Category: Oracle

Oracle Security Alert Advisory – CVE-2018-3110

Description

This Security Alert addresses an Oracle Database vulnerability in versions 11.2.0.4 and 12.2.0.1 on Windows. CVE-2018-3110 has a CVSS v3 base score of 9.9, and can result in complete compromise of the Oracle Database and shell access to the underlying server. CVE-2018-3110 also affects Oracle Database version 12.1.0.2 on Windows as well as Oracle Database on Linux and Unix, however patches for those versions and platforms were included in the July 2018 CPU.

If you are running Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows, please apply the patches indicated below. If you are running version 12.1.0.2 on Windows or any version of the database on Linux or Unix and have not yet applied the July 2018 CPU, please do so.

Due to the nature of this vulnerability, Oracle strongly recommends that customers take action without delay.

Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18	Database

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

References

• Oracle Critical Patch Updates, Security Alerts and Bulletins
• Oracle Critical Patch Updates and Security Alerts – Frequently Asked Questions
• Risk Matrix Definitions
• Use of Common Vulnerability Scoring System (CVSS) by Oracle
• English text version of the risk matrices
• CVRF XML version of the risk matrices
• Map of CVE to Advisory
• Software Error Correction Support Policy

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle: None credited in this Security Alert.

Modification History

Date	Note
2018-August-10	Rev 1. Initial Release.

Oracle Database Server Risk Matrix This Security Alert contains 1 new security fix for the Oracle Database Server. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. This fix is not applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here. CVE# Component Package and/or Privilege Required Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2018-3110 Java VM Create Session Oracle Net No 9.9 Network Low Low None Changed High High High 11.2.0.4, 12.1.0.2, 12.2.0.1, 18

Related:

• No Related Posts

Oracle Database Server Risk Matrix

This Critical Patch Update contains 4 new security fixes for the Oracle Database Server divided as follows:

• 3 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
• 1 new security fix for Oracle Global Lifecycle Management. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-15095	Oracle Spatial (jackson-databind)	None	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.0.1, 18.1
CVE-2018-2939	Core RDBMS	Local Logon	Local Logon	No	8.4	Local	Low	Low	None	Changed	None	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1, 18.2
CVE-2018-3004	Java VM	Create Session, Create Procedure	Multiple	No	5.3	Network	High	Low	None	Un- changed	High	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18.2

Oracle Global Lifecycle Management Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Global Lifecycle Management. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-7489	Oracle Global Lifecycle Management OPatchAuto	DB specific extensions (jackson-databind)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	All

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Communications Applications. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-2099	Oracle Communications User Data Repository	Security (Apache Xerces)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.x, 12.x
CVE-2016-0714	Oracle Communications Policy Management	Security (Apache Tomcat)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.x
CVE-2016-2176	Oracle Communications Policy Management	Security (OpenSSL)	TLS	Yes	8.2	Network	Low	None	None	Un- changed	Low	None	High	12.x
CVE-2017-7525	Oracle Communications Policy Management	Security (Apache Struts 2)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.x
CVE-2016-5195	Oracle Communications Policy Management	Platform (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	12.x
CVE-2017-6074	Oracle Communications Session Border Controller	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	ECz7.x, ECz8.x
CVE-2017-0379	Oracle Communications Interactive Session Recorder	Security (libgcrypt)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.x, 6.x
CVE-2015-7940	Oracle Communications Policy Management	CMP (Bouncy Castle)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.x
CVE-2017-5662	Oracle Communications Diameter Signaling Router (DSR)	Security (Apache Batik)	HTTP	No	7.3	Network	Low	Low	Required	Un- changed	High	None	High	7.x, 8.x
CVE-2018-2904	Oracle Communications EAGLE LNP Application Processor	GUI	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	10.x
CVE-2018-0739	Oracle Communications Network Charging and Control	Security (OpenSSL)	TLS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0
CVE-2017-3633	Oracle Communications Policy Management	Security (MySQL)	Multiple	Yes	6.5	Network	High	None	None	Un- changed	None	Low	High	12.x
CVE-2018-2936	Oracle Communications Messaging Server	Web Client	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.x
CVE-2015-5600	Oracle Communications Policy Management	Security (OpenSSH)	SSH	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.x

Additional CVEs addressed are below:

• The fix for CVE-2015-5600 also addresses CVE-2014-2532.
• The fix for CVE-2016-0714 also addresses CVE-2014-0230, CVE-2014-7810, CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706 and CVE-2016-3092.
• The fix for CVE-2016-2099 also addresses CVE-2016-4463.
• The fix for CVE-2016-2176 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 and CVE-2016-2109.
• The fix for CVE-2017-3633 also addresses CVE-2017-3634, CVE-2017-3635, CVE-2017-3636, CVE-2017-3641, CVE-2017-3647, CVE-2017-3648, CVE-2017-3649, CVE-2017-3651, CVE-2017-3652, CVE-2017-3653 and CVE-2017-3732.
• The fix for CVE-2017-7525 also addresses CVE-2017-15707 and CVE-2018-1327.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 11 new security fixes for the Oracle Construction and Engineering Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2966	Primavera Unifier	Core	HTTP	Yes	7.4	Network	Low	None	Required	Changed	None	High	None	16.x, 17.x, 18.x
CVE-2018-2968	Primavera Unifier	Core	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	High	None	16.x, 17.x, 18.x
CVE-2016-4055	Primavera Unifier	Core (Moment)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	16.x, 17.x, 18.x
CVE-2018-2960	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4, 15.x, 16.x, 17.x
CVE-2018-2961	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4, 15.x, 16.x, 17.x
CVE-2018-2965	Primavera Unifier	Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.x
CVE-2016-7103	Primavera Unifier	Core (jQueryUI)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.x, 17.x, 18.x
CVE-2018-2967	Primavera Unifier	Core	None	No	5.3	Physical	Low	None	None	Changed	High	None	None	16.x, 17.x, 18.x
CVE-2018-2962	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	4.4	Network	High	Low	Required	Changed	Low	Low	None	8.4, 15.x, 16.x, 17.x
CVE-2018-2963	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.4, 15.x, 16.x
CVE-2018-2969	Primavera Unifier	Core	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	16.x

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 14 new security fixes for the Oracle E-Business Suite. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2018), My Oracle Support Note 2379675.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2993	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3017	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2995	Oracle iStore	Shopping Cart	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3018	Oracle iStore	Shopping Cart	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3008	Oracle Marketing	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2018-2953	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2997	Oracle Scripting	Script Author	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2018-2991	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-3012	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2996	Oracle Applications Manager	Oracle Diagnostics Interfaces	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2954	Oracle Order Management	Product Diagnostic Tools	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2988	Oracle Marketing	Products	HTTP	Yes	6.9	Network	High	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2934	Oracle Application Object Library	Attachments / File Upload	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.1.3
CVE-2018-2994	Oracle iStore	Shopping Cart	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 16 new security fixes for the Oracle Enterprise Manager Products Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2394520.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Enterprise Manager Base Platform	Installer (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager Base Platform	Security Framework (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager for Fusion Middleware	Application Replay (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager for Fusion Middleware	FMW Plugin for CC (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.x
CVE-2017-5645	Enterprise Manager for MySQL Database	EM Plugin: General (Apache Log4j)	Log4j	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2.2.0.0 and prior
CVE-2017-5645	Enterprise Manager for Oracle Database	Provisioning (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.8, 13.2.2
CVE-2017-5645	Enterprise Manager for Peoplesoft	PSEM Plugin (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.1.1.1, 13.2.1.1
CVE-2018-7489	Enterprise Manager for Virtualization	Plug-In Lifecycle (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2.2, 13.2.3
CVE-2018-1275	Enterprise Manager Ops Center	Networking (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.2, 12.3.3
CVE-2018-1275	Oracle Application Testing Suite	Load Testing for Web Apps (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.1
CVE-2018-2976	Enterprise Manager Ops Center	Networking	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	High	Low	None	12.2.2
CVE-2016-1181	Enterprise Manager for Fusion Middleware	FMW Plugin for CC (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.1.0.5
CVE-2017-9798	Enterprise Manager Base Platform	Installer (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	13.2.x
CVE-2016-9878	Enterprise Manager Ops Center	Framework (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.2, 12.3.3
CVE-2017-9798	Enterprise Manager Ops Center	Networking (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.2, 12.3.3
CVE-2018-0739	Enterprise Manager Ops Center	Networking (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	12.2.2, 12.3.3

Additional CVEs addressed are below:

• The fix for CVE-2016-1181 also addresses CVE-2014-0114 and CVE-2016-1182.
• The fix for CVE-2016-9878 also addresses CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.
• The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
• The fix for CVE-2018-1275 also addresses CVE-2016-9878, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
• The fix for CVE-2018-7489 also addresses CVE-2017-7525.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 56 new security fixes for Oracle Financial Services Applications. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The “Oracle Financial Services Analytical Applications Infrastructure” is a component that is used by a number of Oracle Financial Services Applications. Customers should refer to the MOS Note (Doc ID 2380553.1) to determine the dependent products and refer Oracle Financial Services Analytical Applications Infrastructure MOS document to determine how to patch this component.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Oracle Banking Platform	Collections (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.6.0, 2.6.1, 2.6.2
CVE-2017-5645	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.3.x, 8.0.x	See Note 1
CVE-2018-1275	Oracle Financial Services Analytical Applications Infrastructure	Inline Processing Engine (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.x	See Note 1
CVE-2018-1275	Oracle Financial Services Behavior Detection Platform	Admin Tool (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.x
CVE-2017-5645	Oracle Financial Services Behavior Detection Platform	Ingestion (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.x
CVE-2017-5645	Oracle Financial Services Funds Transfer Pricing	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1.1, 8.0.x
CVE-2017-5645	Oracle Financial Services Hedge Management and IFRS Valuations	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.4, 8.0.5
CVE-2017-5645	Oracle Financial Services Loan Loss Forecasting and Provisioning	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.4, 8.0.5
CVE-2017-5645	Oracle Financial Services Profitability Management	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1.1, 8.0.x
CVE-2018-3050	Oracle Banking Corporate Lending	Core module	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3027	Oracle Banking Payments	Payments Core	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3051	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3035	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3015	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-8013	Oracle Financial Services Analytical Applications Infrastructure	Link Analysis and Metadata browser (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	7.3.3.x, 8.0.x	See Note 1
CVE-2018-3040	Oracle Banking Corporate Lending	Core module	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3022	Oracle Banking Payments	Payments Core	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2014-3577	Oracle Financial Services Revenue Management and Billing	External Message (HTTP Client)	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	2.3.0.2.0, 2.4.0.0.0, 2.4.0.1.0, 2.5.0.1.0, 2.5.0.2.0, 2.5.0.3.0
CVE-2018-3041	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.3.0, 14.0.0, 14.1.0
CVE-2018-3030	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2979	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3036	Oracle Banking Corporate Lending	Core module	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3020	Oracle Banking Payments	Payments Core	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3037	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.3.0, 14.0.0, 14.1.0
CVE-2018-3028	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2974	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-2895	Oracle Banking Corporate Lending	Core module	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-2896	Oracle Banking Payments	Payments Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-2897	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-2898	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2899	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3042	Oracle Banking Corporate Lending	Core module	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3044	Oracle Banking Corporate Lending	Core module	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3048	Oracle Banking Corporate Lending	Core module	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3023	Oracle Banking Payments	Payments Core	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3024	Oracle Banking Payments	Payments Core	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3026	Oracle Banking Payments	Payments Core	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3043	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.3.0, 14.0.0, 14.1.0
CVE-2018-3045	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3049	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3031	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3032	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3034	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2980	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	None	Low	Low	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-2981	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3019	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-3038	Oracle Banking Corporate Lending	Core module	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3046	Oracle Banking Corporate Lending	Core module	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
CVE-2018-3021	Oracle Banking Payments	Payments Core	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3025	Oracle Banking Payments	Payments Core	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
CVE-2018-3039	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3047	Oracle FLEXCUBE Enterprise Limits and Collateral Management	Infrastructure	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.3.0, 14.0.0, 14.1.0
CVE-2018-3029	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-3033	Oracle FLEXCUBE Investor Servicing	Infrastructure	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2975	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2018-2982	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0

Notes:

1. Please refer MOS document (Doc ID 2380553.1) for applicability across other Oracle Financial Services products.

Additional CVEs addressed are below:

• The fix for CVE-2014-3577 also addresses CVE-2015-5262.
• The fix for CVE-2018-1275 also addresses CVE-2018-1258, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 44 new security fixes for Oracle Fusion Middleware. 38 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the July 2018 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2394520.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Oracle Enterprise Data Quality	General (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2018-1275	Oracle Enterprise Repository	Security Subsystem (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.7.0, 12.1.3.0.0
CVE-2017-5645	Oracle Fusion Middleware MapViewer	Install (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.2, 12.2.1.3
CVE-2018-2943	Oracle Fusion Middleware MapViewer	Map Builder	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.2.0, 12.2.1.3.0
CVE-2018-7489	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2018-7489	Oracle WebLogic Server	Console (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.2, 12.2.1.3
CVE-2018-1275	Oracle WebLogic Server	Sample apps (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-2894	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-2893	Oracle WebLogic Server	WLS Core Components	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-3100	Oracle Business Process Management Suite	Process Analysis & Discovery	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-3007	Oracle Tuxedo	Core	Jolt	Yes	8.6	Network	Low	None	None	Changed	High	None	None	12.1.1, 12.1.3, 12.2.2
CVE-2018-2935	Oracle WebLogic Server	JSF	HTTP	Yes	8.3	Network	Low	None	Required	Un- changed	High	High	Low	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-2958	BI Publisher	BI Publisher Security	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	Low	High	None	11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-2900	BI Publisher	Layout Tools	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	Low	High	None	11.1.1.7.0
CVE-2017-12617	FMW Platform	Common Components (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.2.1.2.0, 12.2.1.3.0
CVE-2015-7940	Oracle JDeveloper	None (Bouncy Castle Java package)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-8013	Oracle Fusion Middleware MapViewer	Install (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	12.2.1.2, 12.2.1.3
CVE-2018-3102	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-2992	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3009	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3010	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3092	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3103	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3093	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3094	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3095	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3096	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3097	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3104	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3098	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-3099	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	None	Low	8.5.3	See Note 1
CVE-2018-2925	BI Publisher	Web Server	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-0739	Oracle API Gateway	Oracle API Gateway (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	11.1.2.4.0
CVE-2018-3109	Oracle Fusion Middleware MapViewer	Map Builder	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.2.1.2, 12.2.1.3
CVE-2018-0739	Oracle Tuxedo	SSL/TLS (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	12.1.1
CVE-2016-9843	Oracle Outside In Technology	Outside In Search Export SDK (zlib)	HTTP	Yes	6.3	Network	Low	None	Required	Un- changed	Low	Low	Low	8.5.3	See Note 1
CVE-2018-2987	Oracle WebLogic Server	Console	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2015-0204	Oracle Internet Directory	SSL/TLS	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	11.1.1.9.0	See Note 2
CVE-2018-2998	Oracle WebLogic Server	SAML	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2011-4461	Oracle Endeca Information Discovery Studio	Studio (Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	3.1, 3.2
CVE-2018-3108	Oracle Fusion Middleware	Oracle Notification Service	HTTPS	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.2.1.2, 12.2.1.3
CVE-2018-3101	Oracle WebCenter Portal	Portlet Services	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-2933	Oracle WebLogic Server	WLS Core Components	HTTP	No	4.9	Network	High	Low	None	Changed	Low	Low	None	10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3	See Note 3
CVE-2018-3105	Oracle SOA Suite	Health Care FastPath	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0

Notes:

1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
2. Please refer to MOS document (Doc ID 2420947.1) for instructions on how to address this issue.
3. Please refer to MOS document (Doc ID 2421480.1) for instructions on how to address this issue.

Additional CVEs addressed are below:

• The fix for CVE-2016-9843 also addresses CVE-2014-8157, CVE-2014-9029, CVE-2014-9746, CVE-2015-3414, CVE-2015-3415, CVE-2015-3416, CVE-2016-0718, CVE-2016-5300, CVE-2016-9841 and CVE-2017-10989.
• The fix for CVE-2018-0739 also addresses CVE-2017-3735, CVE-2017-3736, CVE-2017-3738 and CVE-2018-0733.
• The fix for CVE-2018-1275 also addresses CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
• The fix for CVE-2018-7489 also addresses CVE-2017-7525.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 24 new security fixes for Oracle Hospitality Applications. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2984	Oracle Hospitality Cruise Fleet Management System	Gangway Activity Web App	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.x
CVE-2016-1181	Oracle Hospitality Gift and Loyalty	Report (Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.0.0
CVE-2016-1181	Oracle Hospitality Gift and Loyalty	iCard.net (Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.0.0
CVE-2018-2956	Oracle Hospitality OPERA 5 Property Services	Integration	None	No	8.1	Local	High	None	None	Changed	High	High	High	5.5.x
CVE-2016-1181	Oracle Hospitality Reporting and Analytics	Configuration (Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.0.0
CVE-2016-1181	Oracle Hospitality Reporting and Analytics	Report (Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.0.0
CVE-2016-1181	Oracle Hospitality Reporting and Analytics	Report (Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.0.0
CVE-2018-2957	Oracle Hospitality OPERA 5 Property Services	Logging	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.5.x
CVE-2018-3002	Oracle Hospitality Cruise Fleet Management System	Fleet Management System Suite	None	No	7.1	Local	Low	None	None	Changed	High	None	None	9.x
CVE-2018-3000	Oracle Hospitality Cruise Shipboard Property Management System	SPMS Suite	None	No	7.1	Local	Low	None	None	Changed	High	None	None	8.x
CVE-2018-2978	Oracle Hospitality Simphony	Import/Export	HTTP	No	7.1	Network	High	Low	None	Un- changed	High	High	Low	2.8, 2.9, 2.10
CVE-2018-3013	Oracle Hospitality OPERA 5 Property Services	Report Server Config	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	5.5.x
CVE-2018-3014	Oracle Hospitality OPERA 5 Property Services	Reports	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	5.5.x
CVE-2017-0785	MICROS Handheld Terminal	MC40 Zebra Handheld unit (WiFi)	None	No	6.2	Local	Low	None	None	Un- changed	High	None	None	Android 4.4.4 Security Patch Bulletin prior to February 1, 2018
CVE-2018-3003	Oracle Hospitality Cruise Fleet Management System	Fleet Management System Suite	None	No	6.2	Local	Low	None	None	Un- changed	High	None	None	9.x
CVE-2018-3001	Oracle Hospitality Cruise Shipboard Property Management System	SPMS Suite	None	No	6.2	Local	Low	None	None	Un- changed	High	None	None	8.x
CVE-2017-5715	MICROS 700 Series Tablet	MICROS Tablet 720 (BIOS)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 0.01.25ORC
CVE-2017-5715	MICROS 700 Series Tablet	MICROS Tablet 721 (BIOS)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 0.00.13ORC
CVE-2017-5715	MICROS Kitchen Display Controller	Kitchen Display System 210 (BIOS)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 0.00.16ORC
CVE-2017-5715	MICROS Workstation 6	Workstation 610 (BIOS 32 Bit)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 1.5.2.0
CVE-2017-5715	MICROS Workstation 6	Workstation 610 (BIOS 64 Bit)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 2.3.1.0
CVE-2017-5715	MICROS Workstation 6	Workstation 620 (BIOS)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 1.3.1.0
CVE-2017-5715	MICROS Workstation 6	Workstation 650 (BIOS)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to BIOS 1.3.1.0
CVE-2018-2955	Oracle Hospitality OPERA 5 Property Services	Integration	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.5.x

Additional CVEs addressed are below:

• The fix for CVE-2016-1181 also addresses CVE-2014-0114, CVE-2015-6420 and CVE-2016-1182.
• The fix for CVE-2017-0785 also addresses CVE-2017-13088 and CVE-2017-13218.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Hyperion. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2907	Hyperion Financial Reporting	Security Models	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	11.1.2
CVE-2018-2915	Hyperion Data Relationship Management	Access and security	HTTPS	Yes	5.8	Network	Low	None	None	Changed	Low	None	None	11.1.2.4.330

Oracle iLearning Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2989	Oracle iLearning	Learner Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	6.2

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Insurance Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Oracle Insurance Policy Administration	Policy Administration (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0, 10.1, 10.2, 11.0
CVE-2018-1275	Oracle Insurance Policy Administration	Policy Administration (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0, 10.1, 10.2, 11.0

Oracle Java SE Risk Matrix

This Critical Patch Update contains 8 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2938	Java SE	Java DB	Multiple	Yes	9.0	Network	High	None	None	Changed	High	High	High	Java SE: 6u191, 7u181, 8u172	See Note 1
CVE-2018-2964	Java SE	Deployment	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 8u172, 10.0.1	See Note 2
CVE-2018-2941	Java SE	JavaFX	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u181, 8u172, 10.0.1	See Note 2
CVE-2018-2942	Java SE	Windows DLL	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u181, 8u172	See Note 3
CVE-2018-2972	Java SE	Security	Multiple	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Java SE: 10.0.1	See Note 3
CVE-2018-2973	Java SE, Java SE Embedded	JSSE	SSL/TLS	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	Java SE: 6u191, 7u181, 8u172, 10.0.1; Java SE Embedded: 8u171	See Note 2
CVE-2018-2940	Java SE, Java SE Embedded	Libraries	Multiple	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	Java SE: 6u191, 7u181, 8u172, 10.0.1; Java SE Embedded: 8u171	See Note 2
CVE-2018-2952	Java SE, Java SE Embedded, JRockit	Concurrency	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 6u191, 7u181, 8u172, 10.0.1; Java SE Embedded: 8u171; JRockit: R28.3.18	See Note 3

Notes:

1. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVE-2018-2938 addresses CVE-2018-1313.
2. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
3. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 10 new security fixes for Oracle JD Edwards Products. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2944	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	9.2
CVE-2018-2947	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	9.2
CVE-2018-2945	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2946	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2948	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2949	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2950	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2999	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-3006	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2017-3736	JD Edwards World Security	GUI / World Vision (OpenSSL)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	A9.3, A9.3.1, A9.4

Additional CVEs addressed are below:

• The fix for CVE-2017-3736 also addresses CVE-2017-3735.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 31 new security fixes for Oracle MySQL. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	MySQL Enterprise Monitor	Service Manager (Apache Log4j)	Log4j	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4.7.4297 and prior, 4.0.4.5235 and prior, 8.0.0.8131 and prior
CVE-2017-0379	MySQL Workbench	Workbench: Security: Encryption (libgcrypt)	MySQL Protocol	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.0.11 and prior
CVE-2018-3064	MySQL Server	InnoDB	MySQL Protocol	No	7.1	Network	Low	Low	None	Un- changed	None	Low	High	5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior
CVE-2018-0739	MySQL Connectors	Connector/ODBC (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	5.3.10 and prior, 8.0.11 and prior
CVE-2018-0739	MySQL Enterprise Monitor	Monitoring: General (OpenSSL)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	3.4.7.4297 and prior, 4.0.4.5235 and prior, 8.0.0.8131 and prior
CVE-2018-3070	MySQL Server	Client mysqldump	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior
CVE-2018-3060	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	High	None	Un- changed	None	High	High	5.7.22 and prior, 8.0.11 and prior
CVE-2018-3065	MySQL Server	Server: DML	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.22 and prior, 8.0.11 and prior
CVE-2018-0739	MySQL Server	Server: Installing (OpenSSL)	MySQL Protocol	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior
CVE-2018-3073	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-0739	MySQL Workbench	Workbench: Security: Encryption (OpenSSL)	MySQL Protocol	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3074	MySQL Server	Server: Security: Roles	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3062	MySQL Server	Server: Memcached	memcached	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior
CVE-2018-3081	MySQL Client	Client programs	MySQL Protocol	No	5.0	Network	High	High	None	Un- changed	None	Low	High	5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior
CVE-2018-3071	MySQL Server	Audit Log	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.22 and prior
CVE-2018-3079	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3054	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.22 and prior, 8.0.11 and prior
CVE-2018-3077	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.22 and prior, 8.0.11 and prior
CVE-2018-3078	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3080	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3061	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.22 and prior
CVE-2018-3067	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3063	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.5.60 and prior
CVE-2018-3075	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.11 and prior
CVE-2018-3058	MySQL Server	MyISAM	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior
CVE-2018-3056	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	5.7.22 and prior, 8.0.11 and prior
CVE-2018-2598	MySQL Workbench	Workbench: Security: Encryption	MySQL Protocol	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	6.3.10 and earlier
CVE-2018-3066	MySQL Server	Server: Options	MySQL Protocol	No	3.3	Network	High	High	None	Un- changed	Low	Low	None	5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior
CVE-2018-2767	MySQL Server	Server: Security: Encryption	MySQL Protocol	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior
CVE-2018-3084	MySQL Server	Shell: Core / Client	None	No	2.8	Local	Low	Low	Required	Un- changed	None	None	Low	8.0.11 and prior
CVE-2018-3082	MySQL Server	Server: DDL	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	8.0.11 and prior

Additional CVEs addressed are below:

• The fix for CVE-2017-0379 also addresses CVE-2017-9526.
• The fix for CVE-2018-0739 also addresses CVE-2017-3737 and CVE-2017-3738.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 15 new security fixes for Oracle PeopleSoft Products. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	PeopleSoft Enterprise FIN Install	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-1275	PeopleSoft Enterprise FIN Install	Security (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-2990	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	8.55, 8.56
CVE-2018-2977	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	8.55, 8.56
CVE-2018-0739	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	8.55, 8.56
CVE-2018-2951	PeopleSoft Enterprise PeopleTools	Configuration Manager	None	No	6.2	Local	Low	None	None	Un- changed	High	None	None	8.55, 8.56
CVE-2018-3068	PeopleSoft Enterprise HCM Human Resources	Compensation	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2929	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-2919	PeopleSoft Enterprise PeopleTools	Unified Navigation	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-2985	PeopleSoft Enterprise PeopleTools	Workflow	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-2986	PeopleSoft Enterprise PeopleTools	Workflow	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56
CVE-2018-3016	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	8.55, 8.56
CVE-2018-3072	PeopleSoft HRMS	Candidate Gateway	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	9.2
CVE-2018-2970	PeopleSoft Enterprise PeopleTools	PIA Search Functionality	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.55, 8.56
CVE-2018-3076	PeopleSoft Enterprise CS Financial Aid	ISIR Processing	HTTP	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	9.0, 9.2

Additional CVEs addressed are below:

• The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.
• The fix for CVE-2018-1275 also addresses CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.

Oracle Policy Automation Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle Policy Automation. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Oracle Policy Automation	Determinations Engine (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10
CVE-2017-5645	Oracle Policy Automation Connector for Siebel	Core (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.4.6
CVE-2017-5645	Oracle Policy Automation for Mobile Devices	Core (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 31 new security fixes for Oracle Retail Applications. 26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5533	MICROS Lucas	Security (JasperReports)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.9.5.3, 2.9.5.4, 2.9.5.5, 2.9.5.6
CVE-2017-5533	MICROS Relate CRM Software	Internal Operations (JasperReports)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.8.x, 11.4.x
CVE-2018-1275	Oracle Retail Back Office	Security (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1
CVE-2018-1275	Oracle Retail Central Office	Security (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1
CVE-2017-5645	Oracle Retail Clearance Optimization Engine	General Application (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.5
CVE-2017-5645	Oracle Retail Financial Integration	PeopleSoft Integration Bugs (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2.x, 14.0.x, 14.1.x, 15.0.x, 16.0.x, 16.0.x
CVE-2017-5645	Oracle Retail Integration Bus	RIB Kernal (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.0 14.1.0, 15.0, 16.0
CVE-2017-5533	Oracle Retail Order Broker	Order Broker Foundation (JasperReports)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.2, 15.0, 16.0
CVE-2018-1275	Oracle Retail Point-of-Service	Infrastructure (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1
CVE-2017-5645	Oracle Retail Predictive Application Server	RPAS Fusion Client (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0.3
CVE-2018-1275	Oracle Retail Returns Management	Security (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0, 14.1
CVE-2017-5645	Oracle Retail Service Backbone	Install (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.x, 14.1.x, 15.0.x, 16.0.x
CVE-2017-5645	Oracle Retail Service Layer	Installation (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.x
CVE-2016-6814	Oracle Retail Integration Bus	RIB Kernal (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.x, 14.1.x, 15.0.x, 16.0.x
CVE-2016-6814	Oracle Retail Service Backbone	Install (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	16.0.025
CVE-2016-1181	MICROS XBR	Retail (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	7.0.2, 7.0.4
CVE-2017-12617	Oracle Retail Convenience and Fuel POS Software	OPT Server (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.1.132
CVE-2016-3506	Oracle Retail Convenience and Fuel POS Software	Point of Sale	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.1.132
CVE-2018-2882	MICROS Retail-J	Interfaces	HTTP	No	7.7	Network	Low	Low	None	Changed	None	High	None	10.2.x, 11.0.x, 12.0.x, 12.1.x, 12.1.1.x, 12.1.2.x, 13.1.x
CVE-2016-9878	Oracle Retail Back Office	Security (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	14.0, 14.1
CVE-2016-9878	Oracle Retail Central Office	Security	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	14.0, 14.1
CVE-2017-5664	Oracle Retail Convenience and Fuel POS Software	OPT Server (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	2.1.132
CVE-2015-7940	Oracle Retail Convenience and Fuel POS Software	OPT Server (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	2.1.132
CVE-2016-9878	Oracle Retail Integration Bus	Install (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	14.0.x, 14.1.x, 15.0.x, 16.0.x
CVE-2016-9878	Oracle Retail Point-of-Sale	Transaction (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	14.0, 14.1
CVE-2016-9878	Oracle Retail Returns Management	Security (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	14.0, 14.1
CVE-2018-2888	MICROS Retail-J	Back Office	none	No	6.7	Physical	High	High	Required	Changed	High	High	Low	10.2.x, 11.0.x, 12.0.x, 12.1.x, 12.1.1.x, 12.1.2.x, 13.1.x
CVE-2018-3052	MICROS Relate CRM Software	Internal Operations	HTTP	No	6.4	Network	Low	Low	None	Changed	None	Low	Low	10.8.x, 11.4.x
CVE-2018-3053	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations	HTTP	No	6.4	Network	Low	Low	None	Changed	None	Low	Low	16.x, 17.x
CVE-2018-2881	MICROS Retail-J	Database	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	11.0.x, 12.0.x, 12.1.x, 12.1.1.x, 12.1.2.x, 13.1.x
CVE-2018-2891	Oracle Retail Bulk Data Integration	BDI Job Scheduler	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.0

Additional CVEs addressed are below:

• The fix for CVE-2016-1181 also addresses CVE-2014-0114 and CVE-2016-1182.
• The fix for CVE-2017-5533 also addresses CVE-2017-5529.
• The fix for CVE-2017-5664 also addresses CVE-2016-8735.
• The fix for CVE-2018-1275 also addresses CVE-2016-9878, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Siebel CRM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2959	Siebel UI Framework	UIF Open UI	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	18.0

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 22 new security fixes for the Oracle Sun Systems Products Suite. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-2930	Solaris Cluster	NAS device addition	RPC	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.3, 4.3
CVE-2015-7501	Tape Library ACSLS	Software (Apache Commons Collections)	Multiple	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to ACSLS 8.4.0-3
CVE-2018-3057	Sun ZFS Storage Appliance Kit (AK)	API frameworks	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 8.7.18
CVE-2018-2928	Solaris	RAD	Multiple	Yes	8.1	Network	Low	None	Required	Un- changed	High	High	None	11.3
CVE-2018-2892	Solaris	Availability Suite Service	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	10, 11.3
CVE-2018-2908	Solaris	Kernel	RPC	No	7.7	Network	Low	Low	None	Changed	None	None	High	11.3
CVE-2018-2926	Solaris	NVIDIA-GFX Kernel driver	ISCSI	No	7.6	Network	Low	Low	None	Un- changed	Low	Low	High	11.3
CVE-2018-2918	Sun ZFS Storage Appliance Kit (AK)	API frameworks	Multiple	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	Prior to 8.7.18
CVE-2018-2920	Sun ZFS Storage Appliance Kit (AK)	API frameworks	Multiple	No	7.4	Network	Low	Low	None	Changed	Low	Low	Low	Prior to 8.7.19
CVE-2018-2932	Oracle SuperCluster Specific Software	SuperCluster Virtual Assistant	Multiple	Yes	7.1	Network	High	None	Required	Un- changed	High	Low	High	Prior to 2.5.0
CVE-2018-1171	Solaris	Kernel	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	10, 11.3
CVE-2018-2921	Sun ZFS Storage Appliance Kit (AK)	User Interface	HTTP	Yes	5.8	Network	Low	None	None	Changed	Low	None	None	Prior to 8.7.18
CVE-2018-2924	Sun ZFS Storage Appliance Kit (AK)	API frameworks	None	No	5.7	Local	Low	High	None	Changed	Low	Low	Low	Prior to 8.7.18
CVE-2018-2937	Sun ZFS Storage Appliance Kit (AK)	User Interface	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	Prior to 8.7.19
CVE-2018-2917	Sun ZFS Storage Appliance Kit (AK)	API frameworks	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Prior to 8.7.18
CVE-2018-2905	Sun ZFS Storage Appliance Kit (AK)	Core Services	SSL/TLS	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	Prior to 8.7.20
CVE-2018-2903	Solaris	Kernel	None	No	4.4	Local	Low	High	None	Un- changed	High	None	None	10, 11.3
CVE-2018-2927	Sun ZFS Storage Appliance Kit (AK)	HTTP data path subsystems	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	Prior to 8.7.18
CVE-2018-2906	Hardware Management Pack	Ipmitool	IPMI	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	11.3
CVE-2018-2901	Solaris	Kernel	DHCP	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	10, 11.2
CVE-2018-2916	Sun ZFS Storage Appliance Kit (AK)	API frameworks	Multiple	No	2.7	Network	Low	High	None	Un- changed	None	None	Low	Prior to 8.7.18
CVE-2018-2923	Sun ZFS Storage Appliance Kit (AK)	Core Services	None	No	2.3	Local	Low	High	None	Un- changed	Low	None	None	Prior to 8.7.20

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 8 new security fixes for the Oracle Supply Chain Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Oracle AutoVue VueLink Integration	Installation Issues (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	21.0.0, 21.0.1
CVE-2016-6814	Oracle Agile PLM	Event Java PX (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2016-1181	Agile Recipe Management for Pharmaceuticals	UI Components-Framework (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.3.4
CVE-2016-1181	Oracle Transportation Management	Install (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	6.2, 6.3.7, 6.4.1
CVE-2017-5662	Oracle Agile PLM MCAD Connector	CAX Client (Apache Batik)	HTTP	No	7.3	Network	Low	Low	Required	Un- changed	High	None	High	3.3, 3.4, 3.5, 3.6
CVE-2018-0739	Oracle Agile Engineering Data Management	Install (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	6.1.3, 6.2.0, 6.2.1
CVE-2018-0739	Oracle Transportation Management	Install (OpenSSL)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	6.2
CVE-2018-3069	Oracle Agile Product Lifecycle Management for Process	Installation	HTTP	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	6.2.0.0

Additional CVEs addressed are below:

• The fix for CVE-2016-1181 also addresses CVE-2014-0114 and CVE-2016-1182.
• The fix for CVE-2018-0739 also addresses CVE-2017-3738 and CVE-2018-0733.

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Support Tools. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-1000300	OSS Support Tools	Services Tools Bundle (curl)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	Prior to 18.3

Additional CVEs addressed are below:

• The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 4 new security fixes for Oracle Utilities Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Oracle Utilities Network Management System	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.12.x, 2.3.x
CVE-2017-5645	Oracle Utilities Work and Asset Management	Logging (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.9.1.2.12
CVE-2016-5019	Oracle Utilities Framework	Help (Apache Trinidad)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	4.3.x
CVE-2017-5662	Oracle Utilities Network Management System	Install (Apache Batik)	HTTP	No	7.3	Network	Low	Low	Required	Un- changed	High	None	High	1.12.x, 2.3.x

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 12 new security fixes for Oracle Virtualization. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-3086	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.16
CVE-2018-3087	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.16
CVE-2018-3088	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.16
CVE-2018-3089	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.16
CVE-2018-3090	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.2.16
CVE-2018-3085	Oracle VM VirtualBox	Core	None	No	8.5	Local	Low	None	Required	Changed	Low	High	High	Prior to 5.2.16
CVE-2018-1000300	Oracle Secure Global Desktop	Core (curl)	Multiple	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	5.3, 5.4
CVE-2018-3055	Oracle VM VirtualBox	Core	None	No	7.1	Local	Low	None	Required	Changed	Low	None	High	Prior to 5.2.16
CVE-2018-1305	Oracle Secure Global Desktop	Application Server (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	5.3, 5.4
CVE-2018-0739	Oracle Secure Global Desktop	Core (OpenSSL)	TLS	Yes	6.5	Network	Low	None	Required	Un- changed	None	None	High	5.3, 5.4
CVE-2018-3091	Oracle VM VirtualBox	Core	None	No	6.3	Local	Low	None	Required	Changed	High	None	None	Prior to 5.2.16
CVE-2018-3005	Oracle VM VirtualBox	Core	None	No	4.0	Local	Low	None	None	Un- changed	None	None	Low	Prior to 5.2.16

Additional CVEs addressed are below:

• The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.
• The fix for CVE-2018-1305 also addresses CVE-2018-1304.

Related:

• No Related Posts