Oracle Critical Patch Update Advisory – October 2014

Appendix – Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 31 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 3 of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Java VM and SQLJ are components of the database that are installed by default. JPublisher is not installed by default; however, there are server-side components of JPublisher that are installed in the database by default.

Oracle Database Server Risk Matrix

Columns Base Score through Availability give the CVSS VERSION 2.0 RISK (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-6546 | JPublisher | Oracle Net | Create Session | No | 9.0 | Network | Low | Single | Complete | Complete | Complete | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | See Note 1 |
| CVE-2014-6467 | Java VM | Oracle Net | Create Session | No | 9.0 | Network | Low | Single | Complete | Complete | Complete | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | See Note 1 |
| CVE-2014-6545 | Java VM | Oracle Net | Create Session | No | 9.0 | Network | Low | Single | Complete | Complete | Complete | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | See Note 1 |
| CVE-2014-6453 | Java VM | Oracle Net | Create Session | No | 9.0 | Network | Low | Single | Complete | Complete | Complete | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | See Note 1 |
| CVE-2014-6560 | Java VM | Oracle Net | Create Session | No | 9.0 | Network | Low | Single | Complete | Complete | Complete | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | See Note 1 |
| CVE-2014-6455 | SQLJ | Oracle Net | Create Session | No | 9.0 | Network | Low | Single | Complete | Complete | Complete | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | See Note 1 |
| CVE-2014-6537 | Java VM | Oracle Net | Create Session | No | 6.5 | Network | Low | Single | Partial | Partial | Partial | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-6483 | Application Express | HTTP | Create Session | No | 6.0 | Network | Medium | Single | Partial | Partial | Partial | All releases prior to 4.2.6 | |
| CVE-2014-0050 | Application Express | HTTP | None | Yes | 5.0 | Network | Low | None | None | None | Partial | All releases prior to 4.2.6 | |
| CVE-2014-6547 | JPublisher | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-4293 | JPublisher | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-4292 | JPublisher | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-4291 | JPublisher | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-4290 | JPublisher | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-4297 | JPublisher | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-4296 | JPublisher | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-6477 | JPublisher | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-4310 | JPublisher | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-6538 | Java VM | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-4295 | Java VM | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-4294 | Java VM | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-6563 | Java VM | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-6542 | SQLJ | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-4298 | SQLJ | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-4299 | SQLJ | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-4300 | SQLJ | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-6452 | SQLJ | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-6454 | SQLJ | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2014-6544 | JDBC | Oracle Net | Create Session | No | 3.6 | Network | High | Single | Partial | Partial | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 | |
| CVE-2014-4289 | JDBC | Oracle Net | Create Session | No | 3.6 | Network | High | Single | Partial | Partial | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 | |
| CVE-2014-2478 | Core RDBMS | Oracle Net | None | Yes | 2.6 | Network | High | None | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 | |

Notes:

  1. These vulnerabilities have a CVSS score of 9.0 on Windows, where the confidentiality, integrity and availability impacts are Complete. On non-Windows platforms they have a CVSS score of 6.5, and the confidentiality, integrity and availability impacts are Partial+.

Oracle Database Server Client-Only Installations

The following Oracle Database Server vulnerabilities included in this Critical Patch Update affect client-only installations: CVE-2014-6544 and CVE-2014-4289.

Appendix – Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 18 new security fixes for Oracle Fusion Middleware. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the October 2014 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2014 Patch Availability Document for Oracle Products, My Oracle Support Note 1912224.1.

Oracle Fusion Middleware Risk Matrix

Columns Base Score through Availability give the CVSS VERSION 2.0 RISK (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-0114 | Oracle Adaptive Access Manager | HTTP | OAAM Server (Struts based) | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2 | |
| CVE-2014-0114 | Oracle Enterprise Data Quality | HTTP | Launchpad (Struts based) | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 8.1.2, 9.0.11 | |
| CVE-2014-0114 | Oracle Identity Manager | HTTP | OIM Legacy UI (Struts based) | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2 | |
| CVE-2013-1741 | Oracle OpenSSO | HTTPS | Web Agents | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 3.0-04 | See Note 1 |
| CVE-2014-0224 | Oracle Endeca Information Discovery Studio | HTTP | Studio | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 3.1 | See Note 2 |
| CVE-2014-6499 | Oracle WebLogic Server | HTTP | WebLogic Tuxedo Connector | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0 | See Note 3 |
| CVE-2014-0114 | Oracle WebLogic Server | HTTP | WLS-Console (Struts based) | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0 | |
| CVE-2014-6553 | Oracle Access Manager | HTTP | Admin Console | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 11.1.1.5, 11.1.1.7 | |
| CVE-2014-6554 | Oracle Access Manager | HTTP | Admin Console | No | 5.5 | Network | Low | Single | Partial | Partial | None | 11.1.2.1, 11.1.2.2 | |
| CVE-2014-0050 | Oracle Endeca Information Discovery Studio | HTTP | Studio | Yes | 5.0 | Network | Low | None | None | None | Partial | 2.2.2, 2.3, 2.4, 3.0, 3.1 | See Note 4 |
| CVE-2014-6552 | Oracle Access Manager | HTTP | Admin Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2 | |
| CVE-2014-6462 | Oracle Access Manager | HTTP | Admin Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.1.2.1, 11.1.2.2 | |
| CVE-2014-0119 | Oracle Enterprise Data Quality | HTTP | Internal Operations | Yes | 4.3 | Network | Medium | None | Partial | None | None | 8.1.2, 9.0.11 | See Note 5 |
| CVE-2014-2880 | Oracle Identity Manager | HTTP | User Management | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2 | |
| CVE-2014-6522 | Oracle JDeveloper | HTTP | ADF Faces | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.1.1.7, 11.1.2.4, 12.1.2.0, 12.1.3.0 | |
| CVE-2014-6534 | Oracle WebLogic Server | HTTP | WLS Console | No | 4.0 | Network | Low | Single | None | Partial | None | 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0 | |
| CVE-2014-6487 | Oracle Identity Manager | HTTP | End User Self Service | No | 3.5 | Network | Medium | Single | None | Partial | None | 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2 | |
| CVE-2014-0114 | Oracle JDeveloper | HTTP | ADF Controllers (Struts based) | Yes | 0.0 | Network | Low | None | None | None | None | 10.1.3.5, 11.1.1.7, 11.1.2.4, 12.1.2.0, 12.1.3.0 | See Note 6 |

Notes:

  1. This fix also addresses CVE-2013-1739, CVE-2013-1740, CVE-2013-5605, CVE-2013-5606, CVE-2014-1490, CVE-2014-1491 and CVE-2014-1492.
  2. This fix also addresses CVE-2014-3470, CVE-2010-5298, CVE-2014-0221, CVE-2014-0195 and CVE-2014-0198.
  3. Please refer to My Oracle Support Note (Doc ID) 1930466.1 for instructions on how to address this issue.
  4. This fix also addresses CVE-2013-4286, CVE-2013-4322, CVE-2013-4590 and CVE-2014-0033.
  5. This fix also addresses CVE-2013-4286, CVE-2013-4322, CVE-2013-4590, CVE-2014-0033, CVE-2014-0050, CVE-2014-0075, CVE-2014-0095 and CVE-2014-0096.
  6. Please refer to My Oracle Support Note (Doc ID) 1926728.1 for instructions on how to address this issue. This fix also addresses CVE-2014-0050.

Appendix – Oracle Enterprise Manager Grid Control

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Enterprise Manager Grid Control. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2014 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2014 Patch Availability Document for Oracle Products, My Oracle Support Note 1912224.1.

Oracle Enterprise Manager Grid Control Risk Matrix

Columns Base Score through Availability give the CVSS VERSION 2.0 RISK (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-6557 | Application Performance Management | HTTP | End User Experience Management | No | 4.9 | Network | Medium | Single | Partial | Partial | None | All releases prior to 12.1.0.6.2 | |
| CVE-2014-6488 | Enterprise Manager for Oracle Database | HTTP | Content Management | No | 2.1 | Network | High | Single | None | Partial | None | EM Base Platform: 10.2.0.5, 11.1.0.1; EM DB Control: 11.1.0.7, 11.2.0.3, 11.2.0.4; EM Plugin for DB: 12.1.0.4, 12.1.0.5, 12.1.0.6 | |

Appendix – Oracle Applications

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 10 new security fixes for the Oracle E-Business Suite. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2014 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (October 2014), My Oracle Support Note 1923805.1.

Oracle E-Business Suite Risk Matrix

Columns Base Score through Availability give the CVSS VERSION 2.0 RISK (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-4278 | Oracle Applications Technology Stack | HTTP | Oracle Forms | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 12.0.6, 12.1.3, 12.2.2, 12.2.3, 12.2.4 | See Note 1 |
| CVE-2014-6539 | Oracle Applications Framework | HTTP | LOV | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, 12.2.4 | |
| CVE-2014-6472 | Oracle Applications Framework | HTTP | LOV | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, 12.2.4 | |
| CVE-2014-4281 | Oracle Applications Framework | HTTP | Portal Integration | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.3, 12.2.2, 12.2.3, 12.2.4 | |
| CVE-2014-6471 | Oracle Applications Manager | HTTP | OAM Diagnostics | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.0.6, 12.1.3, 12.2.2, 12.2.3, 12.2.4 | |
| CVE-2014-6550 | Oracle Applications Object Library | HTTP | iHelp | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.5.10.2 | |
| CVE-2014-4285 | Oracle Applications Technology | HTTP | Reports Configuration | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.5.10.2 | |
| CVE-2014-6561 | Oracle Payments | HTTP | Separate Remittance Advice | Yes | 4.3 | Network | Medium | None | Partial | None | None | 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, 12.2.4 | |
| CVE-2014-6523 | Oracle Applications Framework | HTTP | REST Interface | No | 4.0 | Network | Low | Single | Partial | None | None | 12.1.3, 12.2.2, 12.2.3, 12.2.4 | |
| CVE-2014-6479 | Oracle Applications Technology | HTTP | OC4J Configuration | No | 4.0 | Network | Low | Single | Partial | None | None | 11.5.10.2, 12.0.6, 12.1.3 | |

Notes:

  1. This is an Oracle E-Business Suite specific fix in Oracle Fusion Middleware.

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle Supply Chain Products Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

Columns Base Score through Availability give the CVSS VERSION 2.0 RISK (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-6533 | Oracle Transportation Management | HTTP | Security | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 6.1, 6.2 | |
| CVE-2014-6498 | Oracle Transportation Management | HTTP | Security | Yes | 5.0 | Network | Low | None | Partial | None | None | 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5 | |
| CVE-2014-6461 | Agile PLM | HTTP | Roles & Privileges | No | 4.9 | Network | Medium | Single | Partial+ | Partial+ | None | 9.3.1.2 | |
| CVE-2014-6543 | Agile PLM | HTTP | ITEM (Item & BOM) | No | 3.6 | Network | High | Single | Partial | Partial | None | 9.3.3 | |
| CVE-2014-6536 | Agile PLM | HTTP | Security | No | 3.5 | Network | Medium | Single | None | Partial | None | 9.3.3 | |

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 5 new security fixes for Oracle PeopleSoft Products. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

Columns Base Score through Availability give the CVSS VERSION 2.0 RISK (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-6535 | PeopleSoft Enterprise PeopleTools | HTTP | SECURITY | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 8.52, 8.53, 8.54 | |
| CVE-2014-6460 | PeopleSoft Enterprise PeopleTools | HTTP | QUERY | No | 4.9 | Network | Medium | Single | Partial+ | Partial+ | None | 8.52, 8.53, 8.54 | |
| CVE-2014-6486 | PeopleSoft Enterprise HRMS | HTTPS | Talent Acquisition Manager – Security | No | 4.0 | Network | Low | Single | None | Partial | None | 9.2 | |
| CVE-2014-6482 | PeopleSoft Enterprise PT PeopleTools | HTTP | Updates Change Assistant | No | 4.0 | Network | Low | Single | None | Partial | None | 8.53, 8.54 | |
| CVE-2014-6475 | PeopleSoft Enterprise PeopleTools | HTTP | Security | No | 3.5 | Network | Medium | Single | Partial | None | None | 8.52, 8.53, 8.54 | |

Oracle JD Edwards Products Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle JD Edwards Products. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle JD Edwards Products Risk Matrix

Columns Base Score through Availability give the CVSS VERSION 2.0 RISK (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-6516 | JD Edwards EnterpriseOne Tools | HTTP | Installation SEC | No | 4.3 | Local | Low | Single | Partial+ | Partial+ | Partial+ | 8.98 | |

Appendix – Oracle Industry Applications

Oracle Communications Applications Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Communications Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

Columns Base Score through Availability give the CVSS VERSION 2.0 RISK (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-0114 | Oracle Communications MetaSolv Solution | HTTP | Infrastructure, LSR, ASR (Struts based) | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | MetaSolv Solution: 6.2.1.0.0; LSR: 9.4.0, 10.1.0; ASR: 49.0.0 | |
| CVE-2014-6465 | Oracle Communications Session Border Controller | TCP/TLS | Lawful Intercept | No | 6.3 | Network | Medium | Single | None | None | Complete | SCX640m5 | |

Oracle Retail Applications Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Retail Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Retail Applications Risk Matrix

Columns Base Score through Availability give the CVSS VERSION 2.0 RISK (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-0114 | Oracle Retail Allocation | HTTP | General application (Struts based) | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 10.0, 11.0, 12.0, 13.0, 13.1, 13.2 | |
| CVE-2014-0114 | Oracle Retail Clearance Optimization Engine | HTTP | General application (Struts based) | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 13.3, 13.4, 14.0 | |
| CVE-2014-0114 | Oracle Retail Invoice Matching | HTTP | General application (Struts based) | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 11.0, 12.0, 12.0 IN, 12.1, 13.0, 13.1, 13.2, 14.0 | |
| CVE-2014-0114 | Oracle Retail Markdown Optimization | HTTP | General application (Struts based) | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 12.0, 13.0, 13.1, 13.2, 13.4 | |

Oracle Health Sciences Applications Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle Health Sciences Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Health Sciences Applications Risk Matrix

Columns Base Score through Availability give the CVSS VERSION 2.0 RISK (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-0050 | Oracle Health Sciences Empirica Inspections | HTTP | Tomcat, FileUpload | Yes | 5.0 | Network | Low | None | None | None | Partial | 1.0.1.0 and prior | See Note 1 |
| CVE-2014-0050 | Oracle Health Sciences Empirica Signal | HTTP | Tomcat, FileUpload | Yes | 5.0 | Network | Low | None | None | None | Partial | 7.3.3.3 and prior | See Note 1 |
| CVE-2014-0050 | Oracle Health Sciences Empirica Study | HTTP | Tomcat, FileUpload | Yes | 5.0 | Network | Low | None | None | None | Partial | 3.1.2.0 and prior | See Note 1 |

Notes:

  1. This fix also addresses CVE-2013-4286, CVE-2013-4322, CVE-2013-4590 and CVE-2014-0033.

Appendix – Oracle Primavera Products Suite

Oracle Primavera Products Suite Executive Summary

This Critical Patch Update contains 2 new security fixes for the Oracle Primavera Products Suite. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Primavera Products Suite Risk Matrix

Columns Base Score through Availability give the CVSS VERSION 2.0 RISK (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-0114 | Primavera Contract Management | HTTP | Web Access (Struts based) | No | 6.5 | Network | Low | Single | Partial | Partial | Partial | 13.1, 14.0 | |
| CVE-2014-0114 | Primavera P6 Enterprise Project Portfolio Management | HTTP | Web Access (Struts based) | No | 6.5 | Network | Low | Single | Partial | Partial | Partial | 7.0, 8.0, 8.1, 8.2, 8.3 | |

Appendix – Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 25 new security fixes for Oracle Java SE. 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.


The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Partial” instead of “Complete”, lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.
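Database Note 1 above and this paragraph describe the same CVSS v2.0 arithmetic: the three impact metrics drop from Complete to Partial while the exploitability metrics stay fixed. The Python below is an added illustration, not part of Oracle's advisory; it implements the CVSS v2.0 base-score equation and reproduces the 9.0 to 6.5 and 10.0 to 7.5 changes the advisory cites, using vector strings constructed here from the matrices' column values (the advisory itself prints scores, not vectors).

```python
"""CVSS v2.0 base-score arithmetic behind the advisory's risk matrices (added example)."""
from __future__ import annotations

import math

# Metric weights from the CVSS v2.0 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}        # Local, Adjacent Network, Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}     # High, Medium, Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}       # Multiple, Single, None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}               # None, Partial (and Partial+), Complete

METRIC_TABLES = {
    "AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
    "C": IMPACT, "I": IMPACT, "A": IMPACT,
}
METRIC_ORDER = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector: str) -> dict[str, str]:
    """Split 'AV:N/AC:L/Au:S/C:C/I:C/A:C' into {'AV': 'N', ...}, rejecting malformed input."""
    metrics: dict[str, str] = {}
    for part in vector.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in METRIC_TABLES or value not in METRIC_TABLES[name]:
            raise ValueError(f"malformed CVSS v2 metric {part!r} in {vector!r}")
        metrics[name] = value
    if set(metrics) != set(METRIC_ORDER):
        raise ValueError(f"vector must contain exactly {METRIC_ORDER}: {vector!r}")
    return metrics


def round_half_up(x: float) -> float:
    """Round to one decimal place, half up, as CVSS v2 scores are published."""
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base_score(vector: str) -> float:
    """BaseScore = round(((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact))."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176  # no impact on C, I or A scores 0.0 (cf. CVE-2014-0114 in JDeveloper)
    return round_half_up((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def with_partial_impacts(vector: str) -> str:
    """Rewrite each Complete impact as Partial: the non-administrator case the advisory describes."""
    m = parse_vector(vector)
    for name in ("C", "I", "A"):
        if m[name] == "C":
            m[name] = "P"
    return "/".join(f"{name}:{m[name]}" for name in METRIC_ORDER)


def privilege_dependent_scores(vector: str) -> tuple[float, float]:
    """Return (score with Complete impacts, score once those impacts become Partial)."""
    return cvss2_base_score(vector), cvss2_base_score(with_partial_impacts(vector))


if __name__ == "__main__":
    # Vectors constructed from the matrices' column values (Access Vector, Access Complexity,
    # Authentication, Confidentiality/Integrity/Availability); the advisory prints only the scores.
    cases = {
        "Java SE applet, administrator user (10.0 becomes 7.5)": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
        "Database Note 1, Create Session (9.0 becomes 6.5)":     "AV:N/AC:L/Au:S/C:C/I:C/A:C",
        "Java SE Deployment, medium complexity (9.3 becomes 6.8)": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
    }
    for label, vec in cases.items():
        admin, unprivileged = privilege_dependent_scores(vec)
        print(f"{label}: {vec} -> {admin}; {with_partial_impacts(vec)} -> {unprivileged}")
```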


Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.


My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products that include an Oracle Java SE JDK or JRE.

Oracle Java SE Risk Matrix

Columns Base Score through Availability give the CVSS VERSION 2.0 RISK (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-6513 | Java SE, Java SE Embedded | Multiple | AWT | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60 | See Note 1 |
| CVE-2014-6532 | Java SE | Multiple | Deployment | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 6u81, Java SE 7u67, Java SE 8u20 | See Note 1 |
| CVE-2014-6503 | Java SE | Multiple | Deployment | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 6u81, Java SE 7u67, Java SE 8u20 | See Note 1 |
| CVE-2014-6456 | Java SE | Multiple | Deployment | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u67, Java SE 8u20 | See Note 1 |
| CVE-2014-6562 | Java SE | Multiple | Libraries | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 8u20 | See Note 1 |
| CVE-2014-6485 | Java SE, JavaFX | Multiple | JavaFX | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 8u20, JavaFX 2.2.65 | See Note 1 |
| CVE-2014-6492 | Java SE | Multiple | Deployment | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | Java SE 6u81, Java SE 7u67, Java SE 8u20 | See Note 2 |
| CVE-2014-6493 | Java SE | Multiple | Deployment | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | Java SE 6u81, Java SE 7u67, Java SE 8u20 | See Note 1 |
| CVE-2014-4288 | Java SE | Multiple | Deployment | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | Java SE 6u81, Java SE 7u67, Java SE 8u20 | See Note 1 |
| CVE-2014-6466 | Java SE | None | Deployment | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | Java SE 6u81, Java SE 7u67, Java SE 8u20 | See Note 3 |
| CVE-2014-6458 | Java SE | None | Deployment | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | Java SE 6u81, Java SE 7u67, Java SE 8u20 | See Note 1 |
| CVE-2014-6468 | Java SE | None | Hotspot | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | Java SE 8u20 | See Note 6 |
| CVE-2014-6506 | Java SE, Java SE Embedded | Multiple | Libraries | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60 | See Note 1 |
| CVE-2014-6511 | Java SE | Multiple | 2D | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE 8u20 | See Note 1 |
| CVE-2014-6476 | Java SE | Multiple | Deployment | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 7u67, Java SE 8u20 | See Note 1 |
| CVE-2014-6515 | Java SE | SSL/TLS | Deployment | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 6u81, Java SE 7u67, Java SE 8u20 | See Note 1 |
| CVE-2014-6504 | Java SE, Java SE Embedded | Multiple | Hotspot | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE Embedded 7u60 | See Note 1 |
| CVE-2014-6519 | Java SE, Java SE Embedded | Multiple | Hotspot | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60 | See Note 1 |
| CVE-2014-6517 | Java SE, Java SE Embedded, JRockit | Multiple | JAXP | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60, JRockit R27.8.3, JRockit R28.3.3 | See Note 4 |
| CVE-2014-6531 | Java SE, Java SE Embedded | HTTP | Libraries | Yes | 4.3 | Network | Medium | None | Partial | None | None | Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60 | See Note 1 |
| CVE-2014-6512 | Java SE, Java SE Embedded, JRockit | Multiple | Libraries | Yes | 4.3 | Network | Medium | None | None | Partial | None | Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60, JRockit R27.8.3, JRockit R28.3.3 | See Note 4 |
| CVE-2014-6457 | Java SE, Java SE Embedded, JRockit | SSL/TLS | JSSE | Yes | 4.0 | Network | High | None | Partial | Partial | None | Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60, JRockit R27.8.3, JRockit R28.3.3 | See Note 5 |
| CVE-2014-6527 | Java SE | Multiple | Deployment | Yes | 2.6 | Network | High | None | None | Partial | None | Java SE 7u67, Java SE 8u20 | See Note 1 |
| CVE-2014-6502 | Java SE, Java SE Embedded | Multiple | Libraries | Yes | 2.6 | Network | High | None | None | Partial | None | Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60 | See Note 1 |
| CVE-2014-6558 | Java SE, Java SE Embedded, JRockit | Multiple | Security | Yes | 2.6 | Network | High | None | None | Partial | None | Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60, JRockit R27.8.3, JRockit R28.3.3 | See Note 4 |

Notes:

  1. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
  2. Applies to client deployment of Java on Firefox only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
  3. Applies to client deployment of Java on Internet Explorer only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
  4. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
  5. Applies to client and server deployment of JSSE.
  6. Applies to client and server deployment of Java. This vulnerability requires local access to the victim environment in order to plant the affected jar file. Once the affected jar file has been planted, this vulnerability can be triggered through sandboxed Java Web Start applications, sandboxed Java applets, and launching the affected application locally. It can also be triggered by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Appendix – Oracle Sun Systems Products Suite

Oracle Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 15 new security fixes for the Oracle Sun Systems Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Sun Systems Products Suite Risk Matrix

Columns Base Score through Availability give the CVSS VERSION 2.0 RISK (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-6508 | Solaris | TCP/IP | iSCSI Data Mover (IDM) | Yes | 7.8 | Network | Low | None | None | None | Complete | 10, 11 | |
| CVE-2014-4276 | Solaris | CIFS | Common Internet File System (CIFS) | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11 | |
| CVE-2014-4282 | Solaris | None | Kernel/X86 | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 11 | |
| CVE-2014-6473 | Solaris | None | Zone Framework | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 10, 11 | See Note 1 |
| CVE-2014-0224 | Fujitsu M10-1, Fujitsu M10-4, Fujitsu M10-4S servers | SSL/TLS | XCP | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | XCP prior to XCP2221 | |
| CVE-2014-6470 | Solaris | None | Archive Utility | No | 6.8 | Local | Low | Single | Complete | Complete | Complete | 11 | |
| CVE-2014-6529 | Solaris | None | Hermon HCA PCIe driver | No | 6.8 | Adjacent Network | High | None | Complete | Complete | Complete | 11 | |
| CVE-2014-4277 | Solaris | HTTP | Automated Install Engine | Yes | 5.0 | Network | Low | None | Partial | None | None | 11 | |
| CVE-2014-6490 | Solaris | SMB | SMB server user component | Yes | 5.0 | Network | Low | None | None | None | Partial | 11 | |
| CVE-2014-6497 | Solaris | None | Kernel | No | 4.9 | Local | Low | None | None | None | Complete | 11 | |
| CVE-2014-4275 | Solaris | None | SMB server kernel module | No | 4.9 | Local | Low | None | None | None | Complete | 11 | |
| CVE-2014-4280 | Solaris | None | IPS transfer module | No | 4.6 | Local | Low | None | Partial | Partial | Partial | 11 | |
| CVE-2014-4284 | Solaris | None | IPS transfer module | No | 4.4 | Local | Medium | None | Partial | Partial | Partial | 11 | |
| CVE-2014-4283 | Solaris | SSL/TLS | Automated Install Engine | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11 | |
| CVE-2014-6501 | Solaris | None | SSH | No | 2.1 | Local | Low | None | Partial | None | None | 11 | |

Notes:

  1. For Solaris 10, it only applies to SPARC systems with Solaris 8 and Solaris 9 branded zones.

Appendix – Oracle Linux and Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 7 new security fixes for Oracle Virtualization. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 2.0 RISK sub-columns, in order: Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability
CVE-2014-2472 Oracle Secure Global Desktop Multiple SGD Proxy Server (ttaauxserv) Yes 5.0 Network Low None None None Partial 5.0, 5.1
CVE-2014-2474 Oracle Secure Global Desktop Multiple SGD Proxy Server (ttaauxserv) Yes 5.0 Network Low None None None Partial 5.0, 5.1
CVE-2014-2475 Oracle Secure Global Desktop Multiple SGD Proxy Server (ttaauxserv) Yes 5.0 Network Low None None None Partial 4.63, 4.71, 5.0, 5.1
CVE-2014-2476 Oracle Secure Global Desktop Multiple SGD Proxy Server (ttaauxserv) Yes 5.0 Network Low None None None Partial 5.0, 5.1
CVE-2014-6459 Oracle Secure Global Desktop Multiple SGD Proxy Server (ttaauxserv) Yes 5.0 Network Low None None None Partial 5.0, 5.1
CVE-2014-2473 Oracle Secure Global Desktop Multiple SGD Proxy Server (ttaauxserv) and SGD SSL Daemon (ttassl) Yes 5.0 Network Low None None None Partial 5.0, 5.1
CVE-2014-6540 Oracle VM VirtualBox None Graphics driver (WDDM) for Windows guests No 1.9 Local Medium None None None Partial VirtualBox prior to 4.1.34, 4.2.26, 4.3.14

Appendix – Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 24 new security fixes for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 2.0 RISK sub-columns, in order: Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability
CVE-2014-6507 MySQL Server MySQL Protocol SERVER:DML No 8.0 Network Low Single Partial+ Partial+ Complete 5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6491 MySQL Server MySQL Protocol SERVER:SSL:yaSSL Yes 7.5 Network Low None Partial+ Partial+ Partial+ 5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6500 MySQL Server MySQL Protocol SERVER:SSL:yaSSL Yes 7.5 Network Low None Partial+ Partial+ Partial+ 5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6469 MySQL Server MySQL Protocol SERVER:OPTIMIZER No 6.8 Network Low Single None None Complete 5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-0224 MySQL Server MySQL Protocol SERVER:SSL:OpenSSL Yes 6.8 Network Medium None Partial Partial Partial 5.6.19 and earlier See Note 1
CVE-2014-6530 MySQL Server MySQL Protocol CLIENT:MYSQLDUMP No 6.5 Network Low Single Partial+ Partial+ Partial+ 5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6555 MySQL Server MySQL Protocol SERVER:DML No 6.5 Network Low Single Partial+ Partial+ Partial+ 5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6489 MySQL Server MySQL Protocol SERVER:SP No 5.5 Network Low Single None Partial Partial+ 5.6.19 and earlier
CVE-2012-5615 MySQL Server MySQL Protocol SERVER:PRIVILEGES AUTHENTICATION PLUGIN API Yes 5.0 Network Low None Partial None None 5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6559 MySQL Server MySQL Protocol C API SSL CERTIFICATE HANDLING Yes 4.3 Network Medium None Partial+ None None 5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6494 MySQL Server MySQL Protocol CLIENT:SSL:yaSSL Yes 4.3 Network Medium None None None Partial+ 5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6496 MySQL Server MySQL Protocol CLIENT:SSL:yaSSL Yes 4.3 Network Medium None None None Partial+ 5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6495 MySQL Server MySQL Protocol SERVER:SSL:yaSSL Yes 4.3 Network Medium None None None Partial 5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6478 MySQL Server MySQL Protocol SERVER:SSL:yaSSL Yes 4.3 Network Medium None None Partial None 5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-4274 MySQL Server MySQL Protocol SERVER:MyISAM No 4.1 Local Medium Single Partial+ Partial+ Partial+ 5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-4287 MySQL Server MySQL Protocol SERVER:CHARACTER SETS No 4.0 Network Low Single None None Partial+ 5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6520 MySQL Server MySQL Protocol SERVER:DDL No 4.0 Network Low Single None None Partial+ 5.5.38 and earlier
CVE-2014-6484 MySQL Server MySQL Protocol SERVER:DML No 4.0 Network Low Single None None Partial+ 5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6464 MySQL Server MySQL Protocol SERVER:INNODB DML FOREIGN KEYS No 4.0 Network Low Single None None Partial+ 5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6564 MySQL Server MySQL Protocol SERVER:INNODB FULLTEXT SEARCH DML No 4.0 Network Low Single None None Partial+ 5.6.19 and earlier
CVE-2014-6505 MySQL Server MySQL Protocol SERVER:MEMORY STORAGE ENGINE No 4.0 Network Low Single None None Partial+ 5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6474 MySQL Server Memcached SERVER:MEMCACHED No 3.5 Network Medium Single None None Partial+ 5.6.19 and earlier
CVE-2014-6463 MySQL Server MySQL Protocol SERVER:REPLICATION ROW FORMAT BINARY LOG DML No 3.3 Network Low Multiple None None Partial+ 5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6551 MySQL Server MySQL Protocol CLIENT:MYSQLADMIN No 2.1 Local Low None Partial None None 5.5.38 and earlier, 5.6.19 and earlier

Notes:

  1. This fix also addresses CVE-2010-5298, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221 and CVE-2014-3470.

Oracle Security Alert for CVE-2014-7169 – 26 September 2014

Oracle Security Alert for CVE-2014-7169

Description

This Security Alert addresses multiple publicly disclosed vulnerabilities affecting GNU Bash, specifically CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278. GNU Bash is a popular open source command line shell incorporated into Linux and other widely used operating systems. These vulnerabilities affect multiple Oracle products. These vulnerabilities may be remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password. A remote user can exploit these vulnerabilities to execute arbitrary code on systems that are running affected versions of Bash.

For this document, the vulnerabilities listed above will be referred to collectively as CVE-2014-7169.

Oracle is investigating and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against these vulnerabilities. This Security Alert and the product lists will be updated without additional emails being sent to customers and OTN Security Alerts subscribers. Thus, customers will need to check back for updates.

Due to the severity, public disclosure, and reports of active exploitation of CVE-2014-7169 and the related vulnerabilities, Oracle strongly recommends that customers apply the fixes provided by this Security Alert as soon as they are released by Oracle.


Affected Products and Versions

Please refer to Bash Vulnerabilities – CVE-2014-7169 for a list of Oracle products and versions that are affected by these vulnerabilities. That page will be updated when new information becomes available.

Patch Availability

Patch availability information related to these vulnerabilities can be found on the Bash Vulnerabilities – CVE-2014-7169 page. Note that in some instances, the instructions on this page or references from this page may include important steps to take before and after the application of the relevant patch.

Supported Products and Versions

Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities.

Products in Extended Support

Security Alert fixes are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to apply Security Alert fixes for products in the Extended Support Phase.

References

Modification History

Date Comments
2014-September-26 Rev 1. Initial Release
2014-September-27 Rev 2. Fixes available for Exalogic
2014-September-28 Rev 3. Tables modified for products affected with and without fixes
2014-September-29 Rev 4. Detailed product information moved to Bash Vulnerabilities – CVE-2014-7169
2014-September-30 Rev 5. Added additional CVEs to Solaris and Linux matrices

Appendix – Oracle Sun Systems Products Suite

Oracle Sun Systems Products Suite Executive Summary

This Security Alert contains 1 new security fix for the Oracle Sun Systems Products Suite. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Sun Systems Products Suite Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 2.0 RISK sub-columns, in order: Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability
CVE-2014-7169, CVE-2014-6271, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 Solaris Multiple Bash Yes 10.0 Network Low None Complete Complete Complete 8, 9, 10, 11 See Note 1

Notes:

  1. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169.

Appendix – Oracle Linux and Virtualization

Oracle Linux Executive Summary

This Security Alert contains 1 new security fix for Oracle Linux. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Linux Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 2.0 RISK sub-columns, in order: Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability
CVE-2014-7169, CVE-2014-6271, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 Oracle Linux Multiple Bash Yes 10.0 Network Low None Complete Complete Complete 4, 5, 6, 7 See Note 1

Notes:

  1. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169.

How to rebuild MS Agent Jobs from MSDB table?

This morning our DB server died.

They restored backups to another server but these didn’t include the many MS Agent jobs.

Anyway I have managed to get a backup of the old MSDB table where all the tables used to create MS Agent Jobs are held added to our new server.

Therefore I need a script to re-create them on the new server.

There must be a job somewhere in MS SQL to script them out, as you can do it from the management console. Therefore, if anyone knows of a script to do this, or where to find the MS one, please let me know.

As no manual backups were created a lot of jobs will be missing and people won’t know what to do to re-create them manually (which is why I think being able to add them to the nightly backup process would be good – I’m a webdev so it’s not my job – I just happen to be the only person around to do this lovely task).

Any help would be much appreciated.

Oracle Critical Patch Update Advisory – July 2014

Oracle Critical Patch Update Advisory – July 2014

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are generally cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 113 new security fixes across the product families listed below.

Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available at: http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF.

Please note that on April 18, 2014, Oracle released a Security Alert for CVE-2014-0160 OpenSSL “Heartbleed”. This Critical Patch Update includes an update to MySQL Enterprise Server 5.6 and this update includes a fix for vulnerability CVE-2014-0160. Customers of other Oracle products are strongly advised to apply the fixes that were announced in the Security Alert for CVE-2014-0160.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions Patch Availability
Oracle Database 11g Release 1, version 11.1.0.7 Database
Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4 Database
Oracle Database 12c Release 1, version 12.1.0.1 Database
Oracle Fusion Middleware 11g Release 1, version 11.1.1.7 Fusion Middleware
Oracle Fusion Middleware 12c Release 1, version 12.1.2.0 Fusion Middleware
Oracle Fusion Applications, versions 11.1.2 through 11.1.8 Fusion Applications
Oracle Glassfish Server, versions 2.1.1, 3.0.1, 3.1.2 Fusion Middleware
Oracle Traffic Director, version 11.1.1.7.0 Fusion Middleware
Oracle iPlanet Web Proxy Server, version 4.0.24 Fusion Middleware
Oracle iPlanet Web Server, versions 6.1, 7.0 Fusion Middleware
Oracle WebCenter Portal, versions 11.1.1.7.0, 11.1.1.8.0 Fusion Middleware
Oracle WebLogic Server, versions 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0 Fusion Middleware
Oracle JDeveloper, versions 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0 Fusion Middleware
Oracle BI Publisher, version 11.1.1.7 Fusion Middleware
Oracle Glassfish Communications Server, version 2.0 Fusion Middleware
Oracle HTTP Server, versions 11.1.1.7.0, 12.1.2.0 Fusion Middleware
Oracle Hyperion Essbase, versions 11.1.2.2, 11.1.2.3 Fusion Middleware
Oracle Hyperion BI+, versions 11.1.2.2, 11.1.2.3 Fusion Middleware
Oracle Hyperion Enterprise Performance Management Architect, versions 11.1.2.2, 11.1.2.3 Fusion Middleware
Oracle Hyperion Common Admin, versions 11.1.2.2, 11.1.2.3 Fusion Middleware
Oracle Hyperion Analytic Provider Services, versions 11.1.2.2, 11.1.2.3 Fusion Middleware
Oracle E-Business Suite Release 11i, version 11.5.10.2 E-Business Suite
Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.3, 12.2.2, 12.2.3 E-Business Suite
Oracle Transportation Management, versions 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4 Oracle Supply Chain
Oracle Agile Product Collaboration, version 9.3.3 Oracle Supply Chain
Oracle PeopleSoft Enterprise ELS Enterprise Learning Management, versions 9.1, 9.2 PeopleSoft
Oracle PeopleSoft Enterprise PT PeopleTools, versions 8.52, 8.53 PeopleSoft
Oracle PeopleSoft Enterprise FIN Install, versions 9.1, 9.2 PeopleSoft
Oracle PeopleSoft Enterprise SCM Purchasing, versions 9.1, 9.2 PeopleSoft
Oracle Siebel Travel & Transportation, versions 8.1.1, 8.2.2 Siebel
Oracle Siebel UI Framework, versions 8.1.1, 8.2.2 Siebel
Oracle Siebel Core – Server OM Frwks, versions 8.1.1, 8.2.2 Siebel
Oracle Siebel Core – EAI, versions 8.1.1, 8.2.2 Siebel
Oracle Communications Messaging Server, version 7.0.5.30.0 Oracle Communications Applications
Oracle Retail Back Office, versions 8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0 Retail
Oracle Retail Central Office, versions 8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0 Retail
Oracle Retail Returns Management, versions 2.0, 13.1, 13.2, 13.3, 13.4, 14.0 Retail
Oracle Java SE, versions 5.0u65, 6u75, 7u60, 8u5 Oracle Java SE
Oracle JRockit, versions R27.8.2, R28.3.2 Oracle Java SE
Oracle Solaris, versions 8, 9, 10, 11.1 Oracle and Sun Systems Products Suite
Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1 Oracle Linux and Virtualization
Oracle VM VirtualBox, versions prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.14 Oracle Linux and Virtualization
Oracle Virtual Desktop Infrastructure (VDI), versions prior to 3.5.1 Oracle Linux and Virtualization
Sun Ray Software, versions prior to 5.4.3 Oracle Linux and Virtualization
Oracle MySQL Server, versions 5.5, 5.6 Oracle MySQL Product Suite

Patch Availability Table and Risk Matrices

Products with Cumulative Patches

The Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Industry Applications, Primavera and Oracle VM patches in the Critical Patch Updates are cumulative. In other words, patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates. For more information about cumulative and non-cumulative patches, check the patch availability documents in the table below for the respective product groups.

Patch Availability Table

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update July 2014 Documentation Map, My Oracle Support Note 1662887.1.

Product Group Risk Matrix Patch Availability and Installation Information
Oracle Database Oracle Database Risk Matrix Patch Set Update and Critical Patch Update July 2014 Availability Document, My Oracle Support Note 1666884.1
Oracle Fusion Middleware Oracle Fusion Middleware Risk Matrix Patch Set Update and Critical Patch Update July 2014 Availability Document, My Oracle Support Note 1666884.1
Oracle Fusion Applications Oracle Database Risk Matrix and Oracle Fusion Middleware Risk Matrix Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document (July 2014) My Oracle Support Note 1907352.1 for information on patches to be applied to Fusion Application environments.
Oracle Hyperion Oracle Hyperion Risk Matrix Patch Set Update and Critical Patch Update July 2014 Availability Document, My Oracle Support Note 1666884.1
Oracle E-Business Suite Oracle E-Business Suite Risk Matrix Critical Patch Update Knowledge Document for Oracle E-Business Suite My Oracle Support Note 1668237.1
Oracle Applications – PeopleSoft Enterprise, Siebel CRM, Oracle Supply Chain Product Suite Oracle PeopleSoft Enterprise Risk Matrix, Oracle Siebel CRM Risk Matrix, Oracle Supply Chain Risk Matrix Critical Patch Update Knowledge Document for PeopleSoft Enterprise, Siebel Core, and Oracle Supply Chain Products Suite My Oracle Support Note 1684873.1
Oracle Communications Applications Oracle Communications Messaging Server Risk Matrix Critical Patch Update Knowledge Document for Oracle Communications Messaging Server My Oracle Support Note 1906392.1
Oracle Retail Industry Suite Oracle Retail Applications Risk Matrix Critical Patch Update July 2014 Patch Delivery Document for Oracle Retail Products, My Oracle Support Note 1684864.1
Oracle Java SE Oracle SE Risk Matrix
  • Critical Patch Update July 2014 Patch Availability Document for Java SE, My Oracle Support Note 1900468.1
  • Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
  • The latest JavaFX release is included with the latest update of JDK and JRE 7 and 8.
Oracle and Sun Systems Products Suite Oracle and Sun Systems Products Suite Risk Matrix Critical Patch Update July 2014 Patch Delivery Document for Oracle and Sun Systems Product Suite, My Oracle Support Note 1900373.1
Oracle Linux and Virtualization Products Oracle Linux and Virtualization Products Risk Matrix Patch Set Update and Critical Patch Update July 2014 Availability Document, My Oracle Support Note 1684947.1
Oracle MySQL Oracle MySQL Risk Matrix Critical Patch Update July 2014 Patch Availability Document for Oracle MySQL Products, My Oracle Support Note 1684603.1


Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is available here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. Italics indicate vulnerabilities in code included from other product areas.

Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.
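As an added worked example (not Oracle's code and not part of the advisory), the following Python recomputes CVSS v2.0 base scores from the six metric columns that every risk matrix on this page carries (Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability). The metric weights and the base-score equation are the published CVSS v2.0 ones; the sample rows are transcribed from the matrices on this page, with Oracle's "Partial+" notation scored as Partial, which is how CVSS v2.0 treats it. Function and variable names are the example's own.

```python
"""CVSS v2.0 base-score calculator for risk-matrix rows.

Added example, not Oracle's code. Weights and equation are the published
CVSS v2.0 base metric definitions; SAMPLE_ROWS are transcribed from the
risk matrices in this advisory.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base metric weights.
ACCESS_VECTOR = {"Local": Decimal("0.395"), "Adjacent Network": Decimal("0.646"), "Network": Decimal("1.0")}
ACCESS_COMPLEXITY = {"High": Decimal("0.35"), "Medium": Decimal("0.61"), "Low": Decimal("0.71")}
AUTHENTICATION = {"Multiple": Decimal("0.45"), "Single": Decimal("0.56"), "None": Decimal("0.704")}
IMPACT = {"None": Decimal("0"), "Partial": Decimal("0.275"), "Complete": Decimal("0.660")}


def _impact_weight(value):
    # Oracle writes "Partial+" when a Partial impact on the scored component
    # can spread to other components; CVSS v2.0 still scores it as Partial.
    return IMPACT[value.rstrip("+")]


def cvss2_base_score(access_vector, access_complexity, authentication,
                     confidentiality, integrity, availability):
    """Return the CVSS v2.0 base score, rounded half-up to one decimal."""
    c, i, a = (_impact_weight(v) for v in (confidentiality, integrity, availability))
    impact = Decimal("10.41") * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = (Decimal(20) * ACCESS_VECTOR[access_vector]
                      * ACCESS_COMPLEXITY[access_complexity]
                      * AUTHENTICATION[authentication])
    # f(Impact) is 0 when there is no impact at all, so such vectors score 0.0.
    f_impact = Decimal(0) if impact == 0 else Decimal("1.176")
    raw = (Decimal("0.6") * impact + Decimal("0.4") * exploitability - Decimal("1.5")) * f_impact
    return float(raw.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# Rows transcribed from this page: (CVE, stated base score, AV, AC, Au, C, I, A).
SAMPLE_ROWS = [
    ("CVE-2013-3751", 9.0, "Network", "Low", "Single", "Complete", "Complete", "Complete"),
    ("CVE-2014-6508", 7.8, "Network", "Low", "None", "None", "None", "Complete"),
    ("CVE-2014-4282", 7.2, "Local", "Low", "None", "Complete", "Complete", "Complete"),
    ("CVE-2014-6470", 6.8, "Local", "Low", "Single", "Complete", "Complete", "Complete"),
    ("CVE-2014-6529", 6.8, "Adjacent Network", "High", "None", "Complete", "Complete", "Complete"),
    ("CVE-2014-6507", 8.0, "Network", "Low", "Single", "Partial+", "Partial+", "Complete"),
    ("CVE-2014-6463", 3.3, "Network", "Low", "Multiple", "None", "None", "Partial+"),
    ("CVE-2014-6501", 2.1, "Local", "Low", "None", "Partial", "None", "None"),
    ("CVE-2014-7169", 10.0, "Network", "Low", "None", "Complete", "Complete", "Complete"),
]


def check_matrix(rows=SAMPLE_ROWS):
    """Recompute each row's score; return the rows whose stated score disagrees."""
    mismatches = []
    for cve, stated, *metrics in rows:
        computed = cvss2_base_score(*metrics)
        if computed != stated:
            mismatches.append((cve, stated, computed))
    return mismatches


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row[0], row[1], "->", cvss2_base_score(*row[2:]))
    print("mismatches:", check_matrix())
```

Recomputing the score is a cheap consistency check when transcribing a vendor matrix into a tracking system: a row whose metric columns do not reproduce the stated score has usually been copied with a column shifted. Note that the base score carries no information about the "Partial+" qualifier, so that distinction must be kept separately if it matters to your triage.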

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update July 2014 Availability Document, My Oracle Support Note 1666884.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Alon Friedman; Andrea Micalizzi aka rgod, working with HP’s Zero Day Initiative; Borked of the Google Security Team; CERT/CC; Cihan Öncü of Biznet Bilişim A.Ş; David Litchfield of Datacom TSS; Florian Weimer of Red Hat; Ilja van Sprundel of ioactive.com; Jeroen Frijters; John Leitch working with HP’s Zero Day Initiative; Larry W. Cashdollar; Matt Bergin of KoreLogic Disclosures; Michael Miller of Integrigy; Peter Kamensky of ERPScan (Digital Security Research Group); Rafal Wojtczuk of Bromium; Rohan Stelling of BAE Systems Detica; Sayan Malakshinov of PSBank; Serguei Mourachov; Toby Clarke of Gotham Digital Science; and Yash Kadakia of Security Brigade.

Security-In-Depth Contributors

Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Alexander Kornbrust of Red Database Security; Bartlomiej Balcerek of Wroclaw University of Technology; David Litchfield of Datacom TSS; Lutz Wolf of RedTeam Pentesting GmbH and Paul M. Wright for contributions to Oracle’s Security-In-Depth program.

On-Line Presence Security Contributors

Oracle provides recognition to people that have contributed to our On-Line Presence Security program (see FAQ). People are recognized for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes Adam Willard of Foreground Security; Ateeq Khan; Bikash Dash; Cameron Crowley; Inti de Ceukalaire; Jayson Zabate; Provensec Labs; Koutrouss Naddara; Manoj Kumar; Monendra Sahu; Osanda Malith Jayathissa; Rodolfo Godalle; S. Venkatesh; Satheesh Raj; Suraj Radhakrishnan; and Yasser Gamal Ahmed for contributions to Oracle’s On-Line Presence Security program.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 14 October 2014
  • 20 January 2015
  • 14 April 2015
  • 14 July 2015

References

Modification History

2014-July-24 Rev 2. Updated Package and/or Privilege Required for CVE-2014-4236
2014-July-15 Rev 1. Initial Release

Appendix – Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

CVE# Component Protocol Package and/or Privilege Required Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2013-3751 XML Parser HTTP Create Session No 9.0 Network Low Single Complete Complete Complete 12.1.0.1
CVE-2013-3774 Network Layer Oracle Net None Yes 7.6 Network High None Complete Complete Complete 12.1.0.1
CVE-2014-4236 RDBMS Core Oracle Net Create Session, Grant on DBMS_REDACT No 6.5 Network Low Single Partial+ Partial+ Partial+ 11.2.0.4, 12.1.0.1
CVE-2014-4237 RDBMS Core Oracle Net Create Session No 4.0 Network Low Single Partial None None 11.2.0.4, 12.1.0.1
CVE-2014-4245 RDBMS Core Oracle Net Create Session No 3.5 Network Medium Single Partial+ None None 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1

Appendix – Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 29 new security fixes for Oracle Fusion Middleware. 27 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2013-1741 Oracle GlassFish Server HTTPS Security Yes 7.5 Network Low None Partial+ Partial+ Partial+ 2.1.1 See Note 1
CVE-2013-1741 Oracle Traffic Director HTTPS Security Yes 7.5 Network Low None Partial+ Partial+ Partial+ 11.1.1.7.0 See Note 1
CVE-2013-1741 Oracle iPlanet Web Proxy Server HTTPS Security Yes 7.5 Network Low None Partial+ Partial+ Partial+ 4.0.24 See Note 1
CVE-2013-1741 Oracle iPlanet Web Server HTTPS Security Yes 7.5 Network Low None Partial+ Partial+ Partial+ 6.1, 7.0 See Note 1
CVE-2014-4257 Oracle WebCenter Portal HTTP Portlet Services Yes 7.1 Network Medium None Complete None None 11.1.1.7.0, 11.1.1.8.0
CVE-2014-2481 Oracle WebLogic Server HTTP Yes 6.8 Network Medium None Partial Partial Partial 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
CVE-2014-2480 Oracle WebLogic Server HTTP Yes 6.8 Network Medium None Partial Partial Partial 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
CVE-2014-4255 Oracle WebLogic Server HTTP WLS – Security and Policy Yes 6.8 Network Medium None Partial Partial Partial 10.3.6.0, 12.1.1.0, 12.1.2.0
CVE-2014-4254 Oracle WebLogic Server HTTP WLS – Web Services Yes 6.8 Network Medium None Partial Partial Partial 10.3.6.0, 12.1.1.0, 12.1.2.0
CVE-2014-2479 Oracle WebLogic Server HTTP WLS – Web Services Yes 6.8 Network Medium None Partial Partial Partial 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
CVE-2014-4267 Oracle WebLogic Server HTTP WLS Core Components Yes 6.8 Network Medium None Partial Partial Partial 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
CVE-2014-2493 Oracle JDeveloper HTTP ADF Faces Yes 6.4 Network Low None Partial None Partial 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0
CVE-2014-4256 Oracle WebLogic Server HTTP WLS – Deployment Yes 5.8 Network Medium None Partial Partial None 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
CVE-2014-4249 BI Publisher HTTP Mobile Service Yes 5.0 Network Low None Partial None None 11.1.1.7
CVE-2014-4211 Oracle WebCenter Portal HTTP Portlet Services Yes 5.0 Network Low None None Partial None 11.1.1.7, 11.1.1.8
CVE-2014-4201 Oracle WebLogic Server HTTP WLS – Web Services Yes 5.0 Network Low None None None Partial 10.3.6.0, 12.1.1.0, 12.1.2.0
CVE-2014-4202 Oracle WebLogic Server HTTP WLS – Web Services Yes 5.0 Network Low None None None Partial 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
CVE-2014-4210 Oracle WebLogic Server HTTP WLS – Web Services Yes 5.0 Network Low None Partial None None 10.0.2.0, 10.3.6.0
CVE-2014-4253 Oracle WebLogic Server T3 WebLogic Server JVM Yes 5.0 Network Low None None None Partial+ 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
CVE-2013-1620 GlassFish Communications Server Multiple Security Yes 4.3 Network Medium None Partial None None 2.0 See Note 2
CVE-2014-4212 Oracle Fusion Middleware HTTPS Process Mgmt & Notification Yes 4.3 Network Medium None Partial None None 11.1.1.7 See Note 3
CVE-2013-5855 Oracle GlassFish Server HTTP JavaServer Faces Yes 4.3 Network Medium None None Partial None 3.0.1, 3.1.2
CVE-2013-5855 Oracle JDeveloper HTTP JavaServer Faces Yes 4.3 Network Medium None None Partial None 11.1.2.4.0, 12.1.2.0.0
CVE-2014-4242 Oracle WebLogic Server HTTP Console Yes 4.3 Network Medium None None Partial None 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
CVE-2014-4217 Oracle WebLogic Server HTTP WLS – Web Services Yes 4.3 Network Medium None None Partial None 10.0.2.0, 10.3.6.0, 12.1.1.0
CVE-2014-4241 Oracle WebLogic Server HTTP WLS – Web Services Yes 4.3 Network Medium None None Partial None 10.0.2.0, 10.3.6.0
CVE-2013-5855 Oracle WebLogic Server HTTP Web Container Yes 4.3 Network Medium None None Partial None 12.1.1.0, 12.1.2.0
CVE-2014-4251 Oracle HTTP Server HTTP plugin 1.1 No 3.5 Network Medium Single None Partial None 11.1.1.7.0, 12.1.2.0
CVE-2014-4222 Oracle HTTP Server HTTPS plugin 1.1 No 2.1 Network High Single Partial None None 11.1.1.7.0, 12.1.2.0

Notes:

  1. This fix also addresses CVE-2013-1739, CVE-2013-1740, CVE-2013-5605, CVE-2013-5606, CVE-2014-1490, CVE-2014-1491 and CVE-2014-1492.
  2. This fix also addresses CVE-2013-2172. CVE-2013-2172 is equivalent to CVE-2013-2461.
  3. Please refer to My Oracle Support Note 1905314.1 for instructions on optional configuration steps.

Appendix – Oracle Hyperion

Oracle Hyperion Executive Summary

This Critical Patch Update contains 7 new security fixes for Oracle Hyperion. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Hyperion Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2014-4271 Hyperion Essbase TCP Agent Yes 5.0 Network Low None None None Partial+ 11.1.2.2, 11.1.2.3
CVE-2014-0436 Hyperion BI+ HTTP Web Analysis Yes 4.3 Network Medium None None Partial None 11.1.2.2, 11.1.2.3
CVE-2014-4203 Hyperion Enterprise Performance Management Architect HTTP Property Editing No 4.1 Local Medium Single Partial Partial Partial 11.1.2.2, 11.1.2.3
CVE-2014-4270 Hyperion Common Admin HTTP User Interface No 4.0 Network Low Single Partial None None 11.1.2.2, 11.1.2.3
CVE-2014-4269 Hyperion Common Admin HTTP User Interface No 4.0 Network Low Single Partial None None 11.1.2.2, 11.1.2.3
CVE-2014-4246 Hyperion Analytic Provider Services XML SVP No 3.5 Network Medium Single Partial None None 11.1.2.2, 11.1.2.3
CVE-2014-4206 Hyperion Enterprise Performance Management Architect HTTP Data Synchronizer No 3.3 Local Medium None None Partial Partial 11.1.2.2, 11.1.2.3

Appendix – Oracle Enterprise Manager Grid Control

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Enterprise Manager Grid Control. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. This fix is not applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager Grid Control Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2014-4239 Solaris SSL/TLS Common Agent Container (Cacao) No 4.0 Network Low Single Partial None None 2.3.1.0, 2.3.1.1, 2.3.1.2, 2.4.0.0, 2.4.1.0, 2.4.2.0 See Note 1

Notes:

  1. Applies only when Cacao is running on the Solaris platform.

Appendix – Oracle Applications

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle E-Business Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2014-0224 Oracle Applications Technology Stack HTTPS IAS For App Technology Yes 6.8 Network Medium None Partial Partial Partial 11.5.10.2
CVE-2014-2482 Oracle Concurrent Processing HTTP No 5.5 Network Low Single Partial Partial None 12.1.3, 12.2.2, 12.2.3
CVE-2014-4213 Oracle Applications Manager HTTP Yes 4.3 Network Medium None None Partial None 12.0.6, 12.1.3, 12.2.2, 12.2.3
CVE-2014-4235 Oracle iStore HTTP No 3.5 Network Medium Single None Partial None 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3
CVE-2014-4248 Oracle Application Object Library HTTP Logging No 1.0 Local High Single Partial None None 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 3 new security fixes for the Oracle Supply Chain Products Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2014-4229 Oracle Transportation Management HTTP Data, Domain & Function Security No 5.5 Network Low Single Partial Partial None 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4
CVE-2014-4234 Oracle Transportation Management HTTP Data, Domain & Function Security Yes 5.0 Network Low None Partial None None 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4
CVE-2014-2492 Oracle Agile Product Collaboration HTTP Web client (PC) Yes 4.3 Network Medium None None Partial None 9.3.3

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 5 new security fixes for Oracle PeopleSoft Products. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2014-2456 PeopleSoft Enterprise ELS Enterprise Learning Management HTTP Enterprise Learning Mgmt No 5.5 Network Low Single Partial Partial None 9.1, 9.2
CVE-2014-2496 PeopleSoft Enterprise PT PeopleTools HTTPS Test Framework No 5.5 Network Low Single Partial Partial None 8.52, 8.53
CVE-2014-4226 PeopleSoft Enterprise FIN Install HTTPS Install Yes 5.1 Network High None Partial+ Partial+ Partial+ 9.1, 9.2
CVE-2014-4204 PeopleSoft Enterprise PT PeopleTools HTTP PIA Core Technology No 3.5 Network Medium Single None Partial None 8.53
CVE-2014-2495 PeopleSoft Enterprise SCM Purchasing HTTP Purchasing No 2.3 Adjacent Network Medium Single Partial+ None None 9.1, 9.2

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 6 new security fixes for Oracle Siebel CRM. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2014-4231 Siebel Travel & Transportation HTTP Diary Yes 4.3 Network Medium None None Partial None 8.1.1, 8.2.2
CVE-2014-4230 Siebel UI Framework HTTP Open_UI Yes 4.3 Network Medium None None Partial None 8.1.1, 8.2.2
CVE-2014-2491 Siebel UI Framework HTTP Portal Framework Yes 4.3 Network Medium None None Partial None 8.1.1, 8.2.2
CVE-2014-4205 Siebel UI Framework HTTP Portal Framework Yes 4.3 Network Medium None None Partial None 8.1.1, 8.2.2
CVE-2014-4250 Siebel Core – Server OM Frwks HTTP Object Manager No 3.5 Network Medium Single Partial None None 8.1.1, 8.2.2
CVE-2014-2485 Siebel Core – EAI HTTP Integration Business Services No 1.4 Local Low Multiple Partial None None 8.1.1, 8.2.2

Appendix – Oracle Industry Applications

Oracle Communications Applications Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Communications Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2013-1741 Oracle Communications Messaging Server SSL/TLS Security Yes 7.5 Network Low None Partial Partial Partial 7.0.5.30.0 and earlier See Note 1

Notes:

  1. This fix also addresses CVE-2013-1620, CVE-2013-1739, CVE-2013-1740, CVE-2013-5605, CVE-2013-5606, CVE-2014-1490, CVE-2014-1491 and CVE-2014-1492.

Oracle Retail Applications Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle Retail Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Retail Applications Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2014-0114 Oracle Retail Back Office HTTP Security Yes 7.5 Network Low None Partial Partial Partial 8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0
CVE-2014-0114 Oracle Retail Central Office HTTP Security Yes 7.5 Network Low None Partial Partial Partial 8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0
CVE-2014-0114 Oracle Retail Returns Management HTTP Security Yes 7.5 Network Low None Partial Partial Partial 2.0, 13.1, 13.2, 13.3, 13.4, 14.0

Appendix – Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 20 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.


The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Partial” instead of “Complete”, lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.
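Added example, not part of the advisory: a CVSS v2.0 base-score calculator that uses the metric vocabulary of the risk matrices on this page, recomputes a sample of published rows, and applies the downgrade described in the note above (every "Complete" impact lowered to "Partial" when the user is not an administrator). Scoring Oracle's "Partial+" as Partial is an inference from the matrix rows (Partial+/Partial+/Partial+ and Partial/Partial/Partial carry the same score for the same exploitability), not an Oracle statement.

```python
"""CVSS v2.0 base-score calculator in the metric vocabulary of the Oracle risk matrices."""
import math

# Metric weights from the CVSS v2.0 specification.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
# "Partial+" is Oracle notation; it is scored as Partial here (inferred from the matrices).
IMPACT = {"None": 0.0, "Partial": 0.275, "Partial+": 0.275, "Complete": 0.660}


def _round1(x: float) -> float:
    """Round half up to one decimal, as the spec's round_to_1_decimal does."""
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base(av, ac, au, conf, integ, avail) -> float:
    """CVSS v2.0 base score from the six base metrics, named as in the risk matrix columns."""
    impact = 10.41 * (1 - (1 - IMPACT[conf]) * (1 - IMPACT[integ]) * (1 - IMPACT[avail]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0 if impact == 0 else 1.176  # no impact at all scores 0.0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def non_admin_score(av, ac, au, conf, integ, avail) -> float:
    """Re-score with each 'Complete' impact lowered to 'Partial' (the Java SE note's non-admin case)."""
    def downgrade(metric):
        return "Partial" if metric == "Complete" else metric
    return cvss2_base(av, ac, au, downgrade(conf), downgrade(integ), downgrade(avail))


# Rows copied from the risk matrices on this page:
# (CVE, Access Vector, Access Complexity, Authentication, C, I, A, published Base Score).
MATRIX_ROWS = [
    ("CVE-2013-3751", "Network", "Low", "Single", "Complete", "Complete", "Complete", 9.0),
    ("CVE-2013-3774", "Network", "High", "None", "Complete", "Complete", "Complete", 7.6),
    ("CVE-2014-4236", "Network", "Low", "Single", "Partial+", "Partial+", "Partial+", 6.5),
    ("CVE-2013-1741", "Network", "Low", "None", "Partial+", "Partial+", "Partial+", 7.5),
    ("CVE-2014-2481", "Network", "Medium", "None", "Partial", "Partial", "Partial", 6.8),
    ("CVE-2014-4227", "Network", "Low", "None", "Complete", "Complete", "Complete", 10.0),
    ("CVE-2014-4219", "Network", "Medium", "None", "Complete", "Complete", "Complete", 9.3),
    ("CVE-2014-2487", "Local", "Medium", "None", "Complete", "Complete", "Complete", 6.9),
    ("CVE-2014-2495", "Adjacent Network", "Medium", "Single", "Partial+", "None", "None", 2.3),
    ("CVE-2014-0160", "Network", "Low", "None", "Partial", "None", "None", 5.0),
]


def verify_rows(rows=MATRIX_ROWS):
    """Return (CVE, published, recomputed) for every row whose score does not reproduce; [] means all agree."""
    mismatches = []
    for cve, av, ac, au, c, i, a, published in rows:
        recomputed = cvss2_base(av, ac, au, c, i, a)
        if recomputed != published:
            mismatches.append((cve, published, recomputed))
    return mismatches


if __name__ == "__main__":
    print("mismatching rows:", verify_rows())
    # The note's example: 10.0 for an administrator becomes 7.5 for a non-admin user.
    print(non_admin_score("Network", "Low", "None", "Complete", "Complete", "Complete"))
```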
Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.
My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products that include an Oracle Java SE JDK or JRE.

Oracle Java SE Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2014-4227 Java SE Multiple Deployment Yes 10.0 Network Low None Complete Complete Complete Java SE 6u75, Java SE 7u60, Java SE 8u5 See Note 1
CVE-2014-4219 Java SE Multiple Hotspot Yes 9.3 Network Medium None Complete Complete Complete Java SE 6u75, Java SE 7u60, Java SE 8u5 See Note 1
CVE-2014-2490 Java SE Multiple Hotspot Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u60, Java SE 8u5 See Note 1
CVE-2014-4216 Java SE Multiple Hotspot Yes 9.3 Network Medium None Complete Complete Complete Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5 See Note 1
CVE-2014-4247 Java SE Multiple JavaFX Yes 9.3 Network Medium None Complete Complete Complete Java SE 8u5 See Note 1
CVE-2014-2483 Java SE Multiple Libraries Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u60 See Note 1
CVE-2014-4223 Java SE Multiple Libraries Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u60 See Note 1
CVE-2014-4262 Java SE Multiple Libraries Yes 9.3 Network Medium None Complete Complete Complete Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5 See Note 1
CVE-2014-4209 Java SE Multiple JMX Yes 6.4 Network Low None Partial Partial None Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5 See Note 1
CVE-2014-4265 Java SE Multiple Deployment Yes 5.0 Network Low None None Partial None Java SE 6u75, Java SE 7u60, Java SE 8u5 See Note 1
CVE-2014-4220 Java SE Multiple Deployment Yes 5.0 Network Low None None Partial None Java SE 7u60, Java SE 8u5 See Note 1
CVE-2014-4218 Java SE Multiple Libraries Yes 5.0 Network Low None None Partial None Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5 See Note 1
CVE-2014-4252 Java SE Multiple Security Yes 5.0 Network Low None Partial None None Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5 See Note 1
CVE-2014-4266 Java SE Multiple Serviceability Yes 5.0 Network Low None None Partial None Java SE 7u60, Java SE 8u5 See Note 1
CVE-2014-4268 Java SE Multiple Swing Yes 5.0 Network Low None Partial None None Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5 See Note 1
CVE-2014-4264 Java SE SSL/TLS Security Yes 5.0 Network Low None None None Partial Java SE 7u60, Java SE 8u5 See Note 2
CVE-2014-4221 Java SE Multiple Libraries Yes 4.3 Network Medium None Partial None None Java SE 7u60, Java SE 8u5 See Note 1
CVE-2014-4244 Java SE, JRockit Multiple Security Yes 4.0 Network High None Partial Partial None Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5, JRockit R27.8.2, JRockit R28.3.2 See Note 3
CVE-2014-4263 Java SE, JRockit Multiple Security Yes 4.0 Network High None Partial Partial None Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5, JRockit R27.8.2, JRockit R28.3.2 See Note 4
CVE-2014-4208 Java SE Multiple Deployment Yes 2.6 Network High None None Partial None Java SE 7u60, Java SE 8u5 See Note 1

Notes:

  1. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
  2. Applies to client and server deployment of JSSE.
  3. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
  4. Applies to Diffie-Hellman key agreement in client and server deployment of Java.

Appendix – Oracle and Sun Systems Products Suite

Oracle and Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 3 new security fixes for the Oracle and Sun Systems Products Suite. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle and Sun Systems Products Suite Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2014-4225 Solaris None Patch installation scripts No 6.9 Local Medium None Complete Complete Complete 10
CVE-2014-4215 Solaris None CPU performance counters (CPC) drivers No 4.9 Local Low None None None Complete 10, 11.1
CVE-2014-4224 Solaris None sockfs No 4.9 Local Low None None None Complete 8, 9, 10, 11.1
CVE-2014-4239 (Oracle Enterprise Manager Grid Control) Solaris SSL/TLS Common Agent Container (Cacao) No 4.0 Network Low Single Partial None None 8, 9, 10, 11.1

Appendix – Oracle Linux and Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 15 new security fixes for Oracle Virtualization. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2014-0211 Oracle Secure Global Desktop (SGD) TCP LibXfont Yes 7.5 Network Low None Partial Partial Partial 4.63, 4.71, 5.0, 5.1 See Note 1
CVE-2014-2487 Oracle VM VirtualBox None Core No 6.9 Local Medium None Complete Complete Complete VirtualBox prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.14 See Note 2
CVE-2014-4261 Oracle VM VirtualBox None Core No 6.9 Local Medium None Complete Complete Complete VirtualBox prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.14 See Note 2
CVE-2014-0224 Oracle Secure Global Desktop (SGD) SSL/TLS OpenSSL Yes 6.8 Network Medium None Partial Partial Partial 4.63, 4.71, 5.0, 5.1 See Note 3
CVE-2013-4286 Oracle Secure Global Desktop (SGD) HTTP Apache Tomcat Yes 5.8 Network Medium None Partial Partial None 4.63, 4.71, 5.0, 5.1 See Note 4
CVE-2014-0098 Oracle Secure Global Desktop (SGD) HTTP Apache HTTP Server Yes 5.0 Network Low None None None Partial 4.63, 4.71, 5.0, 5.1 See Note 5
CVE-2012-3544 Oracle Virtual Desktop Infrastructure (VDI) HTTP Apache Tomcat Yes 5.0 Network Low None None None Partial VDI prior to 3.5.1
CVE-2012-3544 Sun Ray Software HTTP Apache Tomcat Yes 5.0 Network Low None None None Partial Sun Ray Software prior to 5.4.3
CVE-2014-4228 Oracle VM VirtualBox None Graphics driver (WDDM) for Windows guests No 4.4 Local Medium None Partial Partial Partial+ VirtualBox prior to 4.1.34, 4.2.26, 4.3.12
CVE-2014-0033 Oracle Secure Global Desktop (SGD) HTTP Apache Tomcat Yes 4.3 Network Medium None Partial None None 4.63
CVE-2014-4232 Oracle Secure Global Desktop (SGD) HTTP Workspace Web Application Yes 4.3 Network Medium None None Partial None 4.63, 4.71, 5.0, 5.1
CVE-2014-2489 Oracle VM VirtualBox None Core No 4.1 Local Medium Single Partial+ Partial+ Partial+ VirtualBox prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.12
CVE-2014-2477 Oracle VM VirtualBox None Core No 3.6 Local Low None None Partial Partial VirtualBox prior to 4.0.26, 4.1.34, 4.2.26, 4.3.12
CVE-2014-2486 Oracle VM VirtualBox None Core No 3.0 Local Medium Single None Partial+ Partial+ VirtualBox prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.12
CVE-2014-2488 Oracle VM VirtualBox None Core No 1.0 Local High Single Partial+ None None VirtualBox prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.12

Notes:

  1. This fix also addresses CVE-2014-0209 and CVE-2014-0210.
  2. Applies only when VirtualBox is running on a Windows host operating system.
  3. This fix also addresses CVE-2010-5298, CVE-2013-6449 and CVE-2013-6450, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221 and CVE-2014-3470.
  4. This fix also addresses CVE-2013-4322, CVE-2014-0050, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099 and CVE-2014-0119.
  5. This fix also addresses CVE-2013-6438.

Appendix – Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 10 new security fixes for Oracle MySQL. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2014-2484 MySQL Server MySQL Protocol SRFTS No 6.5 Network Low Single Partial+ Partial+ Partial+ 5.6.17 and earlier
CVE-2014-4258 MySQL Server MySQL Protocol SRINFOSC No 6.5 Network Low Single Partial+ Partial+ Partial+ 5.5.37 and earlier, 5.6.17 and earlier
CVE-2014-4260 MySQL Server MySQL Protocol SRCHAR No 5.5 Network Low Single None Partial Partial+ 5.5.37 and earlier, 5.6.17 and earlier
CVE-2014-2494 MySQL Server MySQL Protocol ENARC No 4.0 Network Low Single None None Partial+ 5.5.37 and earlier
CVE-2014-4238 MySQL Server MySQL Protocol SROPTZR No 4.0 Network Low Single None None Partial+ 5.6.17 and earlier
CVE-2014-4207 MySQL Server MySQL Protocol SROPTZR No 4.0 Network Low Single None None Partial+ 5.5.37 and earlier
CVE-2014-4233 MySQL Server MySQL Protocol SRREP No 4.0 Network Low Single None None Partial+ 5.6.17 and earlier
CVE-2014-4240 MySQL Server MySQL Protocol SRREP No 3.6 Local Low None Partial Partial None 5.6.17 and earlier
CVE-2014-4214 MySQL Server MySQL Protocol SRSP No 3.3 Network Low Multiple None None Partial+ 5.6.17 and earlier
CVE-2014-4243 MySQL Server MySQL Protocol ENFED No 2.8 Network Medium Multiple None None Partial+ 5.5.35 and earlier, 5.6.15 and earlier


Oracle Security Alert for CVE-2014-0160 – 18 April 2014

Description

This Security Alert addresses CVE-2014-0160 (‘Heartbleed’), a publicly disclosed vulnerability which affects multiple OpenSSL versions implemented by various vendors in their products. This vulnerability affects multiple Oracle products. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality of systems that are running affected versions of OpenSSL. According to http://heartbleed.com, the compromised data may contain passwords, private keys, and other sensitive information. In some instances, this information could be used by a malicious attacker to log into systems using a stolen identity or decrypt private information that was sent months or years ago.

Due to the severity, public disclosure and the reported exploitation of CVE-2014-0160 “in the wild,” Oracle strongly recommends that customers apply the fixes provided by this Security Alert as soon as they are released by Oracle.


Affected Products and Versions

Please refer to OpenSSL Security Bug – Heartbleed / CVE-2014-0160 for a list of Oracle products and versions that are affected by this vulnerability.

Note: The page OpenSSL Security Bug – Heartbleed / CVE-2014-0160 will be updated when new information becomes available.

Patch Availability

Patch availability information related to vulnerability CVE-2014-0160 can be found on the OpenSSL Security Bug – Heartbleed / CVE-2014-0160 page. Note that in some instances, the instructions on this page or references from this page may include important steps to take before and after the application of the relevant patch.

Supported Products and Versions

Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by this vulnerability.

Products in Extended Support

Security Alert fixes are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to apply Security Alert fixes for products in the Extended Support Phase.

Modification History

Date Comments
2014-April-18 Rev 1. Initial Release

Appendix – Third Party Components Risk Matrix

Third Party Components Risk Matrix Executive Summary

This Security Alert addresses the Heartbleed vulnerability in the OpenSSL third party component as it relates to Oracle products. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Third Party Components Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability Supported Versions Affected Notes
CVE-2014-0160 OpenSSL Library SSL/TLS Heartbeat Extension Yes 5.0 Network Low None Partial None None 1.0.1 – 1.0.1f See Note 1

Notes:

  1. This vulnerability affects a number of Oracle products that include the affected OpenSSL libraries. See OpenSSL Security Bug – Heartbleed / CVE-2014-0160 for the list of affected products and current patch availability information.


Oracle Critical Patch Update Advisory – April 2014

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 104 new security fixes across the product families listed below.

Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available at: http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions Patch Availability
Oracle Database 11g Release 1, version 11.1.0.7 Database
Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4 Database
Oracle Database 12c Release 1, version 12.1.0.1 Database
Oracle Fusion Middleware 11g Release 1, versions 11.1.1.7, 11.1.1.8 Fusion Middleware
Oracle Fusion Middleware 12c Release 1, versions 12.1.1.0, 12.1.2.0 Fusion Middleware
Oracle Fusion Applications, versions 11.1.2 through 11.1.8 Fusion Applications
Oracle Access Manager, versions 10.1.4.3, 11.1.1.3.0, 11.1.1.5.0, 11.1.1.7.0, 11.1.2.0.0, 11.1.2.1.0, 11.1.2.2.0 Fusion Middleware
Oracle Containers for J2EE, version 10.1.3.5 Fusion Middleware
Oracle Data Integrator, version 11.1.1.3.0 Fusion Middleware
Oracle Endeca Server, version 2.2.2 Fusion Middleware
Oracle Event Processing, version 11.1.1.7.0 Fusion Middleware
Oracle Identity Analytics, version 11.1.1.5, Sun Role Manager, version 5.0 Fusion Middleware
Oracle OpenSSO, version 8.0 Update 2 Patch 5 Fusion Middleware
Oracle OpenSSO Policy Agent, version 3.0-03 Fusion Middleware
Oracle WebCenter Portal, versions 11.1.1.7, 11.1.1.8 Fusion Middleware
Oracle WebLogic Server, versions 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0 Fusion Middleware
Oracle Hyperion Common Admin, versions 11.1.2.2, 11.1.2.3 Fusion Middleware
Oracle E-Business Suite Release 11i, 12i E-Business Suite
Oracle Agile PLM Framework, versions 9.3.1.1, 9.3.3.0 Oracle Supply Chain
Oracle Agile Product Lifecycle Management for Process, versions 6.0.0.7, 6.1.1.3 Oracle Supply Chain
Oracle Transportation Management, versions 6.3, 6.3.4 Oracle Supply Chain
Oracle PeopleSoft Enterprise CS Campus Self Service, version 9.0 PeopleSoft
Oracle PeopleSoft Enterprise HRMS Talent Acquisition Manager, versions 8.52, 8.53 PeopleSoft
Oracle PeopleSoft Enterprise PT Tools, versions 8.52, 8.53 PeopleSoft
Oracle Siebel UI Framework, versions 8.1.1, 8.2.2 Siebel
Oracle iLearning, versions 6.0, 6.1 iLearning
Oracle JavaFX, version 2.2.51 Oracle Java SE
Oracle Java SE, versions 5.0u61, 6u71, 7u51, 8 Oracle Java SE
Oracle Java SE Embedded, version 7u51 Oracle Java SE
Oracle JRockit, versions R27.8.1, R28.3.1 Oracle Java SE
Oracle Solaris, versions 9, 10, 11.1 Oracle and Sun Systems Products Suite
Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1 Oracle Linux and Virtualization
Oracle VM VirtualBox, versions prior to 3.2.22, 4.0.24, 4.1.32, 4.2.24, 4.3.10 Oracle Linux and Virtualization
Oracle MySQL Server, versions 5.5, 5.6 Oracle MySQL Product Suite

Patch Availability Table and Risk Matrices

Products with Cumulative Patches

The Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Industry Applications, Primavera and Oracle VM patches in the Critical Patch Updates are cumulative. In other words, patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates. For more information about cumulative and non-cumulative patches, check the patch availability documents in the table below for the respective product groups.


Patch Availability Table

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update April 2014 Documentation Map, My Oracle Support Note 1637289.1.

Product Group Risk Matrix Patch Availability and Installation Information
Oracle Database Oracle Database Risk Matrix Patch Set Update and Critical Patch Update April 2014 Availability Document, My Oracle Support Note 1618213.1
Oracle Fusion Middleware Oracle Fusion Middleware Risk Matrix Patch Set Update and Critical Patch Update April 2014 Availability Document, My Oracle Support Note 1618213.1
Oracle Fusion Applications Oracle Database Risk Matrix and Oracle Fusion Middleware Risk Matrix Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document (April 2014) My Oracle Support Note 1644949.1 for information on patches to be applied to Fusion Application environments.
Oracle Hyperion Oracle Hyperion Risk Matrix Patch Set Update and Critical Patch Update April 2014 Availability Document, My Oracle Support Note 1618213.1
Oracle Applications – E-Business Suite Oracle Database Risk Matrix and Oracle Fusion Middleware Risk Matrix Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle E-Business Suite products, so Oracle customers should refer to Oracle E-Business Suite Releases 11i and 12i Critical Patch Update Knowledge Document (April 2014), My Oracle Support Note 1614525.1 for information on patches to be applied to EBS environments.
Oracle Applications – PeopleSoft Enterprise, Siebel CRM, Oracle Supply Chain, and iLearning Product Suite Oracle PeopleSoft Enterprise Risk Matrix, Oracle Siebel CRM Risk Matrix, Oracle Supply Chain Risk Matrix, Oracle iLearning Products Risk Matrix Critical Patch Update Knowledge Document for PeopleSoft Enterprise, Siebel Core, Oracle Supply Chain and Oracle iLearning Products, My Oracle Support Note 1638652.1
Oracle Java SE Oracle Java SE Risk Matrix
  • Critical Patch Update April 2014 Patch Availability Document for Java SE, My Oracle Support Note 1636775.1
  • Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
  • The latest JavaFX release is included with the latest update of JDK and JRE 7 and 8.
Oracle and Sun Systems Products Suite Oracle and Sun Systems Products Suite Risk Matrix Critical Patch Update April 2014 Patch Delivery Document for Oracle and Sun Systems Product Suite, My Oracle Support Note 1637067.1
Oracle Linux and Virtualization Products Oracle Linux and Virtualization Products Risk Matrix Patch Set Update and Critical Patch Update April 2014 Availability Document, My Oracle Support Note 1635985.1
Oracle MySQL Oracle MySQL Risk Matrix Critical Patch Update April 2014 Patch Availability Document for Oracle MySQL Products, My Oracle Support Note 1635913.1

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is available here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. Italics indicate vulnerabilities in code included from other product areas.

Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update April 2014 Availability Document, My Oracle Support Note 1618213.1.


Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Andrea Micalizzi aka rgod, working with HP’s Zero Day Initiative; Andrey Medov of Positive Technologies; Ben Murphy via HP’s Zero Day Initiative; Borked of the Google Security Team; Christopher Meyer of Ruhr-University Bochum; Ilja van Sprundel of ioactive.com; Jing Wang; John Marrett; Juraj Somorovsky of Ruhr-University Bochum; Jörg Delker; lokihardt@ASRT via HP’s Zero Day Initiative; Mikhail Firstov of Positive Technologies; Patroklos Argyroudis and Alex Zaharis; Paul M. Wright; Red Hat Security Response Team; Sergey Bobrov of Positive Technologies; Tibor Jager of Ruhr-University Bochum; Timo Boettcher of RedTeam Pentesting GmbH; Timo Warns; Tor Erling Bjorstad of mnemonic AS; Vitaliy Toropov via HP’s Zero Day Initiative; and Yuki Chen of Trend Micro.

Security-In-Depth Contributors

Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Oliver Gruskovnjak of Portcullis Inc; and Yash Kadakia of Security Brigade for contributions to Oracle’s Security-In-Depth program.

On-Line Presence Security Contributors

Oracle provides recognition to people that have contributed to our On-Line Presence Security program (see FAQ). People are recognized for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes Abstergo Industries; Adam Willard of Foreground Security; Adi Ivascu; Amir Sohail; Aniket Singh; Ankit Bharathan; Ateeq Khan; Avik Sarkar; Ben Khlifa Fahmi; Christian Galeone; Deepanker Chawla; Gaurav Mishra; Gopal Bisht; Gurjant Singh Sadhra; James Pearson; Jerold Camacho; Ketan Sirigiri; Koutrouss Naddara of Kotros Nadara; Mazin Ahmed; Mohamed M. Fouad; Muhammad Talha Khan; Rakesh Singh of Zero Day Guys; Salman Khan; Sebastian Neef of Internetwache PGP; Shahmeer Baloch; Sherin Panikar; Simone Memoli; Sky_BlaCk; Thamatam Deepak; and Tony Trummer and Tushar Dalvi for contributions to Oracle’s On-Line Presence Security program.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 15 July 2014
  • 14 October 2014
  • 20 January 2015
  • 14 April 2015

Modification History

2014-April-30 Rev 3. Updated note for CVE-2014-0457
2014-April-28 Rev 2. Updated CVSS scores for CVE-2014-2407, CVE-2014-2415, CVE-2014-2416, CVE-2014-2417 and CVE-2014-2418
2014-April-15 Rev 1. Initial Release

Appendix – Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 2 new security fixes for the Oracle Database Server. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

CVE# Component Protocol Package and/or Privilege Required Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2014-2406 Core RDBMS Oracle Net Create Session, Advisor, Select Any Dictionary No 8.5 Network Medium Single Complete Complete Complete 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 See Note 1
CVE-2014-2408 Core RDBMS Oracle Net Create Session, Grant Any Object Privilege No 6.6 Network High Single Complete Complete None 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1

Notes:

  1. The CVSS Base Score is 8.5 only for Windows. For Linux, Unix and other platforms, the CVSS Base Score is 6.0, and the impacts for Confidentiality, Integrity and Availability are Partial+.

Appendix – Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 20 new security fixes for Oracle Fusion Middleware. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that can be exploited by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle customers should apply the April 2014 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2014 Patch Availability Document for Oracle Products, My Oracle Support Note 1618213.1.

Oracle Fusion Middleware Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2014-2470 Oracle WebLogic Server T3 WLS Security Yes 7.5 Network Low None Partial+ Partial+ Partial+ 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
CVE-2014-2416 Oracle Data Integrator HTTP Data Quality Yes 7.5 Network Low None Partial Partial Partial 11.1.1.3.0
CVE-2014-2417 Oracle Data Integrator HTTP Data Quality Yes 7.5 Network Low None Partial Partial Partial 11.1.1.3.0
CVE-2014-2415 Oracle Data Integrator HTTP Data Quality Yes 7.5 Network Low None Partial Partial Partial 11.1.1.3.0
CVE-2014-2418 Oracle Data Integrator HTTP Data Quality Yes 7.5 Network Low None Partial Partial Partial 11.1.1.3.0
CVE-2014-2407 Oracle Data Integrator HTTP Data Quality Yes 6.8 Network Medium None Partial Partial Partial 11.1.1.3.0
CVE-2014-2411 Oracle Identity Analytics HTTP Security No 6.5 Network Low Single Partial Partial+ Partial Oracle Identity Analytics 11.1.1.5, Sun Role Manager 5.0
CVE-2014-0414 Oracle Containers for J2EE HTTP HTTP Request Handling Yes 5.0 Network Low None Partial None None 10.1.3.5
CVE-2014-0450 Oracle WebCenter Portal HTTP People Connection Yes 5.0 Network Low None Partial+ None None 11.1.1.7, 11.1.1.8
CVE-2014-2426 Oracle OpenSSO HTTP Admin Console No 4.9 Network Medium Single None Partial Partial 8.0 Update 2 Patch 5
CVE-2014-0426 Oracle Containers for J2EE HTTP HTTP Request Handling Yes 4.3 Network Medium None None Partial None 10.1.3.5
CVE-2014-0413 Oracle Containers for J2EE HTTP HTTP Request Handling Yes 4.3 Network Medium None None Partial+ None 10.1.3.5
CVE-2014-2400 Oracle Endeca Server HTTP Oracle Endeca Information Discovery (Formerly Latitude) Yes 4.3 Network Medium None None Partial None 2.2.2 See Note 1
CVE-2014-2399 Oracle Endeca Server HTTP Oracle Endeca Information Discovery (Formerly Latitude) Yes 4.3 Network Medium None None Partial None 2.2.2 See Note 1
CVE-2013-1620 Oracle OpenSSO HTTPS Web Agents Yes 4.3 Network Medium None Partial None None 3.0-03
CVE-2014-2404 Oracle Access Manager HTTP WebGate No 4.0 Network Low Single Partial None None 10.1.4.3, 11.1.1.3.0, 11.1.1.5.0, 11.1.1.7.0, 11.1.2.0.0, 11.1.2.1.0, 11.1.2.2.0 See Note 2
CVE-2014-2452 Oracle Access Manager HTTP Webserver Plugin No 4.0 Network Low Single None None Partial+ 11.1.1.5
CVE-2014-2424 Oracle Event Processing HTTP CEP system No 4.0 Network Low Single None Partial None 11.1.1.7.0
CVE-2014-2425 Oracle OpenSSO HTTP Other No 4.0 Network Low Single Partial+ None None 8.0 Update 2 Patch 5
CVE-2014-0465 Oracle OpenSSO HTTP Admin Console No 3.5 Network Medium Single None Partial None 8.0 Update 2 Patch 5

Notes:

  1. Please refer to My Oracle Support Note 1629648.1 for instructions on how to address this issue.
  2. Please refer to My Oracle Support Note 1643382.1 for instructions on how to address this issue.

Appendix – Oracle Hyperion

Oracle Hyperion Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle Hyperion. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Hyperion Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2014-2455 Hyperion Common Admin HTTP User Interface No 6.0 Network Medium Single Partial+ Partial+ Partial+ 11.1.2.2, 11.1.2.3
CVE-2014-2453 Hyperion Common Admin HTTP User Interface Yes 4.3 Network Medium None None Partial None 11.1.2.2, 11.1.2.3
CVE-2014-2454 Hyperion Common Admin HTTP User Interface Yes 4.3 Network Medium None Partial None None 11.1.2.2, 11.1.2.3

Appendix – Oracle Applications

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 10 new security fixes for the Oracle Supply Chain Products Suite. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2014-2461 Oracle Transportation Management HTTP Security Yes 5.0 Network Low None Partial None None 5.5.06, 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3
CVE-2014-2465 Oracle Agile PLM Framework HTTP Security Yes 4.3 Network Medium None None Partial None 9.3.3
CVE-2014-2457 Oracle Agile Product Lifecycle HTTP Install Yes 4.3 Network Medium None None Partial None 6.0, 6.1.0
CVE-2014-2458 Oracle Agile Product Lifecycle HTTP Install Yes 4.3 Network Medium None None Partial None 6.1.0.3, 6.1.1.3
CVE-2014-2460 Oracle Transportation Management HTTP CSV Management No 4.0 Network Low Single Partial None None 5.5.06, 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3
CVE-2014-2459 Oracle Transportation Management HTTP Security No 3.7 Local High None Partial+ Partial+ Partial+ 6.3.2, 6.3.3
CVE-2014-2467 Oracle Agile PLM Framework HTTP Security No 3.5 Network Medium Single None Partial None 9.3.3
CVE-2014-2445 Oracle Agile PLM Framework HTTP Security No 3.5 Network Medium Single None Partial+ None 9.3.3
CVE-2014-2464 Oracle Agile PLM Framework HTTP Security No 3.5 Network Medium Single Partial None None 9.3.3.0
CVE-2014-2466 Oracle Agile PLM Framework HTTP Security No 2.1 Network High Single Partial None None 9.3.3

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle PeopleSoft Products. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2014-2448 PeopleSoft Enterprise PT PeopleTools HTTP Install and Packaging Yes 5.0 Network Low None Partial None None 8.52, 8.53
CVE-2014-2437 PeopleSoft Enterprise PT PeopleTools HTTP Integration Broker Yes 5.0 Network Low None Partial None None 8.52, 8.53
CVE-2014-2433 PeopleSoft Enterprise PT PeopleTools HTTP Integration Broker Yes 5.0 Network Low None None None Partial 8.53
CVE-2014-2447 PeopleSoft Enterprise PT PeopleTools HTTP Integration Broker Yes 5.0 Network Low None Partial None None 8.52, 8.53
CVE-2014-2443 PeopleSoft Enterprise PT PeopleTools HTTP PIA Core Technology Yes 4.3 Network Medium None None Partial None 8.52, 8.53
CVE-2014-2429 PeopleSoft Enterprise CS Campus Self Service HTTP Campus Mobile No 4.0 Network Low Single Partial None None 9.0
CVE-2014-2449 PeopleSoft Enterprise HRMS Talent Acquisition Manager HTTP Security No 4.0 Network Low Single Partial None None 9.0, 9.1, 9.2
CVE-2014-2446 PeopleSoft Enterprise PT PeopleTools HTTP QAS No 4.0 Network Low Single Partial None None 8.52, 8.53

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Siebel CRM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2014-2468 Siebel UI Framework HTTP Open_UI Yes 4.3 Network Medium None None Partial None 8.1.1, 8.2.2

Oracle iLearning Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle iLearning Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2014-2471 Oracle iLearning HTTP Learner Pages Yes 4.3 Network Medium None None Partial None 6.0, 6.1

Appendix – Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 37 new security fixes for Oracle Java SE. 35 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.


The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Partial” instead of “Complete”, lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.
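The Risk Matrix Content section above states that every row is scored with CVSS version 2.0, and the paragraph above gives one instance of how the score moves when impacts drop from Complete to Partial (10.0 becomes 7.5). The following is an added example, not Oracle's code or part of this advisory: it implements the public CVSS v2.0 base-score equation and metric weights, recomputes the published Base Score for a handful of rows copied from the matrices on this page, and applies the non-administrator downgrade rule to show the 10.0 to 7.5 and 8.5 to 6.0 shifts. One assumption is labelled in the code: Oracle's "Partial+" impact is scored as Partial, which is what Note 1 of the Database appendix (8.5 with Complete impacts, 6.0 with Partial+ impacts) implies. The Adjacent Network weight is included for completeness although no row on this page uses it.

```python
"""CVSS v2.0 base-score check for rows of an Oracle risk matrix.

Added example, not Oracle's code. Metric weights and equations are the
public CVSS v2.0 base-score definitions. Oracle's "Partial+" impact is
scored as Partial here (assumption, consistent with the 8.5 -> 6.0
figure given in Note 1 of the Oracle Database appendix).
"""
from decimal import Decimal, ROUND_HALF_UP

ACCESS_VECTOR = {"Local": 0.395, "Adjacent": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
# "Partial+" is Oracle's notation for a wide-scope partial impact; scored as Partial (assumption).
IMPACT = {"None": 0.0, "Partial": 0.275, "Partial+": 0.275, "Complete": 0.660}


def cvss2_base_score(av, ac, au, c, i, a):
    """Return the CVSS v2.0 base score for one row (AV, AC, Au, C, I, A)."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176  # f(Impact) zeroes the score when nothing is impacted
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    # Round half up to one decimal as the specification does; Python's round()
    # uses banker's rounding on binary floats and can differ at the boundary.
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def non_admin_score(av, ac, au, c, i, a):
    """Rescore a row for a user who is not an administrator.

    The Java SE summary says Complete impacts become Partial for such a
    user; this applies that rule to each impact metric and recomputes.
    """
    downgrade = lambda m: "Partial" if m == "Complete" else m
    return cvss2_base_score(av, ac, au, downgrade(c), downgrade(i), downgrade(a))


# Rows copied from the matrices on this page:
# (CVE, Access Vector, Access Complexity, Authentication, C, I, A, published Base Score).
MATRIX_ROWS = [
    ("CVE-2014-0160", "Network", "Low", "None", "Partial", "None", "None", 5.0),
    ("CVE-2014-2406", "Network", "Medium", "Single", "Complete", "Complete", "Complete", 8.5),
    ("CVE-2014-2408", "Network", "High", "Single", "Complete", "Complete", "None", 6.6),
    ("CVE-2014-2470", "Network", "Low", "None", "Partial+", "Partial+", "Partial+", 7.5),
    ("CVE-2014-2411", "Network", "Low", "Single", "Partial", "Partial+", "Partial", 6.5),
    ("CVE-2014-2426", "Network", "Medium", "Single", "None", "Partial", "Partial", 4.9),
    ("CVE-2014-2459", "Local", "High", "None", "Partial+", "Partial+", "Partial+", 3.7),
    ("CVE-2014-2466", "Network", "High", "Single", "Partial", "None", "None", 2.1),
    ("CVE-2014-0429", "Network", "Low", "None", "Complete", "Complete", "Complete", 10.0),
    ("CVE-2014-0448", "Network", "High", "None", "Complete", "Complete", "Complete", 7.6),
    ("CVE-2014-2409", "Network", "Low", "None", "Partial", "Partial", "None", 6.4),
]


def check_rows(rows):
    """Return (cve, published, computed) for every row whose published score does not recompute."""
    mismatches = []
    for cve, av, ac, au, c, i, a, published in rows:
        computed = cvss2_base_score(av, ac, au, c, i, a)
        if computed != published:
            mismatches.append((cve, published, computed))
    return mismatches


if __name__ == "__main__":
    print("rows that do not recompute:", check_rows(MATRIX_ROWS))
    print("CVE-2014-0429 scored for a non-admin user:",
          non_admin_score("Network", "Low", "None", "Complete", "Complete", "Complete"))
    print("CVE-2014-2406 scored with Partial+ impacts:",
          non_admin_score("Network", "Medium", "Single", "Complete", "Complete", "Complete"))
```

Recomputing published scores this way is a useful sanity check when ingesting advisories into a vulnerability-management system: a row that does not recompute usually signals a transcription error or a platform-specific note like the one attached to CVE-2014-2406, and it tells you which metric to re-read.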


Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.


My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products that include an Oracle Java SE JDK or JRE.

Oracle Java SE Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2014-0429 Java SE, JRockit, Java SE Embedded Multiple 2D Yes 10.0 Network Low None Complete Complete Complete Java SE 5.0u61, Java SE 6u71, Java SE 7u51, Java SE 8, JRockit R27.8.1, JRockit R28.3.1, Java SE Embedded 7u51 See Note 1
CVE-2014-0457 Java SE, JRockit, Java SE Embedded Multiple Libraries Yes 10.0 Network Low None Complete Complete Complete Java SE 5.0u61, Java SE 6u71, Java SE 7u51, Java SE 8, JRockit R27.8.1, JRockit R28.3.1, Java SE Embedded 7u51 See Note 2
CVE-2014-0456 Java SE, Java SE Embedded Multiple Hotspot Yes 10.0 Network Low None Complete Complete Complete Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-2421 Java SE, JavaFX, Java SE Embedded Multiple 2D Yes 10.0 Network Low None Complete Complete Complete Java SE 5.0u61, Java SE 6u71, Java SE 7u51, Java SE 8, JavaFX 2.2.51, Java SE Embedded 7u51 See Note 2
CVE-2014-2410 Java SE Multiple JavaFX Yes 9.3 Network Medium None Complete Complete Complete Java SE 8 See Note 2
CVE-2014-2397 Java SE, Java SE Embedded Multiple Hotspot Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-0432 Java SE, Java SE Embedded Multiple Libraries Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-0455 Java SE, Java SE Embedded Multiple Libraries Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-0461 Java SE, Java SE Embedded Multiple Libraries Yes 9.3 Network Medium None Complete Complete Complete Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-0448 Java SE Multiple Deployment Yes 7.6 Network High None Complete Complete Complete Java SE 7u51, Java SE 8 See Note 2
CVE-2014-2428 Java SE, Java SE Embedded Multiple Deployment Yes 7.6 Network High None Complete Complete Complete Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-2412 Java SE, Java SE Embedded Multiple AWT Yes 7.5 Network Low None Partial Partial Partial Java SE 5.0u61, Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-0451 Java SE, Java SE Embedded Multiple AWT Yes 7.5 Network Low None Partial Partial Partial Java SE 5.0u61, Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-0458 Java SE, Java SE Embedded Multiple JAX-WS Yes 7.5 Network Low None Partial Partial Partial Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-2423 Java SE, Java SE Embedded Multiple JAX-WS Yes 7.5 Network Low None Partial Partial Partial Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-0452 Java SE, Java SE Embedded Multiple JAX-WS Yes 7.5 Network Low None Partial Partial Partial Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-2414 Java SE, Java SE Embedded Multiple JAXB Yes 7.5 Network Low None Partial Partial Partial Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-2402 Java SE, Java SE Embedded Multiple Libraries Yes 7.5 Network Low None Partial Partial Partial Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-0446 Java SE, Java SE Embedded Multiple Libraries Yes 7.5 Network Low None Partial Partial Partial Java SE 5.0u61, Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-0454 Java SE, Java SE Embedded Multiple Security Yes 7.5 Network Low None Partial Partial Partial Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-2427 Java SE, Java SE Embedded Multiple Sound Yes 7.5 Network Low None Partial Partial Partial Java SE 5.0u61, Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-2422 Java SE, JavaFX Multiple JavaFX Yes 6.8 Network Medium None Partial Partial Partial Java SE 7u51, Java SE 8, JavaFX 2.2.51 See Note 2
CVE-2014-2409 Java SE, Java SE Embedded Multiple Deployment Yes 6.4 Network Low None Partial Partial None Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-0460 Java SE, JRockit, Java SE Embedded Multiple JNDI Yes 5.8 Network Medium None Partial Partial None Java SE 5.0u61, Java SE 6u71, Java SE 7u51, Java SE 8, JRockit R27.8.1, JRockit R28.3.1, Java SE Embedded 7u51 See Note 1
CVE-2013-6954 Java SE, JRockit, Java SE Embedded Multiple AWT Yes 5.0 Network Low None None None Partial Java SE 6u71, Java SE 7u51, Java SE 8, JRockit R28.3.1, Java SE Embedded 7u51 See Note 1
CVE-2013-6629 Java SE, Java SE Embedded Multiple AWT Yes 5.0 Network Low None Partial None None Java SE 5.0u61, Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 1
CVE-2014-0449 Java SE, Java SE Embedded Multiple Deployment Yes 5.0 Network Low None Partial None None Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-2403 Java SE, Java SE Embedded Multiple JAXP Yes 5.0 Network Low None Partial None None Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-2401 Java SE, JavaFX, Java SE Embedded Multiple 2D Yes 5.0 Network Low None Partial None None Java SE 5.0u61, Java SE 6u71, Java SE 7u51, Java SE 8, JavaFX 2.2.51, Java SE Embedded 7u51 See Note 2
CVE-2014-0463 Java SE Multiple Scripting Yes 4.3 Network Medium None Partial None None Java SE 8 See Note 2
CVE-2014-0464 Java SE Multiple Scripting Yes 4.3 Network Medium None Partial None None Java SE 8 See Note 2
CVE-2014-0459 Java SE, Java SE Embedded Multiple 2D Yes 4.3 Network Medium None None None Partial Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-2413 Java SE, Java SE Embedded Multiple Libraries Yes 4.3 Network Medium None None Partial None Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2
CVE-2014-0453 Java SE, JRockit, Java SE Embedded Multiple Security Yes 4.0 Network High None Partial Partial None Java SE 5.0u61, Java SE 6u71, Java SE 7u51, Java SE 8, JRockit R27.8.1, JRockit R28.3.1, Java SE Embedded 7u51 See Note 1
CVE-2014-2398 Java SE, JavaFX, JRockit, HTTP Javadoc No 3.5 Network Medium Single None Partial None Java SE 5.0u61, Java SE 6u71, Java SE 7u51, Java SE 8, JavaFX 2.2.51, JRockit R27.8.1, JRockit R28.3.1 See Note 3
CVE-2014-1876 Java SE, JRockit, Java SE Embedded Multiple Libraries No 2.6 Local High None None Partial Partial Java SE 5.0u61, Java SE 6u71, Java SE 7u51, Java SE 8, JRockit R27.8.1, JRockit R28.3.1, Java SE Embedded 7u51 See Note 4
CVE-2014-2420 Java SE, Java SE Embedded Multiple Deployment Yes 2.6 Network High None None Partial None Java SE 6u71, Java SE 7u51, Java SE 8, Java SE Embedded 7u51 See Note 2

Notes:

  1. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
  2. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
  3. Applies to sites that run the Javadoc tool as a service and then host the resulting documentation. It is recommended that sites filter HTML where it is not explicitly allowed for javadocs.
  4. Applies to the unpack200 tool.

Appendix – Oracle and Sun Systems Products Suite

Oracle and Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 3 new security fixes for the Oracle and Sun Systems Products Suite. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle and Sun Systems Products Suite Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2014-0447 Solaris None Kernel No 4.9 Local Low None None None Complete 10, 11.1
CVE-2014-0442 Solaris None Print Filter Utility No 4.6 Local Low None Partial Partial Partial 9, 10, 11.1
CVE-2014-0421 Solaris None SPARC64-X Platform No 4.6 Local Low None Partial Partial Partial 10 See Note 1

Notes:

  1. Applies only when Solaris is running on SPARC64-X platform.

Appendix – Oracle Linux and Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 5 new security fixes for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-6462 Oracle Secure Global Desktop (SGD) TCP LibXfont Yes 9.3 Network Medium None Complete Complete Complete 4.63, 4.71, 5.0, 5.1
CVE-2014-2439 Oracle Secure Global Desktop (SGD) HTTP Workspace Web Application Yes 6.4 Network Low None Partial Partial None 5.0, 5.1
CVE-2014-0981 Oracle VM VirtualBox None Core No 4.4 Local Medium None Partial+ Partial+ Partial+ VirtualBox prior to 3.2.22, 4.0.24, 4.1.32, 4.2.24, 4.3.8 See Note 1
CVE-2014-2441 Oracle VM VirtualBox None Graphics driver (WDDM) for Windows guests No 4.4 Local Medium None Partial Partial Partial+ VirtualBox prior to 4.1.32, 4.2.24, 4.3.10
CVE-2014-2463 Oracle Secure Global Desktop (SGD) HTTP Workspace Web Application Yes 4.3 Network Medium None None Partial None 4.63, 4.71, 5.0, 5.1

Notes:

  1. This fix also addresses CVE-2014-0982 and CVE-2014-0983.

Appendix – Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 14 new security fixes for Oracle MySQL. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2014-2444 MySQL Server MySQL Protocol InnoDB No 6.5 Network Low Single Partial+ Partial+ Partial+ 5.6.15 and earlier
CVE-2014-2436 MySQL Server MySQL Protocol RBR No 6.0 Network Medium Single Partial+ Partial+ Partial+ 5.5.36 and earlier, 5.6.16 and earlier
CVE-2014-2440 MySQL Client MySQL Protocol Client Yes 5.1 Network High None Partial Partial Partial 5.5.36 and earlier, 5.6.16 and earlier See Note 1
CVE-2014-2434 MySQL Server MySQL Protocol DML No 4.0 Network Low Single None None Partial+ 5.6.15 and earlier
CVE-2014-2435 MySQL Server MySQL Protocol InnoDB No 4.0 Network Low Single None None Partial+ 5.6.16 and earlier
CVE-2014-2442 MySQL Server MySQL Protocol MyISAM No 4.0 Network Low Single None None Partial+ 5.6.15 and earlier
CVE-2014-2450 MySQL Server MySQL Protocol Optimizer No 4.0 Network Low Single None None Partial+ 5.6.15 and earlier
CVE-2014-2419 MySQL Server MySQL Protocol Partition No 4.0 Network Low Single None None Partial+ 5.5.35 and earlier, 5.6.15 and earlier
CVE-2014-0384 MySQL Server MySQL Protocol XML No 4.0 Network Low Single None None Partial+ 5.5.35 and earlier, 5.6.15 and earlier
CVE-2014-2430 MySQL Server MySQL Protocol Performance Schema No 3.5 Network Medium Single None None Partial 5.5.36 and earlier, 5.6.16 and earlier
CVE-2014-2451 MySQL Server MySQL Protocol Privileges No 3.5 Network Medium Single None None Partial 5.6.15 and earlier
CVE-2014-2438 MySQL Server MySQL Protocol Replication No 3.5 Network Medium Single None None Partial+ 5.5.35 and earlier, 5.6.15 and earlier
CVE-2014-2432 MySQL Server MySQL Protocol Federated No 2.8 Network Medium Multiple None None Partial+ 5.5.35 and earlier, 5.6.15 and earlier
CVE-2014-2431 MySQL Server MySQL Protocol Options Yes 2.6 Network High None None None Partial+ 5.5.36 and earlier, 5.6.16 and earlier

Notes:

  1. CVE-2014-2440 is equivalent to CVE-2014-0001.


Oracle Critical Patch Update Advisory – January 2014

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 144 new security fixes across the product families listed below.

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available at: http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions Patch Availability
Oracle Database 11g Release 1, version 11.1.0.7 Database
Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4 Database
Oracle Database 12c Release 1, version 12.1.0.1 Database
Oracle Fusion Middleware 11g Release 1, versions 11.1.1.6, 11.1.1.7 Fusion Middleware
Oracle Fusion Middleware 11g Release 2, versions 11.1.2.0, 11.1.2.1 Fusion Middleware
Oracle Fusion Middleware 12c Release 2, version 12.1.2 Fusion Middleware
Oracle Enterprise Data Quality, versions 8.1, 9.0.8 Fusion Middleware
Oracle Forms and Reports 11g, Release 2, version 11.1.2.1 Fusion Middleware
Oracle GlassFish Server, version 2.1.1, Sun Java Application Server, versions 8.1, 8.2 Fusion Middleware
Oracle HTTP Server 11g, versions 11.1.1.6, 11.1.1.7 Fusion Middleware
Oracle HTTP Server 12c, version 12.1.2 Fusion Middleware
Oracle Identity Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.0, 11.1.2.1 Fusion Middleware
Oracle Internet Directory, versions 11.1.1.6, 11.1.1.7 Fusion Middleware
Oracle iPlanet Web Proxy Server, version 4.0 Fusion Middleware
Oracle iPlanet Web Server, versions 6.1, 7.0 Fusion Middleware
Oracle Outside In Technology, versions 8.4.0, 8.4.1 Fusion Middleware
Oracle Portal, version 11.1.1.6 Fusion Middleware
Oracle Reports Developer, versions 11.1.1.6, 11.1.1.7, 11.1.2.1 Fusion Middleware
Oracle Traffic Director, versions 11.1.1.6, 11.1.1.7 Fusion Middleware
Oracle WebCenter Portal versions 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0 Fusion Middleware
Oracle WebCenter Sites versions 11.1.1.6.1, 11.1.1.8.0 Fusion Middleware
Oracle Hyperion Essbase Administration Services, versions 11.1.2.1, 11.1.2.2, 11.1.2.3 Fusion Middleware
Oracle Hyperion Strategic Finance, versions 11.1.2.1, 11.1.2.2 Fusion Middleware
Oracle E-Business Suite Release 11i, version 11.5.10.2 E-Business Suite
Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2 E-Business Suite
Oracle Agile Product Lifecycle Management for Process, versions 6.0, 6.1, 6.1.1 Oracle Supply Chain
Oracle AutoVue, versions 20.1.1 Oracle Supply Chain
Oracle Demantra Demand Management, versions 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3 Oracle Supply Chain
Oracle Transportation Management, versions 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2 Oracle Supply Chain
Oracle PeopleSoft Enterprise HRMS, versions 9.1.0, 9.2.0 PeopleSoft
Oracle PeopleSoft Enterprise HRMS Human Resources, versions 9.1, 9.2 PeopleSoft
Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53 PeopleSoft
Oracle PeopleSoft Enterprise SCM Services Procurement, version 9.2 PeopleSoft
Oracle Siebel Core, versions 8.1.1, 8.2.2 Siebel
Oracle Siebel Life Sciences, versions 8.1.1, 8.2.2 Siebel
Oracle iLearning, version 6.0 iLearning
Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1, 12.0.2 Oracle FLEXCUBE
Oracle JavaFX, versions 2.2.45 and earlier Oracle Java SE
Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier Oracle Java SE
Oracle Java SE Embedded, versions 7u45 and earlier Oracle Java SE
Oracle JRockit, versions R27.7.7 and earlier, R28.2.9 and earlier Oracle Java SE
Oracle Solaris versions 8, 9, 10, 11.1 Oracle and Sun Systems Products Suite
Oracle Secure Global Desktop, versions 4.63.x, 4.71.x, 5.0.x, 5.10 Oracle Linux and Virtualization
Oracle VM VirtualBox, versions prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.6 Oracle Linux and Virtualization
Oracle MySQL Enterprise Monitor, versions 2.3, 3.0 Oracle MySQL Product Suite
Oracle MySQL Server, versions 5.1, 5.5, 5.6 Oracle MySQL Product Suite

Patch Availability Table and Risk Matrices

Products with Cumulative Patches

The Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Industry Applications, Primavera and Oracle VM patches in the Critical Patch Updates are cumulative. In other words, patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates. For more information about cumulative and non-cumulative patches, check the patch availability documents in the table below for the respective product groups.

Patch Availability Table

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update January 2014 Documentation Map, My Oracle Support Note 1592294.1.

Product Group Risk Matrix Patch Availability and Installation Information
Oracle Database Oracle Database Risk Matrix Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1594621.1
Oracle Fusion Middleware Oracle Fusion Middleware Risk Matrix Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1594621.1
Oracle Applications – E-Business Suite Oracle E-Business Suite Risk Matrix Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (January 2014), My Oracle Support Note 1605340.1
Oracle Applications – Oracle Supply Chain, PeopleSoft Enterprise, Siebel and iLearning Products Suite Oracle Supply Chain Risk Matrix; Oracle PeopleSoft Enterprise Risk Matrix; Oracle Siebel CRM Risk Matrix; Oracle iLearning Products Risk Matrix Critical Patch Update Knowledge Document for Oracle Supply Chain, PeopleSoft Enterprise, Siebel and iLearning Products suite, My Oracle Support Note 1608821.1
Oracle FLEXCUBE Products Suite Oracle Financial Services Software Risk Matrix Contact Oracle Customer Support for patches, https://support.oracle.com
Oracle Java Oracle JDK and JRE Risk Matrix
  • Critical Patch Update January 2014 Patch Availability Document for Java, My Oracle Support Note 1607034.1
  • Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
  • The latest JavaFX release is included with the latest update of JDK and JRE 7.
Oracle and Sun Systems Products Suite Oracle and Sun Systems Products Suite Risk Matrix Critical Patch Update January 2014 Patch Delivery Document for Oracle and Sun Systems Product Suite, My Oracle Support Note 1607615.1
Oracle Linux and Virtualization Products Oracle Linux and Virtualization Products Risk Matrix Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1608471.1
Oracle MySQL Oracle MySQL Risk Matrix Critical Patch Update January 2014 Patch Availability Document for Oracle MySQL Products, My Oracle Support Note 1609570.1

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is available here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. Italics indicate vulnerabilities in code included from other product areas.

Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1594621.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Adam Willard of Foreground Security; Alexander Kornbrust of Red Database Security; Alexey Tyurin of ERPScan (Digital Security Research Group); Apple Inc.; Arseniy Akuney of TELUS Security Labs; Borked of the Google Security Team; Carlo Di Dato of iDefense; Christopher Meyer of Ruhr-University Bochum; Daniel EkBerg of Kentor AB Sweden; Esteban Martinez Fayo formerly of Application Security Inc.; Fernando Muñoz; Information Security Office for the University of Texas at Austin; John Leitch working with HP’s Zero Day Initiative; Joseph Sheridan of Reactionis; Juraj Somorovsky of Ruhr-University Bochum; Matthew Daley; Oliver Gruskovnjak of Portcullis Inc; Sam Thomas of Pentest Limited; Sebastian Schinzel of University of Applied Sciences Münster; Tanel Poder; Will Dormann of CERT/CC; and Yuki Chen of Trend Micro.

Security-In-Depth Contributors

Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Moez Roy; Owais Mohammad Khan formerly of KPMG; Tor Erling Bjorstad; and Yash Kadakia of Security Brigade for contributions to Oracle’s Security-In-Depth program.

On-Line Presence Security Contributors

Oracle provides recognition to people that have contributed to our On-Line Presence Security program (see FAQ). People are recognized for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes Abdullah Hussam Gazi; Adam Willard of Foreground Security; Ali Hasan Ghauri; Ali Hussein of Help AG Middle East; Anand Tiwari; Ben Khlifa Fahmi; Dibyendu Sikdar; Griffin Francis; James Pearson; Johnathan Simon; Koutrouss Naddara of Kotros Nadara; Mohammed Osman; Muhammad Talha Khan; Osanda Malith Jayathissa; Peter Jaric; Rafay Baloch; Rakesh Singh of Zero Day Guys; Sky_BlaCk; Sunil Dadhich; Suraj Radhakrishnan; and Vishnu Patel for contributions to Oracle’s On-Line Presence Security program.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 15 April 2014
  • 15 July 2014
  • 14 October 2014
  • 20 January 2015

References

Modification History

2014-January-14 Rev 1. Initial Release

Appendix – Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

CVE# Component Protocol Package and/or Privilege Required Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-5853 Core RDBMS Oracle Net Yes 5.0 Network Low None None None Partial 11.1.0.7, 11.2.0.3, 12.1.0.1
CVE-2014-0378 Spatial Oracle Net Local Login, Create Session No 4.1 Local Medium Single Partial Partial Partial 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1
CVE-2014-0377 Core RDBMS Oracle Net Create Session, Create Role, Create User, Select privilege on SYS tables. No 4.0 Network Low Single Partial None None 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1
CVE-2013-5858 Core RDBMS Oracle Net Create Session, Create View No 4.0 Network Low Single None Partial None 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1
CVE-2013-5764 Core RDBMS Oracle Net Create Session, Alter Session No 3.5 Network Medium Single None None Partial+ 11.1.0.7, 11.2.0.3, 12.1.0.1

Appendix – Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 22 new security fixes for Oracle Fusion Middleware. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that can be exploited by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle customers should apply the January 2014 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2014 Patch Availability Document for Oracle Products, My Oracle Support Note 1594621.1.

Oracle Fusion Middleware Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-4316 Oracle WebCenter Sites HTTP WebCenter Sites Community Yes 10.0 Network Low None Complete Complete Complete 11.1.1.6.1, 11.1.1.8.0 See Note 1
CVE-2013-5785 Oracle Reports Developer HTTP Security and Authentication Yes 7.5 Network Low None Partial+ Partial+ Partial+ 11.1.1.6, 11.1.1.7, 11.1.2.1 See Note 2
CVE-2007-0009 Oracle HTTP Server HTTPS OSSL Module Yes 6.8 Network Medium None Partial Partial Partial OHS: 11.1.1.6.0, 11.1.1.7.0 Oracle Forms and Reports: 11.1.2.1 See Note 3
CVE-2014-0400 Oracle Internet Directory HTTP OID LDAP server No 6.3 Network Medium Single Complete None None 11.1.1.6, 11.1.1.7
CVE-2013-1862 Oracle HTTP Server HTTP Web Listener Yes 5.1 Network High None Partial Partial Partial OHS: 11.1.1.6.0, 11.1.1.7.0, 12.1.2.0 Oracle Forms and Reports: 11.1.2.1
CVE-2012-3544 Oracle Enterprise Data Quality HTTP Internal Operations Yes 5.0 Network Low None None None Partial 8.1, 9.0.8 See Note 4
CVE-2013-1654 Oracle HTTP Server HTTPS OSSL Module Yes 5.0 Network Low None None Partial None OHS: 11.1.1.6.0, 11.1.1.7.0 Oracle Forms and Reports: 11.1.2.1 Fusion Middleware: 10.1.3.5.0
CVE-2012-4605 Oracle HTTP Server HTTPS OSSL Module Yes 5.0 Network Low None Partial None None OHS: 11.1.1.6.0, 11.1.1.7.0 Oracle Forms and Reports: 11.1.2.1 See Note 5
CVE-2014-0391 Oracle Identity Manager HTTP End User Self Service Yes 5.0 Network Low None Partial None None 11.1.1.5, 11.1.1.7, 11.1.2.0, 11.1.2.1
CVE-2013-5869 Oracle WebCenter Portal HTTP Page Service Yes 5.0 Network Low None Partial None None 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0
CVE-2013-1620 Oracle GlassFish Server HTTPS Security Yes 4.3 Network Medium None Partial None None GlassFish Enterprise Server 2.1.1, Sun Java Application Server 8.1, 8.2
CVE-2012-3499 Oracle HTTP Server HTTP Web Listener Yes 4.3 Network Medium None None Partial None OHS: 11.1.1.6.0, 11.1.1.7.0 Oracle Forms and Reports: 11.1.2.1 See Note 6
CVE-2013-5900 Oracle Identity Manager HTTP End User Self Service Yes 4.3 Network Medium None None Partial None 11.1.1.5, 11.1.1.7, 11.1.2.0, 11.1.2.1
CVE-2013-5901 Oracle Identity Manager HTTP Identity Console Yes 4.3 Network Medium None Partial+ None None 11.1.2.0, 11.1.2.1
CVE-2014-0374 Oracle Portal HTTP Page Parameters and Events Yes 4.3 Network Medium None None Partial None 11.1.1.6
CVE-2013-1620 Oracle Traffic Director HTTPS Security Yes 4.3 Network Medium None Partial None None 11.1.1.6, 11.1.1.7
CVE-2013-1620 Oracle iPlanet Web Proxy Server HTTPS Security Yes 4.3 Network Medium None Partial None None 4.0
CVE-2013-1620 Oracle iPlanet Web Server HTTPS Security Yes 4.3 Network Medium None Partial None None 6.1, 7.0
CVE-2014-0383 Oracle Identity Manager HTTP Identity Console No 3.5 Network Medium Single Partial None None 11.1.2.0, 11.1.2.1
CVE-2007-1858 Oracle HTTP Server HTTPS OSSL Module Yes 2.6 Network High None Partial None None OHS: 11.1.1.6.0, 11.1.1.7.0 Oracle Forms and Reports: 11.1.2.1
CVE-2013-5808 Oracle iPlanet Web Proxy Server HTTP Administration Yes 2.6 Network High None Partial None None 4.0
CVE-2013-5879 Oracle Outside In Technology HTTP Outside In Maintenance No 1.5 Local Medium Single None None Partial 8.4.0, 8.4.1 See Note 7

Notes:

  1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.3: CVE-2013-4316, CVE-2013-2251, CVE-2013-2248, CVE-2013-2135 and CVE-2013-2134. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316.
  2. Please refer to Doc ID My Oracle Support Note 1608683.1 for instructions on how to address this issue.
  3. This fix also addresses CVE-2007-0008.
  4. Please refer to Doc ID My Oracle Support Note 1595538.1 for instructions on how to address this issue.
  5. This fix also addresses CVE-2006-0998 and CVE-2006-0999.
  6. This fix also addresses CVE-2012-4558.
  7. Outside In Technology is a suite of software development kits (SDKs). It does not have any particular associated protocol. If the hosting software passes data received over the network to Outside In Technology code, the CVSS Base Score would increase to 6.8.

Appendix – Oracle Hyperion

Oracle Hyperion Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Hyperion. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Hyperion Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-3830 Hyperion Strategic Finance Microsoft RPC Server No 7.1 Network High Single Complete Complete Complete 11.1.2.1, 11.1.2.2
CVE-2014-0367 Hyperion Essbase Administration Services HTTP Admin Console No 5.5 Network Low Single Partial Partial None 11.1.2.1, 11.1.2.2, 11.1.2.3

Appendix – Oracle Applications

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 4 new security fixes for the Oracle E-Business Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that can be exploited by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle customers should apply the January 2014 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (January 2014), My Oracle Support Note 1605340.1.

Oracle E-Business Suite Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-5890 Oracle Payroll HTTP Exception Reporting No 5.5 Network Low Single Partial+ Partial+ None 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2
CVE-2014-0398 Oracle Application Object Library HTTP Discoverer Yes 5.0 Network Low None Partial None None 11.5.10.2, 12.0.6, 12.1.3, 12.2.2
CVE-2014-0366 Oracle Applications Framework HTTP Attachments No 4.0 Network Low Single Partial None None 11.5.10.2, 12.0.6, 12.1.3, 12.2.2
CVE-2013-5874 Oracle Application Object Library None Logging No 1.7 Local Low Single Partial None None 11.5.10.2, 12.0.6, 12.1.3, 12.2.2

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 16 new security fixes for the Oracle Supply Chain Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-5897 Oracle Agile Product Lifecycle Management for Process HTTP Manage Data Cache No 5.5 Network Low Single Partial+ Partial+ None 6.0, 6.1, 6.1.1
CVE-2014-0372 Oracle Demantra Demand Management HTTP DM Others No 5.5 Network Low Single Partial+ Partial+ None 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1, 12.2.2
CVE-2013-5877 Oracle Demantra Demand Management HTTP DM Others Yes 5.0 Network Low None Partial None None 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1
CVE-2013-5880 Oracle Demantra Demand Management HTTP DM Others Yes 5.0 Network Low None Partial None None 12.2.0, 12.2.1, 12.2.2
CVE-2013-5795 Oracle Demantra Demand Management HTTP DM Others Yes 5.0 Network Low None Partial+ None None 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3
CVE-2012-3544 Oracle Transportation Management HTTP Application Server Yes 5.0 Network Low None None None Partial 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2
CVE-2014-0434 Oracle Agile Product Lifecycle Management for Process HTTP Installation Yes 4.3 Network Medium None None Partial None 6.0, 6.1, 6.1.1
CVE-2014-0379 Oracle Demantra Demand Management HTTP DM Others Yes 4.3 Network Medium None None Partial None 7.2.0.3 SQL-Server, 7.3.0.x, 7.3.1.x, 12.2.0, 12.2.1, 12.2.2
CVE-2013-2067 Oracle Transportation Management HTTP Application Server No 4.0 Network Low Single Partial+ None None 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2
CVE-2013-2071 Oracle Transportation Management HTTP Application Server No 4.0 Network Low Single Partial None None 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2
CVE-2014-0399 Oracle Transportation Management HTTP Data, Domain & Function Security No 4.0 Network Low Single Partial None None 6.2, 6.3, 6.3.1, 6.3.2
CVE-2014-0435 Oracle Transportation Management HTTP Data, Domain & Function Security No 4.0 Network Low Single None None Partial 6.1, 6.2, 6.3, 6.3.1, 6.3.2
CVE-2013-5871 Oracle AutoVue HTTP Web General No 3.5 Network Medium Single Partial None None 20.1.1
CVE-2013-5868 Oracle AutoVue HTTP Web General No 3.5 Network Medium Single Partial+ None None 20.1.1
CVE-2014-0444 Oracle AutoVue HTTP Web General No 3.5 Network Medium Single Partial None None 20.1.1
CVE-2014-0371 Oracle Demantra Demand Management HTTP DM Others No 3.5 Network Medium Single None Partial None 7.2.0.3 SQL-Server, 7.3.0.x, 7.3.1.x, 12.2.0, 12.2.1, 12.2.2

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 17 new security fixes for Oracle PeopleSoft Products. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-5873 PeopleSoft Enterprise PeopleTools HTTP Integration Broker Yes 5.0 Network Low None Partial None None 8.52, 8.53
CVE-2014-0441 PeopleSoft Enterprise PeopleTools HTTP Integration Broker Yes 5.0 Network Low None None None Partial 8.52, 8.53
CVE-2014-0396 PeopleSoft Enterprise PeopleTools HTTP Portal – Web Services Yes 5.0 Network Low None Partial None None 8.52, 8.53
CVE-2014-0443 PeopleSoft Enterprise PeopleTools HTTP Security Yes 5.0 Network Low None None Partial None 8.52
CVE-2014-0394 PeopleSoft Enterprise PeopleTools HTTP Updates Environment Mgmt Yes 5.0 Network Low None Partial None None 8.52, 8.53
CVE-2014-0395 PeopleSoft Enterprise PeopleTools HTTP Updates Environment Mgmt Yes 5.0 Network Low None Partial None None 8.52, 8.53
CVE-2013-5909 PeopleSoft Enterprise HRMS HTTP Org and Workforce Dev No 4.9 Network Medium Single Partial Partial None 9.1, 9.2
CVE-2013-5886 PeopleSoft Enterprise HRMS HTTP Common Application Objects Yes 4.3 Network Medium None None Partial None 9.1, 9.2
CVE-2014-0380 PeopleSoft Enterprise PeopleTools HTTP MultiChannel Framework (MCF) Yes 4.3 Network Medium None None Partial None 8.52, 8.53
CVE-2014-0445 PeopleSoft Enterprise PeopleTools HTTP PIA Core Technology Yes 4.3 Network Medium None None Partial None 8.52, 8.53
CVE-2014-0392 PeopleSoft Enterprise HRMS HTTP Security No 4.0 Network Low Single Partial None None 9.1, 9.2
CVE-2014-0388 PeopleSoft Enterprise HRMS Human Resources HTTP Org and Workforce Dev No 4.0 Network Low Single Partial None None 9.1, 9.2
CVE-2014-0440 PeopleSoft Enterprise PeopleTools HTTP PIA Core Technology No 4.0 Network Low Single None None Partial 8.52, 8.53
CVE-2014-0439 PeopleSoft Enterprise PeopleTools HTTP Report Distribution No 4.0 Network Low Single None Partial None 8.52, 8.53
CVE-2014-0438 PeopleSoft Enterprise PeopleTools None Panel Processor No 4.0 Network Low Single Partial None None 8.52, 8.53
CVE-2014-0425 PeopleSoft Enterprise SCM Services Procurement HTTP Security No 4.0 Network Low Single Partial None None 9.2
CVE-2014-0381 PeopleSoft Enterprise PeopleTools HTTP PIA Core Technology Yes 2.6 Network High None None Partial None 8.52, 8.53

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Siebel CRM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2014-0369 Siebel Core – EAI HTTP Java Integration Yes 5.0 Network Low None Partial None None 8.1.1, 8.2.2
CVE-2014-0370 Siebel Life Sciences HTTP Clinical Trip Report No 2.8 Network Medium Multiple None None Partial 8.1.1, 8.2.2

Oracle iLearning Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle iLearning Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2014-0389 Oracle iLearning HTTP Learner Pages Yes 4.3 Network Medium None None Partial None 6.0

Appendix – Oracle Financial Services Software

Oracle Financial Services Software Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Financial Services Software. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Financial Services Software Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-4316 Oracle FLEXCUBE Private Banking HTTP Core Yes 10.0 Network Low None Complete Complete Complete 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1, 12.0.2 See Note 1

Notes:

  1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.3: CVE-2013-4316 and CVE-2013-4310. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316.

Appendix – Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 36 new security fixes for Oracle Java SE. 34 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.


The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Partial” instead of “Complete”, lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.


Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 release.


My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products that include an Oracle Java SE JDK or JRE.

Oracle Java SE Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2014-0410 Java SE Multiple Deployment Yes 10.0 Network Low None Complete Complete Complete Java SE 6u65, Java SE 7u45 See Note 1
CVE-2014-0415 Java SE Multiple Deployment Yes 10.0 Network Low None Complete Complete Complete Java SE 6u65, Java SE 7u45 See Note 1
CVE-2013-5907 Java SE, JRockit, Java SE Embedded Multiple 2D Yes 10.0 Network Low None Complete Complete Complete Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JRockit R27.7.7, JRockit R28.2.9, Java SE Embedded 7u45 See Note 2
CVE-2014-0428 Java SE, Java SE Embedded Multiple CORBA Yes 10.0 Network Low None Complete Complete Complete Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 See Note 1
CVE-2014-0422 Java SE, Java SE Embedded Multiple JNDI Yes 10.0 Network Low None Complete Complete Complete Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 See Note 1
CVE-2014-0385 Java SE HTTP Install Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u45 on OS X See Note 3
CVE-2013-5889 Java SE Multiple Deployment Yes 9.3 Network Medium None Complete Complete Complete Java SE 6u65, Java SE 7u45 See Note 1
CVE-2014-0408 Java SE Multiple Hotspot Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u45 on OS X See Note 1
CVE-2013-5893 Java SE, Java SE Embedded Multiple Libraries Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u45, Java SE Embedded 7u45 See Note 1
CVE-2014-0417 Java SE, JavaFX, Java SE Embedded Multiple 2D Yes 9.3 Network Medium None Complete Complete Complete Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JavaFX 2.2.45, Java SE Embedded 7u45 See Note 1
CVE-2014-0387 Java SE Multiple Deployment Yes 7.6 Network High None Complete Complete Complete Java SE 6u65, Java SE 7u45 on Firefox See Note 1
CVE-2014-0424 Java SE Multiple Deployment Yes 7.5 Network Low None Partial Partial Partial Java SE 6u65, Java SE 7u45 See Note 1
CVE-2014-0373 Java SE Multiple Serviceability Yes 7.5 Network Low None Partial Partial Partial Java SE 5.0u55, Java SE 6u65, Java SE 7u45 See Note 1
CVE-2013-5878 Java SE, Java SE Embedded Multiple Security Yes 7.5 Network Low None Partial Partial Partial Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 See Note 1
CVE-2013-5904 Java SE Multiple Deployment Yes 6.8 Network Medium None Partial Partial Partial Java SE 7u45 See Note 1
CVE-2013-5870 Java SE, JavaFX Multiple JavaFX Yes 6.8 Network Medium None Partial Partial Partial Java SE 7u45, JavaFX 2.2.45 See Note 1
CVE-2014-0403 Java SE Multiple Deployment Yes 5.8 Network Medium None Partial Partial None Java SE 6u65, Java SE 7u45 See Note 1
CVE-2014-0375 Java SE Multiple Deployment Yes 5.8 Network Medium None Partial Partial None Java SE 6u65, Java SE 7u45 See Note 1
CVE-2014-0423 Java SE, JRockit, Java SE Embedded Multiple Beans No 5.5 Network Low Single Partial None Partial Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JRockit R27.7.7, JRockit R28.2.9, Java SE Embedded 7u45 See Note 2
CVE-2013-5905 Java SE HTTP Install Yes 5.1 Network High None Partial Partial Partial Java SE 5.0u55, Java SE 6u65, Java SE 7u45 See Note 3
CVE-2013-5906 Java SE HTTP Install Yes 5.1 Network High None Partial Partial Partial Java SE 5.0u55, Java SE 6u65, Java SE 7u45 See Note 3
CVE-2013-5902 Java SE Multiple Deployment Yes 5.1 Network High None Partial Partial Partial Java SE 6u65, Java SE 7u45 See Note 1
CVE-2014-0418 Java SE Multiple Deployment Yes 5.1 Network High None Partial Partial Partial Java SE 6u65, Java SE 7u45 See Note 1
CVE-2013-5887 Java SE HTTP Deployment Yes 5.0 Network Low None None None Partial Java SE 6u65, Java SE 7u45 See Note 1
CVE-2013-5899 Java SE Multiple Deployment Yes 5.0 Network Low None Partial None None Java SE 6u65, Java SE 7u45 See Note 1
CVE-2013-5896 Java SE, Java SE Embedded Multiple CORBA Yes 5.0 Network Low None None None Partial Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 See Note 1
CVE-2013-5884 Java SE, Java SE Embedded Multiple CORBA Yes 5.0 Network Low None Partial None None Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 See Note 1
CVE-2014-0416 Java SE, Java SE Embedded Multiple JAAS Yes 5.0 Network Low None None Partial None Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 See Note 1
CVE-2014-0376 Java SE, Java SE Embedded Multiple JAXP Yes 5.0 Network Low None None Partial None Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 See Note 1
CVE-2014-0368 Java SE, Java SE Embedded Multiple Networking Yes 5.0 Network Low None Partial None None Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 See Note 1
CVE-2013-5910 Java SE, Java SE Embedded Multiple Security Yes 5.0 Network Low None None Partial None Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 See Note 1
CVE-2013-5895 Java SE, JavaFX Multiple JavaFX Yes 5.0 Network Low None Partial None None Java SE 7u45, JavaFX 2.2.45 See Note 1
CVE-2013-5888 Java SE Multiple Deployment No 4.6 Local Low None Partial Partial Partial Java SE 6u65, Java SE 7u45 See Note 4
CVE-2014-0382 Java SE, JavaFX Multiple JavaFX Yes 4.3 Network Medium None None None Partial Java SE 7u45, JavaFX 2.2.45 See Note 1
CVE-2013-5898 Java SE HTTP Deployment Yes 4.0 Network High None Partial Partial None Java SE 6u65, Java SE 7u45 See Note 1
CVE-2014-0411 Java SE, JRockit, Java SE Embedded SSL/TLS JSSE Yes 4.0 Network High None Partial Partial None Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JRockit R27.7.7, JRockit R28.2.9, Java SE Embedded 7u45 See Note 5

Notes:

  1. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
  2. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
  3. Applies to installation process on client deployment of Java.
  4. Applies to client deployment of Java under GNOME environment on Linux and Solaris.
  5. Applies to client and server deployment of JSSE.

Appendix – Oracle and Sun Systems Products Suite

Oracle and Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 11 new security fixes for the Oracle and Sun Systems Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle and Sun Systems Products Suite Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2003-1067 Solaris None Localization (L10N) No 7.2 Local Low None Complete Complete Complete 8, 9 See Note 1
CVE-2013-5834 Solaris None “ps” command line utility No 6.2 Local High None Complete Complete Complete 8
CVE-2013-5833 Solaris None Filesystem No 4.9 Local Low None None None Complete 8, 9
CVE-2013-5876 Solaris None Kernel No 4.9 Local Low None None None Complete 10, 11.1
CVE-2013-5821 Solaris None Remote Procedure Call (RPC) No 4.6 Local Low None Partial Partial Partial 8, 9, 10, 11.1
CVE-2014-0390 Solaris HTTP Java Web Console Yes 4.3 Network Medium None None Partial None 10
CVE-2013-5883 Solaris None Kernel No 3.2 Local Low Single None Partial Partial 8 See Note 1
CVE-2013-5875 Solaris None Role Based Access Control (RBAC) No 2.7 Local Medium Multiple None Partial Partial 11.1
CVE-2013-5872 Solaris None Name Service Cache Daemon (NSCD) No 2.1 Local Low None None None Partial+ 10, 11.1
CVE-2013-2924 Solaris None Localization (L10N) No 1.9 Local Medium None None None Partial 11.1
CVE-2013-5885 Solaris None Audit No 1.7 Local Low Single None Partial None 11.1

Notes:

  1. Applies only when Solaris is running on SPARC platform.

Appendix – Oracle Linux and Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 9 new security fixes for Oracle Virtualization. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-2067 Oracle Secure Global Desktop (SGD) HTTP Apache Tomcat Yes 6.8 Network Medium None Partial Partial Partial SGD prior to SGD 4.63 with December 2013 PSU, 4.71
CVE-2014-0419 Oracle Secure Global Desktop (SGD) HTTP Administration Console and Workspace Web Applications Yes 5.1 Network High None Partial Partial Partial SGD prior to 4.63 with December 2013 PSU, 4.71, 5.0 with December 2013 PSU, 5.10
CVE-2012-3544 Oracle Secure Global Desktop (SGD) HTTP Apache Tomcat Yes 5.0 Network Low None None None Partial SGD prior to 4.63 with December 2013 PSU, 4.71
CVE-2013-5892 Oracle VM VirtualBox None Core No 3.5 Local High Single Partial+ Partial+ Partial+ VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.22, 4.3.6
CVE-2014-0407 Oracle VM VirtualBox None Core No 3.5 Local High Single Partial+ Partial+ Partial+ VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4
CVE-2014-0405 Oracle VM VirtualBox None Core No 3.5 Local High Single Partial Partial Partial VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4 See Note 1
CVE-2013-2071 Oracle Secure Global Desktop (SGD) HTTP Apache Tomcat Yes 2.6 Network High None Partial None None SGD prior to 4.71 with December 2013 PSU, 5.0 with December 2013 PSU See Note 2
CVE-2014-0406 Oracle VM VirtualBox None Core No 2.4 Local High Single None Partial+ Partial VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4
CVE-2014-0404 Oracle VM VirtualBox None Core No 2.4 Local High Single None Partial Partial+ VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4

Notes:

  1. Applies only when a Windows guest with VirtualBox Additions installed is running on VirtualBox.
  2. SGD releases prior to SGD 4.7 are not affected by CVE-2013-2071 as they do not ship with Apache Tomcat 7.x, which is the only affected release of Tomcat.

Appendix – Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 18 new security fixes for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVE# Component Protocol Sub-component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-4316 MySQL Enterprise Monitor HTTP Service Manager Yes 10.0 Network Low None Complete Complete Complete 3.0.4 and earlier, 2.3.14 and earlier See Note 1
CVE-2013-5860 MySQL Server MySQL Protocol GIS No 6.8 Network Low Single None None Complete 5.6.14 and earlier
CVE-2013-5882 MySQL Server MySQL Protocol Stored Procedure No 6.8 Network Low Single None None Complete 5.6.13 and earlier
CVE-2014-0433 MySQL Server MySQL Protocol Thread Pooling Yes 4.3 Network Medium None None None Partial 5.6.13 and earlier
CVE-2013-5894 MySQL Server MySQL Protocol InnoDB No 4.0 Network Low Single None None Partial+ 5.6.13 and earlier
CVE-2013-5881 MySQL Server MySQL Protocol InnoDB No 4.0 Network Low Single None None Partial+ 5.6.14 and earlier
CVE-2014-0412 MySQL Server MySQL Protocol InnoDB No 4.0 Network Low Single None None Partial+ 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier
CVE-2014-0402 MySQL Server MySQL Protocol Locking No 4.0 Network Low Single None None Partial+ 5.1.71 and earlier, 5.5.33 and earlier, 5.6.13 and earlier
CVE-2014-0386 MySQL Server MySQL Protocol Optimizer No 4.0 Network Low Single None None Partial+ 5.1.71 and earlier, 5.5.33 and earlier, 5.6.13 and earlier
CVE-2013-5891 MySQL Server MySQL Protocol Partition No 4.0 Network Low Single None None Partial+ 5.5.33 and earlier, 5.6.13 and earlier
CVE-2014-0401 MySQL Server MySQL Protocol Privileges No 4.0 Network Low Single None None Partial+ 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier
CVE-2014-0427 MySQL Server MySQL Protocol FTS No 3.5 Network Medium Single None None Partial+ 5.6.13 and earlier
CVE-2014-0431 MySQL Server MySQL Protocol InnoDB No 3.5 Network Medium Single None None Partial+ 5.6.14 and earlier
CVE-2014-0437 MySQL Server MySQL Protocol Optimizer No 3.5 Network Medium Single None None Partial+ 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier
CVE-2014-0393 MySQL Server MySQL Protocol InnoDB No 3.3 Network Low Multiple None Partial None 5.1.71 and earlier, 5.5.33 and earlier, 5.6.13 and earlier
CVE-2014-0430 MySQL Server MySQL Protocol Performance Schema No 2.8 Network Medium Multiple None None Partial+ 5.6.13 and earlier
CVE-2014-0420 MySQL Server MySQL Protocol Replication No 2.8 Network Medium Multiple None None Partial+ 5.5.34 and earlier, 5.6.14 and earlier
CVE-2013-5908 MySQL Server MySQL Protocol Error Handling Yes 2.6 Network High None None None Partial+ 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier

Notes:

  1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.3: CVE-2013-4316 and CVE-2013-4310. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316. The CVSS score is 10.0 if MySQL Enterprise Monitor runs with admin or root privileges. The score would be 7.5 if MySQL Enterprise Monitor runs with non-admin privileges and the impact on Confidentiality, Integrity and Availability would be Partial+.
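The Java SE note earlier on this page and the MySQL Enterprise Monitor note above both rely on the same CVSS v2.0 arithmetic: a Network/Low/None vector scores 10.0 with Complete Confidentiality, Integrity and Availability and 7.5 when those drop to Partial (Oracle's "Partial+" is scored with the Partial weight, as the MySQL note's 7.5 shows). The following calculator is an added example, not part of the Oracle advisory; it uses the metric weights published in the CVSS v2 specification and reproduces the advisory's own scores, including the 9.3 and 7.6 Medium- and High-complexity rows of the Java SE matrix.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base-metric weights, as published in the CVSS v2 specification.
ACCESS_VECTOR = {
    "Local": Decimal("0.395"),
    "Adjacent Network": Decimal("0.646"),
    "Network": Decimal("1.0"),
}
ACCESS_COMPLEXITY = {
    "High": Decimal("0.35"),
    "Medium": Decimal("0.61"),
    "Low": Decimal("0.71"),
}
AUTHENTICATION = {
    "Multiple": Decimal("0.45"),
    "Single": Decimal("0.56"),
    "None": Decimal("0.704"),
}
# Oracle's "Partial+" is a scoping annotation in its risk matrices; the
# advisory's MySQL note (7.5 for Network/Low/None with Partial+ on all three
# impacts) shows it is scored with the ordinary Partial weight.
IMPACT = {
    "None": Decimal("0"),
    "Partial": Decimal("0.275"),
    "Partial+": Decimal("0.275"),
    "Complete": Decimal("0.660"),
}


def round_to_1_decimal(value: Decimal) -> float:
    """CVSS v2 rounds half up to one decimal place (not banker's rounding).

    Decimal is used so that borderline values such as 7.15008 round the way
    the specification intends, without binary floating-point noise.
    """
    return float(value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """Compute the CVSS v2.0 base score from the six base metrics.

    Arguments use the labels that appear in Oracle's risk matrices, e.g.
    cvss2_base_score("Network", "Low", "None", "Complete", "Complete", "Complete").
    """
    impact = Decimal("10.41") * (
        1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a])
    )
    exploitability = (
        Decimal("20") * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    )
    # f(Impact) is 0 when there is no impact at all, otherwise 1.176.
    f_impact = Decimal("0") if impact == 0 else Decimal("1.176")
    base = (
        Decimal("0.6") * impact + Decimal("0.4") * exploitability - Decimal("1.5")
    ) * f_impact
    return round_to_1_decimal(base)


def rescore_without_admin(av: str, ac: str, au: str) -> tuple[float, float]:
    """Return (score with Complete C/I/A, score with Partial C/I/A) for one
    exploitability vector: the adjustment the Java SE note describes for users
    who do not run applets or Web Start applications as administrator."""
    as_admin = cvss2_base_score(av, ac, au, "Complete", "Complete", "Complete")
    as_user = cvss2_base_score(av, ac, au, "Partial", "Partial", "Partial")
    return as_admin, as_user


if __name__ == "__main__":
    # The three exploitability vectors that appear in this advisory's Java SE matrix.
    for ac in ("Low", "Medium", "High"):
        admin, user = rescore_without_admin("Network", ac, "None")
        print(f"Network/{ac}/None: {admin} as administrator, {user} otherwise")
```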


Our server hosting provider asked for our root password

I work at a company that develops and hosts a small business critical system. We have an “Elastic cloud server” from a professional hosting provider.

I recently got an email from them saying that they’ve had some problems with their backup solution and that they needed to install a new kernel. And they wanted us to send them the root password so they could do this work. I know that the email came from them. It’s not support@hotmail.com or anything like that.

I called them and asked them about this, and they were like “yep, we need the password to do this”.

It just seems odd to send the root password over email like this. Do I have any reason to be concerned?

Oracle Critical Patch Update Advisory – October 2013

Appendix – Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 2 new security fixes for the Oracle Database Server. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Oracle Database 10g and 11g include Enterprise Manager Database Control which can be exploited by the vulnerabilities listed in the Oracle Enterprise Manager section. These vulnerabilities are not listed in the Oracle Database risk matrix. Oracle customers should refer to the section, Oracle Enterprise Manager for affected versions of Enterprise Manager Database Control and apply the patches as per the instructions in the Database Section of the Critical Patch Update October 2013 Patch Availability Document for Oracle Products, My Oracle Support Note 1571391.1.

Oracle Database Server Risk Matrix

CVE# Component Protocol Package and/or Privilege Required Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-5771 XML Parser Oracle Net None Yes 6.4 Network Low None Partial None Partial See Note 1
CVE-2013-3826 Core RDBMS Oracle Net None Yes 5.0 Network Low None Partial None None 11.1.0.7, 11.2.0.2, 11.2.0.3, 12.1.0.1 See Note 2
CVE-2011-3389 (Oracle Fusion Middleware) Oracle Security Service SSL/TLS None Yes 4.3 Network Medium None Partial None None 11.1.0.7, 11.2.0.2, 11.2.0.3
CVE-2013-0169 (Oracle Fusion Middleware) Oracle Security Service SSL/TLS None Yes 2.6 Network High None Partial None None 11.1.0.7, 11.2.0.2, 11.2.0.3, 12.1.0.1

Notes:

  1. This vulnerability does not affect supported versions. Unsupported versions may be affected and should be upgraded to a supported release or patch set. Refer to the Critical Patch Update October 2013 Patch Availability Document for Oracle Products, My Oracle Support Note 1571391.1 for information on supported versions. Refer to Critical Patch Update Supported Products and Versions for links to support policies.
  2. Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database. To remediate this security vulnerability, customers should configure network encryption in their clients and servers to protect sensitive data sent over untrusted networks. Refer to http://docs.oracle.com/cd/E11882_01/license.112/e47877/options.htm#CIHFDJDG – “Oracle Advanced Security section” of “Oracle Database Licensing Information 11g Release 2 (11.2)” for details of this licensing change.

Appendix – Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 17 new security fixes for Oracle Fusion Middleware. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that can be exploited by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle customers should apply the October 2013 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2013 Patch Availability Document for Oracle Products, My Oracle Support Note 1571391.1.

Oracle Fusion Middleware Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-5815
Oracle Identity Analytics HTTP Security Yes 7.5 Network Low None Partial Partial+ Partial Oracle Identity Analytics 11.1.1.5, Sun Role Manager 4.1, 5.0
CVE-2013-3831
Oracle Portal HTTP Demos No 5.5 Network Low Single Partial+ Partial+ None 11.1.1.6.0
CVE-2013-5813
Oracle WebCenter Content HTTP Content Server No 6.4 Network Low None Partial+ Partial+ None 10.1.3.5.1, 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0
CVE-2013-3827
Oracle GlassFish Server HTTP Java Server Faces Yes 5.0 Network Low None Partial None None 2.1.1, 3.0.1, 3.1.2
CVE-2013-5816
Oracle GlassFish Server SOAP Metro Yes 5.0 Network Low None None None Partial 2.1.1, 3.0.1, 3.1.2
CVE-2013-3827
Oracle JDeveloper HTTP Java Server Faces Yes 5.0 Network Low None Partial None None 11.1.2.3.0, 11.1.2.4.0, 12.1.2.0.0
CVE-2013-3828
Oracle Web Services HTTP Test Page Yes 5.0 Network Low None Partial None None 10.1.3.5.0, 11.1.1.6.0
CVE-2013-3827
Oracle WebLogic Server HTTP Web Container Yes 5.0 Network Low None Partial None None 10.3.6.0, 12.1.1.0
CVE-2013-3833
Oracle Access Manager HTTP Authentication Engine Yes 4.3 Network Medium None None Partial None 11.1.1.5.0, 11.1.2.0.0
CVE-2013-5773
Oracle Containers for J2EE HTTP Servlet Runtime Yes 4.3 Network Medium None None Partial None 10.1.3.5.0 See Note 1
CVE-2013-2172
Oracle GlassFish Server SOAP Metro Yes 4.3 Network Medium None None Partial None 2.1.1, 3.0.1, 3.1.2 See Note 2
CVE-2013-5798
Oracle Identity Manager HTTP End User Self Service Yes 4.3 Network Medium None None Partial None 11.1.2.0.0, 11.1.2.1.0
CVE-2011-3389
Oracle Security Service SSL/TLS None Yes 4.3 Network Medium None Partial None None FMW: 11.1.1.6, 11.1.1.7 Forms: 11.1.2.1
CVE-2013-3836
Oracle Web Cache HTTP ESI/Partial Page Caching No 3.5 Network Medium Single Partial+ None None 11.1.1.6, 11.1.1.7
CVE-2013-0169
Oracle Security Service SSL/TLS None Yes 2.6 Network High None Partial None None FMW: 11.1.1.6, 11.1.1.7 Forms: 11.1.2.1 OHS: 12.1.2
CVE-2013-5791
Oracle Outside In Technology None Outside In Filters No 1.5 Local Medium Single None None Partial+ 8.4.0, 8.4.1 See Note 3
CVE-2013-5763
Oracle Outside In Technology None Outside In Maintenance No 1.5 Local Medium Single None None Partial 8.4.0 See Note 3

Notes:

  1. Please refer to MOS note https://support.oracle.com/epmos/faces/DocumentDisplay?id=1586861.1 for configuration.
  2. CVE-2013-2172 is equivalent to CVE-2013-2461.
  3. Outside In Technology is a suite of software development kits (SDKs). It does not have any particular associated protocol. If the hosting software passes data received over the network to Outside In Technology code, the CVSS Base Score would increase to 6.8.

Appendix – Oracle Enterprise Manager Grid Control

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Enterprise Manager Grid Control. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that can be exploited by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle customers should apply the October 2013 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2013 Patch Availability Document for Oracle Products, My Oracle Support Note 1571391.1.

Oracle Enterprise Manager Grid Control Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-5766 Enterprise Manager Base Platform HTTP DB Performance Advisories/UIs Yes 4.3 Network Medium None None Partial None EM Base Platform: 10.2.0.5, 11.1.0.1; EM DB Control: 11.1.0.7, 11.2.0.2, 11.2.0.3; EM Plugin for DB: 12.1.0.2, 12.1.0.3
CVE-2013-3762 Enterprise Manager Base Platform HTTP Schema Management Yes 4.3 Network Medium None None Partial None EM Base Platform: 10.2.0.5, 11.1.0.1; EM DB Control: 11.1.0.7, 11.2.0.2, 11.2.0.3; EM Plugin for DB: 12.1.0.2, 12.1.0.3, 12.1.0.4
CVE-2013-5827 Enterprise Manager Base Platform HTTP Storage Management Yes 4.3 Network Medium None None Partial+ None EM Base Platform: 10.2.0.5, 11.1.0.1; EM DB Control: 11.1.0.7, 11.2.0.2, 11.2.0.3; EM Plugin for DB: 12.1.0.2
CVE-2013-5828 Enterprise Manager Base Platform HTTP Storage Management Yes 4.3 Network Medium None None Partial+ None EM Base Platform: 10.2.0.5, 11.1.0.1; EM DB Control: 11.1.0.7, 11.2.0.2, 11.2.0.3; EM Plugin for DB: 12.1.0.2, 12.1.0.3

Appendix – Oracle Applications

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 1 new security fix for the Oracle E-Business Suite. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that can be exploited by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle customers should apply the October 2013 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (October 2013), My Oracle Support Note 1585639.1.

Oracle E-Business Suite Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-5792
Techstack HTTP Apache Yes 5.0 Network Low None Partial None None 12.1

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 2 new security fixes for the Oracle Supply Chain Products Suite. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-5826
Oracle Transportation Management HTTP Install / Installation Yes 5.0 Network Low None None None Partial 6.3, 6.3.1
CVE-2013-5799
Oracle Agile PLM Framework HTTP Security Yes 4.3 Network Medium None None Partial None 9.3.2

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle PeopleSoft Products. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-5836
PeopleSoft Enterprise PeopleTools HTTP Business Interlink Yes 5.0 Network Low None Partial None None 8.51, 8.52, 8.53
CVE-2013-3835
PeopleSoft Enterprise PeopleTools HTTP Integration Broker Yes 5.0 Network Low None Partial None None 8.51, 8.52, 8.53
CVE-2013-5794
PeopleSoft Enterprise PeopleTools HTTP Portal Yes 5.0 Network Low None Partial None None 8.51, 8.52, 8.53
CVE-2013-5841
PeopleSoft Enterprise PeopleTools HTTP Portal Yes 5.0 Network Low None Partial None None 8.51, 8.52, 8.53
CVE-2013-5765
PeopleSoft Enterprise PeopleTools HTTP XML Publisher Yes 5.0 Network Low None None None Partial 8.51, 8.52, 8.53
CVE-2013-3785
PeopleSoft Enterprise HRMS HTTP Career’s Home No 4.0 Network Low Single Partial None None 9.1
CVE-2013-5847
PeopleSoft Enterprise HRMS eCompensation HTTP eCompensation No 4.0 Network Low Single Partial None None 9.1, 9.2
CVE-2013-5779
PeopleSoft Enterprise PeopleTools HTTP PIA Core Technology No 4.0 Network Low Single Partial None None 8.51, 8.52, 8.53

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 9 new security fixes for Oracle Siebel CRM. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-5835
Siebel UI Framework HTTP Open_UI Yes 6.8 Network Medium None Partial Partial Partial 8.1.1, 8.2.2
CVE-2013-5761
Siebel Core – Server BizLogic Script HTTP Integration – Scripting Yes 5.8 Network Medium None Partial Partial None 8.1.1, 8.2.2
CVE-2013-3841
Siebel Core – EAI HTTP Web Services Yes 5.0 Network Low None Partial None None 8.1.1, 8.2.2
CVE-2013-5867
Siebel Core – Server Infrastructure HTTP SISNAPI & Network Infrastructu Yes 5.0 Network Low None None None Partial 8.1.1, 8.2.2
CVE-2013-5796
Siebel Core – EAI HTTP Web Services Yes 4.3 Network Medium None None None Partial 8.1.1, 8.2.2
CVE-2013-5769
Siebel Core – EAI HTTP Web Services No 4.0 Network Low Single None None Partial 8.1.1
CVE-2013-3840
Siebel Core – EAI HTTP Web Services No 4.0 Network Low Single Partial None None 8.1.1, 8.2.2
CVE-2013-3832
Siebel Server Remote HTTP File System Management No 4.0 Network Low Single None Partial None 8.1.1, 8.2.2
CVE-2013-5768
Siebel UI Framework HTTP ActiveX Controls No 4.0 Network Low Single None Partial None 8.1.1, 8.2.2

Oracle iLearning Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle iLearning. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle iLearning Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-5822
Oracle iLearning HTTP Learner Administration Yes 6.8 Network Medium None Partial Partial Partial 5.2.1, 6.0
CVE-2013-5845
Oracle iLearning HTTP Learner Administration Yes 4.3 Network Medium None None Partial None 5.2.1, 6.0

Appendix – Oracle Industry Applications

Oracle Industry Applications Executive Summary

This Critical Patch Update contains 6 new security fixes for Oracle Industry Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Industry Applications Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-3814
Oracle Retail Invoice Matching HTTP System Administration No 5.5 Network Low Single Partial+ Partial+ None 10.2, 11.0, 12.0, 12.0IN, 12.1, 13.0, 13.1, 13.2
CVE-2013-5856
Oracle Health Sciences InForm HTTP Web No 3.6 Network High Single Partial Partial None 4.5 SP3, 4.5 SP3a-k, 4.6 SP0, 4.6 SP0a-c, 4.6 SP1, 4.6 SP1a-c, 4.6 SP2, 4.6 SP2a-c, 5.0 SP0, 5.0 SP0a, 5.0 SP1, 5.0 SP1a-b, 5.5 SP0, 5.5 SP0b, 5.5.1, 6.0.0
CVE-2013-5857
Oracle Health Sciences InForm HTTP Web No 3.6 Network High Single Partial Partial None 4.5 SP3, 4.5 SP3a-k, 4.6 SP0, 4.6 SP0a-c, 4.6 SP1, 4.6 SP1a-c, 4.6 SP2, 4.6 SP2a-c, 5.0 SP0, 5.0 SP0a, 5.0 SP1, 5.0 SP1a-b
CVE-2013-5811
Oracle Health Sciences InForm HTTP Web No 3.5 Network Medium Single Partial+ None None 4.5 SP3, 4.5 SP3a-k, 4.6 SP0, 4.6 SP0a-c, 4.6 SP1, 4.6 SP1a-c, 4.6 SP2, 4.6 SP2a-c, 5.0 SP0, 5.0 SP0a, 5.0 SP1, 5.0 SP1a-b
CVE-2013-5762
Oracle Siebel CTMS HTTP SC-OC Integration No 2.4 Local High Single Partial None Partial+ 8.1.1.x
CVE-2013-5837
Oracle Health Sciences InForm None Cognos No 2.1 Network High Single Partial+ None None 4.6 SP0, 4.6 SP0a-c, 4.6 SP1, 4.6 SP1a-c, 4.6 SP2, 4.6 SP2a-c, 5.0 SP0, 5.0 SP0a, 5.0 SP1, 5.0 SP1a-b, 5.0.3, 5.0.4

Appendix – Oracle Financial Services Software

Oracle Financial Services Software Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Financial Services Software. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Financial Services Software Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-2251
Oracle FLEXCUBE Private Banking HTTP Core No 6.0 Network Medium Single Partial+ Partial+ Partial+ 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1 See Note 1

Notes:

  1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.1: CVE-2013-2251, CVE-2013-2248, CVE-2013-2135, and CVE-2013-2134.

Appendix – Oracle Primavera Products Suite

Oracle Primavera Products Suite Executive Summary

This Critical Patch Update contains 2 new security fixes for the Oracle Primavera Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Primavera Products Suite Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-5859
Instantis EnterpriseTrack HTTP Instantis EnterpriseTrack Yes 5.0 Network Low None Partial None None 8.0.6, 8.5
CVE-2013-3766
Primavera P6 Enterprise Project Portfolio Management HTTP Web Access No 4.0 Network Low Single None Partial None 8.1, 8.2, 8.3

Appendix – Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 51 new security fixes for Oracle Java SE. 50 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Partial” instead of “Complete”, lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 release.

My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products that include an Oracle Java SE JDK or JRE.
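The score adjustment described above can be checked against the CVSS v2.0 base equations. The calculator below is an added example, not part of Oracle's advisory or of any Oracle tooling; the metric weights are those of the published CVSS v2.0 specification, and Oracle's "Partial+" rating is given the standard "Partial" weight for scoring. The row strings it checks are the seven CVSS tokens copied from matrix rows on this page.

```python
"""CVSS v2.0 base score calculator (added example, not Oracle's code).

Recomputes the Base Score column of a risk matrix from its Access Vector,
Access Complexity, Authentication and C/I/A columns, and rescores a row
for a non-administrator user (Complete -> Partial impact), which is the
adjustment the Java SE summary above describes (10.0 -> 7.5).
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 equations.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
# Oracle's "Partial+" (partial impact on a wider set of resources) is
# scored with the standard "Partial" weight.
IMPACT = {"None": 0.0, "Partial": 0.275, "Partial+": 0.275, "Complete": 0.660}


def _round1(x: float) -> float:
    """CVSS v2 rounds to one decimal place, half up (not banker's rounding)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """Base score for the six metrics, spelled as in the risk matrices."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def non_admin_score(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """Rescore a row for a user without administrator rights: every
    'Complete' impact becomes 'Partial', as the advisory text states."""
    def downgrade(m: str) -> str:
        return "Partial" if m == "Complete" else m
    return cvss2_base(av, ac, au, downgrade(c), downgrade(i), downgrade(a))


def check_row(metrics: str):
    """Parse the seven CVSS tokens of a matrix row, e.g.
    '6.4 Network Low None Partial None Partial', and return
    (published score, recomputed score) so the two can be compared."""
    tokens = metrics.split()
    # The two-word access vector "Adjacent Network" is not used on this
    # page, but join it so the parser is correct for any CVSS v2 row.
    if len(tokens) == 8 and tokens[1:3] == ["Adjacent", "Network"]:
        tokens = [tokens[0], "Adjacent Network"] + tokens[3:]
    score, av, ac, au, c, i, a = tokens
    return float(score), cvss2_base(av, ac, au, c, i, a)


if __name__ == "__main__":
    # Rows copied from the matrices on this page (constructed test input).
    for row in (
        "10.0 Network Low None Complete Complete Complete",  # Java SE 2D
        "9.0 Network Low Single Complete Complete Complete",  # Java VM, Create Session
        "4.3 Network Medium None None Partial None",         # EM Base Platform
        "1.5 Local Medium Single None None Partial+",        # Outside In Filters
        "6.9 Local Medium None Complete Complete Complete",  # SPARC T4 firmware
    ):
        published, computed = check_row(row)
        print(f"{row:55s} published={published} recomputed={computed}")
    print("10.0 row for a non-admin user:",
          non_admin_score("Network", "Low", "None", "Complete", "Complete", "Complete"))
```

Every published score on this page that the block checks is reproduced exactly, and the non-administrator rescoring of a 10.0 row yields the 7.5 the summary quotes. The same function makes it easy to see why two rows with identical vectors but different "Partial+" and "Partial" impacts carry the same score: the plus only marks scope, not weight.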

Oracle Java SE Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-5782
Java SE, JRockit, Java SE Embedded Multiple 2D Yes 10.0 Network Low None Complete Complete Complete Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier See Note 1
CVE-2013-5830
Java SE, JRockit, Java SE Embedded Multiple Libraries Yes 10.0 Network Low None Complete Complete Complete Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier See Note 1
CVE-2013-5809
Java SE, Java SE Embedded Multiple 2D Yes 10.0 Network Low None Complete Complete Complete Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5829
Java SE, Java SE Embedded Multiple 2D Yes 10.0 Network Low None Complete Complete Complete Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5814
Java SE, Java SE Embedded Multiple CORBA Yes 10.0 Network Low None Complete Complete Complete Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5824
Java SE, Java SE Embedded Multiple Deployment Yes 10.0 Network Low None Complete Complete Complete Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5788
Java SE, Java SE Embedded Multiple Deployment Yes 10.0 Network Low None Complete Complete Complete Java SE 7u40 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5787
Java SE, Java SE Embedded Multiple Deployment Yes 10.0 Network Low None Complete Complete Complete Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5789
Java SE, Java SE Embedded Multiple Deployment Yes 10.0 Network Low None Complete Complete Complete Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5817
Java SE, Java SE Embedded Multiple JNDI Yes 10.0 Network Low None Complete Complete Complete Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5842
Java SE, Java SE Embedded Multiple Libraries Yes 10.0 Network Low None Complete Complete Complete Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5843
Java SE, JavaFX, Java SE Embedded Multiple 2D Yes 10.0 Network Low None Complete Complete Complete Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JavaFX 2.2.40 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5832
Java SE, Java SE Embedded Multiple Deployment Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5850
Java SE, Java SE Embedded Multiple Libraries Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5838
Java SE, Java SE Embedded Multiple Libraries Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u25 and earlier, Java SE Embedded 7u25 and earlier See Note 2
CVE-2013-5805
Java SE, Java SE Embedded Multiple Swing Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u40 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5806
Java SE, Java SE Embedded Multiple Swing Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u40 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5846
Java SE, JavaFX Multiple JavaFX Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u40 and earlier, JavaFX 2.2.40 and earlier See Note 2
CVE-2013-5810
Java SE, JavaFX Multiple JavaFX Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u40 and earlier, JavaFX 2.2.40 and earlier See Note 2
CVE-2013-5844
Java SE, JavaFX Multiple JavaFX Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u40 and earlier, JavaFX 2.2.40 and earlier See Note 2
CVE-2013-5777
Java SE, JavaFX Multiple JavaFX Yes 9.3 Network Medium None Complete Complete Complete Java SE 7u40 and earlier, JavaFX 2.2.40 and earlier See Note 2
CVE-2013-5852
Java SE, Java SE Embedded Multiple Deployment Yes 7.6 Network High None Complete Complete Complete Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier See Note 3
CVE-2013-5802
Java SE, JRockit, Java SE Embedded Multiple JAXP Yes 7.5 Network Low None Partial Partial Partial Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier See Note 1
CVE-2013-5775
Java SE, JavaFX Multiple JavaFX Yes 7.5 Network Low None Partial Partial Partial Java SE 7u40 and earlier, JavaFX 2.2.40 and earlier See Note 2
CVE-2013-5804
Java SE, JRockit HTTP Javadoc Yes 6.4 Network Low None Partial Partial None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier See Note 4
CVE-2013-5812
Java SE, Java SE Embedded Multiple Deployment Yes 6.4 Network Low None Partial None Partial Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-3829
Java SE, Java SE Embedded Multiple Libraries Yes 6.4 Network Low None Partial Partial None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5783
Java SE, Java SE Embedded Multiple Swing Yes 6.4 Network Low None Partial Partial None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5825
Java SE, JRockit, Java SE Embedded Multiple JAXP Yes 5.0 Network Low None None None Partial Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier See Note 1
CVE-2013-4002
Java SE, JRockit, Java SE Embedded Multiple JAXP Yes 5.0 Network Low None None None Partial Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier See Note 1
CVE-2013-5823
Java SE, JRockit, Java SE Embedded Multiple Security Yes 5.0 Network Low None None None Partial Java SE 7u40 and earlier, Java SE 6u60 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier See Note 1
CVE-2013-5778
Java SE, Java SE Embedded Multiple 2D Yes 5.0 Network Low None Partial None None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5801
Java SE, Java SE Embedded Multiple 2D Yes 5.0 Network Low None Partial None None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5776
Java SE, Java SE Embedded Multiple Deployment Yes 5.0 Network Low None None Partial None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5818
Java SE, Java SE Embedded Multiple Deployment Yes 5.0 Network Low None None Partial None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5819
Java SE, Java SE Embedded Multiple Deployment Yes 5.0 Network Low None None Partial None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5831
Java SE, Java SE Embedded Multiple Deployment Yes 5.0 Network Low None None Partial None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5820
Java SE, Java SE Embedded Multiple JAX-WS Yes 5.0 Network Low None None Partial None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5851
Java SE, Java SE Embedded Multiple JAXP Yes 5.0 Network Low None Partial None None Java SE 7u40 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5840
Java SE, Java SE Embedded Multiple Libraries Yes 5.0 Network Low None Partial None None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5774
Java SE, Java SE Embedded Multiple Libraries Yes 5.0 Network Low None None Partial None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5848
Java SE, JavaFX Multiple Deployment Yes 5.0 Network Low None None Partial None Java SE 7u40 and earlier, Java SE 6u60 and earlier, JavaFX 2.2.40 and earlier See Note 2
CVE-2013-5780
Java SE, JRockit, Java SE Embedded Multiple Libraries Yes 4.3 Network Medium None Partial None None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier See Note 1
CVE-2013-5800
Java SE, Java SE Embedded Kerberos JGSS Yes 4.3 Network Medium None Partial None None Java SE 7u40 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5849
Java SE, Java SE Embedded Multiple AWT Yes 4.3 Network Medium None Partial None None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5790
Java SE, Java SE Embedded Multiple BEANS Yes 4.3 Network Medium None Partial None None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5784
Java SE, Java SE Embedded Multiple SCRIPTING Yes 4.3 Network Medium None None Partial None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier See Note 2
CVE-2013-5797
Java SE, JRockit, JavaFX HTTP Javadoc No 3.5 Network Medium Single None Partial None Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, JavaFX 2.2.40 and earlier See Note 4
CVE-2013-5772
Java SE HTTP jhat Yes 2.6 Network High None None Partial None Java SE 7u40 and earlier, Java SE 6u60 and earlier See Note 5
CVE-2013-5803
Java SE, JRockit, Java SE Embedded Kerberos JGSS Yes 2.6 Network High None None None Partial Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier See Note 1
CVE-2013-5854
Java SE, JavaFX Multiple JavaFX Yes 2.6 Network High None Partial None None Java SE 7u40 and earlier, JavaFX 2.2.40 and earlier See Note 2

Notes:

  1. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
  2. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
  3. Applies to installation process on client deployment of Java.
  4. Applies to sites that run the Javadoc tool as a service and then host the resulting documentation. It is recommended that sites filter HTML where it is not explicitly allowed for javadocs.
  5. Applies to the jhat developer tool.

Appendix – Oracle and Sun Systems Products Suite

Oracle and Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 12 new security fixes for the Oracle and Sun Systems Products Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle and Sun Systems Products Suite Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-5781
SPARC Enterprise T4 Servers None Sun System Firmware/Integrated Lights Out Manager (ILOM) No 6.9 Local Medium None Complete Complete Complete Sun System Firmware before 8.3.0.b
CVE-2013-0149
Sun Blade 6000 10GBE switched NEM, Sun Network 10GBE Switch 72P, Oracle Switch OSPF Switch Platform Software Yes 5.8 Network Medium None Partial None Partial Sun Blade 6000 10GBE switched NEM 1.2 prior to Patch 13255101, Sun Network 10GBE Switch 72P 1.2 prior to Patch 13255111, Oracle Switch ES1-24 1.3 prior to Patch 17050841
CVE-2013-5866
Solaris None Kernel No 5.2 Local High None Partial Partial Complete 11.1
CVE-2013-5862
Solaris None CPU performance counters (CPC) drivers No 4.9 Local Low None None None Complete 10, 11.1
CVE-2013-5864
Solaris None USB hub driver No 4.9 Local Low None None None Complete 10, 11.1
CVE-2013-5863
Solaris HTTP IPS repository daemon Yes 4.3 Network Medium None None Partial None 11.1
CVE-2013-5839
Solaris HTTP Oracle Java Web Console Yes 4.3 Network Medium None None Partial None 10
CVE-2013-3837
Solaris SNMP Cacao Yes 4.3 Network Medium None None None Partial 10, 11.1
CVE-2013-5861
Solaris SSL Kernel/KSSL Yes 4.3 Network Medium None None None Partial 11.1
CVE-2013-3838
SPARC Enterprise T & M Series Servers None Sun System Firmware/Hypervisor No 4.0 Local High None None None Complete Sun System Firmware before 6.7.13, 7.4.6.c, 8.3.0.b, 9.0.0.d and 9.0.1.e See Note 1
CVE-2013-3842
Solaris None Oracle Configuration Manager (OCM) No 2.1 Local Low None Partial None None 10
CVE-2013-5865
Solaris None Utility/User administration No 1.7 Local Low Single None None Partial 11.1

Notes:

  1. CVE-2013-3838 applies to Sun System Firmware before 6.7.13 for SPARC T1, 7.4.6.c for SPARC T2, 8.3.0.b for SPARC T3 & T4, 9.0.0.d for SPARC T5 and 9.0.1.e for SPARC M5.

Appendix – Oracle Linux and Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Virtualization. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-3834 Oracle Secure Global Desktop Multiple ttaauxserv Yes 5.0 Network Low None None None Partial 5
CVE-2013-3792 Oracle VM VirtualBox None Core No 3.8 Local High Single None None Complete VirtualBox prior to 3.2.18, 4.0.20, 4.1.28, 4.2.18

Appendix – Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle MySQL. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-2251 MySQL Enterprise Monitor HTTP Service Manager No 8.5 Network Medium Single Complete Complete Complete 2.3.13 and earlier See Note 1
CVE-2013-5807 MySQL Server MySQL Protocol Replication No 4.9 Network Medium Single Partial+ Partial+ None 5.5.32 and earlier, 5.6.12 and earlier
CVE-2013-5786 MySQL Server MySQL Protocol InnoDB No 4.0 Network Low Single None None Partial+ 5.6.12 and earlier
CVE-2012-2750 MySQL Server MySQL Protocol Optimizer No 4.0 Network Low Single None None Partial+ 5.1, 5.5.22 and earlier
CVE-2013-3839 MySQL Server MySQL Protocol Optimizer No 4.0 Network Low Single None None Partial+ 5.1.70 and earlier, 5.5.32 and earlier, 5.6.12 and earlier
CVE-2013-5767 MySQL Server MySQL Protocol Optimizer No 4.0 Network Low Single None None Partial+ 5.6.12 and earlier
CVE-2013-5793 MySQL Server MySQL Protocol InnoDB No 3.5 Network Medium Single None None Partial+ 5.6.12 and earlier
CVE-2013-5770 MySQL Server MySQL Protocol Locking No 2.1 Network High Single None None Partial+ 5.6.11 and earlier

Notes:

  1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.1: CVE-2013-2251, CVE-2013-2248, CVE-2013-2135, and CVE-2013-2134. The CVSS score is 8.5 if MySQL Enterprise Monitor runs with admin or root privileges. The score would be 6.0 if MySQL Enterprise Monitor runs with non-admin privileges and the impact on Confidentiality, Integrity and Availability would be Partial.


Oracle Critical Patch Update Advisory – July 2013

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 89 new security fixes across the product families listed below.

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available at: http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions Patch Availability
Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3 Database
Oracle Database 11g Release 1, version 11.1.0.7 Database
Oracle Database 10g Release 2, versions 10.2.0.4, 10.2.0.5 Database
Oracle Access Manager, versions 11.1.1.5.0 Fusion Middleware
Oracle Endeca Server, versions 7.4.0, 7.5.1.1 Fusion Middleware
Oracle HTTP Server, versions 10.1.3.5.0 Fusion Middleware
Oracle JRockit, versions R27.7.5 and earlier, R28.2.7 and earlier Fusion Middleware
Oracle Outside In Technology, versions 8.3.7, 8.4.0, 8.4.1 Fusion Middleware
Oracle WebCenter Content, versions 10.1.3.5.1, 11.1.1.6.0, 11.1.1.7.0 Fusion Middleware
Oracle Hyperion BI, versions 11.1.1.3, 11.1.1.4.107 and earlier, 11.1.2.1.129 and earlier, 11.1.2.2.305 and earlier Hyperion
Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.2, 12.1.0.3 Enterprise Manager
Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1 Enterprise Manager
Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5 Enterprise Manager
Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3 E-Business Suite
Oracle E-Business Suite Release 11i, version 11.5.10.2 E-Business Suite
Oracle Agile Collaboration Framework, version 9.3.1 Oracle Supply Chain
Oracle Agile PLM Framework, version 9.3.1 Oracle Supply Chain
Oracle Agile Product Framework, version 9.3.1 Oracle Supply Chain
Oracle PeopleSoft Enterprise Portal, version 9.1 PeopleSoft
Oracle PeopleSoft HRMS, version 9.1 PeopleSoft
Oracle PeopleSoft PeopleTools, versions 8.51, 8.52, 8.53 PeopleSoft
Oracle iLearning, versions 5.2.1, 6.0 iLearning
Oracle Policy Automation, versions 10.2.0, 10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2 Oracle Industry Applications Product Suite
Oracle Solaris versions 8, 9, 10, 11.1 Oracle and Sun Systems Product Suite
Oracle Solaris Cluster versions 3.2, 3.3, 4 prior to 4.1 SRU 3 Oracle and Sun Systems Product Suite
Oracle SPARC Enterprise M Series Servers Firmware version XCP 1114 and earlier Oracle and Sun Systems Product Suite
Oracle Secure Global Desktop, versions 4.6 prior to 4.63, 4.7 prior to 4.71 Oracle Linux and Virtualization
Oracle MySQL Server, versions 5.1, 5.5, 5.6 Oracle MySQL Product Suite

Patch Availability Table and Risk Matrices

Products with Cumulative Patches

The Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Industry Applications, FLEXCUBE, Primavera and Oracle VM patches in the Critical Patch Updates are cumulative. In other words, patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates. For more information about cumulative and non-cumulative patches, check the patch availability documents in the table below for the respective product groups.

Patch Availability Table

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update July 2013 Documentation Map, My Oracle Support Note 1563067.1.

Product Group Risk Matrix Patch Availability and Installation Information
Oracle Database Oracle Database Risk Matrix Patch Set Update and Critical Patch Update July 2013 Availability Document, My Oracle Support Note 1548709.1
Oracle Fusion Middleware Oracle Fusion Middleware Risk Matrix Patch Set Update and Critical Patch Update July 2013 Availability Document, My Oracle Support Note 1548709.1
Oracle Hyperion Oracle Hyperion Risk Matrix Patch Set Update and Critical Patch Update July 2013 Availability Document, My Oracle Support Note 1548709.1
Oracle Enterprise Manager Oracle Enterprise Manager Risk Matrix Patch Set Update and Critical Patch Update July 2013 Availability Document, My Oracle Support Note 1548709.1
Oracle Applications – E-Business Suite Oracle Applications, E-Business Suite Risk Matrix Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (July 2013), My Oracle Support Note 1559732.1
Oracle Applications – Oracle Supply Chain, PeopleSoft Enterprise, and iLearning Products Suite Oracle Supply Chain Risk Matrix; Oracle PeopleSoft Enterprise Risk Matrix; Oracle iLearning Products Risk Matrix Critical Patch Update Knowledge Document for Oracle Supply Chain, PeopleSoft Enterprise and iLearning Products suite, My Oracle Support Note 1564896.1
Oracle Policy Automation Industry Suite Oracle Industry Applications Risk Matrix Critical Patch Update July 2013 Patch Availability Document My Oracle Support Note 1566029.1
Oracle and Sun Systems Product Suite Oracle and Sun Systems Products Suite Risk Matrix Critical Patch Update July 2013 Patch Delivery Document for Oracle and Sun Systems Product Suite My Oracle Support Note 1547593.1
Oracle Linux and Virtualization Products Oracle Linux and Virtualization Products Risk Matrix Patch Set Update and Critical Patch Update July 2013 Availability Document, My Oracle Support Note 1564097.1
Oracle MySQL Server Oracle MySQL Risk Matrix Critical Patch Update July 2013 Patch Availability Document for Oracle MySQL Products My Oracle Support Note 1563224.1

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is available here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. Italics indicate vulnerabilities in code included from other product areas.

Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected.
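Every row in the risk matrices above lists the six CVSS 2.0 base metrics (Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability) next to the Base Score Oracle derived from them, and Note 1 of the MySQL matrix shows the same vector scored at 8.5 with Complete impacts and 6.0 with Partial impacts. The following Python is an added example, not Oracle's code or tooling: it implements the published CVSS v2.0 base equation and recomputes the score for rows transcribed from this advisory's matrices, so a reader triaging the advisory can confirm that each listed score follows from the listed metrics and can re-score a row under the privilege-reduced conditions Note 1 describes. The `ADVISORY_ROWS` list is transcribed from this page; the function and constant names are my own.

```python
"""CVSS v2.0 base-score consistency check for Critical Patch Update risk-matrix rows.

Added example, not Oracle's code. Metric weights and the equation are the
published CVSS v2.0 base equation; the rows are transcribed from this
advisory's risk matrices so the computed score can be compared with the
listed "Base Score" column.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 metric weights, keyed by the English values used in Oracle's matrices.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
# Oracle marks some impacts "Partial+" (wider than typical partial impact);
# CVSS v2.0 has no such level, so it is weighted as Partial.
IMPACT = {"None": 0.0, "Partial": 0.275, "Partial+": 0.275, "Complete": 0.660}


def cvss2_base_score(av, ac, au, c, i, a):
    """Return the CVSS v2.0 base score for the six base metrics."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176          # f(Impact) from the v2.0 equation
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    # CVSS v2.0 reports one decimal, rounded half up.
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def row_score(row):
    """Score one matrix row given as a dict of the matrix's metric columns."""
    return cvss2_base_score(row["av"], row["ac"], row["au"], row["c"], row["i"], row["a"])


def verify_rows(rows):
    """Return (cve, listed, computed) for every row whose listed score disagrees
    with the score recomputed from its metrics. An empty list means consistent."""
    mismatches = []
    for row in rows:
        computed = row_score(row)
        if computed != row["score"]:
            mismatches.append((row["cve"], row["score"], computed))
    return mismatches


# Rows transcribed from this advisory's risk matrices (listed Base Score included).
ADVISORY_ROWS = [
    {"cve": "CVE-2013-2251", "score": 8.5, "av": "Network", "ac": "Medium", "au": "Single",
     "c": "Complete", "i": "Complete", "a": "Complete"},
    {"cve": "CVE-2013-3751", "score": 9.0, "av": "Network", "ac": "Low", "au": "Single",
     "c": "Complete", "i": "Complete", "a": "Complete"},
    {"cve": "CVE-2013-3774", "score": 7.6, "av": "Network", "ac": "High", "au": "None",
     "c": "Complete", "i": "Complete", "a": "Complete"},
    {"cve": "CVE-2013-3789", "score": 6.5, "av": "Network", "ac": "Low", "au": "Single",
     "c": "Partial+", "i": "Partial+", "a": "Partial+"},
    {"cve": "CVE-2013-3790", "score": 2.1, "av": "Network", "ac": "High", "au": "Single",
     "c": "None", "i": "Partial", "a": "None"},
    {"cve": "CVE-2013-5781", "score": 6.9, "av": "Local", "ac": "Medium", "au": "None",
     "c": "Complete", "i": "Complete", "a": "Complete"},
    {"cve": "CVE-2013-3792", "score": 3.8, "av": "Local", "ac": "High", "au": "Single",
     "c": "None", "i": "None", "a": "Complete"},
]


def mysql_note1_reduced_score():
    """MySQL Note 1: CVE-2013-2251 with Partial impacts (Monitor running without
    admin/root privileges) instead of Complete."""
    return cvss2_base_score("Network", "Medium", "Single", "Partial", "Partial", "Partial")


if __name__ == "__main__":
    for row in ADVISORY_ROWS:
        print(f'{row["cve"]}: listed {row["score"]}, computed {row_score(row)}')
    print("mismatches:", verify_rows(ADVISORY_ROWS))
    print("CVE-2013-2251 with Partial impacts:", mysql_note1_reduced_score())
```

Re-scoring is useful beyond checking the advisory: a site whose deployment changes one metric (for example a listener not reachable over the network, which turns Access Vector from Network to Local) can plug its own metric values into `cvss2_base_score` for a deployment-specific score, which is the risk analysis the preceding paragraph says Oracle publishes the matrices to enable.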

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update July 2013 Availability Document, My Oracle Support Note 1548709.1.

Critical Patch Update Supported Products and Versions

Critical Patch Update patches are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that Critical Patch Update patches are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, customers are recommended to upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Critical Patch Update patches are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download Critical Patch Update patches for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Adam Willard of Foreground Security; Alexey Tyurin of ERPScan (Digital Security Research Group); Andrea Micalizzi aka rgod, working with HP’s Zero Day Initiative; Ari Rubinstein of Salesforce.com; Balint Varga-Perke of Silent Signal LLC; Borked of the Google Security Team; David Hoyt; Esteban Martinez Fayo of Application Security, Inc.; Jeff Kayser of Jibe Consulting, Inc.; Guy Lichtman of McAfee Security Research; Joonas Kuorilehto of Codenomicon; Masashi Shiraishi of JPCERT/CC Vulnerability Handling Team; Michael Schaefer of Schutzwerk GmbH; Nicolas Grégoire of HP’s Zero Day Initiative; Peter Babel of Schutzwerk GmbH; Richard Warren of NCC Group; Rohan Stelling of BAE Systems Detica; Takahiro Haruyama of Internet Initiative Japan Inc. via JPCERT/CC; and Travis Emmert via iDefense.

Security-In-Depth Contributors

Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Joseph Sheridan of Reactionis; and Shmuel Amar of CyberInt for contributions to Oracle’s Security-In-Depth program.

On-Line Presence Security Contributors

Oracle provides recognition to people that have contributed to our On-Line Presence Security program (see FAQ). People are recognized for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this Quarter, Oracle recognizes Adam Willard of Foreground Security; Bradley Johnson; David Hoyt; Dhaval Chauhan; Issam Rabhi and Imen Essoussi; Kamil Sevi; Madhuri Goud; Mayank Bhatodra; Mirza Akif Israr; Shashank Kumar; Sky_BlaCk; Sunil Dadhich; and Vinesh N. Redkar for contributions to Oracle’s On-Line Presence Security program.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 15 October 2013
  • 14 January 2014
  • 15 April 2014
  • 15 July 2014

Starting with the October 2013 Critical Patch Update, security fixes for Java SE will be released under the normal Critical Patch Update schedule.

References

Modification History

2013-Sep-11 Rev 4. Updated version information for CVE-2013-3755
2013-August-04 Rev 3. Updated credit list
2013-July-24 Rev 2. Updated client only note for CVE-2013-3751
2013-July-16 Rev 1. Initial Release

Appendix – Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 6 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 1 of these fixes is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Oracle Database includes Enterprise Manager Database Control that is affected by some of the vulnerabilities listed in the Oracle Enterprise Manager section. These vulnerabilities are not listed in the Oracle Database risk matrix. Oracle recommends that customers refer to the section, Oracle Enterprise Manager for affected versions of Enterprise Manager Database Control and apply the patches as per the instructions in the Database Section of the Critical Patch Update July 2013 Patch Availability Document for Oracle Products, My Oracle Support Note 1548709.1.

Oracle Database Server Risk Matrix

CVE# Component Protocol Package and/or Privilege Required Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-3751 XML Parser HTTP Create Session No 9.0 Network Low Single Complete Complete Complete 11.2.0.2, 11.2.0.3
CVE-2013-3774 Network Layer Oracle Net None Yes 7.6 Network High None Complete Complete Complete 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3
CVE-2013-3760 Oracle executable Local None No 7.2 Local Low None Complete Complete Complete 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3
CVE-2013-3771 Oracle executable Local None No 7.2 Local Low None Complete Complete Complete 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3
CVE-2013-3789 Core RDBMS Oracle Net Create Session, Create Procedure No 6.5 Network Low Single Partial+ Partial+ Partial+ 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3
CVE-2013-3790 Core RDBMS Oracle Net Privileged Account No 2.1 Network High Single None Partial None 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3

Oracle Database Server Client-Only Installations

The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations:

CVE-2013-3751.

Appendix – Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 21 new security fixes for Oracle Fusion Middleware. 16 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the July 2013 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2013 Patch Availability Document for Oracle Products, My Oracle Support Note 1548709.1.

Oracle Fusion Middleware Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-2461 Oracle JRockit Multiple Yes 7.5 Network Low None Partial Partial Partial R27.7.5 and earlier, R28.2.7 and earlier See Note 1
CVE-2013-3763 Oracle Endeca Server HTTP Software No 5.5 Network Low Single Partial Partial None 7.4.0, 7.5.1.1
CVE-2013-3764 Oracle Endeca Server HTTP Software No 5.5 Network Low Single Partial Partial None 7.4.0, 7.5.1.1
CVE-2013-3770 Oracle WebCenter Content HTTP Content Server No 5.5 Network Low Single Partial Partial None 10.1.3.5.1, 11.1.1.6.0, 11.1.1.7.0
CVE-2010-2068 Oracle HTTP Server HTTP Proxy Plug-In Yes 5.0 Network Low None Partial None None See Note 2
CVE-2007-3847 Oracle HTTP Server HTTP Web Listener Yes 5.0 Network Low None None None Partial See Note 2
CVE-2008-2364 Oracle HTTP Server HTTP Web Listener Yes 5.0 Network Low None None None Partial See Note 2
CVE-2010-0425 Oracle HTTP Server HTTP Web Listener Yes 5.0 Network Low None Partial+ None None 10.1.3.5.0
CVE-2013-3755 Oracle Access Manager HTTP SSO Engine Yes 4.3 Network Medium None None Partial None 11.1.1.5.0
CVE-2006-5752 Oracle HTTP Server HTTP Web Listener Yes 4.3 Network Medium None None Partial None 10.1.3.5.0
CVE-2007-6388 Oracle HTTP Server HTTP Web Listener Yes 4.3 Network Medium None None Partial None 10.1.3.5.0
CVE-2007-5000 Oracle HTTP Server HTTP Web Listener Yes 4.3 Network Medium None None Partial None 10.1.3.5.0
CVE-2012-2687 Oracle HTTP Server HTTP Web Listener Yes 4.3 Network Medium None None Partial None See Note 2
CVE-2011-3348 Oracle HTTP Server HTTP Web Listener Yes 4.3 Network Medium None None None Partial See Note 2
CVE-2011-0419 Oracle HTTP Server HTTP Web Listener Yes 4.3 Network Medium None None None Partial See Note 2
CVE-2005-3352 Oracle HTTP Server HTTP Web Listener Yes 4.3 Network Medium None None Partial None 10.1.3.5.0
CVE-2010-0434 Oracle HTTP Server HTTP Web Listener Yes 4.3 Network Medium None Partial None None 10.1.3.5.0
CVE-2013-3769 Oracle WebCenter Content HTTP Site Studio Yes 4.3 Network Medium None None Partial None 10.1.3.5.1, 11.1.1.6.0, 11.1.1.7.0
CVE-2013-3772 Oracle WebCenter Content HTTP Web Forms Yes 4.3 Network Medium None None Partial None 10.1.3.5.1, 11.1.1.6.0, 11.1.1.7.0
CVE-2013-3781 Oracle Outside In Technology None Outside In Filters No 1.5 Local Medium Single None None Partial+ 8.3.7, 8.4.0, 8.4.1 See Note 3
CVE-2013-3776 Oracle Outside In Technology None Outside In Filters No 1.5 Local Medium Single None None Partial+ 8.3.7, 8.4.0, 8.4.1 See Note 3

Notes:

  1. Oracle released a Java SE Critical Patch Update on June 18, 2013 to address multiple vulnerabilities affecting the Java Runtime Environment. Oracle CVE-2013-2461 refers to the advisories that are applicable to JRockit from the Java SE Critical Patch Update. The CVSS score of this vulnerability CVE# reflects the highest among those fixed in JRockit. The complete list of all vulnerabilities addressed in JRockit under CVE-2013-2461 is as follows: CVE-2013-2461, CVE-2013-2407, CVE-2013-2457, CVE-2013-1571, CVE-2013-2451.
  2. Fixed in all supported releases and patchsets.
  3. Outside In Technology is a suite of software development kits (SDKs). It does not have any particular associated protocol. If the hosting software passes data received over the network to Outside In Technology code, the CVSS Base Score would increase to 6.8.

Appendix – Oracle Hyperion

Oracle Hyperion Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Hyperion. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Hyperion Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-3803 Hyperion BI+ HTTP Intelligence Service No 3.5 Network Medium Single Partial None None 11.1.1.3, 11.1.1.4.107 and earlier, 11.1.2.1.129 and earlier, 11.1.2.2.305 and earlier

Appendix – Oracle Enterprise Manager Grid Control

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Enterprise Manager Grid Control. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2013 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2013 Patch Availability Document for Oracle Products, My Oracle Support Note 1548709.1.

Oracle Enterprise Manager Grid Control Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-3758 Enterprise Manager Base Platform HTTP Schema Management Yes 4.3 Network Medium None None Partial None EM Base Platform: 10.2.0.5, 11.1.0.1; EM DB Control: 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3; EM Plugin for DB: 12.1.0.2, 12.1.0.3
CVE-2013-3791 Enterprise Manager Base Platform HTTP User Interface Framework Yes 4.3 Network Medium None None Partial None EM Base Platform: 10.2.0.5; EM DB Control: 11.1.0.7

Appendix – Oracle Applications

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 7 new security fixes for the Oracle E-Business Suite. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2013 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (July 2013), My Oracle Support Note 1559732.1.

Oracle E-Business Suite Risk Matrix

CVE# Component Protocol Subcomponent Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2013-3756 Oracle Landed Cost Management HTTP Shipment Workbench No 5.5 Network Low Single Partial+ Partial+ None 12.1.1, 12.1.2, 12.1.3
CVE-2013-3767 Oracle Application Object Library HTTP Oracle Access Gate Yes 4.3 Network Medium None None Partial None Access Gate 1.2.1
CVE-2013-3777 Oracle Application Object Library HTTP Signon Yes 4.3 Network Medium None None Partial None 11.5.10.2, 12.0.6, 12.1.3
CVE-2013-3778 Oracle Applications Technology Stack HTTP Help Yes 4.3 Network Medium None None Partial None 12.0.6, 12.1.3
CVE-2013-3788 Oracle iSupplier Portal HTTP Supplier Management Yes 4.3 Network Medium None None Partial None 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3
CVE-2013-3747 Oracle Applications Technology Stack HTTP Client System Analyzer No 4.0 Network Low Single Partial None None 11.5.10.2, 12.0.6, 12.1.3
CVE-2013-3749 Oracle Application Object Library HTTP Logging No 3.5 Network Medium Single Partial None None 11.5.10.2, 12.0.6, 12.1.3

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 4 new security fixes for the Oracle Supply Chain Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

Columns Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-3822 | Oracle Agile PLM Framework | HTTP | Web Client (CS) | Yes | 4.3 | Network | Medium | None | None | Partial | None | 9.3.1 |
CVE-2013-3824 | Oracle Agile Collaboration Framework | HTTP | Manufacturing/Mfg Parts | No | 4.0 | Network | Low | Single | None | Partial | None | 9.3.1 |
CVE-2013-3825 | Oracle Agile Product Collaboration | HTTP | Folders & Files Attachment | No | 4.0 | Network | Low | Single | Partial | None | None | 9.3.1 |
CVE-2013-3823 | Oracle Agile PLM Framework | HTTP | Security | No | 3.5 | Network | Medium | Single | Partial | None | None | 9.3.1 |

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 10 new security fixes for Oracle PeopleSoft Products. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

Columns Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-3800 | PeopleSoft Enterprise PeopleTools | HTTP | Business Interlinks | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 8.51, 8.52, 8.53 |
CVE-2013-3821 | PeopleSoft Enterprise PeopleTools | HTTP | Integration Broker | Yes | 6.4 | Network | Low | None | Partial | None | Partial | 8.51, 8.52, 8.53 |
CVE-2013-3819 | PeopleSoft Enterprise PeopleTools | HTTP | Mobile Applications | Yes | 6.4 | Network | Low | None | Partial | None | Partial | 8.51, 8.52, 8.53 |
CVE-2013-3784 | PeopleSoft Enterprise HRMS | HTTP | Time and Labor | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.1 |
CVE-2013-3820 | PeopleSoft Enterprise PeopleTools | HTTP | Business Interlink | Yes | 5.0 | Network | Low | None | None | None | Partial | 8.51, 8.52, 8.53 |
CVE-2013-3761 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | Yes | 4.3 | Network | Medium | None | None | Partial | None | Portal 9.1, PeopleTools 8.52 |
CVE-2013-3759 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Search Functionality | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.52, 8.53 |
CVE-2013-3818 | PeopleSoft Enterprise PeopleTools | HTTP | Portal | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.51, 8.52, 8.53 |
CVE-2013-3768 | PeopleSoft Enterprise PeopleTools | HTTP | Rich Text Editor | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.51, 8.52, 8.53 |
CVE-2013-3780 | PeopleSoft Enterprise Portal | HTTP | Saved Search | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1 |

Oracle iLearning Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle iLearning Risk Matrix

Columns Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-3775 | Oracle iLearning | HTTP | Learner Pages | Yes | 4.3 | Network | Medium | None | None | Partial | None | 5.2.1, 6.0 |

Appendix – Oracle Industry Applications

Oracle Industry Applications Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Industry Applications. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without a username and password. The English text form of this Risk Matrix can be found here.

Oracle Industry Applications Risk Matrix

Columns Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-3816 | Oracle Policy Automation | Multiple | Determinations Engine | No | 4.0 | Network | Low | Single | Partial+ | None | None | 10.2.0, 10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2 |

Appendix – Oracle and Sun Systems Products Suite

Oracle and Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 16 new security fixes for the Oracle and Sun Systems Products Suite. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle and Sun Systems Products Suite Risk Matrix

Columns Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-3753 | Solaris | TCP/IP | Kernel/STREAMS framework | Yes | 7.8 | Network | Low | None | None | None | Complete | 11 |
CVE-2013-3748 | Solaris | iSCSI/iSER | Driver/IDM (iSCSI Data Mover) | Yes | 7.8 | Network | Low | None | None | None | Complete | 11 |
CVE-2013-3750 | Solaris | None | Kernel/VM | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 11 | See Note 1
CVE-2013-3754 | Solaris Cluster | None | HA for TimesTen | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.3 |
CVE-2013-3746 | Solaris Cluster | None | Zone Cluster Infrastructure | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.2, 3.3, 4 prior to 4.1 SRU 3 |
CVE-2013-3757 | Solaris | NFS | SMF/File Locking Services | Yes | 6.4 | Network | Low | None | None | Partial | Partial | 8, 9, 10, 11 |
CVE-2013-3786 | Solaris | None | Kernel | No | 6.0 | Local | High | Single | Complete | Complete | Complete | 9, 10, 11 |
CVE-2013-3813 | Solaris | NFSv2 | Libraries/PAM-Unix | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 10 |
CVE-2013-3773 | SPARC Enterprise M Series Servers | HTTP | XSCF Control Package (XCP) | Yes | 5.0 | Network | Low | None | None | None | Partial | XCP 1114 and earlier |
CVE-2013-0398 | Solaris | TCP/IP | Utility/Remote Execution Server (in.rexecd) | Yes | 5.0 | Network | Low | None | Partial | None | None | 8, 9, 10, 11 |
CVE-2013-3799 | Solaris | None | Kernel | No | 4.9 | Local | Low | None | None | None | Complete | 10, 11 | See Note 2
CVE-2013-3765 | Solaris | None | Kernel/VM | No | 4.9 | Local | Low | None | None | None | Complete | 11 |
CVE-2013-3797 | Solaris | None | Filesystem/DevFS | No | 4.7 | Local | Medium | None | None | None | Complete | 11 |
CVE-2013-3752 | Solaris | NDMP | Service Management Facility (SMF) | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11 |
CVE-2013-3787 | Solaris | SCTP | Kernel | Yes | 4.3 | Network | Medium | None | None | None | Partial | 10, 11 |
CVE-2013-3745 | Solaris | None | Libraries/Libc | No | 2.1 | Local | Low | None | None | None | Partial+ | 8, 9, 10, 11 |

Notes:

  1. CVE-2013-3750 occurs only when Solaris is running on X86 platform.
  2. CVE-2013-3799 occurs only when Solaris is running on AMD64 platform.

Appendix – Oracle Linux and Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Virtualization. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

Columns Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-3779 | Secure Global Desktop | HTTP | Web UI | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | All 4.6 releases including 4.63, 4.7 prior to 4.71 |
CVE-2013-3782 | Secure Global Desktop | HTTP | Web UI | Yes | 4.3 | Network | Medium | None | None | Partial | None | 4.6 prior to 4.63, 4.7 prior to 4.71 |

Appendix – Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 18 new security fixes for Oracle MySQL. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

Columns Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-1861 | MySQL Server | MySQL Protocol | GIS | No | 6.8 | Network | Low | Single | None | None | Complete | 5.1.69 and earlier, 5.5.31 and earlier, 5.6.11 and earlier |
CVE-2013-3798 | MySQL Server | MySQL Protocol | MemCached | Yes | 5.8 | Network | Medium | None | None | Partial | Partial+ | 5.6.11 and earlier |
CVE-2013-3809 | MySQL Server | MySQL Protocol | Audit Log | No | 4.0 | Network | Low | Single | None | Partial | None | 5.5.31 and earlier, 5.6.11 and earlier |
CVE-2013-3793 | MySQL Server | MySQL Protocol | Data Manipulation Language | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.31 and earlier, 5.6.11 and earlier |
CVE-2013-3795 | MySQL Server | MySQL Protocol | Data Manipulation Language | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.11 and earlier |
CVE-2013-3802 | MySQL Server | MySQL Protocol | Full Text Search | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.69 and earlier, 5.5.31 and earlier, 5.6.11 and earlier |
CVE-2013-3806 | MySQL Server | MySQL Protocol | InnoDB | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.11 and earlier |
CVE-2013-3805 | MySQL Server | MySQL Protocol | Prepared Statements | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.30 and earlier, 5.6.10 |
CVE-2013-3804 | MySQL Server | MySQL Protocol | Server Optimizer | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.69 and earlier, 5.5.31 and earlier, 5.6.11 and earlier |
CVE-2013-3796 | MySQL Server | MySQL Protocol | Server Optimizer | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.11 and earlier |
CVE-2013-3808 | MySQL Server | MySQL Protocol | Server Options | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.68 and earlier, 5.5.30 and earlier, 5.6.10 |
CVE-2013-3801 | MySQL Server | MySQL Protocol | Server Options | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.30 and earlier, 5.6.10 |
CVE-2013-3783 | MySQL Server | MySQL Protocol | Server Parser | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.31 and earlier |
CVE-2013-3794 | MySQL Server | MySQL Protocol | Server Partition | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.30 and earlier, 5.6.10 |
CVE-2013-3807 | MySQL Server | MySQL Protocol | Server Privileges | Yes | 4.0 | Network | High | None | Partial | Partial | None | 5.6.11 and earlier |
CVE-2013-3811 | MySQL Server | MySQL Protocol | InnoDB | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.11 and earlier |
CVE-2013-3812 | MySQL Server | MySQL Protocol | Server Replication | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.5.31 and earlier, 5.6.11 and earlier |
CVE-2013-3810 | MySQL Server | MySQL Protocol | XA Transactions | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.11 and earlier |
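Every risk matrix in this advisory lists a CVSS Version 2.0 base score next to the six metric values it was derived from, and a "Remote Exploit without Auth.?" flag that, in Oracle's usage, is Yes exactly when Access Vector is Network and Authentication is None. Both are worth recomputing when you import an advisory into a tracker, because a transcription error in one cell silently changes priority. The following is an added example, not Oracle's code or any tool the advisory references; it uses the published CVSS v2.0 base equation and constants, handles Oracle's "Partial+" notation (scored as Partial), and runs over a constructed, pipe-delimited sample of rows copied from the matrices above. The helper names (`cvss2_base`, `audit`) are this example's own.

```python
# Added example: recompute CVSS v2.0 base scores and the remote-without-auth
# flag for rows of the Oracle risk matrices, flagging any row that disagrees.
# Not Oracle's code; constants are the CVSS v2.0 base equation weights.
import math

AV = {"Local": 0.395, "Adjacent": 0.646, "Network": 1.0}
AC = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AU = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def round1(x):
    """CVSS v2 rounds to one decimal, half up; Python's round() is half-even."""
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base(av, ac, au, c, i, a):
    """CVSS v2.0 base score. Oracle's 'Partial+' is scored as Partial."""
    ci, ii, ai = (IMPACT[m.rstrip("+")] for m in (c, i, a))
    impact = 10.41 * (1 - (1 - ci) * (1 - ii) * (1 - ai))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def remote_unauth(av, au):
    """Oracle's 'Remote Exploit without Auth.?' is Yes iff AV=Network and Au=None."""
    return av == "Network" and au == "None"


# Constructed sample: rows transcribed from the matrices above, one per line.
# Fields: CVE|Component|Protocol|Sub-component|Remote?|Score|AV|AC|Au|C|I|A|Versions
ROWS = """\
CVE-2013-3756|Oracle Landed Cost Management|HTTP|Shipment Workbench|No|5.5|Network|Low|Single|Partial+|Partial+|None|12.1.1, 12.1.2, 12.1.3
CVE-2013-3767|Oracle Application Object Library|HTTP|Oracle Access Gate|Yes|4.3|Network|Medium|None|None|Partial|None|Access Gate 1.2.1
CVE-2013-3800|PeopleSoft Enterprise PeopleTools|HTTP|Business Interlinks|Yes|6.4|Network|Low|None|Partial|Partial|None|8.51, 8.52, 8.53
CVE-2013-3753|Solaris|TCP/IP|Kernel/STREAMS framework|Yes|7.8|Network|Low|None|None|None|Complete|11
CVE-2013-3750|Solaris|None|Kernel/VM|No|7.2|Local|Low|None|Complete|Complete|Complete|11
CVE-2013-3786|Solaris|None|Kernel|No|6.0|Local|High|Single|Complete|Complete|Complete|9, 10, 11
CVE-2013-3745|Solaris|None|Libraries/Libc|No|2.1|Local|Low|None|None|None|Partial+|8, 9, 10, 11
CVE-2013-3779|Secure Global Desktop|HTTP|Web UI|Yes|7.5|Network|Low|None|Partial|Partial|Partial|All 4.6 releases including 4.63, 4.7 prior to 4.71
CVE-2013-1861|MySQL Server|MySQL Protocol|GIS|No|6.8|Network|Low|Single|None|None|Complete|5.1.69 and earlier, 5.5.31 and earlier, 5.6.11 and earlier
CVE-2013-3807|MySQL Server|MySQL Protocol|Server Privileges|Yes|4.0|Network|High|None|Partial|Partial|None|5.6.11 and earlier
CVE-2013-3811|MySQL Server|MySQL Protocol|InnoDB|No|3.5|Network|Medium|Single|None|None|Partial+|5.6.11 and earlier
"""


def audit(table):
    """Return (cve, problem) pairs for rows whose listed score or flag disagrees
    with the metric columns. An empty list means the table is self-consistent."""
    problems = []
    for line in table.strip().splitlines():
        f = [x.strip() for x in line.split("|")]
        cve, remote, listed = f[0], f[4], float(f[5])
        av, ac, au, c, i, a = f[6:12]
        computed = cvss2_base(av, ac, au, c, i, a)
        if computed != listed:
            problems.append((cve, f"score {listed} listed, {computed} computed"))
        if (remote == "Yes") != remote_unauth(av, au):
            problems.append((cve, "remote-without-auth flag inconsistent with AV/Au"))
    return problems


if __name__ == "__main__":
    for cve, problem in audit(ROWS) or [("(all rows)", "consistent")]:
        print(cve, problem)
```

Feeding the full matrices through `audit` is the check to run before trusting a scraped copy of the advisory; the same function catches a score that was edited in transit, since the metric columns and the score must agree.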
