Oracle Critical Patch Update Advisory – April 2018

Oracle Database Server Risk Matrix

This Critical Patch Update contains 2 new security fixes for the Oracle Database Server divided as follows:

  • 1 new security fix for the Oracle Database Server. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. This fix is not applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
  • 1 new security fix for Oracle GoldenGate. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Component Package and/or Privilege Required Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2018-2841 Java VM Create Session, Create Procedure Multiple No 8.5 Network High Low None Changed High High High 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1.0.0

This Critical Patch Update contains 1 new security fix for Oracle GoldenGate. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Component Package and/or Privilege Required Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2018-2832 Oracle GoldenGate None HTTP Yes 8.6 Network Low None None Changed High None None 12.2.0.1

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 9 new security fixes for Oracle Communications Applications. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2017-5645 Oracle Communications Network Intelligence Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 7.3.x
CVE-2017-5645 Oracle Communications Unified Inventory Management Logging (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 7.x
CVE-2017-15095 Oracle Communications Calendar Server WCAP (jackson-databind) WCAP Yes 8.1 Network High None None Un-

changed
High High High 8.x
CVE-2017-15095 Oracle Communications Contacts Server REST (jackson-databind) RESTful Addressbook Protocol Yes 8.1 Network High None None Un-

changed
High High High 8.x
CVE-2016-6304 Oracle Communications EAGLE LNP Application Processor Security (OpenSSL) TLS Yes 7.5 Network Low None None Un-

changed
None None High 10.1.0.0.0 and Prior
CVE-2017-7805 Oracle Communications Messaging Server Security (NSS) TLS No 7.5 Network High Low None Un-

changed
High High High 8.x
CVE-2017-5662 Oracle Communications MetaSolv Solution Print Preview (Apache Batik) HTTP No 7.3 Network Low Low Required Un-

changed
High None High 6.3.0
CVE-2018-2756 Oracle Communications Order and Service Management WebUI HTTP No 6.3 Network Low Low Required Un-

changed
High Low None 7.2.4.3.0, 7.3.0.1.x, 7.3.1.0.7, 7.3.5.0.x
CVE-2017-3736 Oracle Communications Network Charging and Control Common (OpenSSL) TLS Yes 5.9 Network High None None Un-

changed
High None None 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0

Additional CVEs addressed are below:

  • The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309 and CVE-2016-7052.
  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.
  • The fix for CVE-2017-3736 also addresses CVE-2017-3735.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 4 new security fixes for the Oracle Construction and Engineering Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2017-12617 Instantis EnterpriseTrack Web Server (Apache Tomcat) HTTP Yes 8.1 Network High None None Un-

changed
High High High 17.1, 17.2
CVE-2017-15095 Primavera Unifier Core (jackson-databind) HTTP Yes 8.1 Network High None None Un-

changed
High High High 16.x, 17.x
CVE-2018-2849 Primavera P6 Enterprise Project Portfolio Management Web Access HTTP No 7.7 Network Low Low None Changed High None None 16.2, 17.1 – 17.12
CVE-2017-5662 Instantis EnterpriseTrack Sitewand (Apache Batik) HTTP No 7.3 Network Low Low Required Un-

changed
High None High 17.1, 17.2

Additional CVEs addressed are below:

  • The fix for CVE-2017-12617 also addresses CVE-2017-5664.
  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 12 new security fixes for the Oracle E-Business Suite. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2018), My Oracle Support Note 2369524.1.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2018-2870 Oracle Human Resources General Utilities HTTP Yes 9.1 Network Low None None Un-

changed
High High None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2871 Oracle Human Resources General Utilities HTTP Yes 9.1 Network Low None None Un-

changed
High High None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2804 Oracle Application Object Library DB Privileges HTTP Yes 7.4 Network High None None Un-

changed
High High None 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2864 Oracle Application Object Library Diagnostics HTTP Yes 5.3 Network Low None None Un-

changed
Low None None 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2867 Oracle Application Object Library Diagnostics HTTP Yes 5.3 Network Low None None Un-

changed
Low None None 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2872 Oracle General Ledger Account Hierarchy Manager HTTP Yes 5.3 Network Low None None Un-

changed
Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2873 Oracle General Ledger Account Hierarchy Manager HTTP Yes 5.3 Network Low None None Un-

changed
Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2865 Oracle General Ledger Consolidation Hierarchy Viewer HTTP Yes 5.3 Network Low None None Un-

changed
Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2866 Oracle General Ledger Consolidation Hierarchy Viewer HTTP Yes 5.3 Network Low None None Un-

changed
Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2868 Oracle Human Resources General Utilities HTTP Yes 5.3 Network Low None None Un-

changed
Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2869 Oracle Human Resources General Utilities HTTP Yes 5.3 Network Low None None Un-

changed
Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2874 Oracle Application Object Library Logging None No 4.3 Physical Low None Required Un-

changed
High None None 12.1.3

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 10 new security fixes for the Oracle Enterprise Manager Products Suite. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2353306.1.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2017-5645 Enterprise Manager Ops Center Networking (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 12.2.2, 12.3.3
CVE-2017-5645 Oracle Application Testing Suite Load Testing for Web Apps (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 12.5.0.3, 13.1.0.1, 13.2.0.1
CVE-2015-7501 Enterprise Manager for MySQL Database EM Plugin: General (Apache Commons Collections) HTTP No 8.8 Network Low Low None Un-

changed
High High High 12.1.0.4
CVE-2016-0635 Enterprise Manager for MySQL Database EM Plugin: General (Spring Framework) HTTP No 8.8 Network Low Low None Un-

changed
High High High 12.1.0.4
CVE-2017-15095 Enterprise Manager for Virtualization Generic Virtualization (jackson-databind) HTTP Yes 8.1 Network High None None Un-

changed
High High High 13.2
CVE-2017-5664 Enterprise Manager for MySQL Database EM Plugin: General (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-

changed
None High None 12.1.0.4
CVE-2018-2742 Enterprise Manager Ops Center Framework HTTP Yes 7.3 Network Low None None Un-

changed
Low Low Low 12.2.2, 12.3.3
CVE-2018-2750 Enterprise Manager Base Platform UI Framework HTTP Yes 7.1 Network Low None Required Changed Low Low Low 12.1.0.5
CVE-2017-3736 Enterprise Manager Base Platform Discovery Framework (OpenSSL) HTTPS Yes 5.9 Network High None None Un-

changed
High None None 12.1.0.5, 13.2.0.0
CVE-2017-3736 Enterprise Manager Ops Center Networking (OpenSSL) HTTPS Yes 5.9 Network High None None Un-

changed
High None None 12.2.2, 12.3.3

Additional CVEs addressed are below:

  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.
  • The fix for CVE-2017-3736 also addresses CVE-2017-3735.
  • The fix for CVE-2017-5664 also addresses CVE-2017-12617.
  • The fix for CVE-2018-2742 also addresses CVE-2016-3092, CVE-2017-10393 and CVE-2017-10400.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 36 new security fixes for Oracle Financial Services Applications. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The “Oracle Financial Services Analytical Applications Infrastructure” is a component that is used by a number of Oracle Financial Services Applications. Customers should refer to the MOS Note (Doc ID 2380553.1) to determine the dependent products and refer Oracle Financial Services Analytical Applications Infrastructure MOS document to determine how to patch this component.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2018-7489 Oracle Financial Services Analytical Applications Infrastructure Infrastructure (jackson-databind) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 8.0.x See Note 1
CVE-2018-7489 Oracle Financial Services Hedge Management and IFRS Valuations Hedge Definition, Valuation-run definition (jackson-databind) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 8.0.4, 8.0.5
CVE-2018-7489 Oracle Financial Services Market Risk Measurement and Management Infrastructure (jackson-databind) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 8.0.5
CVE-2017-5645 Oracle FLEXCUBE Core Banking Securities (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 11.5.0, 11.6.0, 11.7.0
CVE-2017-5645 Oracle FLEXCUBE Private Banking Core (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 12.0.0, 12.1.0
CVE-2017-15095 Oracle Banking Enterprise Collections Infrastructure (jackson-databind) HTTP Yes 8.1 Network High None None Un-

changed
High High High 2.6
CVE-2017-15095 Oracle Banking Enterprise Originations Infrastructure (jackson-databind) HTTP Yes 8.1 Network High None None Un-

changed
High High High 2.6
CVE-2017-15095 Oracle Banking Enterprise Product Manufacturing Infrastructure (jackson-databind) HTTP Yes 8.1 Network High None None Un-

changed
High High High 2.6
CVE-2017-15095 Oracle Banking Platform Infrastructure (jackson-databind) HTTP Yes 8.1 Network High None None Un-

changed
High High High 2.4, 2.5, 2.6
CVE-2017-12617 Oracle Financial Services Analytical Applications Infrastructure Infrastructure (Apache Tomcat) HTTP Yes 8.1 Network High None None Un-

changed
High High High 7.3.x, 8.0.x See Note 1
CVE-2018-2855 Oracle Financial Services Basel Regulatory Capital Basic Portfolio, Attribution HTTP No 8.1 Network Low Low None Un-

changed
High High None 8.0.x
CVE-2018-2856 Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach Portfolio, Attribution HTTP No 8.1 Network Low Low None Un-

changed
High High None 8.0.x
CVE-2017-5662 Oracle Financial Services Analytical Applications Infrastructure Link Analysis and Metadata browser (Apache Batik) HTTP No 7.3 Network Low Low Required Un-

changed
High None High 7.3.x, 8.0.x See Note 1
CVE-2018-2746 Oracle Banking Corporate Lending Core module HTTP No 7.1 Network Low Low None Un-

changed
High Low None 12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2746 Oracle Banking Payments Payments Core HTTP No 7.1 Network Low Low None Un-

changed
High Low None 12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2746 Oracle FLEXCUBE Enterprise Limits and Collateral Management Infrastructure HTTP No 7.1 Network Low Low None Un-

changed
High Low None 12.3.0, 14.0.0
CVE-2018-2746 Oracle FLEXCUBE Investor Servicing Infrastructure HTTP No 7.1 Network Low Low None Un-

changed
High Low None 12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2746 Oracle FLEXCUBE Universal Banking Infrastructure HTTP No 7.1 Network Low Low None Un-

changed
High Low None 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0
CVE-2018-2747 Oracle Banking Corporate Lending Core module HTTP No 6.5 Network Low Low None Un-

changed
High None None 12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2747 Oracle Banking Payments Payments Core HTTP No 6.5 Network Low Low None Un-

changed
High None None 12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2747 Oracle FLEXCUBE Enterprise Limits and Collateral Management Infrastructure HTTP No 6.5 Network Low Low None Un-

changed
High None None 12.3.0, 14.0.0
CVE-2018-2747 Oracle FLEXCUBE Investor Servicing Infrastructure HTTP No 6.5 Network Low Low None Un-

changed
High None None 12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2747 Oracle FLEXCUBE Universal Banking Infrastructure HTTP No 6.5 Network Low Low None Un-

changed
High None None 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0
CVE-2018-2748 Oracle Banking Corporate Lending Core module HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2748 Oracle Banking Payments Payments Core HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2854 Oracle Financial Services Basel Regulatory Capital Basic Portfolio, Attribution HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.0.x
CVE-2018-2859 Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach Portfolio, Attribution HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.0.x
CVE-2018-2807 Oracle FLEXCUBE Core Banking Securities HTTP Yes 6.1 Network Low None Required Changed Low Low None 11.5.0, 11.6.0, 11.7.0
CVE-2018-2748 Oracle FLEXCUBE Enterprise Limits and Collateral Management Infrastructure HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.3.0, 14.0.0
CVE-2018-2748 Oracle FLEXCUBE Investor Servicing Infrastructure HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2748 Oracle FLEXCUBE Universal Banking Infrastructure HTTP Yes 6.1 Network Low None Required Changed Low Low None 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0
CVE-2018-2749 Oracle Banking Corporate Lending Core module HTTP No 5.4 Network Low Low Required Changed Low Low None 12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2749 Oracle Banking Payments Payments Core HTTP No 5.4 Network Low Low Required Changed Low Low None 12.3.0, 12.4.0, 12.5.0, 14.0.0
CVE-2018-2749 Oracle FLEXCUBE Enterprise Limits and Collateral Management Infrastructure HTTP No 5.4 Network Low Low Required Changed Low Low None 12.3.0, 14.0.0
CVE-2018-2749 Oracle FLEXCUBE Investor Servicing Infrastructure HTTP No 5.4 Network Low Low Required Changed Low Low None 12.0.4, 12.1.0, 12.3.0, 12.4.0
CVE-2018-2749 Oracle FLEXCUBE Universal Banking Infrastructure HTTP No 5.4 Network Low Low Required Changed Low Low None 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0

Notes:

  1. Please refer MOS document (Doc ID 2380553.1) for applicability across other Oracle Financial Services products.

Additional CVEs addressed are below:

  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.
  • The fix for CVE-2018-7489 also addresses CVE-2017-15095 and CVE-2017-7525.

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 40 new security fixes for Oracle Fusion Middleware. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2018 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2353306.1.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2017-5645 Oracle Big Data Discovery Data Processing (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 1.6.0
CVE-2017-5645 Oracle Business Intelligence Data Warehouse Administration Console DAC Installation (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 11.1.1.6.4
CVE-2017-5645 Oracle Endeca Information Discovery Integrator Integrator Acquisition System (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 3.1, 3.2
CVE-2017-5645 Oracle Endeca Server Product Code (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 7.7
CVE-2017-5645 Oracle Enterprise Repository Core Issues – 12c (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 11.1.1.7.0, 12.1.3.0.0
CVE-2017-5645 Oracle Enterprise Repository Security Subsystem (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 11.1.1.7.0, 12.1.3.0.0
CVE-2016-5019 Oracle Fusion Middleware MapViewer Tile Server (Apache MyFaces Trinidad) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 11.1.1.7.0, 11.1.1.9.0
CVE-2017-5645 Oracle Managed File Transfer MFT Runtime Server (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2017-5645 Oracle WebCenter Portal Security Framework (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 12.2.1.2.0, 12.2.1.3.0
CVE-2017-5645 Oracle WebLogic Server WL Diagnostics Framework (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-2628 Oracle WebLogic Server WLS Core Components T3 Yes 9.8 Network Low None None Un-

changed
High High High 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2016-6814 Oracle Big Data Discovery Data Processing (Apache Groovy) HTTP Yes 9.6 Network Low None Required Changed High High High 1.6.0
CVE-2018-2739 Oracle Access Manager Web Server Plugin HTTP Yes 9.3 Network Low None Required Changed High High None 10.1.4.3.0, 11.1.2.3.0, 12.2.1.3.0
CVE-2018-2879 Oracle Access Manager Authentication Engine HTTP Yes 9.0 Network High None None Changed High High High 11.1.2.3.0, 12.2.1.3.0 See Note 1
CVE-2015-7501 Oracle Business Intelligence Enterprise Edition Security (Apache Commons Collections) HTTP No 8.8 Network Low Low None Un-

changed
High High High 11.1.1.7.0, 11.1.1.9.0
CVE-2015-7501 Oracle GoldenGate Veridata None (Apache Commons Collections) HTTP No 8.8 Network Low Low None Un-

changed
High High High 11.2.0.1.2, 12.1.3.0.0
CVE-2015-7501 Oracle WebLogic Portal – (Apache Commons Collections) HTTP No 8.8 Network Low Low None Un-

changed
High High High 10.3.6.0.0
CVE-2015-7501 Real-Time Decisions (RTD) Solutions Configuration (Apache Commons Collections) HTTP No 8.8 Network Low Low None Un-

changed
High High High 3.2.0.0.0
CVE-2018-2834 Oracle Data Visualization Desktop Security HTTP No 8.5 Local Low None Required Changed Low High High 12.2.4.1.1 See Note 2
CVE-2018-2828 Oracle WebCenter Content Content Server HTTP No 8.2 Network Low Low Required Changed High Low Low 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-2791 Oracle WebCenter Sites Advanced UI HTTP Yes 8.2 Network Low None Required Changed High Low None 11.1.1.8.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2017-12617 Management Pack for Oracle GoldenGate Monitor (Apache Tomcat) HTTP Yes 8.1 Network High None None Un-

changed
High High High 11.2.1.0.13
CVE-2017-15095 Oracle WebCenter Portal Security Framework (jackson-databind) HTTP Yes 8.1 Network High None None Un-

changed
High High High 12.2.1.2.0, 12.2.1.3.0
CVE-2017-12617 Oracle WebCenter Sites Advanced UI (Apache Tomcat) HTTP Yes 8.1 Network High None None Un-

changed
High High High 11.1.1.8.0
CVE-2017-7525 Oracle WebLogic Server Sample apps (jackson-databind) HTTP Yes 8.1 Network High None None Un-

changed
High High High 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE-2018-2770 Oracle Adaptive Access Manager OAAM Admin HTTP No 7.6 Network Low Low Required Changed High Low None 11.1.2.3.0
CVE-2015-7940 Oracle Mobile Security Suite LEGACY: BMAX (Bouncy Castle Java package) HTTP Yes 7.5 Network Low None None Un-

changed
High None None 3.0.1
CVE-2018-2765 Oracle Security Service Oracle SSL API HTTPS Yes 7.5 Network Low None None Un-

changed
High None None 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2016-3092 Oracle WebCenter Sites Advanced UI (Apache Commons Fileupload) HTTP Yes 7.5 Network Low None None Un-

changed
None None High 11.1.1.8.0, 12.2.1.2.0
CVE-2015-7940 Oracle WebLogic Server CIE Related Components (Bouncy Castle Java package) HTTP Yes 7.5 Network Low None None Un-

changed
High None None 12.1.3.0, 12.2.1.2
CVE-2017-5662 Oracle Business Intelligence Enterprise Edition BI Platform Security (Apache Batik) HTTP No 7.3 Network Low Low Required Un-

changed
High None High 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2017-5662 Oracle Enterprise Repository Security Subsystem (Apache Batik) HTTP No 7.3 Network Low Low Required Un-

changed
High None High 11.1.1.7.0, 12.1.3.0.0
CVE-2013-1768 Oracle WebLogic Server WLS Security (Apache OpenJPA) HTTP Yes 7.3 Network Low None None Un-

changed
Low Low Low 12.2.1.3
CVE-2018-2768 Oracle Outside In Technology Outside In Filters HTTP Yes 7.1 Network Low None Required Un-

changed
High None Low 8.5.3 See Note 3
CVE-2018-2806 Oracle Outside In Technology Outside In Filters HTTP Yes 7.1 Network Low None Required Un-

changed
High None Low 8.5.3 See Note 3
CVE-2018-2801 Oracle Outside In Technology Outside In Image Export SDK HTTP Yes 7.1 Network Low None Required Un-

changed
High None Low 8.5.3 See Note 3
CVE-2018-2587 Oracle Access Manager Web Server Plugin HTTP Yes 6.5 Network High None None Un-

changed
Low High None 10.1.4.3.0, 11.1.2.3.0, 12.2.1.3.0
CVE-2017-3736 Oracle Endeca Information Discovery Studio Endeca Server (OpenSSL) HTTPS Yes 5.9 Network High None None Un-

changed
High None None 7.6.1.0.0, 7.7.0.0.0
CVE-2018-2760 Oracle HTTP Server OSSL Module HTTPS Yes 5.9 Network High None None Un-

changed
High None None 12.1.3, 12.2.1.2
CVE-2017-3736 Oracle Tuxedo Docs-ATMI-IB (OpenSSL) HTTPS Yes 5.9 Network High None None Un-

changed
High None None 12.1.1.0.0

Notes:

  1. Please refer to Doc ID My Oracle Support Note 2386496.1 for instructions on how to address this issue.
  2. Please refer to Doc ID My Oracle Support Note 2384640.1 for instructions on how to address this issue.
  3. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

  • The fix for CVE-2017-12617 also addresses CVE-2016-3092, CVE-2016-8745, CVE-2017-5664 and CVE-2017-7674.
  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.
  • The fix for CVE-2017-3736 also addresses CVE-2017-3735, CVE-2017-3737 and CVE-2017-3738.
  • The fix for CVE-2017-7525 also addresses CVE-2017-15707.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 13 new security fixes for Oracle Hospitality Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2018-2829 Oracle Hospitality Simphony Enterprise Management Console HTTP Yes 8.6 Network Low None None Un-

changed
High Low Low 2.10
CVE-2017-13082 MICROS Handheld Terminal MC40 Zebra Handheld unit (Fusion) WPA, WPA2 Yes 8.1 Adjacent

Network
Low None None Un-

changed
High High None Prior to Fusion 2.03.0.0.021R
CVE-2018-2803 Oracle Hospitality Reporting and Analytics Report HTTP No 8.1 Network Low Low None Un-

changed
High High None 9.0
CVE-2018-2833 Oracle Hospitality Simphony Enterprise Management Console HTTP No 8.1 Network Low Low None Un-

changed
High High None 2.7, 2.8, 2.9, 2.10
CVE-2018-2851 Oracle Hospitality Simphony First Edition Enterprise Management Console HTTP No 8.1 Network Low Low None Un-

changed
High High None 1.6, 1.7
CVE-2018-2824 Oracle Hospitality Simphony Enterprise Management Console HTTP No 7.7 Network Low Low None Changed High None None 2.8, 2.9, 2.10
CVE-2018-2827 Oracle Hospitality Suite8 Profile HTTP No 7.6 Network Low Low Required Un-

changed
High Low High 8.x
CVE-2018-2848 Oracle Hospitality Simphony First Edition Client Application Loader HTTP Yes 7.5 Network Low None None Un-

changed
High None None 1.6, 1.7
CVE-2018-2850 Oracle Hospitality Cruise Fleet Management System Fleet Management System Suite Multiple Yes 7.3 Network Low None None Un-

changed
Low Low Low 9.x
CVE-2018-2847 Oracle Hospitality Simphony First Edition Operations HTTP No 6.5 Network Low Low None Un-

changed
High None None 1.6, 1.7
CVE-2018-2852 Oracle Hospitality Guest Access Base HTTP No 6.4 Network Low Low None Changed Low Low None 4.2.0, 4.2.1
CVE-2018-2802 Oracle Hospitality Simphony Client Application Loader HTTP No 5.4 Network Low Low None Un-

changed
Low Low None 2.8, 2.9
CVE-2018-2853 Oracle Hospitality Simphony First Edition Operations, Client Application Loader HTTP No 5.4 Network Low Low None Un-

changed
Low Low None 1.6, 1.7

Additional CVEs addressed are below:

  • The fix for CVE-2017-13082 also addresses CVE-2017-13077, CVE-2017-13078 and CVE-2017-13080.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Java SE. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.


The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of “High”, lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.


Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2018-2825 Java SE Libraries Multiple Yes 8.3 Network High None Required Changed High High High Java SE: 10 See Note 1
CVE-2018-2826 Java SE Libraries Multiple Yes 8.3 Network High None Required Changed High High High Java SE: 10 See Note 1
CVE-2018-2814 Java SE, Java SE Embedded Hotspot Multiple Yes 8.3 Network High None Required Changed High High High Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161 See Note 1
CVE-2018-2811 Java SE Install None No 7.7 Local High None Required Changed High High High Java SE: 8u162, 10 See Note 2
CVE-2018-2794 Java SE, JRockit Security None No 7.7 Local High None Required Changed High High High Java SE: 6u181, 7u171, 8u162, 10, JRockit: R28.3.17 See Note 3
CVE-2018-2783 Java SE, Java SE Embedded, JRockit Security Multiple Yes 7.4 Network High None None Un-

changed
High High None Java SE: 6u181, 7u161, 8u152; Java SE Embedded: 8u152; JRockit: R28.3.17 See Note 3
CVE-2018-2798 Java SE, Java SE Embedded, JRockit AWT Multiple Yes 5.3 Network Low None None Un-

changed
None None Low Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 See Note 3
CVE-2018-2796 Java SE, Java SE Embedded, JRockit Concurrency Multiple Yes 5.3 Network Low None None Un-

changed
None None Low Java SE: 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 See Note 3
CVE-2018-2799 Java SE, Java SE Embedded, JRockit JAXP Multiple Yes 5.3 Network Low None None Un-

changed
None None Low Java SE: 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 See Note 3
CVE-2018-2797 Java SE, Java SE Embedded, JRockit JMX Multiple Yes 5.3 Network Low None None Un-

changed
None None Low Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 See Note 3
CVE-2018-2795 Java SE, Java SE Embedded, JRockit Security Multiple Yes 5.3 Network Low None None Un-

changed
None None Low Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 See Note 3
CVE-2018-2815 Java SE, Java SE Embedded, JRockit Serialization Multiple Yes 5.3 Network Low None None Un-

changed
None None Low Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 See Note 3
CVE-2018-2800 Java SE, JRockit RMI Multiple Yes 4.2 Network High None Required Un-

changed
Low Low None Java SE: 6u181, 7u171, 8u162; JRockit: R28.3.17 See Note 4
CVE-2018-2790 Java SE, Java SE Embedded Security Multiple Yes 3.1 Network High None Required Un-

changed
None Low None Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161 See Note 1

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. Applies to installation process on client deployment of Java.
  3. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
  4. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle JD Edwards Products. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2017-5645 JD Edwards World Security Security Vulnerability (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High A9.2, A9.3, A9.4
CVE-2017-15095 JD Edwards EnterpriseOne Tools EnterpriseOne Mobility Sec (jackson-databind) HTTP Yes 8.1 Network High None None Un-

changed
High High High 9.2.2
CVE-2017-3736 JD Edwards EnterpriseOne Tools Enterprise Infrastructure SEC (OpenSSL) HTTP Yes 5.9 Network High None None Un-

changed
High None None 9.2.2

Additional CVEs addressed are below:

  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 33 new security fixes for Oracle MySQL. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2018-2755 MySQL Server Server: Replication MySQL Protocol No 7.7 Local High None Required Changed High High High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2805 MySQL Server GIS Extension MySQL Protocol No 6.5 Network Low Low None Un-

changed
None None High 5.6.39 and prior
CVE-2018-2782 MySQL Server InnoDB MySQL Protocol No 6.5 Network Low Low None Un-

changed
None None High 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2784 MySQL Server InnoDB MySQL Protocol No 6.5 Network Low Low None Un-

changed
None None High 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2819 MySQL Server InnoDB MySQL Protocol No 6.5 Network Low Low None Un-

changed
None None High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2758 MySQL Server Server : Security : Privileges MySQL Protocol No 6.5 Network Low Low None Un-

changed
None None High 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2817 MySQL Server Server: DDL MySQL Protocol No 6.5 Network Low Low None Un-

changed
None None High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2775 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un-

changed
None None High 5.7.21 and prior
CVE-2018-2780 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un-

changed
None None High 5.7.21 and prior
CVE-2017-3737 MySQL Enterprise Monitor Monitoring: Agent (OpenSSL) HTTPS Yes 5.9 Network High None None Un-

changed
High None None 3.3.7.3306 and prior, 3.4.5.4248 and prior, 4.0.2.5168 and prior
CVE-2018-2761 MySQL Server Client programs MySQL Protocol Yes 5.9 Network High None None Un-

changed
None None High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2786 MySQL Server InnoDB MySQL Protocol No 5.5 Network Low High None Un-

changed
None Low High 5.7.21 and prior
CVE-2018-2787 MySQL Server InnoDB MySQL Protocol No 5.5 Network Low High None Un-

changed
None Low High 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2812 MySQL Server Server: Optimizer MySQL Protocol No 5.5 Network Low High None Un-

changed
None Low High 5.7.21 and prior
CVE-2018-2877 MySQL Cluster Cluster: ndbcluster/plugin None No 5.0 Local Low Low Required Un-

changed
None None High 7.2.27 and prior, 7.3.16 and prior, 7.4.14 and prior, 7.5.5 and prior
CVE-2018-2759 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-

changed
None None High 5.7.21 and prior
CVE-2018-2766 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-

changed
None None High 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2777 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-

changed
None None High 5.7.21 and prior
CVE-2018-2810 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-

changed
None None High 5.7.21 and prior
CVE-2018-2818 MySQL Server Server : Security : Privileges MySQL Protocol No 4.9 Network Low High None Un-

changed
None None High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2839 MySQL Server Server: DML MySQL Protocol No 4.9 Network Low High None Un-

changed
None None High 5.7.21 and prior
CVE-2018-2778 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-

changed
None None High 5.7.21 and prior
CVE-2018-2779 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-

changed
None None High 5.7.21 and prior
CVE-2018-2781 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-

changed
None None High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2816 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-

changed
None None High 5.7.21 and prior
CVE-2018-2846 MySQL Server Server: Performance Schema MySQL Protocol No 4.9 Network Low High None Un-

changed
None None High 5.7.21 and prior
CVE-2018-2769 MySQL Server Server: Pluggable Auth MySQL Protocol No 4.9 Network Low High None Un-

changed
None None High 5.7.21 and prior
CVE-2018-2776 MySQL Server Group Replication GCS XCom No 4.9 Network Low High None Un-

changed
None None High 5.7.21 and prior
CVE-2018-2762 MySQL Server Server: Connection MySQL Protocol No 4.4 Local Low High None Un-

changed
None None High 5.7.21 and prior
CVE-2018-2771 MySQL Server Server: Locking MySQL Protocol No 4.4 Network High High None Un-

changed
None None High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2813 MySQL Server Server: DDL MySQL Protocol No 4.3 Network Low Low None Un-

changed
Low None None 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2018-2773 MySQL Server Client programs None No 4.1 Local High High None Un-

changed
None None High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
CVE-2016-9878 MySQL Enterprise Monitor EM Plugin: General (Spring Framework) HTTP No 3.8 Physical High High None Un-

changed
High None None 3.3.7.3306 and prior, 3.4.5.4248 and prior, 4.0.2.5168 and prior

Additional CVEs addressed are below:

  • The fix for CVE-2017-3737 also addresses CVE-2017-3738.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 12 new security fixes for Oracle PeopleSoft Products. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2018-2772 PeopleSoft Enterprise PeopleTools Rich Text Editor HTTP No 8.8 Network Low Low None Un-

changed
High High High 8.54, 8.55, 8.56
CVE-2018-2774 PeopleSoft Enterprise PT PeopleTools SQR HTTP Yes 7.3 Network Low None None Un-

changed
Low Low Low 8.54, 8.55, 8.56
CVE-2018-2793 PeopleSoft Enterprise PT PeopleTools PsAdmin None No 6.2 Local Low None None Un-

changed
High None None 8.54, 8.55, 8.56
CVE-2018-2878 PeopleSoft Enterprise HCM Shared Components Notepad HTTP Yes 6.1 Network Low None Required Changed Low Low None 9.2
CVE-2018-2788 PeopleSoft Enterprise PeopleTools Fluid Core HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.55, 8.56
CVE-2018-2821 PeopleSoft Enterprise PeopleTools Rich Text Editor HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.54, 8.55, 8.56
CVE-2018-2838 PeopleSoft Enterprise PRTL Interaction Hub EPPCM_HIER_TOP HTTP Yes 6.1 Network Low None Required Changed Low Low None 9.1
CVE-2017-3736 PeopleSoft Enterprise PeopleTools Security (OpenSSL) HTTP Yes 5.9 Network High None None Un-

changed
High None None 8.54, 8.55, 8.56
CVE-2018-2752 PeopleSoft Enterprise HCM Security HTTP No 5.4 Network Low Low Required Changed Low Low None 9.2
CVE-2018-2785 PeopleSoft Enterprise PeopleTools Stylesheet HTTP Yes 4.7 Network Low None Required Changed None Low None 8.54, 8.55, 8.56
CVE-2018-2820 PeopleSoft Enterprise PeopleTools Fluid Core HTTP No 4.3 Network Low Low None Un-

changed
Low None None 8.54, 8.55, 8.56
CVE-2018-2809 PeopleSoft Enterprise PeopleTools Fluid Homepage & Navigation HTTP Yes 4.3 Network Low None Required Un-

changed
None Low None 8.54, 8.55, 8.56

Additional CVEs addressed are below:

  • The fix for CVE-2017-3736 also addresses CVE-2017-3735, CVE-2017-3737 and CVE-2017-3738.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 31 new security fixes for Oracle Retail Applications. 27 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2017-5645 MICROS Lucas Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 2.9.5
CVE-2017-5645 Oracle Retail Advanced Inventory Planning Operations & Maintenance (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 13.2, 13.4, 14.1, 15.0
CVE-2017-5645 Oracle Retail Back Office Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 14.0.4, 14.1.3
CVE-2017-5645 Oracle Retail Central Office Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 14.0.4, 14.1.3
CVE-2017-5645 Oracle Retail EFTLink Installation (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 1.1.124, 15.0.1, 16.0.2
CVE-2017-5645 Oracle Retail Insights Integration (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 14.0, 14.1, 15.0, 16.0
CVE-2017-5645 Oracle Retail Invoice Matching Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0, 16.0
CVE-2017-5645 Oracle Retail Order Broker System Administration (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 5.0, 5.1, 5.2, 15.0, 16.0
CVE-2017-5645 Oracle Retail Order Management System Upgrade Install (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 4.0, 4.5, 4.7, 5.0
CVE-2017-5645 Oracle Retail Point-of-Service Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 14.0.4, 14.1.3
CVE-2017-5645 Oracle Retail Price Management Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0, 16.0
CVE-2017-5645 Oracle Retail Returns Management Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 2.3.8, 2.4.9, 14.0.4, 14.1.3
CVE-2017-5645 Oracle Retail Store Inventory Management SIM Integration (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 12.0.12, 13.0.7, 13.1.9, 13.2.9, 14.0.4, 14.1.3, 15.0.2, 16.0.1
CVE-2016-6814 Oracle Retail Insights ODI Configuration (Apache Groovy) HTTP Yes 9.6 Network Low None Required Changed High High High 14.0, 14.1, 15.0, 16.0
CVE-2016-0635 Oracle Retail Invoice Matching Security (Spring Framework) HTTP No 8.8 Network Low Low None Un-

changed
High High High 12.0, 13.0, 13.1, 13.2, 14.0, 14.1
CVE-2016-3506 Oracle Retail Merchandising System Installation HTTP Yes 8.1 Network High None None Un-

changed
High High High 15.0
CVE-2017-15095 Oracle Retail Order Broker System Administration (jackson-databind) HTTP Yes 8.1 Network High None None Un-

changed
High High High 5.2
CVE-2017-12617 Oracle Retail Order Broker Upgrade Install (Apache Tomcat) HTTP Yes 8.1 Network High None None Un-

changed
High High High 5.2, 15.0
CVE-2018-2840 Oracle Retail Xstore Point of Service Xstore Office HTTP Yes 7.6 Network Low None Required Un-

changed
High Low Low 6.5.11, 7.0.6, 7.1.6, 15.0.1, 16.0.2
CVE-2016-9878 Oracle Retail Customer Engagement Internal Operations (Spring Framework) HTTP Yes 7.5 Network Low None None Un-

changed
High None None 16.0
CVE-2017-5664 Oracle Retail Order Management System Upgrade Install (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-

changed
None High None 5.0
CVE-2016-9878 Oracle Retail Predictive Application Server RPAS Fusion Client (Spring Framework) HTTP Yes 7.5 Network Low None None Un-

changed
High None None 13.4.3, 14.0.3, 14.1.3
CVE-2017-9798 Oracle Retail Xstore Point of Service Xstore Office (Apache HTTP Server) HTTP Yes 7.5 Network Low None None Un-

changed
High None None 6.0.11, 6.5.11, 7.0.6, 7.1.6
CVE-2017-5645 Oracle Retail Xstore Point of Service Xenvironment (Apache Log4j) HTTP No 7.2 Network Low High None Un-

changed
High High High 6.0.11, 7.0.6, 7.1.6, 15.0.1
CVE-2018-2876 Oracle Retail Integration Bus RIB Kernal(Apache Commons Collections) HTTP Yes 7.1 Network Low None Required Changed Low Low Low 13.2
CVE-2018-2862 Oracle Retail Point-of-Service User Interface HTTP No 7.1 Network Low Low None Un-

changed
High Low None 13.3.8, 13.4.9, 14.0.4, 14.1.3
CVE-2017-15095 Oracle Retail Xstore Point of Service Xenvironment (jackson-databind) HTTP No 6.6 Network High High None Un-

changed
High High High 6.5.11, 7.0.6, 7.1.6, 15.0.1, 16.0.2
CVE-2018-2861 Oracle Retail Back Office Security HTTP Yes 6.5 Network Low None None Un-

changed
Low None Low 13.4.9, 14.0.4, 14.1.3
CVE-2018-2738 Oracle Retail Central Office Security HTTP Yes 6.5 Network Low None None Un-

changed
Low Low None 13.4.9, 14.0.4, 14.1.3
CVE-2018-2737 Oracle Retail Returns Management Security HTTP Yes 6.5 Network Low None None Un-

changed
Low Low None 2.3.8, 2.4.9, 14.0.4, 14.1.3
CVE-2016-5007 Oracle Retail Xstore Point of Service Point of Sale (Spring Framework) HTTP Yes 6.5 Network Low None None Un-

changed
Low Low None 6.0.11, 6.5.11, 7.0.6, 7.1.6, 15.0.1

Additional CVEs addressed are below:

  • The fix for CVE-2016-5007 also addresses CVE-2014-0054.
  • The fix for CVE-2016-9878 also addresses CVE-2016-5007.
  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.
  • The fix for CVE-2017-5645 also addresses CVE-2017-12617.
  • The fix for CVE-2018-2876 also addresses CVE-2015-7501.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Siebel CRM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2017-5664 Siebel UI Framework EAI (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-

changed
None High None 17.0
CVE-2018-2789 Siebel Core – Server Framework Services HTTP No 5.0 Network Low Low None Changed Low None None 17.0

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 14 new security fixes for the Oracle Sun Systems Products Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2017-17562 Integrated Lights Out Manager (ILOM) System Management (GoAhead) HTTP No 9.1 Network Low High None Changed High High High 3.x, 4.x
CVE-2018-2754 Solaris ZVNET Driver None No 7.7 Local Low None None Un-

changed
None High High 11.3
CVE-2018-2764 Solaris Kernel NFS Yes 7.5 Network Low None None Un-

changed
None None High 10, 11.3
CVE-2018-2718 Solaris RPC NFS Yes 7.5 Network Low None None Un-

changed
None None High 10, 11.3
CVE-2018-2822 Solaris Cluster Cluster Geo None No 6.6 Local Low Low None Un-

changed
High Low Low 4.3
CVE-2018-2857 Sun ZFS Storage Appliance Kit (AK) HTTP data path subsystems HTTP No 6.3 Network Low Low None Un-

changed
Low Low Low Prior to 8.7.17
CVE-2018-2753 Solaris Python modules None No 6.0 Local High Low Required Un-

changed
High High None 11.3
CVE-2017-5753 Solaris Kernel None No 5.6 Local High Low None Changed High None None 10, 11.3
CVE-2018-2858 Sun ZFS Storage Appliance Kit (AK) HTTP data path subsystems HTTP Yes 5.3 Network Low None None Un-

changed
Low None None Prior to 8.7.17
CVE-2018-2808 Solaris Kernel None No 5.0 Local Low Low Required Un-

changed
None None High 11.3
CVE-2018-2863 Sun ZFS Storage Appliance Kit (AK) API frameworks HTTP No 5.0 Network Low Low None Changed Low None None Prior to 8.7.17
CVE-2018-2563 Solaris LDAP Library LDAP No 4.2 Network High Low None Un-

changed
Low Low None 10, 11.3
CVE-2018-2792 Hardware Management Pack Ipmitool Multiple No 3.8 Network Low High None Un-

changed
Low Low None Prior to 2.4.3
CVE-2018-2763 Solaris NTPD None No 3.3 Local Low Low None Un-

changed
None Low None 11.3

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 5 new security fixes for the Oracle Supply Chain Products Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2017-15095 Oracle Agile PLM Framework Web Client (CS) HTTP No 8.8 Network Low Low None Un-

changed
High High High 9.3.6
CVE-2018-2823 Oracle Transportation Management Database HTTP No 6.5 Network Low Low None Un-

changed
None High None 6.4.3
CVE-2018-2572 Oracle Agile Product Lifecycle Management for Process Installation HTTP Yes 6.1 Network Low None Required Changed Low Low None 6.1.1.6, 6.2.0.0, 6.2.1.0
CVE-2017-3736 Oracle Agile Engineering Data Management Install (OpenSSL) HTTP Yes 5.9 Network High None None Un-

changed
High None None 6.1.3, 6.2.0, 6.2.1
CVE-2017-3736 Oracle Transportation Management Install (OpenSSL) HTTP Yes 5.9 Network High None None Un-

changed
High None None 6.2

Additional CVEs addressed are below:

  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.
  • The fix for CVE-2017-3736 also addresses CVE-2017-3735.

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Support Tools. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2017-3736 OSS Support Tools Services Tools Bundle (OpenSSL) HTTP No 6.5 Network Low Low None Un-

changed
High None None Prior to 18.2

Additional CVEs addressed are below:

  • The fix for CVE-2017-3736 also addresses CVE-2017-3735.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Utilities Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2017-5645 Oracle Utilities Framework Logging (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-

changed
High High High 2.2.0, 4.2.0, 4.3.0

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 13 new security fixes for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote

Exploit

without

Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base

Score
Attack

Vector
Attack

Complex
Privs

Req’d
User

Interact
Scope Confid-

entiality
Inte-

grity
Avail-

ability
CVE-2018-2842 Oracle VM VirtualBox Core None No 8.8 Local Low Low None Changed High High High Prior to 5.1.36, Prior to 5.2.10
CVE-2018-2843 Oracle VM VirtualBox Core None No 8.8 Local Low Low None Changed High High High Prior to 5.1.36, Prior to 5.2.10
CVE-2018-2844 Oracle VM VirtualBox Core None No 8.8 Local Low Low None Changed High High High Prior to 5.1.36, Prior to 5.2.10
CVE-2018-2830 Oracle VM VirtualBox Core None No 8.2 Local Low Low Required Changed High High High Prior to 5.1.36, Prior to 5.2.10
CVE-2018-2835 Oracle VM VirtualBox Core None No 8.2 Local Low Low Required Changed High High High Prior to 5.1.36, Prior to 5.2.10
CVE-2018-2836 Oracle VM VirtualBox Core None No 8.2 Local Low Low Required Changed High High High Prior to 5.1.36, Prior to 5.2.10
CVE-2018-2837 Oracle VM VirtualBox Core None No 8.2 Local Low Low Required Changed High High High Prior to 5.1.36, Prior to 5.2.10
CVE-2018-2860 Oracle VM VirtualBox Core None No 8.2 Local Low High None Changed High High High Prior to 5.1.36, Prior to 5.2.10
CVE-2017-9798 Oracle Secure Global Desktop (SGD) Web Server (Apache HTTP Server) HTTP Yes 7.5 Network Low None None Un-

changed
High None None 5.3
CVE-2018-2845 Oracle VM VirtualBox Core None No 6.6 Local Low Low None Un-

changed
Low Low High Prior to 5.1.36, Prior to 5.2.10
CVE-2018-0739 Oracle VM VirtualBox Core (OpenSSL) TLS Yes 6.5 Network Low None Required Un-

changed
None None High Prior to 5.1.36, Prior to 5.2.10
CVE-2017-3737 Oracle Secure Global Desktop (SGD) Core (OpenSSL) TLS Yes 5.9 Network High None None Un-

changed
High None None 5.3
CVE-2018-2831 Oracle VM VirtualBox Core None No 3.8 Local Low Low None Changed Low None None Prior to 5.1.36, Prior to 5.2.10

Additional CVEs addressed are below:

  • The fix for CVE-2017-3737 also addresses CVE-2017-3738.

Related:

  • No Related Posts

Leave a Reply