www.oracle.com
2a02:26f0:11a:489::a15
Public Scan
URL:
https://www.oracle.com/security-alerts/cpujan2021.html
Submission: On January 04 via api from US — Scanned from DE
Form analysis: 1 form found in the DOM (name: u30searchForm, GET /search; the site search widget).
Text Content
ORACLE CRITICAL PATCH UPDATE ADVISORY - JANUARY 2021

DESCRIPTION

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 329 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at January 2021 Critical Patch Update: Executive Summary and Analysis.

Please note that since the release of the October 2020 Critical Patch Update, Oracle has released a Security Alert for Oracle WebLogic Server: CVE-2020-14750 (November 1, 2020). Customers are strongly advised to apply this Critical Patch Update, which includes patches for this Alert as well as additional patches.

AFFECTED PRODUCTS AND PATCH INFORMATION

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.
| Affected Products and Versions | Patch Availability Document |
|---|---|
| Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Enterprise Manager Base Platform, versions 13.2.1.0, 13.3.0.0, 13.4.0.0 | Enterprise Manager |
| Enterprise Manager for Fusion Applications, version 13.3.0.0 | Enterprise Manager |
| Enterprise Manager Ops Center, version 12.4.0.0 | Enterprise Manager |
| Hyperion Financial Reporting, version 11.1.2.4 | Fusion Middleware |
| Hyperion Infrastructure Technology, version 11.1.2.4 | Fusion Middleware |
| Instantis EnterpriseTrack, versions 17.1-17.3 | Oracle Construction and Engineering Suite |
| JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.5.1 | JD Edwards |
| JD Edwards EnterpriseOne Tools, versions prior to 9.2.5.0 | JD Edwards |
| MySQL Client, versions 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior | MySQL |
| MySQL Enterprise Monitor, versions 8.0.22 and prior | MySQL |
| MySQL Server, versions 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior | MySQL |
| MySQL Workbench, versions 8.0.22 and prior | MySQL |
| Oracle Adaptive Access Manager, version 11.1.2.3.0 | Fusion Middleware |
| Oracle Agile Engineering Data Management, version 6.2.1.0 | Oracle Supply Chain Products |
| Oracle Agile PLM, versions 9.3.5, 9.3.6 | Oracle Supply Chain Products |
| Oracle Agile Product Lifecycle Management for Process, version 6.1 | Oracle Supply Chain Products |
| Oracle Application Express Opportunity Tracker, versions prior to 20.2 | Database |
| Oracle Application Express Survey Builder, versions prior to 20.2 | Database |
| Oracle Application Testing Suite, version 13.3.0.1 | Enterprise Manager |
| Oracle Argus Safety, version 8.2.2 | Health Sciences |
| Oracle BAM (Business Activity Monitoring), versions 11.1.1.9.0, 12.2.1.3.0 | Fusion Middleware |
| Oracle Banking Corporate Lending Process Management, versions 14.1.0, 14.3.0, 14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Credit Facilities Process Management, versions 14.1.0, 14.3.0, 14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Extensibility Workbench, versions 14.3.0, 14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Liquidity Management, versions 14.0.0-14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Payments, version 14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0, 2.9.0 | Oracle Banking Platform |
| Oracle Banking Supply Chain Finance, versions 14.2.0-14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Trade Finance Process Management, versions 14.1.0, 14.3.0, 14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Virtual Account Management, versions 14.1.0, 14.3.0, 14.4.0 | Oracle Financial Services Applications |
| Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware |
| Oracle Communications Application Session Controller, version 3.9m0p2 | Oracle Communications Application Session Controller |
| Oracle Communications ASAP, version 7.3 | Oracle Communications ASAP |
| Oracle Communications BRM - Elastic Charging Engine, versions 11.3.0.9, 12.0.0.3 | Oracle Communications BRM - Elastic Charging Engine |
| Oracle Communications Calendar Server, version 8.0.0.4.0 | Oracle Communications Calendar Server |
| Oracle Communications Contacts Server, version 8.0.0.5.0 | Oracle Communications Contacts Server |
| Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0-8.2.2 | Oracle Communications Diameter Signaling Router |
| Oracle Communications Element Manager, versions 8.2.1.0-8.2.2.1 | Oracle Communications Element Manager |
| Oracle Communications MetaSolv Solution, versions 6.3.0-6.3.1 | Oracle Communications MetaSolv Solution |
| Oracle Communications Network Charging and Control, versions 6.0.1, 12.0.2 | Oracle Communications Network Charging and Control |
| Oracle Communications Operations Monitor, versions 3.4, 4.1, 4.2, 4.3 | Oracle Communications Operations Monitor |
| Oracle Communications Performance Intelligence Center (PIC) Software, version 10.4.0.2 | Oracle Communications Performance Intelligence Center (PIC) Software |
| Oracle Communications Session Report Manager, versions 8.2.1.0-8.2.2.1 | Oracle Communications Session Report Manager |
| Oracle Complex Maintenance, Repair, and Overhaul, versions 11.5.10, 12.1, 12.2 | Oracle Supply Chain Products |
| Oracle Configurator, versions 12.1, 12.2 | Oracle Supply Chain Products |
| Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 18c, 19c | Database |
| Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10 | E-Business Suite |
| Oracle Endeca Information Discovery Integrator, version 3.2.0.0 | Fusion Middleware |
| Oracle Enterprise Communications Broker, versions 3.1, 3.2 | Oracle Enterprise Communications Broker |
| Oracle Enterprise Data Quality, versions 11.1.1.9.0, 12.2.1.3.0 | Fusion Middleware |
| Oracle Enterprise Repository, version 11.1.1.7.0 | Fusion Middleware |
| Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0 | Oracle Financial Services Analytical Applications Infrastructure |
| Oracle Financial Services Asset Liability Management, versions 8.0.7, 8.1.0 | Oracle Financial Services Asset Liability Management |
| Oracle Financial Services Data Integration Hub, versions 8.0.3, 8.0.6 | Oracle Financial Services Data Integration Hub |
| Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Funds Transfer Pricing |
| Oracle Financial Services Market Risk Measurement and Management, version 8.0.6 | Oracle Financial Services Market Risk Measurement and Management |
| Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Profitability Management |
| Oracle Financial Services Revenue Management and Billing, versions 2.9.0.0, 2.9.0.1 | Oracle Financial Services Revenue Management and Billing |
| Oracle FLEXCUBE Core Banking, versions 11.5.0-11.9.0 | Oracle Financial Services Applications |
| Oracle FLEXCUBE Universal Banking, version 14.4.0 | Oracle Financial Services Applications |
| Oracle Fusion Middleware MapViewer, version 12.2.1.3.0 | Fusion Middleware |
| Oracle Global Lifecycle Management OPatch | Fusion Middleware |
| Oracle Global Lifecycle Manager | Global Lifecycle Management |
| Oracle GoldenGate Application Adapters, version 19.1.0.0.0 | Fusion Middleware |
| Oracle GraalVM Enterprise Edition, versions 19.3.4, 20.3.0 | Oracle GraalVM Enterprise Edition |
| Oracle Health Sciences Information Manager, version 3.0.1 | Health Sciences |
| Oracle Healthcare Master Person Index, version 4.0.2.5 | Health Sciences |
| Oracle Hospitality Reporting and Analytics, version 9.1.0 | Oracle Hospitality Reporting and Analytics |
| Oracle Hospitality Simphony, versions 18.2.7.2, 19.1.3 | Oracle Hospitality Simphony |
| Oracle Insurance Allocation Manager for Enterprise Profitability, version 8.1.0 | Oracle Insurance Allocation Manager for Enterprise Profitability |
| Oracle Insurance Insbridge Rating and Underwriting, versions 5.0.0.20, 5.1.1.3 | Oracle Insurance Applications |
| Oracle Insurance Policy Administration, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0 | Oracle Insurance Applications |
| Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0 | Oracle Insurance Applications |
| Oracle Java SE, versions 7u281, 8u271 | Java SE |
| Oracle Java SE Embedded, version 8u271 | Java SE |
| Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Outside In Technology, versions 8.5.4, 8.5.5 | Fusion Middleware |
| Oracle Real-Time Decision Server, version 3.2.1.0 | Fusion Middleware |
| Oracle Retail Assortment Planning, version 16.0.3 | Retail Applications |
| Oracle Retail Bulk Data Integration, versions 15.0.3, 16.0.3 | Retail Applications |
| Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0, 19.0 | Retail Applications |
| Oracle Retail Extract Transform and Load, versions 13.2.5, 13.2.8 | Retail Applications |
| Oracle Retail Financial Integration, versions 14.1.3, 15.0.3, 16.0.3 | Retail Applications |
| Oracle Retail Integration Bus, versions 14.1.3, 15.0.3, 16.0.3 | Retail Applications |
| Oracle Retail Invoice Matching, versions 13.2, 14.0, 14.1 | Retail Applications |
| Oracle Retail Merchandising System, version 15.0 | Retail Applications |
| Oracle Retail Order Broker, versions 15.0, 16.0 | Retail Applications |
| Oracle Retail Order Broker Cloud Service, version 15.0 | Retail Applications |
| Oracle Retail Sales Audit, version 14.1 | Retail Applications |
| Oracle Retail Service Backbone, versions 14.1.3, 15.0.3, 16.0.3 | Retail Applications |
| Oracle Retail Store Inventory Management, versions 14.0.4.0, 14.1.3.0, 14.1.3.9, 15.0.3.0, 16.0.3.0 | Retail Applications |
| Oracle SD-WAN Edge, version 9.0 | Oracle SD-WAN Edge |
| Oracle Secure Backup | Oracle Secure Backup |
| Oracle Transportation Management, version 1.4.3 | Oracle Supply Chain Products |
| Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | Oracle Utilities Applications |
| Oracle VM VirtualBox, versions prior to 6.1.18 | Virtualization |
| Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware |
| Oracle ZFS Storage Appliance Kit, version 8.8 | Systems |
| PeopleSoft Enterprise FIN Payables, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise HCM Human Resources, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58 | PeopleSoft |
| Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.9, 18.8.0-18.8.10, 19.12.0-19.12.10 | Oracle Construction and Engineering Suite |
| Primavera P6 Enterprise Project Portfolio Management, versions 16.1.0-16.2.20, 17.1.0-17.12.19, 18.1.0-18.8.21, 19.12.0-19.12.10 | Oracle Construction and Engineering Suite |
| Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12 | Oracle Construction and Engineering Suite |
| Siebel Applications, versions 20.12 and prior | Siebel |
| StorageTek Tape Analytics SW Tool, version 2.3.1 | Systems |

NOTE:

* Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to the Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1, for information on patches to be applied to Fusion Application environments.
* Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA, so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1, for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
* Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets, which contain critical security fixes and are detailed in the Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
* Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
RISK MATRIX CONTENT

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE#, which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Oracle lists updates that address vulnerabilities in third-party components which are not exploitable in the context of their inclusion in their respective Oracle product beneath the product's risk matrix.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

WORKAROUNDS

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution, as neither corrects the underlying problem.

SKIPPED CRITICAL PATCH UPDATES

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

CRITICAL PATCH UPDATE SUPPORTED PRODUCTS AND VERSIONS

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running. Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update.
However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions. Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

CREDIT STATEMENT

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:
* 0rich1 of Ant Security FG Lab: CVE-2021-2109
* 0xfoxone: CVE-2021-2068
* Alessandro Bosco of TIM S.p.A: CVE-2021-2005
* Alves Christopher of Telecom Nancy: CVE-2021-2006, CVE-2021-2010, CVE-2021-2011
* Amey Anekar of CyberCube Services: CVE-2021-2052
* Amy Tran: CVE-2021-2026, CVE-2021-2027
* Andrej Simko of Accenture: CVE-2021-2077, CVE-2021-2078, CVE-2021-2079, CVE-2021-2080, CVE-2021-2082, CVE-2021-2083, CVE-2021-2084, CVE-2021-2085, CVE-2021-2090, CVE-2021-2091, CVE-2021-2092, CVE-2021-2093, CVE-2021-2094, CVE-2021-2096, CVE-2021-2097, CVE-2021-2098, CVE-2021-2099, CVE-2021-2100, CVE-2021-2101, CVE-2021-2102, CVE-2021-2103, CVE-2021-2104, CVE-2021-2105, CVE-2021-2106, CVE-2021-2107, CVE-2021-2114, CVE-2021-2115, CVE-2021-2118
* Antonin B. of NCIA / NCSC: CVE-2021-2017
* Bui Duong from Viettel Cyber Security: CVE-2021-2013, CVE-2021-2049, CVE-2021-2050, CVE-2021-2051
* ChauUHM from Sacombank: CVE-2021-2062
* ChenNan Of Chaitin Security Research Lab: CVE-2021-2086, CVE-2021-2111, CVE-2021-2112, CVE-2021-2119, CVE-2021-2120, CVE-2021-2121, CVE-2021-2125, CVE-2021-2126, CVE-2021-2129, CVE-2021-2131
* Chi Tran: CVE-2021-2026, CVE-2021-2027
* Chris Barnabo: CVE-2021-2128
* Cl0und Syclover Security Team: CVE-2020-14756
* Codeplutos of AntGroup FG Security Lab: CVE-2020-14756, CVE-2021-2075
* DoHyun Lee of VirtualBoBs: CVE-2021-2086
* Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2021-2035, CVE-2021-2054
* Edoardo Predieri of TIM S.p.A: CVE-2021-2005
* Emad Al-Mousa working with Trend Micro Zero Day Initiative: CVE-2021-2054
* Esteban Montes Morales of Accenture: CVE-2021-2089
* Fabio Minarelli of TIM S.p.A: CVE-2021-2005
* Francesco Russo of TIM S.p.A: CVE-2021-2005
* Gaoning Pan of Zhejiang University & Ant Security Light-Year Lab: CVE-2021-2073, CVE-2021-2074, CVE-2021-2086, CVE-2021-2123, CVE-2021-2130
* Girlelecta: CVE-2021-2066, CVE-2021-2067, CVE-2021-2069
* Glassy of Alibaba Cloud Security Group: CVE-2021-2109
* Hangfan Zhang: CVE-2021-2030
* Julien Zhan of Telecom Nancy: CVE-2021-2006, CVE-2021-2010, CVE-2021-2011
* JungHyun Kim (jidoc01) of VirtualBoBs: CVE-2021-2124
* JunYoung Park and DongJun Shin of VirtualBoBs: CVE-2021-2127
* Khuyen Nguyen of secgit.com: CVE-2021-2023
* Kun Yang of Chaitin Security Research Lab: CVE-2021-2086, CVE-2021-2111, CVE-2021-2112, CVE-2021-2119, CVE-2021-2120, CVE-2021-2121, CVE-2021-2125, CVE-2021-2126, CVE-2021-2129, CVE-2021-2131
* Longofo of Knownsec 404 Team: CVE-2021-2109
* Luca Di Giuseppe of TIM S.p.A: CVE-2021-2005
* Lukasz Plonka: CVE-2021-2063
* Lukasz Rupala of ING Tech Poland: CVE-2021-2003
* Maciej Grabiec of ING Tech Poland: CVE-2021-2063
* Massimiliano Brolli of TIM S.p.A: CVE-2021-2005
* Nam HaBach of NightSt0rm: CVE-2021-2034
* Omur Ugur of Turk Telekom: CVE-2021-2003
* Pawel Gocyla of ING Tech Poland: CVE-2021-2063
* Philippe Antoine of Telecom Nancy: CVE-2021-2006, CVE-2021-2010, CVE-2021-2011
* r00t4dm at Cloud-Penetrating Arrow Lab: CVE-2021-2109
* Roberto Suggi Liverani of NCIA / NCSC: CVE-2021-2017
* Rui Zhong: CVE-2021-2030
* Rémi Badonnel of Telecom Nancy: CVE-2021-2010, CVE-2021-2011
* Shimizu Kawasaki of DiDiGlobal Security Product Technology Department (Basic Security): CVE-2021-2109
* Thiscodecc: CVE-2021-2047
* Trung Le: CVE-2021-2026, CVE-2021-2027
* Tuan Anh Nguyen of Viettel Cyber Security: CVE-2021-2025, CVE-2021-2029
* Ved Prabhu: CVE-2021-2116, CVE-2021-2117
* Xiayu Zhang of Tencent Keen Security Lab: CVE-2021-2064
* Xingwei Lin of Ant Security Light-Year Lab: CVE-2021-2073, CVE-2021-2074, CVE-2021-2086, CVE-2021-2123, CVE-2021-2130
* Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2021-2109
* Yakov Shafranovich of T. Rowe Price Associates, Inc.: CVE-2021-2018
* Yaoguang Chen of Ant Security Light-Year Lab: CVE-2021-2055
* Yongheng Chen: CVE-2021-2030
* Yu Wang of BMH Security Team: CVE-2021-2108
* Zhangyanyu of Chaitin Security Research Lab: CVE-2021-2131
* Zouhair Janatil-Idrissi of Telecom Nancy: CVE-2021-2006, CVE-2021-2010, CVE-2021-2011

SECURITY-IN-DEPTH CONTRIBUTORS

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.
In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program:
* Markus Loewe [2 reports]
* Salini Reus of Fiji Roads Authority

ON-LINE PRESENCE SECURITY CONTRIBUTORS

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:
* Aakash Adhikari (dark_haxor)
* Adam Willard [2 reports]
* Ahlan S
* Ahmed Alwardani
* Ahmed Ouahabi
* Anas Rahmani
* Ayushmaan Banerjee
* Boo
* Bradley Baker
* Bui Dinh Bao aka 0xd0ff9 of Zalo Security Team (VNG Corp)
* Bui Duc Anh Khoa aka khoabda of Zalo Security Team (VNG Corp)
* Christopher Hanlon
* Fabien B
* Flaviu Popescu
* Hamoud Al-Helmani [2 reports]
* Harpreet Singh
* Harshal S. Sharma
* Mahmoud ElSayed
* Marwan Albahar [6 reports]
* Matt Bushey
* Mohammad Hosein Askari
* Phan Quan of VNPT Information Security Center (VNPT ISC)
* Prabharoop C.C. [2 reports]
* Prashant Saini
* Pratik Khalane
* Purbasha Ghosh
* Quan Doan of R&D Center - VinCSS LLC (a member of Vingroup) [5 reports]
* Ram Kumar
* Ratnadip Gajbhiye
* Robert Kulig
* Robert Lee Dick
* Sarwar Abbas
* Saurabh Dilip Mhatre
* Shailesh Kumavat
* Shivam Pandey
* Tuan Anh Nguyen of Viettel Cyber Security
* Virendra Singh Rathore

CRITICAL PATCH UPDATE SCHEDULE

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October.
The next four dates are:
* 20 April 2021
* 20 July 2021
* 19 October 2021
* 18 January 2022

REFERENCES
* Oracle Critical Patch Updates, Security Alerts and Bulletins
* Critical Patch Update - January 2021 Documentation Map
* Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
* Risk Matrix Definitions
* Use of Common Vulnerability Scoring System (CVSS) by Oracle
* English text version of the risk matrices
* CVRF XML version of the risk matrices
* Map of CVE to Advisory/Alert
* Software Error Correction Support Policy
* Oracle Lifetime Support Policy
* JEP 290 Reference Blocklist Filter

MODIFICATION HISTORY

Date | Note
2021-February-22 | Rev 3. Updated the affected versions for CVE-2021-2047
2021-January-25 | Rev 2. Update to Credit Statements.
2021-January-19 | Rev 1. Initial Release.

ORACLE DATABASE SERVER RISK MATRIX

This Critical Patch Update contains 8 new security patches plus additional third party patches noted below for Oracle Database Products. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-2035 | RDBMS Scheduler | Export Full Database | Oracle Net | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2021-2018 | Advanced Networking Option | None | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 18c, 19c | See Note 1
CVE-2021-2054 | RDBMS Sharding | Create Any Procedure, Create Any View, Create Any Trigger | Oracle Net | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 12.2.0.1, 18c, 19c |
CVE-2021-2116 | Oracle Application Express Opportunity Tracker | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2021-2117 | Oracle Application Express Survey Builder | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2021-1993 | Java VM | Create Session | Oracle Net | No | 4.8 | Network | High | Low | Required | Unchanged | None | High | None | 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2021-2045 | Oracle Text | Create Session | Oracle Net | No | 3.1 | Network | High | Low | None | Unchanged | None | None | Low | 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2021-2000 | Unified Audit | SYS Account | Oracle Net | No | 2.4 | Network | Low | High | Required | Unchanged | None | Low | None | 12.1.0.2, 12.2.0.1, 18c, 19c |

NOTES:
1. CVE-2021-2018 affects Windows platform only.

ADDITIONAL PATCHES ARE INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES IN THIS ORACLE PRODUCT FAMILY:
* Perl: CVE-2020-10878, CVE-2020-10543 and CVE-2020-12723.

ORACLE GLOBAL LIFECYCLE MANAGEMENT RISK MATRIX

This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle Global Lifecycle Management. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Global Lifecycle Management.
The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
There are no exploitable vulnerabilities for these products. Third party patches for non-exploitable CVEs are noted below.

ADDITIONAL PATCHES ARE INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES IN THIS ORACLE PRODUCT FAMILY:
* Oracle Global Lifecycle Manager
  * Patch Installer (Apache Commons Compress): CVE-2019-12402.

ORACLE SECURE BACKUP RISK MATRIX

This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle Secure Backup. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Secure Backup. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
There are no exploitable vulnerabilities for these products. Third party patches for non-exploitable CVEs are noted below.

ADDITIONAL PATCHES ARE INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES IN THIS ORACLE PRODUCT FAMILY:
* Oracle Secure Backup
  * User Interface (PHP): CVE-2020-7064.
  * Web Server (Apache HTTP Server): CVE-2020-11984, CVE-2020-11993 and CVE-2020-9490.

ORACLE COMMUNICATIONS APPLICATIONS RISK MATRIX

This Critical Patch Update contains 8 new security patches for Oracle Communications Applications. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-14195 | Oracle Communications Calendar Server | REST API (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.0.0.4.0 |
CVE-2020-14195 | Oracle Communications Contacts Server | REST API (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.0.0.5.0 |
CVE-2019-17566 | Oracle Communications MetaSolv Solution | Print Preview (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 6.3.0-6.3.1 |
CVE-2020-13871 | Oracle Communications Network Charging and Control | Common (SQLite) | SQL | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.0.1, 12.0.2 |
CVE-2019-10086 | Oracle Communications BRM - Elastic Charging Engine | Coherence Query (Apache Commons BeanUtils) | TCP/IP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3.0.9, 12.0.0.3 |
CVE-2019-10086 | Oracle Communications MetaSolv Solution | Online Help (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 6.3.0-6.3.1 |
CVE-2020-5421 | Oracle Communications BRM - Elastic Charging Engine | Orchestration, Processor and Messages (Spring Framework) | TCP/IP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 11.3.0.9, 12.0.0.3 |
CVE-2020-1945 | Oracle Communications ASAP | Core (Apache Ant) | None | No | 6.2 | Local | Low | None | None | Unchanged | High | None | None | 7.3 |

ADDITIONAL CVES ADDRESSED ARE:
* The patch for CVE-2020-13871 also addresses CVE-2020-15358.
* The patch for CVE-2020-14195 also addresses CVE-2020-14060, CVE-2020-14061 and CVE-2020-14062.
* The patch for CVE-2020-1945 also addresses CVE-2017-5645.

ORACLE COMMUNICATIONS RISK MATRIX

This Critical Patch Update contains 12 new security patches for Oracle Communications.
7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-7164 | Oracle Communications Operations Monitor | ORMB DB Query in VSP (SQLAlchemy) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.2, 4.3 |
CVE-2020-24750 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.0.0-8.2.2 |
CVE-2020-27216 | Oracle Communications Application Session Controller | Core (Eclipse Jetty) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 3.9m0p2 |
CVE-2020-27216 | Oracle Communications Element Manager | REST API (Eclipse Jetty) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 8.2.1.0-8.2.2.1 |
CVE-2020-14147 | Oracle Communications Operations Monitor | In-Memory DB for FDP/VSP (Redis) | HTTP | No | 7.7 | Network | Low | Low | None | Changed | None | None | High | 3.4, 4.1, 4.2, 4.3 |
CVE-2019-17566 | Oracle Communications Application Session Controller | Core (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 3.9m0p2 |
CVE-2020-11080 | Oracle Enterprise Communications Broker | System (nghttp2) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 3.1, 3.2 |
CVE-2019-10086 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.0.0-8.2.2 |
CVE-2019-10086 | Oracle SD-WAN Edge | Management (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 9.0 |
CVE-2020-10723 | Oracle Enterprise Communications Broker | System (DPDK) | None | No | 6.7 | Local | Low | High | None | Unchanged | High | High | High | 3.1, 3.2 |
CVE-2020-5421 | Oracle Communications Session Report Manager | Core (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 8.2.1.0-8.2.2.1 |
CVE-2019-1559 | Oracle Communications Performance Intelligence Center (PIC) Software | Security (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 10.4.0.2 |

ADDITIONAL CVES ADDRESSED ARE:
* The patch for CVE-2019-1559 also addresses CVE-2018-0732.
* The patch for CVE-2019-7164 also addresses CVE-2019-7548.
* The patch for CVE-2020-10723 also addresses CVE-2020-10722, CVE-2020-10724, CVE-2020-10725 and CVE-2020-10726.
* The patch for CVE-2020-11080 also addresses CVE-2019-9511 and CVE-2019-9513.
* The patch for CVE-2020-24750 also addresses CVE-2020-24616 and CVE-2020-9546.

ORACLE CONSTRUCTION AND ENGINEERING RISK MATRIX

This Critical Patch Update contains 7 new security patches for Oracle Construction and Engineering. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-25020 | Primavera Unifier | Platform (MPXJ) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12 |
CVE-2019-17566 | Instantis EnterpriseTrack | Dashboard module (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 17.1-17.3 |
CVE-2020-11979 | Primavera Gateway | Admin (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.2.0-16.2.11, 17.12.0-17.12.9 |
CVE-2020-11979 | Primavera Unifier | Core, Config (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12 |
CVE-2019-10086 | Primavera Unifier | Core (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12 |
CVE-2020-5421 | Primavera Gateway | Admin (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 16.2.0-16.2.11, 17.12.0-17.12.9, 18.8.0-18.8.10, 19.12.0-19.12.10 |
CVE-2020-5421 | Primavera P6 Enterprise Project Portfolio Management | Web access (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 16.1.0-16.2.20, 17.1.0-17.12.19, 18.1.0-18.8.21, 19.12.0-19.12.10 |

ADDITIONAL CVES ADDRESSED ARE:
* The patch for CVE-2020-25020 also addresses CVE-2020-35460.

ORACLE E-BUSINESS SUITE RISK MATRIX

This Critical Patch Update contains 31 new security patches for Oracle E-Business Suite. 29 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the January 2021 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (January 2021), My Oracle Support Note 2737201.1.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-2029 | Oracle Scripting | Miscellaneous | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1.1-12.1.3, 12.2.3-12.2.8 |
CVE-2021-2100 | Oracle One-to-One Fulfillment | Print Server | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2101 | Oracle One-to-One Fulfillment | Print Server | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2093 | Oracle Common Applications | CRM User Management Framework | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2114 | Oracle Common Applications Calendar | Applications Calendar | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2034 | Oracle Common Applications Calendar | Tasks | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3 |
CVE-2021-2084 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3-12.2.10 |
CVE-2021-2085 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3-12.2.10 |
CVE-2021-2092 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3-12.2.10 |
CVE-2021-2099 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.2.3-12.2.10 |
CVE-2021-2105 | Oracle Customer Interaction History | Outcome-Result | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2106 | Oracle Customer Interaction History | Outcome-Result | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2107 | Oracle Customer Interaction History | Outcome-Result | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2090 | Oracle Email Center | Message Display | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2098 | Oracle Email Center | Message Display | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2089 | Oracle iStore | Runtime Catalog | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2077 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2082 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2096 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2097 | Oracle iSupport | Profile | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2083 | Oracle iSupport | User Responsibilities | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2026 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2027 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2118 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2094 | Oracle One-to-One Fulfillment | Print Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2091 | Oracle Scripting | Miscellaneous | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2015 | Oracle Workflow | Worklist | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.2.3-12.2.10 |
CVE-2021-2115 | Oracle Common Applications Calendar | Tasks | HTTP | No | 7.6 | Network | Low | Low | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2059 | Oracle iStore | Web interface | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.1-12.1.3, 12.2.3-12.2.10 |
CVE-2021-2023 | Oracle Installed Base | APIs | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.9 |
CVE-2021-2017 | Oracle User Management | Proxy User Delegation | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 12.1.3, 12.2.3-12.2.10 |
Changed High Low None 12.1.3, 12.2.3-12.2.10 CVE-2021-2092 Oracle CRM Technical Foundation Preferences HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.3, 12.2.3-12.2.10 CVE-2021-2099 Oracle CRM Technical Foundation Preferences HTTP Yes 8.2 Network Low None Required Changed High Low None 12.2.3-12.2.10 CVE-2021-2105 Oracle Customer Interaction History Outcome-Result HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2106 Oracle Customer Interaction History Outcome-Result HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2107 Oracle Customer Interaction History Outcome-Result HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2090 Oracle Email Center Message Display HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2098 Oracle Email Center Message Display HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2089 Oracle iStore Runtime Catalog HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2077 Oracle iStore Shopping Cart HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2082 Oracle iStore Shopping Cart HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2096 Oracle iStore Shopping Cart HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2097 Oracle iSupport Profile HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2083 Oracle iSupport User Responsibilities HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2026 Oracle Marketing Marketing Administration HTTP Yes 8.2 Network Low None Required Changed High Low None 
12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2027 Oracle Marketing Marketing Administration HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2118 Oracle Marketing Marketing Administration HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2094 Oracle One-to-One Fulfillment Print Server HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2091 Oracle Scripting Miscellaneous HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2015 Oracle Workflow Worklist HTTP Yes 8.2 Network Low None Required Changed High Low None 12.2.3-12.2.10 CVE-2021-2115 Oracle Common Applications Calendar Tasks HTTP No 7.6 Network Low Low Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2059 Oracle iStore Web interface HTTP Yes 5.3 Network Low None None Un- changed Low None None 12.1.1-12.1.3, 12.2.3-12.2.10 CVE-2021-2023 Oracle Installed Base APIs HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.1-12.1.3, 12.2.3-12.2.9 CVE-2021-2017 Oracle User Management Proxy User Delegation HTTP No 4.3 Network Low Low None Un- changed Low None None 12.1.3, 12.2.3-12.2.10 ORACLE ENTERPRISE MANAGER RISK MATRIX This Critical Patch Update contains 8 new security patches for Oracle Enterprise Manager. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here. Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. 
The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the January 2021 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2021 Patch Availability Document for Oracle Products, My Oracle Support Note 2725756.1. CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2019-13990 Enterprise Manager Base Platform Connector Framework (Quartz) HTTP Yes 9.8 Network Low None None Un- changed High High High 13.2.1.0 CVE-2020-11973 Enterprise Manager Base Platform Reporting Framework (Apache Camel) HTTP Yes 9.8 Network Low None None Un- changed High High High 13.3.0.0, 13.4.0.0 CVE-2016-1000031 Enterprise Manager Base Platform Reporting Framework (Apache Commons FileUpload) HTTP Yes 9.8 Network Low None None Un- changed High High High 13.3.0.0, 13.4.0.0 CVE-2020-11984 Enterprise Manager Ops Center Control Proxy (Apache HTTP Server) HTTP Yes 9.8 Network Low None None Un- changed High High High 12.4.0.0 CVE-2020-10683 Oracle Application Testing Suite Load Testing for Web Apps (dom4j) HTTP Yes 9.8 Network Low None None Un- changed High High High 13.3.0.1 CVE-2018-15756 Enterprise Manager for Fusion Applications Topology Viewer (Spring Framework) HTTP Yes 7.5 Network Low None None Un- changed None None High 13.3.0.0 
CVE-2020-11022 Oracle Application Testing Suite Load Testing for Web Apps (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 13.3.0.1 CVE-2015-4000 Enterprise Manager Ops Center User Interface (OpenSSL) HTTPS Yes 3.7 Network High None None Un- changed None Low None 12.4.0.0 CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2019-13990 Enterprise Manager Base Platform Connector Framework (Quartz) HTTP Yes 9.8 Network Low None None Un- changed High High High 13.2.1.0 CVE-2020-11973 Enterprise Manager Base Platform Reporting Framework (Apache Camel) HTTP Yes 9.8 Network Low None None Un- changed High High High 13.3.0.0, 13.4.0.0 CVE-2016-1000031 Enterprise Manager Base Platform Reporting Framework (Apache Commons FileUpload) HTTP Yes 9.8 Network Low None None Un- changed High High High 13.3.0.0, 13.4.0.0 CVE-2020-11984 Enterprise Manager Ops Center Control Proxy (Apache HTTP Server) HTTP Yes 9.8 Network Low None None Un- changed High High High 12.4.0.0 CVE-2020-10683 Oracle Application Testing Suite Load Testing for Web Apps (dom4j) HTTP Yes 9.8 Network Low None None Un- changed High High High 13.3.0.1 CVE-2018-15756 Enterprise Manager for Fusion Applications Topology Viewer (Spring Framework) HTTP Yes 7.5 Network Low None None Un- changed None None High 13.3.0.0 CVE-2020-11022 Oracle Application Testing Suite Load Testing for Web Apps (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 13.3.0.1 CVE-2015-4000 Enterprise Manager Ops Center User Interface (OpenSSL) HTTPS Yes 3.7 Network High None None Un- changed None Low None 12.4.0.0 ADDITIONAL CVES ADDRESSED ARE: * The patch for CVE-2016-1000031 also addresses CVE-2018-11775 and CVE-2019-0188. * The patch for CVE-2018-15756 also addresses CVE-2018-1258. 
* The patch for CVE-2019-13990 also addresses CVE-2019-5427.
* The patch for CVE-2020-11022 also addresses CVE-2020-11023.
* The patch for CVE-2020-11973 also addresses CVE-2019-0188, CVE-2020-11971 and CVE-2020-11972.
* The patch for CVE-2020-11984 also addresses CVE-2020-11993 and CVE-2020-9490.

ORACLE FINANCIAL SERVICES APPLICATIONS RISK MATRIX

This Critical Patch Update contains 50 new security patches for Oracle Financial Services Applications. 41 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS Version 3.1 Risk (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-11612 | Oracle Banking Corporate Lending Process Management | Core (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2020-11612 | Oracle Banking Credit Facilities Process Management | Core (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-10744 | Oracle Banking Extensibility Workbench | Core (Lodash) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.3.0, 14.4.0 | |
| CVE-2020-8174 | Oracle Banking Extensibility Workbench | Core (Node.js) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.3.0, 14.4.0 | |
| CVE-2020-11612 | Oracle Banking Liquidity Management | Common (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.0.0-14.4.0 | |
| CVE-2020-11612 | Oracle Banking Payments | Payments Core (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.4.0 | |
| CVE-2020-11612 | Oracle Banking Supply Chain Finance | Core (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.2.0-14.4.0 | |
| CVE-2020-11612 | Oracle Banking Trade Finance Process Management | Dashboard (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2020-11612 | Oracle Banking Virtual Account Management | Common Core (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-3773 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Spring Web Services) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.6-8.1.0 | |
| CVE-2019-0230 | Oracle Financial Services Data Integration Hub | User Interface (Apache Struts) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.3, 8.0.6 | |
| CVE-2019-0230 | Oracle Financial Services Market Risk Measurement and Management | User Interface (Apache Struts) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.6 | |
| CVE-2020-11612 | Oracle FLEXCUBE Universal Banking | Infrastructure (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.4.0 | |
| CVE-2020-1945 | Oracle Banking Liquidity Management | Common (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 14.0.0-14.4.0 | |
| CVE-2020-27216 | Oracle FLEXCUBE Core Banking | Securities (Eclipse Jetty) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 11.5.0-11.9.0 | |
| CVE-2019-12399 | Oracle Banking Corporate Lending Process Management | Core (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-12399 | Oracle Banking Credit Facilities Process Management | Core (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-12399 | Oracle Banking Liquidity Management | Common (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.0.0-14.4.0 | |
| CVE-2019-12399 | Oracle Banking Payments | Payments Core (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.4.0 | |
| CVE-2020-11979 | Oracle Banking Platform | Installer (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 2.4.0, 2.4.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0 | |
| CVE-2019-12402 | Oracle Banking Platform | Party, Financials (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 2.6.2, 2.7.0, 2.8.0, 2.9.0 | |
| CVE-2019-12399 | Oracle Banking Platform | Product Manufacturing (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 2.7.0 | |
| CVE-2019-12399 | Oracle Banking Supply Chain Finance | Core (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.2.0-14.4.0 | |
| CVE-2019-12399 | Oracle Banking Trade Finance Process Management | Dashboard (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-12399 | Oracle Banking Virtual Account Management | Common Core (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2020-11979 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 8.0.6-8.1.0 | |
| CVE-2019-12399 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.0.6-8.1.0 | |
| CVE-2019-12399 | Oracle FLEXCUBE Universal Banking | Infrastructure (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.4.0 | |
| CVE-2019-10086 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.0.6-8.1.0 | |
| CVE-2019-10086 | Oracle Financial Services Asset Liability Management | Core (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.0.7, 8.1.0 | |
| CVE-2019-10086 | Oracle Financial Services Funds Transfer Pricing | Core (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.0.6, 8.0.7, 8.1.0 | |
| CVE-2019-10086 | Oracle Financial Services Market Risk Measurement and Management | Core (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.0.6 | |
| CVE-2019-10086 | Oracle Financial Services Profitability Management | Core (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.0.6, 8.0.7, 8.1.0 | |
| CVE-2019-10086 | Oracle Insurance Allocation Manager for Enterprise Profitability | Core (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.1.0 | |
| CVE-2020-5408 | Oracle Banking Corporate Lending Process Management | Core (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2020-5408 | Oracle Banking Credit Facilities Process Management | Core (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2020-5408 | Oracle Banking Liquidity Management | Common (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 14.0.0-14.4.0 | |
| CVE-2020-5408 | Oracle Banking Supply Chain Finance | Core (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 14.2.0-14.4.0 | |
| CVE-2020-5408 | Oracle Banking Trade Finance Process Management | Dashboard (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2020-5408 | Oracle Banking Virtual Account Management | Common Core (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2020-5421 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 8.0.6-8.1.0 | |
| CVE-2019-11269 | Oracle Banking Corporate Lending Process Management | Core (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-11269 | Oracle Banking Credit Facilities Process Management | Core (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-11269 | Oracle Banking Liquidity Management | Common (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.0.0-14.4.0 | |
| CVE-2019-11269 | Oracle Banking Payments | Payments Core (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.4.0 | |
| CVE-2019-11269 | Oracle Banking Supply Chain Finance | Core (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.2.0-14.4.0 | |
| CVE-2019-11269 | Oracle Banking Trade Finance Process Management | Dashboard (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-11269 | Oracle Banking Virtual Account Management | Common Core (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-11269 | Oracle FLEXCUBE Universal Banking | Infrastructure (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.4.0 | |
| CVE-2021-2113 | Oracle Financial Services Revenue Management and Billing | On Demand Billing | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 2.9.0.0, 2.9.0.1 | |

ADDITIONAL CVES ADDRESSED ARE:

* The patch for CVE-2019-0230 also addresses CVE-2019-0233 and CVE-2020-17530.
* The patch for CVE-2019-11269 also addresses CVE-2019-3778.
* The patch for CVE-2020-1945 also addresses CVE-2020-11979.
* The patch for CVE-2020-5408 also addresses CVE-2020-5407.
* The patch for CVE-2020-8174 also addresses CVE-2020-10531, CVE-2020-11080 and CVE-2020-8172.

ORACLE FOOD AND BEVERAGE APPLICATIONS RISK MATRIX

This Critical Patch Update contains 2 new security patches for Oracle Food and Beverage Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS Version 3.1 Risk (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-1285 | Oracle Hospitality Simphony | Simphony Server (Apache log4net) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 18.2.7.2, 19.1.3 | |
| CVE-2021-1997 | Oracle Hospitality Reporting and Analytics | Report | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 9.1.0 | |

ORACLE FUSION MIDDLEWARE RISK MATRIX

This Critical Patch Update contains 60 new security patches plus additional third party patches noted below for Oracle Fusion Middleware. 47 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Please note that the Security Alert patches for Oracle WebLogic Server: CVE-2020-14750 are included in this Critical Patch Update. Customers are strongly advised to apply this Critical Patch Update.

CVSS Version 3.1 Risk (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-10173 | Oracle BAM (Business Activity Monitoring) | General (Xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.9.0, 12.2.1.3.0 | |
| CVE-2020-10683 | Oracle Business Process Management Suite | Installer (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-14756 | Oracle Coherence | Core Components | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2015-8965 | Oracle Data Integrator | Install, config, upgrade (Rogue Wave JViews) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-10683 | Oracle Data Integrator | Runtime Java agent for ODI (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2016-1000031 | Oracle Enterprise Data Quality | General (Apache Commons FileUpload) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.9.0 | |
| CVE-2020-10683 | Oracle Enterprise Data Quality | General (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.9.0, 12.2.1.3.0 | |
| CVE-2020-11998 | Oracle Enterprise Repository | Security Subsystem (Apache ActiveMQ) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.7.0 | |
| CVE-2020-10683 | Oracle WebCenter Portal | Portlet Services (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.9.0 | |
| CVE-2019-17195 | Oracle WebLogic Server | Core Components (Connect2id Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-1994 | Oracle WebLogic Server | Web Services | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0 | |
| CVE-2021-2047 | Oracle WebLogic Server | Core Components | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 | |
| CVE-2021-2064 | Oracle WebLogic Server | Core Components | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1.3.0.0 | |
| CVE-2021-2108 | Oracle WebLogic Server | Core Components | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1.3.0.0 | |
| CVE-2021-2075 | Oracle WebLogic Server | Samples | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2020-1945 | Oracle Real-Time Decision Server | Decision Studio (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 3.2.1.0 | |
| CVE-2020-5421 | Oracle Endeca Information Discovery Integrator | Integrator ETL (Spring Framework) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 3.2.0.0 | |
| CVE-2021-2066 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | High | Low | 8.5.4, 8.5.5 | See Note 1 |
| CVE-2021-2067 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | High | Low | 8.5.4, 8.5.5 | See Note 1 |
| CVE-2021-2068 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | High | Low | 8.5.4, 8.5.5 | See Note 1 |
| CVE-2021-2069 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | High | Low | 8.5.4, 8.5.5 | See Note 1 |
| CVE-2021-2025 | Oracle Business Intelligence Enterprise Edition | Analytics Web General | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2041 | Oracle Business Intelligence Enterprise Edition | Installation | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2049 | Oracle BI Publisher | Administration | HTTP | No | 7.6 | Network | Low | Low | None | Unchanged | High | Low | Low | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2013 | Oracle BI Publisher | BI Publisher Security | HTTP | No | 7.6 | Network | Low | Low | None | Unchanged | High | Low | Low | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2050 | Oracle BI Publisher | E-Business Suite - XDO | HTTP | No | 7.6 | Network | Low | Low | None | Unchanged | High | Low | Low | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2051 | Oracle BI Publisher | E-Business Suite - XDO | HTTP | No | 7.6 | Network | Low | Low | None | Unchanged | High | Low | Low | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2062 | Oracle BI Publisher | Web Server | HTTP | No | 7.6 | Network | Low | Low | Required | Changed | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2019-17359 | Oracle Data Integrator | Runtime Java agent for ODI (Bouncy Castle Java Library) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 | |
| CVE-2017-12626 | Oracle Enterprise Data Quality | General (Apache POI) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.1.1.9.0, 12.2.1.3.0 | |
| CVE-2020-11979 | Oracle Enterprise Repository | Security Subsystem (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.1.1.7.0 | |
| CVE-2019-17566 | Oracle Enterprise Repository | Security Subsystem (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.1.1.7.0 | |
| CVE-2020-11994 | Oracle Enterprise Repository | Security Subsystem (Apache Camel) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.1.1.7.0 | |
| CVE-2020-13935 | Oracle Managed File Transfer | MFT Runtime Server (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2019-0227 | Oracle Real-Time Decision Server | Platform Installation (Apache Axis) | HTTP | Yes | 7.5 | Adjacent Network | High | None | None | Unchanged | High | High | High | 3.2.1.0 | |
| CVE-2019-10086 | Oracle Data Integrator | Install, config, upgrade (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2019-10086 | Oracle Endeca Information Discovery Integrator | Integrator ETL (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 3.2.0.0 | |
CVE-2019-10086 Oracle Fusion Middleware MapViewer Install (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 12.2.1.3.0 CVE-2019-10086 Oracle Real-Time Decision Server Platform Installation (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 3.2.1.0 CVE-2019-10086 Oracle WebCenter Portal Security Framework (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 CVE-2019-10086 Oracle WebLogic Server Console (Apache Commons Beanutils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 CVE-2021-2109 Oracle WebLogic Server Console HTTP No 7.2 Network Low High None Un- changed High High High 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 CVE-2018-2587 Oracle Adaptive Access Manager Install and Config HTTP Yes 6.5 Network High None None Un- changed Low High None 11.1.2.3.0 CVE-2018-9019 Oracle Data Integrator Rest Service (Dolibarr) HTTP Yes 6.5 Network Low None None Un- changed Low Low None 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 CVE-2020-5421 Oracle GoldenGate Application Adapters Application Adapters (Spring Framework) HTTP No 6.5 Network High Low Required Changed Low High None 19.1.0.0.0 CVE-2020-5421 Oracle WebLogic Server Sample apps (Spring Framework) HTTP No 6.5 Network High Low Required Changed Low High None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 CVE-2021-1995 Oracle WebLogic Server Web Services HTTP No 6.5 Network Low Low None Un- changed None High None 10.3.6.0.0, 12.1.3.0.0 CVE-2019-14862 Oracle Business Intelligence Enterprise Edition Analytics Server (Knockout) HTTP Yes 6.1 Network Low None Required Changed Low Low None 5.5.0.0.0 CVE-2019-17091 Oracle Enterprise Data Quality General (Eclipse Mojarra) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.3.0 CVE-2020-11022 Oracle WebCenter Sites WebCenter Sites (jQuery) HTTP Yes 6.1 
Network Low None Required Changed Low Low None 12.2.1.3.0, 12.2.1.4.0 CVE-2020-11022 Oracle WebLogic Server Sample apps (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 CVE-2016-5725 Oracle Data Integrator Install, config, upgrade (JCraft JSch) SFTP Yes 5.9 Network High None None Un- changed None High None 11.1.1.9.0, 12.2.1.3.0 CVE-2018-10237 Oracle WebLogic Server Centralized Thirdparty Jars (Google Guava) HTTP Yes 5.9 Network High None None Un- changed None None High 12.2.1.3.0 CVE-2021-2003 Business Intelligence Enterprise Edition Analytics Web Dashboards HTTP No 5.4 Network Low Low Required Changed Low Low None 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 CVE-2019-10247 Oracle Data Integrator Centralized Thirdparty Jars (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 12.2.1.3.0, 12.2.1.4.0 CVE-2021-2005 Oracle Business Intelligence Enterprise Edition BI Platform Security HTTP Yes 4.7 Network Low None Required Changed Low None None 12.2.1.3.0, 12.2.1.4.0 CVE-2021-2033 Oracle WebLogic Server Core Components HTTP No 4.3 Network Low Low None Un- changed None None Low 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 CVE-2020-9488 Oracle Data Integrator Install, config, upgrade (Apache Log4j) HTTP Yes 3.7 Network High None None Un- changed Low None None 12.2.1.3.0, 12.2.1.4.0 CVE-2020-9488 Oracle GoldenGate Application Adapters Application Adapters (Apache Log4j) HTTP Yes 3.7 Network High None None Un- changed Low None None 19.1.0.0.0 CVE-2021-1996 Oracle WebLogic Server Web Services HTTP No 2.4 Network Low High Required Un- changed Low None None 10.3.6.0.0, 12.1.3.0.0 CVE# Product Component Protocol Remote Exploit without Auth.? 
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2019-10173 Oracle BAM (Business Activity Monitoring) General (Xstream) HTTP Yes 9.8 Network Low None None Un- changed High High High 11.1.1.9.0, 12.2.1.3.0 CVE-2020-10683 Oracle Business Process Management Suite Installer (dom4j) HTTP Yes 9.8 Network Low None None Un- changed High High High 12.2.1.3.0, 12.2.1.4.0 CVE-2020-14756 Oracle Coherence Core Components IIOP, T3 Yes 9.8 Network Low None None Un- changed High High High 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 CVE-2015-8965 Oracle Data Integrator Install, config, upgrade (Rogue Wave JViews) HTTP Yes 9.8 Network Low None None Un- changed High High High 12.2.1.3.0, 12.2.1.4.0 CVE-2020-10683 Oracle Data Integrator Runtime Java agent for ODI (dom4j) HTTP Yes 9.8 Network Low None None Un- changed High High High 12.2.1.3.0, 12.2.1.4.0 CVE-2016-1000031 Oracle Enterprise Data Quality General (Apache Commons FileUpload) HTTP Yes 9.8 Network Low None None Un- changed High High High 11.1.1.9.0 CVE-2020-10683 Oracle Enterprise Data Quality General (dom4j) HTTP Yes 9.8 Network Low None None Un- changed High High High 11.1.1.9.0, 12.2.1.3.0 CVE-2020-11998 Oracle Enterprise Repository Security Subsystem (Apache ActiveMQ) HTTP Yes 9.8 Network Low None None Un- changed High High High 11.1.1.7.0 CVE-2020-10683 Oracle WebCenter Portal Portlet Services (dom4j) HTTP Yes 9.8 Network Low None None Un- changed High High High 11.1.1.9.0 CVE-2019-17195 Oracle WebLogic Server Core Components (Connect2id Nimbus JOSE+JWT) HTTP Yes 9.8 Network Low None None Un- changed High High High 12.2.1.3.0, 12.2.1.4.0 CVE-2021-1994 Oracle WebLogic Server Web Services HTTP Yes 9.8 Network Low None None Un- changed High High High 10.3.6.0.0, 12.1.3.0.0 CVE-2021-2047 Oracle WebLogic Server Core Components IIOP, T3 Yes 9.8 Network Low 
None None Un- changed High High High 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 CVE-2021-2064 Oracle WebLogic Server Core Components IIOP, T3 Yes 9.8 Network Low None None Un- changed High High High 12.1.3.0.0 CVE-2021-2108 Oracle WebLogic Server Core Components IIOP, T3 Yes 9.8 Network Low None None Un- changed High High High 12.1.3.0.0 CVE-2021-2075 Oracle WebLogic Server Samples IIOP, T3 Yes 9.8 Network Low None None Un- changed High High High 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 CVE-2020-1945 Oracle Real-Time Decision Server Decision Studio (Apache Ant) HTTP Yes 9.1 Network Low None None Un- changed High High None 3.2.1.0 CVE-2020-5421 Oracle Endeca Information Discovery Integrator Integrator ETL (Spring Framework) HTTP No 8.8 Network Low Low None Un- changed High High High 3.2.0.0 CVE-2021-2066 Oracle Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un- changed Low High Low 8.5.4, 8.5.5 See Note 1 CVE-2021-2067 Oracle Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un- changed Low High Low 8.5.4, 8.5.5 See Note 1 CVE-2021-2068 Oracle Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un- changed Low High Low 8.5.4, 8.5.5 See Note 1 CVE-2021-2069 Oracle Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un- changed Low High Low 8.5.4, 8.5.5 See Note 1 CVE-2021-2025 Oracle Business Intelligence Enterprise Edition Analytics Web General HTTP Yes 8.2 Network Low None Required Changed High Low None 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 CVE-2021-2041 Oracle Business Intelligence Enterprise Edition Installation HTTP Yes 8.1 Network High None None Un- changed High High High 12.2.1.3.0, 12.2.1.4.0 CVE-2021-2049 Oracle BI Publisher Administration HTTP No 7.6 Network Low Low None Un- changed High Low Low 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 CVE-2021-2013 Oracle BI Publisher BI Publisher Security HTTP No 7.6 Network Low Low None Un- 
changed High Low Low 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 CVE-2021-2050 Oracle BI Publisher E-Business Suite - XDO HTTP No 7.6 Network Low Low None Un- changed High Low Low 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 CVE-2021-2051 Oracle BI Publisher E-Business Suite - XDO HTTP No 7.6 Network Low Low None Un- changed High Low Low 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 CVE-2021-2062 Oracle BI Publisher Web Server HTTP No 7.6 Network Low Low Required Changed High Low None 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 CVE-2019-17359 Oracle Data Integrator Runtime Java agent for ODI (Bouncy Castle Java Library) HTTPS Yes 7.5 Network Low None None Un- changed None None High 12.2.1.4.0 CVE-2017-12626 Oracle Enterprise Data Quality General (Apache POI) HTTP Yes 7.5 Network Low None None Un- changed None None High 11.1.1.9.0, 12.2.1.3.0 CVE-2020-11979 Oracle Enterprise Repository Security Subsystem (Apache Ant) HTTP Yes 7.5 Network Low None None Un- changed None High None 11.1.1.7.0 CVE-2019-17566 Oracle Enterprise Repository Security Subsystem (Apache Batik) HTTP Yes 7.5 Network Low None None Un- changed None High None 11.1.1.7.0 CVE-2020-11994 Oracle Enterprise Repository Security Subsystem (Apache Camel) HTTP Yes 7.5 Network Low None None Un- changed High None None 11.1.1.7.0 CVE-2020-13935 Oracle Managed File Transfer MFT Runtime Server (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un- changed None None High 12.2.1.3.0, 12.2.1.4.0 CVE-2019-0227 Oracle Real-Time Decision Server Platform Installation (Apache Axis) HTTP Yes 7.5 Adjacent Network High None None Un- changed High High High 3.2.1.0 CVE-2019-10086 Oracle Data Integrator Install, config, upgrade (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 CVE-2019-10086 Oracle Endeca Information Discovery Integrator Integrator ETL (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 3.2.0.0 
CVE-2019-10086 Oracle Fusion Middleware MapViewer Install (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 12.2.1.3.0 CVE-2019-10086 Oracle Real-Time Decision Server Platform Installation (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 3.2.1.0 CVE-2019-10086 Oracle WebCenter Portal Security Framework (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 CVE-2019-10086 Oracle WebLogic Server Console (Apache Commons Beanutils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 CVE-2021-2109 Oracle WebLogic Server Console HTTP No 7.2 Network Low High None Un- changed High High High 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 CVE-2018-2587 Oracle Adaptive Access Manager Install and Config HTTP Yes 6.5 Network High None None Un- changed Low High None 11.1.2.3.0 CVE-2018-9019 Oracle Data Integrator Rest Service (Dolibarr) HTTP Yes 6.5 Network Low None None Un- changed Low Low None 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 CVE-2020-5421 Oracle GoldenGate Application Adapters Application Adapters (Spring Framework) HTTP No 6.5 Network High Low Required Changed Low High None 19.1.0.0.0 CVE-2020-5421 Oracle WebLogic Server Sample apps (Spring Framework) HTTP No 6.5 Network High Low Required Changed Low High None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 CVE-2021-1995 Oracle WebLogic Server Web Services HTTP No 6.5 Network Low Low None Un- changed None High None 10.3.6.0.0, 12.1.3.0.0 CVE-2019-14862 Oracle Business Intelligence Enterprise Edition Analytics Server (Knockout) HTTP Yes 6.1 Network Low None Required Changed Low Low None 5.5.0.0.0 CVE-2019-17091 Oracle Enterprise Data Quality General (Eclipse Mojarra) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.3.0 CVE-2020-11022 Oracle WebCenter Sites WebCenter Sites (jQuery) HTTP Yes 6.1 
Network Low None Required Changed Low Low None 12.2.1.3.0, 12.2.1.4.0 CVE-2020-11022 Oracle WebLogic Server Sample apps (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 CVE-2016-5725 Oracle Data Integrator Install, config, upgrade (JCraft JSch) SFTP Yes 5.9 Network High None None Un- changed None High None 11.1.1.9.0, 12.2.1.3.0 CVE-2018-10237 Oracle WebLogic Server Centralized Thirdparty Jars (Google Guava) HTTP Yes 5.9 Network High None None Un- changed None None High 12.2.1.3.0 CVE-2021-2003 Business Intelligence Enterprise Edition Analytics Web Dashboards HTTP No 5.4 Network Low Low Required Changed Low Low None 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 CVE-2019-10247 Oracle Data Integrator Centralized Thirdparty Jars (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 12.2.1.3.0, 12.2.1.4.0 CVE-2021-2005 Oracle Business Intelligence Enterprise Edition BI Platform Security HTTP Yes 4.7 Network Low None Required Changed Low None None 12.2.1.3.0, 12.2.1.4.0 CVE-2021-2033 Oracle WebLogic Server Core Components HTTP No 4.3 Network Low Low None Un- changed None None Low 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 CVE-2020-9488 Oracle Data Integrator Install, config, upgrade (Apache Log4j) HTTP Yes 3.7 Network High None None Un- changed Low None None 12.2.1.3.0, 12.2.1.4.0 CVE-2020-9488 Oracle GoldenGate Application Adapters Application Adapters (Apache Log4j) HTTP Yes 3.7 Network High None None Un- changed Low None None 19.1.0.0.0 CVE-2021-1996 Oracle WebLogic Server Web Services HTTP No 2.4 Network Low High Required Un- changed Low None None 10.3.6.0.0, 12.1.3.0.0 NOTES: 1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. 
The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower. ADDITIONAL CVES ADDRESSED ARE: * The patch for CVE-2018-9019 also addresses CVE-2017-5611 and CVE-2018-7318. * The patch for CVE-2019-0227 also addresses CVE-2018-8032. * The patch for CVE-2019-10247 also addresses CVE-2019-10246. * The patch for CVE-2020-11022 also addresses CVE-2020-11023. * The patch for CVE-2020-13935 also addresses CVE-2020-13934. * The patch for CVE-2021-2041 also addresses CVE-2019-2697. ADDITIONAL PATCHES ARE INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES IN THIS ORACLE PRODUCT FAMILY: * Oracle Global Lifecycle Management OPatch * Patch Installer (Apache Commons Compress): CVE-2019-12402 and CVE-2012-2098. ORACLE GRAALVM RISK MATRIX This Critical Patch Update contains 2 new security patches for Oracle GraalVM. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2020-8277 Oracle GraalVM Enterprise Edition Node (Node.js) HTTP Yes 7.5 Network Low None None Un- changed None None High 19.3.4, 20.3.0 CVE-2020-14803 Oracle GraalVM Enterprise Edition Java Multiple Yes 5.3 Network High None Required Un- changed None High None 19.3.4, 20.3.0 CVE# Product Component Protocol Remote Exploit without Auth.? 
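Every row in these matrices pairs a CVSS v3.1 base score with the eight base metrics it was derived from, so a reader can check a score, or re-score a row for a different deployment as Note 1 on Outside In Technology suggests. The Python below is an added example and is not part of Oracle's advisory: it implements the base-score equations and the Roundup function of the CVSS v3.1 specification (the metric weights are the specification's), recomputes the score for rows copied from this page's matrices, and re-scores the Outside In row with Attack Vector set to Local instead of Network to show the lower score Note 1 refers to. Metric names are spelled exactly as the matrix columns print them.

```python
"""Recompute CVSS v3.1 base scores from the metrics in an Oracle CPU risk matrix.

Added example, not part of Oracle's advisory.  Constants and the Roundup rule
are taken from the CVSS v3.1 specification; the sample rows are copied from
the risk matrices on this page.
"""
import math

# Metric weights from the CVSS v3.1 specification (section 7.4).
AV = {"Network": 0.85, "Adjacent Network": 0.62, "Local": 0.55, "Physical": 0.20}
AC = {"Low": 0.77, "High": 0.44}
PR_UNCHANGED = {"None": 0.85, "Low": 0.62, "High": 0.27}
PR_CHANGED = {"None": 0.85, "Low": 0.68, "High": 0.50}   # PR weighs more when scope changes
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}


def roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, done on integers
    so that floating-point noise cannot push a score over a boundary."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a):
    """Base score for one matrix row; scope is 'Unchanged' or 'Changed'."""
    changed = scope == "Changed"
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr_weight = (PR_CHANGED if changed else PR_UNCHANGED)[pr]
    exploitability = 8.22 * AV[av] * AC[ac] * pr_weight * UI[ui]
    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


# Rows copied from this page's matrices: (CVE, listed score, AV, AC, PR, UI, S, C, I, A).
ROWS = [
    ("CVE-2021-2047", 9.8, "Network", "Low", "None", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2021-2066", 8.6, "Network", "Low", "None", "None", "Unchanged", "Low", "High", "Low"),
    ("CVE-2021-2025", 8.2, "Network", "Low", "None", "Required", "Changed", "High", "Low", "None"),
    ("CVE-2021-2049", 7.6, "Network", "Low", "Low", "None", "Unchanged", "High", "Low", "Low"),
    ("CVE-2019-0227", 7.5, "Adjacent Network", "High", "None", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2021-2046", 6.8, "Network", "Low", "High", "None", "Changed", "None", "None", "High"),
    ("CVE-2020-5421", 6.5, "Network", "High", "Low", "Required", "Changed", "Low", "High", "None"),
    ("CVE-2019-12415", 5.5, "Local", "Low", "Low", "None", "Unchanged", "High", "None", "None"),
    ("CVE-2020-14803", 5.3, "Network", "High", "None", "Required", "Unchanged", "None", "High", "None"),
    ("CVE-2021-1996", 2.4, "Network", "Low", "High", "Required", "Unchanged", "Low", "None", "None"),
]


def check_rows(rows=ROWS):
    """Return the CVEs whose recomputed score differs from the listed one."""
    return [cve for cve, listed, *metrics in rows if base_score(*metrics) != listed]


def outside_in_local_score():
    """Note 1: when the embedding application does not feed network input to
    Outside In, Attack Vector is no longer Network.  Re-score the 8.6 row
    (CVE-2021-2066) with Attack Vector = Local, all else unchanged."""
    return base_score("Local", "Low", "None", "None", "Unchanged", "Low", "High", "Low")


if __name__ == "__main__":
    print("rows whose score does not recompute:", check_rows())
    print("CVE-2021-2066 with AV:Local:", outside_in_local_score())
```

Running it reports no mismatching rows and 7.3 for the Outside In row with a Local attack vector; the same function can re-score any row under a deployment-specific vector, which is what Note 1 asks the reader to do.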
ADDITIONAL CVES ADDRESSED ARE:

* The patch for CVE-2020-8277 also addresses CVE-2020-1971, CVE-2020-8265 and CVE-2020-8287.

ORACLE HEALTH SCIENCES APPLICATIONS RISK MATRIX

This Critical Patch Update contains 5 new security patches for Oracle Health Sciences Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-10683 | Oracle Health Sciences Information Manager | Recordlocator, DSUB (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.0.1 | |
| CVE-2020-5421 | Oracle Healthcare Master Person Index | MDM Module (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 4.0.2.5 | |
| CVE-2021-2040 | Oracle Argus Safety | Case Form, Local Affiliate Form | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.2.2 | |
| CVE-2021-2110 | Oracle Argus Safety | Letters | HTTP | No | 5.0 | Network | Low | Low | None | Changed | Low | None | None | 8.2.2 | |
| CVE-2020-9488 | Oracle Health Sciences Information Manager | Recordlocator, DSUB (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 3.0.1 | |

ORACLE HYPERION RISK MATRIX

This Critical Patch Update contains 7 new security patches for Oracle Hyperion. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-13990 | Hyperion Infrastructure Technology | Common Security (Quartz) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.2.4 | |
| CVE-2020-11984 | Hyperion Infrastructure Technology | Installation and Configuration (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.2.4 | |
| CVE-2019-17563 | Hyperion Infrastructure Technology | Common Security (Apache Tomcat) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.1.2.4 | See Note 1 |
| CVE-2019-12402 | Hyperion Infrastructure Technology | Installation and Configuration (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.1.2.4 | |
| CVE-2020-5421 | Hyperion Infrastructure Technology | Installation and Configuration (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 11.1.2.4 | |
| CVE-2020-11022 | Hyperion Financial Reporting | Installation (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.1.2.4 | See Note 2 |
| CVE-2019-12415 | Hyperion Infrastructure Technology | Common Security (Apache POI) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 11.1.2.4 | |

NOTES:

1. This CVE is not exploitable in Hyperion Infrastructure Technology. The CVSS v3.1 Base Score for this CVE in the National Vulnerability Database (NVD) is 9.5. Tomcat is removed in Hyperion Infrastructure Technology with the January 2021 Critical Patch Update.
2. This CVE is not exploitable in Hyperion Financial Reporting. The CVSS v3.1 Base Score for this CVE in the National Vulnerability Database (NVD) is 6.1. jQuery is removed from Hyperion Financial Reporting with the January 2021 Critical Patch Update.

ADDITIONAL CVES ADDRESSED ARE:

* The patch for CVE-2019-13990 also addresses CVE-2019-5427.
* The patch for CVE-2020-11022 also addresses CVE-2020-11023.
* The patch for CVE-2020-11984 also addresses CVE-2020-11993 and CVE-2020-9490.

ORACLE INSURANCE APPLICATIONS RISK MATRIX

This Critical Patch Update contains 3 new security patches for Oracle Insurance Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-5421 | Oracle Insurance Policy Administration | Architecture (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0 | |
| CVE-2020-5421 | Oracle Insurance Rules Palette | Architecture (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0 | |
| CVE-2019-11358 | Oracle Insurance Insbridge Rating and Underwriting | Framework Administrator IBFA (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.0.0.20, 5.1.1.03 | |

ORACLE JAVA SE RISK MATRIX

This Critical Patch Update contains 1 new security patch for Oracle Java SE. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14803 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | Java SE: 7u281, 8u271; Java SE Embedded: 8u271 | See Note 1 |

NOTES:

1. This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

ORACLE JD EDWARDS RISK MATRIX

This Critical Patch Update contains 5 new security patches for Oracle JD Edwards. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-1967 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure SEC (OpenSSL) | JDENET | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 9.2.5.0 | |
| CVE-2020-11022 | JD Edwards EnterpriseOne Orchestrator | E1 IOT Orchestrator Security (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 9.2.5.0 | |
| CVE-2020-11022 | JD Edwards EnterpriseOne Tools | E1 Dev Platform Tech - Cloud (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 9.2.5.0 | |
| CVE-2020-11022 | JD Edwards EnterpriseOne Tools | Web Runtime (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 9.2.5.0 | |
| CVE-2021-2052 | JD Edwards EnterpriseOne Orchestrator | E1 IOT Orchestrator Security | HTTP | Yes | 5.8 | Network | Low | None | None | Changed | Low | None | None | Prior to 9.2.5.1 | |
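The "Supported Versions Affected" column is written in several notations on this page: explicit release lists such as "12.2.1.3.0, 12.2.1.4.0", ranges such as "11.1.0-11.3.0" (Oracle Insurance), "Prior to 9.2.5.0" (JD Edwards), "8.0.22 and prior" (MySQL), and Java update notation such as "Java SE: 7u281, 8u271; Java SE Embedded: 8u271". The Python below is an added example, not Oracle tooling: it parses those notations and reports whether an installed version string falls inside a cell. Two readings are assumptions rather than anything the advisory states: "X and prior" is matched only within X's own release line (5.7.33 is not "8.0.22 and prior"), and a Java entry such as 8u271 is read as "that update and every older update of the same major release". The installed versions in the sample checks are constructed.

```python
"""Match an installed version against an Oracle CPU "Supported Versions Affected" cell.

Added example, not part of Oracle's advisory.  It handles the cell notations
that appear in the January 2021 matrices on this page.  Two interpretations
below are assumptions (see comments), not statements from the advisory.
"""
import re


def parse_version(text):
    """'12.2.1.4.0' -> (12, 2, 1, 4, 0); Java style '8u271' -> (8, 271)."""
    return tuple(int(p) for p in re.split(r"[.u]", text.strip()))


def compare(a, b):
    """Compare two version tuples, padding the shorter one with zeros so
    that 12.2.1.4 == 12.2.1.4.0.  Returns -1, 0 or 1."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_affected(installed, cell):
    """True if `installed` lies inside the versions the cell names.

    Caveat: for an exact dotted entry such as 12.2.1.4.0 the CPU patch does
    not change the version string, so a match means "this release line is
    affected unless the January 2021 CPU patch has been applied"; the
    version string alone cannot tell you whether the patch is present.
    """
    inst = parse_version(installed)
    for group in cell.split(";"):            # "Java SE: ...; Java SE Embedded: ..."
        group = group.split(":")[-1]         # drop a "Product:" prefix if present
        for term in (t.strip() for t in group.split(",")):
            m = re.fullmatch(r"[Pp]rior to\s+([\d.]+)", term)
            if m:                            # "Prior to 9.2.5.0": strictly older
                if compare(inst, parse_version(m.group(1))) < 0:
                    return True
                continue
            m = re.fullmatch(r"([\d.]+)\s+and prior", term)
            if m:                            # "8.0.22 and prior"
                top = parse_version(m.group(1))
                # Assumption: read per release line, so 5.7.33 is not "8.0.22 and prior".
                if inst[:2] == top[:2] and compare(inst, top) <= 0:
                    return True
                continue
            m = re.fullmatch(r"([\d.]+)\s*-\s*([\d.]+)", term)
            if m:                            # "11.1.0-11.3.0": inclusive range
                lo, hi = parse_version(m.group(1)), parse_version(m.group(2))
                if compare(inst, lo) >= 0 and compare(inst, hi) <= 0:
                    return True
                continue
            if re.fullmatch(r"\d+u\d+", term):
                # Assumption: "8u271" names the last unpatched update, so any
                # older update of the same major release is affected too.
                listed = parse_version(term)
                if "u" in installed and inst[0] == listed[0] and inst[1] <= listed[1]:
                    return True
                continue
            if re.fullmatch(r"[\d.]+", term) and compare(inst, parse_version(term)) == 0:
                return True                  # exact release line (see caveat above)
    return False


# Cells copied from this page's matrices, paired with constructed installed versions.
SAMPLE_CHECKS = [
    ("CVE-2020-1967", "JD Edwards EnterpriseOne Tools", "9.2.4.3", "Prior to 9.2.5.0"),
    ("CVE-2021-2011", "MySQL Client C API", "8.0.21", "5.7.32 and prior, 8.0.22 and prior"),
    ("CVE-2020-5421", "Oracle Insurance Policy Administration", "11.2.0",
     "10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0"),
    ("CVE-2020-14803", "Java SE", "8u251", "Java SE: 7u281, 8u271; Java SE Embedded: 8u271"),
]


def affected_sample():
    """Return the CVEs in SAMPLE_CHECKS whose constructed installed version is affected."""
    return [cve for cve, _product, installed, cell in SAMPLE_CHECKS
            if is_affected(installed, cell)]


if __name__ == "__main__":
    for cve, product, installed, cell in SAMPLE_CHECKS:
        print(cve, product, installed, "->", is_affected(installed, cell))
```

All four sample installs come out affected; changing the MySQL install to 5.7.33 or the Java install to 8u281 makes them fall outside the cell, which is the release-line behaviour the comments describe.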
ADDITIONAL CVES ADDRESSED ARE:

* The patch for CVE-2020-11022 also addresses CVE-2020-11023.
* The patch for CVE-2020-1967 also addresses CVE-2019-1551.

ORACLE MYSQL RISK MATRIX

This Critical Patch Update contains 43 new security patches for Oracle MySQL. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-13871 | MySQL Workbench | Workbench (SQLite) | MySQL Workbench | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2019-10086 | MySQL Enterprise Monitor | Service Manager (Apache Commons BeanUtils) | HTTPS | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.0.22 and prior | |
| CVE-2021-2046 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 6.8 | Network | Low | High | None | Changed | None | None | High | 8.0.22 and prior | |
| CVE-2020-5421 | MySQL Enterprise Monitor | Service Manager (Spring Framework) | HTTPS | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 8.0.22 and prior | |
| CVE-2020-5408 | MySQL Enterprise Monitor | Service Manager (Spring Security) | HTTPS | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.0.22 and prior | |
| CVE-2021-2020 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.20 and prior | |
| CVE-2021-2024 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2011 | MySQL Client | C API | MySQL Protocol | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 5.7.32 and prior, 8.0.22 and prior | |
| CVE-2020-1971 | MySQL Workbench | MySQL Workbench (OpenSSL) | MySQL Workbench | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2006 | MySQL Client | C API | MySQL Protocol | No | 5.3 | Network | High | Low | None | Unchanged | None | None | High | 8.0.19 and prior | |
| CVE-2021-2048 | MySQL Server | InnoDB | MySQL Protocol | No | 5.0 | Network | High | High | None | Unchanged | None | Low | High | 8.0.22 and prior | |
| CVE-2021-2028 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2021-2122 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
CVE-2021-2058
MySQL Server Server: Locking MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2001 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 5.6.50 and prior, 5.7.30 and prior, 8.0.17 and prior CVE-2021-2016 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.19 and prior CVE-2021-2021 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2030 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.21 and prior CVE-2021-2031 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2036 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2055 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.21 and prior CVE-2021-2060 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior CVE-2021-2070 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2076 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2065 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2014 MySQL Server Server: PAM Auth Plugin MySQL Protocol No 4.9 Network Low High None Un- changed None None High 5.7.32 and prior CVE-2021-2002 MySQL Server Server: Replication MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2012 MySQL Server Server: Security: Privileges MySQL Protocol No 
4.9 Network Low High None Un- changed None None High 8.0.20 and prior CVE-2021-2009 MySQL Server Server: Security: Roles MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.19 and prior CVE-2021-2072 MySQL Server Server: Stored Procedure MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2081 MySQL Server Server: Stored Procedure MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2022 MySQL Server InnoDB MySQL Protocol No 4.4 Network High High None Un- changed None None High 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior CVE-2021-2038 MySQL Server Server: Components Services MySQL Protocol No 4.4 Network High High None Un- changed None None High 8.0.22 and prior CVE-2021-2061 MySQL Server Server: DDL MySQL Protocol No 4.4 Network High High None Un- changed None None High 8.0.22 and prior CVE-2021-2056 MySQL Server Server: DML MySQL Protocol No 4.4 Network High High None Un- changed None None High 8.0.22 and prior CVE-2021-2087 MySQL Server Server: DML MySQL Protocol No 4.4 Local Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2088 MySQL Server Server: DML MySQL Protocol No 4.4 Local Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2032 MySQL Server Information Schema MySQL Protocol No 4.3 Network Low Low None Un- changed Low None None 5.7.32 and prior, 8.0.22 and prior CVE-2021-2010 MySQL Client C API MySQL Protocol No 4.2 Network High Low None Un- changed None Low Low 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior CVE-2021-1998 MySQL Server Server: Optimizer MySQL Protocol No 3.8 Network Low High None Un- changed None Low Low 8.0.20 and prior CVE-2021-2007 MySQL Client C API MySQL Protocol Yes 3.7 Network High None None Un- changed Low None None 5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior CVE-2021-2019 MySQL Server Server: Security: Privileges MySQL Protocol No 2.7 Network Low High None Un- 
changed Low None None 8.0.19 and prior CVE-2021-2042 MySQL Server InnoDB MySQL Protocol No 2.3 Local Low High None Un- changed Low None None 8.0.21 and prior CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2020-13871 MySQL Workbench Workbench (SQLite) MySQL Workbench Yes 7.5 Network Low None None Un- changed None None High 8.0.22 and prior CVE-2019-10086 MySQL Enterprise Monitor Service Manager (Apache Commons BeanUtils) HTTPS Yes 7.3 Network Low None None Un- changed Low Low Low 8.0.22 and prior CVE-2021-2046 MySQL Server Server: Stored Procedure MySQL Protocol No 6.8 Network Low High None Changed None None High 8.0.22 and prior CVE-2020-5421 MySQL Enterprise Monitor Service Manager (Spring Framework) HTTPS No 6.5 Network High Low Required Changed Low High None 8.0.22 and prior CVE-2020-5408 MySQL Enterprise Monitor Service Manager (Spring Security) HTTPS No 6.5 Network Low Low None Un- changed High None None 8.0.22 and prior CVE-2021-2020 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un- changed None None High 8.0.20 and prior CVE-2021-2024 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un- changed None None High 8.0.22 and prior CVE-2021-2011 MySQL Client C API MySQL Protocol Yes 5.9 Network High None None Un- changed None None High 5.7.32 and prior, 8.0.22 and prior CVE-2020-1971 MySQL Workbench MySQL Workbench (OpenSSL) MySQL Workbench Yes 5.9 Network High None None Un- changed None None High 8.0.22 and prior CVE-2021-2006 MySQL Client C API MySQL Protocol No 5.3 Network High Low None Un- changed None None High 8.0.19 and prior CVE-2021-2048 MySQL Server InnoDB MySQL Protocol No 5.0 Network High High None Un- changed None Low High 8.0.22 and prior CVE-2021-2028 MySQL Server InnoDB MySQL 
Protocol No 4.9 Network Low High None Un- changed None None High 8.0.21 and prior CVE-2021-2122 MySQL Server Server: DDL MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2058 MySQL Server Server: Locking MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2001 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 5.6.50 and prior, 5.7.30 and prior, 8.0.17 and prior CVE-2021-2016 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.19 and prior CVE-2021-2021 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2030 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.21 and prior CVE-2021-2031 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2036 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2055 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.21 and prior CVE-2021-2060 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior CVE-2021-2070 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2076 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2065 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2014 MySQL Server Server: PAM Auth Plugin MySQL Protocol No 4.9 Network Low High None Un- changed None None High 
5.7.32 and prior CVE-2021-2002 MySQL Server Server: Replication MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2012 MySQL Server Server: Security: Privileges MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.20 and prior CVE-2021-2009 MySQL Server Server: Security: Roles MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.19 and prior CVE-2021-2072 MySQL Server Server: Stored Procedure MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2081 MySQL Server Server: Stored Procedure MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2022 MySQL Server InnoDB MySQL Protocol No 4.4 Network High High None Un- changed None None High 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior CVE-2021-2038 MySQL Server Server: Components Services MySQL Protocol No 4.4 Network High High None Un- changed None None High 8.0.22 and prior CVE-2021-2061 MySQL Server Server: DDL MySQL Protocol No 4.4 Network High High None Un- changed None None High 8.0.22 and prior CVE-2021-2056 MySQL Server Server: DML MySQL Protocol No 4.4 Network High High None Un- changed None None High 8.0.22 and prior CVE-2021-2087 MySQL Server Server: DML MySQL Protocol No 4.4 Local Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2088 MySQL Server Server: DML MySQL Protocol No 4.4 Local Low High None Un- changed None None High 8.0.22 and prior CVE-2021-2032 MySQL Server Information Schema MySQL Protocol No 4.3 Network Low Low None Un- changed Low None None 5.7.32 and prior, 8.0.22 and prior CVE-2021-2010 MySQL Client C API MySQL Protocol No 4.2 Network High Low None Un- changed None Low Low 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior CVE-2021-1998 MySQL Server Server: Optimizer MySQL Protocol No 3.8 Network Low High None Un- changed None Low Low 8.0.20 and prior CVE-2021-2007 MySQL Client C API MySQL 
Protocol Yes 3.7 Network High None None Un- changed Low None None 5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior CVE-2021-2019 MySQL Server Server: Security: Privileges MySQL Protocol No 2.7 Network Low High None Un- changed Low None None 8.0.19 and prior CVE-2021-2042 MySQL Server InnoDB MySQL Protocol No 2.3 Local Low High None Un- changed Low None None 8.0.21 and prior ADDITIONAL CVES ADDRESSED ARE: * The patch for CVE-2020-13871 also addresses CVE-2020-11655, CVE-2020-11656, CVE-2020-15358 and CVE-2020-9327. * The patch for CVE-2020-5408 also addresses CVE-2020-5407. ORACLE PEOPLESOFT RISK MATRIX This Critical Patch Update contains 8 new security patches for Oracle PeopleSoft. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2021-2063 PeopleSoft Enterprise PeopleTools Portal None No 8.4 Local Low None None Un- changed High High High 8.56, 8.57, 8.58 CVE-2021-2071 PeopleSoft Enterprise PeopleTools Elastic Search HTTP Yes 8.1 Network High None None Un- changed High High High 8.56, 8.57, 8.58 CVE-2019-0227 PeopleSoft Enterprise HCM Human Resources Global Payroll for Switzerland (Apache Axis) HTTP Yes 7.5 Adjacent Network High None None Un- changed High High High 9.2 CVE-2021-2044 PeopleSoft Enterprise FIN Payables Financial Sanctions HTTP No 6.5 Network Low Low None Un- changed High None None 9.2 CVE-2020-11022 PeopleSoft Enterprise HCM Human Resources Company Dir / Org Chart Viewer, Employee Snapshot (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 9.2 CVE-2021-2043 PeopleSoft Enterprise PeopleTools Portal HTTP 
Yes 6.1 Network Low None Required Changed Low Low None 8.56, 8.57, 8.58 CVE-2020-9281 PeopleSoft Enterprise PeopleTools Rich Text Editor (CKEditor) HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.56, 8.57, 8.58 CVE-2020-1968 PeopleSoft Enterprise PeopleTools Security (OpenSSL) HTTPS Yes 3.7 Network High None None Un- changed Low None None 8.56, 8.57, 8.58 CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2021-2063 PeopleSoft Enterprise PeopleTools Portal None No 8.4 Local Low None None Un- changed High High High 8.56, 8.57, 8.58 CVE-2021-2071 PeopleSoft Enterprise PeopleTools Elastic Search HTTP Yes 8.1 Network High None None Un- changed High High High 8.56, 8.57, 8.58 CVE-2019-0227 PeopleSoft Enterprise HCM Human Resources Global Payroll for Switzerland (Apache Axis) HTTP Yes 7.5 Adjacent Network High None None Un- changed High High High 9.2 CVE-2021-2044 PeopleSoft Enterprise FIN Payables Financial Sanctions HTTP No 6.5 Network Low Low None Un- changed High None None 9.2 CVE-2020-11022 PeopleSoft Enterprise HCM Human Resources Company Dir / Org Chart Viewer, Employee Snapshot (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 9.2 CVE-2021-2043 PeopleSoft Enterprise PeopleTools Portal HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.56, 8.57, 8.58 CVE-2020-9281 PeopleSoft Enterprise PeopleTools Rich Text Editor (CKEditor) HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.56, 8.57, 8.58 CVE-2020-1968 PeopleSoft Enterprise PeopleTools Security (OpenSSL) HTTPS Yes 3.7 Network High None None Un- changed Low None None 8.56, 8.57, 8.58 ADDITIONAL CVES ADDRESSED ARE: * The patch for CVE-2019-0227 also addresses CVE-2018-8032. * The patch for CVE-2020-11022 also addresses CVE-2020-11023. 
ORACLE RETAIL APPLICATIONS RISK MATRIX This Critical Patch Update contains 32 new security patches for Oracle Retail Applications. 20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2020-10683 Oracle Retail Customer Management and Segmentation Foundation Segment (dom4j) HTTP Yes 9.8 Network Low None None Un- changed High High High 16.0, 17.0, 18.0, 19.0 CVE-2020-9546 Oracle Retail Merchandising System Foundation (jackson-databind) HTTP Yes 9.8 Network Low None None Un- changed High High High 15.0 CVE-2020-9546 Oracle Retail Sales Audit Rule Wizards (jackson-databind) HTTP Yes 9.8 Network Low None None Un- changed High High High 14.1 CVE-2020-1945 Oracle Retail Extract Transform and Load Mathematical Operators (Apache Ant) HTTP Yes 9.1 Network Low None None Un- changed High High None 13.2.5, 13.2.8 CVE-2020-5421 Oracle Retail Order Broker System Administration (Spring Framework) HTTP No 8.8 Network Low Low None Un- changed High High High 15.0, 16.0 CVE-2017-8028 Oracle Retail Invoice Matching Posting (Spring-LDAP) HTTP Yes 8.1 Network High None None Un- changed High High High 13.2, 14.0, 14.1 CVE-2020-5398 Oracle Retail Bulk Data Integration BDI Job Scheduler (Spring Framework) HTTP Yes 7.5 Network High None Required Un- changed High High High 16.0.3 CVE-2020-11979 Oracle Retail Financial Integration PeopleSoft Integration (Apache Ant) HTTP Yes 7.5 Network Low None None Un- changed None High None 14.1.3, 15.0.3, 16.0.3 CVE-2020-11979 Oracle Retail Integration Bus RIB Kernal (Apache Ant) HTTP Yes 7.5 Network Low None None Un- changed None 
High None 14.1.3, 15.0.3, 16.0.3 CVE-2019-17566 Oracle Retail Integration Bus RIB Kernal (Apache Batik) HTTP Yes 7.5 Network Low None None Un- changed None High None 15.0.3 CVE-2019-17566 Oracle Retail Order Broker System Administration (Apache Batik) HTTP Yes 7.5 Network Low None None Un- changed None High None 15.0, 16.0 CVE-2020-11979 Oracle Retail Service Backbone RSB kernel (Apache Ant) HTTP Yes 7.5 Network Low None None Un- changed None High None 14.1.3, 15.0.3, 16.0.3 CVE-2020-11979 Oracle Retail Store Inventory Management SIM Integration (Apache Ant) HTTP Yes 7.5 Network Low None None Un- changed None High None 14.1.3.9, 15.0.3.0, 16.0.3.0 CVE-2019-10086 Oracle Retail Financial Integration PeopleSoft Integration (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 14.1.3, 15.0.3, 16.0.3 CVE-2019-10086 Oracle Retail Integration Bus RIB Kernal (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 14.1.3, 15.0.3, 16.0.3 CVE-2019-10086 Oracle Retail Order Broker System Administration (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 15.0 CVE-2019-10086 Oracle Retail Service Backbone RSB kernel (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 14.1.3, 15.0.3, 16.0.3 CVE-2020-9484 Oracle Retail Order Broker System Administration (Apache Tomcat) None No 7.0 Local High Low None Un- changed High High High 15.0 CVE-2020-5421 Oracle Retail Assortment Planning Application Core (Spring Framework) HTTP No 6.5 Network High Low Required Changed Low High None 16.0.3 CVE-2020-5421 Oracle Retail Financial Integration PeopleSoft Integration (Spring Framework) HTTP No 6.5 Network High Low Required Changed High Low None 14.1.3, 15.0.3, 16.0.3 CVE-2020-5421 Oracle Retail Integration Bus RIB Kernal (Spring Framework) HTTP No 6.5 Network High Low Required Changed High Low None 14.1.3, 15.0.3, 16.0.3 CVE-2020-5421 Oracle Retail Invoice Matching 
Security (Spring Framework) HTTP No 6.5 Network High Low Required Changed High Low None 14.0, 14.1 CVE-2020-5421 Oracle Retail Service Backbone RSB kernel (Spring Framework) HTTP No 6.5 Network High Low Required Changed High Low None 14.1.3, 15.0.3, 16.0.3 CVE-2021-2057 Oracle Retail Customer Management and Segmentation Foundation Internal Operations HTTP No 6.3 Network Low Low None Un- changed Low Low Low 19.0 CVE-2019-17091 Oracle Retail Bulk Data Integration BDI Job Scheduler (Eclipse Mojarra) HTTP Yes 6.1 Network Low None Required Changed Low Low None 16.0.3 CVE-2020-13954 Oracle Retail Order Broker Cloud Service Supplier Direct Fulfillment (Apache CXF) HTTP Yes 6.1 Network Low None Required Changed Low Low None 15.0 CVE-2019-17091 Oracle Retail Store Inventory Management SIM Integration (Eclipse Mojarra) HTTP Yes 6.1 Network Low None Required Changed Low Low None 14.0.4.0, 14.1.3.0, 15.0.3.0, 16.0.3.0 CVE-2020-17521 Oracle Retail Bulk Data Integration BDI Job Scheduler (Apache Groovy) None No 5.5 Local Low Low None Un- changed High None None 15.0.3, 16.0.3 CVE-2020-17521 Oracle Retail Financial Integration PeopleSoft Integration Bugs (Apache Groovy) None No 5.5 Local Low Low None Un- changed High None None 15.0.3, 16.0.3 CVE-2020-17521 Oracle Retail Integration Bus RIB Kernal (Apache Groovy) None No 5.5 Local Low Low None Un- changed High None None 15.0.3, 16.0.3 CVE-2020-17521 Oracle Retail Service Backbone RSB kernel (Apache Groovy) None No 5.5 Local Low Low None Un- changed High None None 15.0.3, 16.0.3 CVE-2020-9488 Oracle Retail Customer Management and Segmentation Foundation Promotions (Apache Log4j) HTTP Yes 3.7 Network High None None Un- changed Low None None 16.0, 17.0, 18.0, 19.0 CVE# Product Component Protocol Remote Exploit without Auth.? 
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2020-10683 Oracle Retail Customer Management and Segmentation Foundation Segment (dom4j) HTTP Yes 9.8 Network Low None None Un- changed High High High 16.0, 17.0, 18.0, 19.0 CVE-2020-9546 Oracle Retail Merchandising System Foundation (jackson-databind) HTTP Yes 9.8 Network Low None None Un- changed High High High 15.0 CVE-2020-9546 Oracle Retail Sales Audit Rule Wizards (jackson-databind) HTTP Yes 9.8 Network Low None None Un- changed High High High 14.1 CVE-2020-1945 Oracle Retail Extract Transform and Load Mathematical Operators (Apache Ant) HTTP Yes 9.1 Network Low None None Un- changed High High None 13.2.5, 13.2.8 CVE-2020-5421 Oracle Retail Order Broker System Administration (Spring Framework) HTTP No 8.8 Network Low Low None Un- changed High High High 15.0, 16.0 CVE-2017-8028 Oracle Retail Invoice Matching Posting (Spring-LDAP) HTTP Yes 8.1 Network High None None Un- changed High High High 13.2, 14.0, 14.1 CVE-2020-5398 Oracle Retail Bulk Data Integration BDI Job Scheduler (Spring Framework) HTTP Yes 7.5 Network High None Required Un- changed High High High 16.0.3 CVE-2020-11979 Oracle Retail Financial Integration PeopleSoft Integration (Apache Ant) HTTP Yes 7.5 Network Low None None Un- changed None High None 14.1.3, 15.0.3, 16.0.3 CVE-2020-11979 Oracle Retail Integration Bus RIB Kernal (Apache Ant) HTTP Yes 7.5 Network Low None None Un- changed None High None 14.1.3, 15.0.3, 16.0.3 CVE-2019-17566 Oracle Retail Integration Bus RIB Kernal (Apache Batik) HTTP Yes 7.5 Network Low None None Un- changed None High None 15.0.3 CVE-2019-17566 Oracle Retail Order Broker System Administration (Apache Batik) HTTP Yes 7.5 Network Low None None Un- changed None High None 15.0, 16.0 CVE-2020-11979 Oracle Retail Service Backbone RSB kernel (Apache Ant) HTTP Yes 7.5 
Network Low None None Un- changed None High None 14.1.3, 15.0.3, 16.0.3 CVE-2020-11979 Oracle Retail Store Inventory Management SIM Integration (Apache Ant) HTTP Yes 7.5 Network Low None None Un- changed None High None 14.1.3.9, 15.0.3.0, 16.0.3.0 CVE-2019-10086 Oracle Retail Financial Integration PeopleSoft Integration (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 14.1.3, 15.0.3, 16.0.3 CVE-2019-10086 Oracle Retail Integration Bus RIB Kernal (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 14.1.3, 15.0.3, 16.0.3 CVE-2019-10086 Oracle Retail Order Broker System Administration (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 15.0 CVE-2019-10086 Oracle Retail Service Backbone RSB kernel (Apache Commons BeanUtils) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 14.1.3, 15.0.3, 16.0.3 CVE-2020-9484 Oracle Retail Order Broker System Administration (Apache Tomcat) None No 7.0 Local High Low None Un- changed High High High 15.0 CVE-2020-5421 Oracle Retail Assortment Planning Application Core (Spring Framework) HTTP No 6.5 Network High Low Required Changed Low High None 16.0.3 CVE-2020-5421 Oracle Retail Financial Integration PeopleSoft Integration (Spring Framework) HTTP No 6.5 Network High Low Required Changed High Low None 14.1.3, 15.0.3, 16.0.3 CVE-2020-5421 Oracle Retail Integration Bus RIB Kernal (Spring Framework) HTTP No 6.5 Network High Low Required Changed High Low None 14.1.3, 15.0.3, 16.0.3 CVE-2020-5421 Oracle Retail Invoice Matching Security (Spring Framework) HTTP No 6.5 Network High Low Required Changed High Low None 14.0, 14.1 CVE-2020-5421 Oracle Retail Service Backbone RSB kernel (Spring Framework) HTTP No 6.5 Network High Low Required Changed High Low None 14.1.3, 15.0.3, 16.0.3 CVE-2021-2057 Oracle Retail Customer Management and Segmentation Foundation Internal Operations HTTP No 6.3 Network Low Low None Un- changed Low Low Low 
19.0 CVE-2019-17091 Oracle Retail Bulk Data Integration BDI Job Scheduler (Eclipse Mojarra) HTTP Yes 6.1 Network Low None Required Changed Low Low None 16.0.3 CVE-2020-13954 Oracle Retail Order Broker Cloud Service Supplier Direct Fulfillment (Apache CXF) HTTP Yes 6.1 Network Low None Required Changed Low Low None 15.0 CVE-2019-17091 Oracle Retail Store Inventory Management SIM Integration (Eclipse Mojarra) HTTP Yes 6.1 Network Low None Required Changed Low Low None 14.0.4.0, 14.1.3.0, 15.0.3.0, 16.0.3.0 CVE-2020-17521 Oracle Retail Bulk Data Integration BDI Job Scheduler (Apache Groovy) None No 5.5 Local Low Low None Un- changed High None None 15.0.3, 16.0.3 CVE-2020-17521 Oracle Retail Financial Integration PeopleSoft Integration Bugs (Apache Groovy) None No 5.5 Local Low Low None Un- changed High None None 15.0.3, 16.0.3 CVE-2020-17521 Oracle Retail Integration Bus RIB Kernal (Apache Groovy) None No 5.5 Local Low Low None Un- changed High None None 15.0.3, 16.0.3 CVE-2020-17521 Oracle Retail Service Backbone RSB kernel (Apache Groovy) None No 5.5 Local Low Low None Un- changed High None None 15.0.3, 16.0.3 CVE-2020-9488 Oracle Retail Customer Management and Segmentation Foundation Promotions (Apache Log4j) HTTP Yes 3.7 Network High None None Un- changed Low None None 16.0, 17.0, 18.0, 19.0 ADDITIONAL CVES ADDRESSED ARE: * The patch for CVE-2020-1945 also addresses CVE-2017-5645. * The patch for CVE-2020-5398 also addresses CVE-2020-5421. * The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548. ORACLE SIEBEL CRM RISK MATRIX This Critical Patch Update contains 4 new security patches for Oracle Siebel CRM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 
The English text form of this Risk Matrix can be found here. CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2021-2039 Siebel Core - Server Framework Search HTTP No 7.6 Network Low Low Required Changed High Low None 20.12 and prior CVE-2020-9484 Siebel UI Framework EAI (Apache Tomcat) None No 7.0 Local High Low None Un- changed High High High 20.12 and prior CVE-2020-11022 Siebel Mobile App Open UI (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 20.12 and prior CVE-2021-2004 Siebel Core - Server BizLogic Script Integration - Scripting HTTP No 4.3 Network Low Low None Un- changed Low None None 20.12 and prior CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2021-2039 Siebel Core - Server Framework Search HTTP No 7.6 Network Low Low Required Changed High Low None 20.12 and prior CVE-2020-9484 Siebel UI Framework EAI (Apache Tomcat) None No 7.0 Local High Low None Un- changed High High High 20.12 and prior CVE-2020-11022 Siebel Mobile App Open UI (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 20.12 and prior CVE-2021-2004 Siebel Core - Server BizLogic Script Integration - Scripting HTTP No 4.3 Network Low Low None Un- changed Low None None 20.12 and prior ADDITIONAL CVES ADDRESSED ARE: * The patch for CVE-2020-11022 also addresses CVE-2020-11023. * The patch for CVE-2020-9484 also addresses CVE-2020-11996, CVE-2020-13934, CVE-2020-13935, CVE-2020-1935 and CVE-2020-9488. ORACLE SUPPLY CHAIN RISK MATRIX This Critical Patch Update contains 11 new security patches for Oracle Supply Chain. 
All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-2102 | Oracle Complex Maintenance, Repair, and Overhaul | Dialog Box | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.5.10, 12.1, 12.2 |
CVE-2021-2103 | Oracle Complex Maintenance, Repair, and Overhaul | Dialog Box | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.5.10, 12.1, 12.2 |
CVE-2021-2104 | Oracle Complex Maintenance, Repair, and Overhaul | Dialog Box | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.5.10, 12.1, 12.2 |
CVE-2021-2078 | Oracle Configurator | UI Servlet | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1, 12.2 |
CVE-2021-2079 | Oracle Configurator | UI Servlet | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1, 12.2 |
CVE-2021-2080 | Oracle Configurator | UI Servlet | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1, 12.2 |
CVE-2020-14195 | Oracle Agile PLM | Security (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 9.3.6 |
CVE-2019-17563 | Oracle Agile Engineering Data Management | Install (Apache Tomcat) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 6.2.1.0 |
CVE-2020-9281 | Oracle Agile PLM | Security (CKEditor) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.3.5, 9.3.6 |
CVE-2019-11358 | Oracle Agile Product Lifecycle Management for Process | Installation (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 6.1 |
CVE-2019-11358 | Oracle Transportation Management | Install (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 1.4.3 |

ADDITIONAL CVES ADDRESSED ARE:
* The patch for CVE-2019-11358 also addresses CVE-2020-11022 and CVE-2020-11023.
* The patch for CVE-2019-17563 also addresses CVE-2019-17569, CVE-2020-1935, CVE-2020-1938 and CVE-2020-9484.
* The patch for CVE-2020-14195 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-24616, CVE-2020-24750, CVE-2020-9546, CVE-2020-9547 and CVE-2020-9548.

ORACLE SYSTEMS RISK MATRIX

This Critical Patch Update contains 4 new security patches for Oracle Systems. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-11984 | Oracle ZFS Storage Appliance Kit | Operating System Image | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.8 |
CVE-2020-11022 | StorageTek Tape Analytics SW Tool | Software (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 2.3.1 |
CVE-2021-1999 | Oracle ZFS Storage Appliance Kit | RAS subsystems | None | No | 5.0 | Local | High | High | Required | Changed | None | High | None | 8.8 |
CVE-2020-9488 | StorageTek Tape Analytics SW Tool | Software (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 2.3.1 |

ADDITIONAL CVES ADDRESSED ARE:
* The patch for CVE-2020-11022 also addresses CVE-2020-11023.
* The patch for CVE-2020-11984 also addresses CVE-2018-20781, CVE-2019-11135, CVE-2019-20892, CVE-2019-20907, CVE-2020-11985, CVE-2020-11993, CVE-2020-13254, CVE-2020-13596, CVE-2020-13871, CVE-2020-14422, CVE-2020-15025, CVE-2020-15358, CVE-2020-17498, CVE-2020-24583, CVE-2020-24584, CVE-2020-25862, CVE-2020-25863, CVE-2020-25866, CVE-2020-26575, CVE-2020-9490 and CVE-2021-1999.

ORACLE UTILITIES APPLICATIONS RISK MATRIX

This Critical Patch Update contains 1 new security patch for Oracle Utilities Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-2555 | Oracle Utilities Framework | General (Oracle Coherence) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 |

ORACLE VIRTUALIZATION RISK MATRIX

This Critical Patch Update contains 17 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-2074 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | Prior to 6.1.18 |
CVE-2021-2129 | Oracle VM VirtualBox | Core | None | No | 7.9 | Local | Low | High | None | Changed | High | High | None | Prior to 6.1.18 |
CVE-2021-2128 | Oracle VM VirtualBox | Core | None | No | 6.5 | Local | Low | Low | None | Changed | High | None | None | Prior to 6.1.18 |
CVE-2021-2086 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | None | High | Prior to 6.1.18 |
CVE-2021-2111 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | None | High | Prior to 6.1.18 |
CVE-2021-2112 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | None | High | Prior to 6.1.18 |
CVE-2021-2121 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | None | High | Prior to 6.1.18 |
CVE-2021-2124 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | None | High | Prior to 6.1.18 |
CVE-2021-2119 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.18 |
CVE-2021-2120 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.18 |
CVE-2021-2126 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | High | None | Prior to 6.1.18 |
CVE-2021-2131 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | High | None | Prior to 6.1.18 |
CVE-2021-2125 | Oracle VM VirtualBox | Core | None | No | 4.6 | Local | Low | High | None | Changed | Low | Low | None | Prior to 6.1.18 |
CVE-2021-2073 | Oracle VM VirtualBox | Core | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | Prior to 6.1.18 |
CVE-2021-2127 | Oracle VM VirtualBox | Core | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | Prior to 6.1.18 |
CVE-2021-2130 | Oracle VM VirtualBox | Core | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | Prior to 6.1.18 |
CVE-2021-2123 | Oracle VM VirtualBox | Core | None | No | 3.2 | Local | Low | High | None | Changed | Low | None | None | Prior to 6.1.18 |
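The Base Score in each risk matrix is not an independent judgement: it is computed from the eight CVSS 3.1 metric columns that follow it (Attack Vector through Availability), and the Scope column changes both the Privileges Required weight and the final multiplier. The Python below is an added example, not part of Oracle's advisory or its tooling. It implements the CVSS v3.1 base-score equations and vector-string format, embeds a dozen rows copied from the matrices above as constructed sample input, and recomputes each published score so that a transcription error or a non-standard score stands out. The ROWS table, the check_rows helper and the reading of the "Remote Exploit without Auth.?" column as AV:N plus PR:N are assumptions of this example (the latter is inferred from the rows on this page, not taken from Oracle's definitions).

```python
"""CVSS 3.1 base-score check for risk-matrix rows.

Added example, not part of Oracle's advisory: recomputes the Base Score
column from the spelled-out metric columns using the CVSS v3.1 equations
and rebuilds the vector string. Sample rows below are copied from the
matrices on this page (constructed input for the example).
"""
import math

# Metric weights from the CVSS v3.1 specification.
AV = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.20}
AC = {"Low": 0.77, "High": 0.44}
# Privileges Required weight depends on Scope: (Unchanged, Changed).
PR = {"None": (0.85, 0.85), "Low": (0.62, 0.68), "High": (0.27, 0.50)}
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}
ABBREV = {"Network": "N", "Adjacent": "A", "Local": "L", "Physical": "P",
          "Low": "L", "High": "H", "None": "N", "Required": "R",
          "Unchanged": "U", "Changed": "C"}


def roundup(x: float) -> float:
    """Roundup as defined in CVSS v3.1 appendix A: integer arithmetic so a
    value like 4.0000001 produced by float error rounds to 4.0, not 4.1."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a) -> float:
    """CVSS v3.1 base score from the matrix's spelled-out metric values."""
    changed = scope == "Changed"
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * AV[av] * AC[ac] * PR[pr][changed] * UI[ui]
    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def vector(av, ac, pr, ui, scope, c, i, a) -> str:
    """Vector string, the form most scanners and trackers accept."""
    names = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
    values = (av, ac, pr, ui, scope, c, i, a)
    return "CVSS:3.1/" + "/".join(f"{n}:{ABBREV[v]}" for n, v in zip(names, values))


def remote_without_auth(av, pr) -> bool:
    """Assumed reading of the 'Remote Exploit without Auth.?' column:
    reachable over the network (AV:N) with no privileges required (PR:N).
    Inferred from the rows on this page, not Oracle's stated definition."""
    return av == "Network" and pr == "None"


# Constructed sample: rows copied from the risk matrices on this page.
# (CVE, published score, AV, AC, PR, UI, Scope, C, I, A, remote-without-auth)
ROWS = [
    ("CVE-2021-2102", 8.2, "Network", "Low", "None", "Required", "Changed", "High", "Low", "None", True),
    ("CVE-2020-14195", 8.1, "Network", "High", "None", "None", "Unchanged", "High", "High", "High", True),
    ("CVE-2019-17563", 7.5, "Network", "High", "None", "Required", "Unchanged", "High", "High", "High", True),
    ("CVE-2020-9281", 6.1, "Network", "Low", "None", "Required", "Changed", "Low", "Low", "None", True),
    ("CVE-2020-11984", 9.8, "Network", "Low", "None", "None", "Unchanged", "High", "High", "High", True),
    ("CVE-2021-1999", 5.0, "Local", "High", "High", "Required", "Changed", "None", "High", "None", False),
    ("CVE-2020-9488", 3.7, "Network", "High", "None", "None", "Unchanged", "Low", "None", "None", True),
    ("CVE-2021-2074", 8.2, "Local", "Low", "High", "None", "Changed", "High", "High", "High", False),
    ("CVE-2021-2129", 7.9, "Local", "Low", "High", "None", "Changed", "High", "High", "None", False),
    ("CVE-2021-2128", 6.5, "Local", "Low", "Low", "None", "Changed", "High", "None", "None", False),
    ("CVE-2021-2073", 4.4, "Local", "Low", "High", "None", "Unchanged", "None", "None", "High", False),
    ("CVE-2021-2123", 3.2, "Local", "Low", "High", "None", "Changed", "Low", "None", "None", False),
]


def check_rows(rows=ROWS) -> list:
    """CVEs whose published score or remote/no-auth flag disagrees with the metrics."""
    mismatches = []
    for cve, published, *metrics, remote in rows:
        score_ok = base_score(*metrics) == published
        remote_ok = remote_without_auth(metrics[0], metrics[2]) == remote
        if not (score_ok and remote_ok):
            mismatches.append(cve)
    return mismatches


if __name__ == "__main__":
    for cve, published, *metrics, _ in ROWS:
        print(f"{cve}: {vector(*metrics)} -> {base_score(*metrics)} (published {published})")
    print("mismatches:", check_rows())
```

Running it reproduces every published score in ROWS with no mismatches. The two details worth noticing in the matrices are visible in the code: CVE-2021-2073 and CVE-2021-2074 share AV:L/AC:L/PR:H/UI:N, yet the Scope column moves the PR weight from 0.27 to 0.50 and adds the 1.08 multiplier, which is most of the gap between 4.4 and 8.2; and the 1.08 factor only ever applies after the impact check, so a Scope-changed finding with no C/I/A impact still scores 0.0. To audit further rows, append them to ROWS and re-run check_rows.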