Oracle – Intelligent Systems Monitoring

Oracle Critical Patch Update Advisory – July 2020

July 13, 2020September 18, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – July 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 444 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at July 2020 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Category Management Planning & Optimization, version 15.0.3	Retail Applications
Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0	Retail Applications
Enterprise Manager Base Platform, versions 12.1.0.5, 13.3.0.0, 13.4.0.0	Enterprise Manager
Enterprise Manager for Fusion Middleware, version 12.1.0.5	Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0	Enterprise Manager
GoldenGate Stream Analytics, versions prior to 19.1.0.0.1	Database
Hyperion Financial Close Management, version 11.1.2.4	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1-17.3	Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.4.2	JD Edwards
JD Edwards EnterpriseOne Tools, versions prior to 9.2.3.3, prior to 9.2.4.2	JD Edwards
MySQL Client, versions 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior	MySQL
MySQL Cluster, versions 7.3.29 and prior, 7.4.28 and prior, 7.5.18 and prior, 7.6.14 and prior, 8.0.20 and prior	MySQL
MySQL Connectors, versions 8.0.20 and prior	MySQL
MySQL Enterprise Monitor, versions 4.0.12 and prior, 8.0.20 and prior	MySQL
MySQL Server, versions 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior	MySQL
Oracle Agile Engineering Data Management, version 6.2.1.0	Oracle Supply Chain Products
Oracle Application Express, versions 5.1-19.2	Database
Oracle Application Testing Suite, versions 13.2.0.1, 13.3.0.1	Enterprise Manager
Oracle AutoVue, version 21.0	Oracle Supply Chain Products
Oracle Banking Enterprise Collections, versions 2.7.0-2.9.0	Oracle Banking Platform
Oracle Banking Payments, versions 14.1.0-14.4.0	Oracle Financial Services Applications
Oracle Banking Platform, versions 2.4.0-2.10.0	Oracle Banking Platform
Oracle Berkeley DB, versions prior to 6.1.38, prior to 18.1.40	Berkeley DB
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	Fusion Middleware
Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 11.0, 11.1, 11.2, prior to 11.3.1	Oracle Commerce
Oracle Commerce Platform, versions 11.1, 11.2, prior to 11.3.1	Oracle Commerce
Oracle Commerce Service Center, versions 11.1, 11.2, prior to 11.3.1	Oracle Commerce
Oracle Communications Analytics, version 12.1.1	Oracle Communications Analytics
Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.3.0	Oracle Communications Billing and Revenue Management
Oracle Communications BRM – Elastic Charging Engine, versions 11.3, 12.0	Oracle Communications BRM – Elastic Charging Engine
Oracle Communications Contacts Server, version 8.0.0.4.0	Oracle Communications Contacts Server
Oracle Communications Convergence, versions 3.0.1.0-3.0.2.1	Oracle Communications Convergence
Oracle Communications Diameter Signaling Router (DSR), versions 8.0-8.4	Oracle Communications Diameter Signaling Router
Oracle Communications Element Manager, versions 8.1.1, 8.2.0, 8.2.1	Oracle Communications Element Manager
Oracle Communications Evolved Communications Application Server, version 7.1	Oracle Communications Evolved Communications Application Server
Oracle Communications Instant Messaging Server, version 10.0.1.4.0	Oracle Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder, versions 6.1-6.4	Oracle Communications Interactive Session Recorder
Oracle Communications IP Service Activator, versions 7.3.0, 7.4.0	Oracle Communications IP Service Activator
Oracle Communications LSMS, versions 13.0-13.3	Oracle Communications LSMS
Oracle Communications Messaging Server, versions 8.0.2, 8.1.0	Oracle Communications Messaging Server
Oracle Communications MetaSolv Solution, version 6.3.0	Oracle Communications MetaSolv Solution
Oracle Communications Network Charging and Control, versions 6.0.1, 12.0.0-12.0.3	Oracle Communications Network Charging and Control
Oracle Communications Network Integrity, versions 7.3.2-7.3.6	Oracle Communications Network Integrity
Oracle Communications Operations Monitor, versions 3.4, 4.1-4.3	Oracle Communications Operations Monitor
Oracle Communications Order and Service Management, versions 7.3, 7.4	Oracle Communications Order and Service Management
Oracle Communications Services Gatekeeper, versions 6.0, 6.1, 7.0	Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions 8.1.0, 8.2.0, 8.3.0	Oracle Communications Session Border Controller
Oracle Communications Session Report Manager, versions 8.1.1, 8.2.0, 8.2.1	Oracle Communications Session Report Manager
Oracle Communications Session Route Manager, versions 8.1.1, 8.2.0, 8.2.1	Oracle Communications Session Route Manager
Oracle Configuration Manager, version 12.1.2.0.6	Enterprise Manager
Oracle Configurator, versions 12.1, 12.2	Oracle Supply Chain Products
Oracle Data Masking and Subsetting, versions 13.3.0.0, 13.4.0.0	Enterprise Manager
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Spatial Studio] prior to 19.2.1	Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9	E-Business Suite
Oracle Endeca Information Discovery Studio, version 3.2.0	Fusion Middleware
Oracle Enterprise Communications Broker, versions 3.0.0-3.2.0	Oracle Enterprise Communications Broker
Oracle Enterprise Repository, version 11.1.1.7.0	Fusion Middleware
Oracle Enterprise Session Border Controller, versions 8.1.0, 8.2.0, 8.3.0	Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Compliance Regulatory Reporting, versions 8.0.6-8.0.8	Oracle Financial Services Compliance Regulatory Reporting
Oracle Financial Services Lending and Leasing, versions 12.5.0, 14.1.0-14.8.0	Oracle Financial Services Applications
Oracle Financial Services Liquidity Risk Management, version 8.0.6	Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8	Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8	Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank, version 8.0.4	Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank
Oracle FLEXCUBE Investor Servicing, versions 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0	Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0	Oracle Financial Services Applications
Oracle Fusion Middleware MapViewer, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Global Lifecycle Management/OPatch, versions prior to 12.2.0.1.20	Global Lifecycle Management
Oracle GoldenGate, versions prior to 19.1.0.0.0	Database
Oracle GraalVM Enterprise Edition, versions 19.3.2, 20.1.0	Oracle GraalVM Enterprise Edition
Oracle Health Sciences Empirica Inspections, version 1.0.1.2	Health Sciences
Oracle Health Sciences Empirica Signal, version 7.3.3	Health Sciences
Oracle Healthcare Master Person Index, version 4.0.2	Health Sciences
Oracle Healthcare Translational Research, versions 3.2.1, 3.3.1, 3.3.2, 3.4.0	Health Sciences
Oracle Help Technologies, versions 11.1.1.9.0, 12.2.1.3.0	Fusion Middleware
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1	Oracle Hospitality Guest Access
Oracle Hospitality Reporting and Analytics, version 9.1.0	Oracle Hospitality Reporting and Analytics
Oracle Hyperion BI+, version 11.1.2.4	Fusion Middleware
Oracle iLearning, versions 6.1, 6.1.1	iLearning
Oracle Insurance Accounting Analyzer, versions 8.0.6-8.0.9	Oracle Insurance Accounting Analyzer
Oracle Insurance Data Gateway, version 1.0	Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0	Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0	Oracle Insurance Applications
Oracle Java SE, versions 7u261, 8u251, 11.0.7, 14.0.1	Java SE
Oracle Java SE Embedded, version 8u251	Java SE
Oracle Outside In Technology, versions 8.5.4, 8.5.5	Fusion Middleware
Oracle Rapid Planning, versions 12.1, 12.2	Oracle Supply Chain Products
Oracle Real User Experience Insight, version 13.3.1.0	Enterprise Manager
Oracle Retail Assortment Planning, versions 15.0, 15.0.3, 16.0, 16.0.3	Retail Applications
Oracle Retail Bulk Data Integration, versions 15.0, 16.0	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, version 18.0	Retail Applications
Oracle Retail Data Extractor for Merchandising, versions 1.9, 1.10, 18.0	Retail Applications
Oracle Retail Extract Transform and Load, version 19.0	Retail Applications
Oracle Retail Financial Integration, versions 15.0, 16.0	Retail Applications
Oracle Retail Fusion Platform, version 5.5	Retail Applications
Oracle Retail Integration Bus, versions 15.0, 15.0.3, 16.0, 16.0.3	Retail Applications
Oracle Retail Invoice Matching, version 16.0	Retail Applications
Oracle Retail Item Planning, version 15.0.3	Retail Applications
Oracle Retail Macro Space Optimization, version 15.0.3	Retail Applications
Oracle Retail Merchandise Financial Planning, version 15.0.3	Retail Applications
Oracle Retail Merchandising System, versions 15.0.3, 16.0.2, 16.0.3	Retail Applications
Oracle Retail Order Broker, version 15.0	Retail Applications
Oracle Retail Predictive Application Server, versions 14.0.3, 14.1.3, 15.0.3, 16.0.3	Retail Applications
Oracle Retail Regular Price Optimization, versions 15.0.3, 16.0.3	Retail Applications
Oracle Retail Replenishment Optimization, version 15.0.3	Retail Applications
Oracle Retail Sales Audit, version 14.1	Retail Applications
Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0	Retail Applications
Oracle Retail Size Profile Optimization, version 15.0.3	Retail Applications
Oracle Retail Store Inventory Management, versions 14.0.4, 14.1.3, 15.0.3, 16.0.3	Retail Applications
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 18.0, 19.0	Retail Applications
Oracle SD-WAN Aware, versions 8.0, 8.1, 8.2	Oracle SD-WAN Aware
Oracle SD-WAN Edge, versions 8.0, 8.1, 8.2, 9.0	Oracle SD-WAN Edge
Oracle Security Service, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Solaris, version 11	Systems
Oracle TimesTen In-Memory Database, versions prior to 18.1.2.1.0	Database
Oracle Transportation Management, versions 6.3.7, 6.4.3	Oracle Supply Chain Products
Oracle Unified Directory, versions 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Utilities Framework, versions 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0	Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.2.44, prior to 6.0.24, prior to 6.1.12	Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8	Systems
PeopleSoft Enterprise FIN Expenses, version 9.2	PeopleSoft
PeopleSoft Enterprise HCM Global Payroll Switzerland, version 9.2	PeopleSoft
PeopleSoft Enterprise HRMS, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58	PeopleSoft
Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4	Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.6	Oracle Construction and Engineering Suite
Primavera Portfolio Management, versions 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, [Mobile App] prior to 20.6	Oracle Construction and Engineering Suite
Siebel Applications, versions 2.20.5 and prior, 20.6 and prior	Siebel

Note:

Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets which contain critical security fixes and detailed in Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Abdullah Alzahrani: CVE-2020-14554, CVE-2020-14635
Alessandro Bosco of TIM S.p.A: CVE-2020-14690
Alexander Kornbrust of Red Database Security: CVE-2020-2984
Alves Christopher (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
Ammarit Thongthua of Secure D Center Cybersecurity Team: CVE-2020-14558, CVE-2020-14564
Andrej Simko of Accenture: CVE-2020-14534, CVE-2020-14555, CVE-2020-14590, CVE-2020-14657, CVE-2020-14658, CVE-2020-14659, CVE-2020-14660, CVE-2020-14661, CVE-2020-14665, CVE-2020-14666, CVE-2020-14667, CVE-2020-14679, CVE-2020-14688
Antonin B. of NCIA / NCSC: CVE-2020-14610
Arseniy Sharoglazov of Positive Technologies: CVE-2020-14622
Artur Wojtkowski and CQURE Team: CVE-2020-14617, CVE-2020-14618
Billy Cody of Context Information Security: CVE-2020-14595
Bui Duong from Viettel Cyber Security: CVE-2020-14611
CERT/CC: CVE-2020-14558
Chathura Abeydeera of Deloitte Risk Advisory Pty Ltd: CVE-2020-14531
Chi Tran: CVE-2020-14534, CVE-2020-14716, CVE-2020-14717
Conor McErlane working with Trend Micro’s Zero Day Initiative: CVE-2020-14628
Damian Bury: CVE-2020-14546
Edoardo Predieri of TIM S.p.A: CVE-2020-14690
Emad Al-Mousa of Saudi Aramco: CVE-2020-2969, CVE-2020-2978
Fabio Minarelli of TIM S.p.A: CVE-2020-14690
Filip Ceglik: CVE-2020-14560, CVE-2020-14565
Forum Bhayani: CVE-2020-14592
Francesco Russo of TIM S.p.A: CVE-2020-14690
Giovanni Delvecchio of Almaviva Security Assessment Team: CVE-2020-14607, CVE-2020-14608
Hangfan Zhang: CVE-2020-14575, CVE-2020-14654
Hugo Santiago dos Santos: CVE-2020-14613
Johannes Kuhn: CVE-2020-14556
Julien Zhan (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
kdot working with Trend Micro Zero Day Initiative: CVE-2020-14664
Khuyen Nguyen of secgit.com: CVE-2020-14668, CVE-2020-14669, CVE-2020-14670, CVE-2020-14671, CVE-2020-14681, CVE-2020-14682, CVE-2020-14686
Kingkk: CVE-2020-14642, CVE-2020-14644
Kritsada Sunthornwutthikrai of Secure D Center Cybersecurity Team: CVE-2020-14558, CVE-2020-14564
Larry W. Cashdollar: CVE-2020-14724
Lionel Debroux: CVE-2020-2981
Luca Di Giuseppe of TIM S.p.A: CVE-2020-14690
Lucas Leong of Trend Micro Zero Day Initiative: CVE-2020-14646, CVE-2020-14647, CVE-2020-14648, CVE-2020-14649, CVE-2020-14650, CVE-2020-14673, CVE-2020-14674, CVE-2020-14694, CVE-2020-14695, CVE-2020-14703, CVE-2020-14704
lufei of Tencent Force: CVE-2020-14645
Lukas Braune of Siemens: CVE-2019-8457
Lukasz Mikula: CVE-2020-14541
Lukasz Rupala of ING Tech Poland: CVE-2020-14552
Maoxin Lin of Dbappsecurity Team: CVE-2020-14645, CVE-2020-14652
Marco Marsala: CVE-2020-14559
Markus Loewe: CVE-2020-14583
Markus Wulftange of Code White GmbH: CVE-2020-14644, CVE-2020-14645, CVE-2020-14687
Massimiliano Brolli of TIM S.p.A: CVE-2020-14690
Mateusz Dabrowski: CVE-2020-14584, CVE-2020-14585
Maxime Escourbiac of Michelin CERT: CVE-2020-14719, CVE-2020-14720
Mohamed Fadel: CVE-2020-14601, CVE-2020-14602, CVE-2020-14603, CVE-2020-14604, CVE-2020-14605
Ntears of Chaitin Security Team: CVE-2020-14645, CVE-2020-14652
Owais Zaman of Sabic: CVE-2020-14551
Pavel Cheremushkin: CVE-2020-14713
Philippe Antoine (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
Philippe Arteau of GoSecure: CVE-2020-14577
Preeyakorn Keadsai of Secure D Center Cybersecurity Team: CVE-2020-14558, CVE-2020-14564
Przemyslaw Nowakowski: CVE-2020-2977
Quynh Le of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-14625
r00t4dm from A-TEAM of Legendsec at Qi’anxin Group: CVE-2020-14636, CVE-2020-14637, CVE-2020-14638, CVE-2020-14639, CVE-2020-14640, CVE-2020-14645, CVE-2020-14652
Reno Robert working with Trend Micro Zero Day Initiative: CVE-2020-14629, CVE-2020-14675, CVE-2020-14676, CVE-2020-14677
Roberto Suggi Liverani of NCIA / NCSC: CVE-2020-14610
Roger Meyer: CVE-2020-2513, CVE-2020-2971, CVE-2020-2972, CVE-2020-2973, CVE-2020-2974, CVE-2020-2975, CVE-2020-2976
Roman Shemyakin: CVE-2020-14621
Rui Zhong: CVE-2020-14575, CVE-2020-14654
Saeed Shiravi: CVE-2020-14548
Shimizu Kawasaki of Asiainfo-sec of CSS Group: CVE-2020-14645, CVE-2020-14652
Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2020-14532, CVE-2020-14533
Suthum Thitiananpakorn: CVE-2020-14569
Ted Raffle of rapid7.com: CVE-2020-14535, CVE-2020-14536
Tomasz Stachowicz: CVE-2020-14570, CVE-2020-14571
Trung Le: CVE-2020-14534, CVE-2020-14716, CVE-2020-14717
Tuan Anh Nguyen of Viettel Cyber Security: CVE-2020-14598, CVE-2020-14599
Vijayakumar Muniraj of CybersecurityWorks Research Labs: CVE-2020-14723
Yaoguang Chen of Ant-financial Light-Year Security Lab: CVE-2020-14654, CVE-2020-14725
Yongheng Chen: CVE-2020-14575, CVE-2020-14654
ZeddYu Lu of StarCross Tech: CVE-2020-14588, CVE-2020-14589
Zhao Xin Jun: CVE-2020-14652
Zhongcheng Li (CK01) from Zero-dayits Team of Legendsec at Qi’anxin Group: CVE-2020-14711, CVE-2020-14712
Ziming Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2020-14707, CVE-2020-14714, CVE-2020-14715
Ziming Zhang from Codesafe Team of Legendsec at Qi’anxin Group working with Trend Micro Zero Day Initiative: CVE-2020-14698, CVE-2020-14699, CVE-2020-14700
Zouhair Janatil-Idrissi (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

Alexander Kornbrust of Red Database Security [10 reports]
Cao Linhong of Sangfor Furthereye Security Team
Chi Tran [2 reports]
Fatih Çelik
James Nichols of 80/20 Labs
lufei of Tencent Force
Maoxin Lin of Dbappsecurity Team
Marc Fielding of Google
Markus Loewe [2 reports]
r00t4dm from A-TEAM of Legendsec at Qi’anxin Group
Ryan Gerstenkorn
Saeid Tizpaz Niari
Shimizu Kawasaki of Asiainfo-sec of CSS Group
Trung Le [2 reports]
Venustech ADLab
Yu Wang of BMH Security Team [2 reports]

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

0xd0ff9 aka Bao Bui
1ZRR4H aka Germán Fernández
@ngkogkos hunt4p1zza
Abdulkadir Mutlu
Abdullah Mohamed
Abhinav P
Aditra Andri Laksana
Ahmed Moustafa
Alfie Njeru (emenalf)
Aman Deep Singh Chawla
Anas Rahmani
Anat Bremler-Barr
Anis Azzi
Anon Venus
Ansar Uddin Anan
Ben Passmore
Celal Erdik of Ebruu Tech Limited
Chirag Prajapati
Dave Altena
Dhamu Harker
Dhiral Patel
Dhiren Kumar Pradhan
Elmonzer Kamaleldin of Monzer Kamal
HackersEra VMS [2 reports]
Hamza Megahed
Harpreet Singh of Pyramid Cyber Security & Forensic Pvt Ltd
Harry The DevOps Guy
Ilyas Orak
Jagdish Bharucha
Jatin Saini
Jeremy Lindsey of Burns & McDonnell [2 reports]
Jin DanLong
Josue Acevedo Maldonado
Ken Nevers
Kishore Hariram [2 reports]
Last Light [2 reports]
Lior Shafir
Luciano Anezin
Maayan Amid of Orca Security
Magrabur Alam Sofily
Matthijs R. Koot [2 reports]
Mayur Gupta
Meridian Miftari
Moaied Nagi Hassan (Moonlight)
Mohit Khemchandani
Muhammad Abdullah
Naveen Kumar
Ome Mishra
Prathmesh Lalingkar
Pratish Bhansali
Prince Achillies
Pritam Mukherjee
Rajesh Patil
Raphael Karger
Ricardo Iramar dos Santos
Ridvan Erbas
Roger Meyer
rootme34
Russell Muetzelfeldt of Flybuys
Saad Zitouni
Sajid Ali
Sam Jadali
Sarath Kumar (Kadavul)
Saurabh Dilip Mhatre
Severus of VietSunshine Security Engineering Team
Shailesh Kumar
Shubham Khadgi
Sipke Mellema
Siva Pathela
Smii Mondher
Srinivas M
Tinu Tomy
Tony Marcel Nasr [2 reports]
Tuatnh
Tushar Bhardwaj
Ujjwal Tyagi
Valentin Virtejanu of Lifespan
Victor Gevers
Viet Nguyen [2 reports]
Virendra Tiwari
Vishal Ajwani
Vlad Staricin
Yehuda Afek
Youssef A. Mohamed aka GeneralEG
Zubin

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

20 October 2020
19 January 2021
20 April 2021
20 July 2021

References

Modification History

Date	Note
2020-August-31	Rev 7. Credit Statement Update.
2020-August-3	Rev 6. Credit Statement Update.
2020-July-27	Rev 5. Credit Statement Update.
2020-July-24	Rev 4. Affected version number changes to CVE-2020-14701 & CVE-2020-14606
2020-July-23	Rev 3. Added entry for CVE-2020-14725 in MySQL Risk Matrix. The fix was included in patches already released but was inadvertently not documented.
2020-July-20	Rev 2. Credit Statement Update.
2020-July-14	Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 27 new security patches for the Oracle Database Products divided as follows:

19 new security patches for Oracle Database Server.
3 new security patches for Oracle Berkeley DB.
1 new security patch for Oracle Global Lifecycle Management.
3 new security patches for Oracle GoldenGate.
1 new security patch for Oracle TimesTen In-Memory Database.

Oracle Database Server Risk Matrix

This Critical Patch Update contains 19 new security patches for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	MapViewer (Apache Commons FileUpload)	Valid User Account	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.2.0.1, 18c, 19c	See Note 1
CVE-2020-2968	Java VM	Create Session, Create Procedure	Multiple	No	8.0	Network	High	Low	Required	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2016-9843	Core RDBMS (zlib)	Create Session	Oracle Net	No	7.2	Network	Low	High	None	Un- changed	High	High	High	18c
CVE-2020-2969	Data Pump	DBA role account	Oracle Net	No	6.6	Network	High	High	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-8112	GeoRaster (OpenJPG)	Create Session	Oracle Net	No	5.7	Network	Low	Low	Required	Un- changed	None	None	High	18c
CVE-2020-2513	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	5.1-19.2
CVE-2020-2971	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	5.1-19.2
CVE-2020-2972	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	5.1-19.2
CVE-2020-2973	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	5.1-19.2
CVE-2020-2974	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	5.1-19.2
CVE-2020-2976	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	5.1-19.2
CVE-2020-2975	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	5.1-19.2
CVE-2019-17569	Workload Manager (Apache Tomcat)	None	HTTP	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	12.2.0.1, 18c, 19c
CVE-2020-2977	Oracle Application Express	Valid User Account	HTTP	No	4.6	Network	Low	Low	Required	Un- changed	Low	Low	None	5.1-19.2
CVE-2020-2978	Oracle Database – Enterprise Edition	DBA role account	Oracle Net	No	4.1	Network	Low	High	None	Changed	None	Low	None	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-13990	MapViewer (Terracotta Quartz Scheduler, Apache Batik, Google Guava)	Local Logon	None	No	0.0	Local	Low	Low	Required	Un- changed	None	None	None	12.2.0.1, 18c, 19c	See Note 2
CVE-2018-18314	Oracle Database (Perl)	Local Logon	None	No	0.0	Local	High	High	None	Un- changed	None	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	See Note 3
CVE-2019-10086	Spatial Studio (Apache Commons Beanutils)	Local Logon	None	No	0.0	Local	Low	Low	None	Un- changed	None	None	None	Spatial Studio: Prior to 19.2.1	See Note 4
CVE-2019-16943	TFA (jackson-databind)	Local Logon	None	No	0.0	Local	High	High	None	Un- changed	None	None	None	12.2.0.1, 18c, 19c	See Note 5

Notes:

MapViewer is not deployed with a default installation. To use MapViewer the customer needs to re-deploy MapViewer EAR file into Oracle WebLogic Server.
The CVE-2019-13990 and other CVEs listed for this patch are not exploitable in the context of Oracle Spatial and Graph MapViewer product, thus the CVSS score is 0.0.
None of the CVEs listed against this row are exploitable in the context of Oracle Database, thus the CVSS score is 0.0.
The CVE-2019-10086 is not exploitable in the context of Oracle Spatial Studio product, thus the CVSS score is 0.0.
The CVE-2019-16943 and additional CVEs addressed by this patch are not exploitable in the context of Oracle TFA, thus the CVSS score for TFA patch for this issue is is 0.0.

Additional CVEs addressed are below:

The patch for CVE-2016-9843 also addresses CVE-2016-9840, CVE-2016-9841 and CVE-2016-9842.
The patch for CVE-2018-18314 also addresses CVE-2015-8607, CVE-2015-8608, CVE-2016-2381, CVE-2017-12814, CVE-2017-12837, CVE-2017-12883, CVE-2018-12015, CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-6797, CVE-2018-6798 and CVE-2018-6913.
The patch for CVE-2019-13990 also addresses CVE-2018-10237 and CVE-2018-8013.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
The patch for CVE-2019-17569 also addresses CVE-2020-1935 and CVE-2020-1938.
The patch for CVE-2020-8112 also addresses CVE-2016-1923, CVE-2016-1924, CVE-2016-3183, CVE-2016-4796, CVE-2016-4797, CVE-2016-8332, CVE-2016-9112 and CVE-2020-6851.

Oracle Berkeley DB Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Berkeley DB. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-10140	Data Store	None	None	No	7.3	Local	Low	Low	Required	Un- changed	High	High	High	Prior to 6.1.38
CVE-2020-2981	Data Store	None	None	No	7.0	Local	High	None	Required	Un- changed	High	High	High	Prior to 18.1.40
CVE-2019-8457	Data Store (SQLite)	None	TCP	No	0.0	Network	Low	None	Required	Un- changed	None	None	None	Prior to 18.1.40	See Note 1

Notes:

The CVE-2019-8457 is not exploitable in the context of Oracle Berkeley DB product, thus the CVSS score is 0.0.

Oracle Global Lifecycle Management Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Global Lifecycle Management. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-9546	Oracle Global Lifecycle Management/OPatch	Patch Installer (jackson-databind)	None	No	0.0	Local	Low	Low	None	Un- changed	None	None	None	Prior to 12.2.0.1.20	See Note 1

Notes:

None of the CVEs listed against this row are exploitable in the Oracle Global Lifecycle Management product, thus the CVSS score is 0.0.

Additional CVEs addressed are below:

The patch for CVE-2020-9546 also addresses CVE-2019-16943, CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle GoldenGate. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14705	Oracle GoldenGate	Process Management	TCP	Yes	9.6	Adjacent Network	Low	None	None	Changed	High	High	High	Prior to 19.1.0.0.0
CVE-2019-0222	GoldenGate Stream Analytics	Security (ActiveMQ)	TCP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	Prior to 19.1.0.0.1
CVE-2019-14379	GoldenGate Stream Analytics	Security / Application Adapters (jackson-databind, SLF4J, ZooKeeper, Apache Spark)	None	No	0.0	Local	Low	Low	None	Un- changed	None	None	None	Prior to 19.1.0.0.1	See Note 1

Notes:

CVE-2019-14379 and other CVEs addressed by these patches are not exploitable in the Oracle GoldenGate product, thus the CVSS score is 0.0.

Additional CVEs addressed are below:

The patch for CVE-2019-14379 also addresses CVE-2016-5017, CVE-2017-5637, CVE-2018-17190, CVE-2018-8012, CVE-2018-8088, CVE-2019-0201, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14439 and CVE-2019-14893.

Oracle TimesTen In-Memory Database Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle TimesTen In-Memory Database. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-18314	Oracle TimesTen In-Memory Database	Doc, EM Plug-in (Perl)	OracleNet	No	0.0	Network	Low	Low	None	Un- changed	None	None	None	Prior to 18.1.2.1.0	See Note 1

Notes:

None of the CVEs listed against this row are exploitable in the context of Oracle Database, thus the CVSS score is 0.0.

Additional CVEs addressed are below:

The patch for CVE-2018-18314 also addresses CVE-2015-8607, CVE-2015-8608, CVE-2016-2381, CVE-2017-12814, CVE-2017-12837, CVE-2017-12883, CVE-2018-12015, CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-6797, CVE-2018-6798 and CVE-2018-6913.

Oracle Commerce Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Commerce. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14536	Oracle Commerce Guided Search / Oracle Commerce Experience Manager	Workbench	HTTP	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	11.0, 11.1, 11.2, prior to 11.3.1
CVE-2020-14535	Oracle Commerce Service Center	Commerce Service Center	HTTP	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	11.1, 11.2, prior to 11.3.1
CVE-2020-14532	Oracle Commerce Platform	Dynamo Application Framework	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	11.1, 11.2, prior to 11.3.1
CVE-2020-14533	Oracle Commerce Platform	Dynamo Application Framework	HTTP	No	3.5	Network	Low	High	Required	Un- changed	Low	Low	None	11.1, 11.2, prior to 11.3.1

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 60 new security patches for Oracle Communications Applications. 46 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14701	Oracle SD-WAN Aware	User Interface	HTTP	Yes	10.0	Network	Low	None	None	Changed	High	High	High	8.0, 8.1, 8.2
CVE-2020-14606	Oracle SD-WAN Edge	User Interface	HTTP	Yes	10.0	Network	Low	None	None	Changed	High	High	High	8.0, 8.1, 8.2, 9.0
CVE-2018-11058	Oracle Communications Analytics	Platform (RSA BSAFE)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.1
CVE-2019-16943	Oracle Communications Billing and Revenue Management	Business Operation Center, Billing Care (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.5.0.23.0, 12.0.0.3.0
CVE-2016-1000031	Oracle Communications Contacts Server	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0.4.0
CVE-2020-9546	Oracle Communications Contacts Server	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0.4.0
CVE-2020-1938	Oracle Communications Element Manager	Core (Apache Tomcat)	Apache JServ Protocol (AJP)	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.1.1, 8.2.0, 8.2.1
CVE-2020-9546	Oracle Communications Evolved Communications Application Server	Session Design Center, Universal Data Recorder (jackson-databind)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.1
CVE-2020-1938	Oracle Communications Instant Messaging Server	Installation (Apache Tomcat)	Apache JServ Protocol (AJP)	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0.1.4.0
CVE-2020-9546	Oracle Communications Instant Messaging Server	Presence API (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0.1.4.0
CVE-2019-13990	Oracle Communications IP Service Activator	Netwok Processor Configuration Management (Terracotta Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.0, 7.4.0
CVE-2020-11656	Oracle Communications Network Charging and Control	Data Access Pack (SQLite)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0.1, 12.0.0-12.0.3
CVE-2019-2729	Oracle Communications Network Integrity	Integration (Oracle WebLogic Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.2-7.3.6
CVE-2019-2904	Oracle Communications Network Integrity	User Interface (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.2-7.3.6
CVE-2017-5645	Oracle Communications Network Integrity	Cartridge Management (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.2-7.3.6
CVE-2020-7060	Oracle Communications Diameter Signaling Router (DSR)	Platform (PHP)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	8.0-8.4
CVE-2020-1945	Oracle Communications MetaSolv Solution	Online Help (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	6.3.0
CVE-2018-1258	Oracle Communications Network Integrity	Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	7.3.2-7.3.6
CVE-2020-9546	Oracle Communications Network Charging and Control	Installer (jackson-databind)	None	No	8.4	Local	Low	None	None	Un- changed	High	High	High	6.0.1, 12.0.0-12.0.3
CVE-2020-14580	Oracle Communications Session Border Controller	System Admin	SSH	No	8.2	Network	Low	Low	Required	Changed	High	Low	Low	8.1.0, 8.2.0, 8.3.0
CVE-2016-1181	Oracle Communications Network Integrity	MSS Integration Cartridge (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	7.3.2-7.3.6
CVE-2017-0861	Oracle Communications LSMS	Kernel	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	13.0-13.3
CVE-2020-1945	Oracle Communications Order and Service Management	Installer (Apache Ant)	None	No	7.7	Local	Low	None	None	Un- changed	High	High	None	7.3, 7.4
CVE-2020-5398	Oracle Communications BRM – Elastic Charging Engine	Orchestration (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	11.3, 12.0
CVE-2019-17359	Oracle Communications Convergence	S/MIME Configuration (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.0.1.0-3.0.2.1
CVE-2020-5398	Oracle Communications Element Manager	Core (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	8.1.1, 8.2.0, 8.2.1
CVE-2019-0227	Oracle Communications Network Integrity	Adapters (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	7.3.5, 7.3.6
CVE-2019-16056	Oracle Communications Operations Monitor	VSP implementing webserver (Python)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	3.4, 4.1-4.3
CVE-2019-0227	Oracle Communications Order and Service Management	Installer, CMWS, CMT (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	7.3, 7.4
CVE-2020-5398	Oracle Communications Session Report Manager	Core (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	8.1.1, 8.2.0, 8.2.1
CVE-2020-5398	Oracle Communications Session Route Manager	Core (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	8.1.1, 8.2.0, 8.2.1
CVE-2020-14630	Oracle Enterprise Session Border Controller	File Upload	HTTP	No	7.5	Network	Low	High	Required	Changed	Low	Low	High	8.1.0, 8.2.0, 8.3.0
CVE-2019-10193	Oracle Communications Operations Monitor	FDP, VSP Login, Packet Inspector (Redis)	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	3.4, 4.1
CVE-2019-12423	Oracle Communications Element Manager	REST API (Apache CXF)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.1.1, 8.2.0, 8.2.1
CVE-2019-12423	Oracle Communications Session Report Manager	REST API (Apache CXF)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.1.1, 8.2.0, 8.2.1
CVE-2019-12423	Oracle Communications Session Route Manager	REST API (Apache CXF)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-14721	Oracle Enterprise Communications Broker	WebGUI	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	3.0.0-3.2.0
CVE-2020-11022	Oracle Communications Analytics	Platform (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.1
CVE-2020-11022	Oracle Communications Element Manager	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-1941	Oracle Communications Element Manager	Workorders (Apache ActiveMQ)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-11022	Oracle Communications Interactive Session Recorder	Dashboard (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.1-6.4
CVE-2019-17091	Oracle Communications Network Integrity	Core (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.3.5, 7.3.6
CVE-2020-11022	Oracle Communications Operations Monitor	Mediation Engine, Dashboard, Grapahs, Calls (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.4, 4.1-4.3
CVE-2020-11022	Oracle Communications Session Report Manager	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-1941	Oracle Communications Session Report Manager	Workorders (Apache ActiveMQ)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-11022	Oracle Communications Session Route Manager	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-1941	Oracle Communications Session Route Manager	Workorders (Apache ActiveMQ)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-14563	Oracle Enterprise Communications Broker	WebGUI	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.0.0-3.2.0
CVE-2020-14722	Oracle Enterprise Communications Broker	WebGUI	HTTP	Yes	5.8	Network	High	None	Required	Changed	Low	Low	Low	3.0.0-3.2.0
CVE-2018-3639	Oracle Communications LSMS	Kernel	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	13.0-13.3
CVE-2020-1951	Oracle Communications Messaging Server	Security (Apache Tika)	None	No	5.5	Local	Low	None	Required	Un- changed	None	None	High	8.0.2, 8.1.0
CVE-2019-10247	Oracle Communications Analytics	Platform (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1
CVE-2020-1934	Oracle Communications Element Manager	Core (Apache HTTP Server)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.1.1, 8.2.0, 8.2.1
CVE-2019-10247	Oracle Communications Services Gatekeeper	Platform Test Environment (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	6.0, 6.1, 7.0
CVE-2020-1934	Oracle Communications Session Report Manager	Core (Apache HTTP Server)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-1934	Oracle Communications Session Route Manager	Core (Apache HTTP Server)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.1.1, 8.2.0, 8.2.1
CVE-2020-14574	Oracle Communications Interactive Session Recorder	FACE	None	No	4.7	Local	High	High	None	Un- changed	High	Low	None	6.1-6.4
CVE-2020-9488	Oracle Communications Instant Messaging Server	Installation (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	10.0.1.4.0
CVE-2020-9488	Oracle Communications Interactive Session Recorder	API, FACE, Archiver (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	6.1-6.4
CVE-2020-9488	Oracle Communications Network Charging and Control	Notification Gateway (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	6.0.1, 12.0.0-12.0.3

Additional CVEs addressed are below:

The patch for CVE-2016-1181 also addresses CVE-2016-1182.
The patch for CVE-2017-0861 also addresses CVE-2017-15265, CVE-2018-1000004, CVE-2018-10901, CVE-2018-3620, CVE-2018-3646, CVE-2018-3693, CVE-2018-5390 and CVE-2018-7566.
The patch for CVE-2017-5645 also addresses CVE-2020-9488.
The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
The patch for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The patch for CVE-2018-3639 also addresses CVE-2018-10675, CVE-2018-10872 and CVE-2018-3665.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10193 also addresses CVE-2019-10192.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.
The patch for CVE-2019-12423 also addresses CVE-2019-17573.
The patch for CVE-2019-13990 also addresses CVE-2019-5427.
The patch for CVE-2019-16056 also addresses CVE-2019-16935.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
The patch for CVE-2019-2729 also addresses CVE-2019-2725.
The patch for CVE-2019-2904 also addresses CVE-2019-2094.
The patch for CVE-2020-11022 also addresses CVE-2019-11358 and CVE-2020-11023.
The patch for CVE-2020-11656 also addresses CVE-2020-11655, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632 and CVE-2020-9327.
The patch for CVE-2020-1934 also addresses CVE-2020-1927.
The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
The patch for CVE-2020-1951 also addresses CVE-2020-1950.
The patch for CVE-2020-5398 also addresses CVE-2020-5397.
The patch for CVE-2020-7060 also addresses CVE-2020-7059.
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 20 new security patches for Oracle Construction and Engineering. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Primavera Gateway	Admin (Apache Ant)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.2.0-16.2.11, 17.12.0-17.12.7
CVE-2020-10683	Primavera P6 Enterprise Project Portfolio Management	Web Access (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.6
CVE-2020-9546	Primavera Unifier	Platform (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2020-1945	Primavera Unifier	Core (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2018-17196	Primavera P6 Enterprise Project Portfolio Management	Web Access (kafka client)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	19.12.0-19.12.6
CVE-2020-9484	Instantis EnterpriseTrack	Core (Apache Tomcat)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	17.1-17.3
CVE-2020-11022	Primavera Gateway	Admin (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4
CVE-2020-2562	Primavera Portfolio Management	Investor Module	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-14528	Primavera Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-14706	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	5.9	Network	High	None	Required	Un- changed	High	Low	None	17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.5
CVE-2020-14527	Primavera Portfolio Management	Web Access	HTTP	Yes	5.9	Network	High	None	Required	Un- changed	High	Low	None	16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-14549	Primavera Portfolio Management	Web Server	HTTPS	Yes	5.9	Network	High	None	Required	Un- changed	High	Low	None	16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-14618	Primavera Unifier	Mobile App	HTTPS	Yes	5.9	Network	High	None	Required	Un- changed	High	Low	None	Prior to 20.6
CVE-2020-14617	Primavera Unifier	Platform, Mobile App	HTTPS	No	5.7	Network	Low	Low	Required	Un- changed	High	None	None	16.1, 16.2, 17.7-17.12, 18.8, 19.12; Mobile App: Prior to 20.6
CVE-2020-14653	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.18.2
CVE-2020-14529	Primavera Portfolio Management	Investor Module	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-1934	Instantis EnterpriseTrack	Core (Apache HTTP Server)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	17.1-17.3
CVE-2020-14566	Primavera Portfolio Management	Web Access	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-9488	Instantis EnterpriseTrack	Logging (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	17.1-17.3
CVE-2020-9488	Primavera Gateway	Admin (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4

Additional CVEs addressed are below:

The patch for CVE-2017-5645 also addresses CVE-2020-1945.
The patch for CVE-2018-17196 also addresses CVE-2017-12610 and CVE-2018-1288.
The patch for CVE-2020-10683 also addresses CVE-2018-1000632.
The patch for CVE-2020-11022 also addresses CVE-2020-11023.
The patch for CVE-2020-1934 also addresses CVE-2020-1927.
The patch for CVE-2020-9484 also addresses CVE-2019-17569, CVE-2020-1935 and CVE-2020-1938.
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 30 new security patches for the Oracle E-Business Suite. 24 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2020), My Oracle Support Note 2679563.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14598	Oracle CRM Gateway for Mobile Devices	Setup of Mobile Applications	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1-12.1.3
CVE-2020-14599	Oracle CRM Gateway for Mobile Devices	Setup of Mobile Applications	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1-12.1.3
CVE-2020-14658	Oracle Marketing	Marketing Administration	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14665	Oracle Trade Management	Invoice	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14670	Oracle Advanced Outbound Telephony	Settings	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14671	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-14534	Oracle Applications Framework	Popups	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.2.9
CVE-2020-14688	Oracle Common Applications	CRM User Management Framework	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14660	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14682	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-14668	Oracle E-Business Intelligence	DBI Setups	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-14681	Oracle E-Business Intelligence	DBI Setups	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-14666	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14596	Oracle iStore	Address Book	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-14582	Oracle iStore	User Registration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14686	Oracle iSupport	Others	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14719	Oracle Internet Expenses	Mobile Expenses Admin Utilities	HTTP	No	7.7	Network	Low	Low	None	Changed	None	High	None	12.2.4-12.2.9
CVE-2020-14720	Oracle Internet Expenses	Mobile Expenses Admin Utilities	HTTP	No	7.7	Network	Low	Low	None	Changed	High	None	None	12.2.4-12.2.9
CVE-2020-14610	Oracle Applications Framework	Attachments / File Upload	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	12.2.9
CVE-2020-14657	Oracle CRM Technical Foundation	Preferences	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14667	Oracle CRM Technical Foundation	Preferences	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14679	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.3, 12.2.3-12.2.9
CVE-2020-14635	Oracle Application Object Library	Logging	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.2.5-12.2.9
CVE-2020-14554	Oracle Application Object Library	Diagnostics	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.8
CVE-2020-14716	Oracle Common Applications	CRM User Management Framework	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14717	Oracle Common Applications	CRM User Management Framework	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14659	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14661	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-14555	Oracle Marketing	Marketing Administration	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14590	Oracle Applications Framework	Page Request	HTTP	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	12.1.3, 12.2.3-12.2.9

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 14 new security patches for Oracle Enterprise Manager. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2664876.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-9546	Enterprise Manager Base Platform	Enterprise Manager Install (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.3.0.0, 13.4.0.0
CVE-2017-5645	Oracle Application Testing Suite	Load Testing for Web Apps (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.3.0.1
CVE-2020-1945	Enterprise Manager Ops Center	Networking (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.4.0.0
CVE-2019-0227	Enterprise Manager for Fusion Middleware	Coherence Management (Apache Axis)	HTTP	Yes	8.8	Adjacent Network	Low	None	None	Un- changed	High	High	High	12.1.0.5
CVE-2018-11776	Enterprise Manager Base Platform	Reporting Framework (Apache Struts 2)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	13.3.0.0, 13.4.0.0
CVE-2019-0227	Enterprise Manager Base Platform	Application Service Level Mgmt (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	12.1.0.5, 13.3.0.0
CVE-2020-7595	Oracle Real User Experience Insight	APM Mesh (libxml2)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	13.3.1.0
CVE-2020-2982	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	13.3.0.0, 13.4.0.0
CVE-2020-2984	Oracle Configuration Manager	Discovery and collection script	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	12.1.2.0.6
CVE-2020-2983	Oracle Data Masking and Subsetting	Data Masking	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	13.3.0.0, 13.4.0.0
CVE-2019-17091	Oracle Application Testing Suite	Load Testing for Web Apps (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.2.0.1, 13.3.0.1
CVE-2019-12415	Enterprise Manager Base Platform	Application Service Level Mgmt (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	12.1.0.5, 13.3.0.0, 13.4.0.0
CVE-2020-1934	Enterprise Manager Ops Center	Networking (Apache HTTP Server)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.4.0.0
CVE-2019-1551	Enterprise Manager Ops Center	Networking (OpenSSL)	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.4.0.0

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-12415 also addresses CVE-2017-12626.
The patch for CVE-2019-1551 also addresses CVE-2020-1967.
The patch for CVE-2020-1934 also addresses CVE-2019-0220, CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 and CVE-2020-1927.
The patch for CVE-2020-1945 also addresses CVE-2017-5645.
The patch for CVE-2020-7595 also addresses CVE-2019-19956 and CVE-2019-20388.
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 38 new security patches for Oracle Financial Services Applications. 26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-13990	Oracle Banking Payments	Core (Terracotta Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1.0-14.4.0
CVE-2020-9546	Oracle Banking Platform	Framework (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0-2.9.0
CVE-2019-2904	Oracle Financial Services Lending and Leasing	Core (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.5.0, 14.1.0-14.2.0
CVE-2017-5645	Oracle Financial Services Lending and Leasing	Core (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.5.0, 14.1.0-14.8.0
CVE-2017-15708	Oracle Financial Services Market Risk Measurement and Management	User Interface (Apache Synapse)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.6, 8.0.8
CVE-2019-13990	Oracle FLEXCUBE Investor Servicing	Infrastructure (Terracotta Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2019-13990	Oracle FLEXCUBE Private Banking	Core (Terracotta Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.0, 12.1.0
CVE-2019-11358	Oracle Insurance Accounting Analyzer	User Interface (jQuery)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.6-8.0.8
CVE-2020-1945	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	8.0.6-8.1.0
CVE-2020-1945	Oracle FLEXCUBE Investor Servicing	Infrastructure (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2020-1945	Oracle FLEXCUBE Private Banking	Utilities (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.0.0, 12.1.0
CVE-2020-14569	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2020-1945	Oracle Banking Enterprise Collections	Installer (Apache Ant)	None	No	7.7	Local	Low	None	None	Un- changed	High	High	None	2.7.0-2.9.0
CVE-2020-1945	Oracle Banking Platform	Installer (Apache Ant)	None	No	7.7	Local	Low	None	None	Un- changed	High	High	None	2.4.0-2.9.0
CVE-2019-0227	Oracle Financial Services Compliance Regulatory Reporting	Web Service to Regulatory Report (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.0.6-8.0.8
CVE-2019-12402	Oracle FLEXCUBE Investor Servicing	Infrastructure (Apache Commons Compress)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2019-12423	Oracle FLEXCUBE Private Banking	Core (Apache CXF)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.0.0, 12.1.0
CVE-2019-0188	Oracle FLEXCUBE Private Banking	Core (Apache Camel)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.0.0, 12.1.0
CVE-2019-17359	Oracle FLEXCUBE Private Banking	Core (Bouncy Castle Java Library)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.0.0, 12.1.0
CVE-2020-14602	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6-8.1.0
CVE-2020-14691	Oracle Financial Services Liquidity Risk Management	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6
CVE-2020-14605	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	8.0.6-8.1.0
CVE-2020-14685	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	8.0.6-8.1.0
CVE-2020-14692	Oracle Financial Services Loan Loss Forecasting and Provisioning	User Interface	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	8.0.6-8.0.8
CVE-2020-14693	Oracle Insurance Accounting Analyzer	User Interface	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	8.0.6-8.0.9
CVE-2020-14662	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	8.0.6-8.1.0
CVE-2020-11022	Oracle Banking Enterprise Collections	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.7.0-2.8.0
CVE-2020-11022	Oracle Banking Platform	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.4.0-2.10.0
CVE-2020-14601	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.1.0
CVE-2020-14615	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.1.0
CVE-2020-11022	Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4
CVE-2019-12415	Oracle Banking Payments	Core (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	14.1.0-14.4.0
CVE-2019-12415	Oracle FLEXCUBE Private Banking	Core (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	12.0.0, 12.1.0
CVE-2020-14603	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.0.6-8.1.0
CVE-2020-14604	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.0.6-8.1.0
CVE-2020-14684	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	8.0.6-8.1.0
CVE-2020-9488	Oracle Banking Platform	Collections (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	2.4.0-2.10.0
CVE-2020-9488	Oracle FLEXCUBE Investor Servicing	Infrastructure (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0

Additional CVEs addressed are below:

The patch for CVE-2017-5645 also addresses CVE-2020-9488.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-12423 also addresses CVE-2019-17573.
The patch for CVE-2019-13990 also addresses CVE-2019-12402 and CVE-2019-5427.
The patch for CVE-2020-11022 also addresses CVE-2020-11023.
The patch for CVE-2020-1945 also addresses CVE-2017-5645.
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Food and Beverage Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14543	Oracle Hospitality Reporting and Analytics	Installation	None	No	7.3	Local	Low	Low	Required	Un- changed	High	High	High	9.1.0
CVE-2020-14561	Oracle Hospitality Reporting and Analytics	Installation	None	No	7.3	Local	Low	Low	Required	Un- changed	High	High	High	9.1.0
CVE-2020-14594	Oracle Hospitality Reporting and Analytics	Inventory Integration	None	No	6.5	Local	Low	High	Required	Un- changed	High	High	High	9.1.0
CVE-2020-14616	Oracle Hospitality Reporting and Analytics	Reporting	HTTP	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 52 new security patches for Oracle Fusion Middleware. 48 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update July 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2664876.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Endeca Information Discovery Studio	Studio (Apache Ant)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.2.0
CVE-2019-17531	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-9546	Oracle WebLogic Server	Centralized Thirdparty Jars (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2018-11058	Oracle WebLogic Server	Security Service (RSA BSAFE)	HTTPS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14625	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14644	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14645	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14687	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2017-5645	Oracle WebLogic Server	Centralized Thirdparty Jars (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2017-5645	Oracle WebLogic Server	Console (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-1945	Oracle Endeca Information Discovery Studio	Studio (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	3.2.0
CVE-2020-1945	Oracle Enterprise Repository	Security Subsystem (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	11.1.1.7.0
CVE-2020-8112	Oracle Outside In Technology	Installation (OpenJPEG)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	8.5.5, 8.5.4	See Note 1
CVE-2020-14609	Oracle Business Intelligence Enterprise Edition	Analytics Web Answers	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14611	Oracle WebCenter Portal	Composer	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	Low	High	Low	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14584	Oracle BI Publisher	BI Publisher Security	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14585	Oracle BI Publisher	Mobile Service	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14690	Oracle Business Intelligence Enterprise Edition	Analytics Actions	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14608	Oracle Fusion Middleware MapViewer	Tile Server	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	Low	High	None	12.2.1.3.0
CVE-2020-14723	Oracle Help Technologies	Web UIX	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0
CVE-2020-14588	Oracle WebLogic Server	Web Container	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	Low	High	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14626	Oracle Business Intelligence Enterprise Edition	Analytics Web General	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14565	Oracle Unified Directory	Security	HTTP	No	8.1	Network	Low	High	Required	Changed	None	High	High	11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-17359	Oracle Business Process Management Suite	Runtime Engine (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14642	Oracle Coherence	CacheStore	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2019-0227	Oracle WebCenter Portal	WebCenter Spaces Application (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2020-14639	Oracle WebLogic Server	Sample apps	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-5398	Oracle WebLogic Server	Sample apps (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14589	Oracle WebLogic Server	Web Container	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-2967	Oracle WebLogic Server	Web Services	IIOP, T3	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14696	Oracle BI Publisher	Layout Templates	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14571	Oracle BI Publisher	Mobile Service	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14570	Oracle BI Publisher	Mobile Service	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14552	Oracle WebCenter Portal	Security Framework	HTTP	No	6.8	Network	Low	Low	Required	Changed	High	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14557	Oracle WebLogic Server	Web Container	HTTP	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14655	Oracle Security Service	SSL API	HTTPS	Yes	6.5	Network	High	None	None	Un- changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14652	Oracle WebLogic Server	Core	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2019-14862	Oracle Business Intelligence Enterprise Edition	BI Platform Security (Knockout)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-1941	Oracle Enterprise Repository	Security Subsystem (Apache ActiveMQ)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.7.0
CVE-2020-14607	Oracle Fusion Middleware MapViewer	Tile Server	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14613	Oracle WebCenter Sites	Advanced User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14572	Oracle WebLogic Server	Console	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14636	Oracle WebLogic Server	Sample apps	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14637	Oracle WebLogic Server	Sample apps	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14638	Oracle WebLogic Server	Sample apps	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14640	Oracle WebLogic Server	Sample apps	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14530	Oracle Security Service	None	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	11.1.1.9.0
CVE-2019-12415	Oracle WebCenter Portal	Security Framework (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2966	Oracle WebLogic Server	Console	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14622	Oracle WebLogic Server	Core	HTTP	No	4.9	Network	Low	High	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-9488	Oracle Fusion Middleware MapViewer	Install (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14548	Oracle Business Intelligence Enterprise Edition	Analytics Web General	HTTP	Yes	3.4	Network	High	None	Required	Changed	Low	None	None	12.2.1.3.0, 12.2.1.4.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The patch for CVE-2017-5645 also addresses CVE-2019-17571.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-17531 also addresses CVE-2019-16943, CVE-2019-17267, CVE-2019-20330 and CVE-2020-9546.
The patch for CVE-2020-1945 also addresses CVE-2017-5645.
The patch for CVE-2020-5398 also addresses CVE-2020-5397.
The patch for CVE-2020-8112 also addresses CVE-2018-6616, CVE-2019-12973 and CVE-2020-6851.
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle GraalVM. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-17560	Oracle GraalVM Enterprise Edition	GraalVM Compiler (Apache NetBeans)	HTTPS	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	19.3.2, 20.1.0
CVE-2020-14583	Oracle GraalVM Enterprise Edition	Java	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	19.3.2, 20.1.0
CVE-2020-11080	Oracle GraalVM Enterprise Edition	JavaScript (Node.js)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	19.3.2, 20.1.0
CVE-2020-14718	Oracle GraalVM Enterprise Edition	JVMCI	Multiple	No	7.2	Network	Low	High	None	Un- changed	High	High	High	19.3.2, 20.1.0

Additional CVEs addressed are below:

The patch for CVE-2019-17560 also addresses CVE-2019-17561.
The patch for CVE-2020-11080 also addresses CVE-2020-8172.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Health Sciences Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-1938	Oracle Health Sciences Empirica Inspections	Web server (Apache Tomcat)	Apache JServ Protocol (AJP)	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.0.1.2
CVE-2020-1938	Oracle Health Sciences Empirica Signal	Web server (Apache Tomcat)	Apache JServ Protocol (AJP)	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.3
CVE-2020-5398	Oracle Healthcare Master Person Index	Master Data Management (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	4.0.2
CVE-2020-11022	Oracle Healthcare Translational Research	Cohort Explorer (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.2.1, 3.3.1, 3.3.2, 3.4.0

Additional CVEs addressed are below:

The patch for CVE-2020-11022 also addresses CVE-2020-11023.
The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
The patch for CVE-2020-5398 also addresses CVE-2020-5397.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Hospitality Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-1938	Oracle Hospitality Guest Access	Base (Apache Tomcat)	Apache JServ Protocol (AJP)	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.2.0, 4.2.1

Additional CVEs addressed are below:

The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Hyperion. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14546	Hyperion Financial Close Management	Close Manager	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4
CVE-2020-14560	Oracle Hyperion BI+	UI and Visualization	HTTP	No	4.2	Network	High	High	Required	Un- changed	High	None	None	11.1.2.4
CVE-2020-14541	Hyperion Financial Close Management	Close Manager	HTTP	No	2.0	Network	High	High	Required	Un- changed	None	Low	None	11.1.2.4

Oracle iLearning Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14595	Oracle iLearning	Assessment Manager	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	High	None	Low	6.1, 6.1.1

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Insurance Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-12626	Oracle Insurance Policy Administration J2EE	Architecture (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10.2.0, 10.2.4
CVE-2020-5398	Oracle Insurance Policy Administration J2EE	Architecture (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
CVE-2020-5398	Oracle Insurance Rules Palette	Architecture (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
CVE-2019-12415	Oracle Insurance Policy Administration J2EE	Architecture (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	11.0.2, 11.1.0, 11.2.0
CVE-2019-12415	Oracle Insurance Rules Palette	Architecture (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
CVE-2020-9488	Oracle Insurance Data Gateway	Security (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	1.0

Additional CVEs addressed are below:

The patch for CVE-2019-12415 also addresses CVE-2017-12626.
The patch for CVE-2020-5398 also addresses CVE-2018-15756 and CVE-2020-5397.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14664	Java SE	JavaFX	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 8u251	See Note 1
CVE-2020-14583	Java SE, Java SE Embedded	Libraries	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251	See Note 1
CVE-2020-14593	Java SE, Java SE Embedded	2D	Multiple	Yes	7.4	Network	Low	None	Required	Changed	None	High	None	Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251	See Note 1
CVE-2020-14562	Java SE	ImageIO	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 11.0.7, 14.0.1	See Note 1
CVE-2020-14621	Java SE, Java SE Embedded	JAXP	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251	See Note 2
CVE-2020-14556	Java SE, Java SE Embedded	Libraries	Multiple	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	Java SE: 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251	See Note 3
CVE-2020-14573	Java SE	Hotspot	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	Low	None	Java SE: 11.0.7, 14.0.1	See Note 3
CVE-2020-14581	Java SE, Java SE Embedded	2D	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251	See Note 3
CVE-2020-14578	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u261, 8u251; Java SE Embedded: 8u251	See Note 3
CVE-2020-14579	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u261, 8u251; Java SE Embedded: 8u251	See Note 3
CVE-2020-14577	Java SE, Java SE Embedded	JSSE	TLS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251	See Note 3

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle JD Edwards. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-9546	JD Edwards EnterpriseOne Orchestrator	E1 IOT Orchestrator Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 9.2.4.2
CVE-2020-9546	JD Edwards EnterpriseOne Tools	EnterpriseOne Mobility Sec (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 9.2.4.2
CVE-2020-9546	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 9.2.4.2
CVE-2020-9546	JD Edwards EnterpriseOne Tools	Web Runtime (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 9.2.4.2
CVE-2020-9488	JD Edwards EnterpriseOne Tools	Installation SEC (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Prior to 9.2.3.3
CVE-2020-9488	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Prior to 9.2.3.3

Additional CVEs addressed are below:

The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 41 new security patches for Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-1938	MySQL Enterprise Monitor	Monitoring: General (Apache Tomcat)	Apache JServ Protocol (AJP)	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.0.12 and prior, 8.0.20 and prior
CVE-2020-1967	MySQL Connectors	Connector/C++ (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-1967	MySQL Connectors	Connector/ODBC (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-5398	MySQL Enterprise Monitor	Monitoring: General (Spring Framework)	HTTPS	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	4.0.12 and prior, 8.0.20 and prior
CVE-2020-1967	MySQL Server	Server: Security: Encryption (OpenSSL)	MySQL Protocol	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
CVE-2020-14663	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.0.20 and prior
CVE-2020-14678	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.0.20 and prior
CVE-2020-14697	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.0.20 and prior
CVE-2020-14591	MySQL Server	Server: Audit Plug-in	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14539	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
CVE-2020-14680	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14619	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14576	MySQL Server	Server: UDF	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.30 and prior, 8.0.20 and prior
CVE-2020-14643	MySQL Server	Server: Security: Roles	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	8.0.20 and prior
CVE-2020-14651	MySQL Server	Server: Security: Roles	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	8.0.20 and prior
CVE-2020-14550	MySQL Client	C API	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
CVE-2019-1551	MySQL Enterprise Monitor	Monitoring: General (OpenSSL)	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	4.0.12 and prior, 8.0.20 and prior
CVE-2020-14568	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14623	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14540	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.30 and prior, 8.0.20 and prior
CVE-2020-14575	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14620	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14624	MySQL Server	Server: JSON	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14656	MySQL Server	Server: Locking	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14547	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.30 and prior, 8.0.20 and prior
CVE-2020-14597	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14614	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14654	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14725	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14632	MySQL Server	Server: Options	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14567	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.29 and prior, 8.0.19 and prior
CVE-2020-14631	MySQL Server	Server: Security: Audit	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14586	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14702	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14641	MySQL Server	Server: Security: Roles	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	High	None	None	8.0.20 and prior
CVE-2020-14559	MySQL Server	Server: Information Schema	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
CVE-2020-14553	MySQL Server	Server: Pluggable Auth	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	5.7.30 and prior, 8.0.20 and prior
CVE-2020-14633	MySQL Server	InnoDB	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	None	Low	None	8.0.20 and prior
CVE-2020-14634	MySQL Server	InnoDB	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	8.0.20 and prior
CVE-2020-5258	MySQL Cluster	Cluster: Packaging (dojo)	Multiple	No	0.0	Network	Low	Low	Required	Un- changed	None	None	None	7.3.29 and prior, 7.4.28 and prior, 7.5.18 and prior, 7.6.14 and prior, 8.0.20 and prior	See Note 1
CVE-2020-1967	MySQL Enterprise Monitor	Monitoring: General (OpenSSL)	HTTPS	No	0.0	Network	Low	None	None	Un- changed	None	None	None	4.0.12 and prior, 8.0.20 and prior	See Note 2

Notes:

This CVE is not exploitable in MySQL Cluster. The CVSS v3.1 Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.
This CVE is not exploitable in MySQL Enterprise Monitor. The CVSS v3.1 Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.

Additional CVEs addressed are below:

The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
The patch for CVE-2020-5398 also addresses CVE-2020-5397.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle PeopleSoft. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14564	PeopleSoft Enterprise PeopleTools	Environment Mgmt Console	HTTP	Yes	8.2	Network	Low	None	Required	Changed	None	Low	High	8.56, 8.57, 8.58
CVE-2019-17359	PeopleSoft Enterprise HCM Global Payroll Switzerland	Global Payroll for Switzerland (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.2
CVE-2019-16056	PeopleSoft Enterprise PeopleTools	Porting (Python)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.57, 8.58
CVE-2019-11358	PeopleSoft Enterprise FIN Expenses	Expenses (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2020-14627	PeopleSoft Enterprise PeopleTools	Query	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-14592	PeopleSoft Enterprise PeopleTools	Rich Text Editor	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-14587	PeopleSoft Enterprise FIN Expenses	Expenses	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	9.2
CVE-2020-14612	PeopleSoft Enterprise HRMS	Time and Labor	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	9.2
CVE-2020-14558	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.56, 8.57, 8.58
CVE-2019-1551	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.56, 8.57, 8.58
CVE-2020-14600	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	8.56, 8.57, 8.58

Additional CVEs addressed are below:

The patch for CVE-2019-16056 also addresses CVE-2019-16935.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 47 new security patches for Oracle Retail Applications. 42 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-13990	Customer Management and Segmentation Foundation	Segment (Terracotta Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	18.0
CVE-2019-12086	Customer Management and Segmentation Foundation	Segment (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	18.0
CVE-2020-2555	Oracle Retail Assortment Planning	Application Core (Coherence)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2017-5645	Oracle Retail Extract Transform and Load	Mathematical Operators (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.0
CVE-2020-1945	Oracle Retail Financial Integration	PeopleSoft Integration (Apache Ant)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2020-10683	Oracle Retail Integration Bus	RIB Kernal (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2019-13990	Oracle Retail Integration Bus	RIB Kernal (Terracotta Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2019-16943	Oracle Retail Merchandising System	Inventory Movement (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0.3, 16.0.2, 16.0.3
CVE-2019-16943	Oracle Retail Sales Audit	Transaction Maintenance (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1
CVE-2017-5645	Oracle Retail Service Backbone	Installer (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1, 15.0, 16.0
CVE-2019-13990	Oracle Retail Xstore Point of Service	Xenvironment (Terracotta Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0, 17.0, 18.0, 19.0
CVE-2020-9546	Oracle Retail Xstore Point of Service	Xenvironment (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0, 17.0, 18.0, 19.0
CVE-2020-1945	Category Management Planning & Optimization	ODI Integration (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3
CVE-2020-1945	Oracle Retail Assortment Planning	Application Core (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3, 16.0.3
CVE-2020-1945	Oracle Retail Bulk Data Integration	BDI Job Scheduler (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0, 16.0
CVE-2020-1945	Oracle Retail Data Extractor for Merchandising	ODI Knowledge Module (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	1.9, 1.10
CVE-2020-1945	Oracle Retail Item Planning	Application Core (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3
CVE-2020-1945	Oracle Retail Macro Space Optimization	ODI Integration (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3
CVE-2020-1945	Oracle Retail Merchandise Financial Planning	Application Core (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3
CVE-2020-1945	Oracle Retail Predictive Application Server	RPAS Server (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	14.0.3, 14.1.3, 15.0.3, 16.0.3
CVE-2020-1945	Oracle Retail Regular Price Optimization	Operations & Maintenance (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3, 16.0.3
CVE-2020-1945	Oracle Retail Replenishment Optimization	Application Core (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3
CVE-2020-1945	Oracle Retail Service Backbone	Install (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0, 16.0
CVE-2020-1945	Oracle Retail Size Profile Optimization	Application Core (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	15.0.3
CVE-2020-1945	Oracle Retail Store Inventory Management	SIM Integration (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	14.0.4, 14.1.3, 15.0.3, 16.0.3
CVE-2015-9251	Oracle Retail Customer Management and Segmentation Foundation	Promotions (jQuery)	HTTP	No	8.0	Network	Low	Low	Required	Un- changed	High	High	High	18.0
CVE-2020-5398	Oracle Retail Assortment Planning	Application Core (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	15.0, 16.0
CVE-2020-5398	Oracle Retail Financial Integration	PeopleSoft Integration (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	15.0, 16.0
CVE-2017-12626	Oracle Retail Fusion Platform	Retail Portal Framework (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	5.5
CVE-2020-5398	Oracle Retail Integration Bus	RIB Kernal (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	15.0.3, 16.0.3
CVE-2019-12423	Oracle Retail Order Broker	System Administration (Apache CXF)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	15.0
CVE-2020-5398	Oracle Retail Predictive Application Server	RPAS Server (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	14.0.3, 14.1.3, 15.0.3, 16.0.3
CVE-2020-5398	Oracle Retail Service Backbone	RSB Installation (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	15.0, 16.0
CVE-2019-10086	Customer Management and Segmentation Foundation	Promotions (Apache Commons-Beanutils)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	18.0
CVE-2020-14709	Customer Management and Segmentation Foundation	Card	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	16.0, 17.0, 18.0
CVE-2019-3740	Oracle Retail Store Inventory Management	SIM Integration (BSAFE Crypto-J)	TLS	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	14.0.4, 14.1.3, 15.0.3, 16.0.3
CVE-2019-17091	Oracle Retail Financial Integration	PeopleSoft Integration (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0, 16.0
CVE-2019-17091	Oracle Retail Integration Bus	RIB Kernal (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0, 16.0
CVE-2019-17091	Oracle Retail Invoice Matching	Pricing (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.0
CVE-2019-17091	Oracle Retail Service Backbone	RSB kernel (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0, 16.0
CVE-2018-10237	Oracle Retail Integration Bus	Packaging (Google Guava)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	15.0, 16.0
CVE-2020-14710	Customer Management and Segmentation Foundation	Security	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	16.0, 17.0, 18.0
CVE-2020-14708	Customer Management and Segmentation Foundation	Segment	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	16.0, 17.0, 18.0
CVE-2018-15756	Oracle Retail Xstore Point of Service	Point of Sale (Spring Framework)	HTTP	No	4.3	Network	Low	High	Required	Un- changed	Low	Low	Low	7.1
CVE-2020-9488	Oracle Retail Data Extractor for Merchandising	Knowledge Module (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	18.0
CVE-2020-9488	Oracle Retail Financial Integration	PeopleSoft Integration (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	15.0, 16.0
CVE-2020-9488	Oracle Retail Store Inventory Management	SIM Integration (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	14.0.4, 14.1.3, 15.0.3, 16.0.3

Additional CVEs addressed are below:

The patch for CVE-2015-9251 also addresses CVE-2020-11022.
The patch for CVE-2017-12626 also addresses CVE-2019-12415.
The patch for CVE-2018-15756 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1199, CVE-2018-1257, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.
The patch for CVE-2019-12086 also addresses CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531 and CVE-2019-20330.
The patch for CVE-2019-12423 also addresses CVE-2019-17573.
The patch for CVE-2019-13990 also addresses CVE-2019-5427.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739.
The patch for CVE-2020-1945 also addresses CVE-2017-5645.
The patch for CVE-2020-5398 also addresses CVE-2020-5397.
The patch for CVE-2020-9546 also addresses CVE-2019-16942, CVE-2019-16943, CVE-2019-17531, CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Siebel CRM. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-16943	Siebel Engineering – Installer & Deployment	Siebel Approval Manager (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.20.5 and prior
CVE-2020-1938	Siebel UI Framework	EAI, SWSE (Apache Tomcat)	Apache JServ Protocol (AJP)	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	20.5 and prior
CVE-2019-16943	Siebel UI Framework	EAI (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	20.5 and prior
CVE-2020-14531	Siebel UI Framework	SWSE Server	HTTP	Yes	5.9	Network	High	None	Required	Un- changed	High	Low	None	20.6 and prior
CVE-2020-9488	Siebel Engineering – Installer & Deployment	Siebel Approval Manager (Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	2.20.5 and prior

Additional CVEs addressed are below:

The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 22 new security patches for Oracle Supply Chain. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2729	Oracle Rapid Planning	Middle Tier	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2020-2555	Oracle Rapid Planning	Middle Tier	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2016-1000031	Oracle Rapid Planning	Middle Tier (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2016-5019	Oracle Rapid Planning	Middle Tier (Apache Trinidad)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2020-10683	Oracle Rapid Planning	Middle Tier (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2016-4000	Oracle Rapid Planning	Middle Tier (jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2017-5645	Oracle Rapid Planning	Middle Tier (Apache Ant)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2017-5645	Oracle Rapid Planning	Middle Tier (Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2019-17563	Oracle Transportation Management	Install (Apache Tomcat)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.3.7
CVE-2016-6814	Oracle Agile Engineering Data Management	Install (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	6.2.1.0
CVE-2020-1945	Oracle Rapid Planning	Middle Tier (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1, 12.2
CVE-2015-7501	Oracle Rapid Planning	Middle Tier (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.1, 12.2
CVE-2020-14669	Oracle Configurator	UI Servlet	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1, 12.2
CVE-2019-0227	Oracle Agile Engineering Data Management	Install (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	6.2.1.0
CVE-2019-0227	Oracle Rapid Planning	Installation (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2020-5398	Oracle Rapid Planning	Installation (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.1, 12.2
CVE-2018-15756	Oracle Rapid Planning	Middle Tier (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1, 12.2
CVE-2018-8013	Oracle Rapid Planning	Middle Tier (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	12.1, 12.2
CVE-2019-17091	Oracle Rapid Planning	Installation (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1, 12.2
CVE-2019-1547	Oracle Agile Engineering Data Management	Install (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	6.2.1.0
CVE-2020-14551	Oracle AutoVue	Security	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	21.0
CVE-2020-14544	Oracle Transportation Management	Data, Domain & Function Security	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	6.4.3

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-17563 also addresses CVE-2019-17569, CVE-2020-1935 and CVE-2020-1938.
The patch for CVE-2019-2729 also addresses CVE-2019-2725.
The patch for CVE-2020-5398 also addresses CVE-2020-5397.

Oracle Systems Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Systems. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-11656	Oracle ZFS Storage Appliance Kit	Operating System Image	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.8
CVE-2020-14724	Oracle Solaris	Device Driver Utility	None	No	7.3	Local	Low	Low	Required	Un- changed	High	High	High	11
CVE-2018-12207	Oracle Solaris	Kernel	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	11	See Note 1
CVE-2020-14537	Oracle Solaris	Packaging Scripts	None	No	5.5	Local	Low	High	Required	Changed	None	None	High	11
CVE-2020-14545	Oracle Solaris	Device Driver Utility	None	No	5.0	Local	High	Low	Required	Un- changed	None	High	Low	11
CVE-2019-5489	Oracle Solaris	Kernel	Multiple	No	3.5	Network	High	Low	None	Changed	Low	None	None	11
CVE-2020-14542	Oracle Solaris	libsuri	None	No	3.3	Local	Low	Low	None	Un- changed	Low	None	None	11

Notes:

Please refer to My Oracle Support Note 2609642.1 for further information on how CVE-2018-12207 impacts Oracle Solaris.

Additional CVEs addressed are below:

The patch for CVE-2020-11656 also addresses CVE-2020-1927 and CVE-2020-1934.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Utilities Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-12023	Oracle Utilities Framework	Common (jackson-databind)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 25 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14628	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12	See Note 1
CVE-2020-14646	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14647	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14649	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14713	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14674	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14675	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14676	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14677	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14699	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14711	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	High	Required	Un- changed	High	High	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12	See Note 2
CVE-2020-14629	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14703	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14704	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14648	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14650	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14673	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14694	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14695	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14698	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14700	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14712	Oracle VM VirtualBox	Core	None	No	5.0	Local	Low	Low	Required	Un- changed	None	High	None	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14707	Oracle VM VirtualBox	Core	None	No	5.0	Local	Low	Low	Required	Un- changed	None	None	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14714	Oracle VM VirtualBox	Core	None	No	4.4	Local	Low	High	None	Un- changed	None	None	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14715	Oracle VM VirtualBox	Core	None	No	4.4	Local	Low	High	None	Un- changed	None	None	High	Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12

Notes:

The CVE-2020-14628 is applicable to Windows VM only.
The CVE-2020-14711 is applicable to macOS host only.

No Related Posts

Oracle Critical Patch Update Advisory – April 2020

April 13, 2020September 18, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – April 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

This Critical Patch Update contains 399 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2020 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Application Performance Management, versions 12.1.0.5, 13.2.0.0, 13.3.0.0	Enterprise Manager
Application Service Level Management, versions 13.2.0.0, 13.3.0.0	Enterprise Manager
Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.0.0, 13.3.0.0	Enterprise Manager
Hyperion Financial Management, version 11.1.2.4	Fusion Middleware
Hyperion Financial Reporting, version 11.1.2.4	Fusion Middleware
Identity Manager Connector, version 9.0	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1-17.3	Oracle Construction and Engineering Suite
Java Advanced Management Console, version 2.16	Java SE
JD Edwards EnterpriseOne Tools, version 9.2	JD Edwards
JD Edwards World Security, versions A9.3, A9.3.1, A9.4	JD Edwards
MICROS Relate CRM Software, version 11.4	Retail Applications
MySQL Client, versions 5.6.47 and prior, 5.7.29 and prior, 8.0.18 and prior	MySQL
MySQL Cluster, versions 7.3.28 and prior, 7.4.27 and prior, 7.5.17 and prior, 7.6.13 and prior, 8.0.19 and prior	MySQL
MySQL Connectors, versions 5.1.48 and prior, 8.0.19 and prior	MySQL
MySQL Enterprise Monitor, versions 4.0.11.5331 and prior, 8.0.18.1217 and prior	MySQL
MySQL Server, versions 5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior	MySQL
MySQL Workbench, versions 8.0.19 and prior	MySQL
Oracle Access Manager, versions 11.1.2.3.0, 12.2.1.3.0	Fusion Middleware
Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6	Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0	Fusion Middleware
Oracle Application Express, versions prior to 19.2	Database
Oracle Application Testing Suite, versions 13.2.0.1, 13.3.0.1	Enterprise Manager
Oracle Banking Enterprise Collections, versions 2.7.0, 2.8.0	Oracle Banking Platform
Oracle Banking Enterprise Originations, versions 2.7.0, 2.8.0	Oracle Banking Platform
Oracle Banking Enterprise Product Manufacturing, versions 2.7.0, 2.8.0	Oracle Banking Platform
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.9.0	Oracle Banking Platform
Oracle Big Data Discovery, version 1.6	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Process Management Suite, version 12.2.1.4.0	Fusion Middleware
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Communications ASAP Cartridges, versions 7.2, 7.3	Oracle Communications ASAP Cartridges
Oracle Communications Calendar Server, versions 8.0.0.2.0, 8.0.0.3.0	Oracle Communications Calendar Server
Oracle Communications Converged Application Server – Service Controller, version 6.1	Oracle Communications Converged Application Server – Service Controller
Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0, 8.1.0, 8.2.0, 8.2.1	Oracle Communications Diameter Signaling Router
Oracle Communications Element Manager, versions 8.0.0, 8.1.0, 8.1.1, 8.2.0	Oracle Communications Element Manager
Oracle Communications Evolved Communications Application Server, version 7.1	Oracle Communications Evolved Communications Application Server
Oracle Communications Messaging Server, versions 8.0.2, 8.1.0	Oracle Communications Messaging Server
Oracle Communications Operations Monitor, versions 3.4.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0	Oracle Communications Operations Monitor
Oracle Communications Service Broker, versions 6.0, 6.1	Oracle Communications Service Broker
Oracle Communications Services Gatekeeper, versions 6.0, 6.1	Oracle Communications Services Gatekeeper
Oracle Communications Session Report Manager, versions 8.0.0, 8.1.0, 8.1.1, 8.2.0	Oracle Communications Session Report Manager
Oracle Communications Session Route Manager, versions 8.0.0, 8.1.0, 8.1.1, 8.2.0	Oracle Communications Session Route Manager
Oracle Communications Unified Inventory Management, versions 7.3.0, 7.4.0	Oracle Communications Unified Inventory Management
Oracle Communications WebRTC Session Controller, version 7.2	Oracle Communications WebRTC Session Controller
Oracle Configurator, versions 12.1, 12.2	Oracle Supply Chain Products
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9	E-Business Suite
Oracle Endeca Information Discovery Integrator, version 3.2.0	Fusion Middleware
Oracle Endeca Server, version 7.7.0	Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.0.9	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Asset Liability Management, versions 8.0.6, 8.0.7	Oracle Financial Services Asset Liability Management
Oracle Financial Services Balance Sheet Planning, version 8.0.8	Oracle Financial Services Balance Sheet Planning
Oracle Financial Services Data Foundation, versions 8.0.6-8.0.9	Oracle Financial Services Data Foundation
Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management, versions 8.0.7, 8.0.8	Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management
Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7	Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.6-8.0.8	Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Liquidity Risk Management, version 8.0.6	Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7, 8.0.8	Oracle Financial Services Liquidity Risk Measurement and Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8	Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8	Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Price Creation and Discovery, version 8.0.7	Oracle Financial Services Price Creation And Discovery
Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7	Oracle Financial Services Profitability Management
Oracle Financial Services Revenue Management and Billing Analytics, versions 2.6, 2.7, 2.8	Oracle Financial Services Revenue Management and Billing Analytics
Oracle FLEXCUBE Core Banking, version 4.0	Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, versions 12.0, 12.1	Oracle Financial Services Applications
Oracle Fusion Middleware MapViewer, version 12.2.1.3.0	Fusion Middleware
Oracle Global Lifecycle Management NextGen OUI Framework, versions 12.2.1.3.0, 12.2.1.4.0, 13.9.4.2.2	Fusion Middleware
Oracle Global Lifecycle Management OPatch, versions prior to 11.2.0.3.23, prior to 12.2.0.1.19, prior to 13.9.4.2.1	Global Lifecycle Management
Oracle GraalVM Enterprise Edition, versions 19.3.1, 20.0.0	Oracle GraalVM Enterprise Edition
Oracle Health Sciences Information Manager, version 3.0	Health Sciences
Oracle Healthcare Data Repository, version 7.0	Health Sciences
Oracle Hospitality Reporting and Analytics, version 9.1.0	Oracle Hospitality Reporting and Analytics
Oracle HTTP Server, version 11.1.1.9.0	Fusion Middleware
Oracle In-Memory Performance-Driven Planning, versions 12.1, 12.2	Oracle Supply Chain Products
Oracle Insurance Accounting Analyzer, versions 8.0.6-8.0.9	Oracle Insurance Accounting Analyzer
Oracle Java SE, versions 7u251, 8u241, 11.0.6, 14	Java SE
Oracle Java SE Embedded, version 8u241	Java SE
Oracle Knowledge, versions 8.6.0-8.6.3	Oracle Knowledge
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Outside In Technology, versions 8.5.4	Fusion Middleware
Oracle Real User Experience Insight, versions 13.1.2.1, 13.2.3.1, 13.3.1.0	Enterprise Manager
Oracle Retail Advanced Inventory Planning, versions 14.0, 15.0, 16.0	Retail Applications
Oracle Retail Back Office, version 14.1	Retail Applications
Oracle Retail Central Office, version 14.1	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, version 18.0	Retail Applications
Oracle Retail Merchandising System, version 16.0	Retail Applications
Oracle Retail Order Broker, versions 15.0, 16.0, 18.0, 19.0	Retail Applications
Oracle Retail Point-of-Service, version 14.1	Retail Applications
Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3	Retail Applications
Oracle Retail Returns Management, version 14.1	Retail Applications
Oracle Retail Store Inventory Management, version 16.0	Retail Applications
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 18.0, 18.0.1	Retail Applications
Oracle SD-WAN Edge, versions 7.3, 8.0, 8.1, 8.2	Oracle SD-WAN Edge
Oracle Secure Backup, versions prior to 18.1	Oracle Secure Backup
Oracle SOA Suite, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Solaris, versions 10, 11	Systems
Oracle Transportation Management, versions 6.3.7, 6.4.2, 6.4.3	Oracle Supply Chain Products
Oracle Unified Directory, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Utilities Framework, versions 2.2.0, 4.2.0.2, 4.2.0.3, 4.3.0.2-4.3.0.6, 4.4.0.0, 4.4.0.2	Oracle Utilities Applications
Oracle Utilities Network Management System, versions 1.12.0.3, 2.3.0.1, 2.3.0.2, 2.4.0.0	Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.2.40, prior to 6.0.20, prior to 6.1.6	Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8	Systems
OSS Support Tools, versions 20.0, 20.1	Support Tools
PeopleSoft Enterprise CS Campus Community, version 9.2	PeopleSoft
PeopleSoft Enterprise HCM Absence Management, version 9.2	PeopleSoft
PeopleSoft Enterprise HRMS, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58	PeopleSoft
PeopleSoft Enterprise SCM Purchasing, version 9.2	PeopleSoft
Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.6, 18.8.0-18.8.8, 19.12.0	Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 16.2.0.0-16.2.19.3, 17.12.0.0-17.12.17.0, 18.8.0.0-18.8.18.0, 19.12.1.0-19.12.3.0, 20.1.0.0-20.2.0.0	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12	Oracle Construction and Engineering Suite
Siebel Applications, versions 20.2 and prior	Siebel
StorageTek Tape Analytics SW Tool, version 2.3.0	Systems

Note:

Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

21superman: CVE-2020-2828
Abdullah H. AlJaber: CVE-2020-2753
Abdulrahman Nour of Redforce: CVE-2020-2865
Alexander Kornbrust of Red Database Security: CVE-2020-2737, CVE-2020-2946
Alves Christopher: CVE-2020-2752
Andrej Simko of Accenture: CVE-2020-2794, CVE-2020-2796, CVE-2020-2810
Andrew Hess: CVE-2020-2910
anhdaden of STAR Labs working with Trend Micro’s Zero Day Initiative: CVE-2020-2575, CVE-2020-2748, CVE-2020-2894, CVE-2020-2902, CVE-2020-2911
Anil Aravind: CVE-2020-2864
Bao Zhen: CVE-2020-2926
Barakat Soror: CVE-2020-2913, CVE-2020-2914
Barakat Soror working with Trend Micro Zero Day Initiative: CVE-2020-2907, CVE-2020-2958
Bengt Jonsson of Uppsala University: CVE-2020-2767
Bui Duong from Viettel Cyber Security: CVE-2020-2883, CVE-2020-2884
Bui Quang: CVE-2020-2933
Calvin Fong (Lord_Idiot) of STAR Labs working with Trend Micro Zero Day Initiative: CVE-2020-2748, CVE-2020-2758
Christian Freudigmann of Daimler TSS: CVE-2020-2738
Damian Bury: CVE-2020-2769, CVE-2020-2777
Dan Amodio of Contrast Security: CVE-2020-2800
Daniel Martinez Adan (aDoN90): CVE-2020-2738
elasticheart from ICC working with Trend Micro Zero Day Initiative: CVE-2020-2741
Esteban Montes Morales of Accenture: CVE-2020-2813
Fangrun Li of Cloud Security Team at Qihoo 360: CVE-2020-2798, CVE-2020-2801, CVE-2020-2963
Fatih Çelik: CVE-2020-2909
Florian Ohlms of Daimler TSS: CVE-2020-2738
GreenDog working with Trend Micro Zero Day Initiative: CVE-2020-2950
JanatiIdrissi Zouhair: CVE-2020-2752
Jang of VNPT ISC: CVE-2020-2883, CVE-2020-2884
John Simpson of Trend Micro Security Research working with the Zero Day Initiative: CVE-2020-2882, CVE-2020-2956
Julien Ahrens of RCE Security: CVE-2020-2870, CVE-2020-2871, CVE-2020-2872, CVE-2020-2873, CVE-2020-2874, CVE-2020-2876, CVE-2020-2877, CVE-2020-2878, CVE-2020-2879, CVE-2020-2880, CVE-2020-2881
Juraj Somorovsky of Ruhr-University Bochum: CVE-2020-2767
Kaki King: CVE-2020-2883
Kasper Leigh Haabb, Secunia Research at Flexera: CVE-2020-2783, CVE-2020-2784, CVE-2020-2785, CVE-2020-2786, CVE-2020-2787
Khaled Sakr of Malcrove: CVE-2019-2899
khuyenn of Viettel Cyber Security: CVE-2020-2820, CVE-2020-2823, CVE-2020-2824, CVE-2020-2825, CVE-2020-2826, CVE-2020-2827, CVE-2020-2831, CVE-2020-2832, CVE-2020-2834, CVE-2020-2835, CVE-2020-2836, CVE-2020-2838, CVE-2020-2839, CVE-2020-2840, CVE-2020-2841, CVE-2020-2842, CVE-2020-2844, CVE-2020-2845, CVE-2020-2846, CVE-2020-2847, CVE-2020-2848, CVE-2020-2849, CVE-2020-2850, CVE-2020-2852, CVE-2020-2854, CVE-2020-2855, CVE-2020-2856, CVE-2020-2857, CVE-2020-2871
Kostis Sagonas of Uppsala University: CVE-2020-2767
Lalit Naphade: CVE-2020-2740
Longofo of Knownsec 404 Team: CVE-2020-2798, CVE-2020-2949, CVE-2020-2963
lufei from 0vul Team of Butian at Qi’anxin Group: CVE-2020-2869, CVE-2020-2883
Maoxin Lin of Dbappsecurity Team: CVE-2020-2869, CVE-2020-2934
Marc Durdin: CVE-2020-2930
Marco Ivaldi of Media Service: CVE-2020-2771, CVE-2020-2851, CVE-2020-2944
Marek Cybul: CVE-2020-2766
Martin Doyhenard of Onapsis: CVE-2020-2750
Matei “Mal” Badanoiu: CVE-2020-2869, CVE-2020-2875
Mauro Leggieri of TRAPMINE Inc.: CVE-2020-2895
Michal Bogdanowicz of STM Solutions: CVE-2020-2811
Minle Chen of PingAn Galaxy Lab: CVE-2020-2798
Nils Emmerich of ERNW : CVE-2020-2803, CVE-2020-2805
Owais Zaman of Sabic: CVE-2020-2594, CVE-2020-2706
Paul Fiterau Brostean of Uppsala University: CVE-2020-2767
Pavel Cheremushkin: CVE-2020-2929, CVE-2020-2951
Peter Dettman of cryptoworkshop.com: CVE-2020-2778
Philippe Antoine (Telecom Nancy): CVE-2020-2752
Piotr Domirski: CVE-2020-2745
Quynh Le of VNPT ISC: CVE-2020-2798
Quynh Le of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-2883
r00t4dm from A-TEAM of Legendsec at Qi’anxin Group: CVE-2020-2798, CVE-2020-2829, CVE-2020-2963
Reno Robert working with Trend Micro Zero Day Initiative: CVE-2020-2742, CVE-2020-2743, CVE-2020-2908
Robert Merget of Ruhr-University Bochum: CVE-2020-2767
Roger Meyer: CVE-2020-2514
RunOu of Bangcle Security: CVE-2020-2798
Rémi Badonnel (Telecom Nancy): CVE-2020-2752
Samrat Das of Emirates NBD: CVE-2020-2772
Sebastian Fuchs of NTT Security: CVE-2020-2744
Sebastian Wlodarczyk of Optima Partners: CVE-2020-2747
Simone Bordet of Webtide: CVE-2020-2781
Tarun Sehgal of eSec Forte Technologies: CVE-2020-2782
Tomasz Wisniewski: CVE-2020-2793
Tuan Anh Nguyen of Viettel Cyber Security: CVE-2020-2789, CVE-2020-2807, CVE-2020-2808, CVE-2020-2809, CVE-2020-2815, CVE-2020-2817, CVE-2020-2818, CVE-2020-2819, CVE-2020-2820, CVE-2020-2821, CVE-2020-2822, CVE-2020-2823, CVE-2020-2824, CVE-2020-2825, CVE-2020-2826, CVE-2020-2827, CVE-2020-2831, CVE-2020-2832, CVE-2020-2833, CVE-2020-2834, CVE-2020-2835, CVE-2020-2836, CVE-2020-2837, CVE-2020-2838, CVE-2020-2839, CVE-2020-2840, CVE-2020-2841, CVE-2020-2842, CVE-2020-2843, CVE-2020-2844, CVE-2020-2845, CVE-2020-2846, CVE-2020-2847, CVE-2020-2848, CVE-2020-2849, CVE-2020-2850, CVE-2020-2852, CVE-2020-2854, CVE-2020-2855, CVE-2020-2856, CVE-2020-2857, CVE-2020-2858, CVE-2020-2860, CVE-2020-2861, CVE-2020-2863, CVE-2020-2871
Vahagn Vardanyan: CVE-2020-2733
Vaibhav Shukla: CVE-2020-2955
Venustech ADLab: CVE-2020-2798, CVE-2020-2801
Victor Rodriguez: CVE-2020-2739
Vishnu Dev TJ working with Trend Micro’s Zero Day Initiative: CVE-2020-2929
Xingwei Lin of Ant-financial Light-Year Security Lab: CVE-2020-2905
Xinlei Ying of Ant-financial Light-Year Security Lab: CVE-2020-2905
Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2020-2869, CVE-2020-2934
Yu Wang of BMH Security Team: CVE-2020-2883
ZeddYu Lu: CVE-2020-2867
Zhan Julien: CVE-2020-2752
Ziming Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2020-2959
Zohaib Tasneem of Sabic: CVE-2020-2594, CVE-2020-2706

Security-In-Depth Contributors

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

Abdullah H. AlJaber
Andrej Simko of Accenture working with iDefense Labs
ICHIHARA Ryohei of DMM.com LLC
Jayson Grace of Sandia National Laboratories
KeChen Lin of Ping An Bank Security Team
Markus Loewe
Mathieu Deous of Datadoghq
Mehdi Benkaddour
MengLiang Ji of CICITLab
Michael Miller of Integrigy
Raju Mogulapalli of Rheem Manufacturing
tint0 of Viettel Cyber Security working with iDefense Labs
Tuan Anh Nguyen of Viettel Cyber Security

On-Line Presence Security Contributors

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

Anton Hrytskevich
Chetan Tiwari
Daniel J. Grinkevich
Faizan Ahmed
Hamit Cibo
Heshie Brody
Jimmy Bruneel
Mohamed Yaser
r00t4dm from A-TEAM of Legendsec at Qi’anxin Group
Robert Lee Dick
Shriram
Wai Yan Aung
Yash Ahmed Quashim

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

14 July 2020
20 October 2020
19 January 2021
20 April 2021

References

Modification History

Date	Note
2020-July-20	Rev 11. Credit Statement Update.
2020-June-19	Rev 10. Credit Statement Update.
2020-June-15	Rev 9. Added note concerning the patch for CVE-2020-2801.
2020-May-27	Rev 8. Credit Statement Update.
2020-May-18	Rev 7. Updated protocol information for CVE-2020-2798, CVE-2020-2801, CVE-2020-2828, CVE-2020-2883, CVE-2020-2884 and CVE-2020-2915.
2020-May-06	Rev 6. Credit Statement Update.
2020-April-30	Rev 5. Credit Statement Update.
2020-April-24	Rev 4. Added CVE-2020-2575 for VirtualBox to the Virtualization Risk Matrix. This increases the overall number of security patches to 399. The releases listed in the patch availability document for Virtualization already include the patch for CVE-2020-2575. Updated CVSS score for CVE-2020-2894 in the Oracle Virtualization risk matrix. Modified the additional CVE list for CVE-2018-1165 in Oracle ZFS Storage Appliance Kit.
2020-April-17	Rev 3. Modified the affected versions for Oracle Outside In Technology vulnerabilities and updated the credit statement.
2020-April-16	Rev 2. Added entry in the Oracle Fusion Middleware risk matrix for Oracle WebLogic Server security patch to address CVE-2019-16943. This increases the overall number of security patches to 398. This is simply a documentation change. The patches were already listed in the patch availability document for Fusion Middleware.
2020-April-14	Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 10 new security patches for the Oracle Database Products divided as follows:

8 new security patches for Oracle Database Server.
1 new security patch for Oracle Global Lifecycle Management.
1 new security patch for Oracle Secure Backup.

Oracle Database Server Risk Matrix

This Critical Patch Update contains 8 new security patches for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2735	Java VM	Create Session	Oracle Net	No	8.0	Network	High	Low	Required	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2016-10251	Oracle Multimedia	Create Session	Oracle Net	No	8.0	Network	Low	Low	Required	Un- changed	High	High	High	12.1.0.2
CVE-2019-17563	WLM (Apache Tomcat)	None	HTTPS	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.2.0.1, 18c, 19c
CVE-2020-2737	Core RDBMS	Create Session, Execute Catalog Role	Oracle Net	No	6.4	Network	High	High	Required	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2853	Oracle Text	Create Session	OracleNet	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2016-7103	Oracle Application Express	None	HTTPS	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	Prior to 19.1
CVE-2020-2514	Oracle Application Express	End User Role	HTTPS	No	4.6	Network	Low	Low	Required	Un- changed	None	Low	Low	Prior to 19.2
CVE-2020-2734	RDBMS/Optimizer	Execute on DBMS_SQLTUNE	Oracle Net	No	2.4	Network	Low	High	Required	Un- changed	Low	None	None	12.1.0.2, 12.2.0.1, 18c, 19c

Additional CVEs addressed are below:

The patch for CVE-2016-7103 also addresses CVE-2015-9251 and CVE-2019-11358.
The patch for CVE-2019-17563 also addresses CVE-2019-12418.
The patch for CVE-2019-2853 also addresses CVE-2019-2756, CVE-2019-2759 and CVE-2019-2852.

Oracle Global Lifecycle Management Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-20330	Oracle Global Lifecycle Management OPatch	Patch Installer	HTTP	No	0.0	Network	High	None	None	Un- changed	None	None	None	Prior to 11.2.0.3.23, Prior to 12.2.0.1.19, Prior to 13.9.4.2.1	See Note 1

Notes:

The following CVEs addressed by this patch are not exploitable in the Oracle product, so the CVSS score is 0.0.

Additional CVEs addressed are below:

The patch for CVE-2019-20330 also addresses CVE-2016-4000, CVE-2016-4463, CVE-2018-1000873, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-1320, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-12086, CVE-2019-12384, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335 and CVE-2020-8840.

Oracle Secure Backup Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Secure Backup. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-5712	Oracle Secure Backup	PHP	HTTPS	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	Prior to 18.1

Additional CVEs addressed are below:

The patch for CVE-2018-5712 also addresses CVE-2018-5711.

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 39 new security patches for Oracle Communications Applications. 35 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-16943	Oracle Communications Calendar Server	Administration (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0.2.0, 8.0.0.3.0
CVE-2015-3253	Oracle Communications Converged Application Server – Service Controller	Admin Console (Groovy)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1
CVE-2016-4000	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2019-2729	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (Oracle WebLogic Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2019-14379	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2019-16943	Oracle Communications Evolved Communications Application Server	SDP, SCF and URD (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.1
CVE-2019-5482	Oracle Communications Operations Monitor	REST API (cURL)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0
CVE-2019-2904	Oracle Communications Service Broker	Admin Console (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0, 6.1
CVE-2019-2904	Oracle Communications Services Gatekeeper	API Management Portal (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0, 6.1
CVE-2019-10082	Oracle Communications Element Manager	Core (Apache HTTP Server)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-10088	Oracle Communications Messaging Server	Security (Tika)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	8.0.2, 8.1.0
CVE-2018-8039	Oracle Communications Session Report Manager	Core (Apache CXF)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2018-8039	Oracle Communications Session Route Manager	Core (Apache CXF)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.1.1
CVE-2019-0211	Oracle Communications Session Report Manager	Core (Apache HTTP Server)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-0211	Oracle Communications Session Route Manager	Core (Apache HTTP Server)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-0227	Oracle Communications ASAP Cartridges	Web Service (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	7.2, 7.3
CVE-2019-0222	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (Apache ActiveMQ)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2017-12626	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2018-15756	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2018-1000180	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (Bouncy Castle Java Library)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2019-0227	Oracle Communications Element Manager	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-10072	Oracle Communications Element Manager	Core (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-15163	Oracle Communications Operations Monitor	Packet Inspector, Traces functionality (libpcap)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.4.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0
CVE-2019-0227	Oracle Communications Session Report Manager	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-10072	Oracle Communications Session Report Manager	Core (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2018-15756	Oracle Communications Session Report Manager	Core (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.1.1
CVE-2019-0227	Oracle Communications Session Route Manager	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-10072	Oracle Communications Session Route Manager	Core (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2018-15756	Oracle Communications Session Route Manager	Core (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.0, 8.1.0, 8.1.1
CVE-2017-12626	Oracle Communications Unified Inventory Management	Bulk Import (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.3.0, 7.4.0
CVE-2019-11358	Oracle Communications Diameter Signaling Router (DSR)	IDIH Visualization (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.0, 8.1.0, 8.2.0, 8.2.1
CVE-2019-11358	Oracle Communications Operations Monitor	Mediation Engine, Calls Page (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.4.0, 4.0.0, 4.1.0
CVE-2019-11358	Oracle Communications WebRTC Session Controller	WSC-Console (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.2
CVE-2019-10247	Oracle Communications Element Manager	Core (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2018-20852	Oracle Communications Operations Monitor	VSP Webserver (Python)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	3.4.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0
CVE-2019-10247	Oracle Communications Session Report Manager	Core (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-10247	Oracle Communications Session Route Manager	Core (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.0.0, 8.1.0, 8.1.1, 8.2.0
CVE-2019-14821	Oracle SD-WAN Edge	OS (Kernel)	None	No	3.9	Local	High	High	None	Un- changed	Low	Low	Low	7.3, 8.0, 8.1, 8.2	See Note 1
CVE-2019-1010238	Oracle SD-WAN Edge	OS (Kernel)	SSH	No	2.0	Network	High	High	Required	Un- changed	None	None	Low	7.3, 8.0, 8.1, 8.2	See Note 1

Notes:

Versions 7.3, 8.0 and 8.1 are vulnerable only with Debian 5.1. Version 8.2 is vulnerable only with Oracle Linux 7.0.

Additional CVEs addressed are below:

The patch for CVE-2018-1000180 also addresses CVE-2018-1000613.
The patch for CVE-2019-0211 also addresses CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217 and CVE-2019-0220.
The patch for CVE-2019-0222 also addresses CVE-2018-11775.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10072 also addresses CVE-2018-11784.
The patch for CVE-2019-10082 also addresses CVE-2019-10081, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098 and CVE-2019-9517.
The patch for CVE-2019-10088 also addresses CVE-2019-10093 and CVE-2019-10094.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.
The patch for CVE-2019-14379 also addresses CVE-2019-14439.
The patch for CVE-2019-15163 also addresses CVE-2019-15161, CVE-2019-15162, CVE-2019-15164 and CVE-2019-15165.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
The patch for CVE-2019-2729 also addresses CVE-2019-2725.
The patch for CVE-2019-5482 also addresses CVE-2019-15601 and CVE-2019-5481.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Construction and Engineering. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Instantis EnterpriseTrack	Logging (Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	17.1 – 17.3
CVE-2019-17195	Primavera Gateway	Admin (Connect2id Nimbus JOSE+JWT)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.12.0
CVE-2019-16943	Primavera Gateway	Admin (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	17.12.0 – 17.12.6, 18.8.0 – 18.8.8, 19.12.0
CVE-2019-16943	Primavera Unifier	Infrastructure (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7 – 17.12, 18.8, 19.12
CVE-2019-13990	Primavera Unifier	Infrastructure (Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7 – 17.12, 18.8
CVE-2019-10082	Instantis EnterpriseTrack	Generic (Apache HTTP Server)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	17.1 – 17.3
CVE-2019-17563	Instantis EnterpriseTrack	Generic (Apache Tomcat)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	17.1 – 17.3
CVE-2019-12402	Primavera Gateway	Admin (Apache Commons Compress)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	18.8.0 – 18.8.8, 19.12.0
CVE-2019-10086	Primavera Gateway	Admin (Apache Commons Beanutils)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	16.2.0 – 16.2.11, 17.12.0 – 17.12.6
CVE-2020-2594	Primavera P6 Enterprise Project Portfolio Management	Project Manager	HTTP	No	6.5	Network	Low	Low	Required	Changed	Low	Low	Low	16.2.0.0 – 16.2.19.3, 17.12.0.0 – 17.12.17.0, 18.8.0.0 – 18.8.18.0, 19.12.1.0 – 19.12.3.0, 20.1.0.0 – 20.2.0.0
CVE-2019-12415	Instantis EnterpriseTrack	Office Open document processor (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	17.1 – 17.3
CVE-2020-2706	Primavera P6 Enterprise Project Portfolio Management	Project Manager	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	16.2.0.0 – 16.2.19.3, 17.12.0.0 – 17.12.17.0, 18.8.0.0 – 18.8.18.0, 19.12.1.0 – 19.12.3.0, 20.1.0.0 – 20.2.0.0

Additional CVEs addressed are below:

The patch for CVE-2019-10082 also addresses CVE-2019-10081, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098 and CVE-2019-9517.
The patch for CVE-2019-13990 also addresses CVE-2019-5427.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 74 new security patches for the Oracle E-Business Suite. 70 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2020), My Oracle Support Note 2650675.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2838	Oracle CRM Gateway for Mobile Devices	Setup of Mobile Applications	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	12.1.1-12.1.3
CVE-2020-2863	Oracle Advanced Outbound Telephony	User Interface	HTTP	No	8.5	Network	Low	Low	None	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2852	Oracle Advanced Outbound Telephony	Calendar	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2871	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2854	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2856	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2857	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2890	Oracle Applications Framework	Diagnostics	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2820	Oracle Common Applications Calendar	Notes	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.8
CVE-2020-2823	Oracle Common Applications Calendar	Notes	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2881	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2873	Oracle Customer Interaction History	Outcome-Result	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2842	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2844	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2845	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2846	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2847	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2848	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2849	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2850	Oracle Depot Repair	Estimate and Actual Charges	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2885	Oracle Document Management and Collaboration	Attachments	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3,12.2.3-12.2.9
CVE-2020-2808	Oracle E-Business Intelligence	DBI Setups	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2809	Oracle E-Business Intelligence	DBI Setups	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2840	Oracle E-Business Intelligence	DBI Setups	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2874	Oracle Email Center	Customer Search	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2794	Oracle Email Center	Email Address list and Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2813	Oracle Email Center	KB Search	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2796	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2855	Oracle iSupport	Admin	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2878	Oracle iSupport	Mail	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2843	Oracle iSupport	Profile	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2815	Oracle iSupport	Profile	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2872	Oracle iSupport	Profile	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2841	Oracle Knowledge Management	Setup, Admin	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2880	Oracle Learning Management	OTA Training Activities	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2831	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2834	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2835	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2836	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2837	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2858	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2860	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2861	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2876	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2807	Oracle Marketing Encyclopedia System	Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2824	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2825	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2826	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2827	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2832	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2870	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2877	Oracle Partner Management	Attribute Admin Setup	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2833	Oracle Quoting	Courseware	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2817	Oracle Scripting	Miscellaneous	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2879	Oracle Scripting	Miscellaneous	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2839	Oracle Service Intelligence	Internal Operations- Search	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2821	Oracle Trade Management	Budget	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.8
CVE-2020-2822	Oracle Trade Management	Claims	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2818	Oracle Universal Work Queue	Work Provider Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2819	Oracle Universal Work Queue	Work Provider Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2020-2882	Oracle Human Resources	Hierarchy Diagrammers	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2956	Oracle Human Resources	Hierarchy Diagrammers	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2750	Oracle General Ledger	Account Hierarchy Manager	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2866	Oracle Applications Framework	Attachments / File Upload	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.2.5-12.2.9
CVE-2020-2889	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3,12.2.3-12.2.9
CVE-2020-2887	Oracle Customer Interaction History	Outcome-Result	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.1.1-12.1.3,12.2.3-12.2.9
CVE-2020-2864	Oracle iSupplier Portal	Accounts	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.5-12.2.9
CVE-2020-2888	Oracle Marketing	Partners	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2753	Oracle Workflow	Workflow Notification Mailer	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2886	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2810	Oracle iStore	Shopping Cart	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2789	Oracle iSupport	User Interface	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3,12.2.3-12.2.8
CVE-2020-2862	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	4.7	Network	Low	None	Required	Changed	Low	None	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2772	Oracle Human Resources	Absence Recording, Maintenance	HTTP	No	4.1	Network	Low	Low	Required	Changed	None	Low	None	12.2.6-12.2.9

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Enterprise Manager. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2633852.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2961	Enterprise Manager Base Platform	Discovery Framework (Oracle OHS)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2.0.0, 13.3.0.0
CVE-2018-11058	Oracle Real User Experience Insight	Processing (Oracle Instant Client)	Multiple	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	13.1.2.1, 13.2.3.1, 13.3.1.0
CVE-2018-18311	Enterprise Manager Base Platform	Install (Perl)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	13.2.0.0, 13.3.0.0
CVE-2019-0227	Oracle Application Testing Suite	Oracle Flow Builder (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	13.2.0.1, 13.3.0.1
CVE-2019-1543	Enterprise Manager Base Platform	Discovery Framework (OpenSSL)	HTTPS	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2019-11358	Application Service Level Management	Service Level Agreements (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.2.0.0, 13.3.0.0
CVE-2020-2946	Application Performance Management	EM Request Monitoring	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0

Additional CVEs addressed are below:

The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
The patch for CVE-2018-18311 also addresses CVE-2016-2381.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 35 new security patches for Oracle Financial Services Applications. 16 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2904	Oracle Banking Enterprise Collections	Framework (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.7.0, 2.8.0
CVE-2019-13990	Oracle Banking Enterprise Originations	Core (Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.7.0, 2.8.0
CVE-2019-2904	Oracle Banking Enterprise Originations	Framework (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.7.0, 2.8.0
CVE-2019-13990	Oracle Banking Enterprise Product Manufacturing	Core (Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.7.0, 2.8.0
CVE-2019-2904	Oracle Banking Enterprise Product Manufacturing	Framework (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.7.0, 2.8.0
CVE-2019-2904	Oracle Banking Platform	Framework (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.9.0
CVE-2019-16943	Oracle Banking Platform	Framework (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.9.0
CVE-2019-2904	Oracle Financial Services Revenue Management and Billing Analytics	Dashboards (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.6, 2.7, 2.8
CVE-2019-12419	Oracle FLEXCUBE Private Banking	Core (Apache CXF)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0, 12.1
CVE-2019-2904	Oracle FLEXCUBE Private Banking	Framework (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0, 12.1
CVE-2019-10088	Oracle FLEXCUBE Private Banking	Core (Apache Tika)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	12.0, 12.1
CVE-2019-17359	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.6 – 8.0.9
CVE-2019-0227	Oracle FLEXCUBE Private Banking	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	12.0, 12.1
CVE-2017-12626	Oracle FLEXCUBE Private Banking	Core (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.0, 12.1
CVE-2020-2793	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6 – 8.0.9
CVE-2020-2939	Oracle Financial Services Asset Liability Management	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6, 8.0.7
CVE-2020-2936	Oracle Financial Services Balance Sheet Planning	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.8
CVE-2020-2964	Oracle Financial Services Data Foundation	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6 – 8.0.9
CVE-2020-2945	Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management	User Interfaces	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.7, 8.0.8
CVE-2020-2941	Oracle Financial Services Funds Transfer Pricing	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6, 8.0.7
CVE-2020-2935	Oracle Financial Services Hedge Management and IFRS Valuations	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6 – 8.0.8
CVE-2020-2891	Oracle Financial Services Liquidity Risk Management	User Interfaces	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6
CVE-2020-2943	Oracle Financial Services Liquidity Risk Measurement and Management	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.7, 8.0.8
CVE-2020-2938	Oracle Financial Services Loan Loss Forecasting and Provisioning	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6 – 8.0.8
CVE-2020-2942	Oracle Financial Services Price Creation and Discovery	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.7
CVE-2020-2940	Oracle Financial Services Profitability Management	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6, 8.0.7
CVE-2020-2937	Oracle Insurance Accounting Analyzer	User Interface	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.0.6 – 8.0.9
CVE-2020-2955	Oracle FLEXCUBE Core Banking	Transaction Processing	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	4.0
CVE-2019-17091	Oracle Banking Enterprise Product Manufacturing	Core (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.7.0, 2.8.0
CVE-2019-12415	Oracle Banking Enterprise Originations	Core (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	2.7.0, 2.8.0
CVE-2019-12415	Oracle Banking Enterprise Product Manufacturing	Core (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	2.7.0, 2.8.0
CVE-2019-12415	Oracle Banking Platform	Core (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.9.0
CVE-2019-12415	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	8.0.6 – 8.0.9
CVE-2019-12415	Oracle Financial Services Market Risk Measurement and Management	Infrastructure (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	8.0.6, 8.0.8
CVE-2019-10247	Oracle FLEXCUBE Private Banking	Core (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.0, 12.1

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10088 also addresses CVE-2019-10093 and CVE-2019-10094.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.
The patch for CVE-2019-12415 also addresses CVE-2017-12626.
The patch for CVE-2019-12419 also addresses CVE-2019-12406.
The patch for CVE-2019-13990 also addresses CVE-2019-5427.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Food and Beverage Applications. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2746	Oracle Hospitality Reporting and Analytics	Admin	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 52 new security patches for Oracle Fusion Middleware. 45 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update April 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2633852.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2950	Oracle Business Intelligence Enterprise Edition	Analytics Web General	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2016-1000031	Oracle Business Intelligence Enterprise Edition	BI Platform Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2915	Oracle Coherence	Caching, CacheStore, Invocation	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-13990	Oracle Fusion Middleware MapViewer	Install (Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2019-16943	Oracle Global Lifecycle Management NextGen OUI Framework	Tools (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.9.4.2.2, 12.2.1.3.0, 12.2.1.4.0
CVE-2016-10328	Oracle Outside In Technology	Installation (FreeType)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.4	See Note 1
CVE-2019-16943	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2019-16943	Oracle WebCenter Sites	Sites (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2019-17571	Oracle WebLogic Server	Console (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-16943	Oracle WebLogic Server	Third Party Tools (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2801	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	See Note 2
CVE-2020-2883	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2884	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-10088	Oracle Business Process Management Suite	BPM Composer (Apache Tika)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	12.2.1.4.0
CVE-2017-5130	Oracle HTTP Server	Web Listener (LibXML2)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	11.1.1.9.0
CVE-2020-2867	Oracle WebLogic Server	Web Container	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	Low	High	None	12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-0222	Identity Manager Connector	General (Apache ActiveMQ)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.0
CVE-2018-15756	Identity Manager Connector	LDAP Gateway (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.0
CVE-2015-7940	Oracle Business Intelligence Enterprise Edition	Installation (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2017-12626	Oracle Endeca Information Discovery Integrator	Integrator ETL (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.2.0
CVE-2019-17359	Oracle Managed File Transfer	MFT Runtime Server (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.1.3.0, 12.2.1.4.0
CVE-2019-15903	Oracle Outside In Technology	DC-Specific Component (LibExpat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.4	See Note 1
CVE-2019-16168	Oracle Outside In Technology	DC-Specific Component (SQLite)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.4	See Note 1
CVE-2018-20843	Oracle Outside In Technology	Installation (FreeType)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.4	See Note 1
CVE-2019-17359	Oracle SOA Suite	Installation (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.1.3.0, 12.2.1.4.0
CVE-2019-17359	Oracle WebCenter Portal	Security Framework (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2828	Oracle WebLogic Server	WLS Web Services	IIOP, T3	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0
CVE-2020-2739	Oracle WebCenter Sites	Advanced UI	HTTP	Yes	7.4	Network	Low	None	Required	Changed	High	None	None	12.2.1.3.0
CVE-2020-2784	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2020-2785	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2020-2786	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2020-2787	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2020-2798	Oracle WebLogic Server	WLS Web Services	IIOP, T3	No	7.2	Network	Low	High	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2952	Oracle HTTP Server	Web Listener	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	11.1.1.9.0
CVE-2018-20622	Oracle Outside In Technology	Installation (JasPer)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	8.5.4	See Note 1
CVE-2019-11358	Oracle Big Data Discovery	Studio (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	1.6
CVE-2019-11358	Oracle Fusion Middleware MapViewer	Install (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2019-11358	Oracle WebCenter Sites	Advanced UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2020-2811	Oracle WebLogic Server	Console	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-12415	Oracle Big Data Discovery	Studio (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	1.6
CVE-2020-2747	Oracle Access Manager	SSO Engine	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	11.1.2.3.0, 12.2.1.3.0
CVE-2020-2949	Oracle Coherence	Caching, CacheStore, Invocation	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-10247	Oracle Endeca Information Discovery Integrator	Integrator ETL (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	3.2.0
CVE-2020-2783	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	8.5.4	See Note 1
CVE-2019-10247	Oracle Unified Directory	OpenDS SDK (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2766	Oracle WebLogic Server	Console	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2829	Oracle WebLogic Server	Management Services	HTTP	No	4.9	Network	Low	High	None	Un- changed	High	None	None	10.3.6.0.0
CVE-2019-1547	Oracle API Gateway	Oracle API Gateway (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	11.1.2.4.0
CVE-2019-1547	Oracle Endeca Server	Product Code (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	7.7.0
CVE-2020-2740	Oracle Access Manager	Authentication Engine	HTTP	No	4.6	Network	Low	Low	Required	Un- changed	Low	Low	None	11.1.2.3.0, 12.2.1.3.0
CVE-2020-2745	Oracle Access Manager	Federation	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	11.1.2.3.0, 12.2.1.3.0
CVE-2020-2869	Oracle WebLogic Server	Console	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
The patch for this issue will address the vulnerability only if the WLS instance is using JDK 1.7.0_191 or later, or JDK 1.8.0_181 or later.

Additional CVEs addressed are below:

The patch for CVE-2016-10328 also addresses CVE-2016-10244, CVE-2017-7857, CVE-2017-7858, CVE-2017-7864, CVE-2017-8105, CVE-2017-8287 and CVE-2018-6942.
The patch for CVE-2018-20622 also addresses CVE-2017-13745, CVE-2017-14232, CVE-2018-18873, CVE-2018-19139, CVE-2018-19539, CVE-2018-19540, CVE-2018-19541, CVE-2018-19542, CVE-2018-19543, CVE-2018-20570, CVE-2018-20584, CVE-2018-9055, CVE-2018-9154 and CVE-2018-9252.
The patch for CVE-2019-0222 also addresses CVE-2018-11775.
The patch for CVE-2019-10088 also addresses CVE-2019-10093 and CVE-2019-10094.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.
The patch for CVE-2019-13990 also addresses CVE-2019-5427.
The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-16168 also addresses CVE-2018-20346, CVE-2018-20506 and CVE-2019-8457.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
The patch for CVE-2019-17571 also addresses CVE-2017-5645.
The patch for CVE-2020-2798 also addresses CVE-2020-2963.

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle GraalVM. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-15606	Oracle GraalVM Enterprise Edition	JavaScript (Node.js)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.3.1, 20.0.0
CVE-2020-2803	Oracle GraalVM Enterprise Edition	Java	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	19.3.1, 20.0.0
CVE-2020-2802	Oracle GraalVM Enterprise Edition	GraalVM Compiler	Multiple	No	7.7	Network	Low	Low	None	Changed	None	None	High	19.3.1, 20.0.0
CVE-2020-2799	Oracle GraalVM Enterprise Edition	GraalVM Compiler	Multiple	No	6.3	Network	High	Low	None	Changed	None	High	None	19.3.1, 20.0.0
CVE-2020-2900	Oracle GraalVM Enterprise Edition	Tools	Multiple	No	3.7	Network	High	Low	Required	Un- changed	Low	Low	None	19.3.1, 20.0.0

Additional CVEs addressed are below:

The patch for CVE-2019-15606 also addresses CVE-2019-15604 and CVE-2019-15605.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Health Sciences Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-17091	Oracle Health Sciences Information Manager	Policy Engine (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.0
CVE-2019-17091	Oracle Healthcare Data Repository	Installation (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.0

Oracle Hyperion Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2777	Hyperion Financial Management	Security	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4
CVE-2019-2899	Hyperion Financial Management	Security (Application Development Framework)	HTTP	No	2.4	Network	Low	High	Required	Un- changed	Low	None	None	11.1.2.4
CVE-2020-2769	Hyperion Financial Reporting	Web Based Report Designer	HTTP	No	2.4	Network	Low	High	Required	Un- changed	Low	None	None	11.1.2.4

Oracle Java SE Risk Matrix

This Critical Patch Update contains 15 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2803	Java SE, Java SE Embedded	Libraries	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 1
CVE-2020-2805	Java SE, Java SE Embedded	Libraries	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 1
CVE-2019-18197	Java SE	JavaFX (libxslt)	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Java SE: 8u241	See Note 1
CVE-2020-2816	Java SE	JSSE	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	Java SE: 11.0.6, 14	See Note 2
CVE-2020-2781	Java SE, Java SE Embedded	JSSE	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 3
CVE-2020-2830	Java SE, Java SE Embedded	Concurrency	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 3
CVE-2020-2767	Java SE	JSSE	HTTPS	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	Java SE: 11.0.6, 14	See Note 3
CVE-2020-2800	Java SE, Java SE Embedded	Lightweight HTTP Server	Multiple	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 2
CVE-2020-2778	Java SE	JSSE	HTTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 11.0.6, 14	See Note 3
CVE-2020-2764	Java SE	Advanced Management Console	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java Advanced Management Console: 2.16	See Note 2
CVE-2020-2754	Java SE, Java SE Embedded	Scripting	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 3
CVE-2020-2755	Java SE, Java SE Embedded	Scripting	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 3
CVE-2020-2773	Java SE, Java SE Embedded	Security	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 3
CVE-2020-2756	Java SE, Java SE Embedded	Serialization	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 3
CVE-2020-2757	Java SE, Java SE Embedded	Serialization	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241	See Note 3

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle JD Edwards. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2733	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-11058	JD Edwards EnterpriseOne Tools	Enterprise Infrastructure Security (Oracle Security Service)	JDENET	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2019-1547	JD Edwards EnterpriseOne Tools	Enterprise Infrastructure Security (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	9.2
CVE-2019-1547	JD Edwards World Security	World Software Security (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	A9.3, A9.3.1, A9.4

Additional CVEs addressed are below:

The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.

Oracle Knowledge Risk Matrix

This Critical Patch Update contains 16 new security patches for Oracle Knowledge. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2791	Oracle Knowledge	Information Manager Console	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.6.0-8.6.2
CVE-2016-1000031	Oracle Knowledge	Information Manager Console, Web Applications – InfoCenter (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.6.0-8.6.3
CVE-2020-2931	Oracle Knowledge	Web Applications – InfoCenter	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.6.0-8.6.3
CVE-2015-1832	Oracle Knowledge	Web Applications – InfoCenter (Apache Derby)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	8.6.0-8.6.3
CVE-2019-0227	Oracle Knowledge	Information Manager Console (Apache Axis)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.6.0-8.6.3
CVE-2016-3092	Oracle Knowledge	Web Applications – InfoCenter (Apache Commons Fileupload)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.6.0-8.6.3
CVE-2015-0254	Oracle Knowledge	Information Manager Console (Apache Standard Taglibs)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.6.0-8.6.1
CVE-2018-17197	Oracle Knowledge	Information Manager Console (Apache Tika)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	8.6.0-8.6.3
CVE-2020-2795	Oracle Knowledge	Information Manager Console	None	No	6.3	Local	High	High	Required	Un- changed	High	High	High	8.6.0-8.6.2
CVE-2019-11358	Oracle Knowledge	Answer Flow (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.6.0-8.6.3
CVE-2015-9251	Oracle Knowledge	Information Manager Console, Web Applications – InfoCenter (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.6.0-8.6.3
CVE-2017-14735	Oracle Knowledge	Web Applications – InfoCenter (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.6.0-8.6.3
CVE-2020-2524	Oracle Knowledge	InQuira Search	HTTP	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	8.6.0-8.6.3
CVE-2020-2932	Oracle Knowledge	Information Manager Console	HTTP	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	8.6.0-8.6.3
CVE-2020-2553	Oracle Knowledge	Information Manager Console	HTTP	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	8.6.0-8.6.3
CVE-2020-2522	Oracle Knowledge	Information Manager Console	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	8.6.0-8.6.1

Oracle MySQL Risk Matrix

This Critical Patch Update contains 45 new security patches for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-5482	MySQL Server	Server: Compiling (cURL)	MySQL Protocol	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.7.28 and prior, 8.0.18 and prior
CVE-2019-19646	MySQL Workbench	MySQL Workbench (SQLite)	MySQL Workbench	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.19 and prior
CVE-2019-14889	MySQL Workbench	MySQL Workbench (libssh)	MySQL Workbench	No	8.0	Network	Low	Low	Required	Un- changed	High	High	High	8.0.19 and prior
CVE-2019-17563	MySQL Enterprise Monitor	Service Manager (Apache Tomcat)	HTTPS	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	8.0.18.1217 and prior, 4.0.11.5331 and prior
CVE-2019-15601	MySQL Server	Server: Compiling (cURL)	MySQL Protocol	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.7.29 and prior, 8.0.19 and prior
CVE-2019-15601	MySQL Workbench	MySQL Workbench (cURL)	MySQL Workbench	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.0.19 and prior
CVE-2020-2780	MySQL Server	Server: DML	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior
CVE-2020-2790	MySQL Server	Server: Pluggable Auth	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.28 and prior
CVE-2020-2768	MySQL Cluster	Cluster: General	Multiple	No	6.3	Network	Low	Low	Required	Un- changed	None	Low	High	7.3.28 and prior, 7.4.27 and prior, 7.5.17 and prior, 7.6.13 and prior, 8.0.19 and prior
CVE-2020-2804	MySQL Server	Server: Memcached	Memcached Protocol	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior
CVE-2020-2760	MySQL Server	InnoDB	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.7.29 and prior, 8.0.19 and prior
CVE-2020-2752	MySQL Client	C API	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.6.47 and prior, 5.7.27 and prior, 8.0.17 and prior
CVE-2020-2806	MySQL Server	Server: Compiling	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.7.28 and prior
CVE-2020-2934	MySQL Connectors	Connector/J	MySQL Protocol	Yes	5.0	Network	High	None	Required	Un- changed	Low	Low	Low	8.0.19 and prior, 5.1.48 and prior
CVE-2020-2762	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2814	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.47 and prior, 5.7.28 and prior, 8.0.18 and prior
CVE-2020-2893	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2895	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2898	MySQL Server	Server: Charsets	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19
CVE-2020-2903	MySQL Server	Server: Connection Handling	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2896	MySQL Server	Server: Information Schema	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2770	MySQL Server	Server: Logging	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2765	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.29 and prior, 8.0.19 and prior
CVE-2020-2892	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2897	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2923	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2924	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2901	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2928	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2904	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2925	MySQL Server	Server: PS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2759	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2763	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior
CVE-2020-2761	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2774	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2853	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2779	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2812	MySQL Server	Server: Stored Procedure	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior
CVE-2020-2875	MySQL Connectors	Connector/J	MySQL Protocol	Yes	4.7	Network	High	None	Required	Changed	Low	Low	None	8.0.14 and prior, 5.1.48 and prior
CVE-2019-1547	MySQL Server	Server: Packaging (OpenSSL)	MySQL Protocol	No	4.7	Local	High	Low	None	Un- changed	High	None	None	5.6.46 and prior, 5.7.26 and prior, 8.0.18 and prior
CVE-2020-2926	MySQL Server	Server: Group Replication GCS	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2921	MySQL Server	Server: Group Replication Plugin	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2930	MySQL Server	Server: Parser	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.19 and prior
CVE-2020-2922	MySQL Client	C API	MySQL Protocol	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	5.6.47 and prior, 5.7.29 and prior, 8.0.18 and prior
CVE-2020-2933	MySQL Connectors	Connector/J	MySQL Protocol	No	2.2	Network	High	High	None	Un- changed	None	None	Low	5.1.48 and prior

Additional CVEs addressed are below:

The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-19646 also addresses CVE-2019-19242, CVE-2019-19244, CVE-2019-19317, CVE-2019-19603, CVE-2019-19645, CVE-2019-19880, CVE-2019-19923, CVE-2019-19924, CVE-2019-19925, CVE-2019-19926, CVE-2019-19959 and CVE-2019-20218.
The patch for CVE-2019-5482 also addresses CVE-2019-5481.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 14 new security patches for Oracle PeopleSoft. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2776	PeopleSoft Enterprise PeopleTools	Security	HTTP	Yes	8.6	Network	Low	None	None	Changed	None	None	High	8.56, 8.57
CVE-2019-0227	PeopleSoft Enterprise PeopleTools	Tools Admin API (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.56, 8.57, 8.58
CVE-2020-2859	PeopleSoft Enterprise PeopleTools	nVision	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.56, 8.57, 8.58
CVE-2019-17359	PeopleSoft Enterprise PeopleTools	Security (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.56, 8.57, 8.58
CVE-2020-2782	PeopleSoft Enterprise PeopleTools	Query	HTTP	Yes	7.1	Network	Low	None	Required	Changed	Low	Low	Low	8.56, 8.57, 8.58
CVE-2020-2906	PeopleSoft Enterprise SCM Purchasing	Supplier Change	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	9.2
CVE-2020-2954	PeopleSoft Enterprise HRMS	Candidate Gateway	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2020-2868	PeopleSoft Enterprise PeopleTools	Diagnostic Framework	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-2751	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2797	PeopleSoft Enterprise PeopleTools	Process Scheduler	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-2775	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.56, 8.57, 8.58
CVE-2020-2912	PeopleSoft Enterprise CS Campus Community	Self-Service	HTTP	No	5.0	Network	Low	Low	None	Changed	Low	None	None	9.2
CVE-2020-2899	PeopleSoft Enterprise SCM Purchasing	Purchasing	HTTP	No	4.8	Network	Low	High	Required	Changed	Low	Low	None	9.2
CVE-2020-2947	PeopleSoft Enterprise HCM Absence Management	Absence Management	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	9.2

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 27 new security patches for Oracle Retail Applications. 17 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Retail Advanced Inventory Planning	AIP Dashboard (Apache Ant)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 15.0
CVE-2019-13990	Oracle Retail Back Office	Security (Apache Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1
CVE-2019-13990	Oracle Retail Central Office	Security (Apache Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1
CVE-2020-2953	Oracle Retail Customer Management and Segmentation Foundation	Promotions	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	18.0
CVE-2019-13990	Oracle Retail Order Broker	Order Broker Foundation (Apache Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0, 18.0, 19.0
CVE-2019-13990	Oracle Retail Point-of-Service	Security (Apache Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1
CVE-2018-11058	Oracle Retail Predictive Application Server	RPAS Server (Oracle Security Service)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0.3, 16.0.3
CVE-2019-13990	Oracle Retail Returns Management	Security (Apache Quartz)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1
CVE-2019-2880	Oracle Retail Store Inventory Management	Security	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	16.0
CVE-2019-17563	MICROS Relate CRM Software	Segments (Apache Tomcat)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	11.4
CVE-2019-17563	Oracle Retail Order Broker	System Administration (Apache Tomcat)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	15.0
CVE-2020-5398	Oracle Retail Order Broker	System Administration (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	15.0, 16.0
CVE-2017-5533	Oracle Retail Xstore Point of Service	Point of Sale (JasperReports)	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	15.0
CVE-2019-0227	Oracle Retail Xstore Point of Service	Xenvironment (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	7.1
CVE-2019-17359	Oracle Retail Xstore Point of Service	Xenvironment (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	18.0.1
CVE-2017-12626	Oracle Retail Xstore Point of Service	Xenvironment (Apache POI)	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	7.1
CVE-2019-17091	Oracle Retail Advanced Inventory Planning	AIP Dashboard (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0, 16.0
CVE-2019-17091	Oracle Retail Merchandising System	Inventory Tracking (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.0
CVE-2018-10237	Oracle Retail Xstore Point of Service	Xstore Office (Google Guava)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	7.1, 15.0, 16.0, 17.0
CVE-2017-3160	Oracle Retail Xstore Point of Service	Xstore Services (Apache Cordova)	None	No	4.2	Local	High	Low	Required	Un- changed	Low	Low	Low	15.0
CVE-2019-10173	Oracle Retail Xstore Point of Service	Point of Sale (xstream)	HTTP	No	3.9	Network	High	High	Required	Un- changed	Low	Low	Low	17.0
CVE-2019-10086	Oracle Retail Xstore Point of Service	Xenvironment (Apache Commons)	HTTP	No	3.9	Network	High	High	Required	Un- changed	Low	Low	Low	7.1, 15.0, 16.0, 17.0, 18.0
CVE-2019-10072	Oracle Retail Xstore Point of Service	Xstore Services (Apache Tomcat)	HTTP	No	3.9	Network	High	High	Required	Un- changed	Low	Low	Low	15.0, 16.0, 17.0, 18.0
CVE-2018-1258	Oracle Retail Xstore Point of Service	Xenvironment (jackson-databind)	HTTP	No	3.7	Network	High	Low	Required	Un- changed	Low	None	Low	17.0
CVE-2019-10082	Oracle Retail Xstore Point of Service	Xstore Office (Apache HTTP Server)	HTTP	No	3.3	Network	High	High	None	Un- changed	Low	None	Low	7.1
CVE-2018-11797	Oracle Retail Xstore Point of Service	Dataloader (Apache pdfbox)	HTTP	No	3.1	Network	High	High	Required	Un- changed	Low	None	Low	17.0
CVE-2018-10237	Oracle Retail Xstore Point of Service	Xstore Services (Google Guava)	HTTP	No	3.1	Network	High	High	Required	Un- changed	Low	Low	None	17.0

Additional CVEs addressed are below:

The patch for CVE-2017-5533 also addresses CVE-2017-5529.
The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
The patch for CVE-2018-11797 also addresses CVE-2018-8036 and CVE-2019-0228.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10072 also addresses CVE-2017-15706, CVE-2018-11784, CVE-2018-1304, CVE-2018-1305, CVE-2018-1336, CVE-2018-8014, CVE-2018-8034, CVE-2018-8037, CVE-2019-0199, CVE-2019-0221 and CVE-2019-0232.
The patch for CVE-2019-10082 also addresses CVE-2019-10081, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098 and CVE-2019-9517.
The patch for CVE-2019-13990 also addresses CVE-2019-5427.
The patch for CVE-2020-5398 also addresses CVE-2020-5397.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Siebel CRM. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2738	Siebel UI Framework	EAI, SWSE	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	20.2 and prior

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Supply Chain. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle In-Memory Performance-Driven Planning	User Interface (Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1, 12.2
CVE-2020-2920	Oracle Agile PLM	Security	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.3.3, 9.3.5, 9.3.6
CVE-2020-2744	Oracle Transportation Management	Security	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	6.3.7, 6.4.2, 6.4.3
CVE-2020-2865	Oracle Configurator	Installation	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1, 12.2

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Support Tools. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-5482	OSS Support Tools	Services Tools Bundle (cURL)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	20.0
CVE-2019-15601	OSS Support Tools	Services Tools Bundle (cURL)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	20.1

Additional CVEs addressed are below:

The patch for CVE-2019-5482 also addresses CVE-2019-5435, CVE-2019-5436, CVE-2019-5443 and CVE-2019-5481.

Oracle Systems Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Systems. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2729	StorageTek Tape Analytics SW Tool	Application Server (Oracle WebLogic Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.3.0
CVE-2020-2944	Oracle Solaris	Common Desktop Environment	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	10, 11
CVE-2020-2927	Oracle Solaris	Common Desktop Environment	None	No	7.8	Local	High	Low	None	Changed	High	High	High	10, 11
CVE-2020-2851	Oracle Solaris	Common Desktop Environment	None	No	7.8	Local	High	Low	None	Changed	High	High	High	10, 11
CVE-2018-1165	Oracle Solaris	SMB Server Kernel Module	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	11
CVE-2018-1165	Oracle ZFS Storage Appliance Kit	Operating System Image	Multiple	No	7.0	Local	High	Low	None	Un- changed	High	High	High	8.8
CVE-2019-11358	StorageTek Tape Analytics SW Tool	Software (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.3.0
CVE-2020-2749	Oracle Solaris	SMF command svcbundle	None	No	2.5	Local	High	Low	Required	Changed	None	Low	None	11
CVE-2020-2771	Oracle Solaris	Whodo	None	No	2.5	Local	High	Low	Required	Changed	Low	None	None	10, 11

Additional CVEs addressed are below:

The patch for CVE-2018-1165 also addresses CVE-2016-6489, CVE-2017-5754, CVE-2018-0732, CVE-2018-0734, CVE-2018-0737, CVE-2018-18227, CVE-2018-19622, CVE-2018-19623, CVE-2018-19624, CVE-2018-19625, CVE-2018-19626, CVE-2018-19627, CVE-2018-19628, CVE-2018-5407, CVE-2019-12387, CVE-2019-12855, CVE-2019-13057, CVE-2019-13565, CVE-2019-16056, CVE-2019-16168, CVE-2019-19269, CVE-2019-19553, CVE-2019-2412, CVE-2019-2878, CVE-2019-3008, CVE-2019-9579, CVE-2020-2558, CVE-2020-2578, CVE-2020-2680, CVE-2020-2749 and CVE-2020-7044.
The patch for CVE-2019-2729 also addresses CVE-2019-2725.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Utilities Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-1000632	Oracle Utilities Framework	Common (Dom4J)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	2.2.0, 4.2.0.2, 4.2.0.3, 4.3.0.2 – 4.3.0.6, 4.4.0.0, 4.4.0.2
CVE-2017-12626	Oracle Utilities Network Management System	Upload (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	1.12.0.3, 2.3.0.1, 2.3.0.2, 2.4.0.0

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 20 new security patches for Oracle Virtualization. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2902	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2959	Oracle VM VirtualBox	Core	MLD	Yes	8.6	Network	Low	None	None	Changed	None	None	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2742	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2905	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2908	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2758	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2929	Oracle VM VirtualBox	Core	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2575	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2911	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2907	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2958	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2913	Oracle VM VirtualBox	Core	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	Prior to 6.0.20, prior to 6.1.6
CVE-2020-2914	Oracle VM VirtualBox	Core	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	Prior to 6.0.20, prior to 6.1.6
CVE-2020-2910	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	High	None	Prior to 6.0.20, prior to 6.1.6
CVE-2020-2951	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2741	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2743	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2894	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2748	Oracle VM VirtualBox	Core	None	No	3.2	Local	Low	High	None	Changed	Low	None	None	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6
CVE-2020-2909	Oracle VM VirtualBox	Core	None	No	2.8	Local	Low	Low	Required	Un- changed	None	None	Low	Prior to 5.2.40, prior to 6.0.20, prior to 6.1.6

No Related Posts

Oracle Critical Patch Update Advisory – January 2020

January 13, 2020September 18, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – January 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

This Critical Patch Update contains 334 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at January 2020 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.0.0, 13.3.0.0	Enterprise Manager
Enterprise Manager for Fusion Middleware, versions 13.2.0.0, 13.3.0.0	Enterprise Manager
Enterprise Manager for Oracle Database, versions 12.1.0.5, 13.2.0.0, 13.3.0.0	Enterprise Manager
Enterprise Manager Ops Center, versions 12.3.3, 12.4.0	Enterprise Manager
Hyperion Financial Close Management, version 11.1.2.4	Fusion Middleware
Hyperion Planning, version 11.1.2.4	Fusion Middleware
Identity Manager, versions 11.1.2.3.0, 12.2.1.3.0	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3	Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Orchestrator, version 9.2	JD Edwards
JD Edwards EnterpriseOne Tools, version 9.2	JD Edwards
MySQL Client, versions 5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior	MySQL
MySQL Cluster, versions 7.3.27 and prior, 7.4.25 and prior, 7.5.15 and prior, 7.6.12 and prior	MySQL
MySQL Connectors, versions 5.3.13 and prior, 8.0.18 and prior	MySQL
MySQL Enterprise Backup, versions 3.12.4 and prior, 4.1.3 and prior	MySQL
MySQL Server, versions 5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior	MySQL
MySQL Workbench, versions 8.0.18 and prior	MySQL
Oracle Agile Engineering Data Management, versions 6.2.0, 6.2.1	Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6	Oracle Supply Chain Products
Oracle Agile PLM Framework, version 9.3.3	Oracle Supply Chain Products
Oracle Agile PLM MCAD Connector, versions 3.4, 3.5, 3.6	Oracle Supply Chain Products
Oracle Application Testing Suite, versions 12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1	Enterprise Manager
Oracle AutoVue, version 21.0.2	Oracle Supply Chain Products
Oracle Banking Corporate Lending, versions 12.3.0-12.4.0, 14.0.0-14.3.0	Oracle Financial Services Applications
Oracle Banking Payments, versions 14.1.0-14.3.0	Oracle Financial Services Applications
Oracle Big Data Discovery, version 1.6	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Clinical, version 5.2	Health Sciences
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Communications Design Studio, versions 7.3.4.3.0, 7.3.5.5.0, 7.4.0.4.0, 7.4.1.1.0	Oracle Communications Design Studio
Oracle Communications Diameter Signaling Router (DSR), versions 8.0, 8.1, 8.2, 8.3, 8.4	Oracle Communications Diameter Signaling Router
Oracle Communications Instant Messaging Server, version 10.0.1.3.0	Oracle Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2, 6.3	Oracle Communications Interactive Session Recorder
Oracle Communications IP Service Activator, versions 7.3.4, 7.4.0	Oracle Communications IP Service Activator
Oracle Communications Session Border Controller, versions 7.4, 8.0, 8.1, 8.2, 8.3	Oracle Communications Session Border Controller
Oracle Communications Session Router, versions 7.4, 8.0, 8.1, 8.2, 8.3	Oracle Communications Session Router
Oracle Communications Subscriber-Aware Load Balancer, versions 7.3, 8.1, 8.3	Oracle Communications Subscriber-Aware Load Balancer
Oracle Communications Unified Inventory Management, versions 7.3, 7.4	Oracle Communications Unified Inventory Management
Oracle Communications Unified Session Manager, versions 7.3.5, 8.2.5	Oracle Communications Unified Session Manager
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	Database
Oracle Demantra Demand Management, versions 12.2.4, 12.2.4.1, 12.2.5, 12.2.5.1	Oracle Supply Chain Products
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9	E-Business Suite
Oracle Endeca Information Discovery Integrator, version 3.2.0	Fusion Middleware
Oracle Endeca Information Discovery Studio, version 3.2.0	Fusion Middleware
Oracle Enterprise Communications Broker, versions PCz3.0, PCz3.1, PCz3.2	Oracle Enterprise Communications Broker
Oracle Enterprise Repository, version 12.1.3.0.0	Fusion Middleware
Oracle Enterprise Session Border Controller, versions 7.5, 8.0, 8.1, 8.2, 8.3	Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3-7.3.5, 8.0.0-8.0.8	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Funds Transfer Pricing, versions 8.0.2-8.0.7	Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Revenue Management and Billing, versions 2.7.0.0, 2.7.0.1, 2.8.0.0	Oracle Financial Services Revenue Management and Billing
Oracle FLEXCUBE Investor Servicing, versions 12.1.0-12.4.0, 14.0.0-14.1.0	Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 12.0.1-12.4.0, 14.0.0-14.3.0	Oracle Financial Services Applications
Oracle GraalVM Enterprise Edition, version 19.3.0.2	Oracle GraalVM Enterprise Edition
Oracle Health Sciences Data Management Workbench, versions 2.4, 2.5	Health Sciences
Oracle Healthcare Master Person Index, version 3.0	Health Sciences
Oracle Hospitality Cruise Materials Management, version 7.30.567	Oracle Hospitality Cruise Materials Management
Oracle Hospitality Guest Access, version 4.2	Oracle Hospitality Guest Access
Oracle Hospitality OPERA 5, versions 5.5, 5.6	Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Suites Management, versions 3.7, 3.8	Oracle Hospitality Suites Management
Oracle HTTP Server, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle iLearning, version 6.1	iLearning
Oracle Java SE, versions 7u241, 8u231, 11.0.5, 13.0.1	Java SE
Oracle Java SE Embedded, version 8u231	Java SE
Oracle Outside In Technology, version 8.5.4	Fusion Middleware
Oracle Real-Time Scheduler, versions 2.3.0.1-2.3.0.3	Oracle Utilities Applications
Oracle Reports Developer, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Retail Assortment Planning, versions 15.0.3, 16.0.3	Retail Applications
Oracle Retail Clearance Optimization Engine, versions 13.4, 14.0, 14.0.3, 14.0.5	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0	Retail Applications
Oracle Retail Markdown Optimization, versions 13.4, 13.4.4	Retail Applications
Oracle Retail Order Broker, versions 5.2, 15.0, 16.0, 18.0	Retail Applications
Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3	Retail Applications
Oracle Retail Sales Audit, version 15.0.3.16.0.2	Retail Applications
Oracle Secure Global Desktop, versions 5.4, 5.5	Virtualization
Oracle Security Service, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle Solaris, versions 10, 11	Systems
Oracle Tuxedo, versions 12.1.1.0.0, 12.1.3.0.0	Fusion Middleware
Oracle Utilities Framework, versions 4.2.0.2-4.2.0.3, 4.3.0.1-4.3.0.4	Oracle Utilities Applications
Oracle Utilities Mobile Workforce Management, versions 2.3.0.1-2.3.0.3	Oracle Utilities Applications
Oracle Utilities Work and Asset Management (v1), version 1.9.1.2	Oracle Utilities Applications
Oracle VM Server for SPARC, version 3.6	Systems
Oracle VM VirtualBox, versions prior to 5.2.36, prior to 6.0.16, prior to 6.1.2	Virtualization
Oracle WebCenter Sites, version 12.2.1.3.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
PeopleSoft Enterprise CC Common Application Objects, versions 9.1, 9.2	PeopleSoft
PeopleSoft Enterprise HCM Human Resources, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58	PeopleSoft
PeopleSoft PeopleTools, versions 8.56, 8.57	PeopleSoft
Primavera Gateway, versions 15.2.18, 16.2.11, 17.12.6, 18.8.8.1	Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 15.1.0.0-15.2.18.7, 16.1.0.0-16.2.19.0, 17.1.0.0-17.12.16.0, 18.1.0.0-18.8.16.0, 19.12.0.0, 20.1.0.0	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12	Oracle Construction and Engineering Suite
Siebel Applications, versions 19.10 and prior	Siebel
Sun ZFS Storage Appliance Kit, version 8.8.6	Systems
Tape Library ACSLS, versions 8.5, 8.5.1	Systems

Note:

Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Add of STAR labs: CVE-2020-2674
Afanti of North China Electric Power University: CVE-2020-2550
Alexander Kornbrust of Red Database Security: CVE-2020-2511, CVE-2020-2516, CVE-2020-2527, CVE-2020-2572, CVE-2020-2608, CVE-2020-2609, CVE-2020-2610, CVE-2020-2611, CVE-2020-2612, CVE-2020-2613, CVE-2020-2614, CVE-2020-2615, CVE-2020-2616, CVE-2020-2617, CVE-2020-2618, CVE-2020-2619, CVE-2020-2620, CVE-2020-2621, CVE-2020-2622, CVE-2020-2623, CVE-2020-2624, CVE-2020-2625, CVE-2020-2626, CVE-2020-2628, CVE-2020-2629, CVE-2020-2630, CVE-2020-2631, CVE-2020-2632, CVE-2020-2633, CVE-2020-2634, CVE-2020-2635, CVE-2020-2636, CVE-2020-2637, CVE-2020-2638, CVE-2020-2639, CVE-2020-2640, CVE-2020-2641, CVE-2020-2642, CVE-2020-2643, CVE-2020-2644, CVE-2020-2645
ALVES Christopher: CVE-2020-2570, CVE-2020-2573, CVE-2020-2574
An Trinh: CVE-2020-6950
Andrej Simko of Accenture: CVE-2020-2582, CVE-2020-2596, CVE-2020-2597, CVE-2020-2657, CVE-2020-2658, CVE-2020-2661, CVE-2020-2662, CVE-2020-2665, CVE-2020-2667, CVE-2020-2668, CVE-2020-2669, CVE-2020-2670, CVE-2020-2671, CVE-2020-2672
Andres Georgieff of Sandia National Laboratories: CVE-2020-2561
André Lenoir of Tehtris: CVE-2020-2651, CVE-2020-2652, CVE-2020-2653
anhdaden of StarLabs working with Trend Micro’s Zero Day Initiative: CVE-2020-2682
Anonymous researcher working with Trend Micro’s Zero Day Initiative: CVE-2020-2698, CVE-2020-2701, CVE-2020-2726, CVE-2020-2727
Bengt Jonsson of Uppsala University: CVE-2020-2655
Bo Zhang: CVE-2020-2654
Daniel Le Souef of Trustwave Hivint: CVE-2020-2675, CVE-2020-2676, CVE-2020-2677
Daniel Martinez Adan (aDoN90): CVE-2020-2538, CVE-2020-2539
Davide Berardi: CVE-2020-2703
Devin Rosenbauer of Identity Works LLC: CVE-2020-2729
Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2020-2568, CVE-2020-2569, CVE-2020-2731
Ehsan Nikavar: CVE-2020-2531
elasticheart from ICC working with Trend Micro Zero Day Initiative: CVE-2020-2681, CVE-2020-2689, CVE-2020-2690, CVE-2020-2691, CVE-2020-2692, CVE-2020-2704, CVE-2020-2705
Giuseppino Cadeddu of Quantum Leap: CVE-2020-2599
Harold Zang of Trustwave Hivint: CVE-2020-2675, CVE-2020-2676, CVE-2020-2677
Harrison Neal: CVE-2020-2510, CVE-2020-2512, CVE-2020-2515, CVE-2020-2517
Instructor working with Trend Micro Zero Day Initiative: CVE-2020-2693
JanatiIdrissi Zouhair: CVE-2020-2570, CVE-2020-2573, CVE-2020-2574
Jang from VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-2555
Jonas Mattsson of Outpost24 Ghost Labs: CVE-2020-2533, CVE-2020-2534
Juraj Somorovsky of Ruhr-University Bochum: CVE-2020-2655
Kasper Leigh Haabb, Secunia Research at Flexera: CVE-2020-2540, CVE-2020-2541, CVE-2020-2542, CVE-2020-2543, CVE-2020-2576
Kirtikumar Anandrao Ramchandani: CVE-2020-2545
Kostis Sagonas of Uppsala University: CVE-2020-2655
Kylinking of NSFocus Security Team: CVE-2020-2551
Long Kuan: CVE-2020-2654
Looke of PingAn Galaxy Lab: CVE-2020-2547, CVE-2020-2548, CVE-2020-2549, CVE-2020-2552
Lucas Leong of Trend Micro Zero Day Initiative: CVE-2020-2702
Lukasz Mikula: CVE-2020-2563
Lukasz Plonka of ING Tech Poland: CVE-2020-2663
Lukasz Rupala of ING Tech Poland: CVE-2020-2663
Marco Ivaldi of Media Service: CVE-2020-2656, CVE-2020-2696
Martin Doyhenard of Onapsis: CVE-2020-2586, CVE-2020-2587
Matthias Kaiser of Apple Information Security: CVE-2020-2546
Michal Skowron: CVE-2020-2537
Microsoft Vulnerability Research of Microsoft Corp.: CVE-2020-2536
Mohammad Sedghi: CVE-2020-2535
Nicolas Verdier of Tehtris: CVE-2020-2651, CVE-2020-2652, CVE-2020-2653
Or Hanuka of Motorola Solutions: CVE-2020-2557
Owais Zaman of Sabic: CVE-2020-2592, CVE-2020-2707
Paul Fiterau Brostean of Uppsala University: CVE-2020-2655
Philippe Antoine, Christopher Alves, Zouhair Janatil-Idrissi, Julien Zhan (Telecom Nancy): CVE-2020-2570, CVE-2020-2573, CVE-2020-2574
RACV Information Security Team: CVE-2020-2675, CVE-2020-2676, CVE-2020-2677
Reno Robert: CVE-2020-2698
Robert Merget of Ruhr-University Bochum: CVE-2020-2655
Rémi Badonnel: CVE-2020-2570, CVE-2020-2573, CVE-2020-2574
Sravya Nandimandalam: CVE-2020-2519
Stefano Ciccone of Aon’s Cyber Labs: CVE-2020-2551
Tom Tran: CVE-2020-2559, CVE-2020-2728
Tomasz Wisniewski: CVE-2020-2688
Tzachy Horesh (Motorola Solutions) of Motorola Solutions: CVE-2020-2557
Vivek Parikh: CVE-2020-2678
ZHAN Julien: CVE-2020-2570, CVE-2020-2573, CVE-2020-2574
Zhongcheng Li (CK01) of Topsec Alpha Team: CVE-2020-2725
Zohaib Tasneem of Sabic: CVE-2020-2707

Security-In-Depth Contributors

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

An Trinh
Andres Georgieff of Sandia National Laboratories
Benjamin Horvat of Cologne-Intelligence
Josh Bressers of Elastic
Marek Cybul
Markus Loewe
Martin Doyhenard of Onapsis
Matias Mevied of Onapsis
Quentin Rhoads-Herrera of Critical Start
Tolga Han Jonas Özgan of Cologne-Intelligence
Vahagn Vardanyan
Vladimir Egorov

On-Line Presence Security Contributors

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

Aditya Shende
Ahmet Gürel
Andy Bentley
Apoorv Raj Saxena of FireCompass
Arcot Manju
Hardikkumar Patel
Jimmy Bruneel
Joby Y Daniel
Lutfu Mert Ceylan
Mohamed Yaser
Mohammed Rafi
Pankaj Kumar Thakur (Nepal)
Roger Meyer
Sai Kiran Battaluri
Saiteja Pinoju
Zeel D. Chavda

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

14 April 2020
14 July 2020
20 October 2020
19 January 2021

References

Modification History

Date	Note
2020-April-20	Rev 7. Updated affected versions associated with CVE-2020-2555.
2020-March-11	Rev 6. Updated affected versions of Oracle AutoVue associated with CVE-2019-10247 and CVE-2020-2592. Updated affected versions associated with CVE-2020-2569.
2020-March-5	Rev 5. Updated affected versions associated with CVE-2020-2517.
2020-January-23	Rev 4. Updated affected versions associated with CVE-2020-2555 and modified credit entries for CVE-2020-2551, CVE-2020-2559 and CVE-2020-2663.
2020-January-17	Rev 3. Updated MOS note number for Oracle Communications Session Border Controller.
2020-January-15	Rev 2. JavaSE and Database Versions Updated.
2020-January-14	Rev 1. Initial Release.

Oracle Database Server Risk Matrix

This Critical Patch Update contains 12 new security patches for the Oracle Database Server. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2511	Core RDBMS	Create Session	OracleNet	No	7.7	Network	Low	Low	None	Changed	None	None	High	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2510	Core RDBMS	None	OracleNet	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2518	Java VM	Create Session	Multiple	No	7.5	Network	High	Low	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-10072	Workload Manager (Apache Tomcat)	None	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.0.1, 18c, 19c	See Note 1
CVE-2020-2512	Database Gateway for ODBC	None	OracleNet	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2515	Database Gateway for ODBC	Create Session	OracleNet	No	5.0	Network	High	Low	None	Un- changed	Low	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2527	Core RDBMS	Create Index, Create Table	OracleNet	No	4.1	Network	Low	High	None	Changed	Low	None	None	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2731	Core RDBMS	Local Logon	Local Logon	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2568	Oracle Applications DBA	Local Logon	Local Logon	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2569	Oracle Applications DBA	Local Logon	Local Logon	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2517	Database Gateway for ODBC	Create Procedure, Create Database Link	OracleNet	No	3.3	Network	High	High	None	Un- changed	None	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-2516	Core RDBMS	Create Materialized View, Create Table	OracleNet	No	2.4	Network	Low	High	Required	Un- changed	None	Low	None	12.1.0.2, 12.2.0.1, 18c, 19c

Notes:

This patch also addresses four additional vulnerabilities: CVE-2018-11784, CVE-2019-0199, CVE-2019-0221 and CVE-2019-0232. For Windows platform – due to CVE-2019-0232 – the CVSS 3.0 score is 8.1.

Additional CVEs addressed are below:

The patch for CVE-2019-10072 also addresses CVE-2018-11784, CVE-2019-0199, CVE-2019-0221 and CVE-2019-0232.

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 25 new security patches for Oracle Communications Applications. 23 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14379	Oracle Communications Instant Messaging Server	Presence-api (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0.1.3.0
CVE-2017-5645	Oracle Communications Instant Messaging Server	Core (Log4j)	XMPP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0.1.3.0
CVE-2018-16395	Oracle Communications Interactive Session Recorder	Security (Ruby)	TLS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0, 6.1, 6.2, 6.3
CVE-2018-11058	Oracle Communications IP Service Activator	Database Client (NZ)	TCPS/HTTPS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.4, 7.4.0
CVE-2019-8457	Oracle Communications Unified Inventory Management	Tools (SQLite)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3, 7.4
CVE-2019-3862	Oracle Communications Diameter Signaling Router (DSR)	Platform (libssh2)	SSH	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	8.0, 8.1, 8.2, 8.3, 8.4
CVE-2019-0227	Oracle Communications Design Studio	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	7.4.1.1.0, 7.3.4.3.0, 7.3.5.5.0, 7.4.0.4.0
CVE-2019-16168	Oracle Communications Design Studio	Core (SQLite)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.3.4.3.0, 7.3.5.5.0, 7.4.0.4.0
CVE-2019-10072	Oracle Communications Instant Messaging Server	Core (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10.0.1.3.0
CVE-2018-6829	Oracle Communications Interactive Session Recorder	General (libgcrypt)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	6.0, 6.1, 6.2, 6.3
CVE-2019-11477	Oracle Communications Session Border Controller	Security (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.4, 8.0, 8.1, 8.2, 8.3
CVE-2019-11477	Oracle Communications Session Router	Security (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.4, 8.0, 8.1, 8.2
CVE-2019-11477	Oracle Communications Subscriber-Aware Load Balancer	IP Stack (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.3, 8.1, 8.3
CVE-2018-15756	Oracle Communications Unified Inventory Management	Security (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.3, 7.4
CVE-2019-11477	Oracle Enterprise Communications Broker	IP Stack (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	PCz3.0, PCz3.1, PCz3.2
CVE-2019-11477	Oracle Enterprise Session Border Controller	Security (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.5, 8.0, 8.1, 8.2, 8.3
CVE-2019-11358	Oracle Communications Interactive Session Recorder	General (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.0, 6.1, 6.2, 6.3
CVE-2019-17091	Oracle Communications Unified Inventory Management	Maps (Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.3, 7.4
CVE-2019-11358	Oracle Communications Unified Inventory Management	Maps (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.3, 7.4
CVE-2019-1559	Oracle Communications Diameter Signaling Router (DSR)	Platform (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.0, 8.1, 8.2, 8.3, 8.4
CVE-2019-1559	Oracle Communications Session Border Controller	Security (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.4, 8.0, 8.1, 8.2, 8.3
CVE-2019-1559	Oracle Communications Session Router	Security (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.4, 8.0, 8.1, 8.2, 8.3
CVE-2019-1559	Oracle Communications Unified Session Manager	Routing (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.3.5, 8.2.5
CVE-2018-0734	Oracle Enterprise Communications Broker	Security (OpenSSL)	None	No	5.1	Local	High	None	None	Un- changed	High	None	None	PCz3.0, PCz3.1, PCz3.2
CVE-2018-0734	Oracle Enterprise Session Border Controller	Security (OpenSSL)	None	No	5.1	Local	High	None	None	Un- changed	High	None	None	7.5, 8.0, 8.1, 8.2, 8.3

Additional CVEs addressed are below:

The patch for CVE-2018-0734 also addresses CVE-2018-0735, CVE-2018-5407, CVE-2019-1547 and CVE-2019-1559.
The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10072 also addresses CVE-2018-11784 and CVE-2019-0232.
The patch for CVE-2019-11477 also addresses CVE-2019-11478 and CVE-2019-11479.
The patch for CVE-2019-14379 also addresses CVE-2018-14718, CVE-2018-19362, CVE-2019-12086 and CVE-2019-14439.
The patch for CVE-2019-1559 also addresses CVE-2018-0734.
The patch for CVE-2019-16168 also addresses CVE-2019-8457, CVE-2019-9936 and CVE-2019-9937.
The patch for CVE-2019-8457 also addresses CVE-2019-9936 and CVE-2019-9937.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Construction and Engineering. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14540	Primavera Gateway	Admin (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.2.18, 16.2.11, 17.12.6, 18.8.8.1
CVE-2019-14540	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2019-10088	Primavera Unifier	Core (Apache Tika)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2019-0227	Primavera Gateway	Provider (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	16.2.11, 17.12.6
CVE-2019-0227	Primavera Unifier	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2020-2556	Primavera P6 Enterprise Project Portfolio Management	Core	None	No	7.3	Local	Low	Low	Required	Changed	Low	High	Low	16.2.0.0-16.2.19.0, 17.12.0.0-17.12.16.0, 18.8.0.0-18.8.16.0, 19.12.0.0, 20.1.0.0
CVE-2012-1695	Instantis EnterpriseTrack	Mobile (Mobile Application Framework)	HTTP	Yes	6.8	Network	High	None	None	Changed	None	High	None	17.1, 17.2, 17.3	See Note 1
CVE-2019-11358	Primavera Gateway	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.2.18, 16.2.11, 17.12.6, 18.8.8.1
CVE-2019-17091	Primavera P6 Enterprise Project Portfolio Management	Web Access (Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.1.0.0-15.2.18.7, 16.1.0.0-16.2.19.0, 17.1.0.0-17.12.15.0, 18.1.0.0-18.8.15.0, 19.12.0.0
CVE-2019-12415	Primavera Gateway	Admin (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	17.12.6, 18.8.8.1
CVE-2019-12415	Primavera Unifier	Core (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2020-2707	Primavera P6 Enterprise Project Portfolio Management	WebAccess	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	15.1.0.0-15.2.18.7, 16.1.0.0-16.2.19.0, 17.1.0.0-17.12.16.0, 18.1.0.0-18.8.16.0, 19.12.0.0

Notes:

JRockit is removed.

Additional CVEs addressed are below:

The patch for CVE-2012-1695 also addresses CVE-2012-3135.
The patch for CVE-2019-0227 also addresses CVE-2014-3596 and CVE-2018-8032.
The patch for CVE-2019-10088 also addresses CVE-2019-10093 and CVE-2019-10094.
The patch for CVE-2019-11358 also addresses CVE-2015-9251.
The patch for CVE-2019-14540 also addresses CVE-2019-16335.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 23 new security patches for the Oracle E-Business Suite. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the January 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (January 2020), My Oracle Support Note 2613782.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2586	Oracle Human Resources	Hierarchy Diagrammers	HTTPS	No	9.9	Network	Low	Low	None	Changed	High	High	Low	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2587	Oracle Human Resources	Hierarchy Diagrammers	HTTPS	No	9.9	Network	Low	Low	None	Changed	High	High	Low	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2651	Oracle CRM Technical Foundation	Preferences	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2652	Oracle CRM Technical Foundation	Preferences	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2653	Oracle CRM Technical Foundation	Preferences	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2669	Oracle Email Center	Message Display	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2670	Oracle Email Center	Message Display	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2671	Oracle Email Center	Message Display	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2672	Oracle Email Center	Message Display	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2582	Oracle iStore	Shopping Cart	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2658	Oracle iSupport	Others	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2661	Oracle iSupport	Others	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2662	Oracle iSupport	Others	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2665	Oracle iSupport	Others	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2591	Oracle Web Applications Desktop Integrator	Application Service	HTTPS	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3
CVE-2020-2603	Oracle Field Service	Wireless	HTTPS	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2666	Oracle Applications Framework	Attachments / File Upload	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.2.5-12.2.9
CVE-2020-2566	Oracle Applications Framework	Attachments / File Upload	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2596	Oracle CRM Technical Foundation	Message Hooks	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2657	Oracle CRM Technical Foundation	Preferences	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3-12.2.9
CVE-2020-2667	Oracle iSupport	Others	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2668	Oracle iSupport	Others	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-2597	Oracle One-to-One Fulfillment	Call Phone Number Page	HTTPS	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 50 new security patches for Oracle Enterprise Manager. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the January 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2602410.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-11058	Enterprise Manager Ops Center	Networking (Oracle Security Service)	HTTPS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.3, 12.4.0
CVE-2019-5482	Enterprise Manager Ops Center	Networking (cURL)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.3, 12.4.0
CVE-2019-2904	Oracle Application Testing Suite	Load Testing for Web Apps (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2016-4000	Oracle Application Testing Suite	Oracle Flow Builder (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2017-12626	Oracle Application Testing Suite	Load Testing for Web Apps (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2020-2673	Oracle Application Testing Suite	Oracle Flow Builder	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2017-12626	Oracle Application Testing Suite	Oracle Flow Builder (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2019-11358	Oracle Application Testing Suite	Oracle Flow Builder (jQuery)	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2020-2609	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2017-14735	Oracle Application Testing Suite	Load Testing for Web Apps (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2017-14735	Oracle Application Testing Suite	Oracle Flow Builder (Antisamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2020-2631	Enterprise Manager Base Platform	Application Service Level Mgmt	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2636	Enterprise Manager Base Platform	Application Service Level Mgmt	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2626	Enterprise Manager Base Platform	Cloud Control Manager – OMS	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2634	Enterprise Manager Base Platform	Configuration Standard Framewk	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2624	Enterprise Manager Base Platform	Connector Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2633	Enterprise Manager Base Platform	Connector Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2642	Enterprise Manager Base Platform	Connector Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2645	Enterprise Manager Base Platform	Connector Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2617	Enterprise Manager Base Platform	Discovery Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2610	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2611	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2612	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2618	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2619	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2620	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2621	Enterprise Manager Base Platform	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2616	Enterprise Manager Base Platform	Enterprise Manager Repository	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2622	Enterprise Manager Base Platform	Event Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2629	Enterprise Manager Base Platform	Extensibility Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2630	Enterprise Manager Base Platform	Extensibility Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2613	Enterprise Manager Base Platform	Global EM Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2628	Enterprise Manager Base Platform	Host Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2639	Enterprise Manager Base Platform	Host Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2625	Enterprise Manager Base Platform	Job System	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2643	Enterprise Manager Base Platform	Job System	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2623	Enterprise Manager Base Platform	Metrics Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2615	Enterprise Manager Base Platform	Oracle Management Service	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2644	Enterprise Manager Base Platform	Oracle Management Service	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2608	Enterprise Manager Base Platform	Repository	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	13.2.0.0, 13.3.0.0
CVE-2020-2632	Enterprise Manager Base Platform	System Monitoring	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2635	Enterprise Manager Base Platform	System Monitoring	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2614	Enterprise Manager for Fusion Middleware	APM Mesh	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	13.2.0.0, 13.3.0.0
CVE-2020-2637	Enterprise Manager for Oracle Database	Change Manager – web based	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2641	Enterprise Manager for Oracle Database	Discovery Framework	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2638	Enterprise Manager for Oracle Database	Enterprise Config Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2020-2640	Enterprise Manager for Oracle Database	Target Management	HTTP	No	6.0	Network	Low	High	None	Un- changed	High	Low	Low	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2019-12415	Oracle Application Testing Suite	Load Testing for Web Apps (Apache POI)	none	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2020-2646	Enterprise Manager Base Platform	Command Line Interface	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.1.0.5, 13.2.0.0, 13.3.0.0
CVE-2019-1547	Enterprise Manager Ops Center	Networking (RSA Bsafe)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	12.3.3, 12.4.0

Additional CVEs addressed are below:

The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-5482 also addresses CVE-2019-5481.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 24 new security patches for Oracle Financial Services Applications. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-0227	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	7.3.3-7.3.5, 8.0.0-8.0.8
CVE-2019-0227	Oracle Financial Services Funds Transfer Pricing	Web Service (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.0.2-8.0.7
CVE-2020-2718	Oracle Banking Corporate Lending	Core	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	12.3.0-12.4.0, 14.0.0-14.3.0
CVE-2020-2713	Oracle Banking Payments	Core	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	14.1.0-14.3.0
CVE-2020-2688	Oracle Financial Services Analytical Applications Infrastructure	Object Migration	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	8.0.4-8.0.8
CVE-2020-2723	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	12.1.0-12.4.0, 14.0.0-14.1.0
CVE-2020-2699	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	12.0.1-12.4.0, 14.0.0-14.3.0
CVE-2020-2716	Oracle Banking Corporate Lending	Core	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.3.0-12.4.0, 14.0.0-14.3.0
CVE-2020-2711	Oracle Banking Payments	Core	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	14.1.0-14.3.0
CVE-2020-2721	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.1.0-12.4.0, 14.0.0-14.1.0
CVE-2020-2684	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.0.1-12.4.0, 14.0.0-14.3.0
CVE-2020-2715	Oracle Banking Corporate Lending	Core	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.3.0-12.4.0, 14.0.0-14.3.0
CVE-2020-2717	Oracle Banking Corporate Lending	Core	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	12.3.0-12.4.0, 14.0.0-14.3.0
CVE-2020-2710	Oracle Banking Payments	Core	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	14.1.0-14.3.0
CVE-2020-2712	Oracle Banking Payments	Core	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	14.1.0-14.3.0
CVE-2020-2730	Oracle Financial Services Revenue Management and Billing	File Upload	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	2.7.0.0, 2.7.0.1, 2.8.0.0
CVE-2020-2720	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.1.0-12.4.0, 14.0.0-14.1.0
CVE-2020-2722	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	12.1.0-12.4.0, 14.0.0-14.1.0
CVE-2020-2685	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	12.0.1-12.4.0, 14.0.0-14.3.0
CVE-2020-2683	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTPS	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.0.1-12.4.0, 14.0.0-14.3.0
CVE-2020-2719	Oracle Banking Corporate Lending	Core	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.3.0-12.4.0, 14.0.0-14.3.0
CVE-2020-2714	Oracle Banking Payments	Core	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	14.1.0-14.3.0
CVE-2020-2724	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.1.0-12.4.0, 14.0.0-14.1.0
CVE-2020-2700	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.0.1-12.4.0, 14.0.0-14.3.0

Oracle Food and Beverage Applications Risk Matrix

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2697	Oracle Hospitality Suites Management	Request Tracker	None	No	4.9	Physical	Low	Low	None	Un- changed	High	Low	None	3.7, 3.8

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 38 new security patches for Oracle Fusion Middleware. 30 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update January 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2602410.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2555	Oracle Coherence	Caching,CacheStore,Invocation	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2551	Oracle WebLogic Server	WLS Core Components	IIOP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2546	Oracle WebLogic Server	Application Container – JavaEE	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0
CVE-2020-2728	Identity Manager	OIM – LDAP user and role Synch	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3.0
CVE-2019-0227	Oracle Big Data Discovery	Studio (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	1.6
CVE-2019-0227	Oracle Endeca Information Discovery Studio	Studio (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	3.2.0
CVE-2017-12626	Oracle Endeca Information Discovery Studio	Studio (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.2.0
CVE-2019-0227	Oracle Tuxedo	TX SALT (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	12.1.1.0.0, 12.1.3.0.0
CVE-2020-6950	Oracle WebLogic Server	Web Container (JavaServer Faces)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-17359	Oracle WebLogic Server	Third Party Tools (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2543	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2020-2549	Oracle WebLogic Server	WLS Core Components	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	10.3.6.0.0
CVE-2020-2537	Oracle Business Intelligence Enterprise Edition	Analytics Actions	HTTP	Yes	7.1	Network	Low	None	Required	Changed	Low	Low	Low	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2538	Oracle WebCenter Sites	Advanced UI	HTTP	Yes	7.1	Network	Low	None	Required	Changed	Low	Low	Low	12.2.1.3.0
CVE-2020-2540	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	8.5.4	See Note 1
CVE-2020-2541	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	8.5.4	See Note 1
CVE-2020-2576	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	8.5.4	See Note 1
CVE-2020-2542	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	8.5.4	See Note 1
CVE-2020-2530	Oracle HTTP Server	Web Listener	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2020-2533	Oracle Reports Developer	Security and Authentication	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2534	Oracle Reports Developer	Security and Authentication	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2539	Oracle WebCenter Sites	Advanced UI	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2019-1559	Oracle Business Intelligence Enterprise Edition	Analytics Server and Analytics Web General (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-12415	Oracle Endeca Information Discovery Studio	Studio (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	3.2.0
CVE-2019-12415	Oracle Enterprise Repository	Security Subsystem (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	12.1.3.0.0
CVE-2020-2729	Identity Manager	Advanced Console	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	11.1.2.3.0, 12.2.1.3.0
CVE-2020-2536	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	8.5.4	See Note 1
CVE-2019-10247	Oracle Endeca Information Discovery Integrator	Integrator Acquistion System (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	3.2.0
CVE-2020-2545	Oracle HTTP Server	OSSL Module	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2020-2545	Oracle Security Service	SSL API	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2020-2550	Oracle WebLogic Server	WLS Core Components	None	No	5.1	Local	Low	High	None	Un- changed	High	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2547	Oracle WebLogic Server	Console	HTTP	No	4.8	Network	Low	High	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2548	Oracle WebLogic Server	WLS Core Components	HTTP	No	4.8	Network	Low	High	Required	Changed	Low	Low	None	10.3.6.0.0
CVE-2020-2552	Oracle WebLogic Server	WLS Core Components	HTTP	No	4.8	Network	Low	High	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0
CVE-2020-2535	Oracle Business Intelligence Enterprise Edition	Analytics Server	HTTP	Yes	4.7	Network	Low	None	Required	Changed	Low	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2544	Oracle WebLogic Server	Console	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2519	Oracle WebLogic Server	Console	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2531	Oracle Business Intelligence Enterprise Edition	BI Platform Security	HTTP	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	12.2.1.3.0, 12.2.1.4.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle GraalVM. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-15845	Oracle GraalVM Enterprise Edition	Interpreter and runtime (Ruby)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.3.0.2	See Note 1
CVE-2020-2604	Oracle GraalVM Enterprise Edition	Java	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	19.3.0.2	See Note 2
CVE-2019-16776	Oracle GraalVM Enterprise Edition	JavaScript (Node.js)	Multiple	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	19.3.0.2
CVE-2020-2595	Oracle GraalVM Enterprise Edition	GraalVM Compiler	Multiple	Yes	5.8	Network	Low	None	None	Changed	Low	None	None	19.3.0.2
CVE-2020-2581	Oracle GraalVM Enterprise Edition	LLVM Interpreter	None	No	4.0	Local	Low	None	None	Un- changed	None	None	Low	19.3.0.2

Notes:

This vulnerability is in the standard Ruby libraries, not in the TruffleRuby interpreter.
GraalVM Enterprise 19.3 and above includes both Java SE 8 and Java SE 11.

Additional CVEs addressed are below:

The patch for CVE-2019-15845 also addresses CVE-2019-16201, CVE-2019-16254 and CVE-2019-16255.
The patch for CVE-2019-16776 also addresses CVE-2019-16775 and CVE-2019-16777.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Health Sciences Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2904	Oracle Clinical	User Interface (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.2
CVE-2019-2904	Oracle Health Sciences Data Management Workbench	User Interface (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4, 2.5
CVE-2018-15756	Oracle Healthcare Master Person Index	Core (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.0

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Hospitality Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-17359	Oracle Hospitality Guest Access	Base (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	4.2
CVE-2020-2675	Oracle Hospitality OPERA 5	Login	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	5.5
CVE-2020-2676	Oracle Hospitality OPERA 5	Printing	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.5
CVE-2020-2677	Oracle Hospitality OPERA 5	Login	HTTP	No	5.7	Network	Low	Low	Required	Un- changed	High	None	None	5.5, 5.6
CVE-2020-2599	Oracle Hospitality Cruise Materials Management	MMS All	None	No	4.2	Physical	High	None	None	Un- changed	High	None	None	7.30.567

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Hyperion. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2904	Hyperion Planning	Application Development Framework	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.4
CVE-2020-2563	Hyperion Financial Close Management	Close Manager	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4

Oracle iLearning Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2709	Oracle iLearning	Learner Pages	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	6.1

Oracle Java SE Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2604	Java SE, Java SE Embedded	Serialization	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Java SE: 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded: 8u231	See Note 1
CVE-2019-16168	Java SE	JavaFX (SQLite)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Java SE: 8u231	See Note 2
CVE-2019-13117	Java SE	JavaFX (libxslt)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	Java SE: 8u231	See Note 2
CVE-2019-13118	Java SE	JavaFX (libxslt)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	Java SE: 8u231	See Note 2
CVE-2020-2601	Java SE, Java SE Embedded	Security	Kerberos	Yes	6.8	Network	High	None	None	Changed	High	None	None	Java SE: 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded: 8u231	See Note 1
CVE-2020-2585	Java SE	JavaFX	Multiple	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	Java SE: 8u231	See Note 1
CVE-2020-2655	Java SE	JSSE	HTTPS	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	Java SE: 11.0.5, 13.0.1	See Note 1
CVE-2020-2593	Java SE, Java SE Embedded	Networking	Multiple	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	Java SE: 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded: 8u231	See Note 1
CVE-2020-2654	Java SE	Libraries	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u241, 8u231, 11.0.5, 13.0.1	See Note 3
CVE-2020-2590	Java SE, Java SE Embedded	Security	Kerberos	Yes	3.7	Network	High	None	None	Un- changed	None	Low	None	Java SE: 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded: 8u231	See Note 1
CVE-2020-2659	Java SE, Java SE Embedded	Networking	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u241, 8u231; Java SE Embedded: 8u231	See Note 1
CVE-2020-2583	Java SE, Java SE Embedded	Serialization	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u241, 8u231, 11.0.5, 13.0.1; Java SE Embedded: 8u231	See Note 1

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle JD Edwards. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14379	JD Edwards EnterpriseOne Orchestrator	E1 IOT Orchestrator Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2019-16943	JD Edwards EnterpriseOne Orchestrator	E1 IOT Orchestrator Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2019-14379	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics SEC (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2019-16943	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics SEC (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2019-12086	JD Edwards EnterpriseOne Orchestrator	E1 IOT Orchestrator Security (jackson-databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	9.2
CVE-2019-12086	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics SEC (jackson-databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	9.2
CVE-2019-12086	JD Edwards EnterpriseOne Tools	Web Runtime SEC (jackson databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	9.2
CVE-2019-11358	JD Edwards EnterpriseOne Tools	Web Runtime SEC (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-11358	JD Edwards EnterpriseOne Tools	Web Runtime SEC (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2

Additional CVEs addressed are below:

The patch for CVE-2019-14379 also addresses CVE-2019-14439.
The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 19 new security patches for Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-16168	MySQL Workbench	MySQL Workbench (SQLite)	MySQL Workbench	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2019-1547	MySQL Connectors	Connector/ODBC (OpenSSL)	TLS	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	5.3.13 and prior, 8.0.18 and prior
CVE-2020-2579	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior
CVE-2020-2686	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2627	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2570	MySQL Client	C API	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	5.7.28 and prior, 8.0.18 and prior
CVE-2020-2573	MySQL Client	C API	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	5.7.28 and prior, 8.0.18 and prior
CVE-2020-2574	MySQL Client	C API	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior
CVE-2020-2577	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.28 and prior, 8.0.18 and prior
CVE-2020-2589	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.28 and prior, 8.0.17 and prior
CVE-2020-2580	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2020-2588	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2020-2660	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.28 and prior, 8.0.18 and prior
CVE-2020-2679	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.18 and prior
CVE-2019-1547	MySQL Enterprise Backup	Security (OpenSSL)	TLS	No	4.7	Local	High	Low	None	Un- changed	High	None	None	3.12.4 and prior, 4.1.3 and prior
CVE-2020-2584	MySQL Server	Server: Options	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	High	None	None	5.7.28 and prior, 8.0.18 and prior
CVE-2020-2694	MySQL Server	Server: Information Schema	MySQL Protocol	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	8.0.18 and prior
CVE-2020-2572	MySQL Server	Server: Audit Plugin	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	None	Low	None	5.7.28 and prior, 8.0.18 and prior
CVE-2019-8457	MySQL Cluster	Cluster: General (SQLite)	Multiple	Yes	0.0	Network	Low	None	Required	Un- changed	None	None	None	7.3.27 and prior, 7.4.25 and prior, 7.5.15 and prior, 7.6.12 and prior	See Note 1

Notes:

This CVE is not exploitable in MySQL Cluster. The CVSS v3.0 Base Score for this CVE in the National Vulnerability Database (NVD) is 9.8. SQLite is removed from MySQL Cluster releases with the January 2020 Critical Patch Update.

Additional CVEs addressed are below:

The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-8457 also addresses CVE-2019-9936 and CVE-2019-9937.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 15 new security patches for Oracle PeopleSoft. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-15708	PeopleSoft Enterprise PeopleTools	Portal (Apache Commons)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.56, 8.57
CVE-2019-2729	PeopleSoft Enterprise PeopleTools	Security (Oracle WebLogic Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.56, 8.57, 8.58
CVE-2017-12626	PeopleSoft Enterprise PeopleTools	Change Impact Analyzer (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.56, 8.57
CVE-2019-0227	PeopleSoft Enterprise PeopleTools	Portal (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	8.56, 8.57
CVE-2017-1000376	PeopleSoft PeopleTools	PeopleCode (libffi)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	8.56, 8.57
CVE-2020-2598	PeopleSoft Enterprise PeopleTools	Activity Guide	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2600	PeopleSoft Enterprise PeopleTools	Elastic Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2606	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2607	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2663	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2602	PeopleSoft Enterprise PeopleTools	Tree Manager	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2020-2695	PeopleSoft Enterprise CC Common Application Objects	Approval Framework	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	9.1, 9.2
CVE-2019-1547	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	8.56, 8.57
CVE-2020-2561	PeopleSoft Enterprise HCM Human Resources	Company Dir / Org Chart Viewer	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	9.2
CVE-2020-2687	PeopleSoft Enterprise PeopleTools	Elastic Search	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	8.56, 8.57

Additional CVEs addressed are below:

The patch for CVE-2017-15708 also addresses CVE-2019-10086.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-2729 also addresses CVE-2019-2725.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 22 new security patches for Oracle Retail Applications. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2904	Oracle Retail Assortment Planning	Application Core (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0.3, 16.0.3
CVE-2019-2904	Oracle Retail Clearance Optimization Engine	Dataset Componen (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.5
CVE-2016-5019	Oracle Retail Clearance Optimization Engine	Dataset Component (Apache Trinidad)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.4
CVE-2016-5019	Oracle Retail Clearance Optimization Engine	General Application (Apache Trinidad)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.3
CVE-2019-12814	Oracle Retail Customer Management and Segmentation Foundation	Segment (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	17.0
CVE-2019-2904	Oracle Retail Markdown Optimization	Common Component Integration (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.4
CVE-2019-12419	Oracle Retail Order Broker	Order Broker Foundation (CXF)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0
CVE-2019-2904	Oracle Retail Sales Audit	Operational Insights (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0.3. 16.0.2
CVE-2018-1258	Oracle Retail Clearance Optimization Engine	Dataset Component (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	14.0.5
CVE-2018-1258	Oracle Retail Markdown Optimization	Common Component Integration (Spring Framework)	HTTPS	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	13.4.4
CVE-2016-1181	Oracle Retail Clearance Optimization Engine	Dataset Component (Struts1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	14.0.5
CVE-2016-1181	Oracle Retail Markdown Optimization	Common Component Integration (Struts1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	13.4.4
CVE-2018-8039	Oracle Retail Order Broker	System Administration (Apache CXF)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	5.2, 15.0
CVE-2019-0227	Oracle Retail Order Broker	System Administration (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	15.0, 16.0, 18.0
CVE-2020-2650	Oracle Retail Customer Management and Segmentation Foundation	Promotions	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	16.0
CVE-2020-2648	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations	None	No	6.2	Physical	Low	High	None	Un- changed	High	High	High	16.0
CVE-2019-17091	Oracle Retail Assortment Planning	Application Core (Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.0.3
CVE-2019-12415	Oracle Retail Clearance Optimization Engine	General Application (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	14.0
CVE-2019-12415	Oracle Retail Predictive Application Server	RPAS Fusion Client (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	15.0.3
CVE-2019-12415	Oracle Retail Predictive Application Server	RPAS Fusion Client (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	15.0.3, 16.0.3
CVE-2020-2567	Oracle Retail Customer Management and Segmentation Foundation	Security	HTTP	No	4.8	Network	Low	High	Required	Changed	Low	Low	None	18.0
CVE-2020-2649	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations	None	No	3.3	Local	Low	Low	None	Un- changed	Low	None	None	16.0

Additional CVEs addressed are below:

The patch for CVE-2016-1181 also addresses CVE-2016-1182.
The patch for CVE-2016-5019 also addresses CVE-2019-2904.
The patch for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257 and CVE-2018-15756.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-12419 also addresses CVE-2019-12406.
The patch for CVE-2019-12814 also addresses CVE-2018-11307, CVE-2019-12384, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267 and CVE-2019-17531.
The patch for CVE-2019-2904 also addresses CVE-2019-2094.

Oracle Siebel CRM Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14379	Siebel Engineering – Installer & Deployment	Siebel Approval Manager (jackson databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.8 and prior
CVE-2019-14379	Siebel UI Framework	EAI (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.10 and prior
CVE-2020-2564	Siebel UI Framework	EAI	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	19.10 and prior
CVE-2020-2559	Siebel UI Framework	UIF Open UI	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	19.7 and prior
CVE-2020-2560	Siebel UI Framework	SWSE Server	HTTP	Yes	4.7	Network	Low	None	Required	Changed	Low	None	None	19.10 and prior

Additional CVEs addressed are below:

The patch for CVE-2019-14379 also addresses CVE-2019-14439.

Oracle Systems Risk Matrix

This Critical Patch Update contains 17 new security patches for Oracle Systems. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-9636	Sun ZFS Storage Appliance Kit	Operating System Image	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.8.6
CVE-2019-2729	Tape Library ACSLS	Application Server (Oracle WebLogic Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5
CVE-2016-1000031	Tape Library ACSLS	Software (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5
CVE-2020-2696	Oracle Solaris	Common Desktop Environment	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	10
CVE-2020-2565	Oracle Solaris	Consolidation Infrastructure	None	No	7.5	Local	High	Low	Required	Changed	High	High	High	11
CVE-2019-2725	Tape Library ACSLS	Application Server (Oracle WebLogic Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5
CVE-2018-15756	Tape Library ACSLS	Software (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5
CVE-2020-2605	Oracle Solaris	Filesystem	None	No	7.1	Local	Low	Low	None	Un- changed	None	High	High	11
CVE-2019-11358	Tape Library ACSLS	Software (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.5, 8.5.1
CVE-2020-2680	Oracle Solaris	Filesystem	None	No	6.0	Local	Low	High	None	Changed	None	None	High	11
CVE-2020-2558	Oracle Solaris	Kernel	SMB	Yes	5.8	Network	Low	None	None	Changed	None	None	Low	11
CVE-2020-2578	Oracle Solaris	Kernel	SMB	Yes	5.8	Network	Low	None	None	Changed	None	None	Low	11
CVE-2020-2647	Oracle Solaris	Kernel	None	No	5.0	Local	Low	Low	Required	Un- changed	None	None	High	10, 11
CVE-2020-2664	Oracle Solaris	Filesystem	None	No	4.6	Local	Low	Low	Required	Changed	Low	Low	None	11
CVE-2020-2656	Oracle Solaris	X Window System	None	No	4.4	Local	Low	Low	None	Un- changed	Low	Low	None	10, 11
CVE-2019-9579	Oracle Solaris	SMB Server	None	No	3.3	Local	Low	Low	None	Un- changed	None	Low	None	11
CVE-2020-2571	Oracle VM Server for SPARC	Templates	None	No	3.3	Local	Low	None	Required	Un- changed	None	Low	None	3.6

Additional CVEs addressed are below:

The patch for CVE-2019-11358 also addresses CVE-2015-9251.
The patch for CVE-2019-9636 also addresses CVE-2017-15906, CVE-2018-1000030, CVE-2018-1060, CVE-2018-11759, CVE-2018-15473, CVE-2018-17189, CVE-2018-20684, CVE-2019-0215, CVE-2019-1559, CVE-2019-5718 and CVE-2019-9208.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Supply Chain. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-6814	Oracle Agile PLM MCAD Connector	CAX Client (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	3.4, 3.5, 3.6
CVE-2019-0232	Oracle Agile Engineering Data Management	Install (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	6.2.0, 6.2.1
CVE-2017-12626	Oracle Agile PLM	Security (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2019-10072	Oracle Agile PLM	Security (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.3.5, 9.3.6
CVE-2019-0227	Oracle Agile PLM Framework	Web Services (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	9.3.3
CVE-2020-2592	Oracle AutoVue	Security	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	21.0.2
CVE-2019-10247	Oracle AutoVue	Security (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	21.0.2
CVE-2020-2557	Oracle Demantra Demand Management	Security	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.2.4, 12.2.4.1, 12.2.5, 12.2.5.1

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-0232 also addresses CVE-2019-10072.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Utilities Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Utilities Work and Asset Management (v1)	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.9.1.2
CVE-2019-11358	Oracle Real-Time Scheduler	Next Gen Mobile Application (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.3.0.1-2.3.0.3
CVE-2019-11358	Oracle Utilities Mobile Workforce Management	Next Gen Mobile Application (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.3.0.1-2.3.0.3
CVE-2014-3004	Oracle Utilities Framework	Common (Castor)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	4.2.0.2-4.2.0.3, 4.3.0.1-4.3.0.4

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 22 new security patches for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-2674	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2682	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2019-0227	Oracle Secure Global Desktop	Web Services (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	5.4, 5.5
CVE-2020-2698	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2701	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2702	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2726	Oracle VM VirtualBox	Core	None	No	7.5	Local	High	High	None	Changed	High	High	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2681	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2689	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2690	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2691	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2692	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2703	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	Prior to 5.2.36, prior to 6.0.16
CVE-2020-2704	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2705	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2725	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2678	Oracle VM VirtualBox	Core	None	No	6.4	Local	High	Low	None	Changed	Low	High	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2019-17091	Oracle Secure Global Desktop	Core (Mojarra)	Multiple	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.4, 5.5
CVE-2020-2727	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2020-2693	Oracle VM VirtualBox	Core	None	No	5.3	Local	High	High	None	Changed	High	None	None	Prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
CVE-2019-10092	Oracle Secure Global Desktop	Web Server (Apache HTTPD Server)	HTTP	Yes	4.7	Network	High	None	Required	Changed	Low	Low	None	5.4, 5.5
CVE-2019-1547	Oracle Secure Global Desktop	Core (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	5.4, 5.5

Additional CVEs addressed are below:

The patch for CVE-2019-10092 also addresses CVE-2019-10098.
The patch for CVE-2019-1547 also addresses CVE-2019-1552 and CVE-2019-1563.

No Related Posts

Oracle Critical Patch Update Advisory – October 2019

October 14, 2019September 18, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – October 2019

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

This Critical Patch Update contains 219 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2019 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Agile Recipe Management for Pharmaceuticals, versions 9.3.3, 9.3.4	Oracle Supply Chain Products
Diagnostic Assistant, version 2.12.36	Support Tools
Enterprise Manager Base Platform, versions 13.2, 13.3	Enterprise Manager
Enterprise Manager for Exadata, versions 12.1.0.5.0, 13.2.2.0.0, 13.3.1.0.0, 13.3.2.0.0	Enterprise Manager
Enterprise Manager Ops Center, versions 12.3.3, 12.4.0	Enterprise Manager
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2361, prior to XCP3071	Systems
Hyperion Data Relationship Management, version 11.1.2.4	Fusion Middleware
Hyperion Enterprise Performance Management Architect, version 11.1.2.4	Fusion Middleware
Hyperion Financial Reporting, version 11.1.2.4	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3	Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Tools, version 4.0.1.0	JD Edwards
MICROS Relate CRM Software, versions 7.1.0, 11.4, 15.0.0, 16.0.0, 17.0.0, 18.0.0	Retail Applications
MICROS Retail XBRi Loss Prevention, version 10.8.3	Retail Applications
MySQL Connectors, versions 5.3.13 and prior, 8.0.17 and prior	MySQL
MySQL Enterprise Monitor, versions 8.0.17 and prior	MySQL
MySQL Server, versions 5.6.45 and prior, 5.7.27 and prior, 8.17 and prior	MySQL
MySQL Workbench, versions 8.0.17 and prior	MySQL
Oracle Agile PLM, versions 9.3.3-9.3.6	Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, versions 6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0	Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0	Fusion Middleware
Oracle Application Testing Suite, versions 13.2, 13.3	Enterprise Manager
Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1	Oracle Financial Services Applications
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1	Oracle Banking Platform
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Clusterware, version 19.0.0.0.0	Support Tools
Oracle Data Integrator, version 12.2.1.3.0	Fusion Middleware
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9	E-Business Suite
Oracle Enterprise Repository, version 12.1.3.0.0	Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.2-8.0.8	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Enterprise Financial Performance Analytics, versions 8.0.6, 8.0.7	Oracle Financial Services Enterprise Financial Performance Analytics
Oracle Financial Services Retail Performance Analytics, versions 8.0.6, 8.0.7	Oracle Financial Services Retail Performance Analytics
Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3	Oracle Financial Services Applications
Oracle Forms, version 12.2.1.3.0	Fusion Middleware
Oracle GoldenGate Application Adapters, version 12.3.2.1.0	Fusion Middleware
Oracle GraalVM Enterprise Edition, version 19.2.0	Oracle GraalVM Enterprise Edition
Oracle Healthcare Foundation, versions 7.1.1, 7.2.2	Health Sciences
Oracle Healthcare Translational Research, versions 3.1.0, 3.2.1, 3.3.1	Health Sciences
Oracle Hospitality Cruise Dining Room Management, version 8.0.80	Oracle Hospitality Cruise Dining Room Management
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1	Oracle Hospitality Guest Access
Oracle Hospitality Materials Control, version 18.1	Oracle Hospitality Materials Control
Oracle Hospitality Reporting and Analytics, version 9.1.0	Oracle Hospitality Reporting and Analytics
Oracle Hospitality RES 3700, version 5.7	Oracle Hospitality RES
Oracle Java SE, versions 7u231, 8u221, 11.0.4, 13	Java SE
Oracle Java SE Embedded, version 8u221	Java SE
Oracle JDeveloper and ADF, versions 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle NoSQL Database, versions prior to 19.3.12	NoSQL Database
Oracle Outside In Technology, version 8.5.4	Fusion Middleware
Oracle Policy Automation, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0-12.2.15	Oracle Policy Automation
Oracle Policy Automation Connector for Siebel, version 10.4.6	Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.15	Oracle Policy Automation
Oracle Retail Customer Insights, versions 15.0, 16.0	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, version 17.0	Retail Applications
Oracle Retail Integration Bus, versions 15.0, 16.0	Retail Applications
Oracle Retail Xstore Office, version 7.1	Retail Applications
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 17.0.3, 18.0, 18.0.1, 19.0.0	Retail Applications
Oracle Service Bus, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle SOA Suite, version 12.2.1.3.0	Fusion Middleware
Oracle Solaris, versions 10, 11	Systems
Oracle Virtual Directory, version 11.1.1.9.0	Fusion Middleware
Oracle VM VirtualBox, versions prior to 5.2.34, prior to 6.0.14	Virtualization
Oracle Web Services, version 12.2.1.3.0	Fusion Middleware
Oracle WebCenter Portal, version 12.2.1.3.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
PeopleSoft Enterprise HCM Human Resources, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57	PeopleSoft
PeopleSoft Enterprise SCM eProcurement, version 9.2	PeopleSoft
Primavera Gateway, versions 15.2, 16.2, 17.12, 18.8	Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.13	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8	Oracle Construction and Engineering Suite
Siebel Applications, versions 19.8 and prior	Siebel

Note:

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Alaa Kachouh of Bankmed: CVE-2019-3019
Alexander Kornbrust of Red Database Security: CVE-2018-2875, CVE-2019-2895, CVE-2019-2939
Alpha66647777: CVE-2019-2978
Amaal Khalid of SecureMisr: CVE-2019-2979, CVE-2019-2980
Andrej Simko of Accenture: CVE-2019-2930, CVE-2019-2990, CVE-2019-2994, CVE-2019-2995, CVE-2019-3000, CVE-2019-3022, CVE-2019-3024
Andrej Simko of Accenture working with iDefense Labs: CVE-2019-2930
Andrzej Dyjak of sigsegv.pl: CVE-2019-2901, CVE-2019-2902, CVE-2019-2903, CVE-2019-2970, CVE-2019-2971, CVE-2019-2972
anhdaden of STAR Labs: CVE-2019-2984, CVE-2019-3002, CVE-2019-3005
Anhdaden of StarLabs working with Trend Micro’s Zero Day Initiative: CVE-2019-3026, CVE-2019-3031
Badcode of Knownsec 404 Team: CVE-2019-2888
Bartlomiej Stasiek: CVE-2019-2941
Dimitrios – Georgios Karetsos of COSMOTE – Mobile Telecommunications S.A.: CVE-2019-2959
Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2019-2954, CVE-2019-2955
Ehsan Nikavar: CVE-2019-2898
Emad Al-Mousa of Saudi Aramco: CVE-2019-2940
Huyna of Viettel Cyber Security working with Trend Micro Zero Day Initiative: CVE-2019-3017
Imre Rad: CVE-2019-2996
Jakub Palaczynski: CVE-2019-2927
Jakub Palaczynski of ING Tech Poland: CVE-2019-2886
Jan Jancar of Masaryk University: CVE-2019-2894
Jean-Benjamin Rousseau of SEC Consult Vulnerability Lab: CVE-2019-17091
Krzysztof Bednarski of ING Tech Poland: CVE-2019-2886
Kyle Stiemann of Liferay: CVE-2019-17091
Laura Rowieska: CVE-2019-2897
Lewei Qu of Baidu, Inc.: CVE-2019-3021
lofiboy of infiniti Team, VinCSS (a member of Vingroup): CVE-2019-2926, CVE-2019-2944
Longofo of Knownsec 404 Team: CVE-2019-2888
Lukasz Mikula: CVE-2019-2932
Lukasz Rupala of ING Tech Poland: CVE-2019-2900, CVE-2019-3012
Marco Ivaldi of Media Service: CVE-2019-3010
Marek Cybul: CVE-2019-3014, CVE-2019-3015
Michal Skowron: CVE-2019-2897
MitAh of Tencent Security Xuanwu Lab: CVE-2019-2999
TSM_007 of TSM: CVE-2019-3012
Owais Zaman of Sabic: CVE-2019-3020
Philippe Antoine, Christopher Alves, Zouhair Janatil-Idrissi, Julien Zhan (Telecom Nancy): CVE-2019-2993, CVE-2019-3011
Ramnath Shenoy of NCC Group: CVE-2019-3015
Resecurity, Inc.: CVE-2019-3028
Rob Hamm of sas.com: CVE-2019-2949
RunningSnail: CVE-2019-2889
Saeed Shiravi: CVE-2019-3012
Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2019-2959
Steven Danneman of Security Innovation: CVE-2019-2922, CVE-2019-2923, CVE-2019-2924
tint0 of Viettel Cyber Security working with Trend Micro Zero Day Initiative: CVE-2019-2904
Tomasz Wisniewski: CVE-2019-2906
Vahagn Vardanyan: CVE-2019-2905, CVE-2019-2907
Venustech ADLab: CVE-2019-2887, CVE-2019-2890
Vladimir Egorov: CVE-2019-2905, CVE-2019-2907
Walid Faour: CVE-2019-3025
Zohaib Tasneem of Sabic: CVE-2019-3020

Security-In-Depth Contributors

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

Amit Kaplan of GE
An Trinh
Bartlomiej Zogala
Ben Heimerdinger of Code White GmbH
Cornelius Aschermann of Ruhr-University Bochum
George R
Joshua Graham of TSS
Lucas Fink
Markus Wulftange of Code White GmbH
Roberto Suggi Liverani of NATO Communications and Information Agency
Roy Haroush of GE
Sergej Schumilo of Ruhr-University Bochum
Simon Worner
Tin Duong of Fortinet’s FortiGuard Labs
voidfyoo of Chaitin Tech

On-Line Presence Security Contributors

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

Arun Babu
Ben Stock of CISPA Helmholtz Center for Information Security (Germany)
Dudy Shaul
Khiem Tran
Malavika SK
Nick Nikiforakis
Pooja B Sen
Ronak Nahar
Sajjad Hashemian
Shubham Garg [nullb0t] of JMIETI
Stefano Calzavara
Wai Yan Aung

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

14 January 2020
14 April 2020
14 July 2020
20 October 2020

References

Modification History

Date	Note
2019-October-15	Rev 1. Initial Release.
2019-November-26	Rev 2. Update Entry for CVE-2019-2941
2020-January-22	Rev 3. Update affected version Entry for CVE-2019-2888

Oracle Database Server Risk Matrix

This Critical Patch Update contains 11 new security patches for the Oracle Database Server divided as follows:

10 new security patches for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
1 new security patch for Oracle NoSQL Database. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2909	Java VM	None	Multiple	Yes	6.8	Network	High	None	None	Changed	None	High	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2956	Core RDBMS (jackson-databind)	Create Session	Multiple	No	5.7	Network	Low	Low	Required	Un- changed	None	None	High	12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2913	Core RDBMS	Create Session	OracleNet	No	5.0	Network	Low	Low	None	Changed	Low	None	None	12.2.0.1, 18c, 19c
CVE-2019-2939	Core RDBMS	Create Session	OracleNet	No	5.0	Network	Low	Low	None	Changed	Low	None	None	12.2.0.1, 18c, 19c
CVE-2018-2875	Core RDBMS	Create Session	OracleNet	No	5.0	Network	Low	Low	None	Changed	Low	None	None	12.2.0.1, 18c, 19c
CVE-2019-2734	Core RDBMS	Create Session, Execute on DBMS_ADVISOR	OracleNet	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	12.2.0.1, 18c, 19c
CVE-2018-11784	WLM (Apache Tomcat)	None	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	12.2.0.1, 18c, 19c
CVE-2019-2954	Core RDBMS	Create Session, Create Procedure	Multiple	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2955	Core RDBMS	Local Logon	Multiple	No	3.9	Local	Low	Low	Required	Un- changed	None	Low	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2940	Core RDBMS	Create Session	OracleNet	No	2.3	Local	Low	High	None	Un- changed	None	Low	None	12.1.0.2, 12.2.0.1, 18c

Additional CVEs addressed are below:

The patch for CVE-2018-11784 also addresses CVE-2018-8034.
The patch for CVE-2019-2956 also addresses CVE-2018-1000873, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361 and CVE-2018-19362.

Oracle NoSQL Database Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle NoSQL Database. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-14721	Oracle NoSQL Database	NoSQL (jackson-databind)	HTTP	Yes	10.0	Network	Low	None	None	Changed	High	High	High	Prior to 19.3.12

Additional CVEs addressed are below:

The patch for CVE-2018-14721 also addresses CVE-2018-1000873, CVE-2018-11798, CVE-2018-1320, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-12086, CVE-2019-12384 and CVE-2019-12814.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 13 new security patches for Oracle Construction and Engineering. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-6056	Instantis EnterpriseTrack	Core (Apache Tomcat)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2019-14379	Primavera Gateway	Admin (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.2, 16.2, 17.12, 18.8
CVE-2019-14379	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2019-3020	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	9.3	Network	Low	None	Required	Changed	High	High	None	15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.11
CVE-2019-0232	Instantis EnterpriseTrack	Generic (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2019-0211	Instantis EnterpriseTrack	Generic (Apache HTTP Server)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2019-0227	Instantis EnterpriseTrack	Generic (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2017-12626	Instantis EnterpriseTrack	Generic (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.1, 17.2, 17.3
CVE-2017-12626	Primavera Gateway	Admin (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.12
CVE-2017-12626	Primavera P6 Enterprise Project Portfolio Management	Web Access (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.13
CVE-2017-12626	Primavera Unifier	Core (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2019-2976	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	6.8	Network	Low	Low	Required	Changed	High	None	None	17.1.0-17.12.12
CVE-2019-11358	Primavera Unifier	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.1, 16.2, 17.7-17.12, 18.8

Additional CVEs addressed are below:

The patch for CVE-2017-6056 also addresses CVE-2016-5425.
The patch for CVE-2019-0211 also addresses CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217 and CVE-2019-0220.
The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-0232 also addresses CVE-2019-10072.
The patch for CVE-2019-14379 also addresses CVE-2019-12086, CVE-2019-14439, CVE-2019-14540 and CVE-2019-16335.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 10 new security patches for the Oracle E-Business Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2019), My Oracle Support Note 2586423.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2942	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.8
CVE-2019-2990	Oracle iStore	Order Tracker	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-2994	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3
CVE-2019-2995	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-3000	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-3022	Oracle Content Manager	Content	HTTP	Yes	5.8	Network	Low	None	None	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2019-3027	Oracle Application Object Library	Login Help	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	12.2.5-12.2.9
CVE-2019-2930	Oracle Field Service	Wireless	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1-12.1.3, 12.2.3-12.2.8
CVE-2019-3024	Oracle Installed Base	Engineering Change Order	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.2.3-12.2.9
CVE-2019-2925	Oracle Workflow	Worklist	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	12.1.3, 12.2.3-12.2.8

Oracle Enterprise Manager Risk Matrix

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2568292.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-4000	Enterprise Manager Base Platform	Command Line Interface (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2, 13.3
CVE-2019-5443	Enterprise Manager Ops Center	Networking (cURL)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	12.3.3, 12.4.0
CVE-2019-2895	Enterprise Manager for Exadata	Exadata Plug-In Deploy and Ins	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	12.1.0.5.0, 13.2.2.0.0, 13.3.1.0.0, 13.3.2.0.0
CVE-2019-9517	Enterprise Manager Ops Center	OS Provisioning (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.3.3, 12.4.0
CVE-2019-11358	Enterprise Manager Ops Center	Networking (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.3.3, 12.4.0
CVE-2019-11358	Oracle Application Testing Suite	Load Testing for Web Apps (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.2, 13.3
CVE-2019-10247	Enterprise Manager Base Platform	Agent Next Gen (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	13.2, 13.3

Additional CVEs addressed are below:

The patch for CVE-2019-10247 also addresses CVE-2019-10246.
The patch for CVE-2019-11358 also addresses CVE-2015-9251.
The patch for CVE-2019-5443 also addresses CVE-2019-5435 and CVE-2019-5436.
The patch for CVE-2019-9517 also addresses CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 and CVE-2019-10098.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Financial Services Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-14379	Oracle Banking Platform	Infrastructure (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1
CVE-2019-14379	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.2-8.0.8
CVE-2019-2980	Oracle FLEXCUBE Direct Banking	eMail	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.0.2, 12.0.3
CVE-2019-11358	Oracle Financial Services Enterprise Financial Performance Analytics	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7
CVE-2019-11358	Oracle Financial Services Retail Performance Analytics	UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7
CVE-2019-2979	Oracle FLEXCUBE Direct Banking	Payments	HTTP	No	5.7	Network	Low	Low	Required	Un- changed	None	High	None	12.0.2, 12.0.3
CVE-2019-3019	Oracle Banking Digital Experience	Loan Calculator	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	18.1, 18.2, 18.3, 19.1

Additional CVEs addressed are below:

The patch for CVE-2019-14379 also addresses CVE-2019-14439.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Food and Beverage Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-3025	Oracle Hospitality RES 3700	Interface	HTTP	Yes	9.0	Network	High	None	None	Changed	High	High	High	5.7
CVE-2019-2934	Oracle Hospitality Reporting and Analytics	Admin – Configuration	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.1.0
CVE-2019-2937	Oracle Hospitality Reporting and Analytics	Admin – Configuration	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.1.0
CVE-2019-2947	Oracle Hospitality Reporting and Analytics	Inventory Integration	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	9.1.0
CVE-2019-2936	Oracle Hospitality Reporting and Analytics	Admin – Configuration	HTTP	No	6.8	Network	High	Low	None	Un- changed	High	High	None	9.1.0
CVE-2019-11358	Oracle Hospitality Materials Control	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.1
CVE-2019-2952	Oracle Hospitality Reporting and Analytics	Admin-Configuration	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 37 new security patches for Oracle Fusion Middleware. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update October 2019 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2568292.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2904	Oracle JDeveloper and ADF	ADF Faces	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2016-1000031	Oracle Virtual Directory	Virtual Directory Server (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0
CVE-2019-2905	Oracle Business Intelligence Enterprise Edition	Installation	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-2906	BI Publisher (formerly XML Publisher)	Mobile Service	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2891	Oracle WebLogic Server	Console	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2900	Oracle Business Intelligence Enterprise Edition	Analytics Actions	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-0188	Oracle Enterprise Repository	Security Subsystem – 12c (Apache Camel)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0
CVE-2017-12626	Oracle Enterprise Repository	Security Subsystem – 12c (Apache POI)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.3.0.0
CVE-2018-15756	Oracle GoldenGate Application Adapters	3rd Party (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.3.2.1.0
CVE-2019-12086	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3.0
CVE-2019-2970	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2901	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2902	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2903	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2971	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2019-2972	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.4	See Note 1
CVE-2016-1000031	Oracle SOA Suite	BPEL Service Engine and Fabric Layer (Apache Commons FileUpload)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	12.2.1.3.0
CVE-2019-2907	Oracle Web Services	SOAP with Attachments API for Java	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	12.2.1.3.0
CVE-2019-2890	Oracle WebLogic Server	Web Services	T3	No	7.2	Network	Low	High	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2943	Oracle Data Integrator	Studio	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.2.1.3.0
CVE-2019-2897	Oracle Business Intelligence Enterprise Edition	Analytics Actions	HTTP	No	6.4	Network	Low	Low	None	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2016-7103	Oracle Business Intelligence Enterprise Edition	BI Platform Security (JQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-2886	Oracle Forms	Services	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2019-11358	Oracle JDeveloper and ADF	ADF Faces (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-11358	Oracle Service Bus	Web Container (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-11358	Oracle WebLogic Server	Console (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2889	Oracle WebLogic Server	Sample apps	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2019-11358	Oracle WebLogic Server	Sample apps (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0
CVE-2019-17091	Oracle WebLogic Server	Web Container (JavaServer Faces)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2015-9251	Oracle WebLogic Server	Web Services (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0.0, 12.2.1.3.0
CVE-2019-1559	Oracle API Gateway	Oracle API Gateway (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	11.1.2.4.0
CVE-2019-1559	Oracle Business Intelligence Enterprise Edition	Secure Store (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-3012	Oracle Business Intelligence Enterprise Edition	BI Platform Security	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2888	Oracle WebLogic Server	EJB Container	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2898	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2887	Oracle WebLogic Server	Web Services	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2899	Oracle JDeveloper and ADF	OAM	HTTP	No	2.4	Network	Low	High	Required	Un- changed	Low	None	None	11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.3.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The patch for CVE-2016-7103 also addresses CVE-2015-9251.
The patch for CVE-2019-11358 also addresses CVE-2015-9251.

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle GraalVM. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2986	Oracle GraalVM Enterprise Edition	LLVM Interpreter	Multiple	No	7.7	Network	Low	Low	None	Changed	None	None	High	19.2.0
CVE-2019-9511	Oracle GraalVM Enterprise Edition	JavaScript (Node.js)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	19.2.0
CVE-2019-2989	Oracle GraalVM Enterprise Edition	Java	Multiple	Yes	6.8	Network	High	None	None	Changed	None	High	None	19.2.0

Oracle Health Sciences Applications Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-11358	Oracle Healthcare Foundation	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.1.1, 7.2.2
CVE-2019-11358	Oracle Healthcare Translational Research	Cohort Explorer (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.1.0, 3.2.1, 3.3.1

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Hospitality Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-0227	Oracle Hospitality Guest Access	Base (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	4.2.0, 4.2.1
CVE-2019-2953	Oracle Hospitality Cruise Dining Room Management	Web Service	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	8.0.80
CVE-2019-10247	Oracle Hospitality Guest Access	Base (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	4.2.0, 4.2.1

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.
The patch for CVE-2019-10247 also addresses CVE-2019-10246.

Oracle Hyperion Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2927	Hyperion Data Relationship Management	Access and Security	HTTP	No	6.4	Network	High	High	Required	Un- changed	High	High	High	11.1.2.4
CVE-2019-2959	Hyperion Financial Reporting	Security Models	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4
CVE-2019-2941	Hyperion Profitability and Cost Management	Modeling	HTTP	No	4.0	Network	High	High	Required	Changed	Low	Low	None	11.1.2.4

Oracle Java SE Risk Matrix

This Critical Patch Update contains 20 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2949	Java SE, Java SE Embedded	Kerberos	Kerberos	Yes	6.8	Network	High	None	None	Changed	High	None	None	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2989	Java SE, Java SE Embedded	Networking	Multiple	Yes	6.8	Network	High	None	None	Changed	None	High	None	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2958	Java SE, Java SE Embedded	Libraries	Multiple	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-11068	Java SE	JavaFX (libxslt)	Multiple	Yes	5.6	Network	High	None	None	Un- changed	Low	Low	Low	Java SE: 8u221	See Note 1
CVE-2019-2977	Java SE	Hotspot	Multiple	Yes	4.8	Network	High	None	None	Un- changed	Low	None	Low	Java SE: 11.0.4, 13	See Note 2
CVE-2019-2975	Java SE, Java SE Embedded	Scripting	Multiple	Yes	4.8	Network	High	None	None	Un- changed	None	Low	Low	Java SE: 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2999	Java SE	Javadoc	Multiple	Yes	4.7	Network	High	None	Required	Changed	Low	Low	None	Java SE: 7u231, 8u221, 11.0.4, 13	See Note 2
CVE-2019-2996	Java SE, Java SE Embedded	Deployment	Multiple	Yes	4.2	Network	High	None	Required	Un- changed	Low	Low	None	Java SE: 8u221; Java SE Embedded: 8u221	See Note 2
CVE-2019-2987	Java SE	2D	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 11.0.4, 13	See Note 1
CVE-2019-2962	Java SE, Java SE Embedded	2D	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2988	Java SE, Java SE Embedded	2D	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 2
CVE-2019-2992	Java SE, Java SE Embedded	2D	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 2
CVE-2019-2964	Java SE, Java SE Embedded	Concurrency	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 3
CVE-2019-2973	Java SE, Java SE Embedded	JAXP	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2981	Java SE, Java SE Embedded	JAXP	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2978	Java SE, Java SE Embedded	Networking	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2894	Java SE, Java SE Embedded	Security	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2983	Java SE, Java SE Embedded	Serialization	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2933	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 1
CVE-2019-2945	Java SE, Java SE Embedded	Networking	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	None	None	Low	Java SE: 7u231, 8u221, 11.0.4, 13; Java SE Embedded: 8u221	See Note 2

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle JD Edwards. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	JD Edwards EnterpriseOne Tools	Deployment (Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.0.1.0

Oracle MySQL Risk Matrix

This Critical Patch Update contains 34 new security patches for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-8457	MySQL Workbench	MySQL Workbench (SQLite)	MySQL Workbench	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.17 and prior
CVE-2019-5443	MySQL Server	Server: Compiling (cURL)	MySQL Protocol	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-10072	MySQL Enterprise Monitor	Monitoring: General (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-1543	MySQL Connectors	Connector/ODBC (OpenSSL)	TLS	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	5.3.13 and prior, 8.0.17 and prior
CVE-2019-3011	MySQL Server	Server: C API	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2966	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2967	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2974	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.45 and prior, 5.7.27 and prior, 8.0.17 and prior
CVE-2019-2946	MySQL Server	Server: PS	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-3004	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2914	MySQL Server	Server: Security: Encryption	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-2969	MySQL Server	Client programs	MySQL Protocol	No	6.2	Local	Low	None	None	Un- changed	High	None	None	5.6.44 and prior, 5.7.26 and prior, 8.0.16 and prior
CVE-2019-2991	MySQL Server	Server: Optimizer	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	8.017 and prior
CVE-2019-2920	MySQL Connectors	Connector/ODBC	MySQL Protocol	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	5.3.13 and prior, 8.0.17 and prior
CVE-2019-2993	MySQL Server	Server: C API	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-2922	MySQL Server	Server: Security: Encryption	MySQL Protocol	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.6.45 and prior, 5.7.27 and prior
CVE-2019-2923	MySQL Server	Server: Security: Encryption	MySQL Protocol	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.6.45 and prior, 5.7.27 and prior
CVE-2019-2924	MySQL Server	Server: Security: Encryption	MySQL Protocol	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.6.45 and prior, 5.7.27 and prior
CVE-2019-1549	MySQL Workbench	Workbench: Security: Encryption (OpenSSL)	MySQL Workbench	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.0.17 and prior
CVE-2019-2963	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2968	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-3003	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2997	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2948	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.26 and prior, 8.0.16 and prior
CVE-2019-2950	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.16 and prior
CVE-2019-2982	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2998	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2960	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-2957	MySQL Server	Server: Security: Encryption	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2938	MySQL Server	InnoDB	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.7.27 and prior, 8.0.17 and prior
CVE-2019-3018	MySQL Server	InnoDB	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-3009	MySQL Server	Server: Connection	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.17 and prior
CVE-2019-2910	MySQL Server	Server: Security: Encryption	MySQL Protocol	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	5.6.45 and prior, 5.7.27 and prior
CVE-2019-2911	MySQL Server	Information Schema	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	5.6.45 and prior, 5.7.27 and prior, 8.0.17 and prior

Additional CVEs addressed are below:

The patch for CVE-2019-1549 also addresses CVE-2019-1547, CVE-2019-1552 and CVE-2019-1563.
The patch for CVE-2019-5443 also addresses CVE-2019-5435 and CVE-2019-5436.
The patch for CVE-2019-8457 also addresses CVE-2019-9936 and CVE-2019-9937.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 13 new security patches for Oracle PeopleSoft. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-0729	PeopleSoft Enterprise PeopleTools	Integration Broker (Apache Xerces)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.56, 8.57
CVE-2019-3862	PeopleSoft Enterprise PeopleTools	File Processing (libssh2)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	8.56, 8.57
CVE-2019-2932	PeopleSoft Enterprise PeopleTools	Tree Manager	HTTP	No	7.7	Network	Low	Low	None	Changed	High	None	None	8.56, 8.57
CVE-2019-2915	PeopleSoft Enterprise PeopleTools	Fluid Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-2985	PeopleSoft Enterprise PeopleTools	Fluid Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-3014	PeopleSoft Enterprise PeopleTools	Performance Monitor	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-2929	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-2931	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-11358	PeopleSoft Enterprise PeopleTools	Portal, Charting (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57
CVE-2019-3001	PeopleSoft Enterprise SCM eProcurement	eProcurement	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	9.2
CVE-2019-3023	PeopleSoft Enterprise PeopleTools	Stylesheet	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	8.56, 8.57
CVE-2019-2951	PeopleSoft Enterprise HCM Human Resources	US Federal Specific	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	9.2
CVE-2019-3015	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.56, 8.57

Additional CVEs addressed are below:

The patch for CVE-2019-3862 also addresses CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3858, CVE-2019-3859, CVE-2019-3860, CVE-2019-3861 and CVE-2019-3863.

Oracle Policy Automation Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Policy Automation. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-0227	Oracle Policy Automation Connector for Siebel	Core (Apache Axis)	HTTP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	10.4.6
CVE-2019-11358	Oracle Policy Automation	Determinations Engine (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.4.7, 12.1.0, 12.1.1, 12.2.0-12.2.15
CVE-2019-11358	Oracle Policy Automation Connector for Siebel	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.4.6
CVE-2019-11358	Oracle Policy Automation for Mobile Devices	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.0-12.2.15

Additional CVEs addressed are below:

The patch for CVE-2019-0227 also addresses CVE-2018-8032.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Retail Applications. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-19362	MICROS Retail XBRi Loss Prevention	Retail (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.8.3
CVE-2019-14379	Oracle Retail Xstore Point of Service	Xenvironment (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.1, 15.0, 16.0, 17.0, 18.0
CVE-2019-0232	MICROS Relate CRM Software	Internal Operations (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	11.4
CVE-2018-15756	Oracle Retail Integration Bus	RIB Kernal (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	15.0, 16.0
CVE-2019-12086	Oracle Retail Xstore Point of Service	Xenvironment (jackson-databind)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	7.1, 15.0, 16.0, 17.0, 18.0
CVE-2019-11358	Oracle Retail Customer Insights	Retail Science Engine (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0, 16.0
CVE-2019-2896	MICROS Relate CRM Software	Internal Operations	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.1.0, 15.0.0, 16.0.0, 17.0.0, 18.0.0,
CVE-2019-2884	Oracle Retail Customer Management and Segmentation Foundation	Segment	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	17.0
CVE-2018-3300	Oracle Retail Xstore Office	Internal Operations	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	7.1
CVE-2019-10247	Oracle Retail Xstore Point of Service	Dataloader (jackson-databind)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	7.1, 15.0, 16.0, 17.0
CVE-2019-2883	Oracle Retail Customer Management and Segmentation Foundation	Segment	HTTP	No	4.6	Network	Low	Low	Required	Un- changed	Low	Low	None	17.0
CVE-2019-2872	Oracle Retail Xstore Point of Service	Point of Sale	None	No	2.7	Physical	High	High	Required	Un- changed	Low	Low	None	17.0.3, 18.0.1, 19.0.0

Additional CVEs addressed are below:

The patch for CVE-2019-10247 also addresses CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2018-12536, CVE-2018-12538, CVE-2018-12545, CVE-2019-10241 and CVE-2019-10246.
The patch for CVE-2019-14379 also addresses CVE-2019-12086 and CVE-2019-14439.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Siebel CRM. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2965	Siebel Core – DB Deployment and Configuration	Install – Configuration	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	19.8 and prior
CVE-2019-11358	Siebel Mobile Applications	CG Mobile Connected (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	19.8 and prior
CVE-2018-8037	Siebel UI Framework	Customizable Prod/Configurator (Apache Tomcat)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	19.7 and prior
CVE-2019-2935	Siebel UI Framework	EAI	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	19.8 and prior

Oracle Systems Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Systems . 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-1000007	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (cURL)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to XCP2361, Prior to XCP3070
CVE-2019-3010	Oracle Solaris	XScreenSaver	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	11
CVE-2015-5180	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (glibc)	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to XCP2361, Prior to XCP3071
CVE-2018-7185	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (NTP)	NTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to XCP2361, Prior to XCP3070
CVE-2018-18066	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (Net SNMP)	SNMP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to XCP2361, Prior to XCP3070
CVE-2018-0732	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to XCP2361, Prior to XCP3070
CVE-2019-6109	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (OpenSSH)	SSH	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	Prior to XCP2361, Prior to XCP3070
CVE-2017-17558	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (USB Driver)	None	No	6.6	Physical	Low	Low	None	Un- changed	High	High	High	Prior to XCP2360, Prior to XCP3060
CVE-2018-12404	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (NSS)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Prior to XCP2361, Prior to XCP3070
CVE-2019-2765	Oracle Solaris	Filesystem	None	No	5.3	Local	High	Low	None	Changed	Low	Low	Low	10, 11
CVE-2019-2961	Oracle Solaris	SMF services & legacy daemons	None	No	3.6	Local	High	Low	None	Un- changed	None	Low	Low	11
CVE-2019-3008	Oracle Solaris	LDAP Library	None	No	1.8	Local	High	High	Required	Un- changed	None	None	Low	11

Additional CVEs addressed are below:

The patch for CVE-2017-17558 also addresses CVE-2017-16531.
The patch for CVE-2018-0732 also addresses CVE-2016-8610 and CVE-2019-1559.
The patch for CVE-2018-1000007 also addresses CVE-2018-1000120 and CVE-2018-16842.
The patch for CVE-2018-12404 also addresses CVE-2018-12384.
The patch for CVE-2018-18066 also addresses CVE-2018-18065.
The patch for CVE-2019-6109 also addresses CVE-2018-20685 and CVE-2019-6111.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Supply Chain. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-6814	Agile Recipe Management for Pharmaceuticals	Recipe (Apache Groovy)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.4
CVE-2019-0232	Oracle Agile PLM	Security (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.3.3-9.3.6
CVE-2019-11358	Oracle Agile Product Lifecycle Management for Process	Supplier Portal (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0

Oracle Support Tools Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-11358	Diagnostic Assistant	Libraries (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.12.36
CVE-2019-12814	Oracle Clusterware	Trace File Analyzer (TFA) Collector (jackson-databind)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	19.0.0.0.0

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-3028	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3017	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-2944	Oracle VM VirtualBox	Core	None	No	7.3	Local	Low	High	None	Changed	Low	Low	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3026	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3021	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-2984	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	None	None	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3002	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	None	None	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3005	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	None	None	High	Prior to 5.2.34, prior to 6.0.14
CVE-2019-3031	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 5.2.34, prior to 6.0.14
CVE-2019-1547	Oracle VM VirtualBox	Core (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	Prior to 5.2.34, prior to 6.0.14
CVE-2019-2926	Oracle VM VirtualBox	Core	None	No	2.3	Local	Low	High	None	Un- changed	None	None	Low	Prior to 5.2.34, prior to 6.0.14

Additional CVEs addressed are below:

The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.

No Related Posts

Oracle Security Alert for CVE-2019-2729 – 18 Jun 2019

June 17, 2019September 18, 2020 Oracle Leave a comment

Oracle Security Alert Advisory – CVE-2019-2729

Description

This Security Alert addresses CVE-2019-2729, a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

References

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Security Alert. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:

Badcode of Knownsec 404 Team: CVE-2019-2729
Fangrun Li of Creditease Security Team: CVE-2019-2729
Foren Lim: CVE-2019-2729
Jkgh006: CVE-2019-2729
Lucifaer of 360CERT at QiHu360: CVE-2019-2729
Maoxin Lin of Dbappsecurity Team: CVE-2019-2729
orich1 of CUIT D0g3 Secure Team: CVE-2019-2729
WenHui Wang of State Grid: CVE-2019-2729
Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2019-2729
Ye Zhipeng of Qianxin Yunying Labs: CVE-2019-2729
Yuxuan Chen: CVE-2019-2729
Zhao Chang of Venustech ADLab: CVE-2019-2729
Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2019-2729

Modification History

Date	Note
2019-July-11	Rev 4. Updated credit statement.
2019-June-21	Rev 3. Updated credit statement.
2019-June-20	Rev 2. Removed irrelevant paragraph about Oracle Database.
2019-June-18	Rev 1. Initial Release.

Oracle Fusion Middleware Risk Matrix

This Security Alert contains 1 new security fix for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2729	Oracle WebLogic Server	Web Services	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0

No Related Posts

Oracle Security Alert for CVE-2019-2725 – 26 Apr 2019

April 25, 2019September 18, 2020 Oracle Leave a comment

Oracle Security Alert Advisory – CVE-2019-2725

Description

This Security Alert addresses CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Affected Products and Patch Information

Affected Products and Versions	Patch Availability Document
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0	Fusion Middleware

Security Alert Supported Products and Versions

References

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:

Badcode of Knownsec 404 Team: CVE-2019-2725
Hongwei Pan of Minsheng Banking Corp.: CVE-2019-2725
Icematcha of Qianxin Yunying Labs: CVE-2019-2725
icez of Tophant Competence Center: CVE-2019-2725
Liao Xinxi of NSFOCUS Security Team: CVE-2019-2725
Lin Zheng of Minsheng Banking Corp.: CVE-2019-2725
Song Keya of Minsheng Banking Corp.: CVE-2019-2725
Tianlei Li of Minsheng Banking Corp.: CVE-2019-2725
Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2019-2725
ZengShuai Hao: CVE-2019-2725
Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2019-2725

Modification History

Date	Note
2019-May-29	Rev 4. Updated Credit Statement.
2019-May-1	Rev 3. Updated Credit Statement.
2019-April-30	Rev 2. Updated WebLogic Server Versions.
2019-April-26	Rev 1. Initial Release.

Oracle Fusion Middleware Risk Matrix

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2535708.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-2725	Oracle WebLogic Server	Web Services	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0

No Related Posts

Oracle Critical Patch Update Advisory – April 2019

April 15, 2019September 18, 2020 Oracle Leave a comment

Oracle Critical Patch Update Advisory – April 2019

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 297 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2019 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Agile Recipe Management for Pharmaceuticals, versions 9.3.3, 9.3.4	Oracle Supply Chain Products
Enterprise Manager Base Platform, versions 12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0	Enterprise Manager
Enterprise Manager Ops Center, version 12.3.3	Enterprise Manager
FMW Platform, version 12.2.1.3.0	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3	Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Tools, version 9.2	JD Edwards
JD Edwards World Technical Foundation, versions A9.2, A9.3.1, A9.4	JD Edwards
MICROS Lucas, versions 2.9.5.6, 2.9.5.7	Retail Applications
MICROS Relate CRM Software, version 11.4	Retail Applications
MICROS Retail-J, version 12.1.2	Retail Applications
MySQL Connectors, versions 5.3.12 and prior, 8.0.15 and prior	MySQL
MySQL Enterprise Backup, versions 3.12.3 and prior, 4.1.2 and prior	MySQL
MySQL Enterprise Monitor, versions 4.0.8 and prior, 8.0.14 and prior	MySQL
MySQL Server, versions 5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior	MySQL
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5	Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0	Fusion Middleware
Oracle Application Testing Suite, version 13.3.0.1	Enterprise Manager
Oracle AutoVue 3D Professional Advanced, versions 21.0.0, 21.0.1	Oracle Supply Chain Products
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0	Oracle Banking Platform
Oracle Berkeley DB, versions prior to 6.138, prior to 18.1.32	Berkeley DB
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Process Management Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle Business Transaction Management, version 12.1.0	Enterprise Manager
Oracle Commerce Merchandising, version 11.2.0.3	Oracle Commerce
Oracle Commerce Platform, versions 11.2.0.3, 11.3.1	Oracle Commerce
Oracle Communications Application Session Controller, versions 3.7.1, 3.8.0	Oracle Communications Application Session Controller
Oracle Communications EAGLE Application Processor, versions 16.1.0, 16.2.0	Oracle Communications EAGLE Application Processor
Oracle Communications EAGLE LNP Application Processor, versions 10.0, 10.1, 10.2	Oracle Communications EAGLE LNP Application Processor
Oracle Communications Instant Messaging Server, version 10.0.1	Oracle Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2	Oracle Communications Interactive Session Recorder
Oracle Communications LSMS, versions 13.1, 13.2, 13.3	Oracle Communications LSMS
Oracle Communications Messaging Server, versions 8.0, 8.1	Oracle Communications Messaging Server
Oracle Communications Operations Monitor, versions 3.4, 4.0	Oracle Communications Operations Monitor
Oracle Communications Policy Management, versions 12.1, 12.2, 12.3, 12.4	Oracle Communications Policy Management
Oracle Communications Pricing Design Center, versions 11.1, 12.0	Oracle Communications Pricing Design Center
Oracle Communications Service Broker, version 6.0	Oracle Communications Service Broker
Oracle Communications Service Broker Engineered System Edition, version 6.0	Oracle Communications Service Broker Engineered System Edition
Oracle Communications Session Border Controller, versions 8.0.0, 8.1.0, 8.2.0	Oracle Communications Session Border Controller
Oracle Communications Unified Inventory Management, versions 7.3.2, 7.3.4, 7.3.5, 7.4.0	Oracle Communications Unified Inventory Management
Oracle Configuration Manager, version 12.1.0	Enterprise Manager
Oracle Configurator, versions 12.1, 12.2	Oracle Supply Chain Products
Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0	Fusion Middleware
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	Database
Oracle E-Business Suite, versions 0.9.8, 1.0.0, 1.0.1, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8	E-Business Suite
Oracle Endeca Information Discovery Integrator, version 3.2.0	Fusion Middleware
Oracle Enterprise Communications Broker, versions 3.0.0, 3.1.0	Oracle Enterprise Communications Broker
Oracle Enterprise Operations Monitor, versions 3.4, 4.0	Oracle Enterprise Operations Monitor
Oracle Enterprise Session Border Controller, versions 8.0.0, 8.1.0, 8.2.0	Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3 – 7.3.5, 8.0.0 – 8.0.7	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Asset Liability Management, versions 8.0.4 – 8.0.7	Oracle Financial Services Asset Liability Management
Oracle Financial Services Data Integration Hub, versions 8.0.5 – 8.0.7	Oracle Financial Services Data Integration Hub
Oracle Financial Services Funds Transfer Pricing, versions 8.0.4 – 8.0.7	Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4 – 8.0.7	Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Liquidity Risk Management, versions 8.0.2 – 8.0.6	Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.2 – 8.0.7	Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.5, 8.0.6	Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Profitability Management, versions 8.0.4 – 8.0.6	Oracle Financial Services Profitability Management
Oracle Financial Services Reconciliation Framework, versions 8.0.5, 8.0.6	Oracle Financial Services Analytical Applications Reconciliation Framework
Oracle FLEXCUBE Private Banking, versions 2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0	Oracle Financial Services Applications
Oracle Fusion Middleware MapViewer, version 12.2.1.3.0	Fusion Middleware
Oracle Health Sciences Data Management Workbench, version 2.4.8	Health Sciences
Oracle Healthcare Master Person Index, versions 3.0, 4.0	Health Sciences
Oracle Hospitality Cruise Dining Room Management, version 8.0.80	Oracle Hospitality Cruise Dining Room Management
Oracle Hospitality Cruise Fleet Management, version 9.0.11	Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1	Oracle Hospitality Guest Access
Oracle Hospitality Reporting and Analytics, version 9.1.0	Oracle Hospitality Reporting and Analytics
Oracle HTTP Server, version 12.2.1.3.0	Fusion Middleware
Oracle Identity Analytics, version 11.1.1.5.8	Fusion Middleware
Oracle Java SE, versions 7u211, 8u202, 11.0.2, 12	Java SE
Oracle Java SE Embedded, version 8u201	Java SE
Oracle JDeveloper, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle Knowledge, versions 8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1	Oracle Knowledge
Oracle Managed File Transfer, versions 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle Outside In Technology, versions 8.5.3, 8.5.4	Fusion Middleware
Oracle Real-Time Scheduler, version 2.3.0	Oracle Utilities Applications
Oracle Retail Allocation, version 15.0.2	Retail Applications
Oracle Retail Convenience Store Back Office, version 3.6	Retail Applications
Oracle Retail Customer Engagement, versions 16.0, 17.0	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0	Retail Applications
Oracle Retail Invoice Matching, versions 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0	Retail Applications
Oracle Retail Merchandising System, versions 15.0, 16.0	Retail Applications
Oracle Retail Order Broker, versions 5.1, 5.2, 15.0, 16.0	Retail Applications
Oracle Retail Point-of-Service, versions 13.4, 14.0, 14.1	Retail Applications
Oracle Retail Workforce Management Software, version 1.60.9.0.0	Retail Applications
Oracle Retail Xstore Point of Service, versions 7.0, 7.1	Retail Applications
Oracle Secure Global Desktop, version 5.4	Virtualization
Oracle Service Bus, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle SOA Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle Solaris, versions 10, 11	Systems
Oracle Traffic Director, version 11.1.1.9.0	Fusion Middleware
Oracle Transportation Management, versions 6.3.7, 6.4.2, 6.4.3	Oracle Supply Chain Products
Oracle Tuxedo, version 12.1.1.0.0	Fusion Middleware
Oracle Utilities Framework, versions 2.2.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.2.0, 4.3.0.3.0, 4.3.0.4.0, 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0	Oracle Utilities Applications
Oracle Utilities Mobile Workforce Management, version 2.3.0	Oracle Utilities Applications
Oracle Utilities Network Management System, version 1.12.0.3	Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.2.28, prior to 6.0.6	Virtualization
Oracle WebCenter Portal, version 12.2.1.3.0	Fusion Middleware
Oracle WebCenter Sites, version 12.2.1.3.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
OSS Support Tools, version 19.1	Support Tools
PeopleSoft Enterprise ELM, version 9.2	PeopleSoft
PeopleSoft Enterprise ELM Enterprise Learning Management, version 9.2	PeopleSoft
PeopleSoft Enterprise HCM Talent Acquisition Manager, version 9.2	PeopleSoft
PeopleSoft Enterprise HRMS, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57	PeopleSoft
PeopleSoft Enterprise PT PeopleTools, versions 8.55, 8.56, 8.57	PeopleSoft
Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.1, 15.2, 16.1, 16.2, 17.7 – 17.12, 18.8	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7 – 17.12, 18.8	Oracle Construction and Engineering Suite
Siebel Applications, version 19.3	Siebel

Note:

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Users running Java SE with a browser can download the latest release from http://www.java.com/en/. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible. Until you apply the Critical Patch Update fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Andrej Simko of Accenture: CVE-2019-2603, CVE-2019-2639, CVE-2019-2640, CVE-2019-2641, CVE-2019-2642, CVE-2019-2643, CVE-2019-2651, CVE-2019-2652, CVE-2019-2653, CVE-2019-2654, CVE-2019-2660, CVE-2019-2661, CVE-2019-2662, CVE-2019-2663, CVE-2019-2664, CVE-2019-2665
Andrej Simko of Accenture working with iDefense Labs: CVE-2019-2551, CVE-2019-2600, CVE-2019-2603, CVE-2019-2604, CVE-2019-2622, CVE-2019-2652, CVE-2019-2669, CVE-2019-2670, CVE-2019-2671, CVE-2019-2673, CVE-2019-2674, CVE-2019-2675, CVE-2019-2676, CVE-2019-2677
Andres Georgieff of Sandia National Laboratories: CVE-2019-2586, CVE-2019-2621
Andy Nguyen: CVE-2019-2678, CVE-2019-2679, CVE-2019-2680
anhdaden of StarLabs working with Trend Micro’s Zero Day Initiative: CVE-2019-2722
Athul Jayaram: CVE-2019-2706
Badcode of Knownsec 404 Team: CVE-2019-2615, CVE-2019-2618
Corwin de Boor: CVE-2019-2684
Devin Rosenbauer of Identity Works LLC: CVE-2019-2572
Dhiraj Mishra: CVE-2018-3123
Ehsan Nikavar: CVE-2019-2605
fluoroacetate working with Trend Micro’s Zero Day Initiative: CVE-2019-2723
Frank Lycops: CVE-2019-2704
huyna of Viettel Cyber Security working with Trend Micro Zero Day Initiative: CVE-2019-2574
Jakub Palaczynski: CVE-2019-2591
James Forshaw: CVE-2019-2721
Jason Matthyser of MWR Labs working with Trend Micro Zero Day Initiative: CVE-2019-2574, CVE-2019-2656, CVE-2019-2657
Jonas Mattsson of Outpost24 Ghost Labs: CVE-2019-2578, CVE-2019-2579
Jonathan Jacobi: CVE-2019-2703
Juan Pablo Perez Etchegoyen of Onapsis: CVE-2019-2568
Krzysztof Przybylski of STM Solutions: CVE-2019-2720
Lionel Debroux: CVE-2019-2708
Luca Rupp of Usd AG: CVE-2019-2709
Lucas Pinheiro of Microsoft Corp.: CVE-2019-2696
Lukasz Mikula: CVE-2019-2598
Lukasz Rupala of ING Tech Poland: CVE-2019-2595, CVE-2019-2601
Martin Doyhenard of Onapsis: CVE-2019-2633, CVE-2019-2638
Mateusz Jurczyk of Google Project Zero: CVE-2019-2697, CVE-2019-2698
Matthew McPeak of Tempus Consulting Group: CVE-2019-2567
Matthias Kaiser of Apple Information Security: CVE-2019-2645, CVE-2019-2646, CVE-2019-2647, CVE-2019-2648, CVE-2019-2649, CVE-2019-2650
Mehdi Esmaeilpour: CVE-2019-2605
Michael Nielson: CVE-2019-2692
Minle Chen of PingAn Galaxy Lab: CVE-2019-2615, CVE-2019-2618
Niklas Baumstark working with Trend Micro’s Zero Day Initiative: CVE-2019-2690
Omri Herscovici of Check Point Software: CVE-2019-2608, CVE-2019-2609, CVE-2019-2610, CVE-2019-2611, CVE-2019-2612, CVE-2019-2613, CVE-2019-2705
Omur Ugur of Turk Telekom: CVE-2019-2576
Quentin Rhoads-Herrera of Critical Start: CVE-2019-2564
Robert Xiao: CVE-2019-2684
Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2019-2713
Steven Seeley of Source Incite working with iDefense: CVE-2019-2557
TheFloW working with Trend Micro Zero Day Initiative: CVE-2019-2574
Vahagn Vardanyan: CVE-2019-2575, CVE-2019-2588, CVE-2019-2616
Vladimir Egorov: CVE-2019-2575, CVE-2019-2588, CVE-2019-2616
Wang Cheng of Venustech ADLab: CVE-2019-2615, CVE-2019-2647
Yaniv Balmas of Check Point Software: CVE-2019-2608, CVE-2019-2609, CVE-2019-2610, CVE-2019-2611, CVE-2019-2612, CVE-2019-2613, CVE-2019-2705

Security-In-Depth Contributors

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

Ian McLauchlan of Miton
Jakub Tyrlik
Jean-Benjamin Rousseau of SEC Consult Vulnerability Lab
Guillaume Crouquet of SEC Consult Vulnerability Lab
Richard O’Donnell of IRM Security
Thomas Friedlein of Federal Motor Transport Authority (Germany)

On-Line Presence Security Contributors

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

Ankit Singh
Bharat
Brian Carpenter
Celal Erdik of Ebruu Tech Limited
Chirag Gupta
David Wilkins
Dhamu Harker
F0xman
Grishma Sinha of Lucideus Tech
Ismail Tasdelen
jw c
Kamal Elsayed Hussein
lhf012
Mansouri Badis
Markus Wulftange of Code White
Mohit Tirkey
Pratik Luhana
Rajat Sharma
Sagar Gharbudve
Sameer Phad
Sanjay Singh Jhala
Seth Duda
Shubham Maheshwari
Small Boys
Vismit Sudhir Rakhecha (Druk) (2 reports)
Wai Yan Aung
Yashraj Choudhary
Zhouyuan of Fortinet, Inc.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

16 July 2019
15 October 2019
14 January 2020
14 April 2020

References

Modification History

Date	Note
2019-May-28	Rev 6. Updated Security-In-Depth Contributors section.
2019-May-16	Rev 5. Corrected CVE# in Enterprise Manager Products Suite risk matrix. CVE-2018-0161 was replaced with CVE-2019-2726.
2019-May-3	Rev 4. Updated Security-In-Depth Contributors section.
2019-May-1	Rev 3. Updated CVSS score for CVE-2019-2633 and CVE-2019-2638.
2019-April-19	Rev 2. Updated credit for CVE-2019-2696.
2019-April-16	Rev 1. Initial Release.

Oracle Database Server Risk Matrix

This Critical Patch Update contains 6 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2517	Core RDBMS	DBFS_ROLE	Oracle Net	No	9.1	Network	Low	High	None	Changed	High	High	High	12.2.0.1, 18c
CVE-2019-2516	Portable Clusterware	Grid Infrastructure User	Multiple	No	8.2	Local	Low	High	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2019-2619	Portable Clusterware	Grid Infrastructure User	Multiple	No	8.2	Local	Low	High	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2019-2518	Java VM	Create Session, Create Procedure	Multiple	No	7.5	Network	High	Low	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2571	RDBMS DataPump	DBA role	Oracle Net	No	6.6	Network	High	High	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2019-2582	Core RDBMS	None	Oracle Net	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.2.0.1, 18c

Oracle Berkeley DB Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Berkeley DB. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2708	Data Store	Local Logon	Local Logon	No	3.3	Local	Low	Low	None	Un- changed	None	None	Low	Prior to 6.138, prior to 6.2.38, prior to 18.1.32

Oracle Commerce Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle Commerce. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2713	Oracle Commerce Merchandising	Asset Manager	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	11.2.0.3
CVE-2019-2659	Oracle Commerce Platform	Dynamo Application Framework	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.2.0.3
CVE-2019-2712	Oracle Commerce Platform	Dynamo Application Framework	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.2.0.3, 11.3.1

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 26 new security fixes for Oracle Communications Applications. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2018-7489	Oracle Communications Instant Messaging Server	Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0.1
CVE-2019-3822	Oracle Communications Operations Monitor	Security (curl)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4, 4.0
CVE-2018-11219	Oracle Communications Operations Monitor	Security (Redis)	RESP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4, 4.0
CVE-2017-5645	Oracle Communications Pricing Design Center	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1, 12.0
CVE-2016-1000031	Oracle Communications Service Broker	Admin server FileUpload (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0
CVE-2016-1000031	Oracle Communications Service Broker Engineered System Edition	Admin server FileUpload (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0
CVE-2018-11236	Oracle Communications Session Border Controller	Security (glibc)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-11236	Oracle Enterprise Communications Broker	Security (glibc)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.0.0, 3.1.0
CVE-2018-11236	Oracle Enterprise Session Border Controller	Security (glibc)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-1258	Oracle Communications Unified Inventory Management	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	7.3.2, 7.3.4, 7.3.5, 7.4.0
CVE-2017-5664	Oracle Communications Application Session Controller	Security (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	3.7.1, 3.8.0
CVE-2016-1181	Oracle Communications Policy Management	Security (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.1, 12.2, 12.3, 12.4
CVE-2018-16864	Oracle Communications Session Border Controller	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-16864	Oracle Enterprise Communications Broker	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	3.0.0, 3.1.0
CVE-2018-16864	Oracle Enterprise Session Border Controller	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-1000180	Oracle Communications Application Session Controller	Security (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	3.7.1, 3.8.0
CVE-2018-0732	Oracle Communications Application Session Controller	Security (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.7.1, 3.8.0
CVE-2018-0732	Oracle Communications EAGLE LNP Application Processor	Security (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10.0, 10.1, 10.2
CVE-2017-5664	Oracle Communications Instant Messaging Server	Security (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	10.0.1
CVE-2018-0732	Oracle Communications Operations Monitor	Security (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.4, 4.0
CVE-2017-0861	Oracle Communications EAGLE Application Processor	Security (Kernel)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	16.1.0, 16.2.0
CVE-2015-9251	Oracle Communications Interactive Session Recorder	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.0, 6.1, 6.2
CVE-2015-9251	Oracle Enterprise Operations Monitor	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.4, 4.0
CVE-2018-12404	Oracle Communications Messaging Server	Security (NSS)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.0, 8.1
CVE-2017-5753	Oracle Communications LSMS	Platform (Kernel)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	13.1, 13.2, 13.3
CVE-2017-5754	Oracle Communications LSMS	Platform (Kernel)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	13.1, 13.2, 13.3

Additional CVEs addressed are below:

The fix for CVE-2016-1181 also addresses CVE-2016-1182.
The fix for CVE-2017-0861 also addresses CVE-2017-15265, CVE-2018-1000004, CVE-2018-10901, CVE-2018-3620, CVE-2018-3646, CVE-2018-3693 and CVE-2018-7566.
The fix for CVE-2017-5664 also addresses CVE-2016-8735, CVE-2017-12617 and CVE-2018-11784.
The fix for CVE-2018-0732 also addresses CVE-2016-7055, CVE-2017-3730, CVE-2017-3731, CVE-2017-3732, CVE-2017-3733, CVE-2017-3735, CVE-2017-3736, CVE-2017-3738, CVE-2018-0733, CVE-2018-0734, CVE-2018-0737 and CVE-2018-0739.
The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
The fix for CVE-2018-11219 also addresses CVE-2018-11218.
The fix for CVE-2018-11236 also addresses CVE-2018-11237 and CVE-2018-6485.
The fix for CVE-2018-12404 also addresses CVE-2018-12384.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-16864 also addresses CVE-2018-16865.
The fix for CVE-2018-7489 also addresses CVE-2017-7525.
The fix for CVE-2019-3822 also addresses CVE-2018-16890 and CVE-2019-3823.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 8 new security fixes for the Oracle Construction and Engineering Suite. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	Primavera P6 Enterprise Project Portfolio Management	Web Access (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-19362	Primavera P6 Enterprise Project Portfolio Management	Web Access (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
CVE-2016-1000031	Primavera Unifier	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-19362	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-11763	Instantis EnterpriseTrack	Core (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.1, 17.2, 17.3
CVE-2018-0734	Primavera P6 Enterprise Project Portfolio Management	Project Manager (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-11784	Instantis EnterpriseTrack	Core (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	17.1, 17.2, 17.3
CVE-2019-2701	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	18.8

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
The fix for CVE-2018-11763 also addresses CVE-2017-9798.
The fix for CVE-2018-11784 also addresses CVE-2018-8034.
The fix for CVE-2018-19362 also addresses CVE-2018-19360 and CVE-2018-19361.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 35 new security fixes for the Oracle E-Business Suite. 33 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2019), My Oracle Support Note 2514102.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2638	Oracle General Ledger	Consolidation Hierarchy Viewer	HTTP	No	9.9	Network	Low	Low	None	Changed	High	High	Low	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2633	Oracle Work in Process	Messages	HTTP	No	9.9	Network	Low	Low	None	Changed	High	High	Low	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2663	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2682	Oracle Applications Framework	Attachments / File Upload	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2665	Oracle Common Applications	CRM User Management Framework	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2639	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2671	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2675	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2600	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2651	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2661	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2655	Oracle Interaction Center Intelligence	Business Intelligence (OLTP)	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2019-2652	Oracle iStore	Shopping Cart	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2583	Oracle iSupplier Portal	Attachments	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2660	Oracle Knowledge Management	Setup, Admin	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2604	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2664	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2677	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2551	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2603	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2653	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2654	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2662	Oracle Territory Management	Territory Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2640	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2641	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2642	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2643	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2018-0734	Application Server	Technology Stack Triage (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	0.9.8, 1.0.0, 1.0.1
CVE-2019-2621	Oracle Application Object Library	Diagnostics	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2669	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2676	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2670	Oracle Marketing	Marketing Administration	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2673	Oracle Marketing	Marketing Administration	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2674	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2622	Oracle Service Contracts	Renewals	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 11 new security fixes for the Oracle Enterprise Manager Products Suite. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2498664.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	Enterprise Manager Ops Center	Networking (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.3
CVE-2016-4000	Oracle Configuration Manager	Collector of Config and Diag (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0
CVE-2018-1258	Enterprise Manager Base Platform	Enterprise Manager Install (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
CVE-2018-1258	Enterprise Manager Ops Center	Networking (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.3.3
CVE-2018-11763	Enterprise Manager Ops Center	Networking (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.3.3
CVE-2018-1000180	Oracle Business Transaction Management	Security (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.0
CVE-2018-1656	Enterprise Manager Base Platform	Agent Next Gen (IBM Java)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	13.2.0.0.0, 13.3.0.0.0
CVE-2019-2726	Enterprise Manager Ops Center	Services Integration	HTTP	No	6.3	Network	High	Low	None	Changed	None	None	High	12.3.3
CVE-2019-2557	Oracle Application Testing Suite	Load Testing for Web Apps	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	13.3.0.1
CVE-2018-0734	Enterprise Manager Base Platform	Discovery Framework (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
CVE-2018-0734	Enterprise Manager Ops Center	Networking (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.3.3

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
The fix for CVE-2018-11763 also addresses CVE-2018-17189, CVE-2018-17199 and CVE-2019-0190.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257 and CVE-2018-15756.
The fix for CVE-2018-1656 also addresses CVE-2018-12539.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Financial Services Applications. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Banking Platform	Collections (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0, 2.4.1, 2.5.0, 2.6.0
CVE-2016-1000031	Oracle FLEXCUBE Private Banking	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0
CVE-2018-1258	Oracle FLEXCUBE Private Banking	Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0
CVE-2018-11775	Oracle FLEXCUBE Private Banking	Core (Apache ActiveMQ)	HTTP	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0
CVE-2015-9251	Oracle Financial Services Analytical Applications Infrastructure	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.3.3-7.3.5, 8.0.0-8.0.7
CVE-2015-9251	Oracle Financial Services Asset Liability Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2015-9251	Oracle Financial Services Data Integration Hub	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5-8.0.7
CVE-2015-9251	Oracle Financial Services Funds Transfer Pricing	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2015-9251	Oracle Financial Services Hedge Management and IFRS Valuations	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2015-9251	Oracle Financial Services Liquidity Risk Management	Internal Operations (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.2-8.0.6
CVE-2015-9251	Oracle Financial Services Loan Loss Forecasting and Provisioning	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.2-8.0.7
CVE-2015-9251	Oracle Financial Services Market Risk Measurement and Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5, 8.0.6
CVE-2015-9251	Oracle Financial Services Profitability Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.6
CVE-2015-9251	Oracle Financial Services Reconciliation Framework	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5, 8.0.6

Additional CVEs addressed are below:

The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Food and Beverage Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2015-9251	Oracle Hospitality Reporting and Analytics	Report (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 53 new security fixes for Oracle Fusion Middleware. 42 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2498664.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle API Gateway	Oracle API Gateway (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.4.0
CVE-2018-19362	Oracle Business Process Management Suite	Runtime Engine (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.1.3.0
CVE-2015-3253	Oracle Data Integrator	Install, config, upgrade (Apache Groovy)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0
CVE-2016-1000031	Oracle Endeca Information Discovery Integrator	Other Issues (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.2.0
CVE-2019-3822	Oracle HTTP Server	Web Listener (curl)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2016-1000031	Oracle Identity Analytics	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.5.8
CVE-2017-5645	Oracle JDeveloper	None (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2017-8287	Oracle Outside In Technology	Installation (FreeType)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.3	See Note 1
CVE-2017-8105	Oracle Outside In Technology	Installation (FreeType)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.3	See Note 1
CVE-2016-1000031	Oracle WebCenter Portal	Security Framework (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2018-19362	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2019-2658	Oracle WebLogic Server	WLS Core Components	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0
CVE-2019-2646	Oracle WebLogic Server	EJB Container	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2645	Oracle WebLogic Server	WLS Core Components	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-1258	Oracle WebLogic Server	WLS Core Components (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2019-2578	Oracle WebCenter Sites	Advanced UI	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	12.2.1.3.0
CVE-2019-2595	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2706	Oracle Business Process Management Suite	BPM Foundation Services	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0
CVE-2019-2705	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	8.5.3, 8.5.4	See Note 1
CVE-2018-14718	Oracle JDeveloper	Oracle JDeveloper (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.1.3.0
CVE-2019-2601	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2018-1000180	Oracle API Gateway	Oracle API Gateway (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.2.4.0
CVE-2018-11761	Oracle Business Process Management Suite	Runtime Engine (Apache Tika)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.3.0.0, 12.2.1.3.0
CVE-2018-1000180	Oracle Managed File Transfer	MFT Runtime Server (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.3.0
CVE-2018-1000180	Oracle SOA Suite	B2B Engine (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.3.0
CVE-2019-2647	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2648	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2649	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2650	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-8013	Oracle Data Integrator	Install, config, upgrade (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	12.2.1.3.0
CVE-2019-2608	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2616	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2018-1305	FMW Platform	Provisioning (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.2.1.3.0
CVE-2018-1305	Oracle Managed File Transfer	MFT Runtime Server (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.3.0
CVE-2019-2609	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2610	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2611	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2612	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2613	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2015-9251	Oracle Fusion Middleware MapViewer	Install (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2015-9251	Oracle JDeveloper	ADF Faces (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-0734	Oracle API Gateway	Oracle API Gateway (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	11.1.2.4.0
CVE-2018-0734	Oracle Tuxedo	SSL/TLS (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.1.0.0
CVE-2019-2618	Oracle WebLogic Server	WLS Core Components	HTTP	No	5.5	Network	Low	High	None	Un- changed	High	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2576	Oracle Service Bus	Web Container	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2572	Oracle SOA Suite	Fabric Layer	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.1.1.9.0
CVE-2018-0495	Oracle Traffic Director	Security (NSS)	None	No	5.1	Local	High	None	None	Un- changed	High	None	None	11.1.1.9.0
CVE-2019-2568	Oracle WebLogic Server	WLS Core Components	HTTP	No	5.0	Network	Low	Low	None	Changed	None	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2588	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	No	4.9	Network	Low	High	None	Un- changed	High	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2615	Oracle WebLogic Server	WLS Core Components	HTTP	No	4.9	Network	Low	High	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2579	Oracle WebCenter Sites	Advanced UI	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.2.1.3.0
CVE-2019-2605	Oracle Business Intelligence Enterprise Edition	Web Catalog	HTTP	Yes	3.4	Network	High	None	Required	Changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2720	Oracle Data Integrator	ODI Tools	HTTP	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

The fix for CVE-2017-8287 also addresses CVE-2017-8105.
The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
The fix for CVE-2018-1305 also addresses CVE-2018-1304.
The fix for CVE-2018-14718 also addresses CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.
The fix for CVE-2018-19362 also addresses CVE-2018-19360 and CVE-2018-19361.
The fix for CVE-2019-3822 also addresses CVE-2018-16890 and CVE-2019-3823.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Health Sciences Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Healthcare Master Person Index	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.0, 4.0
CVE-2019-2629	Oracle Health Sciences Data Management Workbench	User Interface	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	2.4.8

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Hospitality Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1000031	Oracle Hospitality Guest Access	Base (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.2.0, 4.2.1
CVE-2019-2702	Oracle Hospitality Cruise Dining Room Management	Web Service	HTTP	Yes	9.3	Network	Low	None	None	Changed	High	Low	None	8.0.80
CVE-2016-7103	Oracle Hospitality Cruise Fleet Management	FMS Suite (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.0.11
CVE-2018-11763	Oracle Hospitality Guest Access	Base (Apache HTTP Server)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	4.2.0, 4.2.1
CVE-2018-11784	Oracle Hospitality Guest Access	Base (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	4.2.0, 4.2.1

Additional CVEs addressed are below:

The fix for CVE-2016-7103 also addresses CVE-2015-9251.
The fix for CVE-2018-11784 also addresses CVE-2018-8034.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application (in Java SE 8) has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of “High”, lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2699	Java SE	Windows DLL	Multiple	Yes	9.0	Network	High	None	None	Changed	High	High	High	Java SE: 8u202	See Note 1
CVE-2019-2697	Java SE	2D	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Java SE: 7u211, 8u202	See Note 2
CVE-2019-2698	Java SE	2D	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Java SE: 7u211, 8u202	See Note 2
CVE-2019-2602	Java SE, Java SE Embedded	Libraries	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Java SE: 7u211, 8u202, 11.0.2, 12; Java SE Embedded: 8u201	See Note 3
CVE-2019-2684	Java SE, Java SE Embedded	RMI	Multiple	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	Java SE: 7u211, 8u202, 11.0.2, 12; Java SE Embedded: 8u201	See Note 1

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 8 new security fixes for Oracle JD Edwards Products. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2017-5645	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-12023	JD Edwards EnterpriseOne Tools	EnterpriseOne Mobility Sec (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2018-12023	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2018-12023	JD Edwards EnterpriseOne Tools	Web Runtime (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2018-0732	JD Edwards EnterpriseOne Tools	Enterprise Infrastructure SEC (OpenSSL)	JDENET	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.2
CVE-2019-2565	JD Edwards World Technical Foundation	Service Enablement	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	A9.2, A9.3.1, A9.4
CVE-2015-9251	JD Edwards EnterpriseOne Tools	Web Runtime (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2564	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	9.2

Additional CVEs addressed are below:

The fix for CVE-2018-0732 also addresses CVE-2018-0737.
The fix for CVE-2018-12023 also addresses CVE-2018-11307 and CVE-2018-12022.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 45 new security fixes for Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2632	MySQL Server	Server : Pluggable Auth	MySQL Protocol	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2693	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2694	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2695	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2692	MySQL Connectors	Connector/J	JDBC	No	6.3	Local	High	High	Required	Un- changed	High	High	High	8.0.15 and prior
CVE-2019-1559	MySQL Connectors	Connector/ODBC (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.3.12 and prior, 8.0.15 and prior
CVE-2019-1559	MySQL Server	Server: Compiling (OpenSSL)	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2018-3123	MySQL Server	Server: libmysqld	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2623	MySQL Server	Server: Options	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2018-0734	MySQL Enterprise Backup	Enterprise Backup (OpenSSL)	TLS	No	5.1	Local	High	None	None	Un- changed	High	None	None	3.12.3 and prior, 4.1.2 and prior
CVE-2019-2634	MySQL Server	Server: Replication	MySQL Protocol	No	5.1	Local	High	None	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2580	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2585	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2593	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2624	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2628	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2566	MySQL Server	Server: Audit Plug-in	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2626	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2644	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2631	MySQL Server	Server: Information Schema	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2581	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2596	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2607	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2625	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2681	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2685	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2686	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2687	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2688	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2689	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2683	MySQL Server	Server: Options	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2019-2592	MySQL Server	Server: PS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2587	MySQL Server	Server: Partition	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2635	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2584	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2589	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2606	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2620	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2627	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2019-2691	MySQL Server	Server: Security: Roles	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2636	MySQL Server	Server: Group Replication Plugin	MySQL Procotol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2614	MySQL Server	Server: Replication	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2019-2617	MySQL Server	Server: Replication	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2630	MySQL Server	Server: Replication	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-1559	MySQL Enterprise Monitor	Monitoring: General (OpenSSL)	None	No	0.0	Local	Low	None	None	Un- changed	None	None	None	4.0.8 and prior, 8.0.14 and prior	See Note 1

Notes:

MySQL Enterprise Monitor is not vulnerable to this CVE because it does not use the SSL/TLS functionality included in OpenSSL. The CVSS v3.0 Base Score for this CVE in the National Vulnerability Database (NVD) is 5.9.

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-5407.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 12 new security fixes for Oracle PeopleSoft Products. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2019-2598	PeopleSoft Enterprise PeopleTools	SQR	HTTP	No	8.7	Network	Low	High	None	Changed	High	High	None	8.55, 8.56, 8.57
CVE-2019-2590	PeopleSoft Enterprise HCM Talent Acquisition Manager	Job Opening	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	9.2
CVE-2018-1000180	PeopleSoft Enterprise PeopleTools	Security (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.55, 8.56, 8.57
CVE-2019-2594	PeopleSoft Enterprise PT PeopleTools	Application Server	HTTP	No	6.8	Network	High	Low	None	Un- changed	High	High	None	8.55, 8.56, 8.57
CVE-2019-2707	PeopleSoft Enterprise ELM Enterprise Learning Management	Application Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2591	PeopleSoft Enterprise HRMS	Candidate Gateway	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2637	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2018-0734	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.55, 8.56, 8.57
CVE-2019-2597	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2700	PeopleSoft Enterprise ELM	Enterprise Learning Mgmt	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	9.2
CVE-2019-2573	PeopleSoft Enterprise PeopleTools	Fluid Homepage & Navigation	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	8.56, 8.57
CVE-2019-2586	PeopleSoft Enterprise PT PeopleTools	RemoteCall	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.55, 8.56, 8.57

Additional CVEs addressed are below:

The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 24 new security fixes for Oracle Retail Applications. 20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2014-9515	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations (Dozer)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.0, 17.0
CVE-2019-3772	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.0, 17.0, 18.0
CVE-2016-1000031	Oracle Retail Order Broker	System Administration (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.1, 5.2, 15.0, 16.0
CVE-2017-5533	Oracle Retail Order Broker	System Administration (Jasper)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0
CVE-2018-19362	Oracle Retail Workforce Management Software	Framework (jQuery)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.60.9.0.0
CVE-2016-1000031	Oracle Retail Xstore Point of Service	Xenvironment (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.0, 7.1
CVE-2018-3314	MICROS Relate CRM Software	Customer	HTTP	No	8.2	Network	High	Low	None	Changed	High	High	None	11.4
CVE-2018-12023	Oracle Retail Merchandising System	Documentation (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	15.0
CVE-2018-14718	Oracle Retail Merchandising System	Documentation (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2018-3120	MICROS Lucas	Security	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	2.9.5.6, 2.9.5.7
CVE-2018-2880	MICROS Retail-J	Back Office	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.2
CVE-2018-15756	Oracle Retail Invoice Matching	Security (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.0, 13.0, 13.1, 13.2, 14.0, 14.1
CVE-2018-15756	Oracle Retail Order Broker	System Administration (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	5.1, 5.2, 15.0, 16.0
CVE-2018-11763	Oracle Retail Xstore Point of Service	Point of Sale (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.0, 7.1
CVE-2018-11763	Oracle Retail Xstore Point of Service	Xstore Office (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.0, 7.1
CVE-2018-1000180	Oracle Retail Xstore Point of Service	Xenvironment (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	7.0, 7.1
CVE-2019-2424	Oracle Retail Convenience Store Back Office	Level 3 Maintenance Functions	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	3.6
CVE-2019-2558	Oracle Retail Point-of-Service	Infrastructure	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	13.4, 14.0, 14.1
CVE-2018-1305	MICROS Relate CRM Software	Internal Operations (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	11.4
CVE-2015-9251	Oracle Retail Allocation	General (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0.2
CVE-2015-9251	Oracle Retail Invoice Matching	Security (jQuery)	HTTP	Yes

Oracle Critical Patch Update Advisory – July 2020

Description

Affected Products and Patch Information

Note:

Risk Matrix Content

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

Security-In-Depth Contributors

On-Line Presence Security Contributors

Critical Patch Update Schedule

References

Modification History

Oracle Database Products Risk Matrices

Oracle Database Server Risk Matrix

Oracle Berkeley DB Risk Matrix

Oracle Global Lifecycle Management Risk Matrix

Oracle GoldenGate Risk Matrix

Oracle TimesTen In-Memory Database Risk Matrix

Oracle Commerce Risk Matrix

Oracle Communications Applications Risk Matrix

Oracle Construction and Engineering Risk Matrix

Oracle E-Business Suite Risk Matrix

Oracle Enterprise Manager Risk Matrix

Oracle Financial Services Applications Risk Matrix

Oracle Food and Beverage Applications Risk Matrix

Oracle Fusion Middleware Risk Matrix

Oracle GraalVM Risk Matrix

Oracle Health Sciences Applications Risk Matrix

Oracle Hospitality Applications Risk Matrix

Oracle Hyperion Risk Matrix

Oracle iLearning Risk Matrix

Oracle Insurance Applications Risk Matrix

Oracle Java SE Risk Matrix

Oracle JD Edwards Risk Matrix

Oracle MySQL Risk Matrix

Oracle PeopleSoft Risk Matrix

Oracle Retail Applications Risk Matrix

Oracle Siebel CRM Risk Matrix

Oracle Supply Chain Risk Matrix

Oracle Systems Risk Matrix

Oracle Utilities Applications Risk Matrix

Oracle Virtualization Risk Matrix

Related:

Oracle Critical Patch Update Advisory – April 2020

Description

Affected Products and Patch Information

Note:

Risk Matrix Content

Workarounds

Skipped Critical Patch Updates

Critical Patch Update Supported Products and Versions

Credit Statement

Security-In-Depth Contributors

On-Line Presence Security Contributors

Critical Patch Update Schedule

References

Modification History

Oracle Database Products Risk Matrices

Oracle Database Server Risk Matrix

Oracle Global Lifecycle Management Risk Matrix

Oracle Secure Backup Risk Matrix

Oracle Communications Applications Risk Matrix

Oracle Construction and Engineering Risk Matrix

Oracle E-Business Suite Risk Matrix

Oracle Enterprise Manager Risk Matrix

Oracle Financial Services Applications Risk Matrix

Oracle Food and Beverage Applications Risk Matrix

Oracle Fusion Middleware Risk Matrix

Oracle GraalVM Risk Matrix

Oracle Health Sciences Applications Risk Matrix

Oracle Hyperion Risk Matrix

Oracle Java SE Risk Matrix

Oracle JD Edwards Risk Matrix

Oracle Knowledge Risk Matrix

Oracle MySQL Risk Matrix

Oracle PeopleSoft Risk Matrix

Oracle Retail Applications Risk Matrix

Oracle Siebel CRM Risk Matrix