Category: Oracle

Oracle Security Alert Advisory – CVE-2019-2729

Description

This Security Alert addresses CVE-2019-2729, a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

References

• Oracle Critical Patch Updates, Security Alerts and Bulletins
• Oracle Critical Patch Updates and Security Alerts – Frequently Asked Questions
• Risk Matrix Definitions
• Use of Common Vulnerability Scoring System (CVSS) by Oracle
• English text version of the risk matrices
• CVRF XML version of the risk matrices
• Map of CVE to Advisory
• Software Error Correction Support Policy

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Security Alert. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:

• Badcode of Knownsec 404 Team: CVE-2019-2729
• Fangrun Li of Creditease Security Team: CVE-2019-2729
• Foren Lim: CVE-2019-2729
• Lucifaer of 360CERT at QiHu360: CVE-2019-2729
• Maoxin Lin of Dbappsecurity Team: CVE-2019-2729
• orich1 of CUIT D0g3 Secure Team: CVE-2019-2729
• WenHui Wang of State Grid: CVE-2019-2729
• Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2019-2729
• Ye Zhipeng of Qianxin Yunying Labs: CVE-2019-2729
• Yuxuan Chen: CVE-2019-2729
• Zhao Chang of Venustech ADLab: CVE-2019-2729
• Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2019-2729

Modification History

Date	Note
2019-June-21	Rev 3. Updated credit statement.
2019-June-20	Rev 2. Removed irrelevant paragraph about Oracle Database.
2019-June-18	Rev 1. Initial Release.

Oracle Fusion Middleware Risk Matrix This Security Alert contains 1 new security fix for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2019-2729 Oracle WebLogic Server Web Services HTTP Yes 9.8 Network Low None None Un- changed High High High 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0

Related:

• No Related Posts

Oracle Security Alert Advisory – CVE-2019-2725

Description

This Security Alert addresses CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0	Fusion Middleware

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

References

• Oracle Critical Patch Updates, Security Alerts and Bulletins
• Oracle Critical Patch Updates and Security Alerts – Frequently Asked Questions
• Risk Matrix Definitions
• Use of Common Vulnerability Scoring System (CVSS) by Oracle
• English text version of the risk matrices
• CVRF XML version of the risk matrices
• Map of CVE to Advisory
• Software Error Correction Support Policy

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:

• Badcode of Knownsec 404 Team: CVE-2019-2725
• Hongwei Pan of Minsheng Banking Corp.: CVE-2019-2725
• Icematcha of Qianxin Yunying Labs: CVE-2019-2725
• icez of Tophant Competence Center: CVE-2019-2725
• Liao Xinxi of NSFOCUS Security Team: CVE-2019-2725
• Lin Zheng of Minsheng Banking Corp.: CVE-2019-2725
• Song Keya of Minsheng Banking Corp.: CVE-2019-2725
• Tianlei Li of Minsheng Banking Corp.: CVE-2019-2725
• Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2019-2725
• ZengShuai Hao: CVE-2019-2725
• Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2019-2725

Modification History

Date	Note
2019-May-29	Rev 4. Updated Credit Statement.
2019-May-1	Rev 3. Updated Credit Statement.
2019-April-30	Rev 2. Updated WebLogic Server Versions.
2019-April-26	Rev 1. Initial Release.

Oracle Fusion Middleware Risk Matrix This Security Alert contains 1 new security fix for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2535708.1. CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2019-2725 Oracle WebLogic Server Web Services HTTP Yes 9.8 Network Low None None Un- changed High High High 10.3.6.0, 12.1.3.0

Related:

• No Related Posts

Oracle Database Server Risk Matrix

This Critical Patch Update contains 6 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2517	Core RDBMS	DBFS_ROLE	Oracle Net	No	9.1	Network	Low	High	None	Changed	High	High	High	12.2.0.1, 18c
CVE-2019-2516	Portable Clusterware	Grid Infrastructure User	Multiple	No	8.2	Local	Low	High	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2019-2619	Portable Clusterware	Grid Infrastructure User	Multiple	No	8.2	Local	Low	High	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2019-2518	Java VM	Create Session, Create Procedure	Multiple	No	7.5	Network	High	Low	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-2571	RDBMS DataPump	DBA role	Oracle Net	No	6.6	Network	High	High	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2019-2582	Core RDBMS	None	Oracle Net	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.2.0.1, 18c

Oracle Berkeley DB Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Berkeley DB. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2708	Data Store	Local Logon	Local Logon	No	3.3	Local	Low	Low	None	Un- changed	None	None	Low	Prior to 6.138, prior to 6.2.38, prior to 18.1.32

Oracle Commerce Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle Commerce. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2713	Oracle Commerce Merchandising	Asset Manager	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	11.2.0.3
CVE-2019-2659	Oracle Commerce Platform	Dynamo Application Framework	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.2.0.3
CVE-2019-2712	Oracle Commerce Platform	Dynamo Application Framework	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.2.0.3, 11.3.1

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 26 new security fixes for Oracle Communications Applications. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-7489	Oracle Communications Instant Messaging Server	Security (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0.1
CVE-2019-3822	Oracle Communications Operations Monitor	Security (curl)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4, 4.0
CVE-2018-11219	Oracle Communications Operations Monitor	Security (Redis)	RESP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.4, 4.0
CVE-2017-5645	Oracle Communications Pricing Design Center	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1, 12.0
CVE-2016-1000031	Oracle Communications Service Broker	Admin server FileUpload (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0
CVE-2016-1000031	Oracle Communications Service Broker Engineered System Edition	Admin server FileUpload (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0
CVE-2018-11236	Oracle Communications Session Border Controller	Security (glibc)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-11236	Oracle Enterprise Communications Broker	Security (glibc)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.0.0, 3.1.0
CVE-2018-11236	Oracle Enterprise Session Border Controller	Security (glibc)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-1258	Oracle Communications Unified Inventory Management	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	7.3.2, 7.3.4, 7.3.5, 7.4.0
CVE-2017-5664	Oracle Communications Application Session Controller	Security (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	3.7.1, 3.8.0
CVE-2016-1181	Oracle Communications Policy Management	Security (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.1, 12.2, 12.3, 12.4
CVE-2018-16864	Oracle Communications Session Border Controller	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-16864	Oracle Enterprise Communications Broker	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	3.0.0, 3.1.0
CVE-2018-16864	Oracle Enterprise Session Border Controller	Security (Kernel)	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	8.0.0, 8.1.0, 8.2.0
CVE-2018-1000180	Oracle Communications Application Session Controller	Security (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	3.7.1, 3.8.0
CVE-2018-0732	Oracle Communications Application Session Controller	Security (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.7.1, 3.8.0
CVE-2018-0732	Oracle Communications EAGLE LNP Application Processor	Security (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10.0, 10.1, 10.2
CVE-2017-5664	Oracle Communications Instant Messaging Server	Security (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	10.0.1
CVE-2018-0732	Oracle Communications Operations Monitor	Security (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.4, 4.0
CVE-2017-0861	Oracle Communications EAGLE Application Processor	Security (Kernel)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	16.1.0, 16.2.0
CVE-2015-9251	Oracle Communications Interactive Session Recorder	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.0, 6.1, 6.2
CVE-2015-9251	Oracle Enterprise Operations Monitor	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.4, 4.0
CVE-2018-12404	Oracle Communications Messaging Server	Security (NSS)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.0, 8.1
CVE-2017-5753	Oracle Communications LSMS	Platform (Kernel)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	13.1, 13.2, 13.3
CVE-2017-5754	Oracle Communications LSMS	Platform (Kernel)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	13.1, 13.2, 13.3

Additional CVEs addressed are below:

• The fix for CVE-2016-1181 also addresses CVE-2016-1182.
• The fix for CVE-2017-0861 also addresses CVE-2017-15265, CVE-2018-1000004, CVE-2018-10901, CVE-2018-3620, CVE-2018-3646, CVE-2018-3693 and CVE-2018-7566.
• The fix for CVE-2017-5664 also addresses CVE-2016-8735, CVE-2017-12617 and CVE-2018-11784.
• The fix for CVE-2018-0732 also addresses CVE-2016-7055, CVE-2017-3730, CVE-2017-3731, CVE-2017-3732, CVE-2017-3733, CVE-2017-3735, CVE-2017-3736, CVE-2017-3738, CVE-2018-0733, CVE-2018-0734, CVE-2018-0737 and CVE-2018-0739.
• The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
• The fix for CVE-2018-11219 also addresses CVE-2018-11218.
• The fix for CVE-2018-11236 also addresses CVE-2018-11237 and CVE-2018-6485.
• The fix for CVE-2018-12404 also addresses CVE-2018-12384.
• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
• The fix for CVE-2018-16864 also addresses CVE-2018-16865.
• The fix for CVE-2018-7489 also addresses CVE-2017-7525.
• The fix for CVE-2019-3822 also addresses CVE-2018-16890 and CVE-2019-3823.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 8 new security fixes for the Oracle Construction and Engineering Suite. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-1000031	Primavera P6 Enterprise Project Portfolio Management	Web Access (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-19362	Primavera P6 Enterprise Project Portfolio Management	Web Access (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
CVE-2016-1000031	Primavera Unifier	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-19362	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-11763	Instantis EnterpriseTrack	Core (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.1, 17.2, 17.3
CVE-2018-0734	Primavera P6 Enterprise Project Portfolio Management	Project Manager (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
CVE-2018-11784	Instantis EnterpriseTrack	Core (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	17.1, 17.2, 17.3
CVE-2019-2701	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	18.8

Additional CVEs addressed are below:

• The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
• The fix for CVE-2018-11763 also addresses CVE-2017-9798.
• The fix for CVE-2018-11784 also addresses CVE-2018-8034.
• The fix for CVE-2018-19362 also addresses CVE-2018-19360 and CVE-2018-19361.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 35 new security fixes for the Oracle E-Business Suite. 33 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2019), My Oracle Support Note 2514102.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2638	Oracle General Ledger	Consolidation Hierarchy Viewer	HTTP	No	9.9	Network	Low	Low	None	Changed	High	High	Low	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2633	Oracle Work in Process	Messages	HTTP	No	9.9	Network	Low	Low	None	Changed	High	High	Low	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2663	Oracle Advanced Outbound Telephony	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2682	Oracle Applications Framework	Attachments / File Upload	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2665	Oracle Common Applications	CRM User Management Framework	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2639	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2671	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2675	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2600	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2651	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2661	Oracle Email Center	Message Display	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2655	Oracle Interaction Center Intelligence	Business Intelligence (OLTP)	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2019-2652	Oracle iStore	Shopping Cart	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2583	Oracle iSupplier Portal	Attachments	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2660	Oracle Knowledge Management	Setup, Admin	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2604	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2664	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2677	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2551	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2603	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2653	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2654	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2662	Oracle Territory Management	Territory Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2640	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2641	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2642	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2643	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2018-0734	Application Server	Technology Stack Triage (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	0.9.8, 1.0.0, 1.0.1
CVE-2019-2621	Oracle Application Object Library	Diagnostics	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2669	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2676	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2670	Oracle Marketing	Marketing Administration	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2673	Oracle Marketing	Marketing Administration	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2674	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2622	Oracle Service Contracts	Renewals	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8

Additional CVEs addressed are below:

• The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 11 new security fixes for the Oracle Enterprise Manager Products Suite. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2498664.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-1000031	Enterprise Manager Ops Center	Networking (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.3
CVE-2016-4000	Oracle Configuration Manager	Collector of Config and Diag (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0
CVE-2018-1258	Enterprise Manager Base Platform	Enterprise Manager Install (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
CVE-2018-1258	Enterprise Manager Ops Center	Networking (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.3.3
CVE-2018-11763	Enterprise Manager Ops Center	Networking (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.3.3
CVE-2018-1000180	Oracle Business Transaction Management	Security (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.0
CVE-2018-1656	Enterprise Manager Base Platform	Agent Next Gen (IBM Java)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	13.2.0.0.0, 13.3.0.0.0
CVE-2019-2726	Enterprise Manager Ops Center	Services Integration	HTTP	No	6.3	Network	High	Low	None	Changed	None	None	High	12.3.3
CVE-2019-2557	Oracle Application Testing Suite	Load Testing for Web Apps	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	13.3.0.1
CVE-2018-0734	Enterprise Manager Base Platform	Discovery Framework (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
CVE-2018-0734	Enterprise Manager Ops Center	Networking (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.3.3

Additional CVEs addressed are below:

• The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
• The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
• The fix for CVE-2018-11763 also addresses CVE-2018-17189, CVE-2018-17199 and CVE-2019-0190.
• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257 and CVE-2018-15756.
• The fix for CVE-2018-1656 also addresses CVE-2018-12539.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Financial Services Applications. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-1000031	Oracle Banking Platform	Collections (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0, 2.4.1, 2.5.0, 2.6.0
CVE-2016-1000031	Oracle FLEXCUBE Private Banking	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0
CVE-2018-1258	Oracle FLEXCUBE Private Banking	Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0
CVE-2018-11775	Oracle FLEXCUBE Private Banking	Core (Apache ActiveMQ)	HTTP	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0
CVE-2015-9251	Oracle Financial Services Analytical Applications Infrastructure	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.3.3-7.3.5, 8.0.0-8.0.7
CVE-2015-9251	Oracle Financial Services Asset Liability Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2015-9251	Oracle Financial Services Data Integration Hub	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5-8.0.7
CVE-2015-9251	Oracle Financial Services Funds Transfer Pricing	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2015-9251	Oracle Financial Services Hedge Management and IFRS Valuations	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.7
CVE-2015-9251	Oracle Financial Services Liquidity Risk Management	Internal Operations (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.2-8.0.6
CVE-2015-9251	Oracle Financial Services Loan Loss Forecasting and Provisioning	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.2-8.0.7
CVE-2015-9251	Oracle Financial Services Market Risk Measurement and Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5, 8.0.6
CVE-2015-9251	Oracle Financial Services Profitability Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.4-8.0.6
CVE-2015-9251	Oracle Financial Services Reconciliation Framework	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5, 8.0.6

Additional CVEs addressed are below:

• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Food and Beverage Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2015-9251	Oracle Hospitality Reporting and Analytics	Report (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 53 new security fixes for Oracle Fusion Middleware. 42 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2498664.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-1000031	Oracle API Gateway	Oracle API Gateway (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.4.0
CVE-2018-19362	Oracle Business Process Management Suite	Runtime Engine (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.1.3.0
CVE-2015-3253	Oracle Data Integrator	Install, config, upgrade (Apache Groovy)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0
CVE-2016-1000031	Oracle Endeca Information Discovery Integrator	Other Issues (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.2.0
CVE-2019-3822	Oracle HTTP Server	Web Listener (curl)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2016-1000031	Oracle Identity Analytics	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.5.8
CVE-2017-5645	Oracle JDeveloper	None (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2017-8287	Oracle Outside In Technology	Installation (FreeType)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.3	See Note 1
CVE-2017-8105	Oracle Outside In Technology	Installation (FreeType)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.3	See Note 1
CVE-2016-1000031	Oracle WebCenter Portal	Security Framework (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2018-19362	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2019-2658	Oracle WebLogic Server	WLS Core Components	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0
CVE-2019-2646	Oracle WebLogic Server	EJB Container	T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2645	Oracle WebLogic Server	WLS Core Components	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-1258	Oracle WebLogic Server	WLS Core Components (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2019-2578	Oracle WebCenter Sites	Advanced UI	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	12.2.1.3.0
CVE-2019-2595	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2706	Oracle Business Process Management Suite	BPM Foundation Services	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0
CVE-2019-2705	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	8.5.3, 8.5.4	See Note 1
CVE-2018-14718	Oracle JDeveloper	Oracle JDeveloper (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.1.3.0
CVE-2019-2601	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2018-1000180	Oracle API Gateway	Oracle API Gateway (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.2.4.0
CVE-2018-11761	Oracle Business Process Management Suite	Runtime Engine (Apache Tika)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.3.0.0, 12.2.1.3.0
CVE-2018-1000180	Oracle Managed File Transfer	MFT Runtime Server (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.3.0
CVE-2018-1000180	Oracle SOA Suite	B2B Engine (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.3.0
CVE-2019-2647	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2648	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2649	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2650	Oracle WebLogic Server	WLS – Web Services	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-8013	Oracle Data Integrator	Install, config, upgrade (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	12.2.1.3.0
CVE-2019-2608	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2616	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2018-1305	FMW Platform	Provisioning (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.2.1.3.0
CVE-2018-1305	Oracle Managed File Transfer	MFT Runtime Server (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.1.3.0.0, 12.2.1.3.0
CVE-2019-2609	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2610	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2611	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2612	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2613	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2015-9251	Oracle Fusion Middleware MapViewer	Install (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0
CVE-2015-9251	Oracle JDeveloper	ADF Faces (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-0734	Oracle API Gateway	Oracle API Gateway (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	11.1.2.4.0
CVE-2018-0734	Oracle Tuxedo	SSL/TLS (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.1.0.0
CVE-2019-2618	Oracle WebLogic Server	WLS Core Components	HTTP	No	5.5	Network	Low	High	None	Un- changed	High	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2576	Oracle Service Bus	Web Container	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2572	Oracle SOA Suite	Fabric Layer	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.1.1.9.0
CVE-2018-0495	Oracle Traffic Director	Security (NSS)	None	No	5.1	Local	High	None	None	Un- changed	High	None	None	11.1.1.9.0
CVE-2019-2568	Oracle WebLogic Server	WLS Core Components	HTTP	No	5.0	Network	Low	Low	None	Changed	None	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2588	BI Publisher (formerly XML Publisher)	BI Publisher Security	HTTP	No	4.9	Network	Low	High	None	Un- changed	High	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2615	Oracle WebLogic Server	WLS Core Components	HTTP	No	4.9	Network	Low	High	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2579	Oracle WebCenter Sites	Advanced UI	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.2.1.3.0
CVE-2019-2605	Oracle Business Intelligence Enterprise Edition	Web Catalog	HTTP	Yes	3.4	Network	High	None	Required	Changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-2720	Oracle Data Integrator	ODI Tools	HTTP	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	11.1.1.9.0, 12.2.1.3.0

Notes:

1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

• The fix for CVE-2017-8287 also addresses CVE-2017-8105.
• The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
• The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
• The fix for CVE-2018-1305 also addresses CVE-2018-1304.
• The fix for CVE-2018-14718 also addresses CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.
• The fix for CVE-2018-19362 also addresses CVE-2018-19360 and CVE-2018-19361.
• The fix for CVE-2019-3822 also addresses CVE-2018-16890 and CVE-2019-3823.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Health Sciences Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-1000031	Oracle Healthcare Master Person Index	Core (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.0, 4.0
CVE-2019-2629	Oracle Health Sciences Data Management Workbench	User Interface	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	2.4.8

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Hospitality Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-1000031	Oracle Hospitality Guest Access	Base (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.2.0, 4.2.1
CVE-2019-2702	Oracle Hospitality Cruise Dining Room Management	Web Service	HTTP	Yes	9.3	Network	Low	None	None	Changed	High	Low	None	8.0.80
CVE-2016-7103	Oracle Hospitality Cruise Fleet Management	FMS Suite (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.0.11
CVE-2018-11763	Oracle Hospitality Guest Access	Base (Apache HTTP Server)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	None	None	High	4.2.0, 4.2.1
CVE-2018-11784	Oracle Hospitality Guest Access	Base (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	4.2.0, 4.2.1

Additional CVEs addressed are below:

• The fix for CVE-2016-7103 also addresses CVE-2015-9251.
• The fix for CVE-2018-11784 also addresses CVE-2018-8034.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application (in Java SE 8) has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of “High”, lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2699	Java SE	Windows DLL	Multiple	Yes	9.0	Network	High	None	None	Changed	High	High	High	Java SE: 8u202	See Note 1
CVE-2019-2697	Java SE	2D	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Java SE: 7u211, 8u202	See Note 2
CVE-2019-2698	Java SE	2D	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	Java SE: 7u211, 8u202	See Note 2
CVE-2019-2602	Java SE, Java SE Embedded	Libraries	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Java SE: 7u211, 8u202, 11.0.2, 12; Java SE Embedded: 8u201	See Note 3
CVE-2019-2684	Java SE, Java SE Embedded	RMI	Multiple	Yes	5.9	Network	High	None	None	Un- changed	None	High	None	Java SE: 7u211, 8u202, 11.0.2, 12; Java SE Embedded: 8u201	See Note 1

Notes:

1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
2. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
3. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 8 new security fixes for Oracle JD Edwards Products. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-12023	JD Edwards EnterpriseOne Tools	EnterpriseOne Mobility Sec (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2018-12023	JD Edwards EnterpriseOne Tools	Monitoring and Diagnostics (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2018-12023	JD Edwards EnterpriseOne Tools	Web Runtime (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.2
CVE-2018-0732	JD Edwards EnterpriseOne Tools	Enterprise Infrastructure SEC (OpenSSL)	JDENET	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	9.2
CVE-2019-2565	JD Edwards World Technical Foundation	Service Enablement	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	A9.2, A9.3.1, A9.4
CVE-2015-9251	JD Edwards EnterpriseOne Tools	Web Runtime (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2564	JD Edwards EnterpriseOne Tools	Web Runtime	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	9.2

Additional CVEs addressed are below:

• The fix for CVE-2018-0732 also addresses CVE-2018-0737.
• The fix for CVE-2018-12023 also addresses CVE-2018-11307 and CVE-2018-12022.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 45 new security fixes for Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2632	MySQL Server	Server : Pluggable Auth	MySQL Protocol	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2693	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2694	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2695	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2692	MySQL Connectors	Connector/J	JDBC	No	6.3	Local	High	High	Required	Un- changed	High	High	High	8.0.15 and prior
CVE-2019-1559	MySQL Connectors	Connector/ODBC (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.3.12 and prior, 8.0.15 and prior
CVE-2019-1559	MySQL Server	Server: Compiling (OpenSSL)	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2018-3123	MySQL Server	Server: libmysqld	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2623	MySQL Server	Server: Options	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2018-0734	MySQL Enterprise Backup	Enterprise Backup (OpenSSL)	TLS	No	5.1	Local	High	None	None	Un- changed	High	None	None	3.12.3 and prior, 4.1.2 and prior
CVE-2019-2634	MySQL Server	Server: Replication	MySQL Protocol	No	5.1	Local	High	None	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2580	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2585	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2593	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2624	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2628	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2566	MySQL Server	Server: Audit Plug-in	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2626	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2644	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2631	MySQL Server	Server: Information Schema	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2581	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2596	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2607	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2625	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2681	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2685	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2686	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2687	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2688	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2689	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2683	MySQL Server	Server: Options	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2019-2592	MySQL Server	Server: PS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.25 and prior, 8.0.15 and prior
CVE-2019-2587	MySQL Server	Server: Partition	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2635	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2584	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2589	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2606	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2620	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2627	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2019-2691	MySQL Server	Server: Security: Roles	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2636	MySQL Server	Server: Group Replication Plugin	MySQL Procotol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2614	MySQL Server	Server: Replication	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
CVE-2019-2617	MySQL Server	Server: Replication	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-2630	MySQL Server	Server: Replication	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.15 and prior
CVE-2019-1559	MySQL Enterprise Monitor	Monitoring: General (OpenSSL)	None	No	0.0	Local	Low	None	None	Un- changed	None	None	None	4.0.8 and prior, 8.0.14 and prior	See Note 1

Notes:

1. MySQL Enterprise Monitor is not vulnerable to this CVE because it does not use the SSL/TLS functionality included in OpenSSL. The CVSS v3.0 Base Score for this CVE in the National Vulnerability Database (NVD) is 5.9.

Additional CVEs addressed are below:

• The fix for CVE-2018-0734 also addresses CVE-2018-5407.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 12 new security fixes for Oracle PeopleSoft Products. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2598	PeopleSoft Enterprise PeopleTools	SQR	HTTP	No	8.7	Network	Low	High	None	Changed	High	High	None	8.55, 8.56, 8.57
CVE-2019-2590	PeopleSoft Enterprise HCM Talent Acquisition Manager	Job Opening	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	9.2
CVE-2018-1000180	PeopleSoft Enterprise PeopleTools	Security (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.55, 8.56, 8.57
CVE-2019-2594	PeopleSoft Enterprise PT PeopleTools	Application Server	HTTP	No	6.8	Network	High	Low	None	Un- changed	High	High	None	8.55, 8.56, 8.57
CVE-2019-2707	PeopleSoft Enterprise ELM Enterprise Learning Management	Application Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2591	PeopleSoft Enterprise HRMS	Candidate Gateway	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2637	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2018-0734	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.55, 8.56, 8.57
CVE-2019-2597	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2700	PeopleSoft Enterprise ELM	Enterprise Learning Mgmt	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	9.2
CVE-2019-2573	PeopleSoft Enterprise PeopleTools	Fluid Homepage & Navigation	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	8.56, 8.57
CVE-2019-2586	PeopleSoft Enterprise PT PeopleTools	RemoteCall	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.55, 8.56, 8.57

Additional CVEs addressed are below:

• The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.
• The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 24 new security fixes for Oracle Retail Applications. 20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2014-9515	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations (Dozer)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.0, 17.0
CVE-2019-3772	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.0, 17.0, 18.0
CVE-2016-1000031	Oracle Retail Order Broker	System Administration (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.1, 5.2, 15.0, 16.0
CVE-2017-5533	Oracle Retail Order Broker	System Administration (Jasper)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0
CVE-2018-19362	Oracle Retail Workforce Management Software	Framework (jQuery)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.60.9.0.0
CVE-2016-1000031	Oracle Retail Xstore Point of Service	Xenvironment (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.0, 7.1
CVE-2018-3314	MICROS Relate CRM Software	Customer	HTTP	No	8.2	Network	High	Low	None	Changed	High	High	None	11.4
CVE-2018-12023	Oracle Retail Merchandising System	Documentation (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	15.0
CVE-2018-14718	Oracle Retail Merchandising System	Documentation (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	15.0, 16.0
CVE-2018-3120	MICROS Lucas	Security	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	2.9.5.6, 2.9.5.7
CVE-2018-2880	MICROS Retail-J	Back Office	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.2
CVE-2018-15756	Oracle Retail Invoice Matching	Security (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.0, 13.0, 13.1, 13.2, 14.0, 14.1
CVE-2018-15756	Oracle Retail Order Broker	System Administration (Spring Framework)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	5.1, 5.2, 15.0, 16.0
CVE-2018-11763	Oracle Retail Xstore Point of Service	Point of Sale (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.0, 7.1
CVE-2018-11763	Oracle Retail Xstore Point of Service	Xstore Office (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.0, 7.1
CVE-2018-1000180	Oracle Retail Xstore Point of Service	Xenvironment (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	7.0, 7.1
CVE-2019-2424	Oracle Retail Convenience Store Back Office	Level 3 Maintenance Functions	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	3.6
CVE-2019-2558	Oracle Retail Point-of-Service	Infrastructure	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	13.4, 14.0, 14.1
CVE-2018-1305	MICROS Relate CRM Software	Internal Operations (Apache Tomcat)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	11.4
CVE-2015-9251	Oracle Retail Allocation	General (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0.2
CVE-2015-9251	Oracle Retail Invoice Matching	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0
CVE-2018-3312	Oracle Retail Customer Engagement	Segment	HTTP	No	5.5	Network	High	High	None	Un- changed	Low	High	Low	16.0, 17.0
CVE-2018-11784	Oracle Retail Order Broker	System Administration (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	5.1, 5.2, 15.0
CVE-2018-11784	Oracle Retail Order Broker	Upgrade Install (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	5.1, 5.2, 15.0

Additional CVEs addressed are below:

• The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
• The fix for CVE-2018-11784 also addresses CVE-2018-8034.
• The fix for CVE-2018-12023 also addresses CVE-2018-12022.
• The fix for CVE-2018-1305 also addresses CVE-2018-11784 and CVE-2018-1304.
• The fix for CVE-2018-14718 also addresses CVE-2018-14719, CVE-2018-14720, CVE-2018-14721 and CVE-2018-19362.
• The fix for CVE-2018-19362 also addresses CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361 and CVE-2018-7489.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 8 new security fixes for Oracle Siebel CRM. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2014-0114	Oracle Knowledge	Information Manager Console (Apache Commons BeanUtils)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2016-1000031	Oracle Knowledge	Information Manager Console (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2016-2141	Oracle Knowledge	Information Manager Console (JGroups)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2015-1832	Oracle Knowledge	Information Manager Console (Apache Derby)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2016-0635	Oracle Knowledge	AnswerFlow (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.5.1.0 – 8.5.1.7, 8.6.0
CVE-2014-0107	Oracle Knowledge	Information Manager Console (Apache Xalan)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2019-2719	Oracle Knowledge	Web Applications (InfoCenter)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
CVE-2019-2570	Siebel Core – Server BizLogic Script	Integration – Scripting	HTTP	No	4.7	Network	Low	High	None	Un- changed	Low	Low	Low	19.3

Additional CVEs addressed are below:

• The fix for CVE-2014-0114 also addresses CVE-2016-1000031 and CVE-2016-3092.
• The fix for CVE-2015-1832 also addresses CVE-2016-2141.
• The fix for CVE-2016-1000031 also addresses CVE-2016-3092.
• The fix for CVE-2016-2141 also addresses CVE-2015-1832.

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 3 new security fixes for the Oracle Sun Systems Products Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2704	Oracle Solaris	IPS Package Manager	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11
CVE-2018-20685	Oracle Solaris	SunSSH	SSH	Yes	5.3	Network	High	None	Required	Un- changed	None	High	None	10
CVE-2019-2577	Oracle Solaris	File Locking Services	None	No	3.3	Local	Low	Low	None	Un- changed	None	None	Low	11

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 5 new security fixes for the Oracle Supply Chain Products Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-1000031	Agile Recipe Management for Pharmaceuticals	Recipe (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.4
CVE-2016-1000031	Oracle Agile PLM	Application Server (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.4, 9.3.5
CVE-2019-2567	Oracle Configurator	Active Model Generation	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1, 12.2
CVE-2019-2709	Oracle Transportation Management	Security	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.3.7, 6.4.2, 6.4.3
CVE-2019-2575	Oracle AutoVue 3D Professional Advanced	Format Handling – 2D	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	21.0.0, 21.0.1

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Support Tools. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2015-9251	OSS Support Tools	Remote Diagnostic Agent (jQuery)	Multiple	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	19.1

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 6 new security fixes for Oracle Utilities Applications. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-14952	Oracle Utilities Framework	Common (icu4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.2.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.2.0, 4.3.0.3.0, 4.3.0.4.0, 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0
CVE-2018-8088	Oracle Utilities Framework	Common (slf4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.2.0.2.0, 4.2.0.3.0, 4.3.0.2.0, 4.3.0.3.0, 4.3.0.4.0, 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0
CVE-2016-1000031	Oracle Utilities Framework	User Interface (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.2.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.2.0, 4.3.0.3.0, 4.3.0.4.0, 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0
CVE-2018-1258	Oracle Utilities Network Management System	Web Gateway client (Spring Framework)	T3	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	1.12.0.3
CVE-2015-9251	Oracle Real-Time Scheduler	Mobile Platform (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.3.0
CVE-2015-9251	Oracle Utilities Mobile Workforce Management	Mobile Platform (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.3.0

Additional CVEs addressed are below:

• The fix for CVE-2017-14952 also addresses CVE-2014-7923, CVE-2014-7926, CVE-2014-7940, CVE-2014-8146, CVE-2014-8147, CVE-2014-9654, CVE-2014-9911, CVE-2015-5922, CVE-2016-6293, CVE-2016-7415, CVE-2017-17484, CVE-2017-7867 and CVE-2017-7868.
• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 15 new security fixes for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-3822	Oracle Secure Global Desktop	Core (curl)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.4
CVE-2019-2656	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2680	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2696	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2703	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2721	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2722	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2723	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2657	Oracle VM VirtualBox	Core	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2690	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2679	Oracle VM VirtualBox	Core	None	No	7.3	Local	Low	Low	None	Changed	Low	None	High	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2678	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.28, prior to 6.0.6
CVE-2019-2574	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	Prior to 5.2.28, prior to 6.0.6
CVE-2019-1559	Oracle Secure Global Desktop	Core (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.4
CVE-2018-11784	Oracle Secure Global Desktop	Application Server (Apache Tomcat)	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	5.4

Additional CVEs addressed are below:

• The fix for CVE-2018-11784 also addresses CVE-2018-8034.
• The fix for CVE-2019-1559 also addresses CVE-2018-0734, CVE-2018-0735 and CVE-2018-5407.
• The fix for CVE-2019-3822 also addresses CVE-2018-16890 and CVE-2019-3823.

Related:

• No Related Posts

Oracle Database Server Risk Matrix

This Critical Patch Update contains 3 new security fixes for the Oracle Database Server. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2444	Core RDBMS	Local Logon	Local Logon	No	8.2	Local	Low	Low	Required	Changed	High	High	High	12.2.0.1, 18c
CVE-2019-2406	Core RDBMS	Create Session, Execute Catalog Role	Oracle Net	No	7.2	Network	Low	High	None	Un- changed	High	High	High	12.1.0.2, 12.2.0.1, 18c
CVE-2019-2547	Java VM	Create Session, Create Procedure	Multiple	No	3.5	Network	Low	Low	Required	Un- changed	None	None	Low	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 33 new security fixes for Oracle Communications Applications. 29 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Oracle Communications Converged Application Server – Service Controller	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1
CVE-2016-1000031	Oracle Communications Diameter Signaling Router (DSR)	Security (Apache Commons Fileupload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	prior to 8.3
CVE-2017-5645	Oracle Communications Online Mediation Controller	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1
CVE-2018-11776	Oracle Communications Policy Management	Security (Apache Struts 2)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	prior to 12.5
CVE-2017-5645	Oracle Communications Service Broker	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0
CVE-2016-1000031	Oracle Communications Services Gatekeeper	Security (Apache Commons Collections Fileupload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	prior to 6.1.0.4.0
CVE-2018-9206	Oracle Communications Services Gatekeeper	Security (jQuery)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	prior to 6.1.0.4.0
CVE-2017-5645	Oracle Communications WebRTC Session Controller	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	prior to 7.2
CVE-2016-6814	Oracle Communications Unified Inventory Management	Security (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	prior to 7.4.0
CVE-2016-0635	Oracle Communications Converged Application Server	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	prior to 7.0.0.1
CVE-2018-1258	Oracle Communications Diameter Signaling Router (DSR)	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	prior to 8.3
CVE-2018-1258	Oracle Communications Performance Intelligence Center (PIC) Software	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	prior to 10.2.1
CVE-2018-1258	Oracle Communications Services Gatekeeper	Security (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	prior to 6.1.0.4.0
CVE-2018-14718	Oracle Communications Billing and Revenue Management	Billing Operations Center, Billing Care (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	7.5, 12.0
CVE-2016-1181	Oracle Communications Converged Application Server	Security (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	prior to 7.0.0.1
CVE-2017-15095	Oracle Communications Diameter Signaling Router (DSR)	Security (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	prior to 8.3
CVE-2016-1181	Oracle Communications WebRTC Session Controller	Security (Apache Struts 1)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	prior to 7.2
CVE-2018-1000180	Oracle Communications Converged Application Server	Security (Bouncy Castle)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	prior to 7.0.0.1
CVE-2017-9798	Oracle Communications Diameter Signaling Router (DSR)	Security (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	prior to 8.3
CVE-2018-5390	Oracle Communications Session Border Controller	Security (Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	SCz7.4.0, SCz7.4.1, SCz8.0.0, SCz8.1.0
CVE-2018-1000180	Oracle Communications WebRTC Session Controller	Security (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	prior to 7.2
CVE-2018-1000300	Oracle Communications WebRTC Session Controller	Security (cURL)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	prior to 7.2
CVE-2017-0379	Oracle Communications WebRTC Session Controller	Security (libgcrypt)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	prior to 7.2
CVE-2018-8013	Oracle Communications Diameter Signaling Router (DSR)	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	prior to 8.3
CVE-2018-8013	Oracle Communications WebRTC Session Controller	Security (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	prior to 7.2
CVE-2019-2399	Oracle Communications Diameter Signaling Router (DSR)	Security	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	prior to 8.3
CVE-2015-9251	Oracle Communications Converged Application Server	Security (JQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	prior to 7.0.0.1
CVE-2015-9251	Oracle Communications WebRTC Session Controller	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	prior to 7.2
CVE-2018-0732	Oracle Communications Session Border Controller	Security (OpenSSL)	TLS	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	SCz7.4.0, SCz7.4.1, SCz8.0.0, SCz8.1.0
CVE-2018-0732	Oracle Communications Unified Session Manager	Security (OpenSSL)	TLS	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	SCz7.3.5
CVE-2018-0732	Oracle Communications WebRTC Session Controller	Security (OpenSSL)	TLS	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	prior to 7.2
CVE-2018-0732	Oracle Enterprise Communications Broker	Security (OpenSSL)	TLS	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	PCz2.1, PCz2.2, PCz3.0
CVE-2018-0732	Oracle Enterprise Session Border Controller	Security (OpenSSL)	TLS	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	ECz7.4.0, ECz7.5.0, ECz8.0.0, ECz8.1.0

Additional CVEs addressed are below:

• The fix for CVE-2016-0635 also addresses CVE-2018-1258.
• The fix for CVE-2016-1181 also addresses CVE-2014-0114 and CVE-2016-1182.
• The fix for CVE-2017-0379 also addresses CVE-2017-9526.
• The fix for CVE-2017-15095 also addresses CVE-2017-7525.
• The fix for CVE-2018-0732 also addresses CVE-2017-3735, CVE-2017-3736, CVE-2017-3738, CVE-2018-0733, CVE-2018-0737 and CVE-2018-0739.
• The fix for CVE-2018-1000180 also addresses CVE-2015-7940 and CVE-2018-1000613.
• The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.
• The fix for CVE-2018-11776 also addresses CVE-2016-1000031.
• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.
• The fix for CVE-2018-14718 also addresses CVE-2017-15095, CVE-2017-7525, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721 and CVE-2018-7489.
• The fix for CVE-2018-5390 also addresses CVE-2018-6922.
• The fix for CVE-2018-9206 also addresses CVE-2015-9251.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 4 new security fixes for the Oracle Construction and Engineering Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-9206	Primavera Unifier	Core (jQuery FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.1, 16.2, 17.1-17.12, 18.8
CVE-2018-14718	Primavera Unifier	Core (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	16.1, 16.2, 17.1-17.12, 18.8
CVE-2018-0732	Primavera P6 Enterprise Project Portfolio Management	Project Manager (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
CVE-2019-2512	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	Yes	4.7	Network	High	None	Required	Changed	Low	Low	None	8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8

Additional CVEs addressed are below:

• The fix for CVE-2018-0732 also addresses CVE-2018-0737.
• The fix for CVE-2018-14718 also addresses CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 16 new security fixes for the Oracle E-Business Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the January 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (January 2019), My Oracle Support Note 2480398.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2489	Oracle One-to-One Fulfillment	OCM Query	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2453	Oracle Performance Management	Performance Management Plan	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1, 12.1.2, 12.1.3
CVE-2019-2445	Oracle Content Manager	Cover Letter	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2497	Oracle CRM Technical Foundation	Messages	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2400	Oracle iStore	User Registration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2440	Oracle Marketing	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2498	Oracle Partner Management	Partner Dash board	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2447	Oracle Partner Management	Partner Detail	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2470	Oracle Partner Management	Partner Detail	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2546	Oracle Applications Manager	SQL Extensions	HTTP	Yes	8.1	Network	Low	None	Required	Un- changed	None	High	High	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2488	Oracle CRM Technical Foundation	Session Management	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2396	Oracle CRM Technical Foundation	Messages	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2496	Oracle CRM Technical Foundation	Messages	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2491	Oracle Email Center	Message Display	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2492	Oracle Email Center	Message Display	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
CVE-2019-2485	Oracle Mobile Field Service	Administration	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 11 new security fixes for the Oracle Enterprise Manager Products Suite. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the January 2019 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2466391.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-4000	Enterprise Manager Base Platform	Agent Next Gen (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.0.5, 13.2.0, 13.3.0
CVE-2018-1258	Oracle Application Testing Suite	Load Testing for Web Apps (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2018-12023	Enterprise Manager for Virtualization	Plug-In Lifecycle (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	13.2.2, 13.2.3, 13.3.1
CVE-2018-14718	Enterprise Manager for Virtualization	Plug-In Lifecycle (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	13.2.2, 13.2.3, 13.3.1
CVE-2018-0732	Enterprise Manager Base Platform	Discovery Framework (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.0.5, 13.2.0, 13.3.0
CVE-2018-1000300	Enterprise Manager Ops Center	Networking (cURL)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.2.2, 12.3.3
CVE-2018-0732	Enterprise Manager Ops Center	Networking (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.2, 12.3.3
CVE-2018-3303	Enterprise Manager Base Platform	EM Console	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	13.2, 13.3
CVE-2018-3304	Oracle Application Testing Suite	Load Testing for Web Apps	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2018-3305	Oracle Application Testing Suite	Load Testing for Web Apps	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
CVE-2015-9251	Enterprise Manager Ops Center	Networking (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.2, 12.3.3

Additional CVEs addressed are below:

• The fix for CVE-2018-0732 also addresses CVE-2018-0737.
• The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.
• The fix for CVE-2018-12023 also addresses CVE-2018-11307, CVE-2018-12022 and CVE-2018-14718.
• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
• The fix for CVE-2018-14718 also addresses CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 9 new security fixes for Oracle Financial Services Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-4000	Oracle Banking Platform	Patching (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.6.0, 2.6.1, 2.6.2
CVE-2016-1000031	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.3, 7.3.5, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7
CVE-2017-5645	Oracle FLEXCUBE Investor Servicing	Infrastructure (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0
CVE-2018-14718	Oracle Banking Platform	Infrastructure (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.5.0, 2.6.0, 2.6.1, 2.6.2
CVE-2018-14718	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7
CVE-2018-1000632	Oracle FLEXCUBE Investor Servicing	Infrastructure (dom4j)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0
CVE-2017-14735	Oracle Banking Platform	Infrastructure (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.5.0, 2.6.0, 2.6.1
CVE-2019-2549	Oracle FLEXCUBE Direct Banking	Logoff Page	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.0.2
CVE-2019-2550	Oracle FLEXCUBE Direct Banking	Logoff Page	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	12.0.2

Additional CVEs addressed are below:

• The fix for CVE-2018-14718 also addresses CVE-2018-12023, CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 6 new security fixes for Oracle Food and Beverage Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2401	Oracle Hospitality Reporting and Analytics	Admin	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.1.0
CVE-2019-2402	Oracle Hospitality Simphony	Client Application Loader	HTTP	Yes	7.7	Network	High	None	None	Un- changed	High	High	Low	2.10
CVE-2019-2425	Oracle Hospitality Reporting and Analytics	Report	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	9.1.0
CVE-2019-2403	Oracle Hospitality Simphony	Enterprise Management Console	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	2.10
CVE-2019-2407	Oracle Hospitality Reporting and Analytics	Report	None	No	6.1	Local	Low	Low	None	Un- changed	High	Low	None	9.1.0
CVE-2019-2397	Oracle Hospitality Reporting and Analytics	Report	None	No	4.4	Local	Low	Low	None	Un- changed	Low	Low	None	9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 62 new security fixes for Oracle Fusion Middleware. 57 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the January 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2466391.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-1000031	Oracle Fusion Middleware MapViewer	Install (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2017-5645	Oracle GoldenGate Application Adapters	Application Adapters (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.2.1.1
CVE-2018-1275	Oracle Service Architecture Leveraging Tuxedo	Internal Operations (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.2.0.0
CVE-2017-5645	Oracle SOA Suite	Installation & Templates (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0.0, 12.2.1.3.0
CVE-2015-1832	Oracle WebLogic Server	Third Party Tools (Apache Derby)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	12.2.1.3
CVE-2018-14718	Oracle WebCenter Portal	Security Framework (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2019-2414	Oracle HTTP Server	Web Listener	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	12.2.1.3
CVE-2018-0732	Oracle API Gateway	Oracle API Gateway (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	11.1.2.4.0
CVE-2018-1000180	Oracle Business Process Management Suite	Runtime Engine (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2018-0732	Oracle Endeca Server	Third Party (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.7.0
CVE-2018-1000180	Oracle Enterprise Repository	Security Subsystem – 12c (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0
CVE-2019-2467	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2468	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2473	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2474	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2475	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2476	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2477	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2479	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3, 8.5.4	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3	See Note 1
CVE-2017-13745	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3	See Note 1
CVE-2016-9392	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.5.3	See Note 1
CVE-2018-1000180	Oracle WebCenter Portal	Security Framework (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.1.9.0, 12.2.1.3.0
CVE-2018-1000180	Oracle WebLogic Server	WLS Core Components (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.2.1.3
CVE-2019-2462	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2538	Oracle Managed File Transfer	MFT Runtime Server	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	19.1.0.0.0, 12.2.1.3.0
CVE-2019-2429	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2438	Oracle Web Cache	ESI/Partial Page Caching	HTTP	Yes	6.9	Network	High	None	Required	Changed	High	Low	None	11.1.1.9.0
CVE-2018-11775	Oracle Enterprise Repository	Security Subsystem (Apache ActiveMQ)	HTTP	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	12.1.3.0.0
CVE-2019-2452	Oracle WebLogic Server	WLS Core Components	HTTP	No	6.7	Network	Low	High	None	Un- changed	Low	High	High	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2019-2456	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2463	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2469	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	6.5	Network	High	None	None	Un- changed	Low	None	High	8.5.3, 8.5.4	See Note 1
CVE-2019-2418	Oracle WebLogic Server	WLS Core Components	T3	Yes	6.5	Network	High	None	None	Changed	Low	Low	Low	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2015-9251	Oracle Business Process Management Suite	Runtime Engine (JQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
CVE-2019-2413	Oracle Reports Developer	Valid Session	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3
CVE-2017-14735	Oracle WebCenter Sites	Third Party Tools (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.8.0
CVE-2015-9251	Oracle WebLogic Server	Sample apps (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.1.3.0, 12.2.1.3
CVE-2019-2395	Oracle WebLogic Server	WLS – Web Services	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	None	Low	10.3.6.0
CVE-2019-2457	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2458	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2459	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2460	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3	See Note 1
CVE-2019-2461	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2464	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3, 8.5.4	See Note 1
CVE-2019-2465	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3, 8.5.4	See Note 1
CVE-2019-2466	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3, 8.5.4	See Note 1
CVE-2019-2472	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2478	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2019-2480	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3, 8.5.4	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3	See Note 1
CVE-2016-9583	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.5.3	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3	See Note 1
CVE-2016-9392	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3	See Note 1
CVE-2016-9389	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.5.3	See Note 1
CVE-2019-2427	Oracle WebCenter Portal	WebCenter Spaces Application	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	11.1.1.9.0, 12.2.1.3.0
CVE-2019-2441	Oracle WebLogic Server	Application Container – JavaEE	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.2.1.3
CVE-2018-3147	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	8.5.3, 8.5.4	See Note 1
CVE-2019-2398	Oracle WebLogic Server	WLS – Deployment	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	10.3.6.0, 12.1.3.0, 12.2.1.3
CVE-2017-14229	Oracle Outside In Technology	Outside In Filters (Jasper Project)	HTTP	Yes	3.1	Network	High	None	Required	Un- changed	None	None	Low	8.5.3	See Note 1

Notes:

1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

• The fix for CVE-2015-1832 also addresses CVE-2018-1313.
• The fix for CVE-2016-9392 also addresses CVE-2016-9389.
• The fix for CVE-2018-0732 also addresses CVE-2018-0737.
• The fix for CVE-2018-1000180 also addresses CVE-2018-1000613 and CVE-2018-3246.
• The fix for CVE-2018-1275 also addresses CVE-2018-1258, CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.
• The fix for CVE-2018-14718 also addresses CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 6 new security fixes for Oracle Health Sciences Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-1258	Oracle Health Sciences Information Manager	Health Policy Engine (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.0
CVE-2018-1258	Oracle Healthcare Master Person Index	Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.0, 4.0
CVE-2019-2430	Oracle Argus Safety	Console	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.1, 8.2
CVE-2019-2431	Oracle Argus Safety	Console	HTTP	Yes	6.1	Network	High	None	Required	Changed	None	High	None	8.1, 8.2
CVE-2015-9251	Oracle Healthcare Foundation	Install (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.1, 7.2
CVE-2019-2432	Oracle Argus Safety	Login	HTTP	No	4.9	Network	High	Low	None	Changed	Low	Low	None	8.1, 8.2

Additional CVEs addressed are below:

• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Hospitality Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-5684	Oracle Hospitality Cruise Fleet Management	Corporate Access Module (Freeimage)	None	No	7.8	Local	Low	None	Required	Un- changed	High	High	High	9.0.10
CVE-2016-5684	Oracle Hospitality Cruise Shipboard Property Management System	SPMS Shared Libraries (Freeimage)	None	No	7.8	Local	Low	None	Required	Un- changed	High	High	High	8.0.8
CVE-2019-2411	Oracle Hospitality Cruise Shipboard Property Management System	SPMS Suite	TCP	No	7.6	Network	Low	Low	Required	Changed	None	Low	High	8.0.8
CVE-2019-2409	Oracle Hospitality Cruise Shipboard Property Management System	SPMS Suite	None	No	7.3	Local	Low	Low	Required	Changed	Low	Low	High	8.0.8
CVE-2019-2410	Oracle Hospitality Cruise Shipboard Property Management System	DGS RES Online, FMS Sender, FMS Receiver, OHC WPF Security	None	No	5.1	Local	Low	None	None	Un- changed	Low	Low	None	8.0.8

Additional CVEs addressed are below:

• The fix for CVE-2016-5684 also addresses CVE-2015-0852.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Hyperion. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2415	Hyperion BI+	Foundation UI & Servlets	HTTP	No	4.3	Network	Low	High	Required	Un- changed	Low	Low	Low	11.1.2.4

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Insurance Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-1258	Oracle Insurance Calculation Engine	Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	10.2
CVE-2018-1258	Oracle Insurance Rules Palette	Core (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	10.0, 10.2
CVE-2018-8013	Oracle Insurance Policy Administration J2EE	User Interface (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	10.0, 10.2
CVE-2015-9251	Oracle Insurance Insbridge Rating and Underwriting	Framework (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.2, 5.4, 5.5
CVE-2017-14735	Oracle Insurance Policy Administration J2EE	Core (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.0, 10.2

Additional CVEs addressed are below:

• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 5 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application (in Java SE 8) has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of “High”, lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2540	Java Advanced Management Console	Server	Multiple	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	Java Advanced Management Console: 2.12
CVE-2018-11212	Java SE	ImageIO (libjpeg)	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 7u201, 8u192, 11.0.1; Java SE Embedded: 8u191	See Note 1
CVE-2019-2426	Java SE	Networking	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 7u201, 8u192, 11.0.1; Java SE Embedded: 8u191	See Note 1
CVE-2019-2449	Java SE	Deployment	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	None	None	Low	Java SE: 8u192	See Note 2
CVE-2019-2422	Java SE	Libraries	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Java SE: 7u201, 8u192, 11.0.1; Java SE Embedded: 8u191	See Note 2

Notes:

1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
2. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle JD Edwards Products. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-8013	JD Edwards EnterpriseOne Tools	Web Runtime SEC (Apache Batik)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.2
CVE-2018-0732	JD Edwards World Security	Security (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	A9.3, A9.3.1, A9.4

Additional CVEs addressed are below:

• The fix for CVE-2018-0732 also addresses CVE-2017-3738, CVE-2018-0733, CVE-2018-0737 and CVE-2018-0739.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 30 new security fixes for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-10933	MySQL Workbench	MySQL Workbench (libssh)	MySQL Workbench	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	8.0.13 and prior
CVE-2019-2435	MySQL Connectors	Connector/Python	TLS	Yes	8.1	Network	Low	None	Required	Un- changed	High	High	None	8.0.13 and prior, 2.1.8 and prior
CVE-2018-0732	MySQL Workbench	MySQL Workbench (OpenSSL)	MySQL Workbench	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2534	MySQL Server	Server: Replication	MySQL Protocol	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2533	MySQL Server	Server : Security : Privileges	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	8.0.13 and prior
CVE-2019-2529	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2482	MySQL Server	Server: PS	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2434	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2455	MySQL Server	Server: Parser	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2503	MySQL Server	Server: Connection Handling	MySQL Protocol	No	6.4	Adjacent Network	High	Low	None	Un- changed	High	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2436	MySQL Server	Server: Replication	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	8.0.13 and prior
CVE-2018-0734	MySQL Server	Server: Packaging (OpenSSL)	MySQL Protocol	No	5.1	Local	High	None	None	Un- changed	High	None	None	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2536	MySQL Server	Server: Packaging	MySQL Protocol	No	5.0	Local	High	High	Required	Changed	None	None	High	8.0.13 and prior
CVE-2019-2502	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2510	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2539	MySQL Server	Server: Connection	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2494	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2495	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2537	MySQL Server	Server: DDL	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2420	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2481	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2507	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2530	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2528	MySQL Server	Server: Partition	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2531	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
CVE-2019-2486	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2532	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.24 and prior, 8.0.13 and prior
CVE-2019-2535	MySQL Server	Server: Options	MySQL Protocol	No	4.1	Local	High	High	None	Un- changed	None	None	High	8.0.13 and prior
CVE-2019-2513	MySQL Server	Shell	None	No	2.5	Local	High	Low	Required	Changed	Low	None	None	8.0.13 and prior
CVE-2018-0732	MySQL Enterprise Monitor	Monitoring: General (OpenSSL)	None	No	0.0	Local	Low	None	None	Un- changed	None	None	None	8.0.13 and prior, 4.0.7 and prior	See Note 1

Notes:

1. MySQL Enterprise Monitor is not vulnerable to this CVE because it does not use the TLS functionality included in OpenSSL. The CVSS v3.0 Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.

Additional CVEs addressed are below:

• The fix for CVE-2018-0732 also addresses CVE-2018-0737.
• The fix for CVE-2018-0734 also addresses CVE-2018-5407.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 20 new security fixes for Oracle PeopleSoft Products. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2416	PeopleSoft Enterprise PeopleTools	Application Server	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.55, 8.56, 8.57
CVE-2018-1000300	PeopleSoft Enterprise PeopleTools	File Processing (cURL)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	8.55, 8.56, 8.57
CVE-2019-2405	PeopleSoft Enterprise PeopleTools	Security	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	8.55, 8.56, 8.57
CVE-2018-0732	PeopleSoft Enterprise PeopleTools	Security (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.55, 8.56, 8.57
CVE-2019-2433	PeopleSoft Enterprise PeopleTools	XML Publisher	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.55, 8.56, 8.57
CVE-2019-2443	PeopleSoft Enterprise PeopleTools	XML Publisher	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.55, 8.56, 8.57
CVE-2019-2417	PeopleSoft Enterprise PeopleTools	Performance Monitor	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2421	PeopleSoft Enterprise HCM eProfile Manager Desktop	Guided Self Service	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2442	PeopleSoft Enterprise PeopleTools	Fluid Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2015-9251	PeopleSoft Enterprise PeopleTools	Mobile Application Platform (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2423	PeopleSoft Enterprise PeopleTools	PIA Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2499	PeopleSoft Enterprise PeopleTools	PIA Search Functionality	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2439	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2471	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.55, 8.56, 8.57
CVE-2019-2519	PeopleSoft Enterprise SCM eProcurement	Manage Requisition Status	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2019-2419	PeopleSoft Enterprise CC Common Application Objects	Form and Approval Builder	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	9.2	See Note 1
CVE-2019-2404	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.55, 8.56, 8.57
CVE-2019-2490	PeopleSoft Enterprise PeopleTools	Panel Processor	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	8.55, 8.56, 8.57
CVE-2019-2408	PeopleSoft Enterprise PeopleTools	Feeds	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	8.55, 8.56, 8.57
CVE-2019-2493	PeopleSoft Enterprise CS Campus Community	Frameworks	HTTP	Yes	3.1	Network	High	None	Required	Un- changed	None	Low	None	9.0, 9.2

Notes:

1. This Enterprise Common Component is used by all PeopleSoft Application products. Please refer to the MOS Note Doc ID 2493366.1 for patch information.

Additional CVEs addressed are below:

• The fix for CVE-2018-0732 also addresses CVE-2018-0737.
• The fix for CVE-2018-1000300 also addresses CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 and CVE-2018-1000301.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 16 new security fixes for Oracle Retail Applications. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-1000031	Oracle Retail Back Office	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.3, 13.4, 14.0, 14.1
CVE-2016-1000031	Oracle Retail Central Office	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.3, 13.4, 14.0, 14.1
CVE-2016-1000031	Oracle Retail Returns Management	Security (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.3, 13.4, 14.0, 14.1
CVE-2016-1000031	Oracle Retail Service Backbone	Install (Apache Commons FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.1, 13.2, 14.0, 14.1, 15.0, 16.0
CVE-2017-7658	Oracle Retail Xstore Payment	Security (Jetty)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.3
CVE-2018-1258	Oracle Retail Customer Insights	Other (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	15.0, 16.0
CVE-2018-3311	Oracle Retail Xstore Payment	Security	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	3.3
CVE-2018-1000180	Oracle Retail Convenience and Fuel POS Software	Point of Sale (Bouncy Castle Java Library)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	2.8.1
CVE-2018-8013	Oracle Retail Integration Bus	RIB Kernel (Apache Batik)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	17.0
CVE-2018-3125	Oracle Retail Merchandising System	Security (SQL Logger)	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	14.1
CVE-2017-14735	Oracle Retail Back Office	Security (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.3, 13.4, 14.0, 14.1
CVE-2017-14735	Oracle Retail Central Office	Security (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.3, 13.4, 14.0, 14.1
CVE-2015-9251	Oracle Retail Customer Insights	Other (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0, 16.0
CVE-2017-14735	Oracle Retail Returns Management	Security (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	13.3, 13.4, 14.0, 14.1
CVE-2015-9251	Oracle Retail Sales Audit	Operational Insights (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	15.0
CVE-2015-9251	Oracle Retail Workforce Management Software	Framework (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	1.60.9, 1.64.0

Additional CVEs addressed are below:

• The fix for CVE-2018-1000180 also addresses CVE-2018-1000613.
• The fix for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
• The fix for CVE-2018-3311 also addresses CVE-2015-4760.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Siebel CRM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-9206	Siebel UI Framework	UIF Open UI (jQuery FileUpload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	18.10, 18.11

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 11 new security fixes for the Oracle Sun Systems Products Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5645	Tape Library ACSLS	Software (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.4
CVE-2018-1275	Tape Library ACSLS	Software (Spring Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.4
CVE-2016-0635	Tape Library ACSLS	Software (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.4
CVE-2019-2541	Oracle Solaris	DHCP Client	DHCP	Yes	7.5	Adjacent Network	High	None	None	Un- changed	High	High	High	10
CVE-2019-2437	Oracle Solaris	Kernel	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	11
CVE-2019-2412	Sun ZFS Storage Appliance Kit (AK)	Object Store	None	No	6.4	Local	High	High	None	Un- changed	High	High	High	prior to 8.8.2
CVE-2018-3646	Oracle Solaris	Kernel	None	No	5.6	Local	High	Low	None	Changed	High	None	None	11
CVE-2018-3639	Oracle Solaris	Kernel	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	11
CVE-2019-2543	Oracle Solaris	Kernel	KSSL	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	10, 11
CVE-2019-2544	Oracle Solaris	Kernel	None	No	4.0	Local	Low	None	None	Un- changed	Low	None	None	10, 11
CVE-2019-2545	Oracle Solaris	LDoms IO	None	No	4.0	Local	Low	None	None	Un- changed	None	None	Low	10, 11

Additional CVEs addressed are below:

• The fix for CVE-2018-1275 also addresses CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272.

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 5 new security fixes for the Oracle Supply Chain Products Suite. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2015-8965	Oracle Agile PLM	Gantt Chart (JViews)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2018-0732	Oracle Agile Engineering Data Management	Install (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	6.1.3, 6.2.0, 6.2.1
CVE-2019-2487	Oracle Transportation Management	UI Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	6.3.7, 6.4.1, 6.4.2, 6.4.3
CVE-2017-14735	Oracle Agile PLM	Security (AntiSamy)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.3.4, 9.3.5
CVE-2015-9251	Oracle Agile Product Lifecycle Management for Process	Supplier Portal (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0, 6.2.3.1

Additional CVEs addressed are below:

• The fix for CVE-2018-0732 also addresses CVE-2018-0737.

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Support Tools. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2018-0732	OSS Support Tools	Services Tools Bundle (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	prior to 19.1

Additional CVEs addressed are below:

• The fix for CVE-2018-0732 also addresses CVE-2018-0737.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Utilities Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-4000	Oracle Utilities Network Management System	System wide (Jython)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.12.0.3, 2.3.0.0, 2.3.0.1, 2.3.0.2
CVE-2015-9251	Oracle Utilities Framework	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	4.3.0.1-4.3.0.4

Additional CVEs addressed are below:

• The fix for CVE-2016-4000 also addresses CVE-2018-1000180 and CVE-2018-1000613.

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 30 new security fixes for Oracle Virtualization. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2019-2500	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2524	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2552	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2018-3309	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	prior to 5.2.22
CVE-2019-2520	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2521	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2522	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2523	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2526	Oracle VM VirtualBox	Core	None	No	7.8	Local	High	Low	None	Changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2548	Oracle VM VirtualBox	Core	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	prior to 5.2.24, prior to 6.0.2
CVE-2018-11763	Oracle Secure Global Desktop (SGD)	Web Server (Apache HTTP Server)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	5.4
CVE-2019-2511	Oracle VM VirtualBox	Core	SOAP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2508	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2509	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	prior to 5.2.24, prior to 6.0.2
CVE-2019-2527	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	prior to 5.2.26, prior to 6.0.4
CVE-2019-2450	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2451	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2555	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2554	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2556	Oracle VM VirtualBox	Core	None	No	6.5	Local	Low	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2018-11784	Oracle Secure Global Desktop (SGD)	Application Server (Apache Tomcat)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.4
CVE-2018-0734	Oracle VM VirtualBox	Core (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	prior to 5.2.24, prior to 6.0.0
CVE-2019-2525	Oracle VM VirtualBox	Core	None	No	5.6	Local	High	Low	None	Changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2446	Oracle VM VirtualBox	Core	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2448	Oracle VM VirtualBox	Core	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2501	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2504	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2505	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2506	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	prior to 5.2.24, prior to 6.0.2
CVE-2019-2553	Oracle VM VirtualBox	Core	None	No	3.8	Local	Low	Low	None	Changed	Low	None	None	prior to 5.2.24, prior to 6.0.2

Additional CVEs addressed are below:

• The fix for CVE-2018-0734 also addresses CVE-2018-0735 and CVE-2018-5407.

Related:

• No Related Posts