475	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2476	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2477	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2479	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3	See Note 1
CVE-2017-13745	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3	See Note 1
CVE-2016-9392	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3	See Note 1
CVE-2018-1000180	Oracle WebCenter Portal	Security Framework (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.1.9.0, 12.2.1.3.0
CVE-2018-1000180	Oracle WebLogic Server	WLS Core Components (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3
CVE-2019-2462	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2538	Oracle Managed File Transfer	MFT Runtime Server	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	19.1.0.0.0, 12.2.1.3.0
CVE-2019-2429	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2438	Oracle Web Cache	ESI/Partial Page Caching	HTTP	Yes	6.9	Network	High	None	Required	Changed	High	Low	None	11.1.1.9.0
CVE-2018-11775	Oracle Enterprise Repository	Security Subsystem (Apache ActiveMQ)	HTTP	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	12.1.3.0.0
CVE-2019-2452	Oracle WebLogic Server	WLS Core Components	HTTP	No	6.7	Network	Low	High	None	Un- changed	Low	High	High	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2019-2456	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2463	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2469	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	High	None	None	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2418	Oracle WebLogic Server	WLS Core Components	T3	Yes	6.5	Network	High	None	None	Changed	Low	Low	Low	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2015-9251	Oracle Business Process Management Suite	Runtime Engine (JQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2413	Oracle Reports Developer	Valid Session	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3
CVE-2017-14735	Oracle WebCenter Sites	Third Party Tools (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.8.0
CVE-2015-9251	Oracle WebLogic Server	Sample apps (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0, 12.2.1.3
CVE-2019-2395	Oracle WebLogic Server	WLS – Web Services	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	None	Low	10.3.6.0
CVE-2019-2457	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2458	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2459	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2460	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3	See Note 1
CVE-2019-2461	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2464	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3, 8.5.4	See Note 1
CVE-2019-2465	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3, 8.5.4	See Note 1
CVE-2019-2466	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3, 8.5.4	See Note 1
CVE-2019-2472	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2478	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2480	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3	See Note 1
CVE-2016-9583	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3	See Note 1
CVE-2016-9392	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3	See Note 1
CVE-2019-2427	Oracle WebCenter Portal	WebCenter Spaces Application	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	11.1.1.9.0, 12.2.1.3.0
CVE-2019-2441	Oracle WebLogic Server	Application Container – JavaEE	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.2.1.3
CVE-2018-3147	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	8.5.3, 8.5.4	See Note 1
CVE-2019-2398	Oracle WebLogic Server	WLS – Deployment	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2017-14229	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	3.1	Network	High	None	Required	Un- changed	None	None	Low	8.5.3	See Note 1

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The fix for CVE-2015-1832 also addresses CVE-2018-1313.
The fix for CVE-2016-9392 also addresses CVE-2016-9389.
The fix for CVE-2018-0732 also addresses CVE-2018-0737.
The fix for CVE-2018-1000180 also addresses CVE-2018-1000613 and CVE-2018-3246.
The fix for CVE-2018-1275 also addresses CVE-2018-1258, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
The fix for CVE-2018-14718 also addresses CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 6 new security fixes for Oracle Health Sciences Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-1258	Oracle Health Sciences Information Manager	Health Policy Engine (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.0
CVE-2018-1258	Oracle Healthcare Master Person Index	Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.0, 4.0
CVE-2019-2430	Oracle Argus Safety	Console	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.1, 8.2
CVE-2019-2431	Oracle Argus Safety	Console	HTTP	Yes	6.1	Network	High	None	Required	Changed	None	High	None	8.1, 8.2
CVE-2015-9251	Oracle Healthcare Foundation	Install (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.1, 7.2
CVE-2019-2432	Oracle Argus Safety	Login	HTTP	No	4.9	Network	High	Low	None	Changed	Low	Low	None	8.1, 8.2

Additional CVEs addressed are below:

The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Hospitality Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-5684	Oracle Hospitality Cruise Fleet Management	Corporate Access Module (Freeimage)	None	No	7.8	Local	Low	None	Required	Un- changed	High	High	High	9.0.10
CVE-2016-5684	Oracle Hospitality Cruise Shipboard Property Management System	SPMS Shared Libraries (Freeimage)	None	No	7.8	Local	Low	None	Required	Un- changed	High	High	High	8.0.8
CVE-2019-2411	Oracle Hospitality Cruise Shipboard Property Management System	SPMS Suite	TCP	No	7.6	Network	Low	Low	Required	Changed	None	Low	High	8.0.8
CVE-2019-2409	Oracle Hospitality Cruise Shipboard Property Management System	SPMS Suite	None	No	7.3	Local	Low	Low	Required	Changed	Low	Low	High	8.0.8
CVE-2019-2410	Oracle Hospitality Cruise Shipboard Property Management System	DGS RES Online, FMS Sender, FMS Receiver, OHC WPF Security	None	No	5.1	Local	Low	None	None	Un- changed	Low	Low	None	8.0.8

Additional CVEs addressed are below:

The fix for CVE-2016-5684 also addresses CVE-2015-0852.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Hyperion. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2415	Hyperion BI+	Foundation UI & Servlets	HTTP	No	4.3	Network	Low	High	Required	Un- changed	Low	Low	Low	11.1.2.4

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Insurance Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-1258	Oracle Insurance Calculation Engine	Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	10.2
CVE-2018-1258	Oracle Insurance Rules Palette	Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	10.0, 10.2
CVE-2018-8013	Oracle Insurance Policy Administration J2EE	User Interface (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	10.0, 10.2
CVE-2015-9251	Oracle Insurance Insbridge Rating and Underwriting	Framework (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.2, 5.4, 5.5
CVE-2017-14735	Oracle Insurance Policy Administration J2EE	Core (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.0, 10.2

Additional CVEs addressed are below:

The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.

Oracle Java SE Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2540	Java Advanced Management Console	Server	Multiple	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	Java Advanced Management Console: 2.12
CVE-2018-11212	Java SE	ImageIO (libjpeg)	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 7u201, 8u192, 11.0.1; Java SE Embedded: 8u191	See Note 1
CVE-2019-2426	Java SE	Networking	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 7u201, 8u192, 11.0.1; Java SE Embedded: 8u191	See Note 1
CVE-2019-2449	Java SE	Deployment	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	None	None	Low	Java SE: 8u192	See Note 2
CVE-2019-2422	Java SE	Libraries	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Java SE: 7u201, 8u192, 11.0.1; Java SE Embedded: 8u191	See Note 2

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle JD Edwards Products. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-8013	JD Edwards EnterpriseOne Tools	Web Runtime SEC (Apache Batik)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-0732	JD Edwards World Security	Security (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	A9.3, A9.3.1, A9.4

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2017-3738, CVE-2018-0733, CVE-2018-0737 and CVE-2018-0739.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 30 new security fixes for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-10933	MySQL Workbench	MySQL Workbench (libssh)	MySQL Workbench	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	8.0.13 and prior
CVE-2019-2435	MySQL Connectors	Connector/Python	TLS	Yes	8.1	Network	Low	None	Required	Un- changed	High	High	None	8.0.13 and prior, 2.1.8 and prior
CVE-2018-0732	MySQL Workbench	MySQL Workbench (OpenSSL)	MySQL Workbench	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2534	MySQL Server	Server: Replication	MySQL Protocol	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2533	MySQL Server	Server : Security : Privileges	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	8.0.13 and prior
CVE-2019-2529	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2482	MySQL Server	Server: PS	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2434	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2455	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2503	MySQL Server	Server: Connection Handling	MySQL Protocol	No	6.4	Adjacent Network	High	Low	None	Un- changed	High	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2436	MySQL Server	Server: Replication	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	8.0.13 and prior
CVE-2018-0734	MySQL Server	Server: Packaging (OpenSSL)	MySQL Protocol	No	5.1	Local	High	None	None	Un- changed	High	None	None	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2536	MySQL Server	Server: Packaging	MySQL Protocol	No	5.0	Local	High	High	Required	Changed	None	None	High	8.0.13 and prior
CVE-2019-2502	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2510	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2539	MySQL Server	Server: Connection	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2494	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2495	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2537	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2420	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2481	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2507	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2530	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2528	MySQL Server	Server: Partition	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2531	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2486	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2532	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2535	MySQL Server	Server: Options	MySQL Protocol	No	4.1	Local	High	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2513	MySQL Server	Shell	None	No	2.5	Local	High	Low	Required	Changed	Low	None	None	8.0.13 and prior
CVE-2018-0732	MySQL Enterprise Monitor	Monitoring: General (OpenSSL)	None	No	0.0	Local	Low	None	None	Un- changed	None	None	None	8.0.13 and prior, 4.0.7 and prior	See Note 1

Notes:

MySQL Enterprise Monitor is not vulnerable to this CVE because it does not use the TLS functionality included in OpenSSL. The CVSS v3.0 Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.
The fix for CVE-2018-0734 also addresses CVE-2018-5407.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 20 new security fixes for Oracle PeopleSoft Products. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2416	PeopleSoft Enterprise PeopleTools	Application Server	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.55, 8.56, 8.57
CVE-2018-1000300	PeopleSoft Enterprise PeopleTools	File Processing (cURL)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	8.55, 8.56, 8.57
CVE-2019-2405	PeopleSoft Enterprise PeopleTools	Security	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	8.55, 8.56, 8.57
CVE-2018-0732	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.55, 8.56, 8.57
CVE-2019-2433	PeopleSoft Enterprise PeopleTools	XML Publisher	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.55, 8.56, 8.57
CVE-2019-2443	PeopleSoft Enterprise PeopleTools	XML Publisher	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.55, 8.56, 8.57
CVE-2019-2417	PeopleSoft Enterprise PeopleTools	Performance Monitor	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2421	PeopleSoft Enterprise HCM eProfile Manager Desktop	Guided Self Service	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2442	PeopleSoft Enterprise PeopleTools	Fluid Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2015-9251	PeopleSoft Enterprise PeopleTools	Mobile Application Platform (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2423	PeopleSoft Enterprise PeopleTools	PIA Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2499	PeopleSoft Enterprise PeopleTools	PIA Search Functionality	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2439	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2471	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2519	PeopleSoft Enterprise SCM eProcurement	Manage Requisition Status	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2419	PeopleSoft Enterprise CC Common Application Objects	Form and Approval Builder	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	9.2	See Note 1
CVE-2019-2404	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.55, 8.56, 8.57
CVE-2019-2490	PeopleSoft Enterprise PeopleTools	Panel Processor	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	8.55, 8.56, 8.57
CVE-2019-2408	PeopleSoft Enterprise PeopleTools	Feeds	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	8.55, 8.56, 8.57
CVE-2019-2493	PeopleSoft Enterprise CS Campus Community	Frameworks	HTTP	Yes	3.1	Network	High	None	Required	Un- changed	None	Low	None	9.0, 9.2

Notes:

This Enterprise Common Component is used by all PeopleSoft Application products. Please refer to the MOS Note Doc ID 2493366.1 for patch information.

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.
The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 16 new security fixes for Oracle Retail Applications. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Retail Back Office	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.3, 13.4, 14.0, 14.1
CVE-2016-1000031	Oracle Retail Central Office	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.3, 13.4, 14.0, 14.1
CVE-2016-1000031	Oracle Retail Returns Management	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.3, 13.4, 14.0, 14.1
CVE-2016-1000031	Oracle Retail Service Backbone	Install (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.1, 13.2, 14.0, 14.1, 15.0, 16.0
CVE-2017-7658	Oracle Retail Xstore Payment	Security (Jetty)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.3
CVE-2018-1258	Oracle Retail Customer Insights	Other (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	15.0, 16.0
CVE-2018-3311	Oracle Retail Xstore Payment	Security	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	3.3
CVE-2018-1000180	Oracle Retail Convenience and Fuel POS Software	Point of Sale (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	2.8.1
CVE-2018-8013	Oracle Retail Integration Bus	RIB Kernel (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	17.0
CVE-2018-3125	Oracle Retail Merchandising System	Security (SQL Logger)	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	14.1
CVE-2017-14735	Oracle Retail Back Office	Security (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.3, 13.4, 14.0, 14.1
CVE-2017-14735	Oracle Retail Central Office	Security (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.3, 13.4, 14.0, 14.1
CVE-2015-9251	Oracle Retail Customer Insights	Other (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0, 16.0
CVE-2017-14735	Oracle Retail Returns Management	Security (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.3, 13.4, 14.0, 14.1
CVE-2015-9251	Oracle Retail Sales Audit	Operational Insights (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0
CVE-2015-9251	Oracle Retail Workforce Management Software	Framework (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	1.60.9, 1.64.0

Additional CVEs addressed are below:

The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-3311 also addresses CVE-2015-4760.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Siebel CRM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-9206	Siebel UI Framework	UIF Open UI (jQuery FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	18.10, 18.11

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 11 new security fixes for the Oracle Sun Systems Products Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Tape Library ACSLS	Software (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.4
CVE-2018-1275	Tape Library ACSLS	Software (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.4
CVE-2016-0635	Tape Library ACSLS	Software (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.4
CVE-2019-2541	Oracle Solaris	DHCP Client	DHCP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	10
CVE-2019-2437	Oracle Solaris	Kernel	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	11
CVE-2019-2412	Sun ZFS Storage Appliance Kit (AK)	Object Store	None	No	6.4	Local	High	High	None	Un- changed	High	High	High	prior to 8.8.2
CVE-2018-3646	Oracle Solaris	Kernel	None	No	5.6	Local	High	Low	None	Changed	High	None	None	11
CVE-2018-3639	Oracle Solaris	Kernel	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	11
CVE-2019-2543	Oracle Solaris	Kernel	KSSL	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	10, 11
CVE-2019-2544	Oracle Solaris	Kernel	None	No	4.0	Local	Low	None	None	Un- changed	Low	None	None	10, 11
CVE-2019-2545	Oracle Solaris	LDoms IO	None	No	4.0	Local	Low	None	None	Un- changed	None	None	Low	10, 11

Additional CVEs addressed are below:

The fix for CVE-2018-1275 also addresses CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 5 new security fixes for the Oracle Supply Chain Products Suite. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-8965	Oracle Agile PLM	Gantt Chart (JViews)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2018-0732	Oracle Agile Engineering Data Management	Install (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	6.1.3, 6.2.0, 6.2.1
CVE-2019-2487	Oracle Transportation Management	UI Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	6.3.7, 6.4.1, 6.4.2, 6.4.3
CVE-2017-14735	Oracle Agile PLM	Security (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.3.4, 9.3.5
CVE-2015-9251	Oracle Agile Product Lifecycle Management for Process	Supplier Portal (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0, 6.2.3.1

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.

Oracle Support Tools Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-0732	OSS Support Tools	Services Tools Bundle (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	prior to 19.1

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Utilities Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-4000	Oracle Utilities Network Management System	System wide (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.12.0.3, 2.3.0.0, 2.3.0.1, 2.3.0.2
CVE-2015-9251	Oracle Utilities Framework	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	4.3.0.1-4.3.0.4

Additional CVEs addressed are below:

The fix for CVE-2016-4000 also addresses CVE-2018-1000180 and CVE-2018-1000613.

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 30 new security fixes for Oracle Virtualization. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2500	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2524	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2552	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2018-3309	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	prior to 5.2.22
CVE-2019-2520	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2521	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2522	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2523	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2526	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2548	Oracle VM VirtualBox	Core	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2018-11763	Oracle Secure Global Desktop (SGD)	Web Server (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	5.4
CVE-2019-2511	Oracle VM VirtualBox	Core	SOAP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2508	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2509	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2527	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	prior to 5.2.26, prior to 6.0.4
CVE-2019-2450	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2451	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2555	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2554	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2556	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2018-11784	Oracle Secure Global Desktop (SGD)	Application Server (Apache Tomcat)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.4
CVE-2018-0734	Oracle VM VirtualBox	Core (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	prior to 5.2.24, prior to 6.0.0
CVE-2019-2525	Oracle VM VirtualBox	Core	None	No	5.6	Local	High	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2446	Oracle VM VirtualBox	Core	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2448	Oracle VM VirtualBox	Core	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2501	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2504	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2505	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2506	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2553	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	prior to 5.2.24, prior to 6.0.2

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.

No Related Posts

Oracle Critical Patch Update Advisory – October 2018

October 15, 2018October 20, 2019 Oracle Leave a comment

Oracle Database Server Risk Matrix

This Critical Patch Update contains 7 new security fixes for the Oracle Database Server divided as follows:

3 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
1 new security fix for Oracle Big Data Graph. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
3 new security fixes for Oracle GoldenGate. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-3259	Java VM	None	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2018-3299	Oracle Text	None	Multiple	Yes	8.2	Network	Low	None	Required	Changed	None	Low	High	11.2.0.4, 12.1.0.2, 12.2.0.1
CVE-2018-7489	Rapid Home Provisioning	RHP User	HTTP	No	2.3	Adjacent Network	High	Low	Required	Un- changed	None	None	Low	18c

Additional CVEs addressed are below:

The fix for CVE-2018-7489 also addresses CVE-2017-15095.

Oracle Big Data Graph Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Big Data Graph. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-6814	Spatial	Big Data Graph (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	2.0, 2.1, 2.2

Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle GoldenGate. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2913	Oracle GoldenGate	Monitoring Manager	TCP	Yes	10.0	Network	Low	None	None	Changed	High	High	High	12.1.2.1.0, 12.2.0.2.0, 12.3.0.1.0	See Note 1
CVE-2018-2912	Oracle GoldenGate	Manager	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.2.1.0, 12.2.0.2.0, 12.3.0.1.0
CVE-2018-2914	Oracle GoldenGate	Manager	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.2.1.0, 12.2.0.2.0, 12.3.0.1.0

Notes:

For Linux and Windows platforms, the CVSS score is 9.0 with Access Complexity as High. For all other platforms, the cvss score is 10.0.

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Communications Applications. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-0235	Oracle Communications Application Session Controller	Security (Glibc)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 3.7.1M0
CVE-2017-5645	Oracle Communications Messaging Server	Convergence (Apache Log4J)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 8.0.2
CVE-2016-0729	Oracle Communications User Data Repository	Security (Apache Xerces)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 12.2.0
CVE-2015-7501	Oracle Communications Application Session Controller	Security (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to 3.7.1M0
CVE-2015-7501	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to 10.2.1
CVE-2016-0635	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to 10.2.1
CVE-2016-1182	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Apache Struts 1)	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	Prior to 10.2.0
CVE-2017-15095	Oracle Communications Instant Messaging Server	Security (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Prior to 10.0.1
CVE-2018-8013	Oracle Communications MetaSolv Solution	Print preview, Gateway Events (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	6.3.0
CVE-2016-5080	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Objective System ASN1C)	Multiple	No	7.2	Network	Low	High	None	Un- changed	High	High	High	Prior to 10.2.1
CVE-2016-5019	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Apache Trinidad)	HTTP	No	6.7	Network	Low	High	None	Un- changed	Low	High	High	Prior to 10.2.1
CVE-2016-2107	Oracle Communications Application Session Controller	Security (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Prior to 3.7.1M0
CVE-2017-3736	Oracle Communications Performance Intelligence Center (PIC) Software	Security (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Prior to 10.2.1
CVE-2014-3490	Oracle Communications Performance Intelligence Center (PIC) Software	Security (resteasy-jaxrs)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Prior to 10.2.0

Additional CVEs addressed are below:

The fix for CVE-2015-0235 also addresses CVE-2014-7817.
The fix for CVE-2016-0729 also addresses CVE-2015-0252.
The fix for CVE-2016-1182 also addresses CVE-2012-1007, CVE-2014-0014 and CVE-2016-1181.
The fix for CVE-2017-15095 also addresses CVE-2017-7525.
The fix for CVE-2017-3736 also addresses CVE-2017-3735.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 10 new security fixes for the Oracle Construction and Engineering Suite. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-1275	Primavera Gateway	Web Access (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.2, 16.2, 17.12
CVE-2018-7489	Primavera Gateway	Web Access (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.2, 16.2, 17.12
CVE-2018-12023	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	15.1, 15.2, 16.1, 16.2, 17.1-17.12, 18.1-18.8
CVE-2018-8013	Instantis EnterpriseTrack	Generic (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	17.1, 17.2, 17.3
CVE-2018-1305	Instantis EnterpriseTrack	Generic (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	17.1, 17.2, 17.3
CVE-2015-9251	Primavera Gateway	Admin (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.2, 16.2, 17.12
CVE-2018-3241	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4, 15.1, 15.2, 16.1, 16.2, 17.7 – 17.12, 18.8
CVE-2018-3281	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4, 15.1, 15.2, 16.1, 16.2, 17.7 – 17.12, 18.8
CVE-2018-3148	Primavera Unifier	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.1, 15.2, 16.1, 16.2, 17.1-17.12, 18.1-18.8
CVE-2018-11039	Primavera P6 Enterprise Project Portfolio Management	Web Access (Spring Framework)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	18.8

Additional CVEs addressed are below:

The fix for CVE-2018-1275 also addresses CVE-2018-1258.
The fix for CVE-2018-7489 also addresses CVE-2017-15095 and CVE-2018-12023.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 16 new security fixes for the Oracle E-Business Suite. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2018), My Oracle Support Note 2445688.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-3138	Oracle Application Object Library	Attachments / File Upload	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3243	Oracle Applications Framework	None	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2018-3235	Oracle Applications Manager	None	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3189	Oracle Customer Interaction History	Outcome-Result	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2018-3190	Oracle E-Business Intelligence	Overview Page/Report Rendering	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2018-3188	Oracle iStore	Web interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3242	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3196	Oracle Partner Management	Partner Dashboard	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3011	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3151	Oracle iProcurement	E-Content Manager Catalog	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3236	Oracle User Management	Reports	HTTP	No	6.5	Network	Low	High	None	Un- changed	High	High	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3167	Application Management Pack for Oracle E-Business Suite	User Monitoring	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3244	Oracle Application Object Library	Attachments / File Upload	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3237	Oracle Applications Manager	Support Cart	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3256	Oracle Email Center	Message Display	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2971	Oracle Applications Framework	REST Services	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 4 new security fixes for the Oracle Enterprise Manager Products Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2433477.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-4000	Enterprise Manager Ops Center	Networking (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.2, 12.3.3
CVE-2017-5645	Oracle Configuration Manager	Collector of Config and Diag (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.2.0.2, 12.1.2.0.5
CVE-2018-1258	Enterprise Manager for MySQL Database	EM Plugin: General (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	13.2
CVE-2018-0739	Enterprise Manager Base Platform	Discovery Framework (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	12.1.0.5, 13.2

Additional CVEs addressed are below:

The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Financial Services Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-12023	Oracle Banking Platform	Infrastructure (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.5.0, 2.6.0, 2.6.1, 2.6.2
CVE-2015-9251	Oracle Banking Platform	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.6.0, 2.6.1, 2.6.2

Additional CVEs addressed are below:

The fix for CVE-2018-12023 also addresses CVE-2018-11307 and CVE-2018-12022.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 4 new security fixes for Oracle Food and Beverage Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-3128	Oracle Hospitality Reporting and Analytics	Report	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.0, 9.1
CVE-2018-3131	Oracle Hospitality Gift and Loyalty	Report	None	No	6.1	Local	Low	Low	None	Un- changed	High	Low	None	9.0, 9.1
CVE-2015-9251	Oracle Hospitality Materials Control	MobileAuthWebService (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.1
CVE-2017-5715	MICROS PC Workstation 2015	BIOS	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 01.3.0.2i

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 65 new security fixes for Oracle Fusion Middleware. 56 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the October 2018 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2433477.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	BI Publisher (formerly XML Publisher)	BI Publisher Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2017-5645	Oracle API Gateway	Oracle API Gateway (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.4.0
CVE-2018-1275	Oracle Big Data Discovery	Data Processing (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.6.0
CVE-2018-1275	Oracle GoldenGate for Big Data	Other issues (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.0.1, 12.3.1.1, 12.3.2.1
CVE-2017-5645	Oracle Identity Analytics	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.5.8
CVE-2017-5645	Oracle Identity Management Suite	Suite Level Patch Issues (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.3.0, 12.2.1.3.0
CVE-2017-15095	Oracle Identity Manager	Installer (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.3.0, 12.2.1.3.0
CVE-2018-3191	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2018-3197	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0
CVE-2018-3201	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3
CVE-2018-3245	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2018-3252	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2018-1258	Oracle Endeca Information Discovery Integrator	Other Issues (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.1.0, 3.2.0
CVE-2018-1258	Oracle WebLogic Server	Sample apps (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2018-2911	Oracle GlassFish Server	Java Server Faces	HTTP	Yes	8.3	Network	Low	None	Required	Un- changed	High	High	Low	3.1.2
CVE-2016-1182	Oracle Adaptive Access Manager	OAAM Server (Apache Struts 1)	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	11.1.1.7.0, 11.1.2.3.0
CVE-2018-3204	Oracle Business Intelligence Enterprise Edition	Analytics Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.2.1.3.0
CVE-2016-1182	Oracle Real-Time Decision Server	Platform Installation (Apache Struts 1)	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	3.2.1
CVE-2017-7805	Oracle Directory Server Enterprise Edition	Admin Console (Sun Security Libraries)	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	11.1.1.7
CVE-2018-3152	Oracle GlassFish Server	Administration	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.1.2
CVE-2018-1000300	Oracle HTTP Server	Web Listener (curl)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.2.1.3
CVE-2018-0732	Oracle Tuxedo	Docs-ATMI-IB (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.1.0
CVE-2018-3246	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0, 12.2.1.3
CVE-2018-3213	Oracle WebLogic Server	Docker Images	T3	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	prior to Docker 12.2.1.3.20180913
CVE-2018-8013	Oracle Business Intelligence Enterprise Edition	Oracle Business Intelligence Enterprise Edition (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2018-8013	Oracle Enterprise Repository	Security Subsystem – 12c (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	11.1.1.7.0, 12.1.3.0.0
CVE-2018-3179	Oracle Identity Manager	Advanced Console	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	None	Low	11.1.2.3.0, 12.2.1.3.0
CVE-2018-3168	Oracle Identity Analytics	Core Components	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	11.1.1.5.8
CVE-2018-3217	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	Low	None	8.5.3, 8.5.4	See Note 1
CVE-2018-3218	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	Low	None	8.5.3, 8.5.4	See Note 1
CVE-2018-3219	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2018-3220	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2018-3221	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-3302	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-3222	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-3223	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-3224	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-3225	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-3226	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-3227	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-3228	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-3229	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-3230	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-3231	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-3232	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-3233	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-3234	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-18223	Oracle Outside In Technology	Outside In Filters (ODA Module)	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-18224	Oracle Outside In Technology	Outside In Filters (ODA Module)	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2018-3238	Oracle WebCenter Sites	Advanced UI	HTTP	No	6.9	Network	Low	High	Required	Changed	High	Low	None	11.1.1.8.0
CVE-2018-0739	Oracle Endeca Server	Product Code (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	7.6.1, 7.7.0
CVE-2018-1305	Oracle WebCenter Sites	Advanced UI (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	11.1.1.8.0, 12.2.1.3.0
CVE-2018-3249	Oracle WebLogic Server	WLS – Web Services	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	10.3.6.0
CVE-2018-3248	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	10.3.6.0
CVE-2015-9251	Oracle Endeca Information Discovery Studio	Studio (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.1.0, 3.2.0
CVE-2017-14735	Oracle Fusion Middleware MapViewer	Install (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0, 12.2.1.3
CVE-2015-9251	Oracle Service Bus	OSB Core Functionality (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0
CVE-2015-9251	Oracle WebCenter Sites	Advanced UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.8.0
CVE-2018-3250	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0
CVE-2018-3215	Oracle Endeca Information Discovery Integrator	Integrator ETL	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	3.1.0, 3.2.0
CVE-2018-3210	Oracle GlassFish Server	Java Server Faces	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	3.1.2
CVE-2018-3254	Oracle WebCenter Portal	WebCenter Spaces Application	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0
CVE-2018-3253	Oracle Virtual Directory	Virtual Directory Manager	HTTP	No	8.5	Network	High	Low	None	Changed	High	High	High	11.1.1.7.0, 11.1.1.9.0
CVE-2018-3147	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	8.5.3, 8.5.4	See Note 1
CVE-2018-2902	Oracle WebLogic Server	Console	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	10.3.6.0, 12.1.3.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The fix for CVE-2016-1182 also addresses CVE-2014-0114 and CVE-2016-1181.
The fix for CVE-2017-15095 also addresses CVE-2017-7525 and CVE-2018-7489.
The fix for CVE-2018-0732 also addresses CVE-2018-0737.
The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-1275 also addresses CVE-2016-0635, CVE-2018-1258, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
The fix for CVE-2018-1305 also addresses CVE-2018-1304.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Health Sciences Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-9251	Oracle Healthcare Translational Research	Cohort Explorer (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.1.0

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 9 new security fixes for Oracle Hospitality Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-1258	Oracle Hospitality Guest Access	Base (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	4.2.0, 4.2.1
CVE-2018-3160	Oracle Hospitality Cruise Shipboard Property Management System	OHC Admin, OHC Management	None	No	7.7	Local	Low	High	Required	Changed	High	High	High	8.0
CVE-2018-3158	Oracle Hospitality Cruise Fleet Management	Emergency Response System	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	9.0
CVE-2018-3163	Oracle Hospitality Cruise Fleet Management	Emergency Response System	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	9.0
CVE-2018-3166	Oracle Hospitality Cruise Fleet Management	Emergency Response System	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	9.0
CVE-2018-1305	Oracle Hospitality Guest Access	Base (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	4.2.0, 4.2.1
CVE-2018-3159	Oracle Hospitality Cruise Fleet Management	Sender and Receiver	None	No	6.1	Local	Low	Low	None	Un- changed	High	Low	None	9.0
CVE-2015-9251	Oracle Hospitality Guest Access	Base (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	4.2.0, 4.2.1
CVE-2018-3181	Oracle Hospitality Cruise Shipboard Property Management System	OHC ENOAD	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	8.0

Additional CVEs addressed are below:

The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-1305 also addresses CVE-2018-1304.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 9 new security fixes for Oracle Hyperion. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-3208	Hyperion Data Relationship Management	Access and Security	HTTP	No	7.7	Network	Low	Low	None	Changed	High	None	None	11.1.2.4.345
CVE-2018-3142	Hyperion Essbase Administration Services	EAS Console	HTTP	No	7.7	Network	Low	Low	None	Changed	High	None	None	11.1.2.4
CVE-2018-3175	Hyperion Common Events	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.2.4
CVE-2018-3176	Hyperion Common Events	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.2.4
CVE-2018-3177	Hyperion Common Events	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.2.4
CVE-2018-3178	Hyperion Common Events	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.2.4
CVE-2018-3140	Hyperion Essbase Administration Services	EAS Console	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.2.4
CVE-2018-3141	Hyperion Essbase Administration Services	EAS Console	HTTP	Yes	5.8	Network	Low	None	None	Changed	None	Low	None	11.1.2.4
CVE-2018-3184	Hyperion BI+	IQR – Foundation Services	HTTP	No	2.4	Network	Low	High	Required	Un- changed	Low	None	None	11.1.2.4

Oracle iLearning Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-3146	Oracle iLearning	Learner Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	6.1, 6.2

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Insurance Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Insurance Calculation Engine	Calculation engine (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.1.1, 10.2.1
CVE-2018-1275	Oracle Insurance Calculation Engine	Calculation engine (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.1.1, 10.2.1
CVE-2017-5645	Oracle Insurance Rules Palette	Rules Palette (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0, 10.1, 10.2, 11.0, 11.1
CVE-2018-1275	Oracle Insurance Rules Palette	Rules Palette (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0, 10.1, 10.2, 11.0, 11.1
CVE-2018-8013	Oracle Insurance Calculation Engine	Architecture (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	10.1.1, 10.2.1

Additional CVEs addressed are below:

The fix for CVE-2018-1275 also addresses CVE-2018-1270.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 12 new security fixes for Oracle Java SE. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-3183	Java SE, Java SE Embedded, JRockit	Scripting	Multiple	Yes	9.0	Network	High	None	None	Changed	High	High	High	Java SE: 8u181, 11; Java SE Embedded: 8u181; JRockit: R28.3.19	See Note 1
CVE-2018-3209	Java SE	JavaFX	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 8u181	See Note 2
CVE-2018-3169	Java SE, Java SE Embedded	Hotspot	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u191, 8u181, 11; Java SE Embedded: 8u181	See Note 2
CVE-2018-3149	Java SE, Java SE Embedded, JRockit	JNDI	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 6u201, 7u191, 8u181, 11; Java SE Embedded: 8u181; JRockit: R28.3.19	See Note 1
CVE-2018-3211	Java SE, Java SE Embedded	Serviceability	None	No	6.6	Local	Low	Low	Required	Un- changed	High	High	None	Java SE: 8u181, 11; Java SE Embedded: 8u181	See Note 3
CVE-2018-3180	Java SE, Java SE Embedded, JRockit	JSSE	SSL/TLS	Yes	5.6	Network	High	None	None	Un- changed	Low	Low	Low	Java SE: 6u201, 7u191, 8u181, 11; Java SE Embedded: 8u181; JRockit: R28.3.19	See Note 1
CVE-2018-3214	Java SE, Java SE Embedded, JRockit	Sound	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 6u201, 7u191, 8u181; Java SE Embedded: 8u181; JRockit: R28.3.19	See Note 1
CVE-2018-3157	Java SE	Sound	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 11	See Note 4
CVE-2018-3150	Java SE	Utility	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	Low	None	Java SE: 11	See Note 4
CVE-2018-13785	Java SE, Java SE Embedded	Deployment (libpng)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 6u201, 7u191, 8u181, 11; Java SE Embedded: 8u181	See Note 2
CVE-2018-3136	Java SE, Java SE Embedded	Security	Multiple	Yes	3.4	Network	High	None	Required	Changed	None	Low	None	Java SE: 6u201, 7u191, 8u181, 11; Java SE Embedded: 8u181	See Note 2
CVE-2018-3139	Java SE, Java SE Embedded	Networking	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Java SE: 6u201, 7u191, 8u181, 11; Java SE Embedded: 8u181	See Note 2

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). This vulnerability can only be exploited when Java Usage Tracker functionality is being used.
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Additional CVEs addressed are below:

The fix for CVE-2018-13785 also addresses CVE-2018-14048.

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 6 new security fixes for Oracle JD Edwards Products. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-7489	JD Edwards EnterpriseOne Orchestrator	IoT Orchestrator Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-7489	JD Edwards EnterpriseOne Tools	EnterpriseOne Mobility (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-7489	JD Edwards EnterpriseOne Tools	Web Runtime (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2017-15095	JD Edwards EnterpriseOne Tools	Business Logic Inf (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2017-15095	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2018-0739	JD Edwards EnterpriseOne Tools	Enterprise Infrastructure (OpenSSL)	JDENET	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	9.2

Additional CVEs addressed are below:

The fix for CVE-2017-15095 also addresses CVE-2017-7525.
The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
The fix for CVE-2018-7489 also addresses CVE-2017-15095 and CVE-2017-7525.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 38 new security fixes for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-11776	MySQL Enterprise Monitor	Monitoring: General (Apache Struts 2)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior
CVE-2018-8014	MySQL Enterprise Monitor	Monitoring: General (Apache Tomcat)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior
CVE-2018-3258	MySQL Connectors	Connector/J	X Protocol	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.0.12 and prior
CVE-2018-1258	MySQL Enterprise Monitor	Monitoring: General (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior
CVE-2016-9843	MySQL Server	InnoDB (zlib)	MySQL Protocol	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3155	MySQL Server	Server: Parser	MySQL Protocol	No	7.7	Network	Low	Low	None	Changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3143	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3156	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3251	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3182	MySQL Server	Server: DML	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3137	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3203	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3133	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3145	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3144	MySQL Server	Server: Security: Audit	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3185	MySQL Server	InnoDB	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3195	MySQL Server	Server: DDL	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	8.0.12 and prior
CVE-2018-3247	MySQL Server	Server: Merge	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3187	MySQL Server	Server: Optimizer	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3174	MySQL Server	Client programs	MySQL Protocol	No	5.3	Local	High	High	None	Changed	None	None	High	5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3171	MySQL Server	Server: Partition	MySQL Protocol	No	5.0	Network	High	High	None	Un- changed	None	Low	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3277	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3162	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3173	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3200	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3170	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3212	MySQL Server	Server: Information Schema	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3280	MySQL Server	Server: JSON	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3276	MySQL Server	Server: Memcached	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3186	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3161	MySQL Server	Server: Partition	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3278	MySQL Server	Server: RBR	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3279	MySQL Server	Server: Security: Roles	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3282	MySQL Server	Server: Storage Engines	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3285	MySQL Server	Server: Windows	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3284	MySQL Server	InnoDB	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3283	MySQL Server	Server: Logging	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3286	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	8.0.12 and prior

Additional CVEs addressed are below:

The fix for CVE-2016-9843 also addresses CVE-2016-9840, CVE-2016-9841 and CVE-2016-9842.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-8014 also addresses CVE-2018-1304, CVE-2018-1305, CVE-2018-8034 and CVE-2018-8037.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 24 new security fixes for Oracle PeopleSoft Products. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-9798	PeopleSoft Enterprise PeopleTools	PeopleSoft CDA (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.55, 8.56
CVE-2018-3192	PeopleSoft Enterprise PeopleTools	Query	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.55, 8.56
CVE-2018-3165	PeopleSoft Enterprise PeopleTools	SQR	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.55, 8.56
CVE-2018-0739	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	8.55, 8.56, 8.57
CVE-2018-3193	PeopleSoft Enterprise PeopleTools	Activity Guide	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3194	PeopleSoft Enterprise PeopleTools	Activity Guide	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3164	PeopleSoft Enterprise PeopleTools	Elastic Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3255	PeopleSoft Enterprise PeopleTools	Fluid Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2018-3301	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3153	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2018-3257	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3154	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3206	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3207	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3132	PeopleSoft Enterprise PeopleTools	Rich Text Editor	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3205	PeopleSoft Enterprise PeopleTools	Workflow	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2018-3130	PeopleSoft Enterprise Interaction Hub	Application Portal	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	9.1.0.0
CVE-2018-3239	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.55, 8.56
CVE-2018-3261	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.55, 8.56, 8.57
CVE-2018-3202	PeopleSoft Enterprise PeopleTools	Performance Monitor	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.55, 8.56
CVE-2018-3198	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.55, 8.56, 8.57
CVE-2018-3135	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	8.55, 8.56
CVE-2018-3262	PeopleSoft Enterprise PeopleTools	Stylesheet	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	8.55, 8.56, 8.57
CVE-2018-3129	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	8.55, 8.56, 8.57

Additional CVEs addressed are below:

The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 31 new security fixes for Oracle Retail Applications. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	MICROS Relate CRM Software	Web Services (Apache Commons)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.8, 11.4
CVE-2018-7489	Oracle Retail Allocation	General (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2018-7489	Oracle Retail Assortment Planning	Application Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0
CVE-2016-1000031	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations (Apache Commons)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.0, 17.0
CVE-2017-5645	Oracle Retail Extract Transform and Load	Mathematical Operators (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.0, 13.1, 13.2
CVE-2018-7489	Oracle Retail Invoice Matching	Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2017-5645	Oracle Retail Open Commerce Platform	Framework (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.3.0, 6.0.0, 6.0.1
CVE-2017-5533	Oracle Retail Open Commerce Platform	Framework (JasperReports)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.3.0, 6.0.0, 6.0.1
CVE-2018-1275	Oracle Retail Open Commerce Platform	Framework (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.3.0, 6.0.0, 6.0.1
CVE-2017-5533	Oracle Retail Order Broker	Order Broker Foundation (JasperReports)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.0
CVE-2018-1275	Oracle Retail Order Broker	System Administration (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.1, 5.2, 15.0, 16.0
CVE-2018-1275	Oracle Retail Predictive Application Server	RPAS Fusion Client (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1, 15.0, 16.0
CVE-2018-7489	Oracle Retail Sales Audit	Operational Insights (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2018-1258	MICROS Lucas	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	2.9.5
CVE-2018-1258	Oracle Retail Assortment Planning	Application Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	14.1, 15.0, 16.0
CVE-2018-1258	Oracle Retail Financial Integration	PeopleSoft Integration Bugs (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	13.2, 14.0, 14.1, 15.0, 16.0
CVE-2018-1258	Oracle Retail Integration Bus	RIB Kernal (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	14.1.2
CVE-2017-15095	Oracle Retail Open Commerce Platform	Framework (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	5.3.0, 6.0.0, 6.0.1
CVE-2018-3115	Oracle Retail Sales Audit	Operational Insights	HTTP	No	7.7	Network	High	Low	None	Changed	High	Low	Low	15.0, 16.0
CVE-2018-2889	MICROS Retail-J	Internal Operations	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.2
CVE-2018-8013	Oracle Retail Back Office	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	13.3, 13.4, 14, 14.1
CVE-2018-8013	Oracle Retail Central Office	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	14.1
CVE-2018-8013	Oracle Retail Order Broker	Upgrade Install (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	5.1, 5.2, 15.0, 16.0
CVE-2018-8013	Oracle Retail Point-of-Service	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	13.4, 14.0, 14.1
CVE-2018-8013	Oracle Retail Returns Management	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	14.1
CVE-2018-3122	Oracle Retail Open Commerce Platform	Integrations	HTTP	No	6.8	Network	High	Low	None	Un- changed	High	High	None	6.0, 6.0.1, 5.3
CVE-2018-3126	Oracle Retail Xstore Point of Service	Xenvironment	HTTP	No	6.6	Network	High	High	None	Un- changed	High	High	High	15.0.2, 16.0.4, 17.0.2
CVE-2018-7489	Oracle Retail Xstore Point of Service	Xenvironment (jackson-databind)	HTTP	No	6.6	Network	High	High	None	Un- changed	High	High	High	6.5.12, 7.0.7, 7.1.7, 15.0.2, 16.0.4, 17.0.2
CVE-2018-2887	MICROS Retail-J	Back Office	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	13.0.0, 12.1.2
CVE-2018-1305	MICROS XBRi	Retail (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	10.8.3, 10.8.2, 10.8.1, 10.7.0, 10.6.0, 10.5.0
CVE-2018-1305	Oracle Retail Order Broker	Upgrade Install (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	5.1, 5.2, 15.0

Additional CVEs addressed are below:

The fix for CVE-2017-5533 also addresses CVE-2017-5529.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-1275 also addresses CVE-2017-5529, CVE-2018-1258, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
The fix for CVE-2018-1305 also addresses CVE-2018-1304.
The fix for CVE-2018-7489 also addresses CVE-2017-7525, CVE-2018-11307 and CVE-2018-12022.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle Siebel CRM. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Siebel UI Framework	EAI (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	18.7, 18.8, 18.9
CVE-2018-1305	Siebel Apps – Marketing	Mktg/Campaign Mgmt (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	18.7, 18.8, 18.9
CVE-2018-3059	Siebel UI Framework	UIF Open UI	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.7, 18.8, 18.9

Additional CVEs addressed are below:

The fix for CVE-2018-1305 also addresses CVE-2018-1304.

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 19 new security fixes for the Oracle Sun Systems Products Suite. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-7167	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (curl)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to XCP2352 and Prior to XCP3050
CVE-2016-7167	SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers	XCP Firmware (curl)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to XCP1123	See Note 1
CVE-2018-3273	Solaris	Remote Administration Daemon (RAD)	Multiple	Yes	8.1	Network	Low	None	Required	Un- changed	High	High	None	11.3
CVE-2016-5244	Solaris	Kernel	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.4
CVE-2018-3275	Solaris	LibKMIP	Multiple	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	11.3
CVE-2018-3272	Solaris	Kernel Zones Virtualized NIC Driver	None	No	6.2	Local	Low	None	None	Un- changed	None	None	High	11.3
CVE-2018-3274	Solaris	Kernel	SMB	No	5.7	Network	Low	Low	Required	Un- changed	None	None	High	11.3
CVE-2018-3263	Solaris	Sudo	Multiple	Yes	5.6	Network	High	None	None	Un- changed	Low	Low	Low	11.3
CVE-2015-6937	Solaris	Kernel	None	No	5.5	Local	Low	Low	None	Un- changed	None	None	High	11.4
CVE-2018-3267	Solaris	LFTP	FTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.3
CVE-2018-3271	Solaris	Kernel Zones	None	No	5.3	Local	High	High	None	Changed	None	None	High	11.3
CVE-2018-3172	Solaris	RPC	Portmap v3	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	10, 11.4
CVE-2018-3268	Solaris	SMB Server	SMB	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	11.3
CVE-2018-3265	Solaris	Zones	None	No	4.9	Local	High	None	None	Un- changed	Low	Low	Low	11.3
CVE-2018-3264	Solaris	Kernel	None	No	4.4	Local	Low	Low	None	Un- changed	None	Low	Low	11.3
CVE-2018-3269	Solaris	SMB Server	SMB	No	4.3	Network	Low	Low	None	Un- changed	None	None	Low	11.3
CVE-2018-3266	Solaris	Verified Boot	None	No	3.9	Local	High	High	None	Un- changed	Low	Low	Low	11.3
CVE-2018-2922	Solaris	Kernel	None	No	2.5	Local	High	Low	None	Un- changed	Low	None	None	11.3
CVE-2018-3270	Solaris	Kernel	None	No	1.8	Local	High	High	Required	Un- changed	None	None	Low	11.3

Notes:

SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers are not affected by CVE-2017-7407 and CVE-2016-7141.

Additional CVEs addressed are below:

The fix for CVE-2015-6937 also addresses CVE-2015-7990.
The fix for CVE-2016-7167 also addresses CVE-2015-3144, CVE-2015-3145, CVE-2015-3153, CVE-2015-3236, CVE-2015-3237, CVE-2016-0755, CVE-2016-3739, CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-7141, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-9586 and CVE-2017-7407.

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 6 new security fixes for the Oracle Supply Chain Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-1258	Oracle Agile PLM	Application Server (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2018-1305	Oracle Agile Engineering Data Management	Install (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	6.1.3, 6.2.0, 6.2.1
CVE-2018-1305	Oracle Agile PLM	Folders, Files & Attachments (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2018-1305	Oracle Transportation Management	Install (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	6.3.7
CVE-2018-3134	Oracle Agile Product Lifecycle Management for Process	User Group Management	None	No	5.0	Local	High	Low	Required	Un- changed	Low	High	None	6.2.0.0
CVE-2018-3127	Oracle Demantra Demand Management	Product Security	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	7.3.5, 12.2

Additional CVEs addressed are below:

The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-1305 also addresses CVE-2018-1304.

Oracle Support Tools Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-0739	OSS Support Tools	Services Tools Bundle (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	Prior to 18.4

Additional CVEs addressed are below:

The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Virtualization. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-3294	Oracle VM VirtualBox	Core	VRDP	No	9.0	Network	Low	Low	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3288	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3289	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3290	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3296	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3297	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-2909	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3298	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3291	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3292	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3293	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3295	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3287	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-0732	Oracle VM VirtualBox	Core (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to 5.2.20

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.

No Related Posts

Oracle Security Alert for CVE-2018-11776 – 31 August 2018

August 30, 2018October 20, 2019 Oracle Leave a comment

This Security Alert addresses CVE-2018-11776, a vulnerability in Apache Struts 2. CVE-2018-11776 has received a CVSS v3 base score of 9.8. When the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file, and an ACTION tag is specified without a namespace attribute or a wildcard namespace, this vulnerability can be used to perform an unauthenticated remote code execution attack which can lead to a complete compromise of the targeted system.

Products incorporating Struts 2 are not necessarily vulnerable. For a list of Oracle products, their statuses, and available patches, please refer to Security Alert CVE-2018-11776 Products and Versions. Oracle recommends that customers frequently review Security Alert CVE-2018-11776 Products and Versions and plan to apply the updates as soon as they are released by Oracle. The Security Alert CVE-2018-11776 Products and Versions page will be updated as new information becomes available.

Security Alert Supported Products and Versions

References

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle: None credited in this Security Alert.

Modification History

Date	Note
2018-August-31	Rev 1. Initial Release.

Third Party Component Risk Matrix

This Security Alert contains 1 new security fix for Third Party Component. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-11776	Apache Struts 2	Core	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.3.34 and before 2.5.16 and before

No Related Posts

Oracle Security Alert for CVE-2018-3110 – 10 August 2018

August 9, 2018October 20, 2019 Oracle Leave a comment

Oracle Security Alert Advisory – CVE-2018-3110

Description

This Security Alert addresses an Oracle Database vulnerability in versions 11.2.0.4 and 12.2.0.1 on Windows. CVE-2018-3110 has a CVSS v3 base score of 9.9, and can result in complete compromise of the Oracle Database and shell access to the underlying server. CVE-2018-3110 also affects Oracle Database version 12.1.0.2 on Windows as well as Oracle Database on Linux and Unix, however patches for those versions and platforms were included in the July 2018 CPU.

If you are running Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows, please apply the patches indicated below. If you are running version 12.1.0.2 on Windows or any version of the database on Linux or Unix and have not yet applied the July 2018 CPU, please do so.

Due to the nature of this vulnerability, Oracle strongly recommends that customers take action without delay.

Affected Products and Patch Information

Affected Products and Versions	Patch Availability Document
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18	Database

Security Alert Supported Products and Versions

References

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle: None credited in this Security Alert.

Modification History

Date	Note
2018-August-10	Rev 1. Initial Release.

Oracle Database Server Risk Matrix

This Security Alert contains 1 new security fix for the Oracle Database Server. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. This fix is not applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-3110	Java VM	Create Session	Oracle Net	No	9.9	Network	Low	Low	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18

No Related Posts

Oracle Critical Patch Update Advisory – July 2018

July 16, 2018October 20, 2019 Oracle Leave a comment

Oracle Database Server Risk Matrix

This Critical Patch Update contains 4 new security fixes for the Oracle Database Server divided as follows:

3 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
1 new security fix for Oracle Global Lifecycle Management. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-15095	Oracle Spatial (jackson-databind)	None	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.0.1, 18.1
CVE-2018-2939	Core RDBMS	Local Logon	Local Logon	No	8.4	Local	Low	Low	None	Changed	None	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1, 18.2
CVE-2018-3004	Java VM	Create Session, Create Procedure	Multiple	No	5.3	Network	High	Low	None	Un- changed	High	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18.2

Oracle Global Lifecycle Management Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Global Lifecycle Management. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-7489	Oracle Global Lifecycle Management OPatchAuto	DB specific extensions (jackson-databind)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	All

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Communications Applications. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-2099	Oracle Communications User Data Repository	Security (Apache Xerces)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.x, 12.x
CVE-2016-0714	Oracle Communications Policy Management	Security (Apache Tomcat)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.x
CVE-2016-2176	Oracle Communications Policy Management	Security (OpenSSL)	TLS	Yes	8.2	Network	Low	None	None	Un- changed	Low	None	High	12.x
CVE-2017-7525	Oracle Communications Policy Management	Security (Apache Struts 2)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.x
CVE-2016-5195	Oracle Communications Policy Management	Platform (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	12.x
CVE-2017-6074	Oracle Communications Session Border Controller	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	ECz7.x, ECz8.x
CVE-2017-0379	Oracle Communications Interactive Session Recorder	Security (libgcrypt)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.x, 6.x
CVE-2015-7940	Oracle Communications Policy Management	CMP (Bouncy Castle)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.x
CVE-2017-5662	Oracle Communications Diameter Signaling Router (DSR)	Security (Apache Batik)	HTTP	No	7.3	Network	Low	Low	Required	Un- changed	High	None	High	7.x, 8.x
CVE-2018-2904	Oracle Communications EAGLE LNP Application Processor	GUI	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	10.x
CVE-2018-0739	Oracle Communications Network Charging and Control	Security (OpenSSL)	TLS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0
CVE-2017-3633	Oracle Communications Policy Management	Security (MySQL)	Multiple	Yes	6.5	Network	High	None	None	Un- changed	None	Low	High	12.x
CVE-2018-2936	Oracle Communications Messaging Server	Web Client	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.x
CVE-2015-5600	Oracle Communications Policy Management	Security (OpenSSH)	SSH	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.x

Additional CVEs addressed are below:

The fix for CVE-2015-5600 also addresses CVE-2014-2532.
The fix for CVE-2016-0714 also addresses CVE-2014-0230, CVE-2014-7810, CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706 and CVE-2016-3092.
The fix for CVE-2016-2099 also addresses CVE-2016-4463.
The fix for CVE-2016-2176 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 and CVE-2016-2109.
The fix for CVE-2017-3633 also addresses CVE-2017-3634, CVE-2017-3635, CVE-2017-3636, CVE-2017-3641, CVE-2017-3647, CVE-2017-3648, CVE-2017-3649, CVE-2017-3651, CVE-2017-3652, CVE-2017-3653 and CVE-2017-3732.
The fix for CVE-2017-7525 also addresses CVE-2017-15707 and CVE-2018-1327.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 11 new security fixes for the Oracle Construction and Engineering Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2966	Primavera Unifier	Core	HTTP	Yes	7.4	Network	Low	None	Required	Changed	None	High	None	16.x, 17.x, 18.x
CVE-2018-2968	Primavera Unifier	Core	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	High	None	16.x, 17.x, 18.x
CVE-2016-4055	Primavera Unifier	Core (Moment)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	16.x, 17.x, 18.x
CVE-2018-2960	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4, 15.x, 16.x, 17.x
CVE-2018-2961	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4, 15.x, 16.x, 17.x
CVE-2018-2965	Primavera Unifier	Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.x
CVE-2016-7103	Primavera Unifier	Core (jQueryUI)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.x, 17.x, 18.x
CVE-2018-2967	Primavera Unifier	Core	None	No	5.3	Physical	Low	None	None	Changed	High	None	None	16.x, 17.x, 18.x
CVE-2018-2962	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	4.4	Network	High	Low	Required	Changed	Low	Low	None	8.4, 15.x, 16.x, 17.x
CVE-2018-2963	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.4, 15.x, 16.x
CVE-2018-2969	Primavera Unifier	Core	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	16.x

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 14 new security fixes for the Oracle E-Business Suite. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2018), My Oracle Support Note 2379675.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2993	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3017	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2995	Oracle iStore	Shopping Cart	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3018	Oracle iStore	Shopping Cart	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3008	Oracle Marketing	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2018-2953	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2997	Oracle Scripting	Script Author	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2018-2991	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3012	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2996	Oracle Applications Manager	Oracle Diagnostics Interfaces	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2954	Oracle Order Management	Product Diagnostic Tools	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2988	Oracle Marketing	Products	HTTP	Yes	6.9	Network	High	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2934	Oracle Application Object Library	Attachments / File Upload	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.1.3
CVE-2018-2994	Oracle iStore	Shopping Cart	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 16 new security fixes for the Oracle Enterprise Manager Products Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2394520.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Enterprise Manager Base Platform	Installer (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager Base Platform	Security Framework (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager for Fusion Middleware	Application Replay (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager for Fusion Middleware	FMW Plugin for CC (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager for MySQL Database	EM Plugin: General (Apache Log4j)	Log4j	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2.2.0.0 and prior
CVE-2017-5645	Enterprise Manager for Oracle Database	Provisioning (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.8, 13.2.2
CVE-2017-5645	Enterprise Manager for Peoplesoft	PSEM Plugin (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.1.1.1, 13.2.1.1
CVE-2018-7489	Enterprise Manager for Virtualization	Plug-In Lifecycle (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2.2, 13.2.3
CVE-2018-1275	Enterprise Manager Ops Center	Networking (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.2, 12.3.3
CVE-2018-1275	Oracle Application Testing Suite	Load Testing for Web Apps (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.1
CVE-2018-2976	Enterprise Manager Ops Center	Networking	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	High	Low	None	12.2.2
CVE-2016-1181	Enterprise Manager for Fusion Middleware	FMW Plugin for CC (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.1.0.5
CVE-2017-9798	Enterprise Manager Base Platform	Installer (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	13.2.x
CVE-2016-9878	Enterprise Manager Ops Center	Framework (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.2, 12.3.3
CVE-2017-9798	Enterprise Manager Ops Center	Networking (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.2, 12.3.3
CVE-2018-0739	Enterprise Manager Ops Center	Networking (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	12.2.2, 12.3.3

Additional CVEs addressed are below:

The fix for CVE-2016-1181 also addresses CVE-2014-0114 and CVE-2016-1182.
The fix for CVE-2016-9878 also addresses CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.
The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
The fix for CVE-2018-1275 also addresses CVE-2016-9878, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
The fix for CVE-2018-7489 also addresses CVE-2017-7525.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 56 new security fixes for Oracle Financial Services Applications. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The “Oracle Financial Services Analytical Applications Infrastructure” is a component that is used by a number of Oracle Financial Services Applications. Customers should refer to the MOS Note (Doc ID 2380553.1) to determine the dependent products and refer Oracle Financial Services Analytical Applications Infrastructure MOS document to determine how to patch this component.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Banking Platform	Collections (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.6.0, 2.6.1, 2.6.2
CVE-2017-5645	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.3.x, 8.0.x	See Note 1
CVE-2018-1275	Oracle Financial Services Analytical Applications Infrastructure	Inline Processing Engine (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.x	See Note 1
CVE-2018-1275	Oracle Financial Services Behavior Detection Platform	Admin Tool (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.x
CVE-2017-5645	Oracle Financial Services Behavior Detection Platform	Ingestion (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.x
CVE-2017-5645	Oracle Financial Services Funds Transfer Pricing	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1.1, 8.0.x
CVE-2017-5645	Oracle Financial Services Hedge Management and IFRS Valuations	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.4, 8.0.5
CVE-2017-5645	Oracle Financial Services Loan Loss Forecasting and Provisioning	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.4, 8.0.5
CVE-2017-5645	Oracle Financial Services Profitability Management	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1.1, 8.0.x
CVE-2018-3050	Oracle Banking Corporate Lending	Core module	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3027	Oracle Banking Payments	Payments Core	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3051	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3035	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3015	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-8013	Oracle Financial Services Analytical Applications Infrastructure	Link Analysis and Metadata browser (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	7.3.3.x, 8.0.x	See Note 1
CVE-2018-3040	Oracle Banking Corporate Lending	Core module	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3022	Oracle Banking Payments	Payments Core	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2014-3577	Oracle Financial Services Revenue Management and Billing	External Message (HTTP Client)	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	2.3.0.2.0, 2.4.0.0.0, 2.4.0.1.0, 2.5.0.1.0, 2.5.0.2.0, 2.5.0.3.0
CVE-2018-3041	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.3.0, 14.0.0, 14.1.0
CVE-2018-3030	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2979	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3036	Oracle Banking Corporate Lending	Core module	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3020	Oracle Banking Payments	Payments Core	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3037	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.3.0, 14.0.0, 14.1.0
CVE-2018-3028	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2974	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-2895	Oracle Banking Corporate Lending	Core module	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-2896	Oracle Banking Payments	Payments Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-2897	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-2898	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2899	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3042	Oracle Banking Corporate Lending	Core module	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3044	Oracle Banking Corporate Lending	Core module	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3048	Oracle Banking Corporate Lending	Core module	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3023	Oracle Banking Payments	Payments Core	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3024	Oracle Banking Payments	Payments Core	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3026	Oracle Banking Payments	Payments Core	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3043	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.3.0, 14.0.0, 14.1.0
CVE-2018-3045	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3049	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3031	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3032	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3034	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2980	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-2981	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3019	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3038	Oracle Banking Corporate Lending	Core module	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3046	Oracle Banking Corporate Lending	Core module	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3021	Oracle Banking Payments	Payments Core	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3025	Oracle Banking Payments	Payments Core	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3039	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3047	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3029	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3033	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2975	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-2982	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0

Notes:

Please refer MOS document (Doc ID 2380553.1) for applicability across other Oracle Financial Services products.

Additional CVEs addressed are below:

The fix for CVE-2014-3577 also addresses CVE-2015-5262.
The fix for CVE-2018-1275 also addresses CVE-2018-1258, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 44 new security fixes for Oracle Fusion Middleware. 38 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the July 2018 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2394520.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Enterprise Data Quality	General (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2018-1275	Oracle Enterprise Repository	Security Subsystem (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.7.0, 12.1.3.0.0
CVE-2017-5645	Oracle Fusion Middleware MapViewer	Install (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.2, 12.2.1.3
CVE-2018-7489	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2018-7489	Oracle WebLogic Server	Console (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.2, 12.2.1.3
CVE-2018-1275	Oracle WebLogic Server	Sample apps (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-2894	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-2893	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-3100	Oracle Business Process Management Suite	Process Analysis & Discovery	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-3007	Oracle Tuxedo	Core	Jolt	Yes	8.6	Network	Low	None	None	Changed	High	None	None	12.1.1, 12.1.3, 12.2.2
CVE-2018-2935	Oracle WebLogic Server	JSF	HTTP	Yes	8.3	Network	Low	None	Required	Un- changed	High	High	Low	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-2958	BI Publisher	BI Publisher Security	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	Low	High	None	11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-2900	BI Publisher	Layout Tools	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	Low	High	None	11.1.1.7.0
CVE-2017-12617	FMW Platform	Common Components (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.2.1.2.0, 12.2.1.3.0
CVE-2015-7940	Oracle JDeveloper	None (Bouncy Castle Java package)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-8013	Oracle Fusion Middleware MapViewer	Install (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	12.2.1.2, 12.2.1.3
CVE-2018-2943	Oracle Fusion Middleware MapViewer	Map Builder	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	12.2.1.2.0, 12.2.1.3.0
CVE-2018-3102	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-2992	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3009	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3010	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3092	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3103	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3093	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3094	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3095	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3096	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3097	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3104	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3098	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3099	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-2925	BI Publisher	Web Server	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-0739	Oracle API Gateway	Oracle API Gateway (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	11.1.2.4.0
CVE-2018-3109	Oracle Fusion Middleware MapViewer	Map Builder	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.2.1.2, 12.2.1.3
CVE-2018-0739	Oracle Tuxedo	SSL/TLS (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	12.1.1
CVE-2016-9843	Oracle Outside In Technology	Outside In Search Export SDK (zlib)	HTTP	Yes	6.3	Network	Low	None	Required	Un- changed	Low	Low	Low	8.5.3	See Note 1
CVE-2018-2987	Oracle WebLogic Server	Console	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2015-0204	Oracle Internet Directory	SSL/TLS	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	11.1.1.9.0	See Note 2
CVE-2018-2998	Oracle WebLogic Server	SAML	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2011-4461	Oracle Endeca Information Discovery Studio	Studio (Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	3.1, 3.2
CVE-2018-3108	Oracle Fusion Middleware	Oracle Notification Service	HTTPS	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.2.1.2, 12.2.1.3
CVE-2018-3101	Oracle WebCenter Portal	Portlet Services	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-2933	Oracle WebLogic Server	WLS Core Components	HTTP	No	4.9	Network	High	Low	None	Changed	Low	Low	None	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3	See Note 3
CVE-2018-3105	Oracle SOA Suite	Health Care FastPath	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
Please refer to MOS document (Doc ID 2420947.1) for instructions on how to address this issue.
Please refer to MOS document (Doc ID 2421480.1) for instructions on how to address this issue.

Additional CVEs addressed are below:

The fix for CVE-2016-9843 also addresses CVE-2014-8157, CVE-2014-9029, CVE-2014-9746, CVE-2015-3414, CVE-2015-3415, CVE-2015-3416, CVE-2016-0718, CVE-2016-5300, CVE-2016-9841 and CVE-2017-10989.
The fix for CVE-2018-0739 also addresses CVE-2017-3735, CVE-2017-3736, CVE-2017-3738 and CVE-2018-0733.
The fix for CVE-2018-1275 also addresses CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
The fix for CVE-2018-7489 also addresses CVE-2017-7525.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 24 new security fixes for Oracle Hospitality Applications. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2984	Oracle Hospitality Cruise Fleet Management System	Gangway Activity Web App	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.x
CVE-2016-1181	Oracle Hospitality Gift and Loyalty	Report (Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.0.0
CVE-2016-1181	Oracle Hospitality Gift and Loyalty	iCard.net (Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.0.0
CVE-2018-2956	Oracle Hospitality OPERA 5 Property Services	Integration	None	No	8.1	Local	High	None	None	Changed	High	High	High	5.5.x
CVE-2016-1181	Oracle Hospitality Reporting and Analytics	Configuration (Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.0.0
CVE-2016-1181	Oracle Hospitality Reporting and Analytics	Report (Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.0.0
CVE-2016-1181	Oracle Hospitality Reporting and Analytics	Report (Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.0.0
CVE-2018-2957	Oracle Hospitality OPERA 5 Property Services	Logging	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.5.x
CVE-2018-3002	Oracle Hospitality Cruise Fleet Management System	Fleet Management System Suite	None	No	7.1	Local	Low	None	None	Changed	High	None	None	9.x
CVE-2018-3000	Oracle Hospitality Cruise Shipboard Property Management System	SPMS Suite	None	No	7.1	Local	Low	None	None	Changed	High	None	None	8.x
CVE-2018-2978	Oracle Hospitality Simphony	Import/Export	HTTP	No	7.1	Network	High	Low	None	Un- changed	High	High	Low	2.8, 2.9, 2.10
CVE-2018-3013	Oracle Hospitality OPERA 5 Property Services	Report Server Config	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	5.5.x
CVE-2018-3014	Oracle Hospitality OPERA 5 Property Services	Reports	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	5.5.x
CVE-2017-0785	MICROS Handheld Terminal	MC40 Zebra Handheld unit (WiFi)	None	No	6.2	Local	Low	None	None	Un- changed	High	None	None	Android 4.4.4 Security Patch Bulletin prior to February 1, 2018
CVE-2018-3003	Oracle Hospitality Cruise Fleet Management System	Fleet Management System Suite	None	No	6.2	Local	Low	None	None	Un- changed	High	None	None	9.x
CVE-2018-3001	Oracle Hospitality Cruise Shipboard Property Management System	SPMS Suite	None	No	6.2	Local	Low	None	None	Un- changed	High	None	None	8.x
CVE-2017-5715	MICROS 700 Series Tablet	MICROS Tablet 720 (BIOS)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 0.01.25ORC
CVE-2017-5715	MICROS 700 Series Tablet	MICROS Tablet 721 (BIOS)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 0.00.13ORC
CVE-2017-5715	MICROS Kitchen Display Controller	Kitchen Display System 210 (BIOS)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 0.00.16ORC
CVE-2017-5715	MICROS Workstation 6	Workstation 610 (BIOS 32 Bit)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 1.5.2.0
CVE-2017-5715	MICROS Workstation 6	Workstation 610 (BIOS 64 Bit)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 2.3.1.0
CVE-2017-5715	MICROS Workstation 6	Workstation 620 (BIOS)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 1.3.1.0
CVE-2017-5715	MICROS Workstation 6	Workstation 650 (BIOS)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 1.3.1.0
CVE-2018-2955	Oracle Hospitality OPERA 5 Property Services	Integration	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.5.x

Additional CVEs addressed are below:

The fix for CVE-2016-1181 also addresses CVE-2014-0114, CVE-2015-6420 and CVE-2016-1182.
The fix for CVE-2017-0785 also addresses CVE-2017-13088 and CVE-2017-13218.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Hyperion. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2907	Hyperion Financial Reporting	Security Models	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	11.1.2
CVE-2018-2915	Hyperion Data Relationship Management	Access and security	HTTPS	Yes	5.8	Network	Low	None	None	Changed	Low	None	None	11.1.2.4.330

Oracle iLearning Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2989	Oracle iLearning	Learner Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	6.2

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Insurance Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Insurance Policy Administration	Policy Administration (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0, 10.1, 10.2, 11.0
CVE-2018-1275	Oracle Insurance Policy Administration	Policy Administration (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0, 10.1, 10.2, 11.0

Oracle Java SE Risk Matrix

This Critical Patch Update contains 8 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2938	Java SE	Java DB	Multiple	Yes	9.0	Network	High	None	None	Changed	High	High	High	Java SE: 6u191, 7u181, 8u172	See Note 1
CVE-2018-2964	Java SE	Deployment	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 8u172, 10.0.1	See Note 2
CVE-2018-2941	Java SE	JavaFX	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u181, 8u172, 10.0.1	See Note 2
CVE-2018-2942	Java SE	Windows DLL	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u181, 8u172	See Note 3
CVE-2018-2972	Java SE	Security	Multiple	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Java SE: 10.0.1	See Note 3
CVE-2018-2973	Java SE, Java SE Embedded	JSSE	SSL/TLS	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	Java SE: 6u191, 7u181, 8u172, 10.0.1; Java SE Embedded: 8u171	See Note 2
CVE-2018-2940	Java SE, Java SE Embedded	Libraries	Multiple	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	Java SE: 6u191, 7u181, 8u172, 10.0.1; Java SE Embedded: 8u171	See Note 2
CVE-2018-2952	Java SE, Java SE Embedded, JRockit	Concurrency	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 6u191, 7u181, 8u172, 10.0.1; Java SE Embedded: 8u171; JRockit: R28.3.18	See Note 3

Notes:

This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVE-2018-2938 addresses CVE-2018-1313.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 10 new security fixes for Oracle JD Edwards Products. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2944	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	9.2
CVE-2018-2947	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	9.2
CVE-2018-2945	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2946	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2948	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2949	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2950	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2999	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-3006	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2017-3736	JD Edwards World Security	GUI / World Vision (OpenSSL)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	A9.3, A9.3.1, A9.4

Additional CVEs addressed are below:

The fix for CVE-2017-3736 also addresses CVE-2017-3735.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 31 new security fixes for Oracle MySQL. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	MySQL Enterprise Monitor	Service Manager (Apache Log4j)	Log4j	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4.7.4297 and prior, 4.0.4.5235 and prior, 8.0.0.8131 and prior
CVE-2017-0379	MySQL Workbench	Workbench: Security: Encryption (libgcrypt)	MySQL Protocol	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.0.11 and prior
CVE-2018-3064	MySQL Server	InnoDB	MySQL Protocol	No	7.1	Network	Low	Low	None	Un- changed	None	Low	High	5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior
CVE-2018-0739	MySQL Connectors	Connector/ODBC (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	5.3.10 and prior, 8.0.11 and prior
CVE-2018-0739	MySQL Enterprise Monitor	Monitoring: General (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	3.4.7.4297 and prior, 4.0.4.5235 and prior, 8.0.0.8131 and prior
CVE-2018-3070	MySQL Server	Client mysqldump	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior
CVE-2018-3060	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	High	None	Un- changed	None	High	High	5.7.22 and prior, 8.0.11 and prior
CVE-2018-3065	MySQL Server	Server: DML	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.22 and prior, 8.0.11 and prior
CVE-2018-0739	MySQL Server	Server: Installing (OpenSSL)	MySQL Protocol	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior
CVE-2018-3073	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-0739	MySQL Workbench	Workbench: Security: Encryption (OpenSSL)	MySQL Protocol	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3074	MySQL Server	Server: Security: Roles	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3062	MySQL Server	Server: Memcached	memcached	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior
CVE-2018-3081	MySQL Client	Client programs	MySQL Protocol	No	5.0	Network	High	High	None	Un- changed	None	Low	High	5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior
CVE-2018-3071	MySQL Server	Audit Log	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.22 and prior
CVE-2018-3079	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3054	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.22 and prior, 8.0.11 and prior
CVE-2018-3077	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.22 and prior, 8.0.11 and prior
CVE-2018-3078	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3080	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3061	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.22 and prior
CVE-2018-3067	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3063	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.5.60 and prior
CVE-2018-3075	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3058	MySQL Server	MyISAM	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior
CVE-2018-3056	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	5.7.22 and prior, 8.0.11 and prior
CVE-2018-2598	MySQL Workbench	Workbench: Security: Encryption	MySQL Protocol	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	6.3.10 and earlier
CVE-2018-3066	MySQL Server	Server: Options	MySQL Protocol	No	3.3	Network	High	High	None	Un- changed	Low	Low	None	5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior
CVE-2018-2767	MySQL Server	Server: Security: Encryption	MySQL Protocol	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior
CVE-2018-3084	MySQL Server	Shell: Core / Client	None	No	2.8	Local	Low	Low	Required	Un- changed	None	None	Low	8.0.11 and prior
CVE-2018-3082	MySQL Server	Server: DDL	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	8.0.11 and prior

Additional CVEs addressed are below:

The fix for CVE-2017-0379 also addresses CVE-2017-9526.
The fix for CVE-2018-0739 also addresses CVE-2017-3737 and CVE-2017-3738.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 15 new security fixes for Oracle PeopleSoft Products. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	PeopleSoft Enterprise FIN Install	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-1275	PeopleSoft Enterprise FIN Install	Security (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-2990	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	8.55, 8.56
CVE-2018-2977	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	8.55, 8.56
CVE-2018-0739	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	8.55, 8.56
CVE-2018-2951	PeopleSoft Enterprise PeopleTools	Configuration Manager	None	No	6.2	Local	Low	None	None	Un- changed	High	None	None	8.55, 8.56
CVE-2018-3068	PeopleSoft Enterprise HCM Human Resources	Compensation	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2929	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-2919	PeopleSoft Enterprise PeopleTools	Unified Navigation	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-2985	PeopleSoft Enterprise PeopleTools	Workflow	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-2986	PeopleSoft Enterprise PeopleTools	Workflow	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3016	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	8.55, 8.56
CVE-2018-3072	PeopleSoft HRMS	Candidate Gateway	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	9.2
CVE-2018-2970	PeopleSoft Enterprise PeopleTools	PIA Search Functionality	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.55, 8.56
CVE-2018-3076	PeopleSoft Enterprise CS Financial Aid	ISIR Processing	HTTP	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	9.0, 9.2

Additional CVEs addressed are below:

The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
The fix for CVE-2018-1275 also addresses CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.

Oracle Policy Automation Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle Policy Automation. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Policy Automation	Determinations Engine (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10
CVE-2017-5645	Oracle Policy Automation Connector for Siebel	Core (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.4.6
CVE-2017-5645	Oracle Policy Automation for Mobile Devices	Core (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 31 new security fixes for Oracle Retail Applications. 26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5533	MICROS Lucas	Security (JasperReports)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.9.5.3, 2.9.5.4, 2.9.5.5, 2.9.5.6
CVE-2017-5533	MICROS Relate CRM Software	Internal Operations (JasperReports)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.8.x, 11.4.x
CVE-2018-1275	Oracle Retail Back Office	Security (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1
CVE-2018-1275	Oracle Retail Central Office	Security (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1
CVE-2017-5645	Oracle Retail Clearance Optimization Engine	General Application (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.5
CVE-2017-5645	Oracle Retail Financial Integration	PeopleSoft Integration Bugs (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2.x, 14.0.x, 14.1.x, 15.0.x, 16.0.x, 16.0.x
CVE-2017-5645	Oracle Retail Integration Bus	RIB Kernal (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.0 14.1.0, 15.0, 16.0
CVE-2017-5533	Oracle Retail Order Broker	Order Broker Foundation (JasperReports)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.2, 15.0, 16.0
CVE-2018-1275	Oracle Retail Point-of-Service	Infrastructure (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1
CVE-2017-5645	Oracle Retail Predictive Application Server	RPAS Fusion Client (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0.3
CVE-2018-1275	Oracle Retail Returns Management	Security (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1
CVE-2017-5645	Oracle Retail Service Backbone	Install (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.x, 14.1.x, 15.0.x, 16.0.x
CVE-2017-5645	Oracle Retail Service Layer	Installation (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.x
CVE-2016-6814	Oracle Retail Integration Bus	RIB Kernal (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.x, 14.1.x, 15.0.x, 16.0.x
CVE-2016-6814	Oracle Retail Service Backbone	Install (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	16.0.025
CVE-2016-1181	MICROS XBR	Retail (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	7.0.2, 7.0.4
CVE-2017-12617	Oracle Retail Convenience and Fuel POS Software	OPT Server (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.1.132
CVE-2016-3506	Oracle Retail Convenience and Fuel POS Software	Point of Sale	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.1.132
CVE-2018-2882	MICROS Retail-J	Interfaces	HTTP	No	7.7	Network	Low	Low	None	Changed	None	High	None	10.2.x, 11.0.x, 12.0.x, 12.1.x, 12.1.1.x, 12.1.2.x, 13.1.x
CVE-2016-9878	Oracle Retail Back Office	Security (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	14.0, 14.1
CVE-2016-9878	Oracle Retail Central Office	Security	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	14.0, 14.1
CVE-2017-5664	Oracle Retail Convenience and Fuel POS Software	OPT Server (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	2.1.132
CVE-2015-7940	Oracle Retail Convenience and Fuel POS Software	OPT Server (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	2.1.132
CVE-2016-9878	Oracle Retail Integration Bus	Install (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	14.0.x, 14.1.x, 15.0.x, 16.0.x
CVE-2016-9878	Oracle Retail Point-of-Sale	Transaction (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	14.0, 14.1
CVE-2016-9878	Oracle Retail Returns Management	Security (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	14.0, 14.1
CVE-2018-2888	MICROS Retail-J	Back Office	none	No	6.7	Physical	High	High	Required	Changed	High	High	Low	10.2.x, 11.0.x, 12.0.x, 12.1.x, 12.1.1.x, 12.1.2.x, 13.1.x
CVE-2018-3052	MICROS Relate CRM Software	Internal Operations	HTTP	No	6.4	Network	Low	Low	None	Changed	None	Low	Low	10.8.x, 11.4.x
CVE-2018-3053	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations	HTTP	No	6.4	Network	Low	Low	None	Changed	None	Low	Low	16.x, 17.x
CVE-2018-2881	MICROS Retail-J	Database	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	11.0.x, 12.0.x, 12.1.x, 12.1.1.x, 12.1.2.x, 13.1.x
CVE-2018-2891	Oracle Retail Bulk Data Integration	BDI Job Scheduler	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.0

Additional CVEs addressed are below:

The fix for CVE-2016-1181 also addresses CVE-2014-0114 and CVE-2016-1182.
The fix for CVE-2017-5533 also addresses CVE-2017-5529.
The fix for CVE-2017-5664 also addresses CVE-2016-8735.
The fix for CVE-2018-1275 also addresses CVE-2016-9878, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.

Oracle Siebel CRM Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2959	Siebel UI Framework	UIF Open UI	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	18.0

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 22 new security fixes for the Oracle Sun Systems Products Suite. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2930	Solaris Cluster	NAS device addition	RPC	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.3, 4.3
CVE-2015-7501	Tape Library ACSLS	Software (Apache Commons Collections)	Multiple	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to ACSLS 8.4.0-3
CVE-2018-3057	Sun ZFS Storage Appliance Kit (AK)	API frameworks	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 8.7.18
CVE-2018-2928	Solaris	RAD	Multiple	Yes	8.1	Network	Low	None	Required	Un- changed	High	High	None	11.3
CVE-2018-2892	Solaris	Availability Suite Service	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	10, 11.3
CVE-2018-2908	Solaris	Kernel	RPC	No	7.7	Network	Low	Low	None	Changed	None	None	High	11.3
CVE-2018-2926	Solaris	NVIDIA-GFX Kernel driver	ISCSI	No	7.6	Network	Low	Low	None	Un- changed	Low	Low	High	11.3
CVE-2018-2918	Sun ZFS Storage Appliance Kit (AK)	API frameworks	Multiple	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	Prior to 8.7.18
CVE-2018-2920	Sun ZFS Storage Appliance Kit (AK)	API frameworks	Multiple	No	7.4	Network	Low	Low	None	Changed	Low	Low	Low	Prior to 8.7.19
CVE-2018-2932	Oracle SuperCluster Specific Software	SuperCluster Virtual Assistant	Multiple	Yes	7.1	Network	High	None	Required	Un- changed	High	Low	High	Prior to 2.5.0
CVE-2018-1171	Solaris	Kernel	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	10, 11.3
CVE-2018-2921	Sun ZFS Storage Appliance Kit (AK)	User Interface	HTTP	Yes	5.8	Network	Low	None	None	Changed	Low	None	None	Prior to 8.7.18
CVE-2018-2924	Sun ZFS Storage Appliance Kit (AK)	API frameworks	None	No	5.7	Local	Low	High	None	Changed	Low	Low	Low	Prior to 8.7.18
CVE-2018-2937	Sun ZFS Storage Appliance Kit (AK)	User Interface	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	Prior to 8.7.19
CVE-2018-2917	Sun ZFS Storage Appliance Kit (AK)	API frameworks	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Prior to 8.7.18
CVE-2018-2905	Sun ZFS Storage Appliance Kit (AK)	Core Services	SSL/TLS	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	Prior to 8.7.20
CVE-2018-2903	Solaris	Kernel	None	No	4.4	Local	Low	High	None	Un- changed	High	None	None	10, 11.3
CVE-2018-2927	Sun ZFS Storage Appliance Kit (AK)	HTTP data path subsystems	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	Prior to 8.7.18
CVE-2018-2906	Hardware Management Pack	Ipmitool	IPMI	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	11.3
CVE-2018-2901	Solaris	Kernel	DHCP	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	10, 11.2
CVE-2018-2916	Sun ZFS Storage Appliance Kit (AK)	API frameworks	Multiple	No	2.7	Network	Low	High	None	Un- changed	None	None	Low	Prior to 8.7.18
CVE-2018-2923	Sun ZFS Storage Appliance Kit (AK)	Core Services	None	No	2.3	Local	Low	High	None	Un- changed	Low	None	None	Prior to 8.7.20

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 8 new security fixes for the Oracle Supply Chain Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle AutoVue VueLink Integration	Installation Issues (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	21.0.0, 21.0.1
CVE-2016-6814	Oracle Agile PLM	Event Java PX (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2016-1181	Agile Recipe Management for Pharmaceuticals	UI Components-Framework (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.3.4
CVE-2016-1181	Oracle Transportation Management	Install (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	6.2, 6.3.7, 6.4.1
CVE-2017-5662	Oracle Agile PLM MCAD Connector	CAX Client (Apache Batik)	HTTP	No	7.3	Network	Low	Low	Required	Un- changed	High	None	High	3.3, 3.4, 3.5, 3.6
CVE-2018-0739	Oracle Agile Engineering Data Management	Install (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	6.1.3, 6.2.0, 6.2.1
CVE-2018-0739	Oracle Transportation Management	Install (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	6.2
CVE-2018-3069	Oracle Agile Product Lifecycle Management for Process	Installation	HTTP	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	6.2.0.0

Additional CVEs addressed are below:

The fix for CVE-2016-1181 also addresses CVE-2014-0114 and CVE-2016-1182.
The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.

Oracle Support Tools Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-1000300	OSS Support Tools	Services Tools Bundle (curl)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	Prior to 18.3

Additional CVEs addressed are below:

The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 4 new security fixes for Oracle Utilities Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Utilities Network Management System	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.12.x, 2.3.x
CVE-2017-5645	Oracle Utilities Work and Asset Management	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.9.1.2.12
CVE-2016-5019	Oracle Utilities Framework	Help (Apache Trinidad)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	4.3.x
CVE-2017-5662	Oracle Utilities Network Management System	Install (Apache Batik)	HTTP	No	7.3	Network	Low	Low	Required	Un- changed	High	None	High	1.12.x, 2.3.x

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 12 new security fixes for Oracle Virtualization. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-3086	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.16
CVE-2018-3087	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.16
CVE-2018-3088	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.16
CVE-2018-3089	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.16
CVE-2018-3090	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.16
CVE-2018-3085	Oracle VM VirtualBox	Core	None	No	8.5	Local	Low	None	Required	Changed	Low	High	High	Prior to 5.2.16
CVE-2018-1000300	Oracle Secure Global Desktop	Core (curl)	Multiple	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	5.3, 5.4
CVE-2018-3055	Oracle VM VirtualBox	Core	None	No	7.1	Local	Low	None	Required	Changed	Low	None	High	Prior to 5.2.16
CVE-2018-1305	Oracle Secure Global Desktop	Application Server (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	5.3, 5.4
CVE-2018-0739	Oracle Secure Global Desktop	Core (OpenSSL)	TLS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	5.3, 5.4
CVE-2018-3091	Oracle VM VirtualBox	Core	None	No	6.3	Local	Low	None	Required	Changed	High	None	None	Prior to 5.2.16
CVE-2018-3005	Oracle VM VirtualBox	Core	None	No	4.0	Local	Low	None	None	Un- changed	None	None	Low	Prior to 5.2.16

Additional CVEs addressed are below:

The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.
The fix for CVE-2018-1305 also addresses CVE-2018-1304.

No Related Posts

Oracle Critical Patch Update Advisory – April 2018

April 16, 2018October 20, 2019 Oracle Leave a comment

Oracle Database Server Risk Matrix

This Critical Patch Update contains 2 new security fixes for the Oracle Database Server divided as follows:

1 new security fix for the Oracle Database Server. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. This fix is not applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
1 new security fix for Oracle GoldenGate. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2841	Java VM	Create Session, Create Procedure	Multiple	No	8.5	Network	High	Low	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1.0.0

This Critical Patch Update contains 1 new security fix for Oracle GoldenGate. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2832	Oracle GoldenGate	None	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	12.2.0.1

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 9 new security fixes for Oracle Communications Applications. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Communications Network Intelligence	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.x
CVE-2017-5645	Oracle Communications Unified Inventory Management	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.x
CVE-2017-15095	Oracle Communications Calendar Server	WCAP (jackson-databind)	WCAP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.x
CVE-2017-15095	Oracle Communications Contacts Server	REST (jackson-databind)	RESTful Addressbook Protocol	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.x
CVE-2016-6304	Oracle Communications EAGLE LNP Application Processor	Security (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10.1.0.0.0 and Prior
CVE-2017-7805	Oracle Communications Messaging Server	Security (NSS)	TLS	No	7.5	Network	High	Low	None	Un- changed	High	High	High	8.x
CVE-2017-5662	Oracle Communications MetaSolv Solution	Print Preview (Apache Batik)	HTTP	No	7.3	Network	Low	Low	Required	Un- changed	High	None	High	6.3.0
CVE-2018-2756	Oracle Communications Order and Service Management	WebUI	HTTP	No	6.3	Network	Low	Low	Required	Un- changed	High	Low	None	7.2.4.3.0, 7.3.0.1.x, 7.3.1.0.7, 7.3.5.0.x
CVE-2017-3736	Oracle Communications Network Charging and Control	Common (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0

Additional CVEs addressed are below:

The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309 and CVE-2016-7052.
The fix for CVE-2017-15095 also addresses CVE-2017-7525.
The fix for CVE-2017-3736 also addresses CVE-2017-3735.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 4 new security fixes for the Oracle Construction and Engineering Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-12617	Instantis EnterpriseTrack	Web Server (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	17.1, 17.2
CVE-2017-15095	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	16.x, 17.x
CVE-2018-2849	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	7.7	Network	Low	Low	None	Changed	High	None	None	16.2, 17.1 – 17.12
CVE-2017-5662	Instantis EnterpriseTrack	Sitewand (Apache Batik)	HTTP	No	7.3	Network	Low	Low	Required	Un- changed	High	None	High	17.1, 17.2

Additional CVEs addressed are below:

The fix for CVE-2017-12617 also addresses CVE-2017-5664.
The fix for CVE-2017-15095 also addresses CVE-2017-7525.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 12 new security fixes for the Oracle E-Business Suite. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2018), My Oracle Support Note 2369524.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2870	Oracle Human Resources	General Utilities	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2871	Oracle Human Resources	General Utilities	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2804	Oracle Application Object Library	DB Privileges	HTTP	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2864	Oracle Application Object Library	Diagnostics	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2867	Oracle Application Object Library	Diagnostics	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2872	Oracle General Ledger	Account Hierarchy Manager	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2873	Oracle General Ledger	Account Hierarchy Manager	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2865	Oracle General Ledger	Consolidation Hierarchy Viewer	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2866	Oracle General Ledger	Consolidation Hierarchy Viewer	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2868	Oracle Human Resources	General Utilities	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2869	Oracle Human Resources	General Utilities	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2874	Oracle Application Object Library	Logging	None	No	4.3	Physical	Low	None	Required	Un- changed	High	None	None	12.1.3

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 10 new security fixes for the Oracle Enterprise Manager Products Suite. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2353306.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Enterprise Manager Ops Center	Networking (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.2, 12.3.3
CVE-2017-5645	Oracle Application Testing Suite	Load Testing for Web Apps (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.5.0.3, 13.1.0.1, 13.2.0.1
CVE-2015-7501	Enterprise Manager for MySQL Database	EM Plugin: General (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.1.0.4
CVE-2016-0635	Enterprise Manager for MySQL Database	EM Plugin: General (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.1.0.4
CVE-2017-15095	Enterprise Manager for Virtualization	Generic Virtualization (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	13.2
CVE-2017-5664	Enterprise Manager for MySQL Database	EM Plugin: General (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	12.1.0.4
CVE-2018-2742	Enterprise Manager Ops Center	Framework	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	12.2.2, 12.3.3
CVE-2018-2750	Enterprise Manager Base Platform	UI Framework	HTTP	Yes	7.1	Network	Low	None	Required	Changed	Low	Low	Low	12.1.0.5
CVE-2017-3736	Enterprise Manager Base Platform	Discovery Framework (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.0.5, 13.2.0.0
CVE-2017-3736	Enterprise Manager Ops Center	Networking (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.2.2, 12.3.3

Additional CVEs addressed are below:

The fix for CVE-2017-15095 also addresses CVE-2017-7525.
The fix for CVE-2017-3736 also addresses CVE-2017-3735.
The fix for CVE-2017-5664 also addresses CVE-2017-12617.
The fix for CVE-2018-2742 also addresses CVE-2016-3092, CVE-2017-10393 and CVE-2017-10400.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 36 new security fixes for Oracle Financial Services Applications. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-7489	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.x	See Note 1
CVE-2018-7489	Oracle Financial Services Hedge Management and IFRS Valuations	Hedge Definition, Valuation-run definition (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.4, 8.0.5
CVE-2018-7489	Oracle Financial Services Market Risk Measurement and Management	Infrastructure (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.5
CVE-2017-5645	Oracle FLEXCUBE Core Banking	Securities (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.5.0, 11.6.0, 11.7.0
CVE-2017-5645	Oracle FLEXCUBE Private Banking	Core (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.0, 12.1.0
CVE-2017-15095	Oracle Banking Enterprise Collections	Infrastructure (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.6
CVE-2017-15095	Oracle Banking Enterprise Originations	Infrastructure (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.6
CVE-2017-15095	Oracle Banking Enterprise Product Manufacturing	Infrastructure (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.6
CVE-2017-15095	Oracle Banking Platform	Infrastructure (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.4, 2.5, 2.6
CVE-2017-12617	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	7.3.x, 8.0.x	See Note 1
CVE-2018-2855	Oracle Financial Services Basel Regulatory Capital Basic	Portfolio, Attribution	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	8.0.x
CVE-2018-2856	Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach	Portfolio, Attribution	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	8.0.x
CVE-2017-5662	Oracle Financial Services Analytical Applications Infrastructure	Link Analysis and Metadata browser (Apache Batik)	HTTP	No	7.3	Network	Low	Low	Required	Un- changed	High	None	High	7.3.x, 8.0.x	See Note 1
CVE-2018-2746	Oracle Banking Corporate Lending	Core module	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2746	Oracle Banking Payments	Payments Core	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2746	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	12.3.0, 14.0.0
CVE-2018-2746	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2746	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0
CVE-2018-2747	Oracle Banking Corporate Lending	Core module	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2747	Oracle Banking Payments	Payments Core	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2747	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.3.0, 14.0.0
CVE-2018-2747	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2747	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0
CVE-2018-2748	Oracle Banking Corporate Lending	Core module	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2748	Oracle Banking Payments	Payments Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2854	Oracle Financial Services Basel Regulatory Capital Basic	Portfolio, Attribution	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.x
CVE-2018-2859	Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach	Portfolio, Attribution	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.x
CVE-2018-2807	Oracle FLEXCUBE Core Banking	Securities	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.5.0, 11.6.0, 11.7.0
CVE-2018-2748	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.3.0, 14.0.0
CVE-2018-2748	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2748	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0
CVE-2018-2749	Oracle Banking Corporate Lending	Core module	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2749	Oracle Banking Payments	Payments Core	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2749	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.3.0, 14.0.0
CVE-2018-2749	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2749	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0

Notes:

Please refer MOS document (Doc ID 2380553.1) for applicability across other Oracle Financial Services products.

Additional CVEs addressed are below:

The fix for CVE-2017-15095 also addresses CVE-2017-7525.
The fix for CVE-2018-7489 also addresses CVE-2017-15095 and CVE-2017-7525.

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 40 new security fixes for Oracle Fusion Middleware. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2018 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2353306.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Big Data Discovery	Data Processing (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.6.0
CVE-2017-5645	Oracle Business Intelligence Data Warehouse Administration Console	DAC Installation (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.6.4
CVE-2017-5645	Oracle Endeca Information Discovery Integrator	Integrator Acquisition System (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.1, 3.2
CVE-2017-5645	Oracle Endeca Server	Product Code (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.7
CVE-2017-5645	Oracle Enterprise Repository	Core Issues – 12c (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.7.0, 12.1.3.0.0
CVE-2017-5645	Oracle Enterprise Repository	Security Subsystem (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.7.0, 12.1.3.0.0
CVE-2016-5019	Oracle Fusion Middleware MapViewer	Tile Server (Apache MyFaces Trinidad)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.7.0, 11.1.1.9.0
CVE-2017-5645	Oracle Managed File Transfer	MFT Runtime Server (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2017-5645	Oracle WebCenter Portal	Security Framework (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.2.0, 12.2.1.3.0
CVE-2017-5645	Oracle WebLogic Server	WL Diagnostics Framework (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-2628	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2016-6814	Oracle Big Data Discovery	Data Processing (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	1.6.0
CVE-2018-2739	Oracle Access Manager	Web Server Plugin	HTTP	Yes	9.3	Network	Low	None	Required	Changed	High	High	None	10.1.4.3.0, 11.1.2.3.0, 12.2.1.3.0
CVE-2018-2879	Oracle Access Manager	Authentication Engine	HTTP	Yes	9.0	Network	High	None	None	Changed	High	High	High	11.1.2.3.0, 12.2.1.3.0	See Note 1
CVE-2015-7501	Oracle Business Intelligence Enterprise Edition	Security (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	11.1.1.7.0, 11.1.1.9.0
CVE-2015-7501	Oracle GoldenGate Veridata	None (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	11.2.0.1.2, 12.1.3.0.0
CVE-2015-7501	Oracle WebLogic Portal	– (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	10.3.6.0.0
CVE-2015-7501	Real-Time Decisions (RTD) Solutions	Configuration (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.2.0.0.0
CVE-2018-2834	Oracle Data Visualization Desktop	Security	HTTP	No	8.5	Local	Low	None	Required	Changed	Low	High	High	12.2.4.1.1	See Note 2
CVE-2018-2828	Oracle WebCenter Content	Content Server	HTTP	No	8.2	Network	Low	Low	Required	Changed	High	Low	Low	11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-2791	Oracle WebCenter Sites	Advanced UI	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.8.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2017-12617	Management Pack for Oracle GoldenGate	Monitor (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	11.2.1.0.13
CVE-2017-15095	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.2.1.2.0, 12.2.1.3.0
CVE-2017-12617	Oracle WebCenter Sites	Advanced UI (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	11.1.1.8.0
CVE-2017-7525	Oracle WebLogic Server	Sample apps (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-2770	Oracle Adaptive Access Manager	OAAM Admin	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	11.1.2.3.0
CVE-2015-7940	Oracle Mobile Security Suite	LEGACY: BMAX (Bouncy Castle Java package)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	3.0.1
CVE-2018-2765	Oracle Security Service	Oracle SSL API	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2016-3092	Oracle WebCenter Sites	Advanced UI (Apache Commons Fileupload)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	11.1.1.8.0, 12.2.1.2.0
CVE-2015-7940	Oracle WebLogic Server	CIE Related Components (Bouncy Castle Java package)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0, 12.2.1.2
CVE-2017-5662	Oracle Business Intelligence Enterprise Edition	BI Platform Security (Apache Batik)	HTTP	No	7.3	Network	Low	Low	Required	Un- changed	High	None	High	11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2017-5662	Oracle Enterprise Repository	Security Subsystem (Apache Batik)	HTTP	No	7.3	Network	Low	Low	Required	Un- changed	High	None	High	11.1.1.7.0, 12.1.3.0.0
CVE-2013-1768	Oracle WebLogic Server	WLS Security (Apache OpenJPA)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	12.2.1.3
CVE-2018-2768	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 3
CVE-2018-2806	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 3
CVE-2018-2801	Oracle Outside In Technology	Outside In Image Export SDK	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 3
CVE-2018-2587	Oracle Access Manager	Web Server Plugin	HTTP	Yes	6.5	Network	High	None	None	Un- changed	Low	High	None	10.1.4.3.0, 11.1.2.3.0, 12.2.1.3.0
CVE-2017-3736	Oracle Endeca Information Discovery Studio	Endeca Server (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.6.1.0.0, 7.7.0.0.0
CVE-2018-2760	Oracle HTTP Server	OSSL Module	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.3, 12.2.1.2
CVE-2017-3736	Oracle Tuxedo	Docs-ATMI-IB (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.1.0.0

Notes:

Please refer to Doc ID My Oracle Support Note 2386496.1 for instructions on how to address this issue.
Please refer to Doc ID My Oracle Support Note 2384640.1 for instructions on how to address this issue.
Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The fix for CVE-2017-12617 also addresses CVE-2016-3092, CVE-2016-8745, CVE-2017-5664 and CVE-2017-7674.
The fix for CVE-2017-15095 also addresses CVE-2017-7525.
The fix for CVE-2017-3736 also addresses CVE-2017-3735, CVE-2017-3737 and CVE-2017-3738.
The fix for CVE-2017-7525 also addresses CVE-2017-15707.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 13 new security fixes for Oracle Hospitality Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2829	Oracle Hospitality Simphony	Enterprise Management Console	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	2.10
CVE-2017-13082	MICROS Handheld Terminal	MC40 Zebra Handheld unit (Fusion)	WPA, WPA2	Yes	8.1	Adjacent Network	Low	None	None	Un- changed	High	High	None	Prior to Fusion 2.03.0.0.021R
CVE-2018-2803	Oracle Hospitality Reporting and Analytics	Report	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.0
CVE-2018-2833	Oracle Hospitality Simphony	Enterprise Management Console	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	2.7, 2.8, 2.9, 2.10
CVE-2018-2851	Oracle Hospitality Simphony First Edition	Enterprise Management Console	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	1.6, 1.7
CVE-2018-2824	Oracle Hospitality Simphony	Enterprise Management Console	HTTP	No	7.7	Network	Low	Low	None	Changed	High	None	None	2.8, 2.9, 2.10
CVE-2018-2827	Oracle Hospitality Suite8	Profile	HTTP	No	7.6	Network	Low	Low	Required	Un- changed	High	Low	High	8.x
CVE-2018-2848	Oracle Hospitality Simphony First Edition	Client Application Loader	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	1.6, 1.7
CVE-2018-2850	Oracle Hospitality Cruise Fleet Management System	Fleet Management System Suite	Multiple	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	9.x
CVE-2018-2847	Oracle Hospitality Simphony First Edition	Operations	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	1.6, 1.7
CVE-2018-2852	Oracle Hospitality Guest Access	Base	HTTP	No	6.4	Network	Low	Low	None	Changed	Low	Low	None	4.2.0, 4.2.1
CVE-2018-2802	Oracle Hospitality Simphony	Client Application Loader	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	2.8, 2.9
CVE-2018-2853	Oracle Hospitality Simphony First Edition	Operations, Client Application Loader	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	1.6, 1.7

Additional CVEs addressed are below:

The fix for CVE-2017-13082 also addresses CVE-2017-13077, CVE-2017-13078 and CVE-2017-13080.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Java SE. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of “High”, lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2825	Java SE	Libraries	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 10	See Note 1
CVE-2018-2826	Java SE	Libraries	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 10	See Note 1
CVE-2018-2814	Java SE, Java SE Embedded	Hotspot	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161	See Note 1
CVE-2018-2811	Java SE	Install	None	No	7.7	Local	High	None	Required	Changed	High	High	High	Java SE: 8u162, 10	See Note 2
CVE-2018-2794	Java SE, JRockit	Security	None	No	7.7	Local	High	None	Required	Changed	High	High	High	Java SE: 6u181, 7u171, 8u162, 10, JRockit: R28.3.17	See Note 3
CVE-2018-2783	Java SE, Java SE Embedded, JRockit	Security	Multiple	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	Java SE: 6u181, 7u161, 8u152; Java SE Embedded: 8u152; JRockit: R28.3.17	See Note 3
CVE-2018-2798	Java SE, Java SE Embedded, JRockit	AWT	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17	See Note 3
CVE-2018-2796	Java SE, Java SE Embedded, JRockit	Concurrency	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17	See Note 3
CVE-2018-2799	Java SE, Java SE Embedded, JRockit	JAXP	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17	See Note 3
CVE-2018-2797	Java SE, Java SE Embedded, JRockit	JMX	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17	See Note 3
CVE-2018-2795	Java SE, Java SE Embedded, JRockit	Security	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17	See Note 3
CVE-2018-2815	Java SE, Java SE Embedded, JRockit	Serialization	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17	See Note 3
CVE-2018-2800	Java SE, JRockit	RMI	Multiple	Yes	4.2	Network	High	None	Required	Un- changed	Low	Low	None	Java SE: 6u181, 7u171, 8u162; JRockit: R28.3.17	See Note 4
CVE-2018-2790	Java SE, Java SE Embedded	Security	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	None	Low	None	Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161	See Note 1

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
Applies to installation process on client deployment of Java.
Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle JD Edwards Products. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	JD Edwards World Security	Security Vulnerability (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	A9.2, A9.3, A9.4
CVE-2017-15095	JD Edwards EnterpriseOne Tools	EnterpriseOne Mobility Sec (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2017-3736	JD Edwards EnterpriseOne Tools	Enterprise Infrastructure SEC (OpenSSL)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	9.2

Additional CVEs addressed are below:

The fix for CVE-2017-15095 also addresses CVE-2017-7525.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 33 new security fixes for Oracle MySQL. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2755	MySQL Server	Server: Replication	MySQL Protocol	No	7.7	Local	High	None	Required	Changed	High	High	High	5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2805	MySQL Server	GIS Extension	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.39 and prior
CVE-2018-2782	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.39 and prior, 5.7.21 and prior
CVE-2018-2784	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.39 and prior, 5.7.21 and prior
CVE-2018-2819	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2758	MySQL Server	Server : Security : Privileges	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.39 and prior, 5.7.21 and prior
CVE-2018-2817	MySQL Server	Server: DDL	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2775	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.21 and prior
CVE-2018-2780	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.21 and prior
CVE-2017-3737	MySQL Enterprise Monitor	Monitoring: Agent (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	3.3.7.3306 and prior, 3.4.5.4248 and prior, 4.0.2.5168 and prior
CVE-2018-2761	MySQL Server	Client programs	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2786	MySQL Server	InnoDB	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.7.21 and prior
CVE-2018-2787	MySQL Server	InnoDB	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.6.39 and prior, 5.7.21 and prior
CVE-2018-2812	MySQL Server	Server: Optimizer	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.7.21 and prior
CVE-2018-2877	MySQL Cluster	Cluster: ndbcluster/plugin	None	No	5.0	Local	Low	Low	Required	Un- changed	None	None	High	7.2.27 and prior, 7.3.16 and prior, 7.4.14 and prior, 7.5.5 and prior
CVE-2018-2759	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.21 and prior
CVE-2018-2766	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.39 and prior, 5.7.21 and prior
CVE-2018-2777	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.21 and prior
CVE-2018-2810	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.21 and prior
CVE-2018-2818	MySQL Server	Server : Security : Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2839	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.21 and prior
CVE-2018-2778	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.21 and prior
CVE-2018-2779	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.21 and prior
CVE-2018-2781	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2816	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.21 and prior
CVE-2018-2846	MySQL Server	Server: Performance Schema	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.21 and prior
CVE-2018-2769	MySQL Server	Server: Pluggable Auth	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.21 and prior
CVE-2018-2776	MySQL Server	Group Replication GCS	XCom	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.21 and prior
CVE-2018-2762	MySQL Server	Server: Connection	MySQL Protocol	No	4.4	Local	Low	High	None	Un- changed	None	None	High	5.7.21 and prior
CVE-2018-2771	MySQL Server	Server: Locking	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2813	MySQL Server	Server: DDL	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2773	MySQL Server	Client programs	None	No	4.1	Local	High	High	None	Un- changed	None	None	High	5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2016-9878	MySQL Enterprise Monitor	EM Plugin: General (Spring Framework)	HTTP	No	3.8	Physical	High	High	None	Un- changed	High	None	None	3.3.7.3306 and prior, 3.4.5.4248 and prior, 4.0.2.5168 and prior

Additional CVEs addressed are below:

The fix for CVE-2017-3737 also addresses CVE-2017-3738.

Oracle PeopleSoft Products Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2772	PeopleSoft Enterprise PeopleTools	Rich Text Editor	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.54, 8.55, 8.56
CVE-2018-2774	PeopleSoft Enterprise PT PeopleTools	SQR	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.54, 8.55, 8.56
CVE-2018-2793	PeopleSoft Enterprise PT PeopleTools	PsAdmin	None	No	6.2	Local	Low	None	None	Un- changed	High	None	None	8.54, 8.55, 8.56
CVE-2018-2878	PeopleSoft Enterprise HCM Shared Components	Notepad	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2788	PeopleSoft Enterprise PeopleTools	Fluid Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-2821	PeopleSoft Enterprise PeopleTools	Rich Text Editor	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.54, 8.55, 8.56
CVE-2018-2838	PeopleSoft Enterprise PRTL Interaction Hub	EPPCM_HIER_TOP	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1
CVE-2017-3736	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.54, 8.55, 8.56
CVE-2018-2752	PeopleSoft Enterprise HCM	Security	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	9.2
CVE-2018-2785	PeopleSoft Enterprise PeopleTools	Stylesheet	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	8.54, 8.55, 8.56
CVE-2018-2820	PeopleSoft Enterprise PeopleTools	Fluid Core	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.54, 8.55, 8.56
CVE-2018-2809	PeopleSoft Enterprise PeopleTools	Fluid Homepage & Navigation	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	8.54, 8.55, 8.56

Additional CVEs addressed are below:

The fix for CVE-2017-3736 also addresses CVE-2017-3735, CVE-2017-3737 and CVE-2017-3738.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 31 new security fixes for Oracle Retail Applications. 27 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	MICROS Lucas	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.9.5
CVE-2017-5645	Oracle Retail Advanced Inventory Planning	Operations & Maintenance (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2, 13.4, 14.1, 15.0
CVE-2017-5645	Oracle Retail Back Office	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.4, 14.1.3
CVE-2017-5645	Oracle Retail Central Office	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.4, 14.1.3
CVE-2017-5645	Oracle Retail EFTLink	Installation (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.1.124, 15.0.1, 16.0.2
CVE-2017-5645	Oracle Retail Insights	Integration (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1, 15.0, 16.0
CVE-2017-5645	Oracle Retail Invoice Matching	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0, 16.0
CVE-2017-5645	Oracle Retail Order Broker	System Administration (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.0, 5.1, 5.2, 15.0, 16.0
CVE-2017-5645	Oracle Retail Order Management System	Upgrade Install (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.0, 4.5, 4.7, 5.0
CVE-2017-5645	Oracle Retail Point-of-Service	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.4, 14.1.3
CVE-2017-5645	Oracle Retail Price Management	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0, 16.0
CVE-2017-5645	Oracle Retail Returns Management	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.3.8, 2.4.9, 14.0.4, 14.1.3
CVE-2017-5645	Oracle Retail Store Inventory Management	SIM Integration (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.12, 13.0.7, 13.1.9, 13.2.9, 14.0.4, 14.1.3, 15.0.2, 16.0.1
CVE-2016-6814	Oracle Retail Insights	ODI Configuration (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	14.0, 14.1, 15.0, 16.0
CVE-2016-0635	Oracle Retail Invoice Matching	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.0, 13.0, 13.1, 13.2, 14.0, 14.1
CVE-2016-3506	Oracle Retail Merchandising System	Installation	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	15.0
CVE-2017-15095	Oracle Retail Order Broker	System Administration (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	5.2
CVE-2017-12617	Oracle Retail Order Broker	Upgrade Install (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	5.2, 15.0
CVE-2018-2840	Oracle Retail Xstore Point of Service	Xstore Office	HTTP	Yes	7.6	Network	Low	None	Required	Un- changed	High	Low	Low	6.5.11, 7.0.6, 7.1.6, 15.0.1, 16.0.2
CVE-2016-9878	Oracle Retail Customer Engagement	Internal Operations (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	16.0
CVE-2017-5664	Oracle Retail Order Management System	Upgrade Install (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	5.0
CVE-2016-9878	Oracle Retail Predictive Application Server	RPAS Fusion Client (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	13.4.3, 14.0.3, 14.1.3
CVE-2017-9798	Oracle Retail Xstore Point of Service	Xstore Office (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	6.0.11, 6.5.11, 7.0.6, 7.1.6
CVE-2017-5645	Oracle Retail Xstore Point of Service	Xenvironment (Apache Log4j)	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	6.0.11, 7.0.6, 7.1.6, 15.0.1
CVE-2018-2876	Oracle Retail Integration Bus	RIB Kernal(Apache Commons Collections)	HTTP	Yes	7.1	Network	Low	None	Required	Changed	Low	Low	Low	13.2
CVE-2018-2862	Oracle Retail Point-of-Service	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	13.3.8, 13.4.9, 14.0.4, 14.1.3
CVE-2017-15095	Oracle Retail Xstore Point of Service	Xenvironment (jackson-databind)	HTTP	No	6.6	Network	High	High	None	Un- changed	High	High	High	6.5.11, 7.0.6, 7.1.6, 15.0.1, 16.0.2
CVE-2018-2861	Oracle Retail Back Office	Security	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	13.4.9, 14.0.4, 14.1.3
CVE-2018-2738	Oracle Retail Central Office	Security	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	13.4.9, 14.0.4, 14.1.3
CVE-2018-2737	Oracle Retail Returns Management	Security	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	2.3.8, 2.4.9, 14.0.4, 14.1.3
CVE-2016-5007	Oracle Retail Xstore Point of Service	Point of Sale (Spring Framework)	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	6.0.11, 6.5.11, 7.0.6, 7.1.6, 15.0.1

Additional CVEs addressed are below:

The fix for CVE-2016-5007 also addresses CVE-2014-0054.
The fix for CVE-2016-9878 also addresses CVE-2016-5007.
The fix for CVE-2017-15095 also addresses CVE-2017-7525.
The fix for CVE-2017-5645 also addresses CVE-2017-12617.
The fix for CVE-2018-2876 also addresses CVE-2015-7501.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Siebel CRM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5664	Siebel UI Framework	EAI (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	17.0
CVE-2018-2789	Siebel Core – Server Framework	Services	HTTP	No	5.0	Network	Low	Low	None	Changed	Low	None	None	17.0

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 14 new security fixes for the Oracle Sun Systems Products Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-17562	Integrated Lights Out Manager (ILOM)	System Management (GoAhead)	HTTP	No	9.1	Network	Low	High	None	Changed	High	High	High	3.x, 4.x
CVE-2018-2754	Solaris	ZVNET Driver	None	No	7.7	Local	Low	None	None	Un- changed	None	High	High	11.3
CVE-2018-2764	Solaris	Kernel	NFS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10, 11.3
CVE-2018-2718	Solaris	RPC	NFS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10, 11.3
CVE-2018-2822	Solaris Cluster	Cluster Geo	None	No	6.6	Local	Low	Low	None	Un- changed	High	Low	Low	4.3
CVE-2018-2857	Sun ZFS Storage Appliance Kit (AK)	HTTP data path subsystems	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	Prior to 8.7.17
CVE-2018-2753	Solaris	Python modules	None	No	6.0	Local	High	Low	Required	Un- changed	High	High	None	11.3
CVE-2017-5753	Solaris	Kernel	None	No	5.6	Local	High	Low	None	Changed	High	None	None	10, 11.3
CVE-2018-2858	Sun ZFS Storage Appliance Kit (AK)	HTTP data path subsystems	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	Prior to 8.7.17
CVE-2018-2808	Solaris	Kernel	None	No	5.0	Local	Low	Low	Required	Un- changed	None	None	High	11.3
CVE-2018-2863	Sun ZFS Storage Appliance Kit (AK)	API frameworks	HTTP	No	5.0	Network	Low	Low	None	Changed	Low	None	None	Prior to 8.7.17
CVE-2018-2563	Solaris	LDAP Library	LDAP	No	4.2	Network	High	Low	None	Un- changed	Low	Low	None	10, 11.3
CVE-2018-2792	Hardware Management Pack	Ipmitool	Multiple	No	3.8	Network	Low	High	None	Un- changed	Low	Low	None	Prior to 2.4.3
CVE-2018-2763	Solaris	NTPD	None	No	3.3	Local	Low	Low	None	Un- changed	None	Low	None	11.3

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 5 new security fixes for the Oracle Supply Chain Products Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-15095	Oracle Agile PLM Framework	Web Client (CS)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	9.3.6
CVE-2018-2823	Oracle Transportation Management	Database	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	6.4.3
CVE-2018-2572	Oracle Agile Product Lifecycle Management for Process	Installation	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.1.1.6, 6.2.0.0, 6.2.1.0
CVE-2017-3736	Oracle Agile Engineering Data Management	Install (OpenSSL)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	6.1.3, 6.2.0, 6.2.1
CVE-2017-3736	Oracle Transportation Management	Install (OpenSSL)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	6.2

Additional CVEs addressed are below:

The fix for CVE-2017-15095 also addresses CVE-2017-7525.
The fix for CVE-2017-3736 also addresses CVE-2017-3735.

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Support Tools. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-3736	OSS Support Tools	Services Tools Bundle (OpenSSL)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	Prior to 18.2

Additional CVEs addressed are below:

The fix for CVE-2017-3736 also addresses CVE-2017-3735.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Utilities Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Utilities Framework	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.2.0, 4.2.0, 4.3.0

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 13 new security fixes for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2842	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.1.36, Prior to 5.2.10
CVE-2018-2843	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.1.36, Prior to 5.2.10
CVE-2018-2844	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.1.36, Prior to 5.2.10
CVE-2018-2830	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	Low	Required	Changed	High	High	High	Prior to 5.1.36, Prior to 5.2.10
CVE-2018-2835	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	Low	Required	Changed	High	High	High	Prior to 5.1.36, Prior to 5.2.10
CVE-2018-2836	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	Low	Required	Changed	High	High	High	Prior to 5.1.36, Prior to 5.2.10
CVE-2018-2837	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	Low	Required	Changed	High	High	High	Prior to 5.1.36, Prior to 5.2.10
CVE-2018-2860	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.1.36, Prior to 5.2.10
CVE-2017-9798	Oracle Secure Global Desktop (SGD)	Web Server (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.3
CVE-2018-2845	Oracle VM VirtualBox	Core	None	No	6.6	Local	Low	Low	None	Un- changed	Low	Low	High	Prior to 5.1.36, Prior to 5.2.10
CVE-2018-0739	Oracle VM VirtualBox	Core (OpenSSL)	TLS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	Prior to 5.1.36, Prior to 5.2.10
CVE-2017-3737	Oracle Secure Global Desktop (SGD)	Core (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.3
CVE-2018-2831	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	Prior to 5.1.36, Prior to 5.2.10

Additional CVEs addressed are below:

The fix for CVE-2017-3737 also addresses CVE-2017-3738.

No Related Posts

Oracle Database Server Risk Matrix

Oracle NoSQL Database Risk Matrix

Oracle Construction and Engineering Risk Matrix

Oracle E-Business Suite Risk Matrix

Oracle Enterprise Manager Risk Matrix

Oracle Financial Services Applications Risk Matrix

Oracle Food and Beverage Applications Risk Matrix

Oracle Fusion Middleware Risk Matrix

Oracle GraalVM Risk Matrix

Oracle Health Sciences Applications Risk Matrix

Oracle Hospitality Applications Risk Matrix

Oracle Hyperion Risk Matrix

Oracle Java SE Risk Matrix

Oracle JD Edwards Risk Matrix

Oracle MySQL Risk Matrix

Oracle PeopleSoft Risk Matrix

Oracle Policy Automation Risk Matrix

Oracle Retail Applications Risk Matrix

Oracle Siebel CRM Risk Matrix

Oracle Systems Risk Matrix

Oracle Supply Chain Risk Matrix

Oracle Support Tools Risk Matrix

Oracle Virtualization Risk Matrix

Related:

Oracle Security Alert Advisory – CVE-2019-2729

Description

Affected Products and Patch Information

Security Alert Supported Products and Versions

References

Risk Matrix Content

Credit Statement

Modification History

Oracle Fusion Middleware Risk Matrix

Related:

Oracle Security Alert Advisory – CVE-2019-2725

Description

Affected Products and Patch Information

Security Alert Supported Products and Versions

References

Credit Statement

Modification History

Oracle Fusion Middleware Risk Matrix

Related:

Oracle Database Server Risk Matrix

Oracle Berkeley DB Risk Matrix

Oracle Commerce Risk Matrix

Oracle Communications Applications Risk Matrix

Oracle Construction and Engineering Suite Risk Matrix

Oracle E-Business Suite Risk Matrix

Oracle Enterprise Manager Products Suite Risk Matrix

Oracle Financial Services Applications Risk Matrix

Oracle Food and Beverage Applications Risk Matrix

Oracle Fusion Middleware Risk Matrix

Oracle Health Sciences Applications Risk Matrix

Oracle Hospitality Applications Risk Matrix

Oracle Java SE Risk Matrix

Oracle JD Edwards Products Risk Matrix

Oracle MySQL Risk Matrix

Oracle PeopleSoft Products Risk Matrix

Oracle Retail Applications Risk Matrix

Oracle Siebel CRM Risk Matrix

Oracle Sun Systems Products Suite Risk Matrix

Oracle Supply Chain Products Suite Risk Matrix

Oracle Support Tools Risk Matrix

Oracle Utilities Applications Risk Matrix

Oracle Virtualization Risk Matrix

Related:

Oracle Database Server Risk Matrix

Oracle Communications Applications Risk Matrix

Oracle Construction and Engineering Suite Risk Matrix

Oracle E-Business Suite Risk Matrix

Oracle Enterprise Manager Products Suite Risk Matrix

Oracle Financial Services Applications Risk Matrix

Oracle Food and Beverage Applications Risk Matrix

Oracle Fusion Middleware Risk Matrix

Oracle Health Sciences Applications Risk Matrix

Oracle Hospitality Applications Risk Matrix

Oracle Hyperion Risk Matrix

Oracle Insurance Applications Risk Matrix

Oracle Java SE Risk Matrix