Oracle – Intelligent Systems Monitoring

Oracle Critical Patch Update Advisory – October 2020

October 19, 2020November 24, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – October 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Starting with the October 2020 Critical Patch Update, Oracle lists updates that address vulnerabilities in third-party components which are not exploitable in the context of their inclusion in their respective Oracle product beneath the product’s risk matrix. Oracle has published two versions of the October 2020 Critical Patch Update Advisory: this version of the advisory implemented the change in how non-exploitable vulnerabilities in third-party components are reported, and the “traditional” advisory follows the same format as the previous advisories. The “traditional” advisory is published at https://www.oracle.com/security-alerts/cpuoct2020traditional.html.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 403 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2020 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Application Performance Management (APM), versions 13.3.0.0, 13.4.0.0	Enterprise Manager
Big Data Spatial and Graph, versions prior to 3.0	Database
Enterprise Manager Base Platform, versions 13.2.1.0, 13.3.0.0, 13.4.0.0	Enterprise Manager
Enterprise Manager for Peoplesoft, version 13.4.1.1	Enterprise Manager
Enterprise Manager for Storage Management, versions 13.3.0.0, 13.4.0.0	Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0	Enterprise Manager
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2362, prior to XCP3090	Systems
Fujitsu M12-1, M12-2, M12-2S Servers, versions prior to XCP3090	Systems
Hyperion Analytic Provider Services, version 11.1.2.4	Fusion Middleware
Hyperion BI+, version 11.1.2.4	Fusion Middleware
Hyperion Essbase, version 11.1.2.4	Fusion Middleware
Hyperion Infrastructure Technology, version 11.1.2.4	Fusion Middleware
Hyperion Lifecycle Management, version 11.1.2.4	Fusion Middleware
Hyperion Planning, version 11.1.2.4	Fusion Middleware
Identity Manager Connector, version 9.0	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3	Oracle Construction and Engineering Suite
Management Pack for Oracle GoldenGate, version 12.2.1.2.0	Fusion Middleware
MySQL Cluster, versions 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior	MySQL
MySQL Enterprise Monitor, versions 8.0.21 and prior	MySQL
MySQL Server, versions 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior	MySQL
MySQL Workbench, versions 8.0.21 and prior	MySQL
Oracle Access Manager, version 11.1.2.3.0	Fusion Middleware
Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6	Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0	Oracle Supply Chain Products
Oracle Application Express, versions prior to 20.2	Database
Oracle Application Testing Suite, version 13.3.0.1	Enterprise Manager
Oracle Banking Corporate Lending, versions 12.3.0, 14.0.0-14.4.0	Oracle Financial Services Applications
Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1, 19.2, 20.1	Oracle Financial Services Applications
Oracle Banking Payments, versions 14.1.0-14.4.0	Oracle Financial Services Applications
Oracle Banking Platform, versions 2.4.0-2.10.0	Oracle Banking Platform
Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Communications Application Session Controller, versions 3.8m0, 3.9m0p1	Oracle Communications Application Session Controller
Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.2.0, 12.0.0.3.0	Oracle Communications Billing and Revenue Management
Oracle Communications BRM – Elastic Charging Engine, versions 11.3.0.9.0, 12.0.0.3.0	Oracle Communications BRM – Elastic Charging Engine
Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0.0-8.4.0.5, [IDIH] 8.0.0-8.2.2	Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE Software, versions 46.6.0-46.8.2	Oracle Communications EAGLE
Oracle Communications Element Manager, versions 8.2.0-8.2.2	Oracle Communications Element Manager
Oracle Communications Evolved Communications Application Server, version 7.1	Oracle Communications Evolved Communications Application Server
Oracle Communications Messaging Server, version 8.1	Oracle Communications Messaging Server
Oracle Communications Offline Mediation Controller, version 12.0.0.3.0	Oracle Communications Offline Mediation Controller
Oracle Communications Services Gatekeeper, version 7	Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions 8.2-8.4	Oracle Communications Session Border Controller
Oracle Communications Session Report Manager, versions 8.2.0-8.2.2	Oracle Communications Session Report Manager
Oracle Communications Session Route Manager, versions 8.2.0-8.2.2	Oracle Communications Session Route Manager
Oracle Communications Unified Inventory Management, versions 7.3.0, 7.4.0	Oracle Communications Unified Inventory Management
Oracle Communications WebRTC Session Controller, version 7.2	Oracle Communications WebRTC Session Controller
Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0	Fusion Middleware
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10	E-Business Suite
Oracle Endeca Information Discovery Integrator, version 3.2.0	Fusion Middleware
Oracle Endeca Information Discovery Studio, version 3.2.0	Fusion Middleware
Oracle Enterprise Repository, version 11.1.1.7.0	Fusion Middleware
Oracle Enterprise Session Border Controller, version 8.4	Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.6-8.0.8, 8.1.0	Oracle Financial Services Analytical Applications Reconciliation Framework
Oracle Financial Services Asset Liability Management, versions 8.0.6, 8.0.7, 8.1.0	Oracle Financial Services Asset Liability Management
Oracle Financial Services Balance Sheet Planning, version 8.0.8	Oracle Financial Services Balance Sheet Planning
Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.6-8.0.8, 8.1.0	Oracle Financial Services Basel Regulatory Capital Basic
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.6-8.0.8, 8.1.0	Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach
Oracle Financial Services Data Foundation, versions 8.0.6-8.1.0	Oracle Financial Services Data Foundation
Oracle Financial Services Data Governance for US Regulatory Reporting, versions 8.0.6-8.0.9	Oracle Financial Services Data Governance for US Regulatory Reporting
Oracle Financial Services Data Integration Hub, versions 8.0.6, 8.0.7, 8.1.0	Oracle Financial Services Data Integration Hub
Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7, 8.1.0	Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.6-8.0.8, 8.1.0	Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Institutional Performance Analytics, versions 8.0.6, 8.0.7, 8.1.0, 8.7.0	Oracle Financial Services Institutional Performance Analytics
Oracle Financial Services Liquidity Risk Management, version 8.0.6	Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7, 8.0.8, 8.1.0	Oracle Financial Services Liquidity Risk Measurement and Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8, 8.1.0	Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8, 8.1.0	Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Price Creation and Discovery, versions 8.0.6, 8.0.7	Oracle Financial Services Price Creation And Discovery
Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7, 8.1.0	Oracle Financial Services Profitability Management
Oracle Financial Services Regulatory Reporting for European Banking Authority, versions 8.0.6-8.1.0	Oracle Financial Services Regulatory Reporting for European Banking Authority
Oracle Financial Services Regulatory Reporting for US Federal Reserve, versions 8.0.6-8.0.9	Oracle Financial Services Regulatory Reporting for US Federal Reserve
Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.0.9.2.0	Oracle Financial Services Regulatory Reporting with AgileREPORTER
Oracle Financial Services Retail Customer Analytics, version 8.0.6	Oracle Financial Services Retail Customer Analytics
Oracle FLEXCUBE Core Banking, versions 5.2.0, 11.5.0-11.7.0	Oracle Financial Services Applications
Oracle FLEXCUBE Direct Banking, versions 12.0.1, 12.0.2, 12.0.3	Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0	Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 12.3.0, 14.0.0-14.4.0	Oracle Financial Services Applications
Oracle GoldenGate Application Adapters, versions 12.3.2.1.0, 19.1.0.0.0	Fusion Middleware
Oracle GraalVM Enterprise Edition, versions 19.3.3, 20.2.0	Oracle GraalVM Enterprise Edition
Oracle Health Sciences Empirica Signal, version 9.0	Health Sciences
Oracle Healthcare Data Repository, version 7.0.1	Health Sciences
Oracle Healthcare Foundation, versions 7.1.1, 7.2.0, 7.2.1, 7.3.0	Health Sciences
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1	Oracle Hospitality Guest Access
Oracle Hospitality Materials Control, version 18.1	Oracle Hospitality Materials Control
Oracle Hospitality OPERA 5 Property Services, versions 5.5, 5.6	Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Reporting and Analytics, version 9.1.0	Oracle Hospitality Reporting and Analytics
Oracle Hospitality RES 3700, version 5.7	Oracle Hospitality RES
Oracle Hospitality Simphony, versions 18.1, 18.2, 19.1.0-19.1.2	Oracle Hospitality Simphony
Oracle Hospitality Suite8, versions 8.10.2, 8.11-8.14	Oracle Hospitality Suite8
Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Insurance Accounting Analyzer, version 8.0.9	Oracle Insurance Accounting Analyzer
Oracle Insurance Allocation Manager for Enterprise Profitability, versions 8.0.8, 8.1.0	Oracle Insurance Allocation Manager for Enterprise Profitability
Oracle Insurance Data Foundation, versions 8.0.6-8.1.0	Oracle Insurance Data Foundation
Oracle Insurance Insbridge Rating and Underwriting, versions 5.0.0.0-5.6.0.0, 5.6.1.0	Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26, 11.2.2.0	Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26	Oracle Insurance Applications
Oracle Java SE, versions 7u271, 8u261, 11.0.8, 15	Java SE
Oracle Java SE Embedded, version 8u261	Java SE
Oracle JDeveloper, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Outside In Technology, versions 8.5.4, 8.5.5	Fusion Middleware
Oracle Policy Automation, versions 12.2.0-12.2.20	Oracle Policy Automation
Oracle Policy Automation Connector for Siebel, version 10.4.6	Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.20	Oracle Policy Automation
Oracle REST Data Services, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Standalone ORDS] prior to 20.2.1	Database
Oracle Retail Advanced Inventory Planning, version 14.1	Retail Applications
Oracle Retail Assortment Planning, versions 15.0.3.0, 16.0.3.0	Retail Applications
Oracle Retail Back Office, versions 14.0, 14.1	Retail Applications
Oracle Retail Bulk Data Integration, versions 15.0.3.0, 16.0.3.0	Retail Applications
Oracle Retail Central Office, versions 14.0, 14.1	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 18.0, 19.0	Retail Applications
Oracle Retail Integration Bus, versions 14.1, 15.0, 16.0	Retail Applications
Oracle Retail Order Broker, versions 15.0, 16.0, 18.0, 19.0, 19.1, 19.2, 19.3	Retail Applications
Oracle Retail Point-of-Service, versions 14.0, 14.1	Retail Applications
Oracle Retail Predictive Application Server, versions 14.1.3.0, 15.0.3.0, 16.0.3.0	Retail Applications
Oracle Retail Price Management, versions 14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0	Retail Applications
Oracle Retail Returns Management, versions 14.0, 14.1	Retail Applications
Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0	Retail Applications
Oracle Retail Xstore Point of Service, versions 15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1	Retail Applications
Oracle Solaris, versions 10, 11	Systems
Oracle TimesTen In-Memory Database, versions prior to 11.2.2.8.49, prior to 18.1.3.1.0, prior to 18.1.4.1.0	Database
Oracle Transportation Management, version 6.3.7	Oracle Supply Chain Products
Oracle Utilities Framework, versions 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0	Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 6.1.16	Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8	Systems
PeopleSoft Enterprise HCM Global Payroll Core, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58	PeopleSoft
PeopleSoft Enterprise SCM eSupplier Connection, version 9.2	PeopleSoft
Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.8	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12	Oracle Construction and Engineering Suite
Siebel Applications, versions 20.7, 20.8	Siebel

Note:

Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets which contain critical security fixes and detailed in Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

0rich1 Ant Security FG Lab: CVE-2020-14841
Aaron Carreras of FireEye: CVE-2020-14871
Abdulrahman Nour of Redforce: CVE-2020-14823
Ahmed Elhady Mohamed of Ahmed Mohamed: CVE-2020-14768
Akshay Gaikwad: CVE-2020-14762
Alessandro Bosco of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
Alexander Kornbrust of Red Database Security: CVE-2020-14742, CVE-2020-14901
Alves Christopher of Telecom Nancy: CVE-2020-14867
Ammarit Thongthua of Secure D Center Cybersecurity Team: CVE-2020-14778
Amy Tran: CVE-2020-14822, CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857
Andrej Simko of Accenture: CVE-2020-14774, CVE-2020-14808
Anonymous researcher working with Trend Micro’s Zero Day Initiative: CVE-2020-14841, CVE-2020-14881, CVE-2020-14884, CVE-2020-14885, CVE-2020-14886
Bui Duong from Viettel Cyber Security: CVE-2020-14879, CVE-2020-14880
Chi Tran: CVE-2020-14822, CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857
codeplutos of AntGroup FG Security Lab: CVE-2020-14825
Damian Bury: CVE-2020-14767, CVE-2020-14770
Darragh Duffy: CVE-2020-14744
Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2020-14741
Edoardo Predieri of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
Fabio Minarelli of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
Filip Ceglik: CVE-2020-14772
Francesco Russo of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
François Goichon of Google: CVE-2020-14735
Gaoning Pan of Zhejiang University & Ant Security Light-Year Lab: CVE-2020-14872, CVE-2020-14892
Graham Rymer of University Information Services, University of Cambridge: CVE-2020-14840
Hangfan Zhang: CVE-2020-14828
Ioannis Charalambous of NCC Group: CVE-2020-14787, CVE-2020-14788
Ivo Palazzolo of Daimler TSS: CVE-2020-14864
Jacob Thompson of FireEye: CVE-2020-14871
Jakub Palaczynski: CVE-2020-14740, CVE-2020-14752
Jakub Plusczok: CVE-2020-14854
Jeffrey Martin of Rapid7: CVE-2020-14871
Joe Almeida of Globlue Technologies: CVE-2020-14815
Julien Zhan of Telecom Nancy: CVE-2020-14867
Khuyen Nguyen of secgit.com: CVE-2020-14816, CVE-2020-14817, CVE-2020-14819, CVE-2020-14835
Kritsada Sunthornwutthikrai of Secure D Center Cybersecurity Team: CVE-2020-14778
Kylinking of NSFocus Security Team: CVE-2020-14841
Larry W. Cashdollar: CVE-2020-14758, CVE-2020-14759
Le Xuan Tuyen – VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-14841, CVE-2020-14859
Long Nguyễn Hữu Vũ: CVE-2020-14863
Longofo of Knownsec 404 Team: CVE-2020-14841
Luca Di Giuseppe of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
Markus Loewe: CVE-2020-14796, CVE-2020-14797, CVE-2020-14798
Massimiliano Brolli of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
Mateusz Dabrowski: CVE-2020-14784
Philippe Antoine of Telecom Nancy: CVE-2020-14867
Piotr Madej of ING Tech Poland: CVE-2020-14740
Preeyakorn Keadsai of Secure D Center Cybersecurity Team: CVE-2020-14778
Quynh Le of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-14825
r0 from A-TEAM of Legendsec at Qi’anxin Group: CVE-2020-14841
Roger Meyer: CVE-2020-14745
Rui Zhong: CVE-2020-14828
Sergey Ostanin: CVE-2020-14781
Shiva Gupta of Shiva Hacker One: CVE-2020-14890, CVE-2020-14897
Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2020-14764
Thai Nguyen of ECQ: CVE-2020-14826
thiscodecc: CVE-2020-14825
Tomasz Stachowicz: CVE-2020-14780
Trung Le: CVE-2020-14822, CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857
Tuan Anh Nguyen of Viettel Cyber Security: CVE-2020-14855, CVE-2020-14862, CVE-2020-14875
Tuan Anh Nguyen of Viettel Cyber Security working with Trend Micro Zero Day Initiative: CVE-2020-14876
Ved Prabhu: CVE-2020-14762, CVE-2020-14763, CVE-2020-14898, CVE-2020-14899, CVE-2020-14900
Venustech ADLab: CVE-2020-14820
Viktor Gazdag of NCC Group: CVE-2020-14787, CVE-2020-14788
voidfyoo of Chaitin Security Research Lab: CVE-2020-14882, CVE-2020-14883
Walid Faour: CVE-2020-14783
Xingwei Lin of Ant Security Light-Year Lab: CVE-2020-14872, CVE-2020-14889, CVE-2020-14892
Xinlei Ying of Ant Security Light-Year Lab: CVE-2020-14892
Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2020-14841
Yaoguang Chen of Ant Security Light-Year Lab: CVE-2020-14828, CVE-2020-14861, CVE-2020-14893
Yi Ren of Alibaba: CVE-2020-14790, CVE-2020-14828
Yongheng Chen: CVE-2020-14828
Yu Wang of BMH Security Team: CVE-2020-14841
Yuyue Wang of Alibaba: CVE-2020-14828
Zhiqiang Zang of University of Texas at Austin: CVE-2020-14792
Zouhair Janatil-Idrissi of Telecom Nancy: CVE-2020-14867

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

Amy Tran [35 reports]
Chi Tran [35 reports]
David Wilkins
Markus Loewe [2 reports]
Mateusz Dabrowski
Trung Le [35 reports]

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

Abdulrahman Ahmed [3 reports]
Abhishek Morla
Adam Willard [2 reports]
Adam Willard of Raytheon Foreground Security
Adarsh VS Mannarakkal
Ahmed Elmalky
Ahmed Omer Morve
Ai Ho (j3ssiejjj)
Alex Munene
Alisha Sheikh
Anil Bhatt
Anurag Kumar Rawat (A1C3VENOM)
Ayan Saha
Badal Sardhara
Bindiya Sardhara
Bui Dinh Bao aka 0xd0ff9 of Zalo Security Team (VNG Corp).
Danny
Dhiraj Mishra
Funny Tech
Gaurav Kumar
Gourab Sadhukhan
Harsh Mukeshbhai Joshi [2 reports]
Himanshu Phulwariya
Karthick Selvaraj
Kartik Sharma
Kaustubh Kale
Kirtan Patel
Kryptos Logic – Threat Intelligence Platform
Kunal Gambhir
Magrabur Alam Sofily
Mansouri Badis
Marwan Ali Albahar [2 reports]
Matthew Harlow of EthicalHacker 20
Mayank Kumar
Mayank Malik, Kartik Sharma
Micah Van Deusen
Omkar Ghaisas
Osman Ahmed Hassan
Pankaj Kumar Thakur from Nepal [3 reports]
Pratish Bhansali
Ria from iZOOlogic
Riccardo Donini
Rick Verdoes & Danny de Weille of HackDefense
Robert Lee Dick [2 reports]
Roger Meyer
Ronak Nahar
Rudi Andriano
Ryan awsmhacks Preston
Sai Prashanth Pulisetti
Sameer Goyal
Shahid Ahmed [2 reports]
Shivang Trivedi [2 reports]
Shubham Kalaria
Shubham Maheshwari
Sidney Omondi of Salaam Technology
Siva Pathela
Soumajit Mukherjee
Sparsh Gupta
Srikar V – exp1o1t9r
Sumit Sah
Supun Madubashana Halangoda
Suresh Nadar
Swapnil Maurya – “swapmaurya20”
Syed Muhammad Asim [2 reports]
Vaibhav Gaikwad of Knock Security Solutions
Venkata Sateesh Netti (str4n63r)
Walid Hossain
Yassine Triki
Yatin Sharma

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

19 January 2021
20 April 2021
20 July 2021
19 October 2021

References

Modification History

Date	Note
2020-November-16	Rev 5. Updated Oracle ZFS Storage Appliance Kit row to include CVE-2020-14871.
2020-October-29	Rev 4. Added CVE-2018-2765.
2020-October-27	Rev 3. Credit statement update.
2020-October-22	Rev 2. Affected versions change for CVE-2020-14807, CVE-2020-14810 and credit statement update.
2020-October-20	Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 29 new security patches for Oracle Database Products divided as follows:

19 new security patches for Oracle Database Products
1 new security patch for Oracle Big Data Graph
5 new security patches for Oracle REST Data Services
4 new security patches for Oracle TimesTen In-Memory Database

Oracle Database Server Risk Matrix

This Critical Patch Update contains 19 new security patches plus additional third party patches noted below for Oracle Database Products. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 1 of these patches is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-12900	Core RDBMS (bzip2)	DBA Level Account	Oracle Net	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-14735	Scheduler	Local Logon	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-14734	Oracle Text	None	Oracle Net	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2018-2765	Oracle SSL API	None	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1
CVE-2020-13935	Workload Manager (Apache Tomcat)	None	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.0.1, 18c, 19c
CVE-2020-11023	Oracle Application Express (jQuery)	None	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	Prior to 20.2
CVE-2020-11023	ORDS (jQuery)	None	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	See Note 1
CVE-2020-14762	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	Prior to 20.2
CVE-2020-9281	Oracle Application Express	Valid User Account	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	Prior to 20.2
CVE-2020-14899	Oracle Application Express Data Reporter	Valid User Account	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	Prior to 20.2
CVE-2020-14900	Oracle Application Express Group Calendar	Valid User Account	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	Prior to 20.2
CVE-2020-14898	Oracle Application Express Packaged Apps	Valid User Account	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	Prior to 20.2
CVE-2020-14763	Oracle Application Express Quick Poll	Valid User Account	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	Prior to 20.2
CVE-2020-14741	Database Filesystem	Resource, Create Table, Create View, Create Procedure, Dbfs_role	Oracle Net	No	4.9	Network	Low	High	None	Un- changed	None	None	High	11.2.0.4, 12.1.0.2, 12.2.0.1
CVE-2020-14901	RDBMS Security	Analyze Any	Oracle Net	No	4.9	Network	Low	High	None	Un- changed	High	None	None	19c
CVE-2020-14736	Database Vault	Create Public Synonym	Oracle Net	No	3.8	Network	Low	High	None	Un- changed	Low	Low	None	11.2.0.4, 12.1.0.2, 12.2.0.1
CVE-2020-14743	Java VM	Create Procedure	Multiple	No	3.1	Network	High	Low	None	Un- changed	None	Low	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-14740	SQL Developer Install	Client Computer User Account	Local Logon	No	2.8	Local	Low	Low	Required	Un- changed	Low	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2020-14742	Core RDBMS	SYSDBA level account	Oracle Net	No	2.7	Network	Low	High	None	Un- changed	None	Low	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c

Notes:

Additional ORDS bugs are documented in the risk matrix “Oracle REST Data Services Risk Matrix”

Additional CVEs addressed are:

The patch for CVE-2019-12900 also addresses CVE-2016-3189
The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022
The patch for CVE-2020-13935 also addresses CVE-2020-11996, CVE-2020-13934 and CVE-2020-9484
The patch for CVE-2020-14734 also addresses CVE-2016-10244, CVE-2016-10328, CVE-2016-5300, CVE-2016-6153, CVE-2017-10989, CVE-2017-13685, CVE-2017-13745, CVE-2017-14232, CVE-2017-15286, CVE-2017-7857, CVE-2017-7858, CVE-2017-7864, CVE-2017-8105, CVE-2017-8287, CVE-2018-18873, CVE-2018-19139, CVE-2018-19539, CVE-2018-19540, CVE-2018-19541, CVE-2018-19542, CVE-2018-19543, CVE-2018-20346, CVE-2018-20505, CVE-2018-20506, CVE-2018-20570, CVE-2018-20584, CVE-2018-20622, CVE-2018-20843, CVE-2018-6942, CVE-2018-8740, CVE-2018-9055, CVE-2018-9154, CVE-2018-9252, CVE-2019-15903, CVE-2019-16168, CVE-2019-5018, CVE-2019-8457, CVE-2019-9936 and CVE-2019-9937

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

Core RDBMS (LZ4): CVE-2019-17543
Core RDBMS (Zstandard): CVE-2019-11922
Oracle Database (Perl Expat): CVE-2018-20843 and CVE-2019-15903
Oracle Spatial and Graph (Apache Log4j): CVE-2020-9488
Oracle Spatial and Graph (jackson-databind): CVE-2019-16943, CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-5968, CVE-2018-7489, CVE-2019-16942 and CVE-2019-17531
Oracle Spatial and Graph MapViewer (jQuery): CVE-2020-11023, CVE-2019-11358 and CVE-2020-11022
SQL Developer (Apache Batik): CVE-2018-8013 and CVE-2017-5662
SQL Developer (Apache Log4j): CVE-2017-5645
SQL Developer (Apache POI): CVE-2017-12626, CVE-2016-5000, CVE-2017-5644 and CVE-2019-12415
SQL Developer (jackson-databind): CVE-2018-7489, CVE-2017-15095, CVE-2017-17485, CVE-2018-1000873, CVE-2018-11307, CVE-2018-12022, CVE-2018-5968, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-16335, CVE-2019-20330 and CVE-2020-8840
SQL Developer (JCraft JSch): CVE-2016-5725
SQL Developer Install (Bouncy Castle): CVE-2019-17359, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000180, CVE-2018-1000613 and CVE-2018-5382

Oracle Database Server Client-Only Installations

The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2020-14740.

Oracle Big Data Graph Risk Matrix

This Critical Patch Update contains 1 new security patch plus additional third party patches noted below for Oracle Big Data Graph. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-0192	Big Data Spatial and Graph	Property Graph Analytics (Apache Solr)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 3.0

Additional CVEs addressed are:

The patch for CVE-2019-0192 also addresses CVE-2017-3164

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

Big Data Spatial and Graph
- Property Graph Analytics (jQuery): CVE-2015-9251
- Property Graph Analytics (jackson-databind): CVE-2020-9546, CVE-2015-9251, CVE-2017-5645, CVE-2018-12023, CVE-2018-14718, CVE-2018-7489, CVE-2019-10744, CVE-2019-12086, CVE-2019-14379, CVE-2019-16943, CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-14195, CVE-2020-9547 and CVE-2020-9548
- Property Graph Analytics (lodash): CVE-2019-10744
- Property Graph Analytics (Apache Log4j): CVE-2017-5645

Oracle REST Data Services Risk Matrix

This Critical Patch Update contains 5 new security patches plus additional third party patches noted below for Oracle REST Data Services. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-7658	Oracle REST Data Services	General (Eclipse Jetty)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2016-1000031	Oracle REST Data Services	General (Apache Commons FileUpload)	HTTP	No	8.0	Network	Low	Low	Required	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2020-14744	Oracle REST Data Services	General	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1
CVE-2020-11023	Oracle REST Data Services	General (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1
CVE-2020-14745	Oracle REST Data Services	General	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1

Additional CVEs addressed are:

The patch for CVE-2017-7658 also addresses CVE-2016-4800, CVE-2017-7656, CVE-2017-7657, CVE-2017-9735, CVE-2018-12536, CVE-2018-12538, CVE-2018-12545, CVE-2019-10241, CVE-2019-10246, CVE-2019-10247 and CVE-2019-17632
The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

Oracle REST Data Services
- General (Apache Batik): CVE-2018-8013 and CVE-2017-5662
- General (jackson-databind): CVE-2019-16335, CVE-2019-12814, CVE-2019-14540, CVE-2019-14893, CVE-2019-17531, CVE-2019-20330, CVE-2020-11113, CVE-2020-11620 and CVE-2020-8840

Oracle TimesTen In-Memory Database Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle TimesTen In-Memory Database. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-11058	Oracle TimesTen In-Memory Database	EM TimesTen plugin (RSA BSAFE Crypto-C)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 18.1.4.1.0
CVE-2017-5645	Oracle TimesTen In-Memory Database	Install (Apache Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 11.2.2.8.49
CVE-2019-1010239	Oracle TimesTen In-Memory Database	Install (Dave Gamble/cJSON)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to 18.1.3.1.0
CVE-2019-0201	Oracle TimesTen In-Memory Database	Install (Apache ZooKeeper)	ZAB	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Prior to 18.1.3.1.0

Additional CVEs addressed are:

The patch for CVE-2017-5645 also addresses CVE-2020-1945
The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769
The patch for CVE-2019-1010239 also addresses CVE-2019-11834 and CVE-2019-11835

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Communications Applications. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-10173	Oracle Communications BRM – Elastic Charging Engine	Diameter Gateway and SDK (xstream)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.3.0.9.0, 12.0.0.3.0
CVE-2020-10683	Oracle Communications Unified Inventory Management	Core (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.0, 7.4.0
CVE-2019-10173	Oracle Communications Unified Inventory Management	Core (xstream)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.0, 7.4.0
CVE-2020-10878	Oracle Communications Billing and Revenue Management	Core (Perl)	TCP	Yes	8.6	Network	Low	None	None	Un- changed	Low	Low	High	12.0.0.2.0, 12.0.0.3.0
CVE-2020-11022	Oracle Communications Billing and Revenue Management	Billing Operation Center and Oracle Communication Billing Care (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.5.0.23.0, 12.0.0.3.0
CVE-2020-9489	Oracle Communications Messaging Server	Core (Apache Tika)	None	No	5.5	Local	Low	None	Required	Un- changed	None	None	High	8.1
CVE-2020-9488	Oracle Communications Billing and Revenue Management	Billing Operation Center and Oracle Communication Billing Care (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	7.5.0.23.0, 12.0.0.3.0
CVE-2020-9488	Oracle Communications Offline Mediation Controller	Core (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	12.0.0.3.0
CVE-2020-9488	Oracle Communications Unified Inventory Management	Core (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	7.3.0, 7.4.0

Additional CVEs addressed are:

The patch for CVE-2020-10878 also addresses CVE-2020-10543 and CVE-2020-12723
The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Communications Risk Matrix

This Critical Patch Update contains 52 new security patches for Oracle Communications. 41 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-10683	Oracle Communications Application Session Controller	WS and WEB (dom4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.9m0p1
CVE-2020-11973	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Apache Camel)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	IDIH: 8.0.0-8.2.2
CVE-2020-2555	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Oracle Coherence)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	IDIH: 8.0.0-8.2.2
CVE-2020-10683	Oracle Communications Diameter Signaling Router (DSR)	IDIH (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	IDIH: 8.0.0-8.2.2
CVE-2019-2904	Oracle Communications Diameter Signaling Router (DSR)	Platform (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0.0-8.4.0.5
CVE-2019-12260	Oracle Communications EAGLE Software	Network Stack (Wind River VxWorks)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	46.6.0-46.8.2
CVE-2020-11984	Oracle Communications Element Manager	Core (Apache HTTP Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-11984	Oracle Communications Session Report Manager	Core (Apache HTTP Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-11984	Oracle Communications Session Route Manager	Core (Apache HTTP Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2019-13990	Oracle Communications Session Route Manager	Core (Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2019-17638	Oracle Communications Application Session Controller	WS and WEB (Eclipse Jetty)	HTTP	Yes	9.4	Network	Low	None	None	Un- changed	High	High	Low	3.9m0p1
CVE-2019-17638	Oracle Communications Element Manager	Core (Eclipse Jetty)	HTTP	Yes	9.4	Network	Low	None	None	Un- changed	High	High	Low	8.2.0-8.2.2
CVE-2019-17638	Oracle Communications Session Report Manager	Core (Eclipse Jetty)	HTTP	Yes	9.4	Network	Low	None	None	Un- changed	High	High	Low	8.2.0-8.2.2
CVE-2019-17638	Oracle Communications Session Route Manager	Core (Eclipse Jetty)	HTTP	Yes	9.4	Network	Low	None	None	Un- changed	High	High	Low	8.2.0-8.2.2
CVE-2020-14195	Oracle Communications Diameter Signaling Router (DSR)	IDIH (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	IDIH: 8.0.0-8.2.2
CVE-2020-14195	Oracle Communications Element Manager	Core (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-14195	Oracle Communications Evolved Communications Application Server	Universal Data Record (jackson-databind)	XCAP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	7.1
CVE-2020-14195	Oracle Communications Session Report Manager	Core (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-14195	Oracle Communications Session Route Manager	Core (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-5398	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	IDIH: 8.0.0-8.2.2
CVE-2019-17359	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	IDIH: 8.0.0-8.2.2
CVE-2019-12402	Oracle Communications Element Manager	Core (Apache Commons Compress)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.2.0-8.2.2
CVE-2020-11080	Oracle Communications Session Border Controller	System (http2)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.3, 8.4
CVE-2019-12402	Oracle Communications Session Report Manager	Core (Apache Commons Compress)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.2.0-8.2.2
CVE-2019-12402	Oracle Communications Session Route Manager	Core (Apache Commons Compress)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.2.0-8.2.2
CVE-2019-17359	Oracle Communications Session Route Manager	Core (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.2.0-8.2.2
CVE-2019-10173	Oracle Communications Diameter Signaling Router (DSR)	IDIH (xstream)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	IDIH: 8.0.0-8.2.2
CVE-2020-9484	Oracle Communications Diameter Signaling Router (DSR)	Core (Apache Tomcat)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	8.0.0.0-8.4.0.5
CVE-2020-9484	Oracle Communications Element Manager	Core (Apache Tomcat)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-9484	Oracle Communications Session Report Manager	Core (Apache Tomcat)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-9484	Oracle Communications Session Route Manager	Core (Apache Tomcat)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-1945	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Apache Ant)	None	No	6.7	Local	High	None	None	Un- changed	High	High	None	IDIH: 8.0.0-8.2.2
CVE-2020-10722	Oracle Communications Session Border Controller	Platform (DPDK)	None	No	6.7	Local	Low	High	None	Un- changed	High	High	High	8.2-8.4
CVE-2020-5408	Oracle Communications Element Manager	Core (Spring Security)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.2.0-8.2.2
CVE-2020-5408	Oracle Communications Session Report Manager	Core (Spring Security)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.2.0-8.2.2
CVE-2020-5408	Oracle Communications Session Route Manager	Core (Spring Security)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.2.0-8.2.2
CVE-2020-11022	Oracle Communications Application Session Controller	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.8m0
CVE-2020-1941	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Apache ActiveMQ)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	IDIH: 8.0.0-8.2.2
CVE-2020-11022	Oracle Communications Diameter Signaling Router (DSR)	IDIH (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	IDIH: 8.0.0-8.2.2
CVE-2019-17091	Oracle Communications Diameter Signaling Router (DSR)	Platform (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.0.0-8.4.0.5
CVE-2020-14788	Oracle Communications Diameter Signaling Router (DSR)	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.0.0-8.4.0.5
CVE-2020-11022	Oracle Communications WebRTC Session Controller	ME (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.2
CVE-2020-11022	Oracle Enterprise Session Border Controller	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4
CVE-2019-12415	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	IDIH: 8.0.0-8.2.2
CVE-2020-14787	Oracle Communications Diameter Signaling Router (DSR)	User Interface	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	8.0.0.0-8.4.0.5
CVE-2019-11048	Oracle Communications Diameter Signaling Router (DSR)	Core (PHP)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.0.0.0-8.4.0.5
CVE-2020-1954	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Apache CXF)	HTTP	Yes	5.3	Adjacent Network	High	None	None	Un- changed	High	None	None	IDIH: 8.0.0-8.2.2
CVE-2020-1954	Oracle Communications Element Manager	Core (Apache CXF)	HTTP	Yes	5.3	Adjacent Network	High	None	None	Un- changed	High	None	None	8.2.0-8.2.2
CVE-2020-1954	Oracle Communications Session Report Manager	Core (Apache CXF)	HTTP	Yes	5.3	Adjacent Network	High	None	None	Un- changed	High	None	None	8.2.0-8.2.2
CVE-2020-1954	Oracle Communications Session Route Manager	Core (Apache CXF)	HTTP	Yes	5.3	Adjacent Network	High	None	None	Un- changed	High	None	None	8.2.0-8.2.2
CVE-2020-9488	Oracle Communications Application Session Controller	WS and WEB (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	3.9m0p1
CVE-2020-9488	Oracle Communications Services Gatekeeper	Media Control UI (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	7

Additional CVEs addressed are:

The patch for CVE-2019-11048 also addresses CVE-2020-7067
The patch for CVE-2019-12260 also addresses CVE-2019-12261
The patch for CVE-2019-13990 also addresses CVE-2019-5427
The patch for CVE-2019-17638 also addresses CVE-2019-17632
The patch for CVE-2020-10722 also addresses CVE-2020-10723 and CVE-2020-10724
The patch for CVE-2020-11022 also addresses CVE-2020-11023
The patch for CVE-2020-11080 also addresses CVE-2019-5436, CVE-2019-5481, CVE-2019-5482, CVE-2019-9511 and CVE-2019-9513
The patch for CVE-2020-11973 also addresses CVE-2020-11971 and CVE-2020-11972
The patch for CVE-2020-11984 also addresses CVE-2020-11993 and CVE-2020-9490
The patch for CVE-2020-14195 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-9546, CVE-2020-9547 and CVE-2020-9548
The patch for CVE-2020-1941 also addresses CVE-2020-13920
The patch for CVE-2020-1945 also addresses CVE-2017-5645
The patch for CVE-2020-1954 also addresses CVE-2019-12423
The patch for CVE-2020-5398 also addresses CVE-2020-5397
The patch for CVE-2020-5408 also addresses CVE-2020-5407

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Construction and Engineering. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-11984	Instantis EnterpriseTrack	Core (Apache HTTP Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2019-17495	Primavera Gateway	Admin (Swagger UI)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.2.0-16.2.11, 17.12.0-17.12.8
CVE-2015-1832	Primavera Unifier	Platform (Apache Derby)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2017-9096	Primavera Unifier	Platform (iText)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2020-13935	Instantis EnterpriseTrack	Core (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.1, 17.2, 17.3
CVE-2019-17558	Primavera Unifier	Platform (Apache Solr)	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2018-17196	Primavera Unifier	Core (Apache Kafka)	HTTP	Yes	7.0	Network	High	None	None	Un- changed	High	Low	Low	18.8, 19.12
CVE-2020-9489	Primavera Unifier	Platform (Apache Tika)	None	No	5.5	Local	Low	None	Required	Un- changed	None	None	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2020-9488	Primavera Unifier	Core (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	18.8, 19.12

Additional CVEs addressed are:

The patch for CVE-2020-11984 also addresses CVE-2020-11993 and CVE-2020-9490
The patch for CVE-2020-13935 also addresses CVE-2020-13934

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 27 new security patches for Oracle E-Business Suite. 25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2020), My Oracle Support Note 2707309.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14855	Oracle Universal Work Queue	Work Provider Administration	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3
CVE-2020-14805	Oracle E-Business Suite Secure Enterprise Search	Search Integration Engine	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.3, 12.2.3 – 12.2.10
CVE-2020-14875	Oracle Marketing	Marketing Administration	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.10
CVE-2020-14876	Oracle Trade Management	User Interface	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.10
CVE-2020-14862	Oracle Universal Work Queue	Internal Operations	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.2.3 – 12.2.9
CVE-2020-14850	Oracle CRM Technical Foundation	Flex Fields	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3 – 12.2.10
CVE-2020-14816	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.10
CVE-2020-14817	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.10
CVE-2020-14831	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.10
CVE-2020-14835	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 – 12.1.3
CVE-2020-14849	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.10
CVE-2020-14819	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3
CVE-2020-14863	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 – 12.1.3
CVE-2020-14808	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3 – 12.2.10
CVE-2020-14833	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.10
CVE-2020-14834	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.10
CVE-2020-14851	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.10
CVE-2020-14856	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.10
CVE-2020-14857	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.10
CVE-2020-14774	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.1 – 12.1.3, 12.2.3 – 12.2.10
CVE-2020-14761	Oracle Applications Manager	Oracle Diagnostics Interfaces	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	12.1.3, 12.2.3 – 12.2.7
CVE-2020-14823	Oracle CRM Technical Foundation	Preferences	HTTP	No	6.5	Network	Low	High	None	Un- changed	High	High	None	12.2.3 – 12.2.10
CVE-2020-14811	Oracle Applications Manager	AMP EBS Integration	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3 – 12.2.10
CVE-2020-14826	Oracle Applications Manager	SQL Extensions	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3 – 12.2.10
CVE-2020-14840	Oracle Application Object Library	Diagnostics	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3 – 12.2.10
CVE-2020-14746	Oracle Applications Framework	Popup windows	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3 – 12.2.10
CVE-2020-14822	Oracle Installed Base	APIs	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1 – 12.1.3, 12.2.3 – 12.2.10

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Enterprise Manager. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2694898.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-13990	Enterprise Manager Ops Center	Agent Provisioning (Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.4.0.0
CVE-2018-11058	Oracle Application Testing Suite	Load Testing for Web Apps (RSA BSAFE Crypto-C)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.3.0.1
CVE-2019-17638	Oracle Application Testing Suite	Load Testing for Web Apps (Eclipse Jetty)	HTTP	Yes	9.4	Network	Low	None	None	Un- changed	High	High	Low	13.3.0.1
CVE-2020-5398	Enterprise Manager Base Platform	Connector Framework (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	13.2.1.0
CVE-2020-1967	Enterprise Manager for Storage Management	Privilege Management (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	13.3.0.0, 13.4.0.0
CVE-2020-5398	Oracle Application Testing Suite	Load Testing for Web Apps (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	13.3.0.1
CVE-2019-3740	Application Performance Management (APM)	Comp Management and Life Cycle Management (RSA BSAFE Crypto-J)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	13.3.0.0, 13.4.0.0
CVE-2019-2897	Enterprise Manager Base Platform	Event Management	HTTP	No	6.4	Network	Low	Low	None	Changed	Low	Low	None	13.3.0.0, 13.4.0.0
CVE-2020-11022	Enterprise Manager Ops Center	Reports in Ops Center (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.4.0.0
CVE-2020-1954	Enterprise Manager Base Platform	Connector Framework (Apache CXF)	HTTP	Yes	5.3	Adjacent Network	High	None	None	Un- changed	High	None	None	13.2.1.0
CVE-2020-9488	Enterprise Manager for Peoplesoft	PSEM Plugin (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	13.4.1.1

Additional CVEs addressed are:

The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769
The patch for CVE-2019-13990 also addresses CVE-2019-5427
The patch for CVE-2019-17638 also addresses CVE-2019-17632
The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739
The patch for CVE-2020-1954 also addresses CVE-2019-12419
The patch for CVE-2020-5398 also addresses CVE-2020-5397

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 53 new security patches for Oracle Financial Services Applications. 49 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-17495	Oracle Banking Platform	Collections (Swagger UI)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0-2.10.0
CVE-2020-10683	Oracle Banking Platform	Collections (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0-2.10.0
CVE-2019-10173	Oracle Banking Platform	Collections (xstream)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0-2.10.0
CVE-2020-10683	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.6-8.1.0
CVE-2020-9546	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.6-8.1.0
CVE-2020-9546	Oracle Financial Services Institutional Performance Analytics	User Interface (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.6, 8.7.0, 8.1.0
CVE-2020-9546	Oracle Financial Services Price Creation and Discovery	User Interface (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.6, 8.0.7
CVE-2017-5645	Oracle Financial Services Regulatory Reporting with AgileREPORTER	Core (Apache Ant)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.9.2.0
CVE-2020-9546	Oracle Financial Services Retail Customer Analytics	User Interface (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.6
CVE-2020-11973	Oracle FLEXCUBE Private Banking	Core (Apache Camel)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.0, 12.1.0
CVE-2020-14824	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	Yes	8.6	Network	Low	None	None	Changed	None	None	High	8.0.6-8.1.0
CVE-2020-14195	Oracle Banking Digital Experience	Framework (jackson-databind)	HTTPS	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	18.1, 18.2, 18.3, 19.1, 19.2, 20.1
CVE-2020-5398	Oracle Financial Services Regulatory Reporting with AgileREPORTER	Core (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	8.0.9.2.0
CVE-2020-5398	Oracle FLEXCUBE Private Banking	Core (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.0.0, 12.1.0
CVE-2020-14894	Oracle Banking Corporate Lending	Core	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.3.0, 14.0.0-14.4.0
CVE-2020-14896	Oracle Banking Payments	Core	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	14.1.0-14.4.0
CVE-2020-14890	Oracle FLEXCUBE Direct Banking	Pre Login	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	12.0.1, 12.0.2, 12.0.3
CVE-2020-14897	Oracle FLEXCUBE Direct Banking	Pre Login	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	12.0.1, 12.0.2, 12.0.3
CVE-2020-14887	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.3.0, 14.0.0-14.4.0
CVE-2020-11022	Oracle Banking Digital Experience	Framework (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.1, 18.2, 18.3, 19.1, 19.2, 20.1
CVE-2020-11022	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.1.0
CVE-2020-11022	Oracle Financial Services Analytical Applications Reconciliation Framework	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.0.8, 8.1.0
CVE-2020-11022	Oracle Financial Services Asset Liability Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7, 8.1.0
CVE-2020-11022	Oracle Financial Services Balance Sheet Planning	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.8
CVE-2020-11022	Oracle Financial Services Basel Regulatory Capital Basic	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.0.8, 8.1.0
CVE-2020-11022	Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.0.8, 8.1.0
CVE-2020-11022	Oracle Financial Services Data Foundation	Infrastructure (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.1.0
CVE-2020-11022	Oracle Financial Services Data Governance for US Regulatory Reporting	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.0.9
CVE-2020-11022	Oracle Financial Services Data Integration Hub	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7, 8.1.0
CVE-2020-11022	Oracle Financial Services Funds Transfer Pricing	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7, 8.1.0
CVE-2020-11022	Oracle Financial Services Hedge Management and IFRS Valuations	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.0.8, 8.1.0
CVE-2020-11022	Oracle Financial Services Institutional Performance Analytics	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7, 8.1.0
CVE-2020-11022	Oracle Financial Services Liquidity Risk Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6
CVE-2020-11022	Oracle Financial Services Liquidity Risk Measurement and Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.7, 8.0.8, 8.1.0
CVE-2020-11022	Oracle Financial Services Loan Loss Forecasting and Provisioning	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.0.8, 8.1.0
CVE-2020-11022	Oracle Financial Services Market Risk Measurement and Management	Infrastructure (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.8
CVE-2020-11022	Oracle Financial Services Price Creation and Discovery	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7
CVE-2020-11022	Oracle Financial Services Profitability Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7, 8.1.0
CVE-2020-11022	Oracle Financial Services Regulatory Reporting for European Banking Authority	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.1.0
CVE-2020-11022	Oracle Financial Services Regulatory Reporting for US Federal Reserve	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.0.9
CVE-2020-1941	Oracle FLEXCUBE Private Banking	Core (Apache ActiveMQ)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.0.0, 12.1.0
CVE-2020-11022	Oracle Insurance Accounting Analyzer	IFRS17 (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.9
CVE-2020-11022	Oracle Insurance Allocation Manager for Enterprise Profitability	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.8, 8.1.0
CVE-2020-11022	Oracle Insurance Data Foundation	Infrastructure (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.1.0
CVE-2020-1951	Oracle FLEXCUBE Private Banking	Core (Apache Tika)	None	No	5.5	Local	Low	None	Required	Un- changed	None	None	High	12.0.0, 12.1.0
CVE-2019-10247	Oracle FLEXCUBE Core Banking	Core (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.2.0, 11.5.0-11.7.0
CVE-2020-9488	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.0.6-8.1.0
CVE-2020-9488	Oracle Financial Services Institutional Performance Analytics	User Interface (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.0.6, 8.7.0, 8.1.0
CVE-2020-9488	Oracle Financial Services Market Risk Measurement and Management	Infrastructure (Apache log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.0.6, 8.0.8, 8.1.0
CVE-2020-9488	Oracle Financial Services Price Creation and Discovery	User Interface (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.0.6, 8.0.7
CVE-2020-9488	Oracle Financial Services Retail Customer Analytics	User Interface (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.0.6
CVE-2020-9488	Oracle FLEXCUBE Core Banking	Core (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	5.2.0, 11.5.0-11.7.0
CVE-2020-9488	Oracle FLEXCUBE Private Banking	Core (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	12.0.0, 12.1.0

Additional CVEs addressed are:

The patch for CVE-2019-10173 also addresses CVE-2013-7285
The patch for CVE-2019-10247 also addresses CVE-2019-10246
The patch for CVE-2020-11022 also addresses CVE-2020-11023
The patch for CVE-2020-11973 also addresses CVE-2020-11971 and CVE-2020-11972
The patch for CVE-2020-14195 also addresses CVE-2020-14060, CVE-2020-14061 and CVE-2020-14062
The patch for CVE-2020-1941 also addresses CVE-2020-13920
The patch for CVE-2020-1951 also addresses CVE-2020-1950
The patch for CVE-2020-5398 also addresses CVE-2020-5397
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-9547 and CVE-2020-9548

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Food and Beverage Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-11022	Oracle Hospitality Materials Control	Mobile Authorization (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.1
CVE-2020-11022	Oracle Hospitality Simphony	Simphony Apps (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.1, 18.2, 19.1.0-19.1.2
CVE-2020-14753	Oracle Hospitality Reporting and Analytics	Installation	None	No	5.9	Local	Low	Low	Required	Changed	High	None	None	9.1.0
CVE-2020-14783	Oracle Hospitality RES 3700	CAL	TCP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.7

Additional CVEs addressed are:

The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 46 new security patches for Oracle Fusion Middleware. 36 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update October 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2694898.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Identity Manager Connector	General and Misc (Apache Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.0
CVE-2018-11058	Oracle Access Manager	Web Server Plugin (RSA BSafe)	HTTPS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.3.0
CVE-2017-9800	Oracle Data Integrator	Install, config, upgrade (Apache HTTP Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2020-10683	Oracle Endeca Information Discovery Integrator	Integrator ETL (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.2.0
CVE-2019-10173	Oracle Endeca Information Discovery Studio	Endeca Server (xstream)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.2.0
CVE-2019-2904	Oracle Enterprise Repository	Security Subsystem – 12c (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.7.0
CVE-2018-8088	Oracle GoldenGate Application Adapters	Application Adapters (SLF4J)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.2.1.0
CVE-2019-17531	Oracle GoldenGate Application Adapters	Build Request (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.1.0.0.0
CVE-2018-11058	Oracle GoldenGate Application Adapters	Security Service (RSA BSAFE)	HTTPS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.2.1.0
CVE-2019-5482	Oracle HTTP Server	Web Listener (cURL)	TFTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-10683	Oracle WebCenter Portal	Portlet Services (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2555	Oracle WebCenter Portal	Security Framework (Oracle Coherence)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2019-10173	Oracle WebCenter Portal	Security Framework (xstream)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0, 12.2.1.3.0
CVE-2019-17267	Oracle WebLogic Server	Centralized Thirdparty Jars (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2020-14882	Oracle WebLogic Server	Console	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14841	Oracle WebLogic Server	Core	IIOP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14825	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14859	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14879	BI Publisher	E-Business Suite – XDO	HTTP	No	8.5	Network	Low	Low	None	Changed	High	Low	None	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14880	BI Publisher	E-Business Suite – XDO	HTTP	No	8.5	Network	Low	Low	None	Changed	High	Low	None	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14842	BI Publisher	BI Publisher Security	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14784	Oracle BI Publisher	Mobile Service	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14815	Oracle Business Intelligence Enterprise Edition	Analytics Actions	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2016-2510	Oracle Data Integrator	Jave APIs (BeanShell)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	11.1.1.9.0, 12.2.1.3.0
CVE-2020-3235	Management Pack for Oracle GoldenGate	Monitor (SNMP)	SNMP	No	7.7	Network	Low	Low	None	Changed	None	None	High	12.2.1.2.0
CVE-2020-14864	Oracle Business Intelligence Enterprise Edition	Installation	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-1967	Oracle HTTP Server	SSL Module (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.1.4.0
CVE-2020-14820	Oracle WebLogic Server	Core	IIOP, T3	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2019-10097	Oracle HTTP Server	Core (Apache HTTP Server)	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	12.2.1.4.0
CVE-2020-14883	Oracle WebLogic Server	Console	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14780	BI Publisher	BI Publisher Security	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	Low	None	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14843	Oracle Business Intelligence Enterprise Edition	Analytics Actions	HTTP	Yes	7.1	Network	Low	None	Required	Changed	Low	Low	Low	5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14766	Oracle Business Intelligence Enterprise Edition	Analytics Web Administration	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-9484	Oracle Managed File Transfer	MFT Runtime Server (Apache Tomcat)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14757	Oracle WebLogic Server	Web Services	HTTP	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	12.2.1.3.0
CVE-2020-15389	Oracle Outside In Technology	Installation (OpenJPEG)	HTTP	Yes	6.5	Network	High	None	None	Un- changed	Low	None	High	8.5.5, 8.5.4	See Note 1
CVE-2020-1945	Oracle Business Process Management Suite	Runtime Engine (Apache Ant)	None	No	6.3	Local	High	Low	None	Un- changed	High	High	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-11358	BI Publisher	BI Publisher Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-11358	Oracle Business Process Management Suite	Runtime Engine (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-2904	Oracle Business Process Management Suite	Runtime Engine (Application Development Framework)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-11022	Oracle JDeveloper	ADF Faces (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-9281	Oracle WebCenter Portal	Blogs and Wikis (CKEditor)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-11022	Oracle WebLogic Server	Console (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-1951	Oracle Business Process Management Suite	Document Service (Apache Tika)	None	No	5.5	Local	Low	None	Required	Un- changed	None	None	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-13631	Oracle Outside In Technology	Installation (SQLite)	None	No	5.5	Local	Low	Low	None	Un- changed	None	High	None	8.5.5, 8.5.4	See Note 1
CVE-2020-9488	Oracle WebLogic Server	Core (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	10.3.6.0.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are:

The patch for CVE-2017-9800 also addresses CVE-2016-2167, CVE-2016-2168 and CVE-2016-8734
The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769
The patch for CVE-2019-17267 also addresses CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943
The patch for CVE-2019-17531 also addresses CVE-2019-16943, CVE-2019-17267 and CVE-2019-20330
The patch for CVE-2019-5482 also addresses CVE-2019-5435, CVE-2019-5436, CVE-2019-5443 and CVE-2019-5481
The patch for CVE-2020-11022 also addresses CVE-2020-11023
The patch for CVE-2020-13631 also addresses CVE-2020-11655, CVE-2020-11656, CVE-2020-13630, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
The patch for CVE-2020-1951 also addresses CVE-2020-1950

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle GraalVM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14803	Oracle GraalVM Enterprise Edition	Java	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	19.3.3, 20.2.0

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Health Sciences Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-1953	Oracle Healthcare Foundation	Self Service Analytics (Apache Commons Configuration)	HTTP	Yes	10.0	Network	Low	None	None	Changed	High	High	High	7.1.1, 7.2.0, 7.2.1, 7.3.0
CVE-2020-10683	Oracle Health Sciences Empirica Signal	User Interface (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.0
CVE-2020-2555	Oracle Healthcare Data Repository	Database Module (Oracle Coherence)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.0.1
CVE-2020-11022	Oracle Healthcare Foundation	Admin Console (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.1.1, 7.2.0, 7.2.1, 7.3.0

Additional CVEs addressed are:

The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Hospitality Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-17638	Oracle Hospitality Guest Access	Base (Eclipse Jetty)	HTTP	Yes	9.4	Network	Low	None	None	Un- changed	High	High	Low	4.2.0, 4.2.1
CVE-2020-14807	Oracle Hospitality Suite8	WebConnect	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	Low	None	8.10.2, 8.11-8.14
CVE-2020-9484	Oracle Hospitality Guest Access	Base (Apache Tomcat)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	4.2.0, 4.2.1
CVE-2020-14858	Oracle Hospitality OPERA 5 Property Services	Logging	HTTP	No	6.8	Network	Low	High	Required	Un- changed	High	High	High	5.5, 5.6
CVE-2020-14877	Oracle Hospitality OPERA 5 Property Services	Logging	HTTP	No	6.5	Network	Low	High	None	Un- changed	High	High	None	5.5, 5.6
CVE-2020-14810	Oracle Hospitality Suite8	WebConnect	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	8.10.2, 8.11-8.14

Additional CVEs addressed are:

The patch for CVE-2019-17638 also addresses CVE-2019-17632

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Hyperion. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-5482	Hyperion Essbase	Security and Provisioning (cURL)	TFTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.4
CVE-2020-14854	Hyperion Infrastructure Technology	UI and Visualization	HTTP	No	6.1	Network	Low	High	Required	Un- changed	High	High	None	11.1.2.4
CVE-2019-1547	Hyperion Essbase	Security and Provisioning (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	11.1.2.4
CVE-2020-14768	Hyperion Analytic Provider Services	Smart View Provider	HTTP	No	4.3	Adjacent Network	High	Low	Required	Un- changed	Low	Low	Low	11.1.2.4
CVE-2020-14767	Hyperion BI+	IQR-Foundation service	Multiple	No	4.2	Network	High	High	Required	Un- changed	High	None	None	11.1.2.4
CVE-2020-14752	Hyperion Lifecycle Management	Shared Services	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4
CVE-2020-14772	Hyperion Lifecycle Management	Shared Services	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4
CVE-2020-14764	Hyperion Planning	Application Development Framework	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4
CVE-2020-14770	Hyperion BI+	IQR-Foundation service	Multiple	No	2.0	Network	High	High	Required	Un- changed	Low	None	None	11.1.2.4

Additional CVEs addressed are:

The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563
The patch for CVE-2019-5482 also addresses CVE-2019-5481

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Insurance Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-9546	Oracle Insurance Policy Administration J2EE	Architecture (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.0.2.25, 11.1.0.15
CVE-2020-5398	Oracle Insurance Policy Administration J2EE	Admin Console (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	11.2.2.0
CVE-2020-11022	Oracle Insurance Insbridge Rating and Underwriting	Framework Administrator IBFA (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.0.0.0 – 5.6.0.0, 5.6.1.0
CVE-2020-9488	Oracle Insurance Insbridge Rating and Underwriting	Framework Administrator IBFA (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	5.0.0.0 – 5.6.0.0, 5.6.1.0
CVE-2020-9488	Oracle Insurance Policy Administration J2EE	Architecture (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26
CVE-2020-9488	Oracle Insurance Rules Palette	Architecture (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26

Additional CVEs addressed are:

The patch for CVE-2020-11022 also addresses CVE-2019-11358 and CVE-2020-11023
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-9547 and CVE-2020-9548

Oracle Java SE Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14803	Java SE	Libraries	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	Java SE: 11.0.8, 15	See Note 1
CVE-2020-14792	Java SE, Java SE Embedded	Hotspot	Multiple	Yes	4.2	Network	High	None	Required	Un- changed	Low	Low	None	Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261	See Note 2
CVE-2020-14781	Java SE, Java SE Embedded	JNDI	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261	See Note 2
CVE-2020-14782	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	Low	None	Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261	See Note 2
CVE-2020-14797	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	Low	None	Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261	See Note 2
CVE-2020-14779	Java SE, Java SE Embedded	Serialization	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261	See Note 2
CVE-2020-14796	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261	See Note 1
CVE-2020-14798	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	None	Low	None	Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261	See Note 1

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 53 new security patches plus additional third party patches noted below for Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-8174	MySQL Cluster	Cluster: JS module (Node.js)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior
CVE-2020-14878	MySQL Server	Server: Security: LDAP Auth	MySQL Protocol	No	8.0	Adjacent Network	Low	Low	None	Un- changed	High	High	High	8.0.21 and prior
CVE-2020-13935	MySQL Enterprise Monitor	Monitoring: General (Apache Tomcat)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-1967	MySQL Workbench	Workbench: Security: Encryption (OpenSSL)	MySQL Workbench	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14828	MySQL Server	Server: DML	MySQL Protocol	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.0.21 and prior
CVE-2020-14775	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.31 and prior, 8.0.21 and prior
CVE-2020-14765	MySQL Server	Server: FTS	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
CVE-2020-14769	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
CVE-2020-14830	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14836	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14846	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14800	MySQL Server	Server: Security: Encryption	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14827	MySQL Server	Server: Security: LDAP Auth	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	5.7.31 and prior, 8.0.21 and prior
CVE-2020-14760	MySQL Server	Server: Optimizer	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.7.31 and prior
CVE-2020-1730	MySQL Workbench	MySQL Workbench (libssh)	MySQL Workbench	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.0.21 and prior
CVE-2020-14776	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.31 and prior, 8.0.21 and prior
CVE-2020-14821	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14829	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14848	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14852	MySQL Server	Server: Charsets	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14814	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14789	MySQL Server	Server: FTS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.31 and prior, 8.0.21 and prior
CVE-2020-14804	MySQL Server	Server: FTS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14812	MySQL Server	Server: Locking	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
CVE-2020-14773	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14777	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14785	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14793	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
CVE-2020-14794	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14809	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14837	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14839	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14845	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14861	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14866	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14868	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14888	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14891	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14893	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14786	MySQL Server	Server: PS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14790	MySQL Server	Server: PS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.31 and prior, 8.0.21 and prior
CVE-2020-14844	MySQL Server	Server: PS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14799	MySQL Server	Server: Security: Encryption	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14869	MySQL Server	Server: Security: LDAP Auth	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.31 and prior, 8.0.21 and prior
CVE-2020-14672	MySQL Server	Server: Stored Procedure	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
CVE-2020-14870	MySQL Server	Server: X Plugin	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14853	MySQL Cluster	Cluster: NDBCluster Plugin	Multiple	No	4.6	Network	Low	Low	Required	Un- changed	None	Low	Low	8.0.21 and prior
CVE-2020-14867	MySQL Server	Server: DDL	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
CVE-2020-14873	MySQL Server	Server: Logging	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14838	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.0.21 and prior
CVE-2020-14860	MySQL Server	Server: Security: Roles	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	None	Low	None	8.0.21 and prior
CVE-2020-14791	MySQL Server	InnoDB	MySQL Protocol	No	2.2	Network	High	High	None	Un- changed	None	None	Low	8.0.21 and prior
CVE-2020-14771	MySQL Server	Server: Security: LDAP Auth	MySQL Protocol	No	2.2	Network	High	High	None	Un- changed	None	None	Low	5.7.31 and prior, 8.0.21 and prior

Additional CVEs addressed are:

The patch for CVE-2020-13935 also addresses CVE-2020-11996, CVE-2020-13934 and CVE-2020-9484
The patch for CVE-2020-8174 also addresses CVE-2020-11080 and CVE-2020-8172

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

MySQL Cluster
- Cluster: Configuration (dojo): CVE-2020-4051

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 15 new security patches for Oracle PeopleSoft. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-11058	PeopleSoft Enterprise PeopleTools	Weblogic (RSA BSafe)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.56, 8.57, 8.58
CVE-2020-14865	PeopleSoft Enterprise SCM eSupplier Connection	eSupplier Connection	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.2
CVE-2020-14795	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	8.57, 8.58
CVE-2020-14778	PeopleSoft Enterprise HCM Global Payroll Core	Security	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	9.2
CVE-2020-14832	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-14801	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-14802	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-11022	PeopleSoft Enterprise PeopleTools	PIA Core Technology (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-14813	PeopleSoft Enterprise PeopleTools	PIA Grids	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-11022	PeopleSoft Enterprise PeopleTools	Portal, Charting (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-1954	PeopleSoft Enterprise PeopleTools	Elastic Search (Apache CXF)	HTTP	Yes	5.3	Adjacent Network	High	None	None	Un- changed	High	None	None	8.56
CVE-2020-14806	PeopleSoft Enterprise PeopleTools	Query	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.56, 8.57, 8.58
CVE-2020-9488	PeopleSoft Enterprise PeopleTools	Tools Admin API (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.56, 8.57, 8.58
CVE-2020-9488	PeopleSoft Enterprise PeopleTools	Updates Environment Mgmt (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.56, 8.57, 8.58
CVE-2020-14847	PeopleSoft Enterprise PeopleTools	Query	HTTP	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	8.56, 8.57, 8.58

Additional CVEs addressed are:

The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Policy Automation Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Policy Automation. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-11022	Oracle Policy Automation	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.0 – 12.2.20
CVE-2020-11022	Oracle Policy Automation Connector for Siebel	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.4.6
CVE-2020-11022	Oracle Policy Automation for Mobile Devices	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.0 – 12.2.20
CVE-2020-9488	Oracle Policy Automation	Core (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	12.2.0 – 12.2.20
CVE-2020-9488	Oracle Policy Automation Connector for Siebel	Core (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	10.4.6
CVE-2020-9488	Oracle Policy Automation for Mobile Devices	Core (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	12.2.0 – 12.2.20

Additional CVEs addressed are:

The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 28 new security patches for Oracle Retail Applications. 25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-10683	Oracle Retail Order Broker	System Administration (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0, 18.0, 19.0, 19.1
CVE-2020-10683	Oracle Retail Price Management	Security (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0
CVE-2020-9546	Oracle Retail Service Backbone	RSB kernel (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1, 15.0, 16.0
CVE-2020-1945	Oracle Retail Back Office	Security (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	14.0, 14.1
CVE-2020-1945	Oracle Retail Central Office	Security (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	14.0, 14.1
CVE-2020-1945	Oracle Retail Integration Bus	RIB Kernal (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	14.1, 15.0, 16.0
CVE-2020-1945	Oracle Retail Point-of-Service	Security (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	14.0, 14.1
CVE-2020-1945	Oracle Retail Returns Management	Security (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	14.0, 14.1
CVE-2020-9410	Oracle Retail Order Broker	Order Broker Foundation (jasperreports_server)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	15.0, 16.0
CVE-2019-3740	Oracle Retail Assortment Planning	Application Core (RSA BSAFE Crypto-J)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	15.0.3.0, 16.0.3.0
CVE-2019-3740	Oracle Retail Integration Bus	RIB Kernal (RSA BSAFE Crypto-J)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	14.1, 15.0, 16.0
CVE-2019-3740	Oracle Retail Predictive Application Server	RPAS Server (RSA BSAFE Crypto-J)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	14.1.3.0, 15.0.3.0, 16.0.3.0
CVE-2019-3740	Oracle Retail Service Backbone	RSB kernel (RSA BSAFE Crypto-J)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	14.1, 15.0, 16.0
CVE-2019-3740	Oracle Retail Xstore Point of Service	Xenvironment (RSA BSAFE Crypto-J)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1
CVE-2020-11022	Oracle Retail Back Office	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	14.0, 14.1
CVE-2020-11022	Oracle Retail Central Office	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	14.0, 14.1
CVE-2020-11022	Oracle Retail Customer Management and Segmentation Foundation	Segments (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	19.0
CVE-2019-11358	Oracle Retail Point-of-Service	Mobile POS (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	14.0, 14.1
CVE-2020-11022	Oracle Retail Returns Management	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	14.0, 14.1
CVE-2019-12415	Oracle Retail Order Broker	Store Connect (Apache POI)	none	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	15.0, 16.0
CVE-2020-9488	Oracle Retail Advanced Inventory Planning	AIP Dashboard (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	14.1
CVE-2020-9488	Oracle Retail Assortment Planning	Application Core (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	15.0.3.0, 16.0.3.0
CVE-2020-9488	Oracle Retail Bulk Data Integration	BDI Job Scheduler (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	15.0.3.0, 16.0.3.0
CVE-2020-9488	Oracle Retail Integration Bus	RIB Kernal (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	14.1, 15.0, 16.0
CVE-2020-9488	Oracle Retail Order Broker	Store Connect (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	16.0, 18.0, 19.0, 19.1, 19.2, 19.3
CVE-2020-9488	Oracle Retail Predictive Application Server	RPAS Fusion Client (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	14.1.3.0, 15.0.3.0, 16.0.3.0
CVE-2020-14732	Oracle Retail Customer Management and Segmentation Foundation	Promotions	HTTP	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	19.0
CVE-2020-14731	Oracle Retail Customer Management and Segmentation Foundation	Segment	HTTP	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	18.0, 19.0

Additional CVEs addressed are:

The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739
The patch for CVE-2020-11022 also addresses CVE-2020-11023
The patch for CVE-2020-1945 also addresses CVE-2017-5645
The patch for CVE-2020-9410 also addresses CVE-2020-9409
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-9547 and CVE-2020-9548

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Siebel CRM. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	Siebel Apps – Marketing	Mktg/Email Mktg Stand-Alone (Apache Commons File Upload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	20.7
CVE-2019-10072	Siebel Apps – Marketing	Mktg/Campaign Mgmt (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	20.7
CVE-2020-11022	Siebel UI Framework	UIF Open UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	20.8

Additional CVEs addressed are:

The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Supply Chain. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-1938	Oracle Agile PLM	Folders, Files & Attachments (Apache Tomcat)	AJP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.5, 9.3.6
CVE-2020-10683	Oracle Agile PLM	Security (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.5
CVE-2020-9484	Oracle Transportation Management	Install (Apache Tomcat)	AJP	No	7.0	Local	High	Low	None	Un- changed	High	High	High	6.3.7
CVE-2020-11022	Oracle Agile Product Lifecycle Management for Process	Supplier Portal (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.2.0.0

Additional CVEs addressed are:

The patch for CVE-2020-11022 also addresses CVE-2020-11023
The patch for CVE-2020-1938 also addresses CVE-2019-17569, CVE-2020-13934, CVE-2020-13935, CVE-2020-1935 and CVE-2020-9484

Oracle Systems Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Systems. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14871	Oracle Solaris	Pluggable authentication module	Multiple	Yes	10.0	Network	Low	None	None	Changed	High	High	High	10, 11
CVE-2020-14871	Oracle ZFS Storage Appliance Kit	Operating System Image	Multiple	Yes	10.0	Network	Low	None	None	Changed	High	High	High	8.8
CVE-2019-11477	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (Linux Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to XCP2362, prior to XCP3090
CVE-2018-3693	Fujitsu M12-1, M12-2, M12-2S Servers	XCP Firmware (Kernel)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to XCP3090
CVE-2020-14758	Oracle Solaris	Kernel	None	No	5.6	Local	Low	Low	Required	Un- changed	High	None	Low	11
CVE-2020-14754	Oracle Solaris	Filesystem	None	No	5.5	Local	Low	Low	None	Un- changed	None	None	High	11
CVE-2020-14818	Oracle Solaris	Utility	SSH	No	3.0	Network	High	Low	Required	Changed	None	Low	None	11
CVE-2020-14759	Oracle Solaris	Kernel	None	No	2.5	Local	High	Low	Required	Changed	None	Low	None	11

Additional CVEs addressed are:

The patch for CVE-2019-11477 also addresses CVE-2019-11478 and CVE-2019-11479
The patch for CVE-2020-14871 also addresses CVE-2019-18348, CVE-2020-3909, CVE-2020-10108, CVE-2020-12243, CVE-2020-13630, CVE-2020-14758 and CVE-2020-14759

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Utilities Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-10173	Oracle Utilities Framework	Common (xstream)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 – 4.3.0.6.0, 4.4.0.0.0
CVE-2020-10683	Oracle Utilities Framework	General (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 – 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
CVE-2020-1945	Oracle Utilities Framework	General (Apache Ant)	None	No	6.3	Local	High	Low	None	Un- changed	High	High	None	2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 – 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
CVE-2020-14895	Oracle Utilities Framework	System Wide	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 – 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
CVE-2020-9488	Oracle Utilities Framework	Common (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 – 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0

Additional CVEs addressed are:

The patch for CVE-2020-1945 also addresses CVE-2017-5645

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14872	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 6.1.16
CVE-2020-14881	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 6.1.16
CVE-2020-14884	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 6.1.16
CVE-2020-14885	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 6.1.16
CVE-2020-14886	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 6.1.16
CVE-2020-14889	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 6.1.16
CVE-2020-14892	Oracle VM VirtualBox	Core	None	No	5.5	Local	Low	Low	None	Un- changed	None	None	High	Prior to 6.1.16

No Related Posts

Oracle Security Alert for CVE-2020-14750 – 01 November 2020

September 30, 2020November 24, 2020 Oracle Leave a comment

Oracle Security Alert Advisory – CVE-2020-14750

Description

This Security Alert addresses CVE-2020-14750, a remote code execution vulnerability in Oracle WebLogic Server. This vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update. It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	Fusion Middleware

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

References

Risk Matrix Content

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Security Alert. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:

360QUAKE TEAM: CVE-2020-14750
Bui Dinh Bao aka 0xd0ff9 of Zalo Security Team (VNG Corp): CVE-2020-14750
codeplutos of AntGroup FG Security Lab: CVE-2020-14750
f1v3 jacky: CVE-2020-14750
Hoang Quoc Thinh of RedTeam (VNG Corp): CVE-2020-14750
Huang Xiaopeng of 360CERT at QiHu360: CVE-2020-14750
icez of Tophant Competence Center: CVE-2020-14750
Jacky Xing of Dbappsecurity Team: CVE-2020-14750
Maoxin Lin of Dbappsecurity Team: CVE-2020-14750
mayoterry of Qingteng 73Lab Security Team: CVE-2020-14750
ph4nt0mer: CVE-2020-14750
r00t4dm from A-TEAM of Legendsec at Qi’anxin Group: CVE-2020-14750
Shimizu Kawasaki of Asiainfo-sec of CSS Group: CVE-2020-14750
tcc: CVE-2020-14750
Tonghua Root: CVE-2020-14750
voidfyoo of Chaitin Security Research Lab: CVE-2020-14750
Xianglai Liu of Dbappsecurity Team: CVE-2020-14750
Yu Wang of BMH Security Team: CVE-2020-14750
Yuxuan Chen: CVE-2020-14750
Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2020-14750

Modification History

Date	Note
2020-November-6	Rev 2. Credit update.
2020-November-1	Rev 1. Initial Release.

Oracle Fusion Middleware Risk Matrix

This Security Alert contains 1 new security patch for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Security Alert CVE-2020-14750 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Security Alert CVE-2020-14750 Patch Availability Document for Oracle Products, My Oracle Support Note 2724951.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14750	Oracle WebLogic Server	Console	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

No Related Posts

Oracle Critical Patch Update Advisory – July 2020

July 13, 2020November 24, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – July 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security advisories.

This Critical Patch Update contains 444 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at July 2020 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Category Management Planning & Optimization, version 15.0.3	Retail Applications
Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0	Retail Applications
Enterprise Manager Base Platform, versions 12.1.0.5, 13.3.0.0, 13.4.0.0	Enterprise Manager
Enterprise Manager for Fusion Middleware, version 12.1.0.5	Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0	Enterprise Manager
GoldenGate Stream Analytics, versions prior to 19.1.0.0.1	Database
Hyperion Financial Close Management, version 11.1.2.4	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1-17.3	Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.4.2	JD Edwards
JD Edwards EnterpriseOne Tools, versions prior to 9.2.3.3, prior to 9.2.4.2	JD Edwards
MySQL Client, versions 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior	MySQL
MySQL Cluster, versions 7.3.29 and prior, 7.4.28 and prior, 7.5.18 and prior, 7.6.14 and prior, 8.0.20 and prior	MySQL
MySQL Connectors, versions 8.0.20 and prior	MySQL
MySQL Enterprise Monitor, versions 4.0.12 and prior, 8.0.20 and prior	MySQL
MySQL Server, versions 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior	MySQL
Oracle Agile Engineering Data Management, version 6.2.1.0	Oracle Supply Chain Products
Oracle Application Express, versions 5.1-19.2	Database
Oracle Application Testing Suite, versions 13.2.0.1, 13.3.0.1	Enterprise Manager
Oracle AutoVue, version 21.0	Oracle Supply Chain Products
Oracle Banking Enterprise Collections, versions 2.7.0-2.9.0	Oracle Banking Platform
Oracle Banking Payments, versions 14.1.0-14.4.0	Oracle Financial Services Applications
Oracle Banking Platform, versions 2.4.0-2.10.0	Oracle Banking Platform
Oracle Berkeley DB, versions prior to 6.1.38, prior to 18.1.40	Berkeley DB
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	Fusion Middleware
Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 11.0, 11.1, 11.2, prior to 11.3.1	Oracle Commerce
Oracle Commerce Platform, versions 11.1, 11.2, prior to 11.3.1	Oracle Commerce
Oracle Commerce Service Center, versions 11.1, 11.2, prior to 11.3.1	Oracle Commerce
Oracle Communications Analytics, version 12.1.1	Oracle Communications Analytics
Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.3.0	Oracle Communications Billing and Revenue Management
Oracle Communications BRM – Elastic Charging Engine, versions 11.3, 12.0	Oracle Communications BRM – Elastic Charging Engine
Oracle Communications Contacts Server, version 8.0.0.4.0	Oracle Communications Contacts Server
Oracle Communications Convergence, versions 3.0.1.0-3.0.2.1	Oracle Communications Convergence
Oracle Communications Diameter Signaling Router (DSR), versions 8.0-8.4	Oracle Communications Diameter Signaling Router
Oracle Communications Element Manager, versions 8.1.1, 8.2.0, 8.2.1	Oracle Communications Element Manager
Oracle Communications Evolved Communications Application Server, version 7.1	Oracle Communications Evolved Communications Application Server
Oracle Communications Instant Messaging Server, version 10.0.1.4.0	Oracle Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder, versions 6.1-6.4	Oracle Communications Interactive Session Recorder
Oracle Communications IP Service Activator, versions 7.3.0, 7.4.0	Oracle Communications IP Service Activator
Oracle Communications LSMS, versions 13.0-13.3	Oracle Communications LSMS
Oracle Communications Messaging Server, versions 8.0.2, 8.1.0	Oracle Communications Messaging Server
Oracle Communications MetaSolv Solution, version 6.3.0	Oracle Communications MetaSolv Solution
Oracle Communications Network Charging and Control, versions 6.0.1, 12.0.0-12.0.3	Oracle Communications Network Charging and Control
Oracle Communications Network Integrity, versions 7.3.2-7.3.6	Oracle Communications Network Integrity
Oracle Communications Operations Monitor, versions 3.4, 4.1-4.3	Oracle Communications Operations Monitor
Oracle Communications Order and Service Management, versions 7.3, 7.4	Oracle Communications Order and Service Management
Oracle Communications Services Gatekeeper, versions 6.0, 6.1, 7.0	Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions 8.1.0, 8.2.0, 8.3.0	Oracle Communications Session Border Controller
Oracle Communications Session Report Manager, versions 8.1.1, 8.2.0, 8.2.1	Oracle Communications Session Report Manager
Oracle Communications Session Route Manager, versions 8.1.1, 8.2.0, 8.2.1	Oracle Communications Session Route Manager
Oracle Configuration Manager, version 12.1.2.0.6	Enterprise Manager
Oracle Configurator, versions 12.1, 12.2	Oracle Supply Chain Products
Oracle Data Masking and Subsetting, versions 13.3.0.0, 13.4.0.0	Enterprise Manager
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Spatial Studio] prior to 19.2.1	Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9	E-Business Suite
Oracle Endeca Information Discovery Studio, version 3.2.0	Fusion Middleware
Oracle Enterprise Communications Broker, versions 3.0.0-3.2.0	Oracle Enterprise Communications Broker
Oracle Enterprise Repository, version 11.1.1.7.0	Fusion Middleware
Oracle Enterprise Session Border Controller, versions 8.1.0, 8.2.0, 8.3.0	Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Compliance Regulatory Reporting, versions 8.0.6-8.0.8	Oracle Financial Services Compliance Regulatory Reporting
Oracle Financial Services Lending and Leasing, versions 12.5.0, 14.1.0-14.8.0	Oracle Financial Services Applications
Oracle Financial Services Liquidity Risk Management, version 8.0.6	Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8	Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8	Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank, version 8.0.4	Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank
Oracle FLEXCUBE Investor Servicing, versions 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0	Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0	Oracle Financial Services Applications
Oracle Fusion Middleware MapViewer, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Global Lifecycle Management/OPatch, versions prior to 12.2.0.1.20	Global Lifecycle Management
Oracle GoldenGate, versions prior to 19.1.0.0.0	Database
Oracle GraalVM Enterprise Edition, versions 19.3.2, 20.1.0	Oracle GraalVM Enterprise Edition
Oracle Health Sciences Empirica Inspections, version 1.0.1.2	Health Sciences
Oracle Health Sciences Empirica Signal, version 7.3.3	Health Sciences
Oracle Healthcare Master Person Index, version 4.0.2	Health Sciences
Oracle Healthcare Translational Research, versions 3.2.1, 3.3.1, 3.3.2, 3.4.0	Health Sciences
Oracle Help Technologies, versions 11.1.1.9.0, 12.2.1.3.0	Fusion Middleware
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1	Oracle Hospitality Guest Access
Oracle Hospitality Reporting and Analytics, version 9.1.0	Oracle Hospitality Reporting and Analytics
Oracle Hyperion BI+, version 11.1.2.4	Fusion Middleware
Oracle iLearning, versions 6.1, 6.1.1	iLearning
Oracle Insurance Accounting Analyzer, versions 8.0.6-8.0.9	Oracle Insurance Accounting Analyzer
Oracle Insurance Data Gateway, version 1.0	Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0	Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0	Oracle Insurance Applications
Oracle Java SE, versions 7u261, 8u251, 11.0.7, 14.0.1	Java SE
Oracle Java SE Embedded, version 8u251	Java SE
Oracle Outside In Technology, versions 8.5.4, 8.5.5	Fusion Middleware
Oracle Rapid Planning, versions 12.1, 12.2	Oracle Supply Chain Products
Oracle Real User Experience Insight, version 13.3.1.0	Enterprise Manager
Oracle Retail Assortment Planning, versions 15.0, 15.0.3, 16.0, 16.0.3	Retail Applications
Oracle Retail Bulk Data Integration, versions 15.0, 16.0	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, version 18.0	Retail Applications
Oracle Retail Data Extractor for Merchandising, versions 1.9, 1.10, 18.0	Retail Applications
Oracle Retail Extract Transform and Load, version 19.0	Retail Applications
Oracle Retail Financial Integration, versions 15.0, 16.0	Retail Applications
Oracle Retail Fusion Platform, version 5.5	Retail Applications
Oracle Retail Integration Bus, versions 15.0, 15.0.3, 16.0, 16.0.3	Retail Applications
Oracle Retail Invoice Matching, version 16.0	Retail Applications
Oracle Retail Item Planning, version 15.0.3	Retail Applications
Oracle Retail Macro Space Optimization, version 15.0.3	Retail Applications
Oracle Retail Merchandise Financial Planning, version 15.0.3	Retail Applications
Oracle Retail Merchandising System, versions 15.0.3, 16.0.2, 16.0.3	Retail Applications
Oracle Retail Order Broker, version 15.0	Retail Applications
Oracle Retail Predictive Application Server, versions 14.0.3, 14.1.3, 15.0.3, 16.0.3	Retail Applications
Oracle Retail Regular Price Optimization, versions 15.0.3, 16.0.3	Retail Applications
Oracle Retail Replenishment Optimization, version 15.0.3	Retail Applications
Oracle Retail Sales Audit, version 14.1	Retail Applications
Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0	Retail Applications
Oracle Retail Size Profile Optimization, version 15.0.3	Retail Applications
Oracle Retail Store Inventory Management, versions 14.0.4, 14.1.3, 15.0.3, 16.0.3	Retail Applications
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 18.0, 19.0	Retail Applications
Oracle SD-WAN Aware, versions 8.0, 8.1, 8.2	Oracle SD-WAN Aware
Oracle SD-WAN Edge, versions 8.0, 8.1, 8.2, 9.0	Oracle SD-WAN Edge
Oracle Security Service, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Solaris, version 11	Systems
Oracle TimesTen In-Memory Database, versions prior to 18.1.2.1.0	Database
Oracle Transportation Management, versions 6.3.7, 6.4.3	Oracle Supply Chain Products
Oracle Unified Directory, versions 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Utilities Framework, versions 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0	Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.2.44, prior to 6.0.24, prior to 6.1.12	Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8	Systems
PeopleSoft Enterprise FIN Expenses, version 9.2	PeopleSoft
PeopleSoft Enterprise HCM Global Payroll Switzerland, version 9.2	PeopleSoft
PeopleSoft Enterprise HRMS, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58	PeopleSoft
Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4	Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.6	Oracle Construction and Engineering Suite
Primavera Portfolio Management, versions 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, [Mobile App] prior to 20.6	Oracle Construction and Engineering Suite
Siebel Applications, versions 2.20.5 and prior, 20.6 and prior	Siebel

Note:

Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets which contain critical security fixes and detailed in Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Abdullah Alzahrani: CVE-2020-14554, CVE-2020-14635
Alessandro Bosco of TIM S.p.A: CVE-2020-14690
Alexander Kornbrust of Red Database Security: CVE-2020-2984
Alves Christopher (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
Ammarit Thongthua of Secure D Center Cybersecurity Team: CVE-2020-14558, CVE-2020-14564
Andrej Simko of Accenture: CVE-2020-14534, CVE-2020-14555, CVE-2020-14590, CVE-2020-14657, CVE-2020-14658, CVE-2020-14659, CVE-2020-14660, CVE-2020-14661, CVE-2020-14665, CVE-2020-14666, CVE-2020-14667, CVE-2020-14679, CVE-2020-14688
Antonin B. of NCIA / NCSC: CVE-2020-14610
Arseniy Sharoglazov of Positive Technologies: CVE-2020-14622
Artur Wojtkowski and CQURE Team: CVE-2020-14617, CVE-2020-14618
Billy Cody of Context Information Security: CVE-2020-14595
Bui Duong from Viettel Cyber Security: CVE-2020-14611
CERT/CC: CVE-2020-14558
Chathura Abeydeera of Deloitte Risk Advisory Pty Ltd: CVE-2020-14531
Chi Tran: CVE-2020-14534, CVE-2020-14716, CVE-2020-14717
Conor McErlane working with Trend Micro’s Zero Day Initiative: CVE-2020-14628
Damian Bury: CVE-2020-14546
Edoardo Predieri of TIM S.p.A: CVE-2020-14690
Emad Al-Mousa of Saudi Aramco: CVE-2020-2969, CVE-2020-2978
Fabio Minarelli of TIM S.p.A: CVE-2020-14690
Filip Ceglik: CVE-2020-14560, CVE-2020-14565
Forum Bhayani: CVE-2020-14592
Francesco Russo of TIM S.p.A: CVE-2020-14690
Giovanni Delvecchio of Almaviva Security Assessment Team: CVE-2020-14607, CVE-2020-14608
Hangfan Zhang: CVE-2020-14575, CVE-2020-14654
Hugo Santiago dos Santos: CVE-2020-14613
Johannes Kuhn: CVE-2020-14556
Julien Zhan (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
kdot working with Trend Micro Zero Day Initiative: CVE-2020-14664
Khuyen Nguyen of secgit.com: CVE-2020-14668, CVE-2020-14669, CVE-2020-14670, CVE-2020-14671, CVE-2020-14681, CVE-2020-14682, CVE-2020-14686
Kingkk: CVE-2020-14642, CVE-2020-14644
Kritsada Sunthornwutthikrai of Secure D Center Cybersecurity Team: CVE-2020-14558, CVE-2020-14564
Larry W. Cashdollar: CVE-2020-14724
Lionel Debroux: CVE-2020-2981
Luca Di Giuseppe of TIM S.p.A: CVE-2020-14690
Lucas Leong of Trend Micro Zero Day Initiative: CVE-2020-14646, CVE-2020-14647, CVE-2020-14648, CVE-2020-14649, CVE-2020-14650, CVE-2020-14673, CVE-2020-14674, CVE-2020-14694, CVE-2020-14695, CVE-2020-14703, CVE-2020-14704
lufei of Tencent Force: CVE-2020-14645
Lukas Braune of Siemens: CVE-2019-8457
Lukasz Mikula: CVE-2020-14541
Lukasz Rupala of ING Tech Poland: CVE-2020-14552
Maoxin Lin of Dbappsecurity Team: CVE-2020-14645, CVE-2020-14652
Marco Marsala: CVE-2020-14559
Markus Loewe: CVE-2020-14583
Markus Wulftange of Code White GmbH: CVE-2020-14644, CVE-2020-14645, CVE-2020-14687
Massimiliano Brolli of TIM S.p.A: CVE-2020-14690
Mateusz Dabrowski: CVE-2020-14584, CVE-2020-14585
Maxime Escourbiac of Michelin CERT: CVE-2020-14719, CVE-2020-14720
Mohamed Fadel: CVE-2020-14601, CVE-2020-14602, CVE-2020-14603, CVE-2020-14604, CVE-2020-14605
Ntears of Chaitin Security Team: CVE-2020-14645, CVE-2020-14652
Owais Zaman of Sabic: CVE-2020-14551
Pavel Cheremushkin: CVE-2020-14713
Philippe Antoine (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
Philippe Arteau of GoSecure: CVE-2020-14577
Preeyakorn Keadsai of Secure D Center Cybersecurity Team: CVE-2020-14558, CVE-2020-14564
Przemyslaw Nowakowski: CVE-2020-2977
Quynh Le of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-14625
r00t4dm from A-TEAM of Legendsec at Qi’anxin Group: CVE-2020-14636, CVE-2020-14637, CVE-2020-14638, CVE-2020-14639, CVE-2020-14640, CVE-2020-14645, CVE-2020-14652
Reno Robert working with Trend Micro Zero Day Initiative: CVE-2020-14629, CVE-2020-14675, CVE-2020-14676, CVE-2020-14677
Roberto Suggi Liverani of NCIA / NCSC: CVE-2020-14610
Roger Meyer: CVE-2020-2513, CVE-2020-2971, CVE-2020-2972, CVE-2020-2973, CVE-2020-2974, CVE-2020-2975, CVE-2020-2976
Roman Shemyakin: CVE-2020-14621
Rui Zhong: CVE-2020-14575, CVE-2020-14654
Saeed Shiravi: CVE-2020-14548
Shimizu Kawasaki of Asiainfo-sec of CSS Group: CVE-2020-14645, CVE-2020-14652
Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2020-14532, CVE-2020-14533
Suthum Thitiananpakorn: CVE-2020-14569
Ted Raffle of rapid7.com: CVE-2020-14535, CVE-2020-14536
Tomasz Stachowicz: CVE-2020-14570, CVE-2020-14571
Trung Le: CVE-2020-14534, CVE-2020-14716, CVE-2020-14717
Tuan Anh Nguyen of Viettel Cyber Security: CVE-2020-14598, CVE-2020-14599
Vijayakumar Muniraj of CybersecurityWorks Research Labs: CVE-2020-14723
Yaoguang Chen of Ant-financial Light-Year Security Lab: CVE-2020-14654, CVE-2020-14725
Yongheng Chen: CVE-2020-14575, CVE-2020-14654
ZeddYu Lu of StarCross Tech: CVE-2020-14588, CVE-2020-14589
Zhao Xin Jun: CVE-2020-14652
Zhongcheng Li (CK01) from Zero-dayits Team of Legendsec at Qi’anxin Group: CVE-2020-14711, CVE-2020-14712
Ziming Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2020-14707, CVE-2020-14714, CVE-2020-14715
Ziming Zhang from Codesafe Team of Legendsec at Qi’anxin Group working with Trend Micro Zero Day Initiative: CVE-2020-14698, CVE-2020-14699, CVE-2020-14700
Zouhair Janatil-Idrissi (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623

Security-In-Depth Contributors

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

Alexander Kornbrust of Red Database Security [10 reports]
Cao Linhong of Sangfor Furthereye Security Team
Chi Tran [2 reports]
Fatih Çelik
James Nichols of 80/20 Labs
lufei of Tencent Force
Maoxin Lin of Dbappsecurity Team
Marc Fielding of Google
Markus Loewe [2 reports]
r00t4dm from A-TEAM of Legendsec at Qi’anxin Group
Ryan Gerstenkorn
Saeid Tizpaz Niari
Shimizu Kawasaki of Asiainfo-sec of CSS Group
Trung Le [2 reports]
Venustech ADLab
Yu Wang of BMH Security Team [2 reports]

On-Line Presence Security Contributors

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

0xd0ff9 aka Bao Bui
1ZRR4H aka Germán Fernández
@ngkogkos hunt4p1zza
Abdulkadir Mutlu
Abdullah Mohamed
Abhinav P
Aditra Andri Laksana
Ahmed Moustafa
Alfie Njeru (emenalf)
Aman Deep Singh Chawla
Anas Rahmani
Anat Bremler-Barr
Anis Azzi
Anon Venus
Ansar Uddin Anan
Ben Passmore
Celal Erdik of Ebruu Tech Limited
Chirag Prajapati
Dave Altena
Dhamu Harker
Dhiral Patel
Dhiren Kumar Pradhan
Elmonzer Kamaleldin of Monzer Kamal
HackersEra VMS [2 reports]
Hamza Megahed
Harpreet Singh of Pyramid Cyber Security & Forensic Pvt Ltd
Harry The DevOps Guy
Ilyas Orak
Jagdish Bharucha
Jatin Saini
Jeremy Lindsey of Burns & McDonnell [2 reports]
Jin DanLong
Josue Acevedo Maldonado
Ken Nevers
Kishore Hariram [2 reports]
Last Light [2 reports]
Lior Shafir
Luciano Anezin
Maayan Amid of Orca Security
Magrabur Alam Sofily
Matthijs R. Koot [2 reports]
Mayur Gupta
Meridian Miftari
Moaied Nagi Hassan (Moonlight)
Mohit Khemchandani
Muhammad Abdullah
Naveen Kumar
Ome Mishra
Prathmesh Lalingkar
Pratish Bhansali
Prince Achillies
Pritam Mukherjee
Rajesh Patil
Raphael Karger
Ricardo Iramar dos Santos
Ridvan Erbas
Roger Meyer
rootme34
Russell Muetzelfeldt of Flybuys
Saad Zitouni
Sajid Ali
Sam Jadali
Sarath Kumar (Kadavul)
Saurabh Dilip Mhatre
Severus of VietSunshine Security Engineering Team
Shailesh Kumar
Shubham Khadgi
Sipke Mellema
Siva Pathela
Smii Mondher
Srinivas M
Tinu Tomy
Tony Marcel Nasr [2 reports]
Tuatnh
Tushar Bhardwaj
Ujjwal Tyagi
Valentin Virtejanu of Lifespan
Victor Gevers
Viet Nguyen [2 reports]
Virendra Tiwari
Vishal Ajwani
Vlad Staricin
Yehuda Afek
Youssef A. Mohamed aka GeneralEG
Zubin

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

20 October 2020
19 January 2021
20 April 2021
20 July 2021

References

Modification History

Date	Note
2020-October-21	Rev 8. Updated CVSS score of CVE-2020-14564.
2020-August-31	Rev 7. Credit Statement Update.
2020-August-3	Rev 6. Credit Statement Update.
2020-July-27	Rev 5. Credit Statement Update.
2020-July-24	Rev 4. Affected version number changes to CVE-2020-14701 & CVE-2020-14606
2020-July-23	Rev 3. Added entry for CVE-2020-14725 in MySQL Risk Matrix. The fix was included in patches already released but was inadvertently not documented.
2020-July-20	Rev 2. Credit Statement Update.
2020-July-14	Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 27 new security patches for the Oracle Database Products divided as follows:

19 new security patches for Oracle Database Server.
3 new security patches for Oracle Berkeley DB.
1 new security patch for Oracle Global Lifecycle Management.
3 new security patches for Oracle GoldenGate.
1 new security patch for Oracle TimesTen In-Memory Database.

Oracle Database Server Risk Matrix

This Critical Patch Update contains 19 new security patches for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	MapViewer (Apache Commons FileUpload)	Valid User Account	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.2.0.1, 18c, 19c	See Note 1
CVE-2020-2968	Java VM	Create Session, Create Procedure	Multiple	No	8.0	Network	High	Low	Required	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2016-9843	Core RDBMS (zlib)	Create Session	Oracle Net	No	7.2	Network	Low	High	None	Un- changed	High	High	High	18c
CVE-2020-2969	Data Pump	DBA role account	Oracle Net	No	6.6	Network	High	High	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-8112	GeoRaster (OpenJPG)	Create Session	Oracle Net	No	5.7	Network	Low	Low	Required	Un- changed	None	None	High	18c
CVE-2020-2513	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	5.1-19.2
CVE-2020-2971	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	5.1-19.2
CVE-2020-2972	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	5.1-19.2
CVE-2020-2973	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	5.1-19.2
CVE-2020-2974	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	5.1-19.2
CVE-2020-2976	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	5.1-19.2
CVE-2020-2975	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	5.1-19.2
CVE-2019-17569	Workload Manager (Apache Tomcat)	None	HTTP	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	12.2.0.1, 18c, 19c
CVE-2020-2977	Oracle Application Express	Valid User Account	HTTP	No	4.6	Network	Low	Low	Required	Un- changed	Low	Low	None	5.1-19.2
CVE-2020-2978	Oracle Database – Enterprise Edition	DBA role account	Oracle Net	No	4.1	Network	Low	High	None	Changed	None	Low	None	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-13990	MapViewer (Terracotta Quartz Scheduler, Apache Batik, Google Guava)	Local Logon	None	No	0.0	Local	Low	Low	Required	Un- changed	None	None	None	12.2.0.1, 18c, 19c	See Note 2
CVE-2018-18314	Oracle Database (Perl)	Local Logon	None	No	0.0	Local	High	High	None	Un- changed	None	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	See Note 3
CVE-2019-10086	Spatial Studio (Apache Commons Beanutils)	Local Logon	None	No	0.0	Local	Low	Low	None	Un- changed	None	None	None	Spatial Studio: Prior to 19.2.1	See Note 4
CVE-2019-16943	TFA (jackson-databind)	Local Logon	None	No	0.0	Local	High	High	None	Un- changed	None	None	None	12.2.0.1, 18c, 19c	See Note 5

Notes:

MapViewer is not deployed with a default installation. To use MapViewer the customer needs to re-deploy MapViewer EAR file into Oracle WebLogic Server.
The CVE-2019-13990 and other CVEs listed for this patch are not exploitable in the context of Oracle Spatial and Graph MapViewer product, thus the CVSS score is 0.0.
None of the CVEs listed against this row are exploitable in the context of Oracle Database, thus the CVSS score is 0.0.
The CVE-2019-10086 is not exploitable in the context of Oracle Spatial Studio product, thus the CVSS score is 0.0.
The CVE-2019-16943 and additional CVEs addressed by this patch are not exploitable in the context of Oracle TFA, thus the CVSS score for TFA patch for this issue is is 0.0.

Additional CVEs addressed are below:

The patch for CVE-2016-9843 also addresses CVE-2016-9840, CVE-2016-9841 and CVE-2016-9842.
The patch for CVE-2018-18314 also addresses CVE-2015-8607, CVE-2015-8608, CVE-2016-2381, CVE-2017-12814, CVE-2017-12837, CVE-2017-12883, CVE-2018-12015, CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-6797, CVE-2018-6798 and CVE-2018-6913.
The patch for CVE-2019-13990 also addresses CVE-2018-10237 and CVE-2018-8013.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
The patch for CVE-2019-17569 also addresses CVE-2020-1935 and CVE-2020-1938.
The patch for CVE-2020-8112 also addresses CVE-2016-1923, CVE-2016-1924, CVE-2016-3183, CVE-2016-4796, CVE-2016-4797, CVE-2016-8332, CVE-2016-9112 and CVE-2020-6851.

Oracle Berkeley DB Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Berkeley DB. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-10140	Data Store	None	None	No	7.3	Local	Low	Low	Required	Un- changed	High	High	High	Prior to 6.1.38
CVE-2020-2981	Data Store	None	None	No	7.0	Local	High	None	Required	Un- changed	High	High	High	Prior to 18.1.40
CVE-2019-8457	Data Store (SQLite)	None	TCP	No	0.0	Network	Low	None	Required	Un- changed	None	None	None	Prior to 18.1.40	See Note 1

Notes:

The CVE-2019-8457 is not exploitable in the context of Oracle Berkeley DB product, thus the CVSS score is 0.0.

Oracle Global Lifecycle Management Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Global Lifecycle Management. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-9546	Oracle Global Lifecycle Management/OPatch	Patch Installer (jackson-databind)	None	No	0.0	Local	Low	Low	None	Un- changed	None	None	None	Prior to 12.2.0.1.20	See Note 1

Notes:

None of the CVEs listed against this row are exploitable in the Oracle Global Lifecycle Management product, thus the CVSS score is 0.0.

Additional CVEs addressed are below:

The patch for CVE-2020-9546 also addresses CVE-2019-16943, CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle GoldenGate. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14705	Oracle GoldenGate	Process Management	TCP	Yes	9.6	Adjacent Network	Low	None	None	Changed	High	High	High	Prior to 19.1.0.0.0
CVE-2019-0222	GoldenGate Stream Analytics	Security (ActiveMQ)	TCP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	Prior to 19.1.0.0.1
CVE-2019-14379	GoldenGate Stream Analytics	Security / Application Adapters (jackson-databind, SLF4J, ZooKeeper, Apache Spark)	None	No	0.0	Local	Low	Low	None	Un- changed	None	None	None	Prior to 19.1.0.0.1	See Note 1

Notes:

CVE-2019-14379 and other CVEs addressed by these patches are not exploitable in the Oracle GoldenGate product, thus the CVSS score is 0.0.

Additional CVEs addressed are below:

The patch for CVE-2019-14379 also addresses CVE-2016-5017, CVE-2017-5637, CVE-2018-17190, CVE-2018-8012, CVE-2018-8088, CVE-2019-0201, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14439 and CVE-2019-14893.

Oracle TimesTen In-Memory Database Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle TimesTen In-Memory Database. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-18314	Oracle TimesTen In-Memory Database	Doc, EM Plug-in (Perl)	OracleNet	No	0.0	Network	Low	Low	None	Un- changed	None	None	None	Prior to 18.1.2.1.0	See Note 1

Notes:

None of the CVEs listed against this row are exploitable in the context of Oracle Database, thus the CVSS score is 0.0.

Additional CVEs addressed are below:

The patch for CVE-2018-18314 also addresses CVE-2015-8607, CVE-2015-8608, CVE-2016-2381, CVE-2017-12814, CVE-2017-12837, CVE-2017-12883, CVE-2018-12015, CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-6797, CVE-2018-6798 and CVE-2018-6913.

Oracle Commerce Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Commerce. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14536	Oracle Commerce Guided Search / Oracle Commerce Experience Manager	Workbench	HTTP	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	11.0, 11.1, 11.2, prior to 11.3.1
CVE-2020-14535	Oracle Commerce Service Center	Commerce Service Center	HTTP	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	11.1, 11.2, prior to 11.3.1
CVE-2020-14532	Oracle Commerce Platform	Dynamo Application Framework	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	11.1, 11.2, prior to 11.3.1
CVE-2020-14533	Oracle Commerce Platform	Dynamo Application Framework	HTTP	No	3.5	Network	Low	High	Required	Un- changed	Low	Low	None	11.1, 11.2, prior to 11.3.1

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 60 new security patches for Oracle Communications Applications. 46 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14701	Oracle SD-WAN Aware	User Interface	HTTP	Yes	10.0	Network	Low	None	None	Changed	High	High	High	8.0, 8.1, 8.2
CVE-2020-14606	Oracle SD-WAN Edge	User Interface	HTTP	Yes	10.0	Network	Low	None	None	Changed	High	High	High	8.0, 8.1, 8.2, 9.0
CVE-2018-11058	Oracle Communications Analytics	Platform (RSA BSAFE)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.1
CVE-2019-16943	Oracle Communications Billing and Revenue Management	Business Operation Center, Billing Care (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.5.0.23.0, 12.0.0.3.0
CVE-2016-1000031	Oracle Communications Contacts Server	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0.4.0
CVE-2020-9546	Oracle Communications Contacts Server	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0.4.0
CVE-2020-1938	Oracle Communications Element Manager	Core (Apache Tomcat)	Apache JServ Protocol (AJP)	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.1.1, 8.2.0, 8.2.1
CVE-2020-9546	Oracle Communications Evolved Communications Application Server	Session Design Center, Universal Data Recorder (jackson-databind)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.1
CVE-2020-1938	Oracle Communications Instant Messaging Server	Installation (Apache Tomcat)	Apache JServ Protocol (AJP)	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0.1.4.0
CVE-2020-9546	Oracle Communications Instant Messaging Server	Presence API (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0.1.4.0
CVE-2019-13990	Oracle Communications IP Service Activator	Netwok Processor Configuration Management (Terracotta Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.0, 7.4.0
CVE-2020-11656	Oracle Communications Network Charging and Control	Data Access Pack (SQLite)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0.1, 12.0.0-12.0.3
CVE-2019-2729	Oracle Communications Network Integrity	Integration (Oracle WebLogic Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.2-7.3.6
CVE-2019-2904	Oracle Communications Network Integrity	User Interface (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.2-7.3.6
CVE-2017-5645	Oracle Communications Network Integrity	Cartridge Management (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.2-7.3.6
CVE-2020-7060	Oracle Communications Diameter Signaling Router (DSR)	Platform (PHP)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	8.0-8.4
CVE-2020-1945	Oracle Communications MetaSolv Solution	Online Help (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	6.3.0
CVE-2018-1258	Oracle Communications Network Integrity	Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	7.3.2-7.3.6
CVE-2020-9546	Oracle Communications Network Charging and Control	Installer (jackson-databind)	None	No	8.4	Local	Low	None	None	Un- changed	High	High	High	6.0.1, 12.0.0-12.0.3
CVE-2020-14580	Oracle Communications Session Border Controller	System Admin	SSH	No	8.2	Network	Low	Low	Required	Changed	High	Low	Low	8.1.0, 8.2.0, 8.3.0
CVE-2016-1181	Oracle Communications Network Integrity	MSS Integration Cartridge (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	7.3.2-7.3.6
CVE-2017-0861	Oracle Communications LSMS	Kernel	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	13.0-13.3
CVE-2020-1945	Oracle Communications Order and Service Management	Installer (Apache Ant)	None	No	7.7	Local	Low	None	None	Un- changed	High	High	None	7.3, 7.4
CVE-2020-5398	Oracle Communications BRM – Elastic Charging Engine	Orchestration (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	11.3, 12.0
CVE-2019-17359	Oracle Communications Convergence	S/MIME Configuration (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.0.1.0-3.0.2.1
CVE-2020-5398	Oracle Communications Element Manager	Core (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	8.1.1, 8.2.0, 8.2.1
CVE-2019-0227	Oracle Communications Network Integrity	Adapters (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	7.3.5, 7.3.6
CVE-2019-16056	Oracle Communications Operations Monitor	VSP implementing webserver (Python)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	3.4, 4.1-4.3
CVE-2019-0227	Oracle Communications Order and Service Management	Installer, CMWS, CMT (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	7.3, 7.4
CVE-2020-5398	Oracle Communications Session Report Manager	Core (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	8.1.1, 8.2.0, 8.2.1
CVE-2020-5398	Oracle Communications Session Route Manager	Core (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	8.1.1, 8.2.0, 8.2.1
CVE-2020-14630	Oracle Enterprise Session Border Controller	File Upload	HTTP	No	7.5	Network	Low	High	Required	Changed	Low	Low	High	8.1.0, 8.2.0, 8.3.0
CVE-2019-10193	Oracle Communications Operations Monitor	FDP, VSP Login, Packet Inspector (Redis)	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	3.4, 4.1
CVE-2019-12423	Oracle Communications Element Manager	REST API (Apache CXF)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.1.1, 8.2.0, 8.2.1
CVE-2019-12423	Oracle Communications Session Report Manager	REST API (Apache CXF)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.1.1, 8.2.0, 8.2.1
CVE-2019-12423	Oracle Communications Session Route Manager	REST API (Apache CXF)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-14721	Oracle Enterprise Communications Broker	WebGUI	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	3.0.0-3.2.0
CVE-2020-11022	Oracle Communications Analytics	Platform (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.1
CVE-2020-11022	Oracle Communications Element Manager	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-1941	Oracle Communications Element Manager	Workorders (Apache ActiveMQ)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-11022	Oracle Communications Interactive Session Recorder	Dashboard (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.1-6.4
CVE-2019-17091	Oracle Communications Network Integrity	Core (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.3.5, 7.3.6
CVE-2020-11022	Oracle Communications Operations Monitor	Mediation Engine, Dashboard, Grapahs, Calls (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.4, 4.1-4.3
CVE-2020-11022	Oracle Communications Session Report Manager	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-1941	Oracle Communications Session Report Manager	Workorders (Apache ActiveMQ)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-11022	Oracle Communications Session Route Manager	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-1941	Oracle Communications Session Route Manager	Workorders (Apache ActiveMQ)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-14563	Oracle Enterprise Communications Broker	WebGUI	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.0.0-3.2.0
CVE-2020-14722	Oracle Enterprise Communications Broker	WebGUI	HTTP	Yes	5.8	Network	High	None	Required	Changed	Low	Low	Low	3.0.0-3.2.0
CVE-2018-3639	Oracle Communications LSMS	Kernel	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	13.0-13.3
CVE-2020-1951	Oracle Communications Messaging Server	Security (Apache Tika)	None	No	5.5	Local	Low	None	Required	Un- changed	None	None	High	8.0.2, 8.1.0
CVE-2019-10247	Oracle Communications Analytics	Platform (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1
CVE-2020-1934	Oracle Communications Element Manager	Core (Apache HTTP Server)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.1.1, 8.2.0, 8.2.1
CVE-2019-10247	Oracle Communications Services Gatekeeper	Platform Test Environment (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	6.0, 6.1, 7.0
CVE-2020-1934	Oracle Communications Session Report Manager	Core (Apache HTTP Server)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-1934	Oracle Communications Session Route Manager	Core (Apache HTTP Server)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-14574	Oracle Communications Interactive Session Recorder	FACE	None	No	4.7	Local	High	High	None	Un- changed	High	Low	None	6.1-6.4
CVE-2020-9488	Oracle Communications Instant Messaging Server	Installation (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	10.0.1.4.0
CVE-2020-9488	Oracle Communications Interactive Session Recorder	API, FACE, Archiver (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	6.1-6.4
CVE-2020-9488	Oracle Communications Network Charging and Control	Notification Gateway (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	6.0.1, 12.0.0-12.0.3

Additional CVEs addressed are below:

The patch for CVE-2016-1181 also addresses CVE-2016-1182.
The patch for CVE-2017-0861 also addresses CVE-2017-15265, CVE-2018-1000004, CVE-2018-10901, CVE-2018-3620, CVE-2018-3646, CVE-2018-3693, CVE-2018-5390 and CVE-2018-7566.
The patch for CVE-2017-5645 also addresses CVE-2020-9488.
The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
The patch for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The patch for CVE-2018-3639 also addresses CVE-2018-10675, CVE-2018-10872 and CVE-2018-3665.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10193 also addresses CVE-2019-10192.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.
The patch for CVE-2019-12423 also addresses CVE-2019-17573.
The patch for CVE-2019-13990 also addresses CVE-2019-5427.
The patch for CVE-2019-16056 also addresses CVE-2019-16935.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
The patch for CVE-2019-2729 also addresses CVE-2019-2725.
The patch for CVE-2019-2904 also addresses CVE-2019-2094.
The patch for CVE-2020-11022 also addresses CVE-2019-11358 and CVE-2020-11023.
The patch for CVE-2020-11656 also addresses CVE-2020-11655, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632 and CVE-2020-9327.
The patch for CVE-2020-1934 also addresses CVE-2020-1927.
The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
The patch for CVE-2020-1951 also addresses CVE-2020-1950.
The patch for CVE-2020-5398 also addresses CVE-2020-5397.
The patch for CVE-2020-7060 also addresses CVE-2020-7059.
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 20 new security patches for Oracle Construction and Engineering. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Primavera Gateway	Admin (Apache Ant)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.2.0-16.2.11, 17.12.0-17.12.7
CVE-2020-10683	Primavera P6 Enterprise Project Portfolio Management	Web Access (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.6
CVE-2020-9546	Primavera Unifier	Platform (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2020-1945	Primavera Unifier	Core (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2018-17196	Primavera P6 Enterprise Project Portfolio Management	Web Access (kafka client)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	19.12.0-19.12.6
CVE-2020-9484	Instantis EnterpriseTrack	Core (Apache Tomcat)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	17.1-17.3
CVE-2020-11022	Primavera Gateway	Admin (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4
CVE-2020-2562	Primavera Portfolio Management	Investor Module	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-14528	Primavera Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-14706	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	5.9	Network	High	None	Required	Un- changed	High	Low	None	17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.5
CVE-2020-14527	Primavera Portfolio Management	Web Access	HTTP	Yes	5.9	Network	High	None	Required	Un- changed	High	Low	None	16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-14549	Primavera Portfolio Management	Web Server	HTTPS	Yes	5.9	Network	High	None	Required	Un- changed	High	Low	None	16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-14618	Primavera Unifier	Mobile App	HTTPS	Yes	5.9	Network	High	None	Required	Un- changed	High	Low	None	Prior to 20.6
CVE-2020-14617	Primavera Unifier	Platform, Mobile App	HTTPS	No	5.7	Network	Low	Low	Required	Un- changed	High	None	None	16.1, 16.2, 17.7-17.12, 18.8, 19.12; Mobile App: Prior to 20.6
CVE-2020-14653	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.18.2
CVE-2020-14529	Primavera Portfolio Management	Investor Module	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-1934	Instantis EnterpriseTrack	Core (Apache HTTP Server)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	17.1-17.3
CVE-2020-14566	Primavera Portfolio Management	Web Access	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-9488	Instantis EnterpriseTrack	Logging (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	17.1-17.3
CVE-2020-9488	Primavera Gateway	Admin (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4

Additional CVEs addressed are below:

The patch for CVE-2017-5645 also addresses CVE-2020-1945.
The patch for CVE-2018-17196 also addresses CVE-2017-12610 and CVE-2018-1288.
The patch for CVE-2020-10683 also addresses CVE-2018-1000632.
The patch for CVE-2020-11022 also addresses CVE-2020-11023.
The patch for CVE-2020-1934 also addresses CVE-2020-1927.
The patch for CVE-2020-9484 also addresses CVE-2019-17569, CVE-2020-1935 and CVE-2020-1938.
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 30 new security patches for the Oracle E-Business Suite. 24 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2020), My Oracle Support Note 2679563.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14598	Oracle CRM Gateway for Mobile Devices	Setup of Mobile Applications	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1-12.1.3
CVE-2020-14599	Oracle CRM Gateway for Mobile Devices	Setup of Mobile Applications	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1-12.1.3
CVE-2020-14658	Oracle Marketing	Marketing Administration	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14665	Oracle Trade Management	Invoice	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14670	Oracle Advanced Outbound Telephony	Settings	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14671	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-14534	Oracle Applications Framework	Popups	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.2.9
CVE-2020-14688	Oracle Common Applications	CRM User Management Framework	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14660	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14682	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-14668	Oracle E-Business Intelligence	DBI Setups	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-14681	Oracle E-Business Intelligence	DBI Setups	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-14666	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14596	Oracle iStore	Address Book	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-14582	Oracle iStore	User Registration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14686	Oracle iSupport	Others	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14719	Oracle Internet Expenses	Mobile Expenses Admin Utilities	HTTP	No	7.7	Network	Low	Low	None	Changed	None	High	None	12.2.4-12.2.9
CVE-2020-14720	Oracle Internet Expenses	Mobile Expenses Admin Utilities	HTTP	No	7.7	Network	Low	Low	None	Changed	High	None	None	12.2.4-12.2.9
CVE-2020-14610	Oracle Applications Framework	Attachments / File Upload	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	12.2.9
CVE-2020-14657	Oracle CRM Technical Foundation	Preferences	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14667	Oracle CRM Technical Foundation	Preferences	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14679	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.3, 12.2.3-12.2.9
CVE-2020-14635	Oracle Application Object Library	Logging	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.2.5-12.2.9
CVE-2020-14554	Oracle Application Object Library	Diagnostics	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.8
CVE-2020-14716	Oracle Common Applications	CRM User Management Framework	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14717	Oracle Common Applications	CRM User Management Framework	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14659	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14661	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14555	Oracle Marketing	Marketing Administration	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14590	Oracle Applications Framework	Page Request	HTTP	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	12.1.3, 12.2.3-12.2.9

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 14 new security patches for Oracle Enterprise Manager. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2664876.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-9546	Enterprise Manager Base Platform	Enterprise Manager Install (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.3.0.0, 13.4.0.0
CVE-2017-5645	Oracle Application Testing Suite	Load Testing for Web Apps (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.3.0.1
CVE-2020-1945	Enterprise Manager Ops Center	Networking (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.4.0.0
CVE-2019-0227	Enterprise Manager for Fusion Middleware	Coherence Management (Apache Axis)	HTTP	Yes	8.8	Adjacent Network	Low	None	None	Un- changed	High	High	High	12.1.0.5
CVE-2018-11776	Enterprise Manager Base Platform	Reporting Framework (Apache Struts 2)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	13.3.0.0, 13.4.0.0
CVE-2019-0227	Enterprise Manager Base Platform	Application Service Level Mgmt (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	12.1.0.5, 13.3.0.0
CVE-2020-7595	Oracle Real User Experience Insight	APM Mesh (libxml2)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	13.3.1.0
CVE-2020-2982	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	13.3.0.0, 13.4.0.0
CVE-2020-2984	Oracle Configuration Manager	Discovery and collection script	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	12.1.2.0.6
CVE-2020-2983	Oracle Data Masking and Subsetting	Data Masking	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	13.3.0.0, 13.4.0.0
CVE-2019-17091	Oracle Application Testing Suite	Load Testing for Web Apps (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.2.0.1, 13.3.0.1
CVE-2019-12415	Enterprise Manager Base Platform	Application Service Level Mgmt (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	12.1.0.5, 13.3.0.0, 13.4.0.0
CVE-2020-1934	Enterprise Manager Ops Center	Networking (Apache HTTP Server)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.4.0.0
CVE-2019-1551	Enterprise Manager Ops Center	Networking (OpenSSL)	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.4.0.0

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-12415 also addresses CVE-2017-12626.
The patch for CVE-2019-1551 also addresses CVE-2020-1967.
The patch for CVE-2020-1934 also addresses CVE-2019-0220, CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 and CVE-2020-1927.
The patch for CVE-2020-1945 also addresses CVE-2017-5645.
The patch for CVE-2020-7595 also addresses CVE-2019-19956 and CVE-2019-20388.
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 38 new security patches for Oracle Financial Services Applications. 26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-13990	Oracle Banking Payments	Core (Terracotta Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1.0-14.4.0
CVE-2020-9546	Oracle Banking Platform	Framework (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0-2.9.0
CVE-2019-2904	Oracle Financial Services Lending and Leasing	Core (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.5.0, 14.1.0-14.2.0
CVE-2017-5645	Oracle Financial Services Lending and Leasing	Core (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.5.0, 14.1.0-14.8.0
CVE-2017-15708	Oracle Financial Services Market Risk Measurement and Management	User Interface (Apache Synapse)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.6, 8.0.8
CVE-2019-13990	Oracle FLEXCUBE Investor Servicing	Infrastructure (Terracotta Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2019-13990	Oracle FLEXCUBE Private Banking	Core (Terracotta Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.0, 12.1.0
CVE-2019-11358	Oracle Insurance Accounting Analyzer	User Interface (jQuery)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.6-8.0.8
CVE-2020-1945	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	8.0.6-8.1.0
CVE-2020-1945	Oracle FLEXCUBE Investor Servicing	Infrastructure (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2020-1945	Oracle FLEXCUBE Private Banking	Utilities (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.0.0, 12.1.0
CVE-2020-14569	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2020-1945	Oracle Banking Enterprise Collections	Installer (Apache Ant)	None	No	7.7	Local	Low	None	None	Un- changed	High	High	None	2.7.0-2.9.0
CVE-2020-1945	Oracle Banking Platform	Installer (Apache Ant)	None	No	7.7	Local	Low	None	None	Un- changed	High	High	None	2.4.0-2.9.0
CVE-2019-0227	Oracle Financial Services Compliance Regulatory Reporting	Web Service to Regulatory Report (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.0.6-8.0.8
CVE-2019-12402	Oracle FLEXCUBE Investor Servicing	Infrastructure (Apache Commons Compress)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2019-12423	Oracle FLEXCUBE Private Banking	Core (Apache CXF)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.0.0, 12.1.0
CVE-2019-0188	Oracle FLEXCUBE Private Banking	Core (Apache Camel)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.0.0, 12.1.0
CVE-2019-17359	Oracle FLEXCUBE Private Banking	Core (Bouncy Castle Java Library)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.0.0, 12.1.0
CVE-2020-14602	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6-8.1.0
CVE-2020-14691	Oracle Financial Services Liquidity Risk Management	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6
CVE-2020-14605	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	8.0.6-8.1.0
CVE-2020-14685	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	8.0.6-8.1.0
CVE-2020-14692	Oracle Financial Services Loan Loss Forecasting and Provisioning	User Interface	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	8.0.6-8.0.8
CVE-2020-14693	Oracle Insurance Accounting Analyzer	User Interface	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	8.0.6-8.0.9
CVE-2020-14662	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	8.0.6-8.1.0
CVE-2020-11022	Oracle Banking Enterprise Collections	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.7.0-2.8.0
CVE-2020-11022	Oracle Banking Platform	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.4.0-2.10.0
CVE-2020-14601	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.1.0
CVE-2020-14615	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.1.0
CVE-2020-11022	Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4
CVE-2019-12415	Oracle Banking Payments	Core (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	14.1.0-14.4.0
CVE-2019-12415	Oracle FLEXCUBE Private Banking	Core (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	12.0.0, 12.1.0
CVE-2020-14603	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.0.6-8.1.0
CVE-2020-14604	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.0.6-8.1.0
CVE-2020-14684	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	8.0.6-8.1.0
CVE-2020-9488	Oracle Banking Platform	Collections (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	2.4.0-2.10.0
CVE-2020-9488	Oracle FLEXCUBE Investor Servicing	Infrastructure (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0

Additional CVEs addressed are below:

The patch for CVE-2017-5645 also addresses CVE-2020-9488.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-12423 also addresses CVE-2019-17573.
The patch for CVE-2019-13990 also addresses CVE-2019-12402 and CVE-2019-5427.
The patch for CVE-2020-11022 also addresses CVE-2020-11023.
The patch for CVE-2020-1945 also addresses CVE-2017-5645.
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Food and Beverage Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14543	Oracle Hospitality Reporting and Analytics	Installation	None	No	7.3	Local	Low	Low	Required	Un- changed	High	High	High	9.1.0
CVE-2020-14561	Oracle Hospitality Reporting and Analytics	Installation	None	No	7.3	Local	Low	Low	Required	Un- changed	High	High	High	9.1.0
CVE-2020-14594	Oracle Hospitality Reporting and Analytics	Inventory Integration	None	No	6.5	Local	Low	High	Required	Un- changed	High	High	High	9.1.0
CVE-2020-14616	Oracle Hospitality Reporting and Analytics	Reporting	HTTP	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 52 new security patches for Oracle Fusion Middleware. 48 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update July 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2664876.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Endeca Information Discovery Studio	Studio (Apache Ant)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.2.0
CVE-2019-17531	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-9546	Oracle WebLogic Server	Centralized Thirdparty Jars (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2018-11058	Oracle WebLogic Server	Security Service (RSA BSAFE)	HTTPS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14625	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14644	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14645	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14687	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2017-5645	Oracle WebLogic Server	Centralized Thirdparty Jars (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2017-5645	Oracle WebLogic Server	Console (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-1945	Oracle Endeca Information Discovery Studio	Studio (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	3.2.0
CVE-2020-1945	Oracle Enterprise Repository	Security Subsystem (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	11.1.1.7.0
CVE-2020-8112	Oracle Outside In Technology	Installation (OpenJPEG)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	8.5.5, 8.5.4	See Note 1
CVE-2020-14609	Oracle Business Intelligence Enterprise Edition	Analytics Web Answers	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14611	Oracle WebCenter Portal	Composer	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	Low	High	Low	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14584	Oracle BI Publisher	BI Publisher Security	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14585	Oracle BI Publisher	Mobile Service	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14690	Oracle Business Intelligence Enterprise Edition	Analytics Actions	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14608	Oracle Fusion Middleware MapViewer	Tile Server	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	Low	High	None	12.2.1.3.0
CVE-2020-14723	Oracle Help Technologies	Web UIX	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0
CVE-2020-14588	Oracle WebLogic Server	Web Container	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	Low	High	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14626	Oracle Business Intelligence Enterprise Edition	Analytics Web General	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14565	Oracle Unified Directory	Security	HTTP	No	8.1	Network	Low	High	Required	Changed	None	High	High	11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-17359	Oracle Business Process Management Suite	Runtime Engine (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14642	Oracle Coherence	CacheStore	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2019-0227	Oracle WebCenter Portal	WebCenter Spaces Application (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2020-14639	Oracle WebLogic Server	Sample apps	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-5398	Oracle WebLogic Server	Sample apps (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14589	Oracle WebLogic Server	Web Container	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-2967	Oracle WebLogic Server	Web Services	IIOP, T3	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14696	Oracle BI Publisher	Layout Templates	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14571	Oracle BI Publisher	Mobile Service	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14570	Oracle BI Publisher	Mobile Service	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14552	Oracle WebCenter Portal	Security Framework	HTTP	No	6.8	Network	Low	Low	Required	Changed	High	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14557	Oracle WebLogic Server	Web Container	HTTP	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14655	Oracle Security Service	SSL API	HTTPS	Yes	6.5	Network	High	None	None	Un- changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14652	Oracle WebLogic Server	Core	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2019-14862	Oracle Business Intelligence Enterprise Edition	BI Platform Security (Knockout)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-1941	Oracle Enterprise Repository	Security Subsystem (Apache ActiveMQ)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.7.0
CVE-2020-14607	Oracle Fusion Middleware MapViewer	Tile Server	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14613	Oracle WebCenter Sites	Advanced User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14572	Oracle WebLogic Server	Console	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14636	Oracle WebLogic Server	Sample apps	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14637	Oracle WebLogic Server	Sample apps	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14638	Oracle WebLogic Server	Sample apps	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14640	Oracle WebLogic Server	Sample apps	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14530	Oracle Security Service	None	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	11.1.1.9.0
CVE-2019-12415	Oracle WebCenter Portal	Security Framework (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2966	Oracle WebLogic Server	Console	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14622	Oracle WebLogic Server	Core	HTTP	No	4.9	Network	Low	High	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-9488	Oracle Fusion Middleware MapViewer	Install (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14548	Oracle Business Intelligence Enterprise Edition	Analytics Web General	HTTP	Yes	3.4	Network	High	None	Required	Changed	Low	None	None	12.2.1.3.0, 12.2.1.4.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The patch for CVE-2017-5645 also addresses CVE-2019-17571.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-17531 also addresses CVE-2019-16943, CVE-2019-17267, CVE-2019-20330 and CVE-2020-9546.
The patch for CVE-2020-1945 also addresses CVE-2017-5645.
The patch for CVE-2020-5398 also addresses CVE-2020-5397.
The patch for CVE-2020-8112 also addresses CVE-2018-6616, CVE-2019-12973 and CVE-2020-6851.
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle GraalVM. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-17560	Oracle GraalVM Enterprise Edition	GraalVM Compiler (Apache NetBeans)	HTTPS	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	19.3.2, 20.1.0
CVE-2020-14583	Oracle GraalVM Enterprise Edition	Java	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	19.3.2, 20.1.0
CVE-2020-11080	Oracle GraalVM Enterprise Edition	JavaScript (Node.js)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	19.3.2, 20.1.0
CVE-2020-14718	Oracle GraalVM Enterprise Edition	JVMCI	Multiple	No	7.2	Network	Low	High	None	Un- changed	High	High	High	19.3.2, 20.1.0

Additional CVEs addressed are below:

The patch for CVE-2019-17560 also addresses CVE-2019-17561.
The patch for CVE-2020-11080 also addresses CVE-2020-8172.

Oracle Health Sciences Applications Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-1938	Oracle Health Sciences Empirica Inspections	Web server (Apache Tomcat)	Apache JServ Protocol (AJP)	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.0.1.2
CVE-2020-1938	Oracle Health Sciences Empirica Signal	Web server (Apache Tomcat)	Apache JServ Protocol (AJP)	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.3
CVE-2020-5398	Oracle Healthcare Master Person Index	Master Data Management (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	4.0.2
CVE-2020-11022	Oracle Healthcare Translational Research	Cohort Explorer (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.2.1, 3.3.1, 3.3.2, 3.4.0

Additional CVEs addressed are below:

The patch for CVE-2020-11022 also addresses CVE-2020-11023.
The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
The patch for CVE-2020-5398 also addresses CVE-2020-5397.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Hospitality Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-1938	Oracle Hospitality Guest Access	Base (Apache Tomcat)	Apache JServ Protocol (AJP)	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.2.0, 4.2.1

Additional CVEs addressed are below:

The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Hyperion. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14546	Hyperion Financial Close Management	Close Manager	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4
CVE-2020-14560	Oracle Hyperion BI+	UI and Visualization	HTTP	No	4.2	Network	High	High	Required	Un- changed	High	None	None	11.1.2.4
CVE-2020-14541	Hyperion Financial Close Management	Close Manager	HTTP	No	2.0	Network	High	High	Required	Un- changed	None	Low	None	11.1.2.4

Oracle iLearning Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14595	Oracle iLearning	Assessment Manager	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	High	None	Low	6.1, 6.1.1

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Insurance Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-12626	Oracle Insurance Policy Administration J2EE	Architecture (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10.2.0, 10.2.4
CVE-2020-5398	Oracle Insurance Policy Administration J2EE	Architecture (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
CVE-2020-5398	Oracle Insurance Rules Palette	Architecture (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
CVE-2019-12415	Oracle Insurance Policy Administration J2EE	Architecture (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	11.0.2, 11.1.0, 11.2.0
CVE-2019-12415	Oracle Insurance Rules Palette	Architecture (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
CVE-2020-9488	Oracle Insurance Data Gateway	Security (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	1.0

Additional CVEs addressed are below:

The patch for CVE-2019-12415 also addresses CVE-2017-12626.
The patch for CVE-2020-5398 also addresses CVE-2018-15756 and CVE-2020-5397.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14664	Java SE	JavaFX	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 8u251	See Note 1
CVE-2020-14583	Java SE, Java SE Embedded	Libraries	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251	See Note 1
CVE-2020-14593	Java SE, Java SE Embedded	2D	Multiple	Yes	7.4	Network	Low	None	Required	Changed	None	High	None	Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251	See Note 1
CVE-2020-14562	Java SE	ImageIO	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 11.0.7, 14.0.1	See Note 1
CVE-2020-14621	Java SE, Java SE Embedded	JAXP	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251	See Note 2
CVE-2020-14556	Java SE, Java SE Embedded	Libraries	Multiple	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	Java SE: 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251	See Note 3
CVE-2020-14573	Java SE	Hotspot	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	Low	None	Java SE: 11.0.7, 14.0.1	See Note 3
CVE-2020-14581	Java SE, Java SE Embedded	2D	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251	See Note 3
CVE-2020-14578	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u261, 8u251; Java SE Embedded: 8u251	See Note 3
CVE-2020-14579	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u261, 8u251; Java SE Embedded: 8u251	See Note 3
CVE-2020-14577	Java SE, Java SE Embedded	JSSE	TLS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251	See Note 3

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle JD Edwards. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-9546	JD Edwards EnterpriseOne Orchestrator	E1 IOT Orchestrator Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 9.2.4.2
CVE-2020-9546	JD Edwards EnterpriseOne Tools	EnterpriseOne Mobility Sec (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 9.2.4.2
CVE-2020-9546	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 9.2.4.2
CVE-2020-9546	JD Edwards EnterpriseOne Tools	Web Runtime (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 9.2.4.2
CVE-2020-9488	JD Edwards EnterpriseOne Tools	Installation SEC (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Prior to 9.2.3.3
CVE-2020-9488	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Prior to 9.2.3.3

Additional CVEs addressed are below:

The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 41 new security patches for Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-1938	MySQL Enterprise Monitor	Monitoring: General (Apache Tomcat)	Apache JServ Protocol (AJP)	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.0.12 and prior, 8.0.20 and prior
CVE-2020-1967	MySQL Connectors	Connector/C++ (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-1967	MySQL Connectors	Connector/ODBC (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-5398	MySQL Enterprise Monitor	Monitoring: General (Spring Framework)	HTTPS	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	4.0.12 and prior, 8.0.20 and prior
CVE-2020-1967	MySQL Server	Server: Security: Encryption (OpenSSL)	MySQL Protocol	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
CVE-2020-14663	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.0.20 and prior
CVE-2020-14678	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.0.20 and prior
CVE-2020-14697	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.0.20 and prior
CVE-2020-14591	MySQL Server	Server: Audit Plug-in	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14539	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
CVE-2020-14680	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14619	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14576	MySQL Server	Server: UDF	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.30 and prior, 8.0.20 and prior
CVE-2020-14643	MySQL Server	Server: Security: Roles	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	8.0.20 and prior
CVE-2020-14651	MySQL Server	Server: Security: Roles	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	8.0.20 and prior
CVE-2020-14550	MySQL Client	C API	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
CVE-2019-1551	MySQL Enterprise Monitor	Monitoring: General (OpenSSL)	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	4.0.12 and prior, 8.0.20 and prior
CVE-2020-14568	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14623	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14540	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.30 and prior, 8.0.20 and prior
CVE-2020-14575	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14620	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14624	MySQL Server	Server: JSON	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14656	MySQL Server	Server: Locking	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14547	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.30 and prior, 8.0.20 and prior
CVE-2020-14597	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14614	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14654	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14725	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14632	MySQL Server	Server: Options	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14567	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.29 and prior, 8.0.19 and prior
CVE-2020-14631	MySQL Server	Server: Security: Audit	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14586	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14702	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14641	MySQL Server	Server: Security: Roles	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	High	None	None	8.0.20 and prior
CVE-2020-14559	MySQL Server	Server: Information Schema	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
CVE-2020-14553	MySQL Server	Server: Pluggable Auth	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	5.7.30 and prior, 8.0.20 and prior
CVE-2020-14633	MySQL Server	InnoDB	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	None	Low	None	8.0.20 and prior
CVE-2020-14634	MySQL Server	InnoDB	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	8.0.20 and prior
CVE-2020-5258	MySQL Cluster	Cluster: Packaging (dojo)	Multiple	No	0.0	Network	Low	Low	Required	Un- changed	None	None	None	7.3.29 and prior, 7.4.28 and prior, 7.5.18 and prior, 7.6.14 and prior, 8.0.20 and prior	See Note 1
CVE-2020-1967	MySQL Enterprise Monitor	Monitoring: General (OpenSSL)	HTTPS	No	0.0	Network	Low	None	None	Un- changed	None	None	None	4.0.12 and prior, 8.0.20 and prior	See Note 2

Notes:

This CVE is not exploitable in MySQL Cluster. The CVSS v3.1 Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.
This CVE is not exploitable in MySQL Enterprise Monitor. The CVSS v3.1 Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.

Additional CVEs addressed are below:

The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
The patch for CVE-2020-5398 also addresses CVE-2020-5397.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle PeopleSoft. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-17359	PeopleSoft Enterprise HCM Global Payroll Switzerland	Global Payroll for Switzerland (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.2
CVE-2019-16056	PeopleSoft Enterprise PeopleTools	Porting (Python)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.57, 8.58
CVE-2019-11358	PeopleSoft Enterprise FIN Expenses	Expenses (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2020-14627	PeopleSoft Enterprise PeopleTools	Query	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-14592	PeopleSoft Enterprise PeopleTools	Rich Text Editor	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-14587	PeopleSoft Enterprise FIN Expenses	Expenses	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	9.2
CVE-2020-14612	PeopleSoft Enterprise HRMS	Time and Labor	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	9.2
CVE-2020-14558	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.56, 8.57, 8.58
CVE-2019-1551	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.56, 8.57, 8.58
CVE-2020-14600	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	8.56, 8.57, 8.58
CVE-2020-14564	PeopleSoft Enterprise PeopleTools	Environment Mgmt Console	HTTP	No	3.4	Network	Low	High	Required	Changed	None	Low	None	8.56, 8.57, 8.58

Additional CVEs addressed are below:

The patch for CVE-2019-16056 also addresses CVE-2019-16935.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 47 new security patches for Oracle Retail Applications. 42 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-13990	Customer Management and Segmentation Foundation	Segment (Terracotta Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	18.0
CVE-2019-12086	Customer Management and Segmentation Foundation	Segment (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	18.0
CVE-2020-2555	Oracle Retail Assortment Planning	Application Core (Coherence)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2017-5645	Oracle Retail Extract Transform and Load	Mathematical Operators (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.0
CVE-2020-1945	Oracle Retail Financial Integration	PeopleSoft Integration (Apache Ant)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2020-10683	Oracle Retail Integration Bus	RIB Kernal (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2019-13990	Oracle Retail Integration Bus	RIB Kernal (Terracotta Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2019-16943	Oracle Retail Merchandising System	Inventory Movement (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0.3, 16.0.2, 16.0.3
CVE-2019-16943	Oracle Retail Sales Audit	Transaction Maintenance (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1
CVE-2017-5645	Oracle Retail Service Backbone	Installer (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1, 15.0, 16.0
CVE-2019-13990	Oracle Retail Xstore Point of Service	Xenvironment (Terracotta Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0, 17.0, 18.0, 19.0
CVE-2020-9546	Oracle Retail Xstore Point of Service	Xenvironment (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0, 17.0, 18.0, 19.0
CVE-2020-1945	Category Management Planning & Optimization	ODI Integration (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3
CVE-2020-1945	Oracle Retail Assortment Planning	Application Core (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3, 16.0.3
CVE-2020-1945	Oracle Retail Bulk Data Integration	BDI Job Scheduler (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0, 16.0
CVE-2020-1945	Oracle Retail Data Extractor for Merchandising	ODI Knowledge Module (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	1.9, 1.10
CVE-2020-1945	Oracle Retail Item Planning	Application Core (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3
CVE-2020-1945	Oracle Retail Macro Space Optimization	ODI Integration (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3
CVE-2020-1945	Oracle Retail Merchandise Financial Planning	Application Core (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3
CVE-2020-1945	Oracle Retail Predictive Application Server	RPAS Server (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	14.0.3, 14.1.3, 15.0.3, 16.0.3
CVE-2020-1945	Oracle Retail Regular Price Optimization	Operations & Maintenance (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3, 16.0.3
CVE-2020-1945	Oracle Retail Replenishment Optimization	Application Core (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3
CVE-2020-1945	Oracle Retail Service Backbone	Install (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0, 16.0
CVE-2020-1945	Oracle Retail Size Profile Optimization	Application Core (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3
CVE-2020-1945	Oracle Retail Store Inventory Management	SIM Integration (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	14.0.4, 14.1.3, 15.0.3, 16.0.3
CVE-2015-9251	Oracle Retail Customer Management and Segmentation Foundation	Promotions (jQuery)	HTTP	No	8.0	Network	Low	Low	Required	Un- changed	High	High	High	18.0
CVE-2020-5398	Oracle Retail Assortment Planning	Application Core (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	15.0, 16.0
CVE-2020-5398	Oracle Retail Financial Integration	PeopleSoft Integration (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	15.0, 16.0
CVE-2017-12626	Oracle Retail Fusion Platform	Retail Portal Framework (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	5.5
CVE-2020-5398	Oracle Retail Integration Bus	RIB Kernal (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	15.0.3, 16.0.3
CVE-2019-12423	Oracle Retail Order Broker	System Administration (Apache CXF)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	15.0
CVE-2020-5398	Oracle Retail Predictive Application Server	RPAS Server (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	14.0.3, 14.1.3, 15.0.3, 16.0.3
CVE-2020-5398	Oracle Retail Service Backbone	RSB Installation (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	15.0, 16.0
CVE-2019-10086	Customer Management and Segmentation Foundation	Promotions (Apache Commons-Beanutils)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	18.0
CVE-2020-14709	Customer Management and Segmentation Foundation	Card	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	16.0, 17.0, 18.0
CVE-2019-3740	Oracle Retail Store Inventory Management	SIM Integration (BSAFE Crypto-J)	TLS	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	14.0.4, 14.1.3, 15.0.3, 16.0.3
CVE-2019-17091	Oracle Retail Financial Integration	PeopleSoft Integration (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0, 16.0
CVE-2019-17091	Oracle Retail Integration Bus	RIB Kernal (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0, 16.0
CVE-2019-17091	Oracle Retail Invoice Matching	Pricing (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.0
CVE-2019-17091	Oracle Retail Service Backbone	RSB kernel (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0, 16.0
CVE-2018-10237	Oracle Retail Integration Bus	Packaging (Google Guava)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	15.0, 16.0
CVE-2020-14710	Customer Management and Segmentation Foundation	Security	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	16.0, 17.0, 18.0
CVE-2020-14708	Customer Management and Segmentation Foundation	Segment	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	16.0, 17.0, 18.0
CVE-2018-15756	Oracle Retail Xstore Point of Service	Point of Sale (Spring Framework)	HTTP	No	4.3	Network	Low	High	Required	Un- changed	Low	Low	Low	7.1
CVE-2020-9488	Oracle Retail Data Extractor for Merchandising	Knowledge Module (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	18.0
CVE-2020-9488	Oracle Retail Financial Integration	PeopleSoft Integration (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	15.0, 16.0
CVE-2020-9488	Oracle Retail Store Inventory Management	SIM Integration (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	14.0.4, 14.1.3, 15.0.3, 16.0.3

Additional CVEs addressed are below:

The patch for CVE-2015-9251 also addresses CVE-2020-11022.
The patch for CVE-2017-12626 also addresses CVE-2019-12415.
The patch for CVE-2018-15756 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1199, CVE-2018-1257, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.
The patch for CVE-2019-12086 also addresses CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531 and CVE-2019-20330.
The patch for CVE-2019-12423 also addresses CVE-2019-17573.
The patch for CVE-2019-13990 also addresses CVE-2019-5427.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739.
The patch for CVE-2020-1945 also addresses CVE-2017-5645.
The patch for CVE-2020-5398 also addresses CVE-2020-5397.
The patch for CVE-2020-9546 also addresses CVE-2019-16942, CVE-2019-16943, CVE-2019-17531, CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Siebel CRM. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-16943	Siebel Engineering – Installer & Deployment	Siebel Approval Manager (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.20.5 and prior
CVE-2020-1938	Siebel UI Framework	EAI, SWSE (Apache Tomcat)	Apache JServ Protocol (AJP)	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	20.5 and prior
CVE-2019-16943	Siebel UI Framework	EAI (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	20.5 and prior
CVE-2020-14531	Siebel UI Framework	SWSE Server	HTTP	Yes	5.9	Network	High	None	Required	Un- changed	High	Low	None	20.6 and prior
CVE-2020-9488	Siebel Engineering – Installer & Deployment	Siebel Approval Manager (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	2.20.5 and prior

Additional CVEs addressed are below:

The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 22 new security patches for Oracle Supply Chain. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2729	Oracle Rapid Planning	Middle Tier	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2020-2555	Oracle Rapid Planning	Middle Tier	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2016-1000031	Oracle Rapid Planning	Middle Tier (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2016-5019	Oracle Rapid Planning	Middle Tier (Apache Trinidad)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2020-10683	Oracle Rapid Planning	Middle Tier (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2016-4000	Oracle Rapid Planning	Middle Tier (jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2017-5645	Oracle Rapid Planning	Middle Tier (Apache Ant)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2017-5645	Oracle Rapid Planning	Middle Tier (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2019-17563	Oracle Transportation Management	Install (Apache Tomcat)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.3.7
CVE-2016-6814	Oracle Agile Engineering Data Management	Install (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	6.2.1.0
CVE-2020-1945	Oracle Rapid Planning	Middle Tier (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1, 12.2
CVE-2015-7501	Oracle Rapid Planning	Middle Tier (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.1, 12.2
CVE-2020-14669	Oracle Configurator	UI Servlet	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1, 12.2
CVE-2019-0227	Oracle Agile Engineering Data Management	Install (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	6.2.1.0
CVE-2019-0227	Oracle Rapid Planning	Installation (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2020-5398	Oracle Rapid Planning	Installation (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.1, 12.2
CVE-2018-15756	Oracle Rapid Planning	Middle Tier (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1, 12.2
CVE-2018-8013	Oracle Rapid Planning	Middle Tier (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	12.1, 12.2
CVE-2019-17091	Oracle Rapid Planning	Installation (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1, 12.2
CVE-2019-1547	Oracle Agile Engineering Data Management	Install (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	6.2.1.0
CVE-2020-14551	Oracle AutoVue	Security	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	21.0
CVE-2020-14544	Oracle Transportation Management	Data, Domain & Function Security	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	6.4.3

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-17563 also addresses CVE-2019-17569, CVE-2020-1935 and CVE-2020-1938.
The patch for CVE-2019-2729 also addresses CVE-2019-2725.
The patch for CVE-2020-5398 also addresses CVE-2020-5397.

Oracle Systems Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Systems. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-11656	Oracle ZFS Storage Appliance Kit	Operating System Image	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.8
CVE-2020-14724	Oracle Solaris	Device Driver Utility	None	No	7.3	Local	Low	Low	Required	Un- changed	High	High	High	11
CVE-2018-12207	Oracle Solaris	Kernel	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	11	See Note 1
CVE-2020-14537	Oracle Solaris	Packaging Scripts	None	No	5.5	Local	Low	High	Required	Changed	None	None	High	11
CVE-2020-14545	Oracle Solaris	Device Driver Utility	None	No	5.0	Local	High	Low	Required	Un- changed	None	High	Low	11
CVE-2019-5489	Oracle Solaris	Kernel	Multiple	No	3.5	Network	High	Low	None	Changed	Low	None	None	11
CVE-2020-14542	Oracle Solaris	libsuri	None	No	3.3	Local	Low	Low	None	Un- changed	Low	None	None	11

Notes:

Please refer to My Oracle Support Note 2609642.1 for further information on how CVE-2018-12207 impacts Oracle Solaris.

Additional CVEs addressed are below:

The patch for CVE-2020-11656 also addresses CVE-2020-1927 and CVE-2020-1934.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Utilities Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-12023	Oracle Utilities Framework	Common (jackson-databind)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 25 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14628	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12	See Note 1
CVE-2020-14646	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14647	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14649	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14713	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14674	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14675	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14676	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14677	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14699	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14711	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	High	Required	Un- changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12	See Note 2
CVE-2020-14629	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14703	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14704	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14648	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14650	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14673	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14694	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14695	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14698	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14700	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14712	Oracle VM VirtualBox	Core	None	No	5.0	Local	Low	Low	Required	Un- changed	None	High	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14707	Oracle VM VirtualBox	Core	None	No	5.0	Local	Low	Low	Required	Un- changed	None	None	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14714	Oracle VM VirtualBox	Core	None	No	4.4	Local	Low	High	None	Un- changed	None	None	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14715	Oracle VM VirtualBox	Core	None	No	4.4	Local	Low	High	None	Un- changed	None	None	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12

Notes:

The CVE-2020-14628 is applicable to Windows VM only.
The CVE-2020-14711 is applicable to macOS host only.

No Related Posts

Oracle Critical Patch Update Advisory – April 2020

April 13, 2020November 24, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – April 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

This Critical Patch Update contains 399 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2020 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Application Performance Management, versions 12.1.0.5, 13.2.0.0, 13.3.0.0	Enterprise Manager
Application Service Level Management, versions 13.2.0.0, 13.3.0.0	Enterprise Manager
Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.0.0, 13.3.0.0	Enterprise Manager
Hyperion Financial Management, version 11.1.2.4	Fusion Middleware
Hyperion Financial Reporting, version 11.1.2.4	Fusion Middleware
Identity Manager Connector, version 9.0	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1-17.3	Oracle Construction and Engineering Suite
Java Advanced Management Console, version 2.16	Java SE
JD Edwards EnterpriseOne Tools, version 9.2	JD Edwards
JD Edwards World Security, versions A9.3, A9.3.1, A9.4	JD Edwards
MICROS Relate CRM Software, version 11.4	Retail Applications
MySQL Client, versions 5.6.47 and prior, 5.7.29 and prior, 8.0.18 and prior	MySQL
MySQL Cluster, versions 7.3.28 and prior, 7.4.27 and prior, 7.5.17 and prior, 7.6.13 and prior, 8.0.19 and prior	MySQL
MySQL Connectors, versions 5.1.48 and prior, 8.0.19 and prior	MySQL
MySQL Enterprise Monitor, versions 4.0.11.5331 and prior, 8.0.18.1217 and prior	MySQL
MySQL Server, versions 5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior	MySQL
MySQL Workbench, versions 8.0.19 and prior	MySQL
Oracle Access Manager, versions 11.1.2.3.0, 12.2.1.3.0	Fusion Middleware
Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6	Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0	Fusion Middleware
Oracle Application Express, versions prior to 19.2	Database
Oracle Application Testing Suite, versions 13.2.0.1, 13.3.0.1	Enterprise Manager
Oracle Banking Enterprise Collections, versions 2.7.0, 2.8.0	Oracle Banking Platform
Oracle Banking Enterprise Originations, versions 2.7.0, 2.8.0	Oracle Banking Platform
Oracle Banking Enterprise Product Manufacturing, versions 2.7.0, 2.8.0	Oracle Banking Platform
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.9.0	Oracle Banking Platform
Oracle Big Data Discovery, version 1.6	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Process Management Suite, version 12.2.1.4.0	Fusion Middleware
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Communications ASAP Cartridges, versions 7.2, 7.3	Oracle Communications ASAP Cartridges
Oracle Communications Calendar Server, versions 8.0.0.2.0, 8.0.0.3.0	Oracle Communications Calendar Server
Oracle Communications Converged Application Server – Service Controller, version 6.1	Oracle Communications Converged Application Server – Service Controller
Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0, 8.1.0, 8.2.0, 8.2.1	Oracle Communications Diameter Signaling Router
Oracle Communications Element Manager, versions 8.0.0, 8.1.0, 8.1.1, 8.2.0	Oracle Communications Element Manager
Oracle Communications Evolved Communications Application Server, version 7.1	Oracle Communications Evolved Communications Application Server
Oracle Communications Messaging Server, versions 8.0.2, 8.1.0	Oracle Communications Messaging Server
Oracle Communications Operations Monitor, versions 3.4.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0	Oracle Communications Operations Monitor
Oracle Communications Service Broker, versions 6.0, 6.1	Oracle Communications Service Broker
Oracle Communications Services Gatekeeper, versions 6.0, 6.1	Oracle Communications Services Gatekeeper
Oracle Communications Session Report Manager, versions 8.0.0, 8.1.0, 8.1.1, 8.2.0	Oracle Communications Session Report Manager
Oracle Communications Session Route Manager, versions 8.0.0, 8.1.0, 8.1.1, 8.2.0	Oracle Communications Session Route Manager
Oracle Communications Unified Inventory Management, versions 7.3.0, 7.4.0	Oracle Communications Unified Inventory Management
Oracle Communications WebRTC Session Controller, version 7.2	Oracle Communications WebRTC Session Controller
Oracle Configurator, versions 12.1, 12.2	Oracle Supply Chain Products
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9	E-Business Suite
Oracle Endeca Information Discovery Integrator, version 3.2.0	Fusion Middleware
Oracle Endeca Server, version 7.7.0	Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.0.9	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Asset Liability Management, versions 8.0.6, 8.0.7	Oracle Financial Services Asset Liability Management
Oracle Financial Services Balance Sheet Planning, version 8.0.8	Oracle Financial Services Balance Sheet Planning
Oracle Financial Services Data Foundation, versions 8.0.6-8.0.9	Oracle Financial Services Data Foundation
Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management, versions 8.0.7, 8.0.8	Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management
Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7	Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.6-8.0.8	Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Liquidity Risk Management, version 8.0.6	Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7, 8.0.8	Oracle Financial Services Liquidity Risk Measurement and Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8	Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8	Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Price Creation and Discovery, version 8.0.7	Oracle Financial Services Price Creation And Discovery
Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7	Oracle Financial Services Profitability Management
Oracle Financial Services Revenue Management and Billing Analytics, versions 2.6, 2.7, 2.8	Oracle Financial Services Revenue Management and Billing Analytics
Oracle FLEXCUBE Core Banking, version 4.0	Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, versions 12.0, 12.1	Oracle Financial Services Applications
Oracle Fusion Middleware MapViewer, version 12.2.1.3.0	Fusion Middleware
Oracle Global Lifecycle Management NextGen OUI Framework, versions 12.2.1.3.0, 12.2.1.4.0, 13.9.4.2.2	Fusion Middleware
Oracle Global Lifecycle Management OPatch, versions prior to 11.2.0.3.23, prior to 12.2.0.1.19, prior to 13.9.4.2.1	Global Lifecycle Management
Oracle GraalVM Enterprise Edition, versions 19.3.1, 20.0.0	Oracle GraalVM Enterprise Edition
Oracle Health Sciences Information Manager, version 3.0	Health Sciences
Oracle Healthcare Data Repository, version 7.0	Health Sciences
Oracle Hospitality Reporting and Analytics, version 9.1.0	Oracle Hospitality Reporting and Analytics
Oracle HTTP Server, version 11.1.1.9.0	Fusion Middleware
Oracle In-Memory Performance-Driven Planning, versions 12.1, 12.2	Oracle Supply Chain Products
Oracle Insurance Accounting Analyzer, versions 8.0.6-8.0.9	Oracle Insurance Accounting Analyzer
Oracle Java SE, versions 7u251, 8u241, 11.0.6, 14	Java SE
Oracle Java SE Embedded, version 8u241	Java SE
Oracle Knowledge, versions 8.6.0-8.6.3	Oracle Knowledge
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Outside In Technology, versions 8.5.4	Fusion Middleware
Oracle Real User Experience Insight, versions 13.1.2.1, 13.2.3.1, 13.3.1.0	Enterprise Manager
Oracle Retail Advanced Inventory Planning, versions 14.0, 15.0, 16.0	Retail Applications
Oracle Retail Back Office, version 14.1	Retail Applications
Oracle Retail Central Office, version 14.1	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, version 18.0	Retail Applications
Oracle Retail Merchandising System, version 16.0	Retail Applications
Oracle Retail Order Broker, versions 15.0, 16.0, 18.0, 19.0	Retail Applications
Oracle Retail Point-of-Service, version 14.1	Retail Applications
Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3	Retail Applications
Oracle Retail Returns Management, version 14.1	Retail Applications
Oracle Retail Store Inventory Management, version 16.0	Retail Applications
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 18.0, 18.0.1	Retail Applications
Oracle SD-WAN Edge, versions 7.3, 8.0, 8.1, 8.2	Oracle SD-WAN Edge
Oracle Secure Backup, versions prior to 18.1	Oracle Secure Backup
Oracle SOA Suite, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Solaris, versions 10, 11	Systems
Oracle Transportation Management, versions 6.3.7, 6.4.2, 6.4.3	Oracle Supply Chain Products
Oracle Unified Directory, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Utilities Framework, versions 2.2.0, 4.2.0.2, 4.2.0.3, 4.3.0.2-4.3.0.6, 4.4.0.0, 4.4.0.2	Oracle Utilities Applications
Oracle Utilities Network Management System, versions 1.12.0.3, 2.3.0.1, 2.3.0.2, 2.4.0.0	Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.2.40, prior to 6.0.20, prior to 6.1.6	Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8	Systems
OSS Support Tools, versions 20.0, 20.1	Support Tools
PeopleSoft Enterprise CS Campus Community, version 9.2	PeopleSoft
PeopleSoft Enterprise HCM Absence Management, version 9.2	PeopleSoft
PeopleSoft Enterprise HRMS, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58	PeopleSoft
PeopleSoft Enterprise SCM Purchasing, version 9.2	PeopleSoft
Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.6, 18.8.0-18.8.8, 19.12.0	Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 16.2.0.0-16.2.19.3, 17.12.0.0-17.12.17.0, 18.8.0.0-18.8.18.0, 19.12.1.0-19.12.3.0, 20.1.0.0-20.2.0.0	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12	Oracle Construction and Engineering Suite
Siebel Applications, versions 20.2 and prior	Siebel
StorageTek Tape Analytics SW Tool, version 2.3.0	Systems

Note:

Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

21superman: CVE-2020-2828
Abdullah H. AlJaber: CVE-2020-2753
Abdulrahman Nour of Redforce: CVE-2020-2865
Alexander Kornbrust of Red Database Security: CVE-2020-2737, CVE-2020-2946
Alves Christopher: CVE-2020-2752
Andrej Simko of Accenture: CVE-2020-2794, CVE-2020-2796, CVE-2020-2810
Andrew Hess: CVE-2020-2910
anhdaden of STAR Labs working with Trend Micro’s Zero Day Initiative: CVE-2020-2575, CVE-2020-2748, CVE-2020-2894, CVE-2020-2902, CVE-2020-2911
Anil Aravind: CVE-2020-2864
Bao Zhen: CVE-2020-2926
Barakat Soror: CVE-2020-2913, CVE-2020-2914
Barakat Soror working with Trend Micro Zero Day Initiative: CVE-2020-2907, CVE-2020-2958
Bengt Jonsson of Uppsala University: CVE-2020-2767
Bui Duong from Viettel Cyber Security: CVE-2020-2883, CVE-2020-2884
Bui Quang: CVE-2020-2933
Calvin Fong (Lord_Idiot) of STAR Labs working with Trend Micro Zero Day Initiative: CVE-2020-2748, CVE-2020-2758
Christian Freudigmann of Daimler TSS: CVE-2020-2738
Damian Bury: CVE-2020-2769, CVE-2020-2777
Dan Amodio of Contrast Security: CVE-2020-2800
Daniel Martinez Adan (aDoN90): CVE-2020-2738
elasticheart from ICC working with Trend Micro Zero Day Initiative: CVE-2020-2741
Esteban Montes Morales of Accenture: CVE-2020-2813
Fangrun Li of Cloud Security Team at Qihoo 360: CVE-2020-2798, CVE-2020-2801, CVE-2020-2963
Fatih Çelik: CVE-2020-2909
Florian Ohlms of Daimler TSS: CVE-2020-2738
GreenDog working with Trend Micro Zero Day Initiative: CVE-2020-2950
JanatiIdrissi Zouhair: CVE-2020-2752
Jang of VNPT ISC: CVE-2020-2883, CVE-2020-2884
John Simpson of Trend Micro Security Research working with the Zero Day Initiative: CVE-2020-2882, CVE-2020-2956
Julien Ahrens of RCE Security: CVE-2020-2870, CVE-2020-2871, CVE-2020-2872, CVE-2020-2873, CVE-2020-2874, CVE-2020-2876, CVE-2020-2877, CVE-2020-2878, CVE-2020-2879, CVE-2020-2880, CVE-2020-2881
Juraj Somorovsky of Ruhr-University Bochum: CVE-2020-2767
Kaki King: CVE-2020-2883
Kasper Leigh Haabb, Secunia Research at Flexera: CVE-2020-2783, CVE-2020-2784, CVE-2020-2785, CVE-2020-2786, CVE-2020-2787
Khaled Sakr of Malcrove: CVE-2019-2899
khuyenn of Viettel Cyber Security: CVE-2020-2820, CVE-2020-2823, CVE-2020-2824, CVE-2020-2825, CVE-2020-2826, CVE-2020-2827, CVE-2020-2831, CVE-2020-2832, CVE-2020-2834, CVE-2020-2835, CVE-2020-2836, CVE-2020-2838, CVE-2020-2839, CVE-2020-2840, CVE-2020-2841, CVE-2020-2842, CVE-2020-2844, CVE-2020-2845, CVE-2020-2846, CVE-2020-2847, CVE-2020-2848, CVE-2020-2849, CVE-2020-2850, CVE-2020-2852, CVE-2020-2854, CVE-2020-2855, CVE-2020-2856, CVE-2020-2857, CVE-2020-2871
Kostis Sagonas of Uppsala University: CVE-2020-2767
Lalit Naphade: CVE-2020-2740
Longofo of Knownsec 404 Team: CVE-2020-2798, CVE-2020-2949, CVE-2020-2963
lufei from 0vul Team of Butian at Qi’anxin Group: CVE-2020-2869, CVE-2020-2883
Maoxin Lin of Dbappsecurity Team: CVE-2020-2869, CVE-2020-2934
Marc Durdin: CVE-2020-2930
Marco Ivaldi of Media Service: CVE-2020-2771, CVE-2020-2851, CVE-2020-2944
Marek Cybul: CVE-2020-2766
Martin Doyhenard of Onapsis: CVE-2020-2750
Matei “Mal” Badanoiu: CVE-2020-2869, CVE-2020-2875
Mauro Leggieri of TRAPMINE Inc.: CVE-2020-2895
Michal Bogdanowicz of STM Solutions: CVE-2020-2811
Minle Chen of PingAn Galaxy Lab: CVE-2020-2798
Nils Emmerich of ERNW : CVE-2020-2803, CVE-2020-2805
Owais Zaman of Sabic: CVE-2020-2594, CVE-2020-2706
Paul Fiterau Brostean of Uppsala University: CVE-2020-2767
Pavel Cheremushkin: CVE-2020-2929, CVE-2020-2951
Peter Dettman of cryptoworkshop.com: CVE-2020-2778
Philippe Antoine (Telecom Nancy): CVE-2020-2752
Piotr Domirski: CVE-2020-2745
Quynh Le of VNPT ISC: CVE-2020-2798
Quynh Le of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-2883
r00t4dm from A-TEAM of Legendsec at Qi’anxin Group: CVE-2020-2798, CVE-2020-2829, CVE-2020-2963
Reno Robert working with Trend Micro Zero Day Initiative: CVE-2020-2742, CVE-2020-2743, CVE-2020-2908
Robert Merget of Ruhr-University Bochum: CVE-2020-2767
Roger Meyer: CVE-2020-2514
RunOu of Bangcle Security: CVE-2020-2798
Rémi Badonnel (Telecom Nancy): CVE-2020-2752
Samrat Das of Emirates NBD: CVE-2020-2772
Sebastian Fuchs of NTT Security: CVE-2020-2744
Sebastian Wlodarczyk of Optima Partners: CVE-2020-2747
Simone Bordet of Webtide: CVE-2020-2781
Tarun Sehgal of eSec Forte Technologies: CVE-2020-2782
Tomasz Wisniewski: CVE-2020-2793
Tuan Anh Nguyen of Viettel Cyber Security: CVE-2020-2789, CVE-2020-2807, CVE-2020-2808, CVE-2020-2809, CVE-2020-2815, CVE-2020-2817, CVE-2020-2818, CVE-2020-2819, CVE-2020-2820, CVE-2020-2821, CVE-2020-2822, CVE-2020-2823, CVE-2020-2824, CVE-2020-2825, CVE-2020-2826, CVE-2020-2827, CVE-2020-2831, CVE-2020-2832, CVE-2020-2833, CVE-2020-2834, CVE-2020-2835, CVE-2020-2836, CVE-2020-2837, CVE-2020-2838, CVE-2020-2839, CVE-2020-2840, CVE-2020-2841, CVE-2020-2842, CVE-2020-2843, CVE-2020-2844, CVE-2020-2845, CVE-2020-2846, CVE-2020-2847, CVE-2020-2848, CVE-2020-2849, CVE-2020-2850, CVE-2020-2852, CVE-2020-2854, CVE-2020-2855, CVE-2020-2856, CVE-2020-2857, CVE-2020-2858, CVE-2020-2860, CVE-2020-2861, CVE-2020-2863, CVE-2020-2871
Vahagn Vardanyan: CVE-2020-2733
Vaibhav Shukla: CVE-2020-2955
Venustech ADLab: CVE-2020-2798, CVE-2020-2801
Victor Rodriguez: CVE-2020-2739
Vishnu Dev TJ working with Trend Micro’s Zero Day Initiative: CVE-2020-2929
Xingwei Lin of Ant-financial Light-Year Security Lab: CVE-2020-2905
Xinlei Ying of Ant-financial Light-Year Security Lab: CVE-2020-2905
Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2020-2869, CVE-2020-2934
Yu Wang of BMH Security Team: CVE-2020-2883
ZeddYu Lu: CVE-2020-2867
Zhan Julien: CVE-2020-2752
Ziming Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2020-2959
Zohaib Tasneem of Sabic: CVE-2020-2594, CVE-2020-2706

Security-In-Depth Contributors

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

Abdullah H. AlJaber
Andrej Simko of Accenture working with iDefense Labs
ICHIHARA Ryohei of DMM.com LLC
Jayson Grace of Sandia National Laboratories
KeChen Lin of Ping An Bank Security Team
Markus Loewe
Mathieu Deous of Datadoghq
Mehdi Benkaddour
MengLiang Ji of CICITLab
Michael Miller of Integrigy
Raju Mogulapalli of Rheem Manufacturing
tint0 of Viettel Cyber Security working with iDefense Labs
Tuan Anh Nguyen of Viettel Cyber Security

On-Line Presence Security Contributors

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

Anton Hrytskevich
Chetan Tiwari
Daniel J. Grinkevich
Faizan Ahmed
Hamit Cibo
Heshie Brody
Jimmy Bruneel
Mohamed Yaser
r00t4dm from A-TEAM of Legendsec at Qi’anxin Group
Robert Lee Dick
Shriram
Wai Yan Aung
Yash Ahmed Quashim

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

14 July 2020
20 October 2020
19 January 2021
20 April 2021

References

Modification History

Date	Note
2020-July-20	Rev 11. Credit Statement Update.
2020-June-19	Rev 10. Credit Statement Update.
2020-June-15	Rev 9. Added note concerning the patch for CVE-2020-2801.
2020-May-27	Rev 8. Credit Statement Update.
2020-May-18	Rev 7. Updated protocol information for CVE-2020-2798, CVE-2020-2801, CVE-2020-2828, CVE-2020-2883, CVE-2020-2884 and CVE-2020-2915.
2020-May-06	Rev 6. Credit Statement Update.
2020-April-30	Rev 5. Credit Statement Update.
2020-April-24	Rev 4. Added CVE-2020-2575 for VirtualBox to the Virtualization Risk Matrix. This increases the overall number of security patches to 399. The releases listed in the patch availability document for Virtualization already include the patch for CVE-2020-2575. Updated CVSS score for CVE-2020-2894 in the Oracle Virtualization risk matrix. Modified the additional CVE list for CVE-2018-1165 in Oracle ZFS Storage Appliance Kit.
2020-April-17	Rev 3. Modified the affected versions for Oracle Outside In Technology vulnerabilities and updated the credit statement.
2020-April-16	Rev 2. Added entry in the Oracle Fusion Middleware risk matrix for Oracle WebLogic Server security patch to address CVE-2019-16943. This increases the overall number of security patches to 398. This is simply a documentation change. The patches were already listed in the patch availability document for Fusion Middleware.
2020-April-14	Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 10 new security patches for the Oracle Database Products divided as follows:

8 new security patches for Oracle Database Server.
1 new security patch for Oracle Global Lifecycle Management.
1 new security patch for Oracle Secure Backup.

Oracle Database Server Risk Matrix

This Critical Patch Update contains 8 new security patches for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2735	Java VM	Create Session	Oracle Net	No	8.0	Network	High	Low	Required	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2016-10251	Oracle Multimedia	Create Session	Oracle Net	No	8.0	Network	Low	Low	Required	Un- changed	High	High	High	12.1.0.2
CVE-2019-17563	WLM (Apache Tomcat)	None	HTTPS	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.2.0.1, 18c, 19c
CVE-2020-2737	Core RDBMS	Create Session, Execute Catalog Role	Oracle Net	No	6.4	Network	High	High	Required	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2853	Oracle Text	Create Session	OracleNet	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2016-7103	Oracle Application Express	None	HTTPS	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	Prior to 19.1
CVE-2020-2514	Oracle Application Express	End User Role	HTTPS	No	4.6	Network	Low	Low	Required	Un- changed	None	Low	Low	Prior to 19.2
CVE-2020-2734	RDBMS/Optimizer	Execute on DBMS_SQLTUNE	Oracle Net	No	2.4	Network	Low	High	Required	Un- changed	Low	None	None	12.1.0.2, 12.2.0.1, 18c, 19c

Additional CVEs addressed are below:

The patch for CVE-2016-7103 also addresses CVE-2015-9251 and CVE-2019-11358.
The patch for CVE-2019-17563 also addresses CVE-2019-12418.
The patch for CVE-2019-2853 also addresses CVE-2019-2756, CVE-2019-2759 and CVE-2019-2852.

Oracle Global Lifecycle Management Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-20330	Oracle Global Lifecycle Management OPatch	Patch Installer	HTTP	No	0.0	Network	High	None	None	Un- changed	None	None	None	Prior to 11.2.0.3.23, Prior to 12.2.0.1.19, Prior to 13.9.4.2.1	See Note 1

Notes:

The following CVEs addressed by this patch are not exploitable in the Oracle product, so the CVSS score is 0.0.

Additional CVEs addressed are below:

The patch for CVE-2019-20330 also addresses CVE-2016-4000, CVE-2016-4463, CVE-2018-1000873, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-1320, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-12086, CVE-2019-12384, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335 and CVE-2020-8840.

Oracle Secure Backup Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Secure Backup. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-5712	Oracle Secure Backup	PHP	HTTPS	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	Prior to 18.1

Additional CVEs addressed are below:

The patch for CVE-2018-5712 also addresses CVE-2018-5711.

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 39 new security patches for Oracle Communications Applications. 35 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-16943	Oracle Communications Calendar Server	Administration (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0.2.0, 8.0.0.3.0
CVE-2015-3253	Oracle Communications Converged Application Server – Service Controller	Admin Console (Groovy)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1
CVE-2016-4000	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2019-2729	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (Oracle WebLogic Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2019-14379	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2019-16943	Oracle Communications Evolved Communications Application Server	SDP, SCF and URD (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.1
CVE-2019-5482	Oracle Communications Operations Monitor	REST API (cURL)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0
CVE-2019-2904	Oracle Communications Service Broker	Admin Console (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0, 6.1
CVE-2019-2904	Oracle Communications Services Gatekeeper	API Management Portal (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0, 6.1
CVE-2019-10082	Oracle Communications Element Manager	Core (Apache HTTP Server)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-10088	Oracle Communications Messaging Server	Security (Tika)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	8.0.2, 8.1.0
CVE-2018-8039	Oracle Communications Session Report Manager	Core (Apache CXF)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2018-8039	Oracle Communications Session Route Manager	Core (Apache CXF)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.1.1
CVE-2019-0211	Oracle Communications Session Report Manager	Core (Apache HTTP Server)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-0211	Oracle Communications Session Route Manager	Core (Apache HTTP Server)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-0227	Oracle Communications ASAP Cartridges	Web Service (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	7.2, 7.3
CVE-2019-0222	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (Apache ActiveMQ)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2017-12626	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2018-15756	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2018-1000180	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (Bouncy Castle Java Library)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2019-0227	Oracle Communications Element Manager	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-10072	Oracle Communications Element Manager	Core (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-15163	Oracle Communications Operations Monitor	Packet Inspector, Traces functionality (libpcap)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.4.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0
CVE-2019-0227	Oracle Communications Session Report Manager	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-10072	Oracle Communications Session Report Manager	Core (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2018-15756	Oracle Communications Session Report Manager	Core (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.1.1
CVE-2019-0227	Oracle Communications Session Route Manager	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-10072	Oracle Communications Session Route Manager	Core (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2018-15756	Oracle Communications Session Route Manager	Core (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.1.1
CVE-2017-12626	Oracle Communications Unified Inventory Management	Bulk Import (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.3.0, 7.4.0
CVE-2019-11358	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2019-11358	Oracle Communications Operations Monitor	Mediation Engine, Calls Page (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.4.0, 4.0.0, 4.1.0
CVE-2019-11358	Oracle Communications WebRTC Session Controller	WSC-Console (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.2
CVE-2019-10247	Oracle Communications Element Manager	Core (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2018-20852	Oracle Communications Operations Monitor	VSP Webserver (Python)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	3.4.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0
CVE-2019-10247	Oracle Communications Session Report Manager	Core (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-10247	Oracle Communications Session Route Manager	Core (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-14821	Oracle SD-WAN Edge	OS (Kernel)	None	No	3.9	Local	High	High	None	Un- changed	Low	Low	Low	7.3, 8.0, 8.1, 8.2	See Note 1
CVE-2019-1010238	Oracle SD-WAN Edge	OS (Kernel)	SSH	No	2.0	Network	High	High	Required	Un- changed	None	None	Low	7.3, 8.0, 8.1, 8.2	See Note 1

Notes:

Versions 7.3, 8.0 and 8.1 are vulnerable only with Debian 5.1. Version 8.2 is vulnerable only with Oracle Linux 7.0.

Additional CVEs addressed are below:

The patch for CVE-2018-1000180 also addresses CVE-2018-1000613.
The patch for CVE-2019-0211 also addresses CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217 and CVE-2019-0220.
The patch for CVE-2019-0222 also addresses CVE-2018-11775.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10072 also addresses CVE-2018-11784.
The patch for CVE-2019-10082 also addresses CVE-2019-10081, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098 and CVE-2019-9517.
The patch for CVE-2019-10088 also addresses CVE-2019-10093 and CVE-2019-10094.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.
The patch for CVE-2019-14379 also addresses CVE-2019-14439.
The patch for CVE-2019-15163 also addresses CVE-2019-15161, CVE-2019-15162, CVE-2019-15164 and CVE-2019-15165.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
The patch for CVE-2019-2729 also addresses CVE-2019-2725.
The patch for CVE-2019-5482 also addresses CVE-2019-15601 and CVE-2019-5481.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Construction and Engineering. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Instantis EnterpriseTrack	Logging (Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	17.1 – 17.3
CVE-2019-17195	Primavera Gateway	Admin (Connect2id Nimbus JOSE+JWT)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.12.0
CVE-2019-16943	Primavera Gateway	Admin (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	17.12.0 – 17.12.6, 18.8.0 – 18.8.8, 19.12.0
CVE-2019-16943	Primavera Unifier	Infrastructure (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7 – 17.12, 18.8, 19.12
CVE-2019-13990	Primavera Unifier	Infrastructure (Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7 – 17.12, 18.8
CVE-2019-10082	Instantis EnterpriseTrack	Generic (Apache HTTP Server)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	17.1 – 17.3
CVE-2019-17563	Instantis EnterpriseTrack	Generic (Apache Tomcat)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	17.1 – 17.3
CVE-2019-12402	Primavera Gateway	Admin (Apache Commons Compress)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	18.8.0 – 18.8.8, 19.12.0
CVE-2019-10086	Primavera Gateway	Admin (Apache Commons Beanutils)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	16.2.0 – 16.2.11, 17.12.0 – 17.12.6
CVE-2020-2594	Primavera P6 Enterprise Project Portfolio Management	Project Manager	HTTP	No	6.5	Network	Low	Low	Required	Changed	Low	Low	Low	16.2.0.0 – 16.2.19.3, 17.12.0.0 – 17.12.17.0, 18.8.0.0 – 18.8.18.0, 19.12.1.0 – 19.12.3.0, 20.1.0.0 – 20.2.0.0
CVE-2019-12415	Instantis EnterpriseTrack	Office Open document processor (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	17.1 – 17.3
CVE-2020-2706	Primavera P6 Enterprise Project Portfolio Management	Project Manager	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	16.2.0.0 – 16.2.19.3, 17.12.0.0 – 17.12.17.0, 18.8.0.0 – 18.8.18.0, 19.12.1.0 – 19.12.3.0, 20.1.0.0 – 20.2.0.0

Additional CVEs addressed are below:

The patch for CVE-2019-10082 also addresses CVE-2019-10081, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098 and CVE-2019-9517.
The patch for CVE-2019-13990 also addresses CVE-2019-5427.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 74 new security patches for the Oracle E-Business Suite. 70 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2020), My Oracle Support Note 2650675.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2838	Oracle CRM Gateway for Mobile Devices	Setup of Mobile Applications	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	12.1.1-12.1.3
CVE-2020-2863	Oracle Advanced Outbound Telephony	User Interface	HTTP	No	8.5	Network	Low	Low	None	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2852	Oracle Advanced Outbound Telephony	Calendar	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2871	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2854	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2856	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2857	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2890	Oracle Applications Framework	Diagnostics	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2820	Oracle Common Applications Calendar	Notes	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.8
CVE-2020-2823	Oracle Common Applications Calendar	Notes	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2881	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2873	Oracle Customer Interaction History	Outcome-Result	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2842	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2844	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2845	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2846	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2847	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2848	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2849	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2850	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2885	Oracle Document Management and Collaboration	Attachments	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3,12.2.3-12.2.9
CVE-2020-2808	Oracle E-Business Intelligence	DBI Setups	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2809	Oracle E-Business Intelligence	DBI Setups	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2840	Oracle E-Business Intelligence	DBI Setups	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2874	Oracle Email Center	Customer Search	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2794	Oracle Email Center	Email Address list and Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2813	Oracle Email Center	KB Search	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2796	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2855	Oracle iSupport	Admin	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2878	Oracle iSupport	Mail	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2843	Oracle iSupport	Profile	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2815	Oracle iSupport	Profile	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2872	Oracle iSupport	Profile	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2841	Oracle Knowledge Management	Setup, Admin	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2880	Oracle Learning Management	OTA Training Activities	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2831	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2834	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2835	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2836	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2837	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2858	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2860	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2861	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2876	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2807	Oracle Marketing Encyclopedia System	Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2824	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2825	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2826	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2827	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2832	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2870	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2877	Oracle Partner Management	Attribute Admin Setup	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2833	Oracle Quoting	Courseware	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2817	Oracle Scripting	Miscellaneous	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2879	Oracle Scripting	Miscellaneous	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2839	Oracle Service Intelligence	Internal Operations- Search	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2821	Oracle Trade Management	Budget	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.8
CVE-2020-2822	Oracle Trade Management	Claims	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2818	Oracle Universal Work Queue	Work Provider Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2819	Oracle Universal Work Queue	Work Provider Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2882	Oracle Human Resources	Hierarchy Diagrammers	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2956	Oracle Human Resources	Hierarchy Diagrammers	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2750	Oracle General Ledger	Account Hierarchy Manager	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2866	Oracle Applications Framework	Attachments / File Upload	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.2.5-12.2.9
CVE-2020-2889	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3,12.2.3-12.2.9
CVE-2020-2887	Oracle Customer Interaction History	Outcome-Result	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.1.1-12.1.3,12.2.3-12.2.9
CVE-2020-2864	Oracle iSupplier Portal	Accounts	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.5-12.2.9
CVE-2020-2888	Oracle Marketing	Partners	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2753	Oracle Workflow	Workflow Notification Mailer	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2886	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2810	Oracle iStore	Shopping Cart	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2789	Oracle iSupport	User Interface	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3,12.2.3-12.2.8
CVE-2020-2862	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	4.7	Network	Low	None	Required	Changed	Low	None	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2772	Oracle Human Resources	Absence Recording, Maintenance	HTTP	No	4.1	Network	Low	Low	Required	Changed	None	Low	None	12.2.6-12.2.9

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Enterprise Manager. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2633852.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2961	Enterprise Manager Base Platform	Discovery Framework (Oracle OHS)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2.0.0, 13.3.0.0
CVE-2018-11058	Oracle Real User Experience Insight	Processing (Oracle Instant Client)	Multiple	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	13.1.2.1, 13.2.3.1, 13.3.1.0
CVE-2018-18311	Enterprise Manager Base Platform	Install (Perl)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	13.2.0.0, 13.3.0.0
CVE-2019-0227	Oracle Application Testing Suite	Oracle Flow Builder (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	13.2.0.1, 13.3.0.1
CVE-2019-1543	Enterprise Manager Base Platform	Discovery Framework (OpenSSL)	HTTPS	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2019-11358	Application Service Level Management	Service Level Agreements (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.2.0.0, 13.3.0.0
CVE-2020-2946	Application Performance Management	EM Request Monitoring	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0

Additional CVEs addressed are below:

The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
The patch for CVE-2018-18311 also addresses CVE-2016-2381.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 35 new security patches for Oracle Financial Services Applications. 16 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2904	Oracle Banking Enterprise Collections	Framework (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.7.0, 2.8.0
CVE-2019-13990	Oracle Banking Enterprise Originations	Core (Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.7.0, 2.8.0
CVE-2019-2904	Oracle Banking Enterprise Originations	Framework (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.7.0, 2.8.0
CVE-2019-13990	Oracle Banking Enterprise Product Manufacturing	Core (Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.7.0, 2.8.0
CVE-2019-2904	Oracle Banking Enterprise Product Manufacturing	Framework (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.7.0, 2.8.0
CVE-2019-2904	Oracle Banking Platform	Framework (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.9.0
CVE-2019-16943	Oracle Banking Platform	Framework (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.9.0
CVE-2019-2904	Oracle Financial Services Revenue Management and Billing Analytics	Dashboards (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.6, 2.7, 2.8
CVE-2019-12419	Oracle FLEXCUBE Private Banking	Core (Apache CXF)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0, 12.1
CVE-2019-2904	Oracle FLEXCUBE Private Banking	Framework (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0, 12.1
CVE-2019-10088	Oracle FLEXCUBE Private Banking	Core (Apache Tika)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	12.0, 12.1
CVE-2019-17359	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.6 – 8.0.9
CVE-2019-0227	Oracle FLEXCUBE Private Banking	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	12.0, 12.1
CVE-2017-12626	Oracle FLEXCUBE Private Banking	Core (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.0, 12.1
CVE-2020-2793	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6 – 8.0.9
CVE-2020-2939	Oracle Financial Services Asset Liability Management	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6, 8.0.7
CVE-2020-2936	Oracle Financial Services Balance Sheet Planning	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.8
CVE-2020-2964	Oracle Financial Services Data Foundation	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6 – 8.0.9
CVE-2020-2945	Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management	User Interfaces	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.7, 8.0.8
CVE-2020-2941	Oracle Financial Services Funds Transfer Pricing	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6, 8.0.7
CVE-2020-2935	Oracle Financial Services Hedge Management and IFRS Valuations	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6 – 8.0.8
CVE-2020-2891	Oracle Financial Services Liquidity Risk Management	User Interfaces	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6
CVE-2020-2943	Oracle Financial Services Liquidity Risk Measurement and Management	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.7, 8.0.8
CVE-2020-2938	Oracle Financial Services Loan Loss Forecasting and Provisioning	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6 – 8.0.8
CVE-2020-2942	Oracle Financial Services Price Creation and Discovery	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.7
CVE-2020-2940	Oracle Financial Services Profitability Management	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6, 8.0.7
CVE-2020-2937	Oracle Insurance Accounting Analyzer	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6 – 8.0.9
CVE-2020-2955	Oracle FLEXCUBE Core Banking	Transaction Processing	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	4.0
CVE-2019-17091	Oracle Banking Enterprise Product Manufacturing	Core (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.7.0, 2.8.0
CVE-2019-12415	Oracle Banking Enterprise Originations	Core (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	2.7.0, 2.8.0
CVE-2019-12415	Oracle Banking Enterprise Product Manufacturing	Core (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	2.7.0, 2.8.0
CVE-2019-12415	Oracle Banking Platform	Core (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.9.0
CVE-2019-12415	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	8.0.6 – 8.0.9
CVE-2019-12415	Oracle Financial Services Market Risk Measurement and Management	Infrastructure (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	8.0.6, 8.0.8
CVE-2019-10247	Oracle FLEXCUBE Private Banking	Core (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.0, 12.1

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10088 also addresses CVE-2019-10093 and CVE-2019-10094.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.
The patch for CVE-2019-12415 also addresses CVE-2017-12626.
The patch for CVE-2019-12419 also addresses CVE-2019-12406.
The patch for CVE-2019-13990 also addresses CVE-2019-5427.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Food and Beverage Applications. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2746	Oracle Hospitality Reporting and Analytics	Admin	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 52 new security patches for Oracle Fusion Middleware. 45 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update April 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2633852.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2950	Oracle Business Intelligence Enterprise Edition	Analytics Web General	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2016-1000031	Oracle Business Intelligence Enterprise Edition	BI Platform Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2915	Oracle Coherence	Caching, CacheStore, Invocation	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-13990	Oracle Fusion Middleware MapViewer	Install (Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2019-16943	Oracle Global Lifecycle Management NextGen OUI Framework	Tools (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.9.4.2.2, 12.2.1.3.0, 12.2.1.4.0
CVE-2016-10328	Oracle Outside In Technology	Installation (FreeType)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.4	See Note 1
CVE-2019-16943	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2019-16943	Oracle WebCenter Sites	Sites (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2019-17571	Oracle WebLogic Server	Console (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-16943	Oracle WebLogic Server	Third Party Tools (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2801	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	See Note 2
CVE-2020-2883	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2884	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-10088	Oracle Business Process Management Suite	BPM Composer (Apache Tika)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	12.2.1.4.0
CVE-2017-5130	Oracle HTTP Server	Web Listener (LibXML2)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	11.1.1.9.0
CVE-2020-2867	Oracle WebLogic Server	Web Container	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	Low	High	None	12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-0222	Identity Manager Connector	General (Apache ActiveMQ)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.0
CVE-2018-15756	Identity Manager Connector	LDAP Gateway (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.0
CVE-2015-7940	Oracle Business Intelligence Enterprise Edition	Installation (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2017-12626	Oracle Endeca Information Discovery Integrator	Integrator ETL (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.2.0
CVE-2019-17359	Oracle Managed File Transfer	MFT Runtime Server (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.1.3.0, 12.2.1.4.0
CVE-2019-15903	Oracle Outside In Technology	DC-Specific Component (LibExpat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.4	See Note 1
CVE-2019-16168	Oracle Outside In Technology	DC-Specific Component (SQLite)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.4	See Note 1
CVE-2018-20843	Oracle Outside In Technology	Installation (FreeType)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.4	See Note 1
CVE-2019-17359	Oracle SOA Suite	Installation (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.1.3.0, 12.2.1.4.0
CVE-2019-17359	Oracle WebCenter Portal	Security Framework (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2828	Oracle WebLogic Server	WLS Web Services	IIOP, T3	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0
CVE-2020-2739	Oracle WebCenter Sites	Advanced UI	HTTP	Yes	7.4	Network	Low	None	Required	Changed	High	None	None	12.2.1.3.0
CVE-2020-2784	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2020-2785	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2020-2786	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2020-2787	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2020-2798	Oracle WebLogic Server	WLS Web Services	IIOP, T3	No	7.2	Network	Low	High	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2952	Oracle HTTP Server	Web Listener	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	11.1.1.9.0
CVE-2018-20622	Oracle Outside In Technology	Installation (JasPer)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	8.5.4	See Note 1
CVE-2019-11358	Oracle Big Data Discovery	Studio (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	1.6
CVE-2019-11358	Oracle Fusion Middleware MapViewer	Install (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2019-11358	Oracle WebCenter Sites	Advanced UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2020-2811	Oracle WebLogic Server	Console	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-12415	Oracle Big Data Discovery	Studio (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	1.6
CVE-2020-2747	Oracle Access Manager	SSO Engine	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	11.1.2.3.0, 12.2.1.3.0
CVE-2020-2949	Oracle Coherence	Caching, CacheStore, Invocation	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-10247	Oracle Endeca Information Discovery Integrator	Integrator ETL (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	3.2.0
CVE-2020-2783	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	8.5.4	See Note 1
CVE-2019-10247	Oracle Unified Directory	OpenDS SDK (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2766	Oracle WebLogic Server	Console	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2829	Oracle WebLogic Server	Management Services	HTTP	No	4.9	Network	Low	High	None	Un- changed	High	None	None	10.3.6.0.0
CVE-2019-1547	Oracle API Gateway	Oracle API Gateway (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	11.1.2.4.0
CVE-2019-1547	Oracle Endeca Server	Product Code (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	7.7.0
CVE-2020-2740	Oracle Access Manager	Authentication Engine	HTTP	No	4.6	Network	Low	Low	Required	Un- changed	Low	Low	None	11.1.2.3.0, 12.2.1.3.0
CVE-2020-2745	Oracle Access Manager	Federation	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	11.1.2.3.0, 12.2.1.3.0
CVE-2020-2869	Oracle WebLogic Server	Console	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
The patch for this issue will address the vulnerability only if the WLS instance is using JDK 1.7.0_191 or later, or JDK 1.8.0_181 or later.

Additional CVEs addressed are below:

The patch for CVE-2016-10328 also addresses CVE-2016-10244, CVE-2017-7857, CVE-2017-7858, CVE-2017-7864, CVE-2017-8105, CVE-2017-8287 and CVE-2018-6942.
The patch for CVE-2018-20622 also addresses CVE-2017-13745, CVE-2017-14232, CVE-2018-18873, CVE-2018-19139, CVE-2018-19539, CVE-2018-19540, CVE-2018-19541, CVE-2018-19542, CVE-2018-19543, CVE-2018-20570, CVE-2018-20584, CVE-2018-9055, CVE-2018-9154 and CVE-2018-9252.
The patch for CVE-2019-0222 also addresses CVE-2018-11775.
The patch for CVE-2019-10088 also addresses CVE-2019-10093 and CVE-2019-10094.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.
The patch for CVE-2019-13990 also addresses CVE-2019-5427.
The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-16168 also addresses CVE-2018-20346, CVE-2018-20506 and CVE-2019-8457.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
The patch for CVE-2019-17571 also addresses CVE-2017-5645.
The patch for CVE-2020-2798 also addresses CVE-2020-2963.

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle GraalVM. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-15606	Oracle GraalVM Enterprise Edition	JavaScript (Node.js)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.3.1, 20.0.0
CVE-2020-2803	Oracle GraalVM Enterprise Edition	Java	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	19.3.1, 20.0.0
CVE-2020-2802	Oracle GraalVM Enterprise Edition	GraalVM Compiler	Multiple	No	7.7	Network	Low	Low	None	Changed	None	None	High	19.3.1, 20.0.0
CVE-2020-2799	Oracle GraalVM Enterprise Edition	GraalVM Compiler	Multiple	No	6.3	Network	High	Low	None	Changed	None	High	None	19.3.1, 20.0.0
CVE-2020-2900	Oracle GraalVM Enterprise Edition	Tools	Multiple	No	3.7	Network	High	Low	Required	Un- changed	Low	Low	None	19.3.1, 20.0.0

Additional CVEs addressed are below:

The patch for CVE-2019-15606 also addresses CVE-2019-15604 and CVE-2019-15605.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Health Sciences Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-17091	Oracle Health Sciences Information Manager	Policy Engine (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.0
CVE-2019-17091	Oracle Healthcare Data Repository	Installation (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.0

Oracle Hyperion Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2777	Hyperion Financial Management	Security	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4
CVE-2019-2899	Hyperion Financial Management	Security (Application Development Framework)	HTTP	No	2.4	Network	Low	High	Required	Un- changed	Low	None	None	11.1.2.4
CVE-2020-2769	Hyperion Financial Reporting	Web Based Report Designer	HTTP	No	2.4	Network	Low	High	Required	Un- changed	Low	None	None	11.1.2.4

Oracle Java SE Risk Matrix

This Critical Patch Update contains 15 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2803	Java SE, Java SE Embedded	Libraries	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 1
CVE-2020-2805	Java SE, Java SE Embedded	Libraries	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 1
CVE-2019-18197	Java SE	JavaFX (libxslt)	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Java SE: 8u241	See Note 1
CVE-2020-2816	Java SE	JSSE	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	Java SE: 11.0.6, 14	See Note 2
CVE-2020-2781	Java SE, Java SE Embedded	JSSE	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 3
CVE-2020-2830	Java SE, Java SE Embedded	Concurrency	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 3
CVE-2020-2767	Java SE	JSSE	HTTPS	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	Java SE: 11.0.6, 14	See Note 3
CVE-2020-2800	Java SE, Java SE Embedded	Lightweight HTTP Server	Multiple	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 2
CVE-2020-2778	Java SE	JSSE	HTTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 11.0.6, 14	See Note 3
CVE-2020-2764	Java SE	Advanced Management Console	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java Advanced Management Console: 2.16	See Note 2
CVE-2020-2754	Java SE, Java SE Embedded	Scripting	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 3
CVE-2020-2755	Java SE, Java SE Embedded	Scripting	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 3
CVE-2020-2773	Java SE, Java SE Embedded	Security	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 3
CVE-2020-2756	Java SE, Java SE Embedded	Serialization	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 3
CVE-2020-2757	Java SE, Java SE Embedded	Serialization	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 3

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle JD Edwards. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2733	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-11058	JD Edwards EnterpriseOne Tools	Enterprise Infrastructure Security (Oracle Security Service)	JDENET	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2019-1547	JD Edwards EnterpriseOne Tools	Enterprise Infrastructure Security (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	9.2
CVE-2019-1547	JD Edwards World Security	World Software Security (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	A9.3, A9.3.1, A9.4

Additional CVEs addressed are below:

The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.

Oracle Knowledge Risk Matrix

This Critical Patch Update contains 16 new security patches for Oracle Knowledge. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2791	Oracle Knowledge	Information Manager Console	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.6.0-8.6.2
CVE-2016-1000031	Oracle Knowledge	Information Manager Console, Web Applications – InfoCenter (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.6.0-8.6.3
CVE-2020-2931	Oracle Knowledge	Web Applications – InfoCenter	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.6.0-8.6.3
CVE-2015-1832	Oracle Knowledge	Web Applications – InfoCenter (Apache Derby)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	8.6.0-8.6.3
CVE-2019-0227	Oracle Knowledge	Information Manager Console (Apache Axis)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.6.0-8.6.3
CVE-2016-3092	Oracle Knowledge	Web Applications – InfoCenter (Apache Commons Fileupload)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.6.0-8.6.3
CVE-2015-0254	Oracle Knowledge	Information Manager Console (Apache Standard Taglibs)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.6.0-8.6.1
CVE-2018-17197	Oracle Knowledge	Information Manager Console (Apache Tika)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	8.6.0-8.6.3
CVE-2020-2795	Oracle Knowledge	Information Manager Console	None	No	6.3	Local	High	High	Required	Un- changed	High	High	High	8.6.0-8.6.2
CVE-2019-11358	Oracle Knowledge	Answer Flow (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.6.0-8.6.3
CVE-2015-9251	Oracle Knowledge	Information Manager Console, Web Applications – InfoCenter (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.6.0-8.6.3
CVE-2017-14735	Oracle Knowledge	Web Applications – InfoCenter (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.6.0-8.6.3
CVE-2020-2524	Oracle Knowledge	InQuira Search	HTTP	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	8.6.0-8.6.3
CVE-2020-2932	Oracle Knowledge	Information Manager Console	HTTP	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	8.6.0-8.6.3
CVE-2020-2553	Oracle Knowledge	Information Manager Console	HTTP	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	8.6.0-8.6.3
CVE-2020-2522	Oracle Knowledge	Information Manager Console	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	8.6.0-8.6.1

Oracle MySQL Risk Matrix

This Critical Patch Update contains 45 new security patches for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-5482	MySQL Server	Server: Compiling (cURL)	MySQL Protocol	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.7.28 and prior, 8.0.18 and prior
CVE-2019-19646	MySQL Workbench	MySQL Workbench (SQLite)	MySQL Workbench	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.19 and prior
CVE-2019-14889	MySQL Workbench	MySQL Workbench (libssh)	MySQL Workbench	No	8.0	Network	Low	Low	Required	Un- changed	High	High	High	8.0.19 and prior
CVE-2019-17563	MySQL Enterprise Monitor	Service Manager (Apache Tomcat)	HTTPS	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	8.0.18.1217 and prior, 4.0.11.5331 and prior
CVE-2019-15601	MySQL Server	Server: Compiling (cURL)	MySQL Protocol	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.7.29 and prior, 8.0.19 and prior
CVE-2019-15601	MySQL Workbench	MySQL Workbench (cURL)	MySQL Workbench	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.0.19 and prior
CVE-2020-2780	MySQL Server	Server: DML	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior
CVE-2020-2790	MySQL Server	Server: Pluggable Auth	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.28 and prior
CVE-2020-2768	MySQL Cluster	Cluster: General	Multiple	No	6.3	Network	Low	Low	Required	Un- changed	None	Low	High	7.3.28 and prior, 7.4.27 and prior, 7.5.17 and prior, 7.6.13 and prior, 8.0.19 and prior
CVE-2020-2804	MySQL Server	Server: Memcached	Memcached Protocol	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior
CVE-2020-2760	MySQL Server	InnoDB	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.7.29 and prior, 8.0.19 and prior
CVE-2020-2752	MySQL Client	C API	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.6.47 and prior, 5.7.27 and prior, 8.0.17 and prior
CVE-2020-2806	MySQL Server	Server: Compiling	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.7.28 and prior
CVE-2020-2934	MySQL Connectors	Connector/J	MySQL Protocol	Yes	5.0	Network	High	None	Required	Un- changed	Low	Low	Low	8.0.19 and prior, 5.1.48 and prior
CVE-2020-2762	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2814	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.47 and prior, 5.7.28 and prior, 8.0.18 and prior
CVE-2020-2893	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2895	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2898	MySQL Server	Server: Charsets	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19
CVE-2020-2903	MySQL Server	Server: Connection Handling	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2896	MySQL Server	Server: Information Schema	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2770	MySQL Server	Server: Logging	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2765	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.29 and prior, 8.0.19 and prior
CVE-2020-2892	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2897	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2923	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2924	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2901	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2928	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2904	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2925	MySQL Server	Server: PS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2759	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2763	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior
CVE-2020-2761	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2774	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2853	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2779	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2812	MySQL Server	Server: Stored Procedure	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior
CVE-2020-2875	MySQL Connectors	Connector/J	MySQL Protocol	Yes	4.7	Network	High	None	Required	Changed	Low	Low	None	8.0.14 and prior, 5.1.48 and prior
CVE-2019-1547	MySQL Server	Server: Packaging (OpenSSL)	MySQL Protocol	No	4.7	Local	High	Low	None	Un- changed	High	None	None	5.6.46 and prior, 5.7.26 and prior, 8.0.18 and prior
CVE-2020-2926	MySQL Server	Server: Group Replication GCS	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2921	MySQL Server	Server: Group Replication Plugin	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2930	MySQL Server	Server: Parser	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2922	MySQL Client	C API	MySQL Protocol	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	5.6.47 and prior, 5.7.29 and prior, 8.0.18 and prior
CVE-2020-2933	MySQL Connectors	Connector/J	MySQL Protocol	No	2.2	Network	High	High	None	Un- changed	None	None	Low	5.1.48 and prior

Additional CVEs addressed are below:

The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-19646 also addresses CVE-2019-19242, CVE-2019-19244, CVE-2019-19317, CVE-2019-19603, CVE-2019-19645, CVE-2019-19880, CVE-2019-19923, CVE-2019-19924, CVE-2019-19925, CVE-2019-19926, CVE-2019-19959 and CVE-2019-20218.
The patch for CVE-2019-5482 also addresses CVE-2019-5481.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 14 new security patches for Oracle PeopleSoft. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2776	PeopleSoft Enterprise PeopleTools	Security	HTTP	Yes	8.6	Network	Low	None	None	Changed	None	None	High	8.56, 8.57
CVE-2019-0227	PeopleSoft Enterprise PeopleTools	Tools Admin API (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.56, 8.57, 8.58
CVE-2020-2859	PeopleSoft Enterprise PeopleTools	nVision	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.56, 8.57, 8.58
CVE-2019-17359	PeopleSoft Enterprise PeopleTools	Security (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.56, 8.57, 8.58
CVE-2020-2782	PeopleSoft Enterprise PeopleTools	Query	HTTP	Yes	7.1	Network	Low	None	Required	Changed	Low	Low	Low	8.56, 8.57, 8.58
CVE-2020-2906	PeopleSoft Enterprise SCM Purchasing	Supplier Change	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	9.2
CVE-2020-2954	PeopleSoft Enterprise HRMS	Candidate Gateway	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2020-2868	PeopleSoft Enterprise PeopleTools	Diagnostic Framework	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-2751	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2797	PeopleSoft Enterprise PeopleTools	Process Scheduler	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-2775	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.56, 8.57, 8.58
CVE-2020-2912	PeopleSoft Enterprise CS Campus Community	Self-Service	HTTP	No	5.0	Network	Low	Low	None	Changed	Low	None	None	9.2
CVE-2020-2899	PeopleSoft Enterprise SCM Purchasing	Purchasing	HTTP	No	4.8	Network	Low	High	Required	Changed	Low	Low	None	9.2
CVE-2020-2947	PeopleSoft Enterprise HCM Absence Management	Absence Management	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	9.2

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 27 new security patches for Oracle Retail Applications. 17 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Retail Advanced Inventory Planning	AIP Dashboard (Apache Ant)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 15.0
CVE-2019-13990	Oracle Retail Back Office	Security (Apache Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1
CVE-2019-13990	Oracle Retail Central Office	Security (Apache Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1
CVE-2020-2953	Oracle Retail Customer Management and Segmentation Foundation	Promotions	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	18.0
CVE-2019-13990	Oracle Retail Order Broker	Order Broker Foundation (Apache Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0, 18.0, 19.0
CVE-2019-13990	Oracle Retail Point-of-Service	Security (Apache Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1
CVE-2018-11058	Oracle Retail Predictive Application Server	RPAS Server (Oracle Security Service)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0.3, 16.0.3
CVE-2019-13990	Oracle Retail Returns Management	Security (Apache Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1
CVE-2019-2880	Oracle Retail Store Inventory Management	Security	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	16.0
CVE-2019-17563	MICROS Relate CRM Software	Segments (Apache Tomcat)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	11.4
CVE-2019-17563	Oracle Retail Order Broker	System Administration (Apache Tomcat)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	15.0
CVE-2020-5398	Oracle Retail Order Broker	System Administration (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	15.0, 16.0
CVE-2017-5533	Oracle Retail Xstore Point of Service	Point of Sale (JasperReports)	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	15.0
CVE-2019-0227	Oracle Retail Xstore Point of Service	Xenvironment (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	7.1
CVE-2019-17359	Oracle Retail Xstore Point of Service	Xenvironment (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	18.0.1
CVE-2017-12626	Oracle Retail Xstore Point of Service	Xenvironment (Apache POI)	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	7.1
CVE-2019-17091	Oracle Retail Advanced Inventory Planning	AIP Dashboard (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0, 16.0
CVE-2019-17091	Oracle Retail Merchandising System	Inventory Tracking (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.0
CVE-2018-10237	Oracle Retail Xstore Point of Service	Xstore Office (Google Guava)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	7.1, 15.0, 16.0, 17.0
CVE-2017-3160	Oracle Retail Xstore Point of Service	Xstore Services (Apache Cordova)	None	No	4.2	Local	High	Low	Required	Un- changed	Low	Low	Low	15.0
CVE-2019-10173	Oracle Retail Xstore Point of Service	Point of Sale (xstream)	HTTP	No	3.9	Network	High	High	Required	Un- changed	Low	Low	Low	17.0
CVE-2019-10086	Oracle Retail Xstore Point of Service	Xenvironment (Apache Commons)	HTTP	No	3.9	Network	High	High	Required	Un- changed	Low	Low	Low	7.1, 15.0, 16.0, 17.0, 18.0
CVE-2019-10072	Oracle Retail Xstore Point of Service	Xstore Services (Apache Tomcat)	HTTP	No	3.9	Network	High	High	Required	Un- changed	Low	Low	Low	15.0, 16.0, 17.0, 18.0
CVE-2018-1258	Oracle Retail Xstore Point of Service	Xenvironment (jackson-databind)	HTTP	No	3.7	Network	High	Low	Required	Un- changed	Low	None	Low	17.0
CVE-2019-10082	Oracle Retail Xstore Point of Service	Xstore Office (Apache HTTP Server)	HTTP	No	3.3	Network	High	High	None	Un- changed	Low	None	Low	7.1
CVE-2018-11797	Oracle Retail Xstore Point of Service	Dataloader (Apache pdfbox)	HTTP	No	3.1	Network	High	High	Required	Un- changed	Low	None	Low	17.0
CVE-2018-10237	Oracle Retail Xstore Point of Service	Xstore Services (Google Guava)	HTTP	No	3.1	Network	High	High	Required	Un- changed	Low	Low	None	17.0

Additional CVEs addressed are below:

The patch for CVE-2017-5533 also addresses CVE-2017-5529.
The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
The patch for CVE-2018-11797 also addresses CVE-2018-8036 and CVE-2019-0228.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10072 also addresses CVE-2017-15706, CVE-2018-11784, CVE-2018-1304, CVE-2018-1305, CVE-2018-1336, CVE-2018-8014, CVE-2018-8034, CVE-2018-8037, CVE-2019-0199, CVE-2019-0221 and CVE-2019-0232.
The patch for CVE-2019-10082 also addresses CVE-2019-10081, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098 and CVE-2019-9517.
The patch for CVE-2019-13990 also addresses CVE-2019-5427.
The patch for CVE-2020-5398 also addresses CVE-2020-5397.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Siebel CRM. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2738	Siebel UI Framework	EAI, SWSE	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	20.2 and prior

Oracle Supply Chain Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle In-Memory Performance-Driven Planning	User Interface (Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2020-2920	Oracle Agile PLM	Security	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.3.3, 9.3.5, 9.3.6
CVE-2020-2744	Oracle Transportation Management	Security	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	6.3.7, 6.4.2, 6.4.3
CVE-2020-2865	Oracle Configurator	Installation	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1, 12.2

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Support Tools. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-5482	OSS Support Tools	Services Tools Bundle (cURL)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	20.0
CVE-2019-15601	OSS Support Tools	Services Tools Bundle (cURL)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	20.1

Additional CVEs addressed are below:

The patch for CVE-2019-5482 also addresses CVE-2019-5435, CVE-2019-5436, CVE-2019-5443 and CVE-2019-5481.

Oracle Systems Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Systems. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2729	StorageTek Tape Analytics SW Tool	Application Server (Oracle WebLogic Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.3.0
CVE-2020-2944	Oracle Solaris	Common Desktop Environment	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	10, 11
CVE-2020-2927	Oracle Solaris	Common Desktop Environment	None	No	7.8	Local	High	Low	None	Changed	High	High	High	10, 11
CVE-2020-2851	Oracle Solaris	Common Desktop Environment	None	No	7.8	Local	High	Low	None	Changed	High	High	High	10, 11
CVE-2018-1165	Oracle Solaris	SMB Server Kernel Module	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	11
CVE-2018-1165	Oracle ZFS Storage Appliance Kit	Operating System Image	Multiple	No	7.0	Local	High	Low	None	Un- changed	High	High	High	8.8
CVE-2019-11358	StorageTek Tape Analytics SW Tool	Software (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.3.0
CVE-2020-2749	Oracle Solaris	SMF command svcbundle	None	No	2.5	Local	High	Low	Required	Changed	None	Low	None	11
CVE-2020-2771	Oracle Solaris	Whodo	None	No	2.5	Local	High	Low	Required	Changed	Low	None	None	10, 11

Additional CVEs addressed are below:

The patch for CVE-2018-1165 also addresses CVE-2016-6489, CVE-2017-5754, CVE-2018-0732, CVE-2018-0734, CVE-2018-0737, CVE-2018-18227, CVE-2018-19622, CVE-2018-19623, CVE-2018-19624, CVE-2018-19625, CVE-2018-19626, CVE-2018-19627, CVE-2018-19628, CVE-2018-5407, CVE-2019-12387, CVE-2019-12855, CVE-2019-13057, CVE-2019-13565, CVE-2019-16056, CVE-2019-16168, CVE-2019-19269, CVE-2019-19553, CVE-2019-2412, CVE-2019-2878, CVE-2019-3008, CVE-2019-9579, CVE-2020-2558, CVE-2020-2578, CVE-2020-2680, CVE-2020-2749 and CVE-2020-7044.
The patch for CVE-2019-2729 also addresses CVE-2019-2725.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Utilities Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-1000632	Oracle Utilities Framework	Common (Dom4J)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	2.2.0, 4.2.0.2, 4.2.0.3, 4.3.0.2 – 4.3.0.6, 4.4.0.0, 4.4.0.2
CVE-2017-12626	Oracle Utilities Network Management System	Upload (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	1.12.0.3, 2.3.0.1, 2.3.0.2, 2.4.0.0

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 20 new security patches for Oracle Virtualization. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2902	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2959	Oracle VM VirtualBox	Core	MLD	Yes	8.6	Network	Low	None	None	Changed	None	None	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2742	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2905	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2908	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2758	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2929	Oracle VM VirtualBox	Core	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2575	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2911	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2907	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2958	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2913	Oracle VM VirtualBox	Core	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	Prior to 6.0.20, prior to 6.1.6
CVE-2020-2914	Oracle VM VirtualBox	Core	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	Prior to 6.0.20, prior to 6.1.6
CVE-2020-2910	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	High	None	Prior to 6.0.20, prior to 6.1.6
CVE-2020-2951	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2741	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2743	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2894	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2748	Oracle VM VirtualBox	Core	None	No	3.2	Local	Low	High	None	Changed	Low	None	None	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2909	Oracle VM VirtualBox	Core	None	No	2.8	Local	Low	Low	Required	Un- changed	None	None	Low	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6

No Related Posts

Oracle Critical Patch Update Advisory – January 2020

January 13, 2020November 24, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – January 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

This Critical Patch Update contains 334 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at January 2020 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.0.0, 13.3.0.0	Enterprise Manager
Enterprise Manager for Fusion Middleware, versions 13.2.0.0, 13.3.0.0	Enterprise Manager
Enterprise Manager for Oracle Database, versions 12.1.0.5, 13.2.0.0, 13.3.0.0	Enterprise Manager
Enterprise Manager Ops Center, versions 12.3.3, 12.4.0	Enterprise Manager
Hyperion Financial Close Management, version 11.1.2.4	Fusion Middleware
Hyperion Planning, version 11.1.2.4	Fusion Middleware
Identity Manager, versions 11.1.2.3.0, 12.2.1.3.0	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3	Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Orchestrator, version 9.2	JD Edwards
JD Edwards EnterpriseOne Tools, version 9.2	JD Edwards
MySQL Client, versions 5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior	MySQL
MySQL Cluster, versions 7.3.27 and prior, 7.4.25 and prior, 7.5.15 and prior, 7.6.12 and prior	MySQL
MySQL Connectors, versions 5.3.13 and prior, 8.0.18 and prior	MySQL
MySQL Enterprise Backup, versions 3.12.4 and prior, 4.1.3 and prior	MySQL
MySQL Server, versions 5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior	MySQL
MySQL Workbench, versions 8.0.18 and prior	MySQL
Oracle Agile Engineering Data Management, versions 6.2.0, 6.2.1	Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6	Oracle Supply Chain Products
Oracle Agile PLM Framework, version 9.3.3	Oracle Supply Chain Products
Oracle Agile PLM MCAD Connector, versions 3.4, 3.5, 3.6	Oracle Supply Chain Products
Oracle Application Testing Suite, versions 12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1	Enterprise Manager
Oracle AutoVue, version 21.0.2	Oracle Supply Chain Products
Oracle Banking Corporate Lending, versions 12.3.0-12.4.0, 14.0.0-14.3.0	Oracle Financial Services Applications
Oracle Banking Payments, versions 14.1.0-14.3.0	Oracle Financial Services Applications
Oracle Big Data Discovery, version 1.6	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Clinical, version 5.2	Health Sciences
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Communications Design Studio, versions 7.3.4.3.0, 7.3.5.5.0, 7.4.0.4.0, 7.4.1.1.0	Oracle Communications Design Studio
Oracle Communications Diameter Signaling Router (DSR), versions 8.0, 8.1, 8.2, 8.3, 8.4	Oracle Communications Diameter Signaling Router
Oracle Communications Instant Messaging Server, version 10.0.1.3.0	Oracle Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2, 6.3	Oracle Communications Interactive Session Recorder
Oracle Communications IP Service Activator, versions 7.3.4, 7.4.0	Oracle Communications IP Service Activator
Oracle Communications Session Border Controller, versions 7.4, 8.0, 8.1, 8.2, 8.3	Oracle Communications Session Border Controller
Oracle Communications Session Router, versions 7.4, 8.0, 8.1, 8.2, 8.3	Oracle Communications Session Router
Oracle Communications Subscriber-Aware Load Balancer, versions 7.3, 8.1, 8.3	Oracle Communications Subscriber-Aware Load Balancer
Oracle Communications Unified Inventory Management, versions 7.3, 7.4	Oracle Communications Unified Inventory Management
Oracle Communications Unified Session Manager, versions 7.3.5, 8.2.5	Oracle Communications Unified Session Manager
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	Database
Oracle Demantra Demand Management, versions 12.2.4, 12.2.4.1, 12.2.5, 12.2.5.1	Oracle Supply Chain Products
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9	E-Business Suite
Oracle Endeca Information Discovery Integrator, version 3.2.0	Fusion Middleware
Oracle Endeca Information Discovery Studio, version 3.2.0	Fusion Middleware
Oracle Enterprise Communications Broker, versions PCz3.0, PCz3.1, PCz3.2	Oracle Enterprise Communications Broker
Oracle Enterprise Repository, version 12.1.3.0.0	Fusion Middleware
Oracle Enterprise Session Border Controller, versions 7.5, 8.0, 8.1, 8.2, 8.3	Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3-7.3.5, 8.0.0-8.0.8	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Funds Transfer Pricing, versions 8.0.2-8.0.7	Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Revenue Management and Billing, versions 2.7.0.0, 2.7.0.1, 2.8.0.0	Oracle Financial Services Revenue Management and Billing
Oracle FLEXCUBE Investor Servicing, versions 12.1.0-12.4.0, 14.0.0-14.1.0	Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 12.0.1-12.4.0, 14.0.0-14.3.0	Oracle Financial Services Applications
Oracle GraalVM Enterprise Edition, version 19.3.0.2	Oracle GraalVM Enterprise Edition
Oracle Health Sciences Data Management Workbench, versions 2.4, 2.5	Health Sciences
Oracle Healthcare Master Person Index, version 3.0	Health Sciences
Oracle Hospitality Cruise Materials Management, version 7.30.567	Oracle Hospitality Cruise Materials Management
Oracle Hospitality Guest Access, version 4.2	Oracle Hospitality Guest Access
Oracle Hospitality OPERA 5, versions 5.5, 5.6	Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Suites Management, versions 3.7, 3.8	Oracle Hospitality Suites Management
Oracle HTTP Server, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle iLearning, version 6.1	iLearning
Oracle Java SE, versions 7u241, 8u231, 11.0.5, 13.0.1	Java SE
Oracle Java SE Embedded, version 8u231	Java SE
Oracle Outside In Technology, version 8.5.4	Fusion Middleware
Oracle Real-Time Scheduler, versions 2.3.0.1-2.3.0.3	Oracle Utilities Applications
Oracle Reports Developer, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Retail Assortment Planning, versions 15.0.3, 16.0.3	Retail Applications
Oracle Retail Clearance Optimization Engine, versions 13.4, 14.0, 14.0.3, 14.0.5	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0	Retail Applications
Oracle Retail Markdown Optimization, versions 13.4, 13.4.4	Retail Applications
Oracle Retail Order Broker, versions 5.2, 15.0, 16.0, 18.0	Retail Applications
Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3	Retail Applications
Oracle Retail Sales Audit, version 15.0.3.16.0.2	Retail Applications
Oracle Secure Global Desktop, versions 5.4, 5.5	Virtualization
Oracle Security Service, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle Solaris, versions 10, 11	Systems
Oracle Tuxedo, versions 12.1.1.0.0, 12.1.3.0.0	Fusion Middleware
Oracle Utilities Framework, versions 4.2.0.2-4.2.0.3, 4.3.0.1-4.3.0.4	Oracle Utilities Applications
Oracle Utilities Mobile Workforce Management, versions 2.3.0.1-2.3.0.3	Oracle Utilities Applications
Oracle Utilities Work and Asset Management (v1), version 1.9.1.2	Oracle Utilities Applications
Oracle VM Server for SPARC, version 3.6	Systems
Oracle VM VirtualBox, versions prior to 5.2.36, prior to 6.0.16, prior to 6.1.2	Virtualization
Oracle WebCenter Sites, version 12.2.1.3.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
PeopleSoft Enterprise CC Common Application Objects, versions 9.1, 9.2	PeopleSoft
PeopleSoft Enterprise HCM Human Resources, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58	PeopleSoft
PeopleSoft PeopleTools, versions 8.56, 8.57	PeopleSoft
Primavera Gateway, versions 15.2.18, 16.2.11, 17.12.6, 18.8.8.1	Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 15.1.0.0-15.2.18.7, 16.1.0.0-16.2.19.0, 17.1.0.0-17.12.16.0, 18.1.0.0-18.8.16.0, 19.12.0.0, 20.1.0.0	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12	Oracle Construction and Engineering Suite
Siebel Applications, versions 19.10 and prior	Siebel
Sun ZFS Storage Appliance Kit, version 8.8.6	Systems
Tape Library ACSLS, versions 8.5, 8.5.1	Systems

Note:

Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Add of STAR labs: CVE-2020-2674
Afanti of North China Electric Power University: CVE-2020-2550
Alexander Kornbrust of Red Database Security: CVE-2020-2511, CVE-2020-2516, CVE-2020-2527, CVE-2020-2572, CVE-2020-2608, CVE-2020-2609, CVE-2020-2610, CVE-2020-2611, CVE-2020-2612, CVE-2020-2613, CVE-2020-2614, CVE-2020-2615, CVE-2020-2616, CVE-2020-2617, CVE-2020-2618, CVE-2020-2619, CVE-2020-2620, CVE-2020-2621, CVE-2020-2622, CVE-2020-2623, CVE-2020-2624, CVE-2020-2625, CVE-2020-2626, CVE-2020-2628, CVE-2020-2629, CVE-2020-2630, CVE-2020-2631, CVE-2020-2632, CVE-2020-2633, CVE-2020-2634, CVE-2020-2635, CVE-2020-2636, CVE-2020-2637, CVE-2020-2638, CVE-2020-2639, CVE-2020-2640, CVE-2020-2641, CVE-2020-2642, CVE-2020-2643, CVE-2020-2644, CVE-2020-2645
ALVES Christopher: CVE-2020-2570, CVE-2020-2573, CVE-2020-2574
An Trinh: CVE-2020-6950
Andrej Simko of Accenture: CVE-2020-2582, CVE-2020-2596, CVE-2020-2597, CVE-2020-2657, CVE-2020-2658, CVE-2020-2661, CVE-2020-2662, CVE-2020-2665, CVE-2020-2667, CVE-2020-2668, CVE-2020-2669, CVE-2020-2670, CVE-2020-2671, CVE-2020-2672
Andres Georgieff of Sandia National Laboratories: CVE-2020-2561
André Lenoir of Tehtris: CVE-2020-2651, CVE-2020-2652, CVE-2020-2653
anhdaden of StarLabs working with Trend Micro’s Zero Day Initiative: CVE-2020-2682
Anonymous researcher working with Trend Micro’s Zero Day Initiative: CVE-2020-2698, CVE-2020-2701, CVE-2020-2726, CVE-2020-2727
Bengt Jonsson of Uppsala University: CVE-2020-2655
Bo Zhang: CVE-2020-2654
Daniel Le Souef of Trustwave Hivint: CVE-2020-2675, CVE-2020-2676, CVE-2020-2677
Daniel Martinez Adan (aDoN90): CVE-2020-2538, CVE-2020-2539
Davide Berardi: CVE-2020-2703
Devin Rosenbauer of Identity Works LLC: CVE-2020-2729
Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2020-2568, CVE-2020-2569, CVE-2020-2731
Ehsan Nikavar: CVE-2020-2531
elasticheart from ICC working with Trend Micro Zero Day Initiative: CVE-2020-2681, CVE-2020-2689, CVE-2020-2690, CVE-2020-2691, CVE-2020-2692, CVE-2020-2704, CVE-2020-2705
Giuseppino Cadeddu of Quantum Leap: CVE-2020-2599
Harold Zang of Trustwave Hivint: CVE-2020-2675, CVE-2020-2676, CVE-2020-2677
Harrison Neal: CVE-2020-2510, CVE-2020-2512, CVE-2020-2515, CVE-2020-2517
Instructor working with Trend Micro Zero Day Initiative: CVE-2020-2693
JanatiIdrissi Zouhair: CVE-2020-2570, CVE-2020-2573, CVE-2020-2574
Jang from VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-2555
Jonas Mattsson of Outpost24 Ghost Labs: CVE-2020-2533, CVE-2020-2534
Juraj Somorovsky of Ruhr-University Bochum: CVE-2020-2655
Kasper Leigh Haabb, Secunia Research at Flexera: CVE-2020-2540, CVE-2020-2541, CVE-2020-2542, CVE-2020-2543, CVE-2020-2576
Kirtikumar Anandrao Ramchandani: CVE-2020-2545
Kostis Sagonas of Uppsala University: CVE-2020-2655
Kylinking of NSFocus Security Team: CVE-2020-2551
Long Kuan: CVE-2020-2654
Looke of PingAn Galaxy Lab: CVE-2020-2547, CVE-2020-2548, CVE-2020-2549, CVE-2020-2552
Lucas Leong of Trend Micro Zero Day Initiative: CVE-2020-2702
Lukasz Mikula: CVE-2020-2563
Lukasz Plonka of ING Tech Poland: CVE-2020-2663
Lukasz Rupala of ING Tech Poland: CVE-2020-2663
Marco Ivaldi of Media Service: CVE-2020-2656, CVE-2020-2696
Martin Doyhenard of Onapsis: CVE-2020-2586, CVE-2020-2587
Matthias Kaiser of Apple Information Security: CVE-2020-2546
Michal Skowron: CVE-2020-2537
Microsoft Vulnerability Research of Microsoft Corp.: CVE-2020-2536
Mohammad Sedghi: CVE-2020-2535
Nicolas Verdier of Tehtris: CVE-2020-2651, CVE-2020-2652, CVE-2020-2653
Or Hanuka of Motorola Solutions: CVE-2020-2557
Owais Zaman of Sabic: CVE-2020-2592, CVE-2020-2707
Paul Fiterau Brostean of Uppsala University: CVE-2020-2655
Philippe Antoine, Christopher Alves, Zouhair Janatil-Idrissi, Julien Zhan (Telecom Nancy): CVE-2020-2570, CVE-2020-2573, CVE-2020-2574
RACV Information Security Team: CVE-2020-2675, CVE-2020-2676, CVE-2020-2677
Reno Robert: CVE-2020-2698
Robert Merget of Ruhr-University Bochum: CVE-2020-2655
Rémi Badonnel: CVE-2020-2570, CVE-2020-2573, CVE-2020-2574
Sravya Nandimandalam: CVE-2020-2519
Stefano Ciccone of Aon’s Cyber Labs: CVE-2020-2551
Tom Tran: CVE-2020-2559, CVE-2020-2728
Tomasz Wisniewski: CVE-2020-2688
Tzachy Horesh (Motorola Solutions) of Motorola Solutions: CVE-2020-2557
Vivek Parikh: CVE-2020-2678
ZHAN Julien: CVE-2020-2570, CVE-2020-2573, CVE-2020-2574
Zhongcheng Li (CK01) of Topsec Alpha Team: CVE-2020-2725
Zohaib Tasneem of Sabic: CVE-2020-2707

Security-In-Depth Contributors

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

An Trinh
Andres Georgieff of Sandia National Laboratories
Benjamin Horvat of Cologne-Intelligence
Josh Bressers of Elastic
Marek Cybul
Markus Loewe
Martin Doyhenard of Onapsis
Matias Mevied of Onapsis
Quentin Rhoads-Herrera of Critical Start
Tolga Han Jonas Özgan of Cologne-Intelligence
Vahagn Vardanyan
Vladimir Egorov

On-Line Presence Security Contributors

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

Aditya Shende
Ahmet Gürel
Andy Bentley
Apoorv Raj Saxena of FireCompass
Arcot Manju
Hardikkumar Patel
Jimmy Bruneel
Joby Y Daniel
Lutfu Mert Ceylan
Mohamed Yaser
Mohammed Rafi
Pankaj Kumar Thakur (Nepal)
Roger Meyer
Sai Kiran Battaluri
Saiteja Pinoju
Zeel D. Chavda

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

14 April 2020
14 July 2020
20 October 2020
19 January 2021

References

Modification History

Date	Note
2020-April-20	Rev 7. Updated affected versions associated with CVE-2020-2555.
2020-March-11	Rev 6. Updated affected versions of Oracle AutoVue associated with CVE-2019-10247 and CVE-2020-2592. Updated affected versions associated with CVE-2020-2569.
2020-March-5	Rev 5. Updated affected versions associated with CVE-2020-2517.
2020-January-23	Rev 4. Updated affected versions associated with CVE-2020-2555 and modified credit entries for CVE-2020-2551, CVE-2020-2559 and CVE-2020-2663.
2020-January-17	Rev 3. Updated MOS note number for Oracle Communications Session Border Controller.
2020-January-15	Rev 2. JavaSE and Database Versions Updated.
2020-January-14	Rev 1. Initial Release.

Oracle Database Server Risk Matrix

This Critical Patch Update contains 12 new security patches for the Oracle Database Server. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2511	Core RDBMS	Create Session	OracleNet	No	7.7	Network	Low	Low	None	Changed	None	None	High	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2510	Core RDBMS	None	OracleNet	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2518	Java VM	Create Session	Multiple	No	7.5	Network	High	Low	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-10072	Workload Manager (Apache Tomcat)	None	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.0.1, 18c, 19c	See Note 1
CVE-2020-2512	Database Gateway for ODBC	None	OracleNet	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2515	Database Gateway for ODBC	Create Session	OracleNet	No	5.0	Network	High	Low	None	Un- changed	Low	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2527	Core RDBMS	Create Index, Create Table	OracleNet	No	4.1	Network	Low	High	None	Changed	Low	None	None	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2731	Core RDBMS	Local Logon	Local Logon	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2568	Oracle Applications DBA	Local Logon	Local Logon	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2569	Oracle Applications DBA	Local Logon	Local Logon	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2517	Database Gateway for ODBC	Create Procedure, Create Database Link	OracleNet	No	3.3	Network	High	High	None	Un- changed	None	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2516	Core RDBMS	Create Materialized View, Create Table	OracleNet	No	2.4	Network	Low	High	Required	Un- changed	None	Low	None	12.1.0.2, 12.2.0.1, 18c, 19c

Notes:

This patch also addresses four additional vulnerabilities: CVE-2018-11784, CVE-2019-0199, CVE-2019-0221 and CVE-2019-0232. For Windows platform – due to CVE-2019-0232 – the CVSS 3.0 score is 8.1.

Additional CVEs addressed are below:

The patch for CVE-2019-10072 also addresses CVE-2018-11784, CVE-2019-0199, CVE-2019-0221 and CVE-2019-0232.

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 25 new security patches for Oracle Communications Applications. 23 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14379	Oracle Communications Instant Messaging Server	Presence-api (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0.1.3.0
CVE-2017-5645	Oracle Communications Instant Messaging Server	Core (Log4j)	XMPP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0.1.3.0
CVE-2018-16395	Oracle Communications Interactive Session Recorder	Security (Ruby)	TLS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0, 6.1, 6.2, 6.3
CVE-2018-11058	Oracle Communications IP Service Activator	Database Client (NZ)	TCPS/HTTPS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.4, 7.4.0
CVE-2019-8457	Oracle Communications Unified Inventory Management	Tools (SQLite)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3, 7.4
CVE-2019-3862	Oracle Communications Diameter Signaling Router (DSR)	Platform (libssh2)	SSH	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	8.0, 8.1, 8.2, 8.3, 8.4
CVE-2019-0227	Oracle Communications Design Studio	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	7.4.1.1.0, 7.3.4.3.0, 7.3.5.5.0, 7.4.0.4.0
CVE-2019-16168	Oracle Communications Design Studio	Core (SQLite)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.3.4.3.0, 7.3.5.5.0, 7.4.0.4.0
CVE-2019-10072	Oracle Communications Instant Messaging Server	Core (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10.0.1.3.0
CVE-2018-6829	Oracle Communications Interactive Session Recorder	General (libgcrypt)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	6.0, 6.1, 6.2, 6.3
CVE-2019-11477	Oracle Communications Session Border Controller	Security (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.4, 8.0, 8.1, 8.2, 8.3
CVE-2019-11477	Oracle Communications Session Router	Security (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.4, 8.0, 8.1, 8.2
CVE-2019-11477	Oracle Communications Subscriber-Aware Load Balancer	IP Stack (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.3, 8.1, 8.3
CVE-2018-15756	Oracle Communications Unified Inventory Management	Security (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.3, 7.4
CVE-2019-11477	Oracle Enterprise Communications Broker	IP Stack (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	PCz3.0, PCz3.1, PCz3.2
CVE-2019-11477	Oracle Enterprise Session Border Controller	Security (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.5, 8.0, 8.1, 8.2, 8.3
CVE-2019-11358	Oracle Communications Interactive Session Recorder	General (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.0, 6.1, 6.2, 6.3
CVE-2019-17091	Oracle Communications Unified Inventory Management	Maps (Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.3, 7.4
CVE-2019-11358	Oracle Communications Unified Inventory Management	Maps (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.3, 7.4
CVE-2019-1559	Oracle Communications Diameter Signaling Router (DSR)	Platform (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.0, 8.1, 8.2, 8.3, 8.4
CVE-2019-1559	Oracle Communications Session Border Controller	Security (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.4, 8.0, 8.1, 8.2, 8.3
CVE-2019-1559	Oracle Communications Session Router	Security (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.4, 8.0, 8.1, 8.2, 8.3
CVE-2019-1559	Oracle Communications Unified Session Manager	Routing (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.3.5, 8.2.5
CVE-2018-0734	Oracle Enterprise Communications Broker	Security (OpenSSL)	None	No	5.1	Local	High	None	None	Un- changed	High	None	None	PCz3.0, PCz3.1, PCz3.2
CVE-2018-0734	Oracle Enterprise Session Border Controller	Security (OpenSSL)	None	No	5.1	Local	High	None	None	Un- changed	High	None	None	7.5, 8.0, 8.1, 8.2, 8.3

Additional CVEs addressed are below:

The patch for CVE-2018-0734 also addresses CVE-2018-0735, CVE-2018-5407, CVE-2019-1547 and CVE-2019-1559.
The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10072 also addresses CVE-2018-11784 and CVE-2019-0232.
The patch for CVE-2019-11477 also addresses CVE-2019-11478 and CVE-2019-11479.
The patch for CVE-2019-14379 also addresses CVE-2018-14718, CVE-2018-19362, CVE-2019-12086 and CVE-2019-14439.
The patch for CVE-2019-1559 also addresses CVE-2018-0734.
The patch for CVE-2019-16168 also addresses CVE-2019-8457, CVE-2019-9936 and CVE-2019-9937.
The patch for CVE-2019-8457 also addresses CVE-2019-9936 and CVE-2019-9937.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Construction and Engineering. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14540	Primavera Gateway	Admin (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.2.18, 16.2.11, 17.12.6, 18.8.8.1
CVE-2019-14540	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2019-10088	Primavera Unifier	Core (Apache Tika)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2019-0227	Primavera Gateway	Provider (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	16.2.11, 17.12.6
CVE-2019-0227	Primavera Unifier	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2020-2556	Primavera P6 Enterprise Project Portfolio Management	Core	None	No	7.3	Local	Low	Low	Required	Changed	Low	High	Low	16.2.0.0-16.2.19.0, 17.12.0.0-17.12.16.0, 18.8.0.0-18.8.16.0, 19.12.0.0, 20.1.0.0
CVE-2012-1695	Instantis EnterpriseTrack	Mobile (Mobile Application Framework)	HTTP	Yes	6.8	Network	High	None	None	Changed	None	High	None	17.1, 17.2, 17.3	See Note 1
CVE-2019-11358	Primavera Gateway	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.2.18, 16.2.11, 17.12.6, 18.8.8.1
CVE-2019-17091	Primavera P6 Enterprise Project Portfolio Management	Web Access (Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.1.0.0-15.2.18.7, 16.1.0.0-16.2.19.0, 17.1.0.0-17.12.15.0, 18.1.0.0-18.8.15.0, 19.12.0.0
CVE-2019-12415	Primavera Gateway	Admin (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	17.12.6, 18.8.8.1
CVE-2019-12415	Primavera Unifier	Core (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2020-2707	Primavera P6 Enterprise Project Portfolio Management	WebAccess	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	15.1.0.0-15.2.18.7, 16.1.0.0-16.2.19.0, 17.1.0.0-17.12.16.0, 18.1.0.0-18.8.16.0, 19.12.0.0

Notes:

JRockit is removed.

Additional CVEs addressed are below:

The patch for CVE-2012-1695 also addresses CVE-2012-3135.
The patch for CVE-2019-0227 also addresses CVE-2014-3596 and CVE-2018-8032.
The patch for CVE-2019-10088 also addresses CVE-2019-10093 and CVE-2019-10094.
The patch for CVE-2019-11358 also addresses CVE-2015-9251.
The patch for CVE-2019-14540 also addresses CVE-2019-16335.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 23 new security patches for the Oracle E-Business Suite. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the January 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (January 2020), My Oracle Support Note 2613782.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2586	Oracle Human Resources	Hierarchy Diagrammers	HTTPS	No	9.9	Network	Low	Low	None	Changed	High	High	Low	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2587	Oracle Human Resources	Hierarchy Diagrammers	HTTPS	No	9.9	Network	Low	Low	None	Changed	High	High	Low	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2651	Oracle CRM Technical Foundation	Preferences	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2652	Oracle CRM Technical Foundation	Preferences	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2653	Oracle CRM Technical Foundation	Preferences	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2669	Oracle Email Center	Message Display	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2670	Oracle Email Center	Message Display	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2671	Oracle Email Center	Message Display	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2672	Oracle Email Center	Message Display	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2582	Oracle iStore	Shopping Cart	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2658	Oracle iSupport	Others	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2661	Oracle iSupport	Others	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2662	Oracle iSupport	Others	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2665	Oracle iSupport	Others	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2591	Oracle Web Applications Desktop Integrator	Application Service	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3
CVE-2020-2603	Oracle Field Service	Wireless	HTTPS	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2666	Oracle Applications Framework	Attachments / File Upload	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.2.5-12.2.9
CVE-2020-2566	Oracle Applications Framework	Attachments / File Upload	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2596	Oracle CRM Technical Foundation	Message Hooks	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2657	Oracle CRM Technical Foundation	Preferences	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2667	Oracle iSupport	Others	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2668	Oracle iSupport	Others	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2597	Oracle One-to-One Fulfillment	Call Phone Number Page	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 50 new security patches for Oracle Enterprise Manager. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the January 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2602410.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-11058	Enterprise Manager Ops Center	Networking (Oracle Security Service)	HTTPS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.3, 12.4.0
CVE-2019-5482	Enterprise Manager Ops Center	Networking (cURL)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.3, 12.4.0
CVE-2019-2904	Oracle Application Testing Suite	Load Testing for Web Apps (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2016-4000	Oracle Application Testing Suite	Oracle Flow Builder (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2017-12626	Oracle Application Testing Suite	Load Testing for Web Apps (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2020-2673	Oracle Application Testing Suite	Oracle Flow Builder	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2017-12626	Oracle Application Testing Suite	Oracle Flow Builder (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2019-11358	Oracle Application Testing Suite	Oracle Flow Builder (jQuery)	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2020-2609	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2017-14735	Oracle Application Testing Suite	Load Testing for Web Apps (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2017-14735	Oracle Application Testing Suite	Oracle Flow Builder (Antisamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2020-2631	Enterprise Manager Base Platform	Application Service Level Mgmt	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2636	Enterprise Manager Base Platform	Application Service Level Mgmt	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2626	Enterprise Manager Base Platform	Cloud Control Manager – OMS	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2634	Enterprise Manager Base Platform	Configuration Standard Framewk	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2624	Enterprise Manager Base Platform	Connector Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2633	Enterprise Manager Base Platform	Connector Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2642	Enterprise Manager Base Platform	Connector Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2645	Enterprise Manager Base Platform	Connector Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2617	Enterprise Manager Base Platform	Discovery Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2610	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2611	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2612	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2618	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2619	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2620	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2621	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2616	Enterprise Manager Base Platform	Enterprise Manager Repository	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2622	Enterprise Manager Base Platform	Event Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2629	Enterprise Manager Base Platform	Extensibility Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2630	Enterprise Manager Base Platform	Extensibility Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2613	Enterprise Manager Base Platform	Global EM Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2628	Enterprise Manager Base Platform	Host Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2639	Enterprise Manager Base Platform	Host Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2625	Enterprise Manager Base Platform	Job System	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2643	Enterprise Manager Base Platform	Job System	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2623	Enterprise Manager Base Platform	Metrics Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2615	Enterprise Manager Base Platform	Oracle Management Service	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2644	Enterprise Manager Base Platform	Oracle Management Service	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2608	Enterprise Manager Base Platform	Repository	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	13.2.0.0, 13.3.0.0
CVE-2020-2632	Enterprise Manager Base Platform	System Monitoring	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2635	Enterprise Manager Base Platform	System Monitoring	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2614	Enterprise Manager for Fusion Middleware	APM Mesh	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	13.2.0.0, 13.3.0.0
CVE-2020-2637	Enterprise Manager for Oracle Database	Change Manager – web based	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2641	Enterprise Manager for Oracle Database	Discovery Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2638	Enterprise Manager for Oracle Database	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2640	Enterprise Manager for Oracle Database	Target Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2019-12415	Oracle Application Testing Suite	Load Testing for Web Apps (Apache POI)	none	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2020-2646	Enterprise Manager Base Platform	Command Line Interface	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2019-1547	Enterprise Manager Ops Center	Networking (RSA Bsafe)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	12.3.3, 12.4.0

Additional CVEs addressed are below:

The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-5482 also addresses CVE-2019-5481.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 24 new security patches for Oracle Financial Services Applications. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-0227	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	7.3.3-7.3.5, 8.0.0-8.0.8
CVE-2019-0227	Oracle Financial Services Funds Transfer Pricing	Web Service (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.0.2-8.0.7
CVE-2020-2718	Oracle Banking Corporate Lending	Core	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	12.3.0-12.4.0, 14.0.0-14.3.0
CVE-2020-2713	Oracle Banking Payments	Core	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	14.1.0-14.3.0
CVE-2020-2688	Oracle Financial Services Analytical Applications Infrastructure	Object Migration	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	8.0.4-8.0.8
CVE-2020-2723	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	12.1.0-12.4.0, 14.0.0-14.1.0
CVE-2020-2699	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	12.0.1-12.4.0, 14.0.0-14.3.0
CVE-2020-2716	Oracle Banking Corporate Lending	Core	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.3.0-12.4.0, 14.0.0-14.3.0
CVE-2020-2711	Oracle Banking Payments	Core	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	14.1.0-14.3.0
CVE-2020-2721	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.1.0-12.4.0, 14.0.0-14.1.0
CVE-2020-2684	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.0.1-12.4.0, 14.0.0-14.3.0
CVE-2020-2715	Oracle Banking Corporate Lending	Core	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.3.0-12.4.0, 14.0.0-14.3.0
CVE-2020-2717	Oracle Banking Corporate Lending	Core	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	12.3.0-12.4.0, 14.0.0-14.3.0
CVE-2020-2710	Oracle Banking Payments	Core	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	14.1.0-14.3.0
CVE-2020-2712	Oracle Banking Payments	Core	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	14.1.0-14.3.0
CVE-2020-2730	Oracle Financial Services Revenue Management and Billing	File Upload	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	2.7.0.0, 2.7.0.1, 2.8.0.0
CVE-2020-2720	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.1.0-12.4.0, 14.0.0-14.1.0
CVE-2020-2722	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	12.1.0-12.4.0, 14.0.0-14.1.0
CVE-2020-2685	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	12.0.1-12.4.0, 14.0.0-14.3.0
CVE-2020-2683	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTPS	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.0.1-12.4.0, 14.0.0-14.3.0
CVE-2020-2719	Oracle Banking Corporate Lending	Core	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.3.0-12.4.0, 14.0.0-14.3.0
CVE-2020-2714	Oracle Banking Payments	Core	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	14.1.0-14.3.0
CVE-2020-2724	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.1.0-12.4.0, 14.0.0-14.1.0
CVE-2020-2700	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.0.1-12.4.0, 14.0.0-14.3.0

Oracle Food and Beverage Applications Risk Matrix

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2697	Oracle Hospitality Suites Management	Request Tracker	None	No	4.9	Physical	Low	Low	None	Un- changed	High	Low	None	3.7, 3.8

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 38 new security patches for Oracle Fusion Middleware. 30 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update January 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2602410.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2555	Oracle Coherence	Caching,CacheStore,Invocation	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2551	Oracle WebLogic Server	WLS Core Components	IIOP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2546	Oracle WebLogic Server	Application Container – JavaEE	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0
CVE-2020-2728	Identity Manager	OIM – LDAP user and role Synch	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3.0
CVE-2019-0227	Oracle Big Data Discovery	Studio (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	1.6
CVE-2019-0227	Oracle Endeca Information Discovery Studio	Studio (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	3.2.0
CVE-2017-12626	Oracle Endeca Information Discovery Studio	Studio (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.2.0
CVE-2019-0227	Oracle Tuxedo	TX SALT (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	12.1.1.0.0, 12.1.3.0.0
CVE-2020-6950	Oracle WebLogic Server	Web Container (JavaServer Faces)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-17359	Oracle WebLogic Server	Third Party Tools (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2543	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2020-2549	Oracle WebLogic Server	WLS Core Components	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	10.3.6.0.0
CVE-2020-2537	Oracle Business Intelligence Enterprise Edition	Analytics Actions	HTTP	Yes	7.1	Network	Low	None	Required	Changed	Low	Low	Low	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2538	Oracle WebCenter Sites	Advanced UI	HTTP	Yes	7.1	Network	Low	None	Required	Changed	Low	Low	Low	12.2.1.3.0
CVE-2020-2540	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	8.5.4	See Note 1
CVE-2020-2541	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	8.5.4	See Note 1
CVE-2020-2576	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	8.5.4	See Note 1
CVE-2020-2542	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	8.5.4	See Note 1
CVE-2020-2530	Oracle HTTP Server	Web Listener	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2020-2533	Oracle Reports Developer	Security and Authentication	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2534	Oracle Reports Developer	Security and Authentication	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2539	Oracle WebCenter Sites	Advanced UI	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2019-1559	Oracle Business Intelligence Enterprise Edition	Analytics Server and Analytics Web General (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-12415	Oracle Endeca Information Discovery Studio	Studio (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	3.2.0
CVE-2019-12415	Oracle Enterprise Repository	Security Subsystem (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	12.1.3.0.0
CVE-2020-2729	Identity Manager	Advanced Console	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	11.1.2.3.0, 12.2.1.3.0
CVE-2020-2536	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	8.5.4	See Note 1
CVE-2019-10247	Oracle Endeca Information Discovery Integrator	Integrator Acquistion System (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	3.2.0
CVE-2020-2545	Oracle HTTP Server	OSSL Module	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2020-2545	Oracle Security Service	SSL API	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2020-2550	Oracle WebLogic Server	WLS Core Components	None	No	5.1	Local	Low	High	None	Un- changed	High	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2547	Oracle WebLogic Server	Console	HTTP	No	4.8	Network	Low	High	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2548	Oracle WebLogic Server	WLS Core Components	HTTP	No	4.8	Network	Low	High	Required	Changed	Low	Low	None	10.3.6.0.0
CVE-2020-2552	Oracle WebLogic Server	WLS Core Components	HTTP	No	4.8	Network	Low	High	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0
CVE-2020-2535	Oracle Business Intelligence Enterprise Edition	Analytics Server	HTTP	Yes	4.7	Network	Low	None	Required	Changed	Low	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2544	Oracle WebLogic Server	Console	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2519	Oracle WebLogic Server	Console	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2531	Oracle Business Intelligence Enterprise Edition	BI Platform Security	HTTP	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	12.2.1.3.0, 12.2.1.4.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle GraalVM. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-15845	Oracle GraalVM Enterprise Edition	Interpreter and runtime (Ruby)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.3.0.2	See Note 1
CVE-2020-2604	Oracle GraalVM Enterprise Edition	Java	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	19.3.0.2	See Note 2
CVE-2019-16776	Oracle GraalVM Enterprise Edition	JavaScript (Node.js)	Multiple	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	19.3.0.2
CVE-2020-2595	Oracle GraalVM Enterprise Edition	GraalVM Compiler	Multiple	Yes	5.8	Network	Low	None	None	Changed	Low	None	None	19.3.0.2
CVE-2020-2581	Oracle GraalVM Enterprise Edition	LLVM Interpreter	None	No	4.0	Local	Low	None	None	Un- changed	None	None	Low	19.3.0.2

Notes:

This vulnerability is in the standard Ruby libraries, not in the TruffleRuby interpreter.
GraalVM Enterprise 19.3 and above includes both Java SE 8 and Java SE 11.

Additional CVEs addressed are below:

The patch for CVE-2019-15845 also addresses CVE-2019-16201, CVE-2019-16254 and CVE-2019-16255.
The patch for CVE-2019-16776 also addresses CVE-2019-16775 and CVE-2019-16777.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Health Sciences Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2904	Oracle Clinical	User Interface (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.2
CVE-2019-2904	Oracle Health Sciences Data Management Workbench	User Interface (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4, 2.5
CVE-2018-15756	Oracle Healthcare Master Person Index	Core (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.0

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Hospitality Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-17359	Oracle Hospitality Guest Access	Base (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	4.2
CVE-2020-2675	Oracle Hospitality OPERA 5	Login	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	5.5
CVE-2020-2676	Oracle Hospitality OPERA 5	Printing	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.5
CVE-2020-2677	Oracle Hospitality OPERA 5	Login	HTTP	No	5.7	Network	Low	Low	Required	Un- changed	High	None	None	5.5, 5.6
CVE-2020-2599	Oracle Hospitality Cruise Materials Management	MMS All	None	No	4.2	Physical	High	None	None	Un- changed	High	None	None	7.30.567

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Hyperion. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2904	Hyperion Planning	Application Development Framework	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.4
CVE-2020-2563	Hyperion Financial Close Management	Close Manager	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4

Oracle iLearning Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2709	Oracle iLearning	Learner Pages	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	6.1

Oracle Java SE Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2604	Java SE, Java SE Embedded	Serialization	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Java SE: 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded: 8u231	See Note 1
CVE-2019-16168	Java SE	JavaFX (SQLite)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Java SE: 8u231	See Note 2
CVE-2019-13117	Java SE	JavaFX (libxslt)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	Java SE: 8u231	See Note 2
CVE-2019-13118	Java SE	JavaFX (libxslt)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	Java SE: 8u231	See Note 2
CVE-2020-2601	Java SE, Java SE Embedded	Security	Kerberos	Yes	6.8	Network	High	None	None	Changed	High	None	None	Java SE: 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded: 8u231	See Note 1
CVE-2020-2585	Java SE	JavaFX	Multiple	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	Java SE: 8u231	See Note 1
CVE-2020-2655	Java SE	JSSE	HTTPS	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	Java SE: 11.0.5, 13.0.1	See Note 1
CVE-2020-2593	Java SE, Java SE Embedded	Networking	Multiple	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	Java SE: 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded: 8u231	See Note 1
CVE-2020-2654	Java SE	Libraries	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u241, 8u231, 11.0.5, 13.0.1	See Note 3
CVE-2020-2590	Java SE, Java SE Embedded	Security	Kerberos	Yes	3.7	Network	High	None	None	Un- changed	None	Low	None	Java SE: 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded: 8u231	See Note 1
CVE-2020-2659	Java SE, Java SE Embedded	Networking	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u241, 8u231; Java SE Embedded: 8u231	See Note 1
CVE-2020-2583	Java SE, Java SE Embedded	Serialization	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded: 8u231	See Note 1

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle JD Edwards. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14379	JD Edwards EnterpriseOne Orchestrator	E1 IOT Orchestrator Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2019-16943	JD Edwards EnterpriseOne Orchestrator	E1 IOT Orchestrator Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2019-14379	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics SEC (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2019-16943	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics SEC (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2019-12086	JD Edwards EnterpriseOne Orchestrator	E1 IOT Orchestrator Security (jackson-databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	9.2
CVE-2019-12086	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics SEC (jackson-databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	9.2
CVE-2019-12086	JD Edwards EnterpriseOne Tools	Web Runtime SEC (jackson databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	9.2
CVE-2019-11358	JD Edwards EnterpriseOne Tools	Web Runtime SEC (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-11358	JD Edwards EnterpriseOne Tools	Web Runtime SEC (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2

Additional CVEs addressed are below:

The patch for CVE-2019-14379 also addresses CVE-2019-14439.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 19 new security patches for Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-16168	MySQL Workbench	MySQL Workbench (SQLite)	MySQL Workbench	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2019-1547	MySQL Connectors	Connector/ODBC (OpenSSL)	TLS	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	5.3.13 and prior, 8.0.18 and prior
CVE-2020-2579	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior
CVE-2020-2686	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2627	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2570	MySQL Client	C API	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	5.7.28 and prior, 8.0.18 and prior
CVE-2020-2573	MySQL Client	C API	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	5.7.28 and prior, 8.0.18 and prior
CVE-2020-2574	MySQL Client	C API	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior
CVE-2020-2577	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.28 and prior, 8.0.18 and prior
CVE-2020-2589	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.28 and prior, 8.0.17 and prior
CVE-2020-2580	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2020-2588	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2660	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.28 and prior, 8.0.18 and prior
CVE-2020-2679	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2019-1547	MySQL Enterprise Backup	Security (OpenSSL)	TLS	No	4.7	Local	High	Low	None	Un- changed	High	None	None	3.12.4 and prior, 4.1.3 and prior
CVE-2020-2584	MySQL Server	Server: Options	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	High	None	None	5.7.28 and prior, 8.0.18 and prior
CVE-2020-2694	MySQL Server	Server: Information Schema	MySQL Protocol	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	8.0.18 and prior
CVE-2020-2572	MySQL Server	Server: Audit Plugin	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	None	Low	None	5.7.28 and prior, 8.0.18 and prior
CVE-2019-8457	MySQL Cluster	Cluster: General (SQLite)	Multiple	Yes	0.0	Network	Low	None	Required	Un- changed	None	None	None	7.3.27 and prior, 7.4.25 and prior, 7.5.15 and prior, 7.6.12 and prior	See Note 1

Notes:

This CVE is not exploitable in MySQL Cluster. The CVSS v3.0 Base Score for this CVE in the National Vulnerability Database (NVD) is 9.8. SQLite is removed from MySQL Cluster releases with the January 2020 Critical Patch Update.

Additional CVEs addressed are below:

The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-8457 also addresses CVE-2019-9936 and CVE-2019-9937.

Oracle PeopleSoft Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-15708	PeopleSoft Enterprise PeopleTools	Portal (Apache Commons)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.56, 8.57
CVE-2019-2729	PeopleSoft Enterprise PeopleTools	Security (Oracle WebLogic Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.56, 8.57, 8.58
CVE-2017-12626	PeopleSoft Enterprise PeopleTools	Change Impact Analyzer (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.56, 8.57
CVE-2019-0227	PeopleSoft Enterprise PeopleTools	Portal (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.56, 8.57
CVE-2017-1000376	PeopleSoft PeopleTools	PeopleCode (libffi)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	8.56, 8.57
CVE-2020-2598	PeopleSoft Enterprise PeopleTools	Activity Guide	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2600	PeopleSoft Enterprise PeopleTools	Elastic Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2606	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2607	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2663	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2602	PeopleSoft Enterprise PeopleTools	Tree Manager	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2695	PeopleSoft Enterprise CC Common Application Objects	Approval Framework	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	9.1, 9.2
CVE-2019-1547	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	8.56, 8.57
CVE-2020-2561	PeopleSoft Enterprise HCM Human Resources	Company Dir / Org Chart Viewer	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	9.2
CVE-2020-2687	PeopleSoft Enterprise PeopleTools	Elastic Search	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	8.56, 8.57

Additional CVEs addressed are below:

The patch for CVE-2017-15708 also addresses CVE-2019-10086.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-2729 also addresses CVE-2019-2725.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 22 new security patches for Oracle Retail Applications. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2904	Oracle Retail Assortment Planning	Application Core (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0.3, 16.0.3
CVE-2019-2904	Oracle Retail Clearance Optimization Engine	Dataset Componen (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.5
CVE-2016-5019	Oracle Retail Clearance Optimization Engine	Dataset Component (Apache Trinidad)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.4
CVE-2016-5019	Oracle Retail Clearance Optimization Engine	General Application (Apache Trinidad)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.3
CVE-2019-12814	Oracle Retail Customer Management and Segmentation Foundation	Segment (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	17.0
CVE-2019-2904	Oracle Retail Markdown Optimization	Common Component Integration (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.4
CVE-2019-12419	Oracle Retail Order Broker	Order Broker Foundation (CXF)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0
CVE-2019-2904	Oracle Retail Sales Audit	Operational Insights (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0.3. 16.0.2
CVE-2018-1258	Oracle Retail Clearance Optimization Engine	Dataset Component (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	14.0.5
CVE-2018-1258	Oracle Retail Markdown Optimization	Common Component Integration (Spring Framework)	HTTPS	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	13.4.4
CVE-2016-1181	Oracle Retail Clearance Optimization Engine	Dataset Component (Struts1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	14.0.5
CVE-2016-1181	Oracle Retail Markdown Optimization	Common Component Integration (Struts1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	13.4.4
CVE-2018-8039	Oracle Retail Order Broker	System Administration (Apache CXF)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	5.2, 15.0
CVE-2019-0227	Oracle Retail Order Broker	System Administration (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	15.0, 16.0, 18.0
CVE-2020-2650	Oracle Retail Customer Management and Segmentation Foundation	Promotions	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	16.0
CVE-2020-2648	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations	None	No	6.2	Physical	Low	High	None	Un- changed	High	High	High	16.0
CVE-2019-17091	Oracle Retail Assortment Planning	Application Core (Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.0.3
CVE-2019-12415	Oracle Retail Clearance Optimization Engine	General Application (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	14.0
CVE-2019-12415	Oracle Retail Predictive Application Server	RPAS Fusion Client (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	15.0.3
CVE-2019-12415	Oracle Retail Predictive Application Server	RPAS Fusion Client (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	15.0.3, 16.0.3
CVE-2020-2567	Oracle Retail Customer Management and Segmentation Foundation	Security	HTTP	No	4.8	Network	Low	High	Required	Changed	Low	Low	None	18.0
CVE-2020-2649	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations	None	No	3.3	Local	Low	Low	None	Un- changed	Low	None	None	16.0

Additional CVEs addressed are below:

The patch for CVE-2016-1181 also addresses CVE-2016-1182.
The patch for CVE-2016-5019 also addresses CVE-2019-2904.
The patch for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257 and CVE-2018-15756.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-12419 also addresses CVE-2019-12406.
The patch for CVE-2019-12814 also addresses CVE-2018-11307, CVE-2019-12384, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267 and CVE-2019-17531.
The patch for CVE-2019-2904 also addresses CVE-2019-2094.

Oracle Siebel CRM Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14379	Siebel Engineering – Installer & Deployment	Siebel Approval Manager (jackson databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.8 and prior
CVE-2019-14379	Siebel UI Framework	EAI (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.10 and prior
CVE-2020-2564	Siebel UI Framework	EAI	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	19.10 and prior
CVE-2020-2559	Siebel UI Framework	UIF Open UI	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	19.7 and prior
CVE-2020-2560	Siebel UI Framework	SWSE Server	HTTP	Yes	4.7	Network	Low	None	Required	Changed	Low	None	None	19.10 and prior

Additional CVEs addressed are below:

The patch for CVE-2019-14379 also addresses CVE-2019-14439.

Oracle Systems Risk Matrix

This Critical Patch Update contains 17 new security patches for Oracle Systems. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-9636	Sun ZFS Storage Appliance Kit	Operating System Image	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.8.6
CVE-2019-2729	Tape Library ACSLS	Application Server (Oracle WebLogic Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5
CVE-2016-1000031	Tape Library ACSLS	Software (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5
CVE-2020-2696	Oracle Solaris	Common Desktop Environment	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	10
CVE-2020-2565	Oracle Solaris	Consolidation Infrastructure	None	No	7.5	Local	High	Low	Required	Changed	High	High	High	11
CVE-2019-2725	Tape Library ACSLS	Application Server (Oracle WebLogic Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5
CVE-2018-15756	Tape Library ACSLS	Software (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5
CVE-2020-2605	Oracle Solaris	Filesystem	None	No	7.1	Local	Low	Low	None	Un- changed	None	High	High	11
CVE-2019-11358	Tape Library ACSLS	Software (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.5, 8.5.1
CVE-2020-2680	Oracle Solaris	Filesystem	None	No	6.0	Local	Low	High	None	Changed	None	None	High	11
CVE-2020-2558	Oracle Solaris	Kernel	SMB	Yes	5.8	Network	Low	None	None	Changed	None	None	Low	11
CVE-2020-2578	Oracle Solaris	Kernel	SMB	Yes	5.8	Network	Low	None	None	Changed	None	None	Low	11
CVE-2020-2647	Oracle Solaris	Kernel	None	No	5.0	Local	Low	Low	Required	Un- changed	None	None	High	10, 11
CVE-2020-2664	Oracle Solaris	Filesystem	None	No	4.6	Local	Low	Low	Required	Changed	Low	Low	None	11
CVE-2020-2656	Oracle Solaris	X Window System	None	No	4.4	Local	Low	Low	None	Un- changed	Low	Low	None	10, 11
CVE-2019-9579	Oracle Solaris	SMB Server	None	No	3.3	Local	Low	Low	None	Un- changed	None	Low	None	11
CVE-2020-2571	Oracle VM Server for SPARC	Templates	None	No	3.3	Local	Low	None	Required	Un- changed	None	Low	None	3.6

Additional CVEs addressed are below:

The patch for CVE-2019-11358 also addresses CVE-2015-9251.
The patch for CVE-2019-9636 also addresses CVE-2017-15906, CVE-2018-1000030, CVE-2018-1060, CVE-2018-11759, CVE-2018-15473, CVE-2018-17189, CVE-2018-20684, CVE-2019-0215, CVE-2019-1559, CVE-2019-5718 and CVE-2019-9208.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Supply Chain. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-6814	Oracle Agile PLM MCAD Connector	CAX Client (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	3.4, 3.5, 3.6
CVE-2019-0232	Oracle Agile Engineering Data Management	Install (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	6.2.0, 6.2.1
CVE-2017-12626	Oracle Agile PLM	Security (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2019-10072	Oracle Agile PLM	Security (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.3.5, 9.3.6
CVE-2019-0227	Oracle Agile PLM Framework	Web Services (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	9.3.3
CVE-2020-2592	Oracle AutoVue	Security	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	21.0.2
CVE-2019-10247	Oracle AutoVue	Security (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	21.0.2
CVE-2020-2557	Oracle Demantra Demand Management	Security	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.2.4, 12.2.4.1, 12.2.5, 12.2.5.1

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-0232 also addresses CVE-2019-10072.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Utilities Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Utilities Work and Asset Management (v1)	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.9.1.2
CVE-2019-11358	Oracle Real-Time Scheduler	Next Gen Mobile Application (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.3.0.1-2.3.0.3
CVE-2019-11358	Oracle Utilities Mobile Workforce Management	Next Gen Mobile Application (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.3.0.1-2.3.0.3
CVE-2014-3004	Oracle Utilities Framework	Common (Castor)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	4.2.0.2-4.2.0.3, 4.3.0.1-4.3.0.4

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 22 new security patches for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2674	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2682	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2019-0227	Oracle Secure Global Desktop	Web Services (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	5.4, 5.5
CVE-2020-2698	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2701	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2702	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2726	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2681	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2689	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2690	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2691	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2692	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2703	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	Prior to 5.2.36, prior to 6.0.16
CVE-2020-2704	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2705	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2725	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2678	Oracle VM VirtualBox	Core	None	No	6.4	Local	High	Low	None	Changed	Low	High	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2019-17091	Oracle Secure Global Desktop	Core (Mojarra)	Multiple	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.4, 5.5
CVE-2020-2727	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2693	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2019-10092	Oracle Secure Global Desktop	Web Server (Apache HTTPD Server)	HTTP	Yes	4.7	Network	High	None	Required	Changed	Low	Low	None	5.4, 5.5
CVE-2019-1547	Oracle Secure Global Desktop	Core (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	5.4, 5.5

Additional CVEs addressed are below:

The patch for CVE-2019-10092 also addresses CVE-2019-10098.
The patch for CVE-2019-1547 also addresses CVE-2019-1552 and CVE-2019-1563.

No Related Posts

Oracle Critical Patch Update Advisory – October 2019

October 14, 2019November 24, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – October 2019

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

This Critical Patch Update contains 219 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2019 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Agile Recipe Management for Pharmaceuticals, versions 9.3.3, 9.3.4	Oracle Supply Chain Products
Diagnostic Assistant, version 2.12.36	Support Tools
Enterprise Manager Base Platform, versions 13.2, 13.3	Enterprise Manager
Enterprise Manager for Exadata, versions 12.1.0.5.0, 13.2.2.0.0, 13.3.1.0.0, 13.3.2.0.0	Enterprise Manager
Enterprise Manager Ops Center, versions 12.3.3, 12.4.0	Enterprise Manager
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2361, prior to XCP3071	Systems
Hyperion Data Relationship Management, version 11.1.2.4	Fusion Middleware
Hyperion Enterprise Performance Management Architect, version 11.1.2.4	Fusion Middleware
Hyperion Financial Reporting, version 11.1.2.4	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3	Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Tools, version 4.0.1.0	JD Edwards
MICROS Relate CRM Software, versions 7.1.0, 11.4, 15.0.0, 16.0.0, 17.0.0, 18.0.0	Retail Applications
MICROS Retail XBRi Loss Prevention, version 10.8.3	Retail Applications
MySQL Connectors, versions 5.3.13 and prior, 8.0.17 and prior	MySQL
MySQL Enterprise Monitor, versions 8.0.17 and prior	MySQL
MySQL Server, versions 5.6.45 and prior, 5.7.27 and prior, 8.17 and prior	MySQL
MySQL Workbench, versions 8.0.17 and prior	MySQL
Oracle Agile PLM, versions 9.3.3-9.3.6	Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, versions 6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0	Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0	Fusion Middleware
Oracle Application Testing Suite, versions 13.2, 13.3	Enterprise Manager
Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1	Oracle Financial Services Applications
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1	Oracle Banking Platform
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Clusterware, version 19.0.0.0.0	Support Tools
Oracle Data Integrator, version 12.2.1.3.0	Fusion Middleware
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9	E-Business Suite
Oracle Enterprise Repository, version 12.1.3.0.0	Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.2-8.0.8	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Enterprise Financial Performance Analytics, versions 8.0.6, 8.0.7	Oracle Financial Services Enterprise Financial Performance Analytics
Oracle Financial Services Retail Performance Analytics, versions 8.0.6, 8.0.7	Oracle Financial Services Retail Performance Analytics
Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3	Oracle Financial Services Applications
Oracle Forms, version 12.2.1.3.0	Fusion Middleware
Oracle GoldenGate Application Adapters, version 12.3.2.1.0	Fusion Middleware
Oracle GraalVM Enterprise Edition, version 19.2.0	Oracle GraalVM Enterprise Edition
Oracle Healthcare Foundation, versions 7.1.1, 7.2.2	Health Sciences
Oracle Healthcare Translational Research, versions 3.1.0, 3.2.1, 3.3.1	Health Sciences
Oracle Hospitality Cruise Dining Room Management, version 8.0.80	Oracle Hospitality Cruise Dining Room Management
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1	Oracle Hospitality Guest Access
Oracle Hospitality Materials Control, version 18.1	Oracle Hospitality Materials Control
Oracle Hospitality Reporting and Analytics, version 9.1.0	Oracle Hospitality Reporting and Analytics
Oracle Hospitality RES 3700, version 5.7	Oracle Hospitality RES
Oracle Java SE, versions 7u231, 8u221, 11.0.4, 13	Java SE
Oracle Java SE Embedded, version 8u221	Java SE
Oracle JDeveloper and ADF, versions 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle NoSQL Database, versions prior to 19.3.12	NoSQL Database
Oracle Outside In Technology, version 8.5.4	Fusion Middleware
Oracle Policy Automation, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0-12.2.15	Oracle Policy Automation
Oracle Policy Automation Connector for Siebel, version 10.4.6	Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.15	Oracle Policy Automation
Oracle Retail Customer Insights, versions 15.0, 16.0	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, version 17.0	Retail Applications
Oracle Retail Integration Bus, versions 15.0, 16.0	Retail Applications
Oracle Retail Xstore Office, version 7.1	Retail Applications
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 17.0.3, 18.0, 18.0.1, 19.0.0	Retail Applications
Oracle Service Bus, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle SOA Suite, version 12.2.1.3.0	Fusion Middleware
Oracle Solaris, versions 10, 11	Systems
Oracle Virtual Directory, version 11.1.1.9.0	Fusion Middleware
Oracle VM VirtualBox, versions prior to 5.2.34, prior to 6.0.14	Virtualization
Oracle Web Services, version 12.2.1.3.0	Fusion Middleware
Oracle WebCenter Portal, version 12.2.1.3.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
PeopleSoft Enterprise HCM Human Resources, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57	PeopleSoft
PeopleSoft Enterprise SCM eProcurement, version 9.2	PeopleSoft
Primavera Gateway, versions 15.2, 16.2, 17.12, 18.8	Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.13	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8	Oracle Construction and Engineering Suite
Siebel Applications, versions 19.8 and prior	Siebel

Note:

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Alaa Kachouh of Bankmed: CVE-2019-3019
Alexander Kornbrust of Red Database Security: CVE-2018-2875, CVE-2019-2895, CVE-2019-2939
Alpha66647777: CVE-2019-2978
Amaal Khalid of SecureMisr: CVE-2019-2979, CVE-2019-2980
Andrej Simko of Accenture: CVE-2019-2930, CVE-2019-2990, CVE-2019-2994, CVE-2019-2995, CVE-2019-3000, CVE-2019-3022, CVE-2019-3024
Andrej Simko of Accenture working with iDefense Labs: CVE-2019-2930
Andrzej Dyjak of sigsegv.pl: CVE-2019-2901, CVE-2019-2902, CVE-2019-2903, CVE-2019-2970, CVE-2019-2971, CVE-2019-2972
anhdaden of STAR Labs: CVE-2019-2984, CVE-2019-3002, CVE-2019-3005
Anhdaden of StarLabs working with Trend Micro’s Zero Day Initiative: CVE-2019-3026, CVE-2019-3031
Badcode of Knownsec 404 Team: CVE-2019-2888
Bartlomiej Stasiek: CVE-2019-2941
Dimitrios – Georgios Karetsos of COSMOTE – Mobile Telecommunications S.A.: CVE-2019-2959
Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2019-2954, CVE-2019-2955
Ehsan Nikavar: CVE-2019-2898
Emad Al-Mousa of Saudi Aramco: CVE-2019-2940
Huyna of Viettel Cyber Security working with Trend Micro Zero Day Initiative: CVE-2019-3017
Imre Rad: CVE-2019-2996
Jakub Palaczynski: CVE-2019-2927
Jakub Palaczynski of ING Tech Poland: CVE-2019-2886
Jan Jancar of Masaryk University: CVE-2019-2894
Jean-Benjamin Rousseau of SEC Consult Vulnerability Lab: CVE-2019-17091
Krzysztof Bednarski of ING Tech Poland: CVE-2019-2886
Kyle Stiemann of Liferay: CVE-2019-17091
Laura Rowieska: CVE-2019-2897
Lewei Qu of Baidu, Inc.: CVE-2019-3021
lofiboy of infiniti Team, VinCSS (a member of Vingroup): CVE-2019-2926, CVE-2019-2944
Longofo of Knownsec 404 Team: CVE-2019-2888
Lukasz Mikula: CVE-2019-2932
Lukasz Rupala of ING Tech Poland: CVE-2019-2900, CVE-2019-3012
Marco Ivaldi of Media Service: CVE-2019-3010
Marek Cybul: CVE-2019-3014, CVE-2019-3015
Michal Skowron: CVE-2019-2897
MitAh of Tencent Security Xuanwu Lab: CVE-2019-2999
TSM_007 of TSM: CVE-2019-3012
Owais Zaman of Sabic: CVE-2019-3020
Philippe Antoine, Christopher Alves, Zouhair Janatil-Idrissi, Julien Zhan (Telecom Nancy): CVE-2019-2993, CVE-2019-3011
Ramnath Shenoy of NCC Group: CVE-2019-3015
Resecurity, Inc.: CVE-2019-3028
Rob Hamm of sas.com: CVE-2019-2949
RunningSnail: CVE-2019-2889
Saeed Shiravi: CVE-2019-3012
Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2019-2959
Steven Danneman of Security Innovation: CVE-2019-2922, CVE-2019-2923, CVE-2019-2924
tint0 of Viettel Cyber Security working with Trend Micro Zero Day Initiative: CVE-2019-2904
Tomasz Wisniewski: CVE-2019-2906
Vahagn Vardanyan: CVE-2019-2905, CVE-2019-2907
Venustech ADLab: CVE-2019-2887, CVE-2019-2890
Vladimir Egorov: CVE-2019-2905, CVE-2019-2907
Walid Faour: CVE-2019-3025
Zohaib Tasneem of Sabic: CVE-2019-3020

Security-In-Depth Contributors

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

Amit Kaplan of GE
An Trinh
Bartlomiej Zogala
Ben Heimerdinger of Code White GmbH
Cornelius Aschermann of Ruhr-University Bochum
George R
Joshua Graham of TSS
Lucas Fink
Markus Wulftange of Code White GmbH
Roberto Suggi Liverani of NATO Communications and Information Agency
Roy Haroush of GE
Sergej Schumilo of Ruhr-University Bochum
Simon Worner
Tin Duong of Fortinet’s FortiGuard Labs
voidfyoo of Chaitin Tech

On-Line Presence Security Contributors

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

Arun Babu
Ben Stock of CISPA Helmholtz Center for Information Security (Germany)
Dudy Shaul
Khiem Tran
Malavika SK
Nick Nikiforakis
Pooja B Sen
Ronak Nahar
Sajjad Hashemian
Shubham Garg [nullb0t] of JMIETI
Stefano Calzavara
Wai Yan Aung

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

14 January 2020
14 April 2020
14 July 2020
20 October 2020

References

Modification History

Date	Note
2019-October-15	Rev 1. Initial Release.
2019-November-26	Rev 2. Update Entry for CVE-2019-2941
2020-January-22	Rev 3. Update affected version Entry for CVE-2019-2888

Oracle Database Server Risk Matrix

This Critical Patch Update contains 11 new security patches for the Oracle Database Server divided as follows:

10 new security patches for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
1 new security patch for Oracle NoSQL Database. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2909	Java VM	None	Multiple	Yes	6.8	Network	High	None	None	Changed	None	High	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2956	Core RDBMS (jackson-databind)	Create Session	Multiple	No	5.7	Network	Low	Low	Required	Un- changed	None	None	High	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2913	Core RDBMS	Create Session	OracleNet	No	5.0	Network	Low	Low	None	Changed	Low	None	None	12.2.0.1, 18c, 19c
CVE-2019-2939	Core RDBMS	Create Session	OracleNet	No	5.0	Network	Low	Low	None	Changed	Low	None	None	12.2.0.1, 18c, 19c
CVE-2018-2875	Core RDBMS	Create Session	OracleNet	No	5.0	Network	Low	Low	None	Changed	Low	None	None	12.2.0.1, 18c, 19c
CVE-2019-2734	Core RDBMS	Create Session, Execute on DBMS_ADVISOR	OracleNet	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	12.2.0.1, 18c, 19c
CVE-2018-11784	WLM (Apache Tomcat)	None	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	12.2.0.1, 18c, 19c
CVE-2019-2954	Core RDBMS	Create Session, Create Procedure	Multiple	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2955	Core RDBMS	Local Logon	Multiple	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2940	Core RDBMS	Create Session	OracleNet	No	2.3	Local	Low	High	None	Un- changed	None	Low	None	12.1.0.2, 12.2.0.1, 18c

Additional CVEs addressed are below:

The patch for CVE-2018-11784 also addresses CVE-2018-8034.
The patch for CVE-2019-2956 also addresses CVE-2018-1000873, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361 and CVE-2018-19362.

Oracle NoSQL Database Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle NoSQL Database. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-14721	Oracle NoSQL Database	NoSQL (jackson-databind)	HTTP	Yes	10.0	Network	Low	None	None	Changed	High	High	High	Prior to 19.3.12

Additional CVEs addressed are below:

The patch for CVE-2018-14721 also addresses CVE-2018-1000873, CVE-2018-11798, CVE-2018-1320, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-12086, CVE-2019-12384 and CVE-2019-12814.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 13 new security patches for Oracle Construction and Engineering. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-6056	Instantis EnterpriseTrack	Core (Apache Tomcat)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2019-14379	Primavera Gateway	Admin (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.2, 16.2, 17.12, 18.8
CVE-2019-14379	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2019-3020	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	9.3	Network	Low	None	Required	Changed	High	High	None	15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.11
CVE-2019-0232	Instantis EnterpriseTrack	Generic (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2019-0211	Instantis EnterpriseTrack	Generic (Apache HTTP Server)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2019-0227	Instantis EnterpriseTrack	Generic (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2017-12626	Instantis EnterpriseTrack	Generic (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.1, 17.2, 17.3
CVE-2017-12626	Primavera Gateway	Admin (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.12
CVE-2017-12626	Primavera P6 Enterprise Project Portfolio Management	Web Access (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.13
CVE-2017-12626	Primavera Unifier	Core (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2019-2976	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	6.8	Network	Low	Low	Required	Changed	High	None	None	17.1.0-17.12.12
CVE-2019-11358	Primavera Unifier	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.1, 16.2, 17.7-17.12, 18.8

Additional CVEs addressed are below:

The patch for CVE-2017-6056 also addresses CVE-2016-5425.
The patch for CVE-2019-0211 also addresses CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217 and CVE-2019-0220.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-0232 also addresses CVE-2019-10072.
The patch for CVE-2019-14379 also addresses CVE-2019-12086, CVE-2019-14439, CVE-2019-14540 and CVE-2019-16335.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 10 new security patches for the Oracle E-Business Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2019), My Oracle Support Note 2586423.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2942	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.8
CVE-2019-2990	Oracle iStore	Order Tracker	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-2994	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2019-2995	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-3000	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-3022	Oracle Content Manager	Content	HTTP	Yes	5.8	Network	Low	None	None	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-3027	Oracle Application Object Library	Login Help	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	12.2.5-12.2.9
CVE-2019-2930	Oracle Field Service	Wireless	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.8
CVE-2019-3024	Oracle Installed Base	Engineering Change Order	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.2.3-12.2.9
CVE-2019-2925	Oracle Workflow	Worklist	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	12.1.3, 12.2.3-12.2.8

Oracle Enterprise Manager Risk Matrix

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2568292.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-4000	Enterprise Manager Base Platform	Command Line Interface (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2, 13.3
CVE-2019-5443	Enterprise Manager Ops Center	Networking (cURL)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	12.3.3, 12.4.0
CVE-2019-2895	Enterprise Manager for Exadata	Exadata Plug-In Deploy and Ins	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	12.1.0.5.0, 13.2.2.0.0, 13.3.1.0.0, 13.3.2.0.0
CVE-2019-9517	Enterprise Manager Ops Center	OS Provisioning (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.3.3, 12.4.0
CVE-2019-11358	Enterprise Manager Ops Center	Networking (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.3.3, 12.4.0
CVE-2019-11358	Oracle Application Testing Suite	Load Testing for Web Apps (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.2, 13.3
CVE-2019-10247	Enterprise Manager Base Platform	Agent Next Gen (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	13.2, 13.3

Additional CVEs addressed are below:

The patch for CVE-2019-10247 also addresses CVE-2019-10246.
The patch for CVE-2019-11358 also addresses CVE-2015-9251.
The patch for CVE-2019-5443 also addresses CVE-2019-5435 and CVE-2019-5436.
The patch for CVE-2019-9517 also addresses CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 and CVE-2019-10098.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Financial Services Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14379	Oracle Banking Platform	Infrastructure (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1
CVE-2019-14379	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.2-8.0.8
CVE-2019-2980	Oracle FLEXCUBE Direct Banking	eMail	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.0.2, 12.0.3
CVE-2019-11358	Oracle Financial Services Enterprise Financial Performance Analytics	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7
CVE-2019-11358	Oracle Financial Services Retail Performance Analytics	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7
CVE-2019-2979	Oracle FLEXCUBE Direct Banking	Payments	HTTP	No	5.7	Network	Low	Low	Required	Un- changed	None	High	None	12.0.2, 12.0.3
CVE-2019-3019	Oracle Banking Digital Experience	Loan Calculator	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	18.1, 18.2, 18.3, 19.1

Additional CVEs addressed are below:

The patch for CVE-2019-14379 also addresses CVE-2019-14439.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Food and Beverage Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-3025	Oracle Hospitality RES 3700	Interface	HTTP	Yes	9.0	Network	High	None	None	Changed	High	High	High	5.7
CVE-2019-2934	Oracle Hospitality Reporting and Analytics	Admin – Configuration	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.1.0
CVE-2019-2937	Oracle Hospitality Reporting and Analytics	Admin – Configuration	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.1.0
CVE-2019-2947	Oracle Hospitality Reporting and Analytics	Inventory Integration	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	9.1.0
CVE-2019-2936	Oracle Hospitality Reporting and Analytics	Admin – Configuration	HTTP	No	6.8	Network	High	Low	None	Un- changed	High	High	None	9.1.0
CVE-2019-11358	Oracle Hospitality Materials Control	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.1
CVE-2019-2952	Oracle Hospitality Reporting and Analytics	Admin-Configuration	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 37 new security patches for Oracle Fusion Middleware. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Critical Patch Update Advisory – October 2020

Description

Affected Products and Patch Information

Note:

Risk Matrix Content

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

Security-In-Depth Contributors

On-Line Presence Security Contributors

Critical Patch Update Schedule

References

Modification History

Oracle Database Products Risk Matrices

Oracle Database Server Risk Matrix

Notes:

Additional CVEs addressed are:

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

Oracle Database Server Client-Only Installations

Oracle Big Data Graph Risk Matrix

Additional CVEs addressed are:

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

Oracle REST Data Services Risk Matrix

Additional CVEs addressed are:

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

Oracle TimesTen In-Memory Database Risk Matrix

Additional CVEs addressed are:

Oracle Communications Applications Risk Matrix

Additional CVEs addressed are:

Oracle Communications Risk Matrix

Additional CVEs addressed are:

Oracle Construction and Engineering Risk Matrix

Additional CVEs addressed are:

Oracle E-Business Suite Risk Matrix

Oracle Enterprise Manager Risk Matrix

Additional CVEs addressed are:

Oracle Financial Services Applications Risk Matrix

Additional CVEs addressed are:

Oracle Food and Beverage Applications Risk Matrix

Additional CVEs addressed are:

Oracle Fusion Middleware Risk Matrix

Notes:

Additional CVEs addressed are:

Oracle GraalVM Risk Matrix

Oracle Health Sciences Applications Risk Matrix

Additional CVEs addressed are:

Oracle Hospitality Applications Risk Matrix

Additional CVEs addressed are:

Oracle Hyperion Risk Matrix

Additional CVEs addressed are:

Oracle Insurance Applications Risk Matrix

Additional CVEs addressed are:

Oracle Java SE Risk Matrix

Notes:

Oracle MySQL Risk Matrix

Additional CVEs addressed are:

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

Oracle PeopleSoft Risk Matrix

Additional CVEs addressed are:

Oracle Policy Automation Risk Matrix

Additional CVEs addressed are:

Oracle Retail Applications Risk Matrix

Additional CVEs addressed are:

Oracle Siebel CRM Risk Matrix

Additional CVEs addressed are:

Oracle Supply Chain Risk Matrix

Additional CVEs addressed are:

Oracle Systems Risk Matrix

Additional CVEs addressed are:

Oracle Utilities Applications Risk Matrix

Additional CVEs addressed are:

Oracle Virtualization Risk Matrix

Related:

Oracle Security Alert Advisory – CVE-2020-14750

Description

Affected Products and Patch Information

Security Alert Supported Products and Versions

References

Risk Matrix Content