Category: Oracle

Oracle Database Server Risk Matrix

This Critical Patch Update contains 7 new security fixes for the Oracle Database Server divided as follows:

• 3 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
• 1 new security fix for Oracle Big Data Graph. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
• 3 new security fixes for Oracle GoldenGate. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-3259	Java VM	None	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2018-3299	Oracle Text	None	Multiple	Yes	8.2	Network	Low	None	Required	Changed	None	Low	High	11.2.0.4, 12.1.0.2, 12.2.0.1
CVE-2018-7489	Rapid Home Provisioning	RHP User	HTTP	No	2.3	Adjacent Network	High	Low	Required	Un- changed	None	None	Low	18c

Additional CVEs addressed are below:

• The fix for CVE-2018-7489 also addresses CVE-2017-15095.

Oracle Big Data Graph Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Big Data Graph. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-6814	Spatial	Big Data Graph (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	2.0, 2.1, 2.2

Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle GoldenGate. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2913	Oracle GoldenGate	Monitoring Manager	TCP	Yes	10.0	Network	Low	None	None	Changed	High	High	High	12.1.2.1.0, 12.2.0.2.0, 12.3.0.1.0	See Note 1
CVE-2018-2912	Oracle GoldenGate	Manager	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.2.1.0, 12.2.0.2.0, 12.3.0.1.0
CVE-2018-2914	Oracle GoldenGate	Manager	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.2.1.0, 12.2.0.2.0, 12.3.0.1.0

Notes:

1. For Linux and Windows platforms, the CVSS score is 9.0 with Access Complexity as High. For all other platforms, the cvss score is 10.0.

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Communications Applications. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2015-0235	Oracle Communications Application Session Controller	Security (Glibc)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 3.7.1M0
CVE-2017-5645	Oracle Communications Messaging Server	Convergence (Apache Log4J)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 8.0.2
CVE-2016-0729	Oracle Communications User Data Repository	Security (Apache Xerces)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 12.2.0
CVE-2015-7501	Oracle Communications Application Session Controller	Security (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to 3.7.1M0
CVE-2015-7501	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to 10.2.1
CVE-2016-0635	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to 10.2.1
CVE-2016-1182	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Apache Struts 1)	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	Prior to 10.2.0
CVE-2017-15095	Oracle Communications Instant Messaging Server	Security (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Prior to 10.0.1
CVE-2018-8013	Oracle Communications MetaSolv Solution	Print preview, Gateway Events (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	6.3.0
CVE-2016-5080	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Objective System ASN1C)	Multiple	No	7.2	Network	Low	High	None	Un- changed	High	High	High	Prior to 10.2.1
CVE-2016-5019	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Apache Trinidad)	HTTP	No	6.7	Network	Low	High	None	Un- changed	Low	High	High	Prior to 10.2.1
CVE-2016-2107	Oracle Communications Application Session Controller	Security (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Prior to 3.7.1M0
CVE-2017-3736	Oracle Communications Performance Intelligence Center (PIC) Software	Security (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Prior to 10.2.1
CVE-2014-3490	Oracle Communications Performance Intelligence Center (PIC) Software	Security (resteasy-jaxrs)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Prior to 10.2.0

Additional CVEs addressed are below:

• The fix for CVE-2015-0235 also addresses CVE-2014-7817.
• The fix for CVE-2016-0729 also addresses CVE-2015-0252.
• The fix for CVE-2016-1182 also addresses CVE-2012-1007, CVE-2014-0014 and CVE-2016-1181.
• The fix for CVE-2017-15095 also addresses CVE-2017-7525.
• The fix for CVE-2017-3736 also addresses CVE-2017-3735.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 10 new security fixes for the Oracle Construction and Engineering Suite. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-1275	Primavera Gateway	Web Access (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.2, 16.2, 17.12
CVE-2018-7489	Primavera Gateway	Web Access (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.2, 16.2, 17.12
CVE-2018-12023	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	15.1, 15.2, 16.1, 16.2, 17.1-17.12, 18.1-18.8
CVE-2018-8013	Instantis EnterpriseTrack	Generic (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	17.1, 17.2, 17.3
CVE-2018-1305	Instantis EnterpriseTrack	Generic (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	17.1, 17.2, 17.3
CVE-2015-9251	Primavera Gateway	Admin (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.2, 16.2, 17.12
CVE-2018-3241	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4, 15.1, 15.2, 16.1, 16.2, 17.7 – 17.12, 18.8
CVE-2018-3281	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4, 15.1, 15.2, 16.1, 16.2, 17.7 – 17.12, 18.8
CVE-2018-3148	Primavera Unifier	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.1, 15.2, 16.1, 16.2, 17.1-17.12, 18.1-18.8
CVE-2018-11039	Primavera P6 Enterprise Project Portfolio Management	Web Access (Spring Framework)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	18.8

Additional CVEs addressed are below:

• The fix for CVE-2018-1275 also addresses CVE-2018-1258.
• The fix for CVE-2018-7489 also addresses CVE-2017-15095 and CVE-2018-12023.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 16 new security fixes for the Oracle E-Business Suite. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2018), My Oracle Support Note 2445688.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-3138	Oracle Application Object Library	Attachments / File Upload	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3243	Oracle Applications Framework	None	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2018-3235	Oracle Applications Manager	None	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3189	Oracle Customer Interaction History	Outcome-Result	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2018-3190	Oracle E-Business Intelligence	Overview Page/Report Rendering	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2018-3188	Oracle iStore	Web interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3242	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3196	Oracle Partner Management	Partner Dashboard	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3011	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3151	Oracle iProcurement	E-Content Manager Catalog	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3236	Oracle User Management	Reports	HTTP	No	6.5	Network	Low	High	None	Un- changed	High	High	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3167	Application Management Pack for Oracle E-Business Suite	User Monitoring	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3244	Oracle Application Object Library	Attachments / File Upload	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3237	Oracle Applications Manager	Support Cart	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3256	Oracle Email Center	Message Display	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2971	Oracle Applications Framework	REST Services	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 4 new security fixes for the Oracle Enterprise Manager Products Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2433477.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-4000	Enterprise Manager Ops Center	Networking (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.2, 12.3.3
CVE-2017-5645	Oracle Configuration Manager	Collector of Config and Diag (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.2.0.2, 12.1.2.0.5
CVE-2018-1258	Enterprise Manager for MySQL Database	EM Plugin: General (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	13.2
CVE-2018-0739	Enterprise Manager Base Platform	Discovery Framework (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	12.1.0.5, 13.2

Additional CVEs addressed are below:

• The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Financial Services Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-12023	Oracle Banking Platform	Infrastructure (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.5.0, 2.6.0, 2.6.1, 2.6.2
CVE-2015-9251	Oracle Banking Platform	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.6.0, 2.6.1, 2.6.2

Additional CVEs addressed are below:

• The fix for CVE-2018-12023 also addresses CVE-2018-11307 and CVE-2018-12022.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 4 new security fixes for Oracle Food and Beverage Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-3128	Oracle Hospitality Reporting and Analytics	Report	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.0
CVE-2018-3131	Oracle Hospitality Gift and Loyalty	Report	None	No	6.1	Local	Low	Low	None	Un- changed	High	Low	None	9.0
CVE-2015-9251	Oracle Hospitality Materials Control	MobileAuthWebService (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.1
CVE-2017-5715	MICROS PC Workstation 2015	BIOS	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 01.3.0.2i

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 65 new security fixes for Oracle Fusion Middleware. 56 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the October 2018 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2433477.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	BI Publisher (formerly XML Publisher)	BI Publisher Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2017-5645	Oracle API Gateway	Oracle API Gateway (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.4.0
CVE-2018-1275	Oracle Big Data Discovery	Data Processing (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.6.0
CVE-2018-1275	Oracle GoldenGate for Big Data	Other issues (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.0.1, 12.3.1.1, 12.3.2.1
CVE-2017-5645	Oracle Identity Analytics	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.5.8
CVE-2017-5645	Oracle Identity Management Suite	Suite Level Patch Issues (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.3.0, 12.2.1.3.0
CVE-2017-15095	Oracle Identity Manager	Installer (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.3.0, 12.2.1.3.0
CVE-2018-3191	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2018-3197	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0
CVE-2018-3201	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3
CVE-2018-3245	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2018-3252	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2018-1258	Oracle Endeca Information Discovery Integrator	Other Issues (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.1.0, 3.2.0
CVE-2018-1258	Oracle WebLogic Server	Sample apps (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2018-2911	Oracle GlassFish Server	Java Server Faces	HTTP	Yes	8.3	Network	Low	None	Required	Un- changed	High	High	Low	3.1.2
CVE-2016-1182	Oracle Adaptive Access Manager	OAAM Server (Apache Struts 1)	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	11.1.1.7.0, 11.1.2.3.0
CVE-2018-3204	Oracle Business Intelligence Enterprise Edition	Analytics Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.2.1.3.0
CVE-2016-1182	Oracle Real-Time Decision Server	Platform Installation (Apache Struts 1)	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	3.2.1
CVE-2017-7805	Oracle Directory Server Enterprise Edition	Admin Console (Sun Security Libraries)	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	11.1.1.7
CVE-2018-3152	Oracle GlassFish Server	Administration	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.1.2
CVE-2018-1000300	Oracle HTTP Server	Web Listener (curl)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.2.1.3
CVE-2018-0732	Oracle Tuxedo	Docs-ATMI-IB (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.1.0
CVE-2018-3246	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0, 12.2.1.3
CVE-2018-3213	Oracle WebLogic Server	Docker Images	T3	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	prior to Docker 12.2.1.3.20180913
CVE-2018-8013	Oracle Business Intelligence Enterprise Edition	Oracle Business Intelligence Enterprise Edition (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2018-8013	Oracle Enterprise Repository	Security Subsystem – 12c (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	11.1.1.7.0, 12.1.3.0.0
CVE-2018-3179	Oracle Identity Manager	Advanced Console	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	None	Low	11.1.2.3.0, 12.2.1.3.0
CVE-2018-3168	Oracle Identity Analytics	Core Components	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	11.1.1.5.8
CVE-2018-3217	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	Low	None	8.5.3	See Note 1
CVE-2018-3218	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	Low	None	8.5.3	See Note 1
CVE-2018-3219	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3220	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3221	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-3302	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-3222	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-3223	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-3224	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-3225	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-3226	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-3227	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-3228	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-3229	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-3230	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-3231	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-3232	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-3233	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-3234	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-18223	Oracle Outside In Technology	Outside In Filters (ODA Module)	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-18224	Oracle Outside In Technology	Outside In Filters (ODA Module)	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3	See Note 1
CVE-2018-3238	Oracle WebCenter Sites	Advanced UI	HTTP	No	6.9	Network	Low	High	Required	Changed	High	Low	None	11.1.1.8.0
CVE-2018-0739	Oracle Endeca Server	Product Code (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	7.6.1, 7.7.0
CVE-2018-1305	Oracle WebCenter Sites	Advanced UI (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	11.1.1.8.0, 12.2.1.3.0
CVE-2018-3249	Oracle WebLogic Server	WLS – Web Services	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	10.3.6.0
CVE-2018-3248	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	10.3.6.0
CVE-2015-9251	Oracle Endeca Information Discovery Studio	Studio (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.1.0, 3.2.0
CVE-2017-14735	Oracle Fusion Middleware MapViewer	Install (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0, 12.2.1.3
CVE-2015-9251	Oracle Service Bus	OSB Core Functionality (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0
CVE-2015-9251	Oracle WebCenter Sites	Advanced UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.8.0
CVE-2018-3250	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0
CVE-2018-3215	Oracle Endeca Information Discovery Integrator	Integrator ETL	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	3.1.0, 3.2.0
CVE-2018-3210	Oracle GlassFish Server	Java Server Faces	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	3.1.2
CVE-2018-3254	Oracle WebCenter Portal	WebCenter Spaces Application	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0
CVE-2018-3253	Oracle Virtual Directory	Virtual Directory Manager	HTTP	No	5.0	Network	High	Low	None	Un- changed	Low	Low	Low	11.1.1.7.0, 11.1.1.9.0
CVE-2018-3147	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	8.5.3	See Note 1
CVE-2018-2902	Oracle WebLogic Server	Console	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	10.3.6.0, 12.1.3.0

Notes:

1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

• The fix for CVE-2016-1182 also addresses CVE-2014-0114 and CVE-2016-1181.
• The fix for CVE-2017-15095 also addresses CVE-2017-7525 and CVE-2018-7489.
• The fix for CVE-2018-0732 also addresses CVE-2018-0737.
• The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
• The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.
• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
• The fix for CVE-2018-1275 also addresses CVE-2016-0635, CVE-2018-1258, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
• The fix for CVE-2018-1305 also addresses CVE-2018-1304.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Health Sciences Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2015-9251	Oracle Healthcare Translational Research	Cohort Explorer (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.1.0

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 9 new security fixes for Oracle Hospitality Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-1258	Oracle Hospitality Guest Access	Base (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	4.2.0, 4.2.1
CVE-2018-3160	Oracle Hospitality Cruise Shipboard Property Management System	OHC Admin, OHC Management	None	No	7.7	Local	Low	High	Required	Changed	High	High	High	8.0
CVE-2018-3158	Oracle Hospitality Cruise Fleet Management	Emergency Response System	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	9.0
CVE-2018-3163	Oracle Hospitality Cruise Fleet Management	Emergency Response System	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	9.0
CVE-2018-3166	Oracle Hospitality Cruise Fleet Management	Emergency Response System	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	9.0
CVE-2018-1305	Oracle Hospitality Guest Access	Base (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	4.2.0, 4.2.1
CVE-2018-3159	Oracle Hospitality Cruise Fleet Management	Sender and Receiver	None	No	6.1	Local	Low	Low	None	Un- changed	High	Low	None	9.0
CVE-2015-9251	Oracle Hospitality Guest Access	Base (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	4.2.0, 4.2.1
CVE-2018-3181	Oracle Hospitality Cruise Shipboard Property Management System	OHC ENOAD	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	8.0

Additional CVEs addressed are below:

• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
• The fix for CVE-2018-1305 also addresses CVE-2018-1304.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 9 new security fixes for Oracle Hyperion. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-3208	Hyperion Data Relationship Management	Access and Security	HTTP	No	7.7	Network	Low	Low	None	Changed	High	None	None	11.1.2.4.345
CVE-2018-3142	Hyperion Essbase Administration Services	EAS Console	HTTP	No	7.7	Network	Low	Low	None	Changed	High	None	None	11.1.2.4
CVE-2018-3175	Hyperion Common Events	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.2.4
CVE-2018-3176	Hyperion Common Events	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.2.4
CVE-2018-3177	Hyperion Common Events	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.2.4
CVE-2018-3178	Hyperion Common Events	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.2.4
CVE-2018-3140	Hyperion Essbase Administration Services	EAS Console	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.2.4
CVE-2018-3141	Hyperion Essbase Administration Services	EAS Console	HTTP	Yes	5.8	Network	Low	None	None	Changed	None	Low	None	11.1.2.4
CVE-2018-3184	Hyperion BI+	IQR – Foundation Services	HTTP	No	2.4	Network	Low	High	Required	Un- changed	Low	None	None	11.1.2.4

Oracle iLearning Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-3146	Oracle iLearning	Learner Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	6.1, 6.2

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Insurance Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Oracle Insurance Calculation Engine	Calculation engine (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.1.1, 10.2.1
CVE-2018-1275	Oracle Insurance Calculation Engine	Calculation engine (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.1.1, 10.2.1
CVE-2017-5645	Oracle Insurance Rules Palette	Rules Palette (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0, 10.1, 10.2, 11.0, 11.1
CVE-2018-1275	Oracle Insurance Rules Palette	Rules Palette (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0, 10.1, 10.2, 11.0, 11.1
CVE-2018-8013	Oracle Insurance Calculation Engine	Architecture (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	10.1.1, 10.2.1

Additional CVEs addressed are below:

• The fix for CVE-2018-1275 also addresses CVE-2018-1270.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 12 new security fixes for Oracle Java SE. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application (in Java SE 8) has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of “High”, lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-3183	Java SE, Java SE Embedded, JRockit	Scripting	Multiple	Yes	9.0	Network	High	None	None	Changed	High	High	High	Java SE: 8u182, 11; Java SE Embedded: 8u181; JRockit: R28.3.19	See Note 1
CVE-2018-3209	Java SE	JavaFX	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 8u182	See Note 2
CVE-2018-3169	Java SE, Java SE Embedded	Hotspot	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u191, 8u182, 11; Java SE Embedded: 8u181	See Note 2
CVE-2018-3149	Java SE, Java SE Embedded, JRockit	JNDI	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 6u201, 7u191, 8u182, 11; Java SE Embedded: 8u181; JRockit: R28.3.19	See Note 1
CVE-2018-3211	Java SE, Java SE Embedded	Serviceability	None	No	6.6	Local	Low	Low	Required	Un- changed	High	High	None	Java SE: 8u182, 11; Java SE Embedded: 8u181	See Note 3
CVE-2018-3180	Java SE, Java SE Embedded, JRockit	JSSE	SSL/TLS	Yes	5.6	Network	High	None	None	Un- changed	Low	Low	Low	Java SE: 6u201, 7u191, 8u182, 11; Java SE Embedded: 8u181; JRockit: R28.3.19	See Note 1
CVE-2018-3214	Java SE, Java SE Embedded, JRockit	Sound	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 6u201, 7u191, 8u182; Java SE Embedded: 8u181; JRockit: R28.3.19	See Note 1
CVE-2018-3157	Java SE	Sound	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 11	See Note 4
CVE-2018-3150	Java SE	Utility	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	Low	None	Java SE: 11	See Note 4
CVE-2018-13785	Java SE, Java SE Embedded	Deployment (libpng)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 6u201, 7u191, 8u182, 11; Java SE Embedded: 8u181	See Note 1
CVE-2018-3136	Java SE, Java SE Embedded	Security	Multiple	Yes	3.4	Network	High	None	Required	Changed	None	Low	None	Java SE: 6u201, 7u191, 8u182, 11; Java SE Embedded: 8u181	See Note 2
CVE-2018-3139	Java SE, Java SE Embedded	Networking	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Java SE: 6u201, 7u191, 8u182, 11; Java SE Embedded: 8u181	See Note 2

Notes:

1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
2. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
3. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). This vulnerability can only be exploited when Java Usage Tracker functionality is being used.
4. This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Additional CVEs addressed are below:

• The fix for CVE-2018-13785 also addresses CVE-2018-14048.

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 6 new security fixes for Oracle JD Edwards Products. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-7489	JD Edwards EnterpriseOne Orchestrator	IoT Orchestrator Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-7489	JD Edwards EnterpriseOne Tools	EnterpriseOne Mobility (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-7489	JD Edwards EnterpriseOne Tools	Web Runtime (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2017-15095	JD Edwards EnterpriseOne Tools	Business Logic Inf (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2017-15095	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2018-0739	JD Edwards EnterpriseOne Tools	Enterprise Infrastructure (OpenSSL)	JDENET	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	9.2

Additional CVEs addressed are below:

• The fix for CVE-2017-15095 also addresses CVE-2017-7525.
• The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
• The fix for CVE-2018-7489 also addresses CVE-2017-15095 and CVE-2017-7525.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 38 new security fixes for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-11776	MySQL Enterprise Monitor	Monitoring: General (Apache Struts 2)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior
CVE-2018-8014	MySQL Enterprise Monitor	Monitoring: General (Apache Tomcat)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior
CVE-2018-3258	MySQL Connectors	Connector/J	X Protocol	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.0.12 and prior
CVE-2018-1258	MySQL Enterprise Monitor	Monitoring: General (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior
CVE-2016-9843	MySQL Server	InnoDB (zlib)	MySQL Protocol	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3155	MySQL Server	Server: Parser	MySQL Protocol	No	7.7	Network	Low	Low	None	Changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3143	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3156	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3251	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3182	MySQL Server	Server: DML	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3137	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3203	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3133	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3145	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3144	MySQL Server	Server: Security: Audit	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3185	MySQL Server	InnoDB	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3195	MySQL Server	Server: DDL	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	8.0.12 and prior
CVE-2018-3247	MySQL Server	Server: Merge	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3187	MySQL Server	Server: Optimizer	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3174	MySQL Server	Client programs	MySQL Protocol	No	5.3	Local	High	High	None	Changed	None	None	High	5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3171	MySQL Server	Server: Partition	MySQL Protocol	No	5.0	Network	High	High	None	Un- changed	None	Low	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3277	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3162	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3173	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3200	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3170	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3212	MySQL Server	Server: Information Schema	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3280	MySQL Server	Server: JSON	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3276	MySQL Server	Server: Memcached	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3186	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3161	MySQL Server	Server: Partition	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3278	MySQL Server	Server: RBR	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3279	MySQL Server	Server: Security: Roles	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3282	MySQL Server	Server: Storage Engines	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior
CVE-2018-3285	MySQL Server	Server: Windows	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.12 and prior
CVE-2018-3284	MySQL Server	InnoDB	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3283	MySQL Server	Server: Logging	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.7.23 and prior, 8.0.12 and prior
CVE-2018-3286	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	8.0.12 and prior

Additional CVEs addressed are below:

• The fix for CVE-2016-9843 also addresses CVE-2016-9840, CVE-2016-9841 and CVE-2016-9842.
• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
• The fix for CVE-2018-8014 also addresses CVE-2018-1304, CVE-2018-1305, CVE-2018-8034 and CVE-2018-8037.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 24 new security fixes for Oracle PeopleSoft Products. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-9798	PeopleSoft Enterprise PeopleTools	PeopleSoft CDA (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.55, 8.56
CVE-2018-3192	PeopleSoft Enterprise PeopleTools	Query	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.55, 8.56
CVE-2018-3165	PeopleSoft Enterprise PeopleTools	SQR	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.55, 8.56
CVE-2018-0739	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	8.55, 8.56, 8.57
CVE-2018-3193	PeopleSoft Enterprise PeopleTools	Activity Guide	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3194	PeopleSoft Enterprise PeopleTools	Activity Guide	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3164	PeopleSoft Enterprise PeopleTools	Elastic Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3255	PeopleSoft Enterprise PeopleTools	Fluid Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2018-3301	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3153	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2018-3257	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3154	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3206	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3207	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3132	PeopleSoft Enterprise PeopleTools	Rich Text Editor	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3205	PeopleSoft Enterprise PeopleTools	Workflow	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2018-3130	PeopleSoft Enterprise Interaction Hub	Application Portal	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	9.1.0.0
CVE-2018-3239	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.55, 8.56
CVE-2018-3261	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.55, 8.56, 8.57
CVE-2018-3202	PeopleSoft Enterprise PeopleTools	Performance Monitor	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.55, 8.56
CVE-2018-3198	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.55, 8.56, 8.57
CVE-2018-3135	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	8.55, 8.56
CVE-2018-3262	PeopleSoft Enterprise PeopleTools	Stylesheet	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	8.55, 8.56, 8.57
CVE-2018-3129	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	8.55, 8.56, 8.57

Additional CVEs addressed are below:

• The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 31 new security fixes for Oracle Retail Applications. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-1000031	MICROS Relate CRM Software	Web Services (Apache Commons)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.8, 11.4
CVE-2018-7489	Oracle Retail Allocation	General (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2018-7489	Oracle Retail Assortment Planning	Application Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0
CVE-2016-1000031	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations (Apache Commons)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.0, 17.0
CVE-2017-5645	Oracle Retail Extract Transform and Load	Mathematical Operators (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.0, 13.1, 13.2
CVE-2018-7489	Oracle Retail Invoice Matching	Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2017-5645	Oracle Retail Open Commerce Platform	Framework (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.3.0, 6.0.0, 6.0.1
CVE-2017-5533	Oracle Retail Open Commerce Platform	Framework (JasperReports)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.3.0, 6.0.0, 6.0.1
CVE-2018-1275	Oracle Retail Open Commerce Platform	Framework (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.3.0, 6.0.0, 6.0.1
CVE-2017-5533	Oracle Retail Order Broker	Order Broker Foundation (JasperReports)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.0
CVE-2018-1275	Oracle Retail Order Broker	System Administration (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.1, 5.2, 15.0, 16.0
CVE-2018-1275	Oracle Retail Predictive Application Server	RPAS Fusion Client (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1, 15.0, 16.0
CVE-2018-7489	Oracle Retail Sales Audit	Operational Insights (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2018-1258	MICROS Lucas	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	2.9.5
CVE-2018-1258	Oracle Retail Assortment Planning	Application Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	14.1, 15.0, 16.0
CVE-2018-1258	Oracle Retail Financial Integration	PeopleSoft Integration Bugs (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	13.2, 14.0, 14.1, 15.0, 16.0
CVE-2018-1258	Oracle Retail Integration Bus	RIB Kernal (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	14.1.2
CVE-2017-15095	Oracle Retail Open Commerce Platform	Framework (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	5.3.0, 6.0.0, 6.0.1
CVE-2018-3115	Oracle Retail Sales Audit	Operational Insights	HTTP	No	7.7	Network	High	Low	None	Changed	High	Low	Low	15.0, 16.0
CVE-2018-2889	MICROS Retail-J	Internal Operations	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.2
CVE-2018-8013	Oracle Retail Back Office	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	13.3, 13.4, 14, 14.1
CVE-2018-8013	Oracle Retail Central Office	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	14.1
CVE-2018-8013	Oracle Retail Order Broker	Upgrade Install (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	5.1, 5.2, 15.0, 16.0
CVE-2018-8013	Oracle Retail Point-of-Service	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	13.4, 14.0, 14.1
CVE-2018-8013	Oracle Retail Returns Management	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	14.1
CVE-2018-3122	Oracle Retail Open Commerce Platform	Integrations	HTTP	No	6.8	Network	High	Low	None	Un- changed	High	High	None	6.0, 6.0.1, 5.3
CVE-2018-3126	Oracle Retail Xstore Point of Service	Xenvironment	HTTP	No	6.6	Network	High	High	None	Un- changed	High	High	High	15.0.2, 16.0.4, 17.0.2
CVE-2018-7489	Oracle Retail Xstore Point of Service	Xenvironment (jackson-databind)	HTTP	No	6.6	Network	High	High	None	Un- changed	High	High	High	6.5.12, 7.0.7, 7.1.7, 15.0.2, 16.0.4, 17.0.2
CVE-2018-2887	MICROS Retail-J	Back Office	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	13.0.0, 12.1.2
CVE-2018-1305	MICROS XBRi	Retail (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	10.8.3, 10.8.2, 10.8.1, 10.7.0, 10.6.0, 10.5.0
CVE-2018-1305	Oracle Retail Order Broker	Upgrade Install (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	5.1, 5.2, 15.0

Additional CVEs addressed are below:

• The fix for CVE-2017-5533 also addresses CVE-2017-5529.
• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
• The fix for CVE-2018-1275 also addresses CVE-2017-5529, CVE-2018-1258, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
• The fix for CVE-2018-1305 also addresses CVE-2018-1304.
• The fix for CVE-2018-7489 also addresses CVE-2017-7525, CVE-2018-11307 and CVE-2018-12022.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle Siebel CRM. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Siebel UI Framework	EAI (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	18.7, 18.8, 18.9
CVE-2018-1305	Siebel Apps – Marketing	Mktg/Campaign Mgmt (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	18.7, 18.8, 18.9
CVE-2018-3059	Siebel UI Framework	UIF Open UI	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.7, 18.8, 18.9

Additional CVEs addressed are below:

• The fix for CVE-2018-1305 also addresses CVE-2018-1304.

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 19 new security fixes for the Oracle Sun Systems Products Suite. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-7167	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (curl)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to XCP2352 and Prior to XCP3050
CVE-2016-7167	SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers	XCP Firmware (curl)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to XCP1123	See Note 1
CVE-2018-3273	Solaris	Remote Administration Daemon (RAD)	Multiple	Yes	8.1	Network	Low	None	Required	Un- changed	High	High	None	11.3
CVE-2016-5244	Solaris	Kernel	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.4
CVE-2018-3275	Solaris	LibKMIP	Multiple	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	11.3
CVE-2018-3272	Solaris	Kernel Zones Virtualized NIC Driver	None	No	6.2	Local	Low	None	None	Un- changed	None	None	High	11.3
CVE-2018-3274	Solaris	Kernel	SMB	No	5.7	Network	Low	Low	Required	Un- changed	None	None	High	11.3
CVE-2018-3263	Solaris	Sudo	Multiple	Yes	5.6	Network	High	None	None	Un- changed	Low	Low	Low	11.3
CVE-2015-6937	Solaris	Kernel	None	No	5.5	Local	Low	Low	None	Un- changed	None	None	High	11.4
CVE-2018-3267	Solaris	LFTP	FTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.3
CVE-2018-3271	Solaris	Kernel Zones	None	No	5.3	Local	High	High	None	Changed	None	None	High	11.3
CVE-2018-3172	Solaris	RPC	Portmap v3	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	10, 11.4
CVE-2018-3268	Solaris	SMB Server	SMB	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	11.3
CVE-2018-3265	Solaris	Zones	None	No	4.9	Local	High	None	None	Un- changed	Low	Low	Low	11.3
CVE-2018-3264	Solaris	Kernel	None	No	4.4	Local	Low	Low	None	Un- changed	None	Low	Low	11.3
CVE-2018-3269	Solaris	SMB Server	SMB	No	4.3	Network	Low	Low	None	Un- changed	None	None	Low	11.3
CVE-2018-3266	Solaris	Verified Boot	None	No	3.9	Local	High	High	None	Un- changed	Low	Low	Low	11.3
CVE-2018-2922	Solaris	Kernel	None	No	2.5	Local	High	Low	None	Un- changed	Low	None	None	11.3
CVE-2018-3270	Solaris	Kernel	None	No	1.8	Local	High	High	Required	Un- changed	None	None	Low	11.3

Notes:

1. SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers are not affected by CVE-2017-7407 and CVE-2016-7141.

Additional CVEs addressed are below:

• The fix for CVE-2015-6937 also addresses CVE-2015-7990.
• The fix for CVE-2016-7167 also addresses CVE-2015-3144, CVE-2015-3145, CVE-2015-3153, CVE-2015-3236, CVE-2015-3237, CVE-2016-0755, CVE-2016-3739, CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-7141, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-9586 and CVE-2017-7407.

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 6 new security fixes for the Oracle Supply Chain Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-1258	Oracle Agile PLM	Application Server (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2018-1305	Oracle Agile Engineering Data Management	Install (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	6.1.3, 6.2.0, 6.2.1
CVE-2018-1305	Oracle Agile PLM	Folders, Files & Attachments (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2018-1305	Oracle Transportation Management	Install (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	6.3.7
CVE-2018-3134	Oracle Agile Product Lifecycle Management for Process	User Group Management	None	No	5.0	Local	High	Low	Required	Un- changed	Low	High	None	6.2.0.0
CVE-2018-3127	Oracle Demantra Demand Management	Product Security	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	7.3.5, 12.2

Additional CVEs addressed are below:

• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
• The fix for CVE-2018-1305 also addresses CVE-2018-1304.

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Support Tools. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-0739	OSS Support Tools	Services Tools Bundle (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	Prior to 18.4

Additional CVEs addressed are below:

• The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Virtualization. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-3294	Oracle VM VirtualBox	Core	VRDP	No	9.0	Network	Low	Low	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3288	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3289	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3290	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3296	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3297	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-2909	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3298	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3291	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3292	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3293	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3295	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-3287	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.20
CVE-2018-0732	Oracle VM VirtualBox	Core (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to 5.2.20

Additional CVEs addressed are below:

• The fix for CVE-2018-0732 also addresses CVE-2018-0737.

Related:

• No Related Posts

This Security Alert addresses CVE-2018-11776, a vulnerability in Apache Struts 2. CVE-2018-11776 has received a CVSS v3 base score of 9.8. When the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file, and an ACTION tag is specified without a namespace attribute or a wildcard namespace, this vulnerability can be used to perform an unauthenticated remote code execution attack which can lead to a complete compromise of the targeted system.

Products incorporating Struts 2 are not necessarily vulnerable. For a list of Oracle products, their statuses, and available patches, please refer to Security Alert CVE-2018-11776 Products and Versions. Oracle recommends that customers frequently review Security Alert CVE-2018-11776 Products and Versions and plan to apply the updates as soon as they are released by Oracle. The Security Alert CVE-2018-11776 Products and Versions page will be updated as new information becomes available.

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

References

• Oracle Critical Patch Updates, Security Alerts and Bulletins
• Oracle Critical Patch Updates and Security Alerts – Frequently Asked Questions
• Risk Matrix Definitions
• Use of Common Vulnerability Scoring System (CVSS) by Oracle
• English text version of the risk matrices
• CVRF XML version of the risk matrices
• Map of CVE to Advisory
• Software Error Correction Support Policy

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle: None credited in this Security Alert.

Modification History

Date	Note
2018-August-31	Rev 1. Initial Release.

Third Party Component Risk Matrix This Security Alert contains 1 new security fix for Third Party Component. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. CVE# Component Package and/or Privilege Required Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2018-11776 Apache Struts 2 Core HTTP Yes 9.8 Network Low None None Un- changed High High High 2.3.34 and before 2.5.16 and before

Related:

• No Related Posts

Oracle Security Alert Advisory – CVE-2018-3110

Description

This Security Alert addresses an Oracle Database vulnerability in versions 11.2.0.4 and 12.2.0.1 on Windows. CVE-2018-3110 has a CVSS v3 base score of 9.9, and can result in complete compromise of the Oracle Database and shell access to the underlying server. CVE-2018-3110 also affects Oracle Database version 12.1.0.2 on Windows as well as Oracle Database on Linux and Unix, however patches for those versions and platforms were included in the July 2018 CPU.

If you are running Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows, please apply the patches indicated below. If you are running version 12.1.0.2 on Windows or any version of the database on Linux or Unix and have not yet applied the July 2018 CPU, please do so.

Due to the nature of this vulnerability, Oracle strongly recommends that customers take action without delay.

Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18	Database

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

References

• Oracle Critical Patch Updates, Security Alerts and Bulletins
• Oracle Critical Patch Updates and Security Alerts – Frequently Asked Questions
• Risk Matrix Definitions
• Use of Common Vulnerability Scoring System (CVSS) by Oracle
• English text version of the risk matrices
• CVRF XML version of the risk matrices
• Map of CVE to Advisory
• Software Error Correction Support Policy

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle: None credited in this Security Alert.

Modification History

Date	Note
2018-August-10	Rev 1. Initial Release.

Oracle Database Server Risk Matrix This Security Alert contains 1 new security fix for the Oracle Database Server. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. This fix is not applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here. CVE# Component Package and/or Privilege Required Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2018-3110 Java VM Create Session Oracle Net No 9.9 Network Low Low None Changed High High High 11.2.0.4, 12.1.0.2, 12.2.0.1, 18

Related:

• No Related Posts

Oracle Database Server Risk Matrix

This Critical Patch Update contains 4 new security fixes for the Oracle Database Server divided as follows:

• 3 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
• 1 new security fix for Oracle Global Lifecycle Management. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-15095	Oracle Spatial (jackson-databind)	None	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.0.1, 18.1
CVE-2018-2939	Core RDBMS	Local Logon	Local Logon	No	8.4	Local	Low	Low	None	Changed	None	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1, 18.2
CVE-2018-3004	Java VM	Create Session, Create Procedure	Multiple	No	5.3	Network	High	Low	None	Un- changed	High	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18.2

Oracle Global Lifecycle Management Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Global Lifecycle Management. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-7489	Oracle Global Lifecycle Management OPatchAuto	DB specific extensions (jackson-databind)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	All

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Communications Applications. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-2099	Oracle Communications User Data Repository	Security (Apache Xerces)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.x, 12.x
CVE-2016-0714	Oracle Communications Policy Management	Security (Apache Tomcat)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.x
CVE-2016-2176	Oracle Communications Policy Management	Security (OpenSSL)	TLS	Yes	8.2	Network	Low	None	None	Un- changed	Low	None	High	12.x
CVE-2017-7525	Oracle Communications Policy Management	Security (Apache Struts 2)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.x
CVE-2016-5195	Oracle Communications Policy Management	Platform (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	12.x
CVE-2017-6074	Oracle Communications Session Border Controller	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	ECz7.x, ECz8.x
CVE-2017-0379	Oracle Communications Interactive Session Recorder	Security (libgcrypt)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.x, 6.x
CVE-2015-7940	Oracle Communications Policy Management	CMP (Bouncy Castle)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.x
CVE-2017-5662	Oracle Communications Diameter Signaling Router (DSR)	Security (Apache Batik)	HTTP	No	7.3	Network	Low	Low	Required	Un- changed	High	None	High	7.x, 8.x
CVE-2018-2904	Oracle Communications EAGLE LNP Application Processor	GUI	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	10.x
CVE-2018-0739	Oracle Communications Network Charging and Control	Security (OpenSSL)	TLS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0
CVE-2017-3633	Oracle Communications Policy Management	Security (MySQL)	Multiple	Yes	6.5	Network	High	None	None	Un- changed	None	Low	High	12.x
CVE-2018-2936	Oracle Communications Messaging Server	Web Client	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.x
CVE-2015-5600	Oracle Communications Policy Management	Security (OpenSSH)	SSH	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.x

Additional CVEs addressed are below:

• The fix for CVE-2015-5600 also addresses CVE-2014-2532.
• The fix for CVE-2016-0714 also addresses CVE-2014-0230, CVE-2014-7810, CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706 and CVE-2016-3092.
• The fix for CVE-2016-2099 also addresses CVE-2016-4463.
• The fix for CVE-2016-2176 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 and CVE-2016-2109.
• The fix for CVE-2017-3633 also addresses CVE-2017-3634, CVE-2017-3635, CVE-2017-3636, CVE-2017-3641, CVE-2017-3647, CVE-2017-3648, CVE-2017-3649, CVE-2017-3651, CVE-2017-3652, CVE-2017-3653 and CVE-2017-3732.
• The fix for CVE-2017-7525 also addresses CVE-2017-15707 and CVE-2018-1327.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 11 new security fixes for the Oracle Construction and Engineering Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2966	Primavera Unifier	Core	HTTP	Yes	7.4	Network	Low	None	Required	Changed	None	High	None	16.x, 17.x, 18.x
CVE-2018-2968	Primavera Unifier	Core	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	High	None	16.x, 17.x, 18.x
CVE-2016-4055	Primavera Unifier	Core (Moment)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	16.x, 17.x, 18.x
CVE-2018-2960	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4, 15.x, 16.x, 17.x
CVE-2018-2961	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4, 15.x, 16.x, 17.x
CVE-2018-2965	Primavera Unifier	Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.x
CVE-2016-7103	Primavera Unifier	Core (jQueryUI)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.x, 17.x, 18.x
CVE-2018-2967	Primavera Unifier	Core	None	No	5.3	Physical	Low	None	None	Changed	High	None	None	16.x, 17.x, 18.x
CVE-2018-2962	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	4.4	Network	High	Low	Required	Changed	Low	Low	None	8.4, 15.x, 16.x, 17.x
CVE-2018-2963	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.4, 15.x, 16.x
CVE-2018-2969	Primavera Unifier	Core	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	16.x

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 14 new security fixes for the Oracle E-Business Suite. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2018), My Oracle Support Note 2379675.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2993	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3017	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2995	Oracle iStore	Shopping Cart	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3018	Oracle iStore	Shopping Cart	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3008	Oracle Marketing	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2018-2953	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2997	Oracle Scripting	Script Author	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2018-2991	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3012	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2996	Oracle Applications Manager	Oracle Diagnostics Interfaces	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2954	Oracle Order Management	Product Diagnostic Tools	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2988	Oracle Marketing	Products	HTTP	Yes	6.9	Network	High	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2934	Oracle Application Object Library	Attachments / File Upload	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.1.3
CVE-2018-2994	Oracle iStore	Shopping Cart	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 16 new security fixes for the Oracle Enterprise Manager Products Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2394520.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Enterprise Manager Base Platform	Installer (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager Base Platform	Security Framework (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager for Fusion Middleware	Application Replay (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager for Fusion Middleware	FMW Plugin for CC (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager for MySQL Database	EM Plugin: General (Apache Log4j)	Log4j	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2.2.0.0 and prior
CVE-2017-5645	Enterprise Manager for Oracle Database	Provisioning (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.8, 13.2.2
CVE-2017-5645	Enterprise Manager for Peoplesoft	PSEM Plugin (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.1.1.1, 13.2.1.1
CVE-2018-7489	Enterprise Manager for Virtualization	Plug-In Lifecycle (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2.2, 13.2.3
CVE-2018-1275	Enterprise Manager Ops Center	Networking (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.2, 12.3.3
CVE-2018-1275	Oracle Application Testing Suite	Load Testing for Web Apps (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.1
CVE-2018-2976	Enterprise Manager Ops Center	Networking	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	High	Low	None	12.2.2
CVE-2016-1181	Enterprise Manager for Fusion Middleware	FMW Plugin for CC (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.1.0.5
CVE-2017-9798	Enterprise Manager Base Platform	Installer (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	13.2.x
CVE-2016-9878	Enterprise Manager Ops Center	Framework (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.2, 12.3.3
CVE-2017-9798	Enterprise Manager Ops Center	Networking (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.2, 12.3.3
CVE-2018-0739	Enterprise Manager Ops Center	Networking (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	12.2.2, 12.3.3

Additional CVEs addressed are below:

• The fix for CVE-2016-1181 also addresses CVE-2014-0114 and CVE-2016-1182.
• The fix for CVE-2016-9878 also addresses CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.
• The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
• The fix for CVE-2018-1275 also addresses CVE-2016-9878, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
• The fix for CVE-2018-7489 also addresses CVE-2017-7525.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 56 new security fixes for Oracle Financial Services Applications. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The “Oracle Financial Services Analytical Applications Infrastructure” is a component that is used by a number of Oracle Financial Services Applications. Customers should refer to the MOS Note (Doc ID 2380553.1) to determine the dependent products and refer Oracle Financial Services Analytical Applications Infrastructure MOS document to determine how to patch this component.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Oracle Banking Platform	Collections (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.6.0, 2.6.1, 2.6.2
CVE-2017-5645	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.3.x, 8.0.x	See Note 1
CVE-2018-1275	Oracle Financial Services Analytical Applications Infrastructure	Inline Processing Engine (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.x	See Note 1
CVE-2018-1275	Oracle Financial Services Behavior Detection Platform	Admin Tool (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.x
CVE-2017-5645	Oracle Financial Services Behavior Detection Platform	Ingestion (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.x
CVE-2017-5645	Oracle Financial Services Funds Transfer Pricing	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1.1, 8.0.x
CVE-2017-5645	Oracle Financial Services Hedge Management and IFRS Valuations	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.4, 8.0.5
CVE-2017-5645	Oracle Financial Services Loan Loss Forecasting and Provisioning	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.4, 8.0.5
CVE-2017-5645	Oracle Financial Services Profitability Management	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1.1, 8.0.x
CVE-2018-3050	Oracle Banking Corporate Lending	Core module	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3027	Oracle Banking Payments	Payments Core	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3051	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3035	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3015	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-8013	Oracle Financial Services Analytical Applications Infrastructure	Link Analysis and Metadata browser (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	7.3.3.x, 8.0.x	See Note 1
CVE-2018-3040	Oracle Banking Corporate Lending	Core module	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3022	Oracle Banking Payments	Payments Core	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2014-3577	Oracle Financial Services Revenue Management and Billing	External Message (HTTP Client)	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	2.3.0.2.0, 2.4.0.0.0, 2.4.0.1.0, 2.5.0.1.0, 2.5.0.2.0, 2.5.0.3.0
CVE-2018-3041	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.3.0, 14.0.0, 14.1.0
CVE-2018-3030	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2979	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3036	Oracle Banking Corporate Lending	Core module	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3020	Oracle Banking Payments	Payments Core	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3037	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.3.0, 14.0.0, 14.1.0
CVE-2018-3028	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2974	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-2895	Oracle Banking Corporate Lending	Core module	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-2896	Oracle Banking Payments	Payments Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-2897	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-2898	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2899	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3042	Oracle Banking Corporate Lending	Core module	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3044	Oracle Banking Corporate Lending	Core module	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3048	Oracle Banking Corporate Lending	Core module	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3023	Oracle Banking Payments	Payments Core	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3024	Oracle Banking Payments	Payments Core	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3026	Oracle Banking Payments	Payments Core	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3043	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.3.0, 14.0.0, 14.1.0
CVE-2018-3045	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3049	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3031	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3032	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3034	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2980	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-2981	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3019	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3038	Oracle Banking Corporate Lending	Core module	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3046	Oracle Banking Corporate Lending	Core module	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3021	Oracle Banking Payments	Payments Core	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3025	Oracle Banking Payments	Payments Core	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3039	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3047	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3029	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3033	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2975	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-2982	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0

Notes:

1. Please refer MOS document (Doc ID 2380553.1) for applicability across other Oracle Financial Services products.

Additional CVEs addressed are below:

• The fix for CVE-2014-3577 also addresses CVE-2015-5262.
• The fix for CVE-2018-1275 also addresses CVE-2018-1258, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 44 new security fixes for Oracle Fusion Middleware. 38 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the July 2018 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2394520.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Oracle Enterprise Data Quality	General (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2018-1275	Oracle Enterprise Repository	Security Subsystem (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.7.0, 12.1.3.0.0
CVE-2017-5645	Oracle Fusion Middleware MapViewer	Install (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.2, 12.2.1.3
CVE-2018-7489	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2018-7489	Oracle WebLogic Server	Console (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.2, 12.2.1.3
CVE-2018-1275	Oracle WebLogic Server	Sample apps (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-2894	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-2893	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-3100	Oracle Business Process Management Suite	Process Analysis & Discovery	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-3007	Oracle Tuxedo	Core	Jolt	Yes	8.6	Network	Low	None	None	Changed	High	None	None	12.1.1, 12.1.3, 12.2.2
CVE-2018-2935	Oracle WebLogic Server	JSF	HTTP	Yes	8.3	Network	Low	None	Required	Un- changed	High	High	Low	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-2958	BI Publisher	BI Publisher Security	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	Low	High	None	11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-2900	BI Publisher	Layout Tools	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	Low	High	None	11.1.1.7.0
CVE-2017-12617	FMW Platform	Common Components (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.2.1.2.0, 12.2.1.3.0
CVE-2015-7940	Oracle JDeveloper	None (Bouncy Castle Java package)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-8013	Oracle Fusion Middleware MapViewer	Install (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	12.2.1.2, 12.2.1.3
CVE-2018-2943	Oracle Fusion Middleware MapViewer	Map Builder	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	12.2.1.2.0, 12.2.1.3.0
CVE-2018-3102	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-2992	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3009	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3010	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3092	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3103	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3093	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3094	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3095	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3096	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3097	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3104	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3098	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3099	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-2925	BI Publisher	Web Server	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-0739	Oracle API Gateway	Oracle API Gateway (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	11.1.2.4.0
CVE-2018-3109	Oracle Fusion Middleware MapViewer	Map Builder	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.2.1.2, 12.2.1.3
CVE-2018-0739	Oracle Tuxedo	SSL/TLS (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	12.1.1
CVE-2016-9843	Oracle Outside In Technology	Outside In Search Export SDK (zlib)	HTTP	Yes	6.3	Network	Low	None	Required	Un- changed	Low	Low	Low	8.5.3	See Note 1
CVE-2018-2987	Oracle WebLogic Server	Console	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2015-0204	Oracle Internet Directory	SSL/TLS	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	11.1.1.9.0	See Note 2
CVE-2018-2998	Oracle WebLogic Server	SAML	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2011-4461	Oracle Endeca Information Discovery Studio	Studio (Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	3.1, 3.2
CVE-2018-3108	Oracle Fusion Middleware	Oracle Notification Service	HTTPS	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.2.1.2, 12.2.1.3
CVE-2018-3101	Oracle WebCenter Portal	Portlet Services	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-2933	Oracle WebLogic Server	WLS Core Components	HTTP	No	4.9	Network	High	Low	None	Changed	Low	Low	None	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3	See Note 3
CVE-2018-3105	Oracle SOA Suite	Health Care FastPath	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0

Notes:

1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
2. Please refer to MOS document (Doc ID 2420947.1) for instructions on how to address this issue.
3. Please refer to MOS document (Doc ID 2421480.1) for instructions on how to address this issue.

Additional CVEs addressed are below:

• The fix for CVE-2016-9843 also addresses CVE-2014-8157, CVE-2014-9029, CVE-2014-9746, CVE-2015-3414, CVE-2015-3415, CVE-2015-3416, CVE-2016-0718, CVE-2016-5300, CVE-2016-9841 and CVE-2017-10989.
• The fix for CVE-2018-0739 also addresses CVE-2017-3735, CVE-2017-3736, CVE-2017-3738 and CVE-2018-0733.
• The fix for CVE-2018-1275 also addresses CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
• The fix for CVE-2018-7489 also addresses CVE-2017-7525.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 24 new security fixes for Oracle Hospitality Applications. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2984	Oracle Hospitality Cruise Fleet Management System	Gangway Activity Web App	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.x
CVE-2016-1181	Oracle Hospitality Gift and Loyalty	Report (Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.0.0
CVE-2016-1181	Oracle Hospitality Gift and Loyalty	iCard.net (Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.0.0
CVE-2018-2956	Oracle Hospitality OPERA 5 Property Services	Integration	None	No	8.1	Local	High	None	None	Changed	High	High	High	5.5.x
CVE-2016-1181	Oracle Hospitality Reporting and Analytics	Configuration (Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.0.0
CVE-2016-1181	Oracle Hospitality Reporting and Analytics	Report (Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.0.0
CVE-2016-1181	Oracle Hospitality Reporting and Analytics	Report (Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.0.0
CVE-2018-2957	Oracle Hospitality OPERA 5 Property Services	Logging	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.5.x
CVE-2018-3002	Oracle Hospitality Cruise Fleet Management System	Fleet Management System Suite	None	No	7.1	Local	Low	None	None	Changed	High	None	None	9.x
CVE-2018-3000	Oracle Hospitality Cruise Shipboard Property Management System	SPMS Suite	None	No	7.1	Local	Low	None	None	Changed	High	None	None	8.x
CVE-2018-2978	Oracle Hospitality Simphony	Import/Export	HTTP	No	7.1	Network	High	Low	None	Un- changed	High	High	Low	2.8, 2.9, 2.10
CVE-2018-3013	Oracle Hospitality OPERA 5 Property Services	Report Server Config	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	5.5.x
CVE-2018-3014	Oracle Hospitality OPERA 5 Property Services	Reports	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	5.5.x
CVE-2017-0785	MICROS Handheld Terminal	MC40 Zebra Handheld unit (WiFi)	None	No	6.2	Local	Low	None	None	Un- changed	High	None	None	Android 4.4.4 Security Patch Bulletin prior to February 1, 2018
CVE-2018-3003	Oracle Hospitality Cruise Fleet Management System	Fleet Management System Suite	None	No	6.2	Local	Low	None	None	Un- changed	High	None	None	9.x
CVE-2018-3001	Oracle Hospitality Cruise Shipboard Property Management System	SPMS Suite	None	No	6.2	Local	Low	None	None	Un- changed	High	None	None	8.x
CVE-2017-5715	MICROS 700 Series Tablet	MICROS Tablet 720 (BIOS)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 0.01.25ORC
CVE-2017-5715	MICROS 700 Series Tablet	MICROS Tablet 721 (BIOS)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 0.00.13ORC
CVE-2017-5715	MICROS Kitchen Display Controller	Kitchen Display System 210 (BIOS)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 0.00.16ORC
CVE-2017-5715	MICROS Workstation 6	Workstation 610 (BIOS 32 Bit)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 1.5.2.0
CVE-2017-5715	MICROS Workstation 6	Workstation 610 (BIOS 64 Bit)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 2.3.1.0
CVE-2017-5715	MICROS Workstation 6	Workstation 620 (BIOS)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 1.3.1.0
CVE-2017-5715	MICROS Workstation 6	Workstation 650 (BIOS)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 1.3.1.0
CVE-2018-2955	Oracle Hospitality OPERA 5 Property Services	Integration	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.5.x

Additional CVEs addressed are below:

• The fix for CVE-2016-1181 also addresses CVE-2014-0114, CVE-2015-6420 and CVE-2016-1182.
• The fix for CVE-2017-0785 also addresses CVE-2017-13088 and CVE-2017-13218.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Hyperion. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2907	Hyperion Financial Reporting	Security Models	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	11.1.2
CVE-2018-2915	Hyperion Data Relationship Management	Access and security	HTTPS	Yes	5.8	Network	Low	None	None	Changed	Low	None	None	11.1.2.4.330

Oracle iLearning Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2989	Oracle iLearning	Learner Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	6.2

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Insurance Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Oracle Insurance Policy Administration	Policy Administration (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0, 10.1, 10.2, 11.0
CVE-2018-1275	Oracle Insurance Policy Administration	Policy Administration (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0, 10.1, 10.2, 11.0

Oracle Java SE Risk Matrix

This Critical Patch Update contains 8 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2938	Java SE	Java DB	Multiple	Yes	9.0	Network	High	None	None	Changed	High	High	High	Java SE: 6u191, 7u181, 8u172	See Note 1
CVE-2018-2964	Java SE	Deployment	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 8u172, 10.0.1	See Note 2
CVE-2018-2941	Java SE	JavaFX	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u181, 8u172, 10.0.1	See Note 2
CVE-2018-2942	Java SE	Windows DLL	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u181, 8u172	See Note 3
CVE-2018-2972	Java SE	Security	Multiple	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Java SE: 10.0.1	See Note 3
CVE-2018-2973	Java SE, Java SE Embedded	JSSE	SSL/TLS	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	Java SE: 6u191, 7u181, 8u172, 10.0.1; Java SE Embedded: 8u171	See Note 2
CVE-2018-2940	Java SE, Java SE Embedded	Libraries	Multiple	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	Java SE: 6u191, 7u181, 8u172, 10.0.1; Java SE Embedded: 8u171	See Note 2
CVE-2018-2952	Java SE, Java SE Embedded, JRockit	Concurrency	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 6u191, 7u181, 8u172, 10.0.1; Java SE Embedded: 8u171; JRockit: R28.3.18	See Note 3

Notes:

1. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVE-2018-2938 addresses CVE-2018-1313.
2. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
3. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 10 new security fixes for Oracle JD Edwards Products. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2944	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	9.2
CVE-2018-2947	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	9.2
CVE-2018-2945	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2946	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2948	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2949	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2950	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2999	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-3006	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2017-3736	JD Edwards World Security	GUI / World Vision (OpenSSL)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	A9.3, A9.3.1, A9.4

Additional CVEs addressed are below:

• The fix for CVE-2017-3736 also addresses CVE-2017-3735.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 31 new security fixes for Oracle MySQL. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	MySQL Enterprise Monitor	Service Manager (Apache Log4j)	Log4j	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4.7.4297 and prior, 4.0.4.5235 and prior, 8.0.0.8131 and prior
CVE-2017-0379	MySQL Workbench	Workbench: Security: Encryption (libgcrypt)	MySQL Protocol	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.0.11 and prior
CVE-2018-3064	MySQL Server	InnoDB	MySQL Protocol	No	7.1	Network	Low	Low	None	Un- changed	None	Low	High	5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior
CVE-2018-0739	MySQL Connectors	Connector/ODBC (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	5.3.10 and prior, 8.0.11 and prior
CVE-2018-0739	MySQL Enterprise Monitor	Monitoring: General (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	3.4.7.4297 and prior, 4.0.4.5235 and prior, 8.0.0.8131 and prior
CVE-2018-3070	MySQL Server	Client mysqldump	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior
CVE-2018-3060	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	High	None	Un- changed	None	High	High	5.7.22 and prior, 8.0.11 and prior
CVE-2018-3065	MySQL Server	Server: DML	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.22 and prior, 8.0.11 and prior
CVE-2018-0739	MySQL Server	Server: Installing (OpenSSL)	MySQL Protocol	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior
CVE-2018-3073	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-0739	MySQL Workbench	Workbench: Security: Encryption (OpenSSL)	MySQL Protocol	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3074	MySQL Server	Server: Security: Roles	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3062	MySQL Server	Server: Memcached	memcached	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior
CVE-2018-3081	MySQL Client	Client programs	MySQL Protocol	No	5.0	Network	High	High	None	Un- changed	None	Low	High	5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior
CVE-2018-3071	MySQL Server	Audit Log	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.22 and prior
CVE-2018-3079	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3054	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.22 and prior, 8.0.11 and prior
CVE-2018-3077	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.22 and prior, 8.0.11 and prior
CVE-2018-3078	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3080	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3061	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.22 and prior
CVE-2018-3067	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3063	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.5.60 and prior
CVE-2018-3075	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3058	MySQL Server	MyISAM	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior
CVE-2018-3056	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	5.7.22 and prior, 8.0.11 and prior
CVE-2018-2598	MySQL Workbench	Workbench: Security: Encryption	MySQL Protocol	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	6.3.10 and earlier
CVE-2018-3066	MySQL Server	Server: Options	MySQL Protocol	No	3.3	Network	High	High	None	Un- changed	Low	Low	None	5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior
CVE-2018-2767	MySQL Server	Server: Security: Encryption	MySQL Protocol	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior
CVE-2018-3084	MySQL Server	Shell: Core / Client	None	No	2.8	Local	Low	Low	Required	Un- changed	None	None	Low	8.0.11 and prior
CVE-2018-3082	MySQL Server	Server: DDL	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	8.0.11 and prior

Additional CVEs addressed are below:

• The fix for CVE-2017-0379 also addresses CVE-2017-9526.
• The fix for CVE-2018-0739 also addresses CVE-2017-3737 and CVE-2017-3738.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 15 new security fixes for Oracle PeopleSoft Products. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	PeopleSoft Enterprise FIN Install	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-1275	PeopleSoft Enterprise FIN Install	Security (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-2990	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	8.55, 8.56
CVE-2018-2977	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	8.55, 8.56
CVE-2018-0739	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	8.55, 8.56
CVE-2018-2951	PeopleSoft Enterprise PeopleTools	Configuration Manager	None	No	6.2	Local	Low	None	None	Un- changed	High	None	None	8.55, 8.56
CVE-2018-3068	PeopleSoft Enterprise HCM Human Resources	Compensation	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2929	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-2919	PeopleSoft Enterprise PeopleTools	Unified Navigation	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-2985	PeopleSoft Enterprise PeopleTools	Workflow	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-2986	PeopleSoft Enterprise PeopleTools	Workflow	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3016	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	8.55, 8.56
CVE-2018-3072	PeopleSoft HRMS	Candidate Gateway	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	9.2
CVE-2018-2970	PeopleSoft Enterprise PeopleTools	PIA Search Functionality	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.55, 8.56
CVE-2018-3076	PeopleSoft Enterprise CS Financial Aid	ISIR Processing	HTTP	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	9.0, 9.2

Additional CVEs addressed are below:

• The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
• The fix for CVE-2018-1275 also addresses CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.

Oracle Policy Automation Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle Policy Automation. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Oracle Policy Automation	Determinations Engine (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10
CVE-2017-5645	Oracle Policy Automation Connector for Siebel	Core (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.4.6
CVE-2017-5645	Oracle Policy Automation for Mobile Devices	Core (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 31 new security fixes for Oracle Retail Applications. 26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5533	MICROS Lucas	Security (JasperReports)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.9.5.3, 2.9.5.4, 2.9.5.5, 2.9.5.6
CVE-2017-5533	MICROS Relate CRM Software	Internal Operations (JasperReports)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.8.x, 11.4.x
CVE-2018-1275	Oracle Retail Back Office	Security (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1
CVE-2018-1275	Oracle Retail Central Office	Security (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1
CVE-2017-5645	Oracle Retail Clearance Optimization Engine	General Application (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.5
CVE-2017-5645	Oracle Retail Financial Integration	PeopleSoft Integration Bugs (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2.x, 14.0.x, 14.1.x, 15.0.x, 16.0.x, 16.0.x
CVE-2017-5645	Oracle Retail Integration Bus	RIB Kernal (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.0 14.1.0, 15.0, 16.0
CVE-2017-5533	Oracle Retail Order Broker	Order Broker Foundation (JasperReports)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.2, 15.0, 16.0
CVE-2018-1275	Oracle Retail Point-of-Service	Infrastructure (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1
CVE-2017-5645	Oracle Retail Predictive Application Server	RPAS Fusion Client (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0.3
CVE-2018-1275	Oracle Retail Returns Management	Security (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1
CVE-2017-5645	Oracle Retail Service Backbone	Install (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.x, 14.1.x, 15.0.x, 16.0.x
CVE-2017-5645	Oracle Retail Service Layer	Installation (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.x
CVE-2016-6814	Oracle Retail Integration Bus	RIB Kernal (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.x, 14.1.x, 15.0.x, 16.0.x
CVE-2016-6814	Oracle Retail Service Backbone	Install (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	16.0.025
CVE-2016-1181	MICROS XBR	Retail (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	7.0.2, 7.0.4
CVE-2017-12617	Oracle Retail Convenience and Fuel POS Software	OPT Server (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.1.132
CVE-2016-3506	Oracle Retail Convenience and Fuel POS Software	Point of Sale	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.1.132
CVE-2018-2882	MICROS Retail-J	Interfaces	HTTP	No	7.7	Network	Low	Low	None	Changed	None	High	None	10.2.x, 11.0.x, 12.0.x, 12.1.x, 12.1.1.x, 12.1.2.x, 13.1.x
CVE-2016-9878	Oracle Retail Back Office	Security (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	14.0, 14.1
CVE-2016-9878	Oracle Retail Central Office	Security	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	14.0, 14.1
CVE-2017-5664	Oracle Retail Convenience and Fuel POS Software	OPT Server (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	2.1.132
CVE-2015-7940	Oracle Retail Convenience and Fuel POS Software	OPT Server (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	2.1.132
CVE-2016-9878	Oracle Retail Integration Bus	Install (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	14.0.x, 14.1.x, 15.0.x, 16.0.x
CVE-2016-9878	Oracle Retail Point-of-Sale	Transaction (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	14.0, 14.1
CVE-2016-9878	Oracle Retail Returns Management	Security (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	14.0, 14.1
CVE-2018-2888	MICROS Retail-J	Back Office	none	No	6.7	Physical	High	High	Required	Changed	High	High	Low	10.2.x, 11.0.x, 12.0.x, 12.1.x, 12.1.1.x, 12.1.2.x, 13.1.x
CVE-2018-3052	MICROS Relate CRM Software	Internal Operations	HTTP	No	6.4	Network	Low	Low	None	Changed	None	Low	Low	10.8.x, 11.4.x
CVE-2018-3053	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations	HTTP	No	6.4	Network	Low	Low	None	Changed	None	Low	Low	16.x, 17.x
CVE-2018-2881	MICROS Retail-J	Database	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	11.0.x, 12.0.x, 12.1.x, 12.1.1.x, 12.1.2.x, 13.1.x
CVE-2018-2891	Oracle Retail Bulk Data Integration	BDI Job Scheduler	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.0

Additional CVEs addressed are below:

• The fix for CVE-2016-1181 also addresses CVE-2014-0114 and CVE-2016-1182.
• The fix for CVE-2017-5533 also addresses CVE-2017-5529.
• The fix for CVE-2017-5664 also addresses CVE-2016-8735.
• The fix for CVE-2018-1275 also addresses CVE-2016-9878, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Siebel CRM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2959	Siebel UI Framework	UIF Open UI	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	18.0

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 22 new security fixes for the Oracle Sun Systems Products Suite. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2930	Solaris Cluster	NAS device addition	RPC	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.3, 4.3
CVE-2015-7501	Tape Library ACSLS	Software (Apache Commons Collections)	Multiple	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to ACSLS 8.4.0-3
CVE-2018-3057	Sun ZFS Storage Appliance Kit (AK)	API frameworks	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 8.7.18
CVE-2018-2928	Solaris	RAD	Multiple	Yes	8.1	Network	Low	None	Required	Un- changed	High	High	None	11.3
CVE-2018-2892	Solaris	Availability Suite Service	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	10, 11.3
CVE-2018-2908	Solaris	Kernel	RPC	No	7.7	Network	Low	Low	None	Changed	None	None	High	11.3
CVE-2018-2926	Solaris	NVIDIA-GFX Kernel driver	ISCSI	No	7.6	Network	Low	Low	None	Un- changed	Low	Low	High	11.3
CVE-2018-2918	Sun ZFS Storage Appliance Kit (AK)	API frameworks	Multiple	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	Prior to 8.7.18
CVE-2018-2920	Sun ZFS Storage Appliance Kit (AK)	API frameworks	Multiple	No	7.4	Network	Low	Low	None	Changed	Low	Low	Low	Prior to 8.7.19
CVE-2018-2932	Oracle SuperCluster Specific Software	SuperCluster Virtual Assistant	Multiple	Yes	7.1	Network	High	None	Required	Un- changed	High	Low	High	Prior to 2.5.0
CVE-2018-1171	Solaris	Kernel	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	10, 11.3
CVE-2018-2921	Sun ZFS Storage Appliance Kit (AK)	User Interface	HTTP	Yes	5.8	Network	Low	None	None	Changed	Low	None	None	Prior to 8.7.18
CVE-2018-2924	Sun ZFS Storage Appliance Kit (AK)	API frameworks	None	No	5.7	Local	Low	High	None	Changed	Low	Low	Low	Prior to 8.7.18
CVE-2018-2937	Sun ZFS Storage Appliance Kit (AK)	User Interface	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	Prior to 8.7.19
CVE-2018-2917	Sun ZFS Storage Appliance Kit (AK)	API frameworks	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Prior to 8.7.18
CVE-2018-2905	Sun ZFS Storage Appliance Kit (AK)	Core Services	SSL/TLS	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	Prior to 8.7.20
CVE-2018-2903	Solaris	Kernel	None	No	4.4	Local	Low	High	None	Un- changed	High	None	None	10, 11.3
CVE-2018-2927	Sun ZFS Storage Appliance Kit (AK)	HTTP data path subsystems	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	Prior to 8.7.18
CVE-2018-2906	Hardware Management Pack	Ipmitool	IPMI	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	11.3
CVE-2018-2901	Solaris	Kernel	DHCP	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	10, 11.2
CVE-2018-2916	Sun ZFS Storage Appliance Kit (AK)	API frameworks	Multiple	No	2.7	Network	Low	High	None	Un- changed	None	None	Low	Prior to 8.7.18
CVE-2018-2923	Sun ZFS Storage Appliance Kit (AK)	Core Services	None	No	2.3	Local	Low	High	None	Un- changed	Low	None	None	Prior to 8.7.20

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 8 new security fixes for the Oracle Supply Chain Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Oracle AutoVue VueLink Integration	Installation Issues (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	21.0.0, 21.0.1
CVE-2016-6814	Oracle Agile PLM	Event Java PX (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2016-1181	Agile Recipe Management for Pharmaceuticals	UI Components-Framework (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.3.4
CVE-2016-1181	Oracle Transportation Management	Install (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	6.2, 6.3.7, 6.4.1
CVE-2017-5662	Oracle Agile PLM MCAD Connector	CAX Client (Apache Batik)	HTTP	No	7.3	Network	Low	Low	Required	Un- changed	High	None	High	3.3, 3.4, 3.5, 3.6
CVE-2018-0739	Oracle Agile Engineering Data Management	Install (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	6.1.3, 6.2.0, 6.2.1
CVE-2018-0739	Oracle Transportation Management	Install (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	6.2
CVE-2018-3069	Oracle Agile Product Lifecycle Management for Process	Installation	HTTP	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	6.2.0.0

Additional CVEs addressed are below:

• The fix for CVE-2016-1181 also addresses CVE-2014-0114 and CVE-2016-1182.
• The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Support Tools. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-1000300	OSS Support Tools	Services Tools Bundle (curl)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	Prior to 18.3

Additional CVEs addressed are below:

• The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 4 new security fixes for Oracle Utilities Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Oracle Utilities Network Management System	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.12.x, 2.3.x
CVE-2017-5645	Oracle Utilities Work and Asset Management	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.9.1.2.12
CVE-2016-5019	Oracle Utilities Framework	Help (Apache Trinidad)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	4.3.x
CVE-2017-5662	Oracle Utilities Network Management System	Install (Apache Batik)	HTTP	No	7.3	Network	Low	Low	Required	Un- changed	High	None	High	1.12.x, 2.3.x

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 12 new security fixes for Oracle Virtualization. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-3086	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.16
CVE-2018-3087	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.16
CVE-2018-3088	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.16
CVE-2018-3089	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.16
CVE-2018-3090	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.16
CVE-2018-3085	Oracle VM VirtualBox	Core	None	No	8.5	Local	Low	None	Required	Changed	Low	High	High	Prior to 5.2.16
CVE-2018-1000300	Oracle Secure Global Desktop	Core (curl)	Multiple	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	5.3, 5.4
CVE-2018-3055	Oracle VM VirtualBox	Core	None	No	7.1	Local	Low	None	Required	Changed	Low	None	High	Prior to 5.2.16
CVE-2018-1305	Oracle Secure Global Desktop	Application Server (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	5.3, 5.4
CVE-2018-0739	Oracle Secure Global Desktop	Core (OpenSSL)	TLS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	5.3, 5.4
CVE-2018-3091	Oracle VM VirtualBox	Core	None	No	6.3	Local	Low	None	Required	Changed	High	None	None	Prior to 5.2.16
CVE-2018-3005	Oracle VM VirtualBox	Core	None	No	4.0	Local	Low	None	None	Un- changed	None	None	Low	Prior to 5.2.16

Additional CVEs addressed are below:

• The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.
• The fix for CVE-2018-1305 also addresses CVE-2018-1304.

Related:

• No Related Posts