URL: https://www.oracle.com/security-alerts/cpuoct2023.html
ORACLE CRITICAL PATCH UPDATE ADVISORY - OCTOBER 2023

DESCRIPTION

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 387 new security patches across the product families listed below.
Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2023 Critical Patch Update: Executive Summary and Analysis.

AFFECTED PRODUCTS AND PATCH INFORMATION

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions | Patch Availability Document
BI Publisher, versions 6.4.0.0.0, 7.0.0.0.0, 12.2.1.4.0 | Oracle Analytics
GoldenGate Big Data, versions 21.3-21.10 | Database
GoldenGate Veridata, versions 12.2.1.4.0-12.2.1.4.230922 | Database
Hospitality OPERA 5 Property Services, version 5.6 | Oracle Hospitality OPERA 5 Property Services
JD Edwards EnterpriseOne Tools, version 9.2.7 | JD Edwards
Management Cloud Engine, version 23.1.0.0 | Management Cloud Engine
MySQL Cluster, versions 8.0.34 and prior, 8.1.0 | MySQL
MySQL Connectors, versions 8.1.0 and prior | MySQL
MySQL Enterprise Monitor, versions 8.0.35 and prior | MySQL
MySQL Installer, versions prior to 1.6.8 | MySQL
MySQL Server, versions 5.7.43 and prior, 8.0.34 and prior, 8.1.0 and prior | MySQL
MySQL Shell, versions 8.1.1 and prior | MySQL
Oracle Access Manager, version 12.2.1.4.0 | Fusion Middleware
Oracle Agile PLM, version 9.3.6 | Oracle Supply Chain Products
Oracle Application Testing Suite, version 13.3.0.1 | Oracle Enterprise Manager
Oracle Banking APIs, versions 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 | Contact Support
Oracle Banking Branch, versions 14.5-14.7 | Contact Support
Oracle Banking Cash Management, versions 14.5-14.7 | Contact Support
Oracle Banking Corporate Lending, versions 14.0-14.3, 14.5-14.7 | Contact Support
Oracle Banking Corporate Lending Process Management, versions 14.5-14.7 | Contact Support
Oracle Banking Credit Facilities Process Management, versions 14.5-14.7 | Contact Support
Oracle Banking Deposits and Lines of Credit Servicing, versions 2.7, 2.12 | Contact Support
Oracle Banking Digital Experience, versions 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 | Contact Support
Oracle Banking Electronic Data Exchange for Corporates, versions 14.5-14.7 | Contact Support
Oracle Banking Liquidity Management, versions 14.5-14.7 | Contact Support
Oracle Banking Loans Servicing, version 2.12 | Oracle Banking Platform
Oracle Banking Origination, versions 14.5-14.7 | Contact Support
Oracle Banking Party Management, version 2.7 | Oracle Banking Platform
Oracle Banking Payments, versions 14.0-14.3, 14.5-14.7 | Contact Support
Oracle Banking Platform, versions 2.6.2, 2.9.0 | Oracle Banking Platform
Oracle Banking Supply Chain Finance, versions 14.5-14.7 | Contact Support
Oracle Banking Trade Finance, versions 14.5-14.7 | Contact Support
Oracle Banking Trade Finance Process Management, versions 14.5-14.7 | Contact Support
Oracle Banking Virtual Account Management, versions 14.5-14.7 | Contact Support
Oracle Big Data Spatial and Graph, versions 2.5 and prior | Database
Oracle Business Intelligence Enterprise Edition, versions 6.4.0.0.0, 7.0.0.0.0, 12.2.1.4.0 | Oracle Analytics
Oracle Business Process Management Suite, version 12.2.1.4.0 | Fusion Middleware
Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle Commerce Guided Search, version 11.3.2 | Oracle Commerce
Oracle Communications BRM - Elastic Charging Engine, versions 12.0.0.4-12.0.0.8 | Oracle Communications BRM - Elastic Charging Engine
Oracle Communications Cloud Native Core Binding Support Function, versions 23.1.0-23.1.8, 23.2.0-23.2.4 | Oracle Communications Cloud Native Core Binding Support Function
Oracle Communications Cloud Native Core Console, versions 23.1.1, 23.1.2, 23.2.1 | Oracle Communications Cloud Native Core Console
Oracle Communications Cloud Native Core Network Exposure Function, versions 23.1.3, 23.3.0 | Oracle Communications Cloud Native Core Network Exposure Function
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 23.2.0, 23.2.2 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Oracle Communications Cloud Native Core Network Repository Function, versions 23.1.3, 23.2.1, 23.3.0 | Oracle Communications Cloud Native Core Network Repository Function
Oracle Communications Cloud Native Core Policy, versions 23.1.0-23.1.8, 23.2.0-23.2.4 | Oracle Communications Cloud Native Core Policy
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 23.1.0, 23.1.3, 23.3.0 | Oracle Communications Cloud Native Core Security Edge Protection Proxy
Oracle Communications Cloud Native Core Unified Data Repository, version 23.1.2 | Oracle Communications Cloud Native Core Unified Data Repository
Oracle Communications Convergent Charging Controller, version 12.0.6.0 | Oracle Communications Convergent Charging Controller
Oracle Communications Diameter Signaling Router, versions 8.6.0.0, 9.0.0.0 | Oracle Communications Diameter Signaling Router
Oracle Communications Element Manager, versions 9.0.0-9.0.2 | Oracle Communications Element Manager
Oracle Communications IP Service Activator, versions 7.4.0, 7.5.0 | Oracle Communications IP Service Activator
Oracle Communications MetaSolv Solution, version 6.3.1.0.0 | Oracle Communications MetaSolv Solution
Oracle Communications Network Analytics Data Director, version 23.2.0 | Oracle Communications Network Analytics Data Director
Oracle Communications Network Charging and Control, version 12.0.6.0 | Oracle Communications Network Charging and Control
Oracle Communications Order and Service Management, versions 7.4.0, 7.4.1 | Oracle Communications Order and Service Management
Oracle Communications Policy Management, version 12.6.0.0 | Oracle Communications Policy Management
Oracle Communications Session Report Manager, versions 9.0.0-9.0.2 | Oracle Communications Session Report Manager
Oracle Communications Unified Assurance, versions 5.5.0-5.5.17, 6.0.0-6.0.3 | Oracle Communications Unified Assurance
Oracle Communications WebRTC Session Controller, versions 7.2.0.0.0, 7.2.1.0.0 | Oracle Communications WebRTC Session Controller
Oracle Data Integrator, version 12.2.1.4.0 | Fusion Middleware
Oracle Database Server, versions 19.3-19.20, 21.3-21.11 | Database
Oracle Documaker, versions 12.6.4-12.7.1 | Oracle Insurance Applications
Oracle E-Business Suite, versions 12.2.3-12.2.12, [ECC] 8, [ECC] 9, [ECC] 10 | Oracle E-Business Suite
Oracle Enterprise Communications Broker, versions 3.3, 4.0, 4.1 | Oracle Enterprise Communications Broker
Oracle Enterprise Data Quality, version 12.2.1.4.0 | Fusion Middleware
Oracle Enterprise Manager Base Platform, version 13.5.0.0 | Oracle Enterprise Manager
Oracle Enterprise Manager for Peoplesoft, version 13.5.1.1 | Oracle Enterprise Manager
Oracle Enterprise Manager Ops Center, version 12.4.0.0 | Oracle Enterprise Manager
Oracle Enterprise Operations Monitor, versions 5.0, 5.1 | Oracle Enterprise Operations Monitor
Oracle Enterprise Session Border Controller, versions 9.0-9.2 | Oracle Enterprise Session Border Controller
Oracle Essbase, version 21.5.0.0.0 | Database
Oracle Financial Services Cash Flow Engine, version 8.1.2.0.0 | Contact Support
Oracle Financial Services Model Management and Governance, versions 8.1.2.3, 8.1.2.4 | Oracle Financial Services Model Management and Governance
Oracle FLEXCUBE Core Banking, versions 11.6-11.8, 11.10, 11.11 | Contact Support
Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 12.3, 12.4, 14.0-14.3, 14.5-14.7 | Contact Support
Oracle FLEXCUBE Universal Banking, versions 12.3, 12.4, 14.0-14.3, 14.5-14.7 | Contact Support
Oracle Fusion Middleware MapViewer, version 12.2.1.4.0 | Fusion Middleware
Oracle Global Lifecycle Management OPatch, versions prior to 12.2.0.1.40 | Global Lifecycle Management
Oracle GoldenGate Studio, version 12.2.1.4.0 | Database
Oracle GraalVM Enterprise Edition, versions 20.3.11, 21.3.7, 22.3.3 | Java SE
Oracle GraalVM for JDK, versions 17.0.8, 21 | Java SE
Oracle Graph Server and Client, versions 22.4.4 and prior | Database
Oracle Healthcare Master Person Index, versions 5.0.0-5.0.6 | HealthCare Applications
Oracle HTTP Server, version 12.2.1.4.0 | Fusion Middleware
Oracle Hyperion Infrastructure Technology, version 11.2.14.0.0 | Oracle Enterprise Performance Management
Oracle Identity Manager, version 12.2.1.4.0 | Fusion Middleware
Oracle Java SE, versions 8u381, 8u381-perf, 11.0.20, 17.0.8, 21 | Java SE
Oracle Life Sciences InForm, version 7.0.0.0 | Health Sciences
Oracle Life Sciences InForm Publisher, version 6.3.1.0 | Health Sciences
Oracle Managed File Transfer, version 12.2.1.4.0 | Fusion Middleware
Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0 | Fusion Middleware
Oracle Outside In Technology, version 8.5.6 | Fusion Middleware
Oracle REST Data Services, versions prior to 23.2.2 | Database
Oracle Retail Bulk Data Integration, versions 16.0.3, 19.0.1 | Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 18.0.0.13, 19.0.0.7 | Retail Applications
Oracle Retail EFTLink, versions 20.0.1, 21.0.0, 22.0.0 | Retail Applications
Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | Retail Applications
Oracle Retail Fiscal Management, version 14.2 | Retail Applications
Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | Retail Applications
Oracle Retail Merchandising System, version 19.0.1 | Retail Applications
Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | Retail Applications
Oracle Retail Xstore Point of Service, versions 18.0.5, 19.0.4, 20.0.3, 21.0.2, 22.0.0 | Retail Applications
Oracle SD-WAN Edge, versions 9.1.1.5.0, 9.1.1.6.0 | Oracle SD-WAN Edge
Oracle Secure Backup, versions 18.1.0.1.0, 18.1.0.2.0 | Oracle Secure Backup
Oracle Service Bus, version 12.2.1.4.0 | Fusion Middleware
Oracle SOA Suite, version 12.2.1.4.0 | Fusion Middleware
Oracle Solaris, versions 10, 11 | Systems
Oracle Unified Directory, version 12.2.1.4.0 | Fusion Middleware
Oracle Utilities Application Framework, versions 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.0.1, 4.5.0.1.0-4.5.0.1.2 | Oracle Utilities Applications
Oracle Utilities Network Management System, versions 2.3.0.2, 2.4.0.1 | Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 7.0.12 | Virtualization
Oracle WebCenter Content, version 12.2.1.4.0 | Fusion Middleware
Oracle WebCenter Portal, version 12.2.1.4.0 | Fusion Middleware
Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
PeopleSoft Enterprise CC Common Application Objects, version 9.2 | PeopleSoft
PeopleSoft Enterprise HCM Global Payroll Switzerland, version 9.2 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.59, 8.60 | PeopleSoft
Primavera Gateway, versions 19.12.0-19.12.17, 20.12.0-20.12.12, 21.12.0-21.12.10 | Oracle Construction and Engineering Suite
Primavera Unifier, versions 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.16, 22.12.0-22.12.9 | Oracle Construction and Engineering Suite
Siebel Applications, versions 23.8 and prior | Siebel
Sun ZFS Storage Appliance, version 8.8.60 | Systems
TimesTen In-Memory Database, versions prior to 18.1.4.38.0, prior to 18.1.4.39.0, prior to 22.1.1.18.0 | Database

RISK MATRIX CONTENT

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE ID. A vulnerability that affects multiple products will appear with the same CVE ID in all risk matrices.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Oracle lists updates that address vulnerabilities in third party components that are not exploitable in the context of their inclusion in their respective Oracle product beneath the product's risk matrix. Starting with the July 2023 Critical Patch Update, a VEX justification is also provided.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

WORKAROUNDS

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

SKIPPED CRITICAL PATCH UPDATES

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

CRITICAL PATCH UPDATE SUPPORTED PRODUCTS AND VERSIONS

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities.
As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

CREDIT STATEMENT

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

* Aamir Rehman: CVE-2023-22126
* Alan Jose: CVE-2023-22019
* Andrejs Macnevs: CVE-2023-22071
* Andy Nguyen of Google: CVE-2023-22098, CVE-2023-22099, CVE-2023-22100
* AnhNH of Sacombank: CVE-2023-22082
* aw0yo of Cyber KunLun: CVE-2023-22086
* bluE0 and Qing Xu: CVE-2023-22069, CVE-2023-22086, CVE-2023-22089
* Carter Kozak: CVE-2023-22025
* ChauUHM of Sacombank: CVE-2023-22082
* Emad Al-Mousa of Saudi Aramco: CVE-2023-22074, CVE-2023-22075, CVE-2023-22077
* hosch3n of MoreSec Zhuri Lab: CVE-2023-22072
* Jeffrey McClure: CVE-2023-22029
* Jie Liang of WingTecher Lab of Tsinghua University: CVE-2023-22032, CVE-2023-22114
* Jingzhou Fu of WingTecher Lab of Tsinghua University: CVE-2023-22032, CVE-2023-22095, CVE-2023-22114
* Liboheng: CVE-2023-22108
* lilifeng: CVE-2023-22108
* Liu Ming: CVE-2023-22086
* milCERT AT: CVE-2023-22083
* Moritz Bechler of SySS GmbH: CVE-2023-22101
* Nikos Tziris of PwC: CVE-2023-22118
* Nils Putnins of NATO Cyber Security Centre (NCSC): CVE-2023-22107
* ninh.0x4c of sacombank: CVE-2023-22109
* Paul Gerste with Sonar: CVE-2023-22102
* Sharique Raza: CVE-2023-22076
* Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2023-22088
* sw0rd1ight: CVE-2023-22069
* thiscodecc of MoyunSec TopBreaker Labs and Bing of MoyunSec: CVE-2023-22067
* Tmotfl: CVE-2023-22094
* TungHT of Sacombank: CVE-2023-22082
* v3geb1rd: CVE-2023-22069
* Wenhui Wang of State Grid: CVE-2023-22069
* X1r0z: CVE-2023-22086
* Xiao Lei: CVE-2023-22100
* Zhiyong Wu of WingTecher Lab of Tsinghua University: CVE-2023-22032, CVE-2023-22114
* Zu-Ming Jiang: CVE-2023-22028, CVE-2023-22112

SECURITY-IN-DEPTH CONTRIBUTORS

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program:

* bluE0 and Qing Xu
* Eduardo Maragno
* Emad Al-Mousa of Saudi Aramco
* Luigi Gubello
* m1yuu of the SU security team
* Xiao Lei
* Yebo Cao

ON-LINE PRESENCE SECURITY CONTRIBUTORS

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

* Abdlallah Mohammed
* Anti-Fraud Command Center
* ar1fshaikh
* Badrinath Sivanantham
* Biswajeet Ray
* Chinmoy Mukherjee
* Devanir Silva
* Dzianis Skliar
* Gaston Traberg of Onapsis
* Georgi Angelov
* GiangVQ of VNG Security Response Center at VNG Corporation
* Hannu Forsten [6 reports]
* Hudson Rock a Cybercrime Intelligence Company
* Ivan Andres Valdivieso Castillo
* james198247
* Karan Salunke
* KYND Cyber
* Meet Narkhede
* Mohan Kumar
* Muhesh K
* Nahuel D. Sánchez of Onapsis
* Praveeen Das [2 reports]
* Ramesh Yadav
* Ratnadip Gajbhiye
* Sambardhan Khanal
* Sean Burford of Rokt
* Shivam Sharma
* surprise
* Tirth A Patel
* Vidhun k
* Vinicius Fortino

CRITICAL PATCH UPDATE SCHEDULE

Critical Patch Updates are released on the third Tuesday of January, April, July, and October. The next four dates are:

* 16 January 2024
* 16 April 2024
* 16 July 2024
* 15 October 2024

REFERENCES

* Oracle Critical Patch Updates, Security Alerts and Bulletins
* Critical Patch Update - October 2023 Documentation Map
* Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
* Risk Matrix Definitions
* Use of Common Vulnerability Scoring System (CVSS) by Oracle
* English text version of the risk matrices
* CVRF XML version of the risk matrices
* CSAF JSON version of the risk matrices
* Map of CVE to Advisory/Alert
* Oracle Lifetime support Policy
* JEP 290 Reference Blocklist Filter

MODIFICATION HISTORY

Date | Note
2023-December-8 | Rev 5. CVSS Score change for CVE-2023-22098
2023-November-7 | Rev 4. GraalVM affected version changes; Weblogic affected version changes
2023-October-31 | Rev 3. CVSS changes for VirtualBox CVE-2023-22099
2023-October-19 | Rev 2. Credit added for CVE-2023-22086; Java and GraalVM Version updates
2023-October-17 | Rev 1. Initial Release.
ORACLE DATABASE PRODUCTS RISK MATRICES

This Critical Patch Update contains 20 new security patches for Oracle Database Products divided as follows:

* 10 new security patches for Oracle Database Products
* No new security patches for Oracle Big Data Spatial and Graph, but third party patches are provided
* 1 new security patch for Oracle Essbase
* No new security patches for Oracle Global Lifecycle Management, but third party patches are provided
* 6 new security patches for Oracle GoldenGate
* No new security patches for Oracle Graph Server and Client, but third party patches are provided
* 1 new security patch for Oracle REST Data Services
* 1 new security patch for Oracle Secure Backup
* 1 new security patch for Oracle TimesTen In-Memory Database

ORACLE DATABASE SERVER RISK MATRIX

This Critical Patch Update contains 10 new security patches, plus additional third party patches noted below, for Oracle Database Products. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2023-38039 | Oracle Spatial and Graph (cURL) | Authenticated User | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 19.3-19.20, 21.3-21.11
CVE-2022-44729 | Oracle Spatial and Graph (Apache Batik) | Authenticated User | HTTP | No | 6.0 | Local | Low | High | None | Unchanged | High | None | High | 19.3-19.20, 21.3-21.11
CVE-2022-23491 | OML4Py (cryptography) | None | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 21.3-21.11
CVE-2023-22071 | PL/SQL | Create Session, Execute on sys.utl_http | Oracle Net | No | 5.9 | Network | Low | High | Required | Changed | Low | Low | Low | 19.3-19.20, 21.3-21.11
CVE-2023-22077 | Oracle Database Recovery Manager | DBA account | Oracle Net | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 19.3-19.20, 21.3-21.11
CVE-2023-22096 | Java VM | Create Session, Create Procedure | Oracle Net | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 19.3-19.20, 21.3-21.11
CVE-2023-22073 | Oracle Notification Server | None | TLS | Yes | 4.3 | Adjacent Network | Low | None | None | Unchanged | Low | None | None | 19.3-19.20, 21.3-21.11
CVE-2023-35116 | Oracle Database Fleet Patching and Provisioning (jackson-databind) | Authenticated User | HTTP | No | 3.1 | Network | High | Low | None | Unchanged | None | None | Low | 19.3-19.20, 21.3-21.11
CVE-2023-22075 | Oracle Database Sharding | Create Session, Create Any View, Select Any Table | Oracle Net | No | 2.4 | Network | Low | High | Required | Unchanged | None | None | Low | 19.3-19.20, 21.3-21.11
CVE-2023-22074 | Oracle Database Sharding | Create Session, Select Any Dictionary | Oracle Net | No | 2.4 | Network | Low | High | Required | Unchanged | None | None | Low | 19.3-19.20, 21.3-21.11

ADDITIONAL CVES ADDRESSED ARE:

* The patch for CVE-2022-23491 also addresses CVE-2022-40896, CVE-2022-40897, and CVE-2023-38325.
* The patch for CVE-2023-38039 also addresses CVE-2023-28320, CVE-2023-28321, and CVE-2023-28322.
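The Base Score in each row is a CVSS v3.1 score computed from the eight metric columns that follow it, so the score can be recomputed from the row instead of taken on trust. The Python below is an added worked example written for this edit; it is not code from Oracle or from this advisory. It implements the CVSS v3.1 base-score formulas (impact and exploitability sub-scores, the scope-dependent Privileges Required weights, and the specification's Roundup function) over the metric labels exactly as they are printed in the matrix, then replays the ten Oracle Database Server rows above to confirm the published scores are self-consistent. The remote_no_auth rule is an assumption inferred from the rows in this advisory (Yes whenever Privileges Required is None and Attack Vector is Network or Adjacent Network); it is not Oracle's published definition, for which see the Risk Matrix Definitions reference.

```python
"""CVSS v3.1 base-score check for Oracle CPU risk-matrix rows.

Added example (editor's code, not Oracle's). Recomputes the Base Score
from the metric labels of a risk-matrix row using the CVSS v3.1
specification formulas, and derives the "Remote Exploit without Auth.?"
flag. Assumption for the flag (inferred from this advisory's rows, not an
Oracle definition): Yes when Privileges Required is None and Attack
Vector is Network or Adjacent Network.
"""
import math

# CVSS v3.1 metric weights (specification section 7.4).
AV = {"Network": 0.85, "Adjacent Network": 0.62, "Local": 0.55, "Physical": 0.2}
AC = {"Low": 0.77, "High": 0.44}
PR_UNCHANGED = {"None": 0.85, "Low": 0.62, "High": 0.27}
PR_CHANGED = {"None": 0.85, "Low": 0.68, "High": 0.5}   # scope-changed weights
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, computed on an
    integer so floating-point noise cannot push a score over a boundary."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a) -> float:
    """Base score from the metric labels as printed in the risk matrix."""
    changed = scope == "Changed"
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
        pr_w = PR_CHANGED[pr]
    else:
        impact = 6.42 * iss
        pr_w = PR_UNCHANGED[pr]
    exploitability = 8.22 * AV[av] * AC[ac] * pr_w * UI[ui]
    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def remote_no_auth(av, pr) -> str:
    """'Remote Exploit without Auth.?' column (assumed rule, see above)."""
    return "Yes" if pr == "None" and av in ("Network", "Adjacent Network") else "No"


# Rows copied from the Oracle Database Server matrix in this advisory:
# (CVE, published score, published flag, AV, AC, PR, UI, Scope, C, I, A)
ROWS = [
    ("CVE-2023-38039", 6.5, "No", "Network", "Low", "Low", "None", "Unchanged", "None", "None", "High"),
    ("CVE-2022-44729", 6.0, "No", "Local", "Low", "High", "None", "Unchanged", "High", "None", "High"),
    ("CVE-2022-23491", 5.9, "Yes", "Network", "High", "None", "None", "Unchanged", "None", "High", "None"),
    ("CVE-2023-22071", 5.9, "No", "Network", "Low", "High", "Required", "Changed", "Low", "Low", "Low"),
    ("CVE-2023-22077", 4.9, "No", "Network", "Low", "High", "None", "Unchanged", "None", "None", "High"),
    ("CVE-2023-22096", 4.3, "No", "Network", "Low", "Low", "None", "Unchanged", "None", "Low", "None"),
    ("CVE-2023-22073", 4.3, "Yes", "Adjacent Network", "Low", "None", "None", "Unchanged", "Low", "None", "None"),
    ("CVE-2023-35116", 3.1, "No", "Network", "High", "Low", "None", "Unchanged", "None", "None", "Low"),
    ("CVE-2023-22075", 2.4, "No", "Network", "Low", "High", "Required", "Unchanged", "None", "None", "Low"),
    ("CVE-2023-22074", 2.4, "No", "Network", "Low", "High", "Required", "Unchanged", "None", "None", "Low"),
]


def check_rows(rows=ROWS):
    """Return the CVE IDs whose published score or flag disagrees with the
    recomputation; an empty list means the matrix is self-consistent."""
    bad = []
    for cve, score, flag, *metrics in rows:
        if base_score(*metrics) != score or remote_no_auth(metrics[0], metrics[2]) != flag:
            bad.append(cve)
    return bad


if __name__ == "__main__":
    for cve, score, flag, *metrics in ROWS:
        print(cve, base_score(*metrics), remote_no_auth(metrics[0], metrics[2]))
    print("mismatches:", check_rows())
```

Run as a script it prints one line per row; check_rows() returns the CVE IDs whose published score or flag does not reproduce, so the same function can be pointed at rows copied from any other matrix in this advisory. The only scope-changed row here, CVE-2023-22071, exercises the 1.08 multiplier and the higher Privileges Required weight, which is why a Changed-scope row with High privileges can still outscore an Unchanged one with the same impact.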
ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

* Database Core (Zstandard): CVE-2021-24031 and CVE-2022-4899 [VEX Justification: vulnerable_code_not_in_execute_path].
* Oracle Database Fleet Patching and Provisioning (Apache Mina SSHD): CVE-2023-35887 [VEX Justification: vulnerable_code_not_in_execute_path].
* Oracle Database Workload Manager (jackson-databind): CVE-2022-42004, CVE-2020-25649, CVE-2020-36518 and CVE-2022-42003 [VEX Justification: vulnerable_code_not_in_execute_path].
* Oracle Spatial and Graph (Google Guava): CVE-2023-2976 [VEX Justification: vulnerable_code_not_in_execute_path].
* Oracle Spatial and Graph (SQLite): CVE-2022-46908 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
* SQLcl (Google Guava): CVE-2023-2976 [VEX Justification: vulnerable_code_not_in_execute_path].

ORACLE BIG DATA SPATIAL AND GRAPH RISK MATRIX

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle Big Data Spatial and Graph. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Big Data Spatial and Graph. The English text form of this Risk Matrix can be found here.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

* Oracle Big Data Spatial and Graph
  * Big Data Graph (Apache Tomcat): CVE-2023-28709, CVE-2023-34981 and CVE-2023-41080 [VEX Justification: vulnerable_code_not_in_execute_path].

ORACLE ESSBASE RISK MATRIX

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle Essbase. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2023-2650 | Oracle Essbase | Essbase Web Platform (OpenSSL) | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 21.5.0.0.0

ADDITIONAL CVES ADDRESSED ARE:

* The patch for CVE-2023-2650 also addresses CVE-2023-0464, CVE-2023-0465, and CVE-2023-0466.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

* Oracle Essbase
  * Infrastructure (curl): CVE-2023-28319, CVE-2023-28320, CVE-2023-28321 and CVE-2023-28322 [VEX Justification: vulnerable_code_not_in_execute_path].

ORACLE GLOBAL LIFECYCLE MANAGEMENT RISK MATRIX

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle Global Lifecycle Management. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Global Lifecycle Management. The English text form of this Risk Matrix can be found here.
ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

* Oracle Global Lifecycle Management OPatch
  * Patch Installer (Apache Commons Compress): CVE-2023-42503 [VEX Justification: vulnerable_code_not_in_execute_path].
  * Patch Installer (jackson-databind): CVE-2023-35116 [VEX Justification: vulnerable_code_not_in_execute_path].

ORACLE GOLDENGATE RISK MATRIX

This Critical Patch Update contains 6 new security patches, plus additional third party patches noted below, for Oracle GoldenGate. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2023-1436 | Oracle GoldenGate Studio | GoldenGate Studio (Jettison) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0
CVE-2023-1370 | Oracle GoldenGate Studio | GoldenGate Studio (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0
CVE-2023-30535 | GoldenGate Big Data | Application Adapters (Snowflake JDBC) | HTTP | No | 6.8 | Network | Low | High | Required | Unchanged | High | High | High | 21.3-21.10
CVE-2022-3171 | GoldenGate Veridata | Veridata (Google Protobuf-Java) | HTTP | Yes | 6.5 | Adjacent Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0-12.2.1.4.230922
CVE-2023-1436 | GoldenGate Veridata | Veridata (Jettison) | HTTP | No | 5.7 | Adjacent Network | Low | Low | None | Unchanged | None | None | High | 12.2.1.4.0-12.2.1.4.230922
CVE-2023-1370 | GoldenGate Veridata | Veridata (json-smart) | HTTP | No | 5.7 | Adjacent Network | Low | Low | None | Unchanged | None | None | High | 12.2.1.4.0-12.2.1.4.230922

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

* GoldenGate Veridata
  * Veridata (Apache Batik): CVE-2022-42890 and CVE-2022-41704 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  * Veridata (Apache Commons FileUpload): CVE-2023-24998 [VEX Justification: vulnerable_code_not_in_execute_path].
  * Veridata (NekoHTML): CVE-2022-24839 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  * Veridata (Spring Framework): CVE-2023-20863 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  * Veridata (Apache Commons BCEL): CVE-2022-42920 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
* Oracle GoldenGate Studio
  * GoldenGate Studio (Google Protobuf-Java): CVE-2022-3171 [VEX Justification: vulnerable_code_not_in_execute_path].
  * GoldenGate Studio (Java HTML Sanitizer): CVE-2021-42575 [VEX Justification: vulnerable_code_not_in_execute_path].
  * GoldenGate Studio (Apache Commons BCEL): CVE-2022-42920 [VEX Justification: vulnerable_code_not_in_execute_path].
  * GoldenGate Studio (Apache Commons FileUpload): CVE-2023-24998 [VEX Justification: vulnerable_code_not_in_execute_path].
  * GoldenGate Studio (JSON-java): CVE-2022-45688 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  * GoldenGate Studio (NekoHTML): CVE-2022-24839 [VEX Justification: vulnerable_code_not_in_execute_path].
  * GoldenGate Studio (Spring Framework): CVE-2023-20863 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  * GoldenGate Studio (jsoup): CVE-2022-36033 [VEX Justification: vulnerable_code_not_in_execute_path].

ORACLE GRAPH SERVER AND CLIENT RISK MATRIX

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle Graph Server and Client. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Graph Server and Client. The English text form of this Risk Matrix can be found here.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

* Graph Server and Client
  * Packaging (Apache Tomcat): CVE-2023-34981 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  * Packaging (Google Guava): CVE-2023-2976 [VEX Justification: vulnerable_code_not_in_execute_path].

ORACLE REST DATA SERVICES RISK MATRIX

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle REST Data Services.
This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2023-26049 | Oracle REST Data Services | ORDS (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | Prior to 23.2.2

ADDITIONAL CVES ADDRESSED ARE:

* The patch for CVE-2023-26049 also addresses CVE-2023-26048.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

* Oracle REST Data Services
  * ORDS (Google Guava): CVE-2023-2976 [VEX Justification: vulnerable_code_not_in_execute_path].

ORACLE SECURE BACKUP RISK MATRIX

This Critical Patch Update contains 1 new security patch for Oracle Secure Backup. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2023-0568 | Oracle Secure Backup | Oracle Secure Backup (PHP) | HTTP | No | 7.5 | Network | High | Low | None | Unchanged | High | High | High | 18.1.0.1.0, 18.1.0.2.0

ADDITIONAL CVES ADDRESSED ARE:

* The patch for CVE-2023-0568 also addresses CVE-2023-0567 and CVE-2023-0662.

ORACLE TIMESTEN IN-MEMORY DATABASE RISK MATRIX

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle TimesTen In-Memory Database. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2023-34462 | TimesTen In-Memory Database | EM TimesTen plug-in (Netty) | HTTP | No | 5.3 | Network | High | Low | None | Unchanged | None | None | High | Prior to 22.1.1.18.0, Prior to 18.1.4.39.0

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:

* TimesTen In-Memory Database
  * EM TimesTen plug-in (Golang Go): CVE-2023-29404, CVE-2023-29402, CVE-2023-29403 and CVE-2023-29405 [VEX Justification: vulnerable_code_not_present].

ORACLE COMMERCE RISK MATRIX

This Critical Patch Update contains 6 new security patches for Oracle Commerce. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2022-41966 | Oracle Commerce Guided Search | Endeca Application Controller (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3.2
CVE-2023-28709 | Oracle Commerce Guided Search | Workbench, Endeca Application Controller, Content Acquisition System (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3.2
CVE-2021-37533 | Oracle Commerce Guided Search | Content Acquisition System (Apache Commons Net) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 11.3.2
CVE-2023-20863 | Oracle Commerce Guided Search | Workbench, Endeca Application Controller, Content Acquisition System (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 11.3.2
CVE-2023-22029 | Oracle Commerce Guided Search | Workbench | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.3.2
CVE-2023-22043 | Oracle Commerce Guided Search | Content Acquisition System (Oracle Java SE) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 11.3.2

ADDITIONAL CVES ADDRESSED ARE:

* The patch for CVE-2022-41966 also addresses CVE-2022-40151.
* The patch for CVE-2023-20863 also addresses CVE-2023-20860 and CVE-2023-20861.
* The patch for CVE-2023-28709 also addresses CVE-2022-4225 and CVE-2023-28708.

ORACLE COMMUNICATIONS APPLICATIONS RISK MATRIX

This Critical Patch Update contains 9 new security patches for Oracle Communications Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2022-42920 | Oracle Communications MetaSolv Solution | Print Preview (Apache Commons BCEL) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.3.1.0.0
CVE-2022-42920 | Oracle Communications Order and Service Management | General (Apache Commons BCEL) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.4.0, 7.4.1
CVE-2023-34981 | Oracle Communications Unified Assurance | Core (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 5.5.0-5.5.17, 6.0.0-6.0.2
CVE-2023-34462 | Oracle Communications BRM - Elastic Charging Engine | HTTPGW (Netty) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 12.0.0.4-12.0.0.8
CVE-2023-34462 | Oracle Communications Convergent Charging Controller | Common fns (Netty) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 12.0.6.0
CVE-2021-37533 | Oracle Communications IP Service Activator | Network Processor (Apache Commons Net) | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 7.4.0, 7.5.0
CVE-2023-34462 | Oracle Communications Network Charging and Control | Common fns (Netty) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 12.0.6.0
CVE-2023-22088 | Oracle Communications Order and Service Management | User Management | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 7.4.0, 7.4.1
CVE-2023-3247 | Oracle Communications Unified Assurance | Core (PHP) | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 6.0.0-6.0.3

ORACLE COMMUNICATIONS RISK MATRIX

This Critical Patch Update contains 91 new security patches, plus additional third party patches noted below, for Oracle Communications. 60 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2023-34034 | Oracle Communications Cloud Native Core Binding Support Function | Install/Upgrade (Spring Security) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.1.0-23.1.7, 23.2.0-23.2.2
CVE-2023-38408 | Oracle Communications Cloud Native Core Binding Support Function | Install/Upgrade (OpenSSH) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.1.0-23.1.7, 23.2.0-23.2.2
CVE-2023-34034 | Oracle Communications Cloud Native Core Network Exposure Function | Platform (Spring Security) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.1.3
CVE-2023-34034 | Oracle Communications Cloud Native Core Network Repository Function | Install/Upgrade (Spring Security) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.1.3, 23.2.1, 23.3.0
CVE-2023-34034 | Oracle Communications Cloud Native Core Policy | Install/Upgrade (Spring Security) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.1.0-23.1.8, 23.2.0-23.2.4
CVE-2023-34034 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Configuration (Spring Security) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.1.3, 23.3.0
CVE-2023-3824 | Oracle Communications Diameter Signaling Router | Platform (PHP) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0.0.0
CVE-2023-38408 | Oracle Communications Diameter Signaling Router | Platform (OpenSSH) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.6.0.0
CVE-2022-42920 | Oracle Communications Policy Management | CMP (Apache Commons BCEL) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.6.0.0
CVE-2022-36944 | Oracle Communications Policy Management | CMP (Scala) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.6.0.0
CVE-2023-38408 | Oracle Communications Policy Management | CMP (OpenSSH) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.6.0.0
CVE-2023-38408 | Oracle Enterprise Operations Monitor | Infrastructure (OpenSSH) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 5.0, 5.1
CVE-2021-41945 | Oracle Communications Cloud Native Core Policy | Install/Upgrade (HTTPX) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 23.2.0-23.2.2
CVE-2022-24834 | Oracle Communications Cloud Native Core Network Repository Function | Install/Upgrade (Redis) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 23.1.3, 23.3.0
CVE-2022-24834 | Oracle Enterprise Operations Monitor | Fraud Detection Monitor (Redis) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 5.0, 5.1
CVE-2023-29491 | Oracle Communications Cloud Native Core Binding Support Function | Install/Upgrade (NCURSES) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 23.1.0-23.1.7, 23.2.0-23.2.2
CVE-2023-35788 | Oracle Communications Cloud Native Core Binding Support Function | Install/Upgrade (Oracle Linux Software Collections) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 23.1.0-23.1.7, 23.2.0-23.2.2
CVE-2023-2603 | Oracle Communications Cloud Native Core Network Exposure Function | Oracle Linux (libcap) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 23.1.3
CVE-2023-26604 | Oracle Communications Cloud Native Core Network Exposure Function | Oracle Linux (systemd) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 23.1.3
CVE-2023-29491 | Oracle Communications Cloud Native Core Policy | Install/Upgrade (NCURSES) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 23.1.0-23.1.8, 23.2.0-23.2.4
CVE-2023-35788 | Oracle Communications Cloud Native Core Policy | Install/Upgrade (Oracle Linux Software Collections) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 23.1.0-23.1.8, 23.2.0-23.2.4
CVE-2023-34981 | Management Cloud Engine | BEServer (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 23.1.0.0
CVE-2023-34981 | Oracle Communications Cloud Native Core Binding Support Function | Install/Upgrade (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 23.1.0-23.1.8, 23.2.0-23.2.4
CVE-2023-3635 | Oracle Communications Cloud Native Core Binding Support Function | Install/Upgrade (Okio) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.1.0-23.1.7, 23.2.0-23.2.2
CVE-2023-20883 | Oracle Communications Cloud Native Core Binding Support Function | Install/Upgrade (Spring Boot) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.1.0-23.1.7, 23.2.0-23.2.2
CVE-2022-4492 | Oracle Communications Cloud Native Core Binding Support Function | Install/Upgrade (Undertow) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 23.1.0-23.1.7, 23.2.0-23.2.2
CVE-2023-20883 | Oracle Communications Cloud Native Core Network Exposure Function | Platform (Spring Boot) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.1.3
CVE-2022-45061 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | Configuration (Python) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.2.0
CVE-2023-20883 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (Spring Boot) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.1.0-23.1.8, 23.2.0-23.2.4
CVE-2023-3635 | Oracle Communications Cloud Native Core Policy | Install/Upgrade (Okio) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.1.0-23.1.8, 23.2.0-23.2.4
CVE-2022-4492 | Oracle Communications Cloud Native Core Policy | Install/Upgrade (Undertow) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 23.1.0-23.1.8, 23.2.0-23.2.4
CVE-2023-20883 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Signaling (Spring Boot) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged |
None None High 23.1.3 CVE-2023-20883 Oracle Communications Cloud Native Core Unified Data Repository Signaling (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 23.1.2 CVE-2020-7760 Oracle Communications Diameter Signaling Router Diameter Custom Application (CodeMirror) HTTP Yes 7.5 Network Low None None Un- changed None None High 9.0.0.0 CVE-2023-34981 Oracle Communications Diameter Signaling Router Platform (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un- changed High None None 8.6.0.0 CVE-2023-20883 Oracle Communications Network Analytics Data Director Third Party (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 23.2.0 CVE-2023-34396 Oracle Communications Policy Management CMP (Apache Struts) HTTP Yes 7.5 Network Low None None Un- changed None None High 12.6.0.0 CVE-2022-45688 Oracle Communications Policy Management CMP (JSON-java) HTTP Yes 7.5 Network Low None None Un- changed None None High 12.6.0.0 CVE-2022-45688 Oracle Communications WebRTC Session Controller Security (JSON-java) HTTP Yes 7.5 Network Low None None Un- changed None None High 7.2.0.0.0, 7.2.1.0.0 CVE-2023-30861 Oracle Enterprise Operations Monitor Mediation Engine (Flask) HTTP Yes 7.5 Network Low None None Un- changed High None None 5.1 CVE-2023-20883 Oracle SD-WAN Edge Internal Tools (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 9.1.1.6.0 CVE-2022-4899 Oracle SD-WAN Edge Internal Tools (Zstandard) HTTP Yes 7.5 Network Low None None Un- changed None None High 9.1.1.5.0 CVE-2022-45688 Oracle SD-WAN Edge Management (JSON-java) HTTP Yes 7.5 Network Low None None Un- changed None None High 9.1.1.6.0 CVE-2023-34981 Oracle SD-WAN Edge Platform (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un- changed High None None 9.1.1.6.0 CVE-2023-0361 Oracle Enterprise Operations Monitor SSL Module (GnuTLS) TLS Yes 7.4 Network High None None Un- changed High High None 5.0, 5.1 CVE-2023-2976 Oracle Communications Cloud 
Native Core Binding Support Function Install/Upgrade (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 23.1.0-23.1.7, 23.2.0-23.2.2 CVE-2023-2976 Oracle Communications Cloud Native Core Console Configuration (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 23.1.2, 23.2.1 CVE-2023-2976 Oracle Communications Cloud Native Core Network Exposure Function Platform (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 23.1.3 CVE-2023-2976 Oracle Communications Cloud Native Core Network Repository Function Install/Upgrade (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 23.2.1, 23.1.3 CVE-2023-2976 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 23.1.0-23.1.8, 23.2.0-23.2.4 CVE-2023-2976 Oracle Communications Cloud Native Core Security Edge Protection Proxy Configuration (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 23.1.3 CVE-2023-2976 Oracle Communications Cloud Native Core Unified Data Repository Signaling (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 23.1.2 CVE-2023-2976 Oracle Communications Element Manager General (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 9.0.0-9.0.2 CVE-2023-2976 Oracle Communications Policy Management CMP (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 12.6.0.0 CVE-2023-2976 Oracle Communications Session Report Manager General (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 9.0.0-9.0.2 CVE-2023-34462 Oracle Communications Cloud Native Core Binding Support Function Install/Upgrade (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 23.1.0-23.1.7, 23.2.0-23.2.2 CVE-2023-20863 Oracle Communications Cloud Native Core Binding Support Function Install/Upgrade (Spring Framework) HTTP No 6.5 Network Low Low None Un- 
changed None None High 23.1.0-23.1.7, 23.2.0-23.2.2 CVE-2023-2283 Oracle Communications Cloud Native Core Binding Support Function Install/Upgrade (libssh) HTTP Yes 6.5 Network Low None None Un- changed Low Low None 23.1.0-23.1.7, 23.2.0-23.2.2 CVE-2023-28484 Oracle Communications Cloud Native Core Binding Support Function Install/Upgrade (libxml2) HTTP Yes 6.5 Network Low None Required Un- changed None None High 23.1.0-23.1.7, 23.2.0-23.2.2 CVE-2023-34462 Oracle Communications Cloud Native Core Network Exposure Function Platform (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 23.1.3 CVE-2022-40982 Oracle Communications Cloud Native Core Network Exposure Function Oracle Linux (GCC) None No 6.5 Local Low Low None Changed High None None 23.1.3, 23.3.0 CVE-2023-23931 Oracle Communications Cloud Native Core Network Function Cloud Native Environment Configuration (Cryptography) HTTP Yes 6.5 Network Low None None Un- changed None Low Low 23.2.0 CVE-2023-28484 Oracle Communications Cloud Native Core Network Function Cloud Native Environment Configuration (libxml2) HTTP Yes 6.5 Network Low None Required Un- changed None None High 23.2.2 CVE-2023-34462 Oracle Communications Cloud Native Core Policy Install/Upgrade (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 23.1.0-23.1.8, 23.2.0-23.2.4 CVE-2023-20863 Oracle Communications Cloud Native Core Policy Install/Upgrade (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 23.1.0-23.1.8, 23.2.0-23.2.4 CVE-2023-28484 Oracle Communications Cloud Native Core Policy Install/Upgrade (libxml2) HTTP Yes 6.5 Network Low None Required Un- changed None None High 23.1.0-23.1.8, 23.2.0-23.2.4 CVE-2023-34462 Oracle Communications Cloud Native Core Security Edge Protection Proxy Configuration (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 23.1.3 CVE-2023-20863 Oracle Communications Cloud Native Core Security Edge Protection Proxy Configuration (Spring 
Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 23.1.0 CVE-2022-25147 Oracle Communications Diameter Signaling Router Platform (Apache Portable Runtime Utility) HTTP Yes 6.5 Network Low None None Un- changed None Low Low 9.0.0.0 CVE-2021-37533 Oracle Communications Element Manager BEServer (Apache Commons Net) HTTP Yes 6.5 Network Low None Required Un- changed High None None 9.0.0-9.0.2 CVE-2023-20863 Oracle Communications Element Manager Security (Spring Framework) LDAP No 6.5 Network Low Low None Un- changed None None High 9.0.0-9.0.2 CVE-2023-34462 Oracle Communications Network Analytics Data Director Third Party (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 23.2.0 CVE-2023-2283 Oracle Communications Network Analytics Data Director Platform (libssh) SSH Yes 6.5 Network Low None None Un- changed Low Low None 23.2.0 CVE-2021-37533 Oracle Communications Session Report Manager BEServer (Apache Commons Net) HTTP Yes 6.5 Network Low None Required Un- changed High None None 9.0.0-9.0.2 CVE-2023-34462 Oracle Communications Session Report Manager General (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 9.0.0-9.0.2 CVE-2023-20863 Oracle Communications Session Report Manager Security (Spring Framework) LDAP No 6.5 Network Low Low None Un- changed None None High 9.0.0-9.0.2 CVE-2023-20863 Oracle SD-WAN Edge Management (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 9.1.1.5.0 CVE-2023-41080 Oracle Communications Element Manager BEServer (Apache Tomcat) HTTP Yes 6.1 Network Low None Required Changed Low Low None 9.0.0-9.0.2 CVE-2023-41080 Oracle Communications Policy Management CMP (Apache Tomcat) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.6.0.0 CVE-2023-41080 Oracle Communications Session Report Manager BEServer (Apache Tomcat) HTTP Yes 6.1 Network Low None Required Changed Low Low None 9.0.0-9.0.2 CVE-2023-26049 Oracle Communications Cloud Native Core Console 
Configuration (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 23.1.1 CVE-2022-24329 Oracle Communications Cloud Native Core Policy Install/Upgrade (JetBrains Kotlin) HTTP Yes 5.3 Network Low None None Un- changed None Low None 23.1.0-23.1.8, 23.2.0-23.2.4 CVE-2023-26048 Oracle Communications Cloud Native Core Security Edge Protection Proxy Signaling (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed None None Low 23.1.3 CVE-2023-40167 Oracle Communications Element Manager General (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed None Low None 9.0.0-9.0.2 CVE-2023-33201 Oracle Communications Element Manager General (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 9.0.0-9.0.2 CVE-2023-40167 Oracle Communications Session Report Manager General (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed None Low None 9.0.0-9.0.2 CVE-2023-33201 Oracle Communications Session Report Manager General (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 9.0.0-9.0.2 CVE-2023-4039 Oracle Communications Cloud Native Core Binding Support Function Install/Upgrade (GCC Arm Aarch64 binary) HTTP Yes 4.8 Network High None None Un- changed Low Low None 23.1.0-23.1.7, 23.2.0-23.2.2 CVE-2023-4039 Oracle Communications Cloud Native Core Policy Install/Upgrade (GCC Arm Aarch64 binary) HTTP Yes 4.8 Network High None None Un- changed Low Low None 23.1.0-23.1.8, 23.2.0-23.2.4 CVE-2023-22083 Oracle Enterprise Communications Broker Web UI HTTPS Yes 4.3 Network Low None Required Un- changed Low None None 3.3, 4.0, 4.1 CVE-2023-22083 Oracle Enterprise Session Border Controller Web UI HTTPS Yes 4.3 Network Low None Required Un- changed Low None None 9.0-9.2 CVE ID Product Component Protocol Remote Exploit without Auth.? 
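Every Base Score in the matrix above is determined by the eight CVSS v3.1 metric columns that follow it, so a reader can re-derive the number rather than trust the transcription; this matters when a matrix has been copied, as here, out of its original table layout. The Python below is an added example, not part of Oracle's advisory: it implements the CVSS v3.1 base-score equations (metric weights and the Roundup function are those of the CVSS v3.1 specification) and re-checks a handful of rows copied from the matrix, including the two Scope:Changed rows whose arithmetic differs. The rule it uses for Oracle's "Remote Exploit without Auth.?" flag, Yes exactly when Attack Vector is Network and Privileges Required is None, is an assumption that fits every row of this matrix but is not stated by Oracle in these terms.

```python
import math

# Metric weights from the CVSS v3.1 specification.
ATTACK_VECTOR = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.20}
ATTACK_COMPLEXITY = {"Low": 0.77, "High": 0.44}
# Privileges Required weight depends on Scope: (Unchanged, Changed).
PRIVILEGES_REQUIRED = {"None": (0.85, 0.85), "Low": (0.62, 0.68), "High": (0.27, 0.50)}
USER_INTERACTION = {"None": 0.85, "Required": 0.62}
IMPACT = {"High": 0.56, "Low": 0.22, "None": 0.0}


def roundup(value):
    """CVSS v3.1 Roundup: smallest one-decimal number >= value, done on integers to avoid float drift."""
    int_input = int(round(value * 100000))
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def cvss31_base_score(av, ac, pr, ui, scope, c, i, a):
    """Base score for the eight metric columns of a risk-matrix row, using the spec's column wording."""
    changed = scope == "Changed"
    iss = 1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = (8.22 * ATTACK_VECTOR[av] * ATTACK_COMPLEXITY[ac]
                      * PRIVILEGES_REQUIRED[pr][1 if changed else 0] * USER_INTERACTION[ui])
    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def remote_exploit_without_auth(av, pr):
    """Assumed rule for Oracle's 'Remote Exploit without Auth.?' column: reachable over the network, no privileges."""
    return "Yes" if av == "Network" and pr == "None" else "No"


# Constructed sample: rows copied from the Oracle Communications matrix, in the column order
# CVE, Protocol, remote flag, Base Score, AV, AC, PR, UI, Scope, C, I, A.
SAMPLE_ROWS = [
    ("CVE-2023-34034", "HTTP", "Yes", 9.8, "Network", "Low", "None", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2021-41945", "HTTP", "Yes", 9.1, "Network", "Low", "None", "None", "Unchanged", "High", "High", "None"),
    ("CVE-2022-24834", "HTTP", "No", 8.8, "Network", "Low", "Low", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2023-29491", "None", "No", 7.8, "Local", "Low", "Low", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2023-0361", "TLS", "Yes", 7.4, "Network", "High", "None", "None", "Unchanged", "High", "High", "None"),
    ("CVE-2022-40982", "None", "No", 6.5, "Local", "Low", "Low", "None", "Changed", "High", "None", "None"),
    ("CVE-2023-41080", "HTTP", "Yes", 6.1, "Network", "Low", "None", "Required", "Changed", "Low", "Low", "None"),
    ("CVE-2023-4039", "HTTP", "Yes", 4.8, "Network", "High", "None", "None", "Unchanged", "Low", "Low", "None"),
    ("CVE-2023-22083", "HTTPS", "Yes", 4.3, "Network", "Low", "None", "Required", "Unchanged", "Low", "None", "None"),
]


def check_rows(rows):
    """Return the CVE IDs whose listed score or remote flag disagrees with their metric columns."""
    mismatches = []
    for cve, _protocol, flag, score, av, ac, pr, ui, scope, c, i, a in rows:
        recomputed = cvss31_base_score(av, ac, pr, ui, scope, c, i, a)
        if recomputed != score or remote_exploit_without_auth(av, pr) != flag:
            mismatches.append(cve)
    return mismatches


if __name__ == "__main__":
    print("rows that disagree with their metrics:", check_rows(SAMPLE_ROWS))
```

Running the check over the full matrix is a matter of feeding it every row; a non-empty result points at a transcription error in the row, not a scoring dispute, since the columns and the score come from the same source. Note the Scope:Changed rows: Privileges Required Low weighs 0.68 rather than 0.62 there, and the final sum is multiplied by 1.08 before rounding, which is why CVE-2022-40982 reaches 6.5 with only Confidentiality impacted.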
ADDITIONAL CVES ADDRESSED ARE:
* The patch for CVE-2022-24329 also addresses CVE-2020-29582.
* The patch for CVE-2022-24834 also addresses CVE-2023-36824.
* The patch for CVE-2022-45061 also addresses CVE-2022-37454 and CVE-2022-42919.
* The patch for CVE-2023-26048 also addresses CVE-2023-26049.
* The patch for CVE-2023-26049 also addresses CVE-2023-26048.
* The patch for CVE-2023-28484 also addresses CVE-2023-29469.
* The patch for CVE-2023-34034 also addresses CVE-2023-34035.
* The patch for CVE-2023-34396 also addresses CVE-2023-34149.
* The patch for CVE-2023-35788 also addresses CVE-2023-2002, CVE-2023-20593, CVE-2023-3090, CVE-2023-3390, CVE-2023-35001, CVE-2023-3776, and CVE-2023-4004.
* The patch for CVE-2023-3824 also addresses CVE-2023-3823.
* The patch for CVE-2023-40167 also addresses CVE-2023-36479 and CVE-2023-41900.
* The patch for CVE-2023-4039 also addresses CVE-2022-40982.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:
* Oracle Communications Cloud Native Core Policy
  * Install/Upgrade (Spring Boot): CVE-2023-20873 [VEX Justification: vulnerable_code_not_present].
* Oracle SD-WAN Edge
  * Management (Spring Security): CVE-2023-34034 and CVE-2023-34035 [VEX Justification: vulnerable_code_not_present].

ORACLE CONSTRUCTION AND ENGINEERING RISK MATRIX

This Critical Patch Update contains 4 new security patches, plus additional third party patches noted below, for Oracle Construction and Engineering. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS version 3.1 metrics (see Risk Matrix Definitions) are listed per row. The Notes column is empty for every row of this matrix and is omitted below.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-45688 | Primavera Gateway | Admin (JSON-java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 19.12.0-19.12.17, 20.12.0-20.12.12, 21.12.0-21.12.10 |
| CVE-2023-2976 | Primavera Gateway | Admin (Google Guava) | None | No | 7.1 | Local | Low | Low | None | Unchanged | High | High | None | 19.12.0-19.12.17, 20.12.0-20.12.12, 21.12.0-21.12.10 |
| CVE-2022-31160 | Primavera Unifier | User Interface (jQueryUI) | HTTP | No | 3.5 | Network | Low | Low | Required | Unchanged | Low | None | None | 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.16, 22.12.0-22.12.9 |
| CVE-2022-41954 | Primavera Unifier | Platform (MPXJ) | None | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.16, 22.12.0-22.12.9 |

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:
* Primavera Gateway
  * Admin (Scala): CVE-2022-36944 [VEX Justification: vulnerable_code_not_in_execute_path].

ORACLE E-BUSINESS SUITE RISK MATRIX

This Critical Patch Update contains 4 new security patches for Oracle E-Business Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2023 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2023), My Oracle Support Note 2484000.1.

CVSS version 3.1 metrics (see Risk Matrix Definitions) are listed per row. The Notes column is empty for every row of this matrix and is omitted below.

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-22106 | Oracle Enterprise Command Center Framework | API | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | ECC: 8, 9, 10 |
| CVE-2023-22093 | Oracle iRecruitment | Requisition and Vacancy | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 12.2.3-12.2.12 |
| CVE-2023-22076 | Oracle Applications Framework | Personalization | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.3-12.2.12 |
| CVE-2023-22107 | Oracle Enterprise Command Center Framework | UI Components | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | ECC: 8, 9, 10 |

ORACLE ENTERPRISE MANAGER RISK MATRIX

This Critical Patch Update contains 5 new security patches for Oracle Enterprise Manager. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2023 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2023 Patch Availability Document for Oracle Products, My Oracle Support Note 2966414.1.

CVE ID Product Component Protocol Remote Exploit without Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2023-23914 Oracle Enterprise Manager Ops Center Networking (curl) Multiple Yes 9.1 Network Low None None Un- changed High High None 12.4.0.0 CVE-2022-25647 Oracle Application Testing Suite Load Testing for Web Apps (Google Gson) HTTP Yes 7.5 Network Low None None Un- changed None None High 13.3.0.1 CVE-2022-43680 Oracle Enterprise Manager Base Platform Enterprise Manager Install (LibExpat) HTTP Yes 7.5 Network Low None None Un- changed None None High 13.5.0.0 CVE-2020-36518 Oracle Enterprise Manager Base Platform Event Management (jackson-databind) HTTP Yes 7.5 Network Low None None Un- changed None None High 13.5.0.0 CVE-2021-40690 Oracle Enterprise Manager for Peoplesoft PSEM Plugin (Apache Santuario XML Security For Java) HTTP Yes 7.5 Network Low None None Un- changed High None None 13.5.1.1 CVE ID Product Component Protocol Remote Exploit without Auth.? 
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2023-23914 Oracle Enterprise Manager Ops Center Networking (curl) Multiple Yes 9.1 Network Low None None Un- changed High High None 12.4.0.0 CVE-2022-25647 Oracle Application Testing Suite Load Testing for Web Apps (Google Gson) HTTP Yes 7.5 Network Low None None Un- changed None None High 13.3.0.1 CVE-2022-43680 Oracle Enterprise Manager Base Platform Enterprise Manager Install (LibExpat) HTTP Yes 7.5 Network Low None None Un- changed None None High 13.5.0.0 CVE-2020-36518 Oracle Enterprise Manager Base Platform Event Management (jackson-databind) HTTP Yes 7.5 Network Low None None Un- changed None None High 13.5.0.0 CVE-2021-40690 Oracle Enterprise Manager for Peoplesoft PSEM Plugin (Apache Santuario XML Security For Java) HTTP Yes 7.5 Network Low None None Un- changed High None None 13.5.1.1 ADDITIONAL CVES ADDRESSED ARE: * The patch for CVE-2022-43680 also addresses CVE-2022-23990. * The patch for CVE-2023-23914 also addresses CVE-2022-27778, CVE-2022-27779, CVE-2022-27780, CVE-2022-27781, CVE-2022-27782, CVE-2022-30115, CVE-2022-42915, CVE-2022-43551, CVE-2023-23915, CVE-2023-23916, CVE-2023-27533, CVE-2023-27534, CVE-2023-28319, CVE-2023-28320, CVE-2023-28321, and CVE-2023-28322. ORACLE FINANCIAL SERVICES APPLICATIONS RISK MATRIX This Critical Patch Update contains 103 new security patches, plus additional third party patches noted below, for Oracle Financial Services Applications. 49 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. CVE ID Product Component Protocol Remote Exploit without Auth.? 
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2023-22946 Oracle Financial Services Model Management and Governance Installer (Apache Spark) HTTP No 9.9 Network Low Low None Changed High High High 8.1.2.3, 8.1.2.4 CVE-2022-1471 Oracle Financial Services Model Management and Governance Installer (SnakeYAML) HTTP Yes 9.8 Network Low None None Un- changed High High High 8.1.2.3, 8.1.2.4 CVE-2023-20873 Oracle Financial Services Model Management and Governance Utility (Spring Boot) HTTP Yes 9.8 Network Low None None Un- changed High High High 8.1.2.3, 8.1.2.4 CVE-2023-20883 Oracle Banking APIs IDM - Authentication (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 21.1, 22.1, 22.2 CVE-2023-20883 Oracle Banking Branch Reports (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2023-20883 Oracle Banking Cash Management Accessibility (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2023-20883 Oracle Banking Credit Facilities Process Management Core (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2022-42003 Oracle Banking Deposits and Lines of Credit Servicing UI (jackson-databind) HTTP Yes 7.5 Network Low None None Un- changed None None High 2.7, 2.12 CVE-2022-45688 Oracle Banking Digital Experience UI (JSON-java) HTTP Yes 7.5 Network Low None None Un- changed None None High 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 CVE-2022-41966 Oracle Banking Digital Experience UI (XStream) HTTP Yes 7.5 Network Low None None Un- changed None None High 21.1, 22.1, 22.2 CVE-2023-20883 Oracle Banking Electronic Data Exchange for Corporates Reports (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2023-20883 Oracle Banking Liquidity Management Common (Spring 
Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2023-20883 Oracle Banking Origination Onboarding Batch Processes (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2023-20883 Oracle Banking Payments Core (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.0-14.3, 14.5-14.7 CVE-2022-3171 Oracle Banking Platform Security (Google Protobuf-Java) HTTP Yes 7.5 Network Low None None Un- changed None None High 2.9.0 CVE-2022-41881 Oracle Banking Platform Security (Netty) HTTP Yes 7.5 Network Low None None Un- changed None None High 2.6.2 CVE-2023-20883 Oracle Banking Supply Chain Finance Security (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2023-20883 Oracle Banking Trade Finance Process Management Dashboard (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2023-24998 Oracle Financial Services Model Management and Governance Installer (Apache Commons FileUpload) HTTP Yes 7.5 Network Low None None Un- changed None None High 8.1.2.3, 8.1.2.4 CVE-2023-34981 Oracle Financial Services Model Management and Governance Installer (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un- changed High None None 8.1.2.3, 8.1.2.4 CVE-2023-1370 Oracle Financial Services Model Management and Governance Installer (json-smart) HTTP Yes 7.5 Network Low None None Un- changed None None High 8.1.2.3, 8.1.2.4 CVE-2023-24998 Oracle FLEXCUBE Core Banking Security (Apache Commons FileUpload) HTTP Yes 7.5 Network Low None None Un- changed None None High 11.6-11.8, 11.10, 11.11 CVE-2023-1436 Oracle FLEXCUBE Core Banking Security (Jettison) HTTP Yes 7.5 Network Low None None Un- changed None None High 11.6-11.8, 11.10, 11.11 CVE-2023-20883 Oracle FLEXCUBE Universal Banking Infrastructure (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2022-48285 Oracle Financial Services Model 
Management and Governance Installer (JSZip) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 8.1.2.3, 8.1.2.4 CVE-2022-33980 Oracle Banking Deposits and Lines of Credit Servicing UI (Apache Commons Configuration) HTTP No 7.2 Network Low High None Un- changed High High High 2.7 CVE-2022-1471 Oracle Banking Deposits and Lines of Credit Servicing UI (SnakeYAML) HTTP No 7.2 Network Low High None Un- changed High High High 2.7, 2.12 CVE-2022-1471 Oracle Banking Loans Servicing UI (SnakeYAML) HTTP No 7.2 Network Low High None Un- changed High High High 2.12 CVE-2022-1471 Oracle Banking Party Management UI (SnakeYAML) HTTP No 7.2 Network Low High None Un- changed High High High 2.7 CVE-2022-1471 Oracle FLEXCUBE Core Banking Securities (SnakeYAML) HTTP No 7.2 Network Low High None Un- changed High High High 11.10, 11.11 CVE-2023-2976 Oracle Banking APIs IDM - Authentication (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 CVE-2023-2976 Oracle Banking Branch Reports (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.5-14.7 CVE-2023-2976 Oracle Banking Cash Management Accessibility (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.5-14.7 CVE-2023-2976 Oracle Banking Corporate Lending Core (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.0-14.3, 14.5-14.7 CVE-2023-2976 Oracle Banking Corporate Lending Process Management Core (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.5-14.7 CVE-2023-2976 Oracle Banking Credit Facilities Process Management Common (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.5-14.7 CVE-2023-2976 Oracle Banking Digital Experience UI (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 CVE-2023-2976 Oracle Banking Liquidity Management Common (Google Guava) None No 7.1 Local Low Low None Un- changed 
High High None 14.5-14.7 CVE-2023-2976 Oracle Banking Origination Onboarding Batch Processes (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.5-14.7 CVE-2023-2976 Oracle Banking Payments Core (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.0-14.3, 14.5-14.7 CVE-2023-2976 Oracle Banking Supply Chain Finance Security (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.5-14.7 CVE-2023-2976 Oracle Banking Trade Finance Process Management Dashboard (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.5-14.7 CVE-2023-2976 Oracle FLEXCUBE Enterprise Limits and Collateral Management Infrastructure (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 12.3, 12.4, 14.0-14.3, 14.5-14.7 CVE-2023-20863 Oracle Banking APIs IDM - Authentication (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 21.1, 22.1, 22.2 CVE-2023-20863 Oracle Banking Branch Reports (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Cash Management Accessibility (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Cash Management Accessibility (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Corporate Lending Core (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Credit Facilities Process Management Common (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Credit Facilities Process Management Common (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Deposits and Lines of Credit Servicing UI (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 2.7 CVE-2023-34462 
Oracle Banking Digital Experience UI (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 CVE-2023-20863 Oracle Banking Digital Experience UI (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 21.1, 22.1, 22.2 CVE-2023-34462 Oracle Banking Electronic Data Exchange for Corporates Reports (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Electronic Data Exchange for Corporates Reports (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Liquidity Management Common (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Liquidity Management Common (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Origination Onboarding Batch Processes (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Origination Onboarding Batch Processes (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Party Management UI (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 2.7 CVE-2023-34462 Oracle Banking Supply Chain Finance Security (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Supply Chain Finance Security (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Trade Finance Process Management Dashboard (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Trade Finance Process Management Dashboard (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Virtual Account Management Common Core (Netty) 
HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Virtual Account Management Common Core (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2021-37533 Oracle Financial Services Model Management and Governance Installer (Apache Commons Net) HTTP Yes 6.5 Network Low None Required Un- changed High None None 8.1.2.3, 8.1.2.4 CVE-2023-20863 Oracle Financial Services Model Management and Governance Installer (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 8.1.2.3, 8.1.2.4 CVE-2021-37533 Oracle FLEXCUBE Core Banking Security (Apache Commons Net) HTTP Yes 6.5 Network Low None Required Un- changed High None None 11.6-11.8, 11.10, 11.11 CVE-2023-22118 Oracle FLEXCUBE Universal Banking Infrastructure HTTP No 6.5 Network Low Low Required Changed Low Low Low 12.3, 12.4, 14.0-14.3, 14.5-14.7 CVE-2023-34462 Oracle FLEXCUBE Universal Banking Infrastructure (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle FLEXCUBE Universal Banking Infrastructure (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20862 Oracle Financial Services Model Management and Governance Installer (Spring Security) HTTP No 6.3 Network Low Low None Un- changed Low Low Low 8.1.2.3, 8.1.2.4 CVE-2022-29577 Oracle Banking Deposits and Lines of Credit Servicing UI (AntiSamy) HTTP Yes 6.1 Network Low None Required Changed Low Low None 2.7, 2.12 CVE-2023-28439 Oracle Banking Deposits and Lines of Credit Servicing UI (CKEditor) HTTP Yes 6.1 Network Low None Required Changed Low Low None 2.7 CVE-2022-36033 Oracle Financial Services Model Management and Governance Installer (jsoup) HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.1.2.3,8.1.2.4 CVE-2023-22122 Oracle Banking Trade Finance Infrastructure HTTP No 5.9 Network High Low Required Un- changed High Low Low 14.5-14.7 CVE-2023-22119 
Oracle FLEXCUBE Universal Banking Infrastructure HTTP No 5.9 Network High Low Required Un- changed High Low Low 12.3, 12.4, 14.0-14.3, 14.5-14.7 CVE-2021-41165 Oracle Banking Party Management UI (CKEditor) HTTP No 5.4 Network Low Low Required Changed Low Low None 2.7 CVE-2023-22121 Oracle Banking Trade Finance Infrastructure HTTP Yes 5.4 Network Low None Required Un- changed Low Low None 14.5-14.7 CVE-2023-22123 Oracle Banking Trade Finance Infrastructure HTTP No 5.4 Network Low Low Required Changed Low Low None 14.5-14.7 CVE-2023-22124 Oracle Banking Trade Finance Infrastructure HTTP No 5.4 Network Low Low Required Changed Low Low None 14.5-14.7 CVE-2023-22125 Oracle Banking Trade Finance Infrastructure HTTP No 5.4 Network Low Low Required Changed Low Low None 14.5-14.7 CVE-2023-22117 Oracle FLEXCUBE Universal Banking Infrastructure HTTP No 5.4 Network Low Low Required Changed Low Low None 12.3, 12.4, 14.0-14.3, 14.5-14.7 CVE-2023-33201 Oracle Banking APIs IDM - Authentication (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 CVE-2023-33201 Oracle Banking Branch Reports (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle Banking Cash Management Accessibility (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-33201 Oracle Banking Cash Management Accessibility (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle Banking Credit Facilities Process Management Common (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-33201 Oracle Banking Credit Facilities Process Management Common (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-33201 Oracle Banking Digital Experience UI (Bouncy Castle Java Library) HTTPS Yes 
5.3 Network Low None None Un- changed Low None None 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 CVE-2023-26049 Oracle Banking Electronic Data Exchange for Corporates Reports (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-33201 Oracle Banking Electronic Data Exchange for Corporates Reports (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle Banking Liquidity Management Common (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-33201 Oracle Banking Liquidity Management Common (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle Banking Origination Onboarding Batch Processes (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-33201 Oracle Banking Origination Onboarding Batch Processes (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle Banking Supply Chain Finance Security (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-33201 Oracle Banking Supply Chain Finance Security (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle Banking Trade Finance Process Management Dashboard (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-33201 Oracle Banking Trade Finance Process Management Dashboard (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle Banking Virtual Account Management Common Core (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle Financial Services Model Management and Governance Installer (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- 
changed Low None None 8.1.2.3, 8.1.2.4 CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2023-22946 Oracle Financial Services Model Management and Governance Installer (Apache Spark) HTTP No 9.9 Network Low Low None Changed High High High 8.1.2.3, 8.1.2.4 CVE-2022-1471 Oracle Financial Services Model Management and Governance Installer (SnakeYAML) HTTP Yes 9.8 Network Low None None Un- changed High High High 8.1.2.3, 8.1.2.4 CVE-2023-20873 Oracle Financial Services Model Management and Governance Utility (Spring Boot) HTTP Yes 9.8 Network Low None None Un- changed High High High 8.1.2.3, 8.1.2.4 CVE-2023-20883 Oracle Banking APIs IDM - Authentication (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 21.1, 22.1, 22.2 CVE-2023-20883 Oracle Banking Branch Reports (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2023-20883 Oracle Banking Cash Management Accessibility (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2023-20883 Oracle Banking Credit Facilities Process Management Core (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2022-42003 Oracle Banking Deposits and Lines of Credit Servicing UI (jackson-databind) HTTP Yes 7.5 Network Low None None Un- changed None None High 2.7, 2.12 CVE-2022-45688 Oracle Banking Digital Experience UI (JSON-java) HTTP Yes 7.5 Network Low None None Un- changed None None High 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 CVE-2022-41966 Oracle Banking Digital Experience UI (XStream) HTTP Yes 7.5 Network Low None None Un- changed None None High 21.1, 22.1, 22.2 CVE-2023-20883 Oracle Banking Electronic Data Exchange for Corporates Reports (Spring Boot) HTTP Yes 7.5 Network Low None None 
Un- changed None None High 14.5-14.7 CVE-2023-20883 Oracle Banking Liquidity Management Common (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2023-20883 Oracle Banking Origination Onboarding Batch Processes (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2023-20883 Oracle Banking Payments Core (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.0-14.3, 14.5-14.7 CVE-2022-3171 Oracle Banking Platform Security (Google Protobuf-Java) HTTP Yes 7.5 Network Low None None Un- changed None None High 2.9.0 CVE-2022-41881 Oracle Banking Platform Security (Netty) HTTP Yes 7.5 Network Low None None Un- changed None None High 2.6.2 CVE-2023-20883 Oracle Banking Supply Chain Finance Security (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2023-20883 Oracle Banking Trade Finance Process Management Dashboard (Spring Boot) HTTP Yes 7.5 Network Low None None Un- changed None None High 14.5-14.7 CVE-2023-24998 Oracle Financial Services Model Management and Governance Installer (Apache Commons FileUpload) HTTP Yes 7.5 Network Low None None Un- changed None None High 8.1.2.3, 8.1.2.4 CVE-2023-34981 Oracle Financial Services Model Management and Governance Installer (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un- changed High None None 8.1.2.3, 8.1.2.4 CVE-2023-1370 Oracle Financial Services Model Management and Governance Installer (json-smart) HTTP Yes 7.5 Network Low None None Un- changed None None High 8.1.2.3, 8.1.2.4 CVE-2023-24998 Oracle FLEXCUBE Core Banking Security (Apache Commons FileUpload) HTTP Yes 7.5 Network Low None None Un- changed None None High 11.6-11.8, 11.10, 11.11 CVE-2023-1436 Oracle FLEXCUBE Core Banking Security (Jettison) HTTP Yes 7.5 Network Low None None Un- changed None None High 11.6-11.8, 11.10, 11.11 CVE-2023-20883 Oracle FLEXCUBE Universal Banking Infrastructure (Spring Boot) HTTP Yes 7.5 
Network Low None None Un- changed None None High 14.5-14.7 CVE-2022-48285 Oracle Financial Services Model Management and Governance Installer (JSZip) HTTP Yes 7.3 Network Low None None Un- changed Low Low Low 8.1.2.3, 8.1.2.4 CVE-2022-33980 Oracle Banking Deposits and Lines of Credit Servicing UI (Apache Commons Configuration) HTTP No 7.2 Network Low High None Un- changed High High High 2.7 CVE-2022-1471 Oracle Banking Deposits and Lines of Credit Servicing UI (SnakeYAML) HTTP No 7.2 Network Low High None Un- changed High High High 2.7, 2.12 CVE-2022-1471 Oracle Banking Loans Servicing UI (SnakeYAML) HTTP No 7.2 Network Low High None Un- changed High High High 2.12 CVE-2022-1471 Oracle Banking Party Management UI (SnakeYAML) HTTP No 7.2 Network Low High None Un- changed High High High 2.7 CVE-2022-1471 Oracle FLEXCUBE Core Banking Securities (SnakeYAML) HTTP No 7.2 Network Low High None Un- changed High High High 11.10, 11.11 CVE-2023-2976 Oracle Banking APIs IDM - Authentication (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 CVE-2023-2976 Oracle Banking Branch Reports (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.5-14.7 CVE-2023-2976 Oracle Banking Cash Management Accessibility (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.5-14.7 CVE-2023-2976 Oracle Banking Corporate Lending Core (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.0-14.3, 14.5-14.7 CVE-2023-2976 Oracle Banking Corporate Lending Process Management Core (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.5-14.7 CVE-2023-2976 Oracle Banking Credit Facilities Process Management Common (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.5-14.7 CVE-2023-2976 Oracle Banking Digital Experience UI (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 
CVE-2023-2976 Oracle Banking Liquidity Management Common (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.5-14.7 CVE-2023-2976 Oracle Banking Origination Onboarding Batch Processes (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.5-14.7 CVE-2023-2976 Oracle Banking Payments Core (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.0-14.3, 14.5-14.7 CVE-2023-2976 Oracle Banking Supply Chain Finance Security (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.5-14.7 CVE-2023-2976 Oracle Banking Trade Finance Process Management Dashboard (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.5-14.7 CVE-2023-2976 Oracle FLEXCUBE Enterprise Limits and Collateral Management Infrastructure (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 12.3, 12.4, 14.0-14.3, 14.5-14.7 CVE-2023-20863 Oracle Banking APIs IDM - Authentication (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 21.1, 22.1, 22.2 CVE-2023-20863 Oracle Banking Branch Reports (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Cash Management Accessibility (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Cash Management Accessibility (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Corporate Lending Core (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Credit Facilities Process Management Common (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Credit Facilities Process Management Common (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Deposits and Lines 
of Credit Servicing UI (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 2.7 CVE-2023-34462 Oracle Banking Digital Experience UI (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 CVE-2023-20863 Oracle Banking Digital Experience UI (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 21.1, 22.1, 22.2 CVE-2023-34462 Oracle Banking Electronic Data Exchange for Corporates Reports (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Electronic Data Exchange for Corporates Reports (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Liquidity Management Common (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Liquidity Management Common (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Origination Onboarding Batch Processes (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Origination Onboarding Batch Processes (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Party Management UI (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 2.7 CVE-2023-34462 Oracle Banking Supply Chain Finance Security (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Supply Chain Finance Security (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Trade Finance Process Management Dashboard (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Trade Finance Process Management Dashboard (Spring Framework) HTTP No 6.5 Network Low Low None Un- 
changed None None High 14.5-14.7 CVE-2023-34462 Oracle Banking Virtual Account Management Common Core (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle Banking Virtual Account Management Common Core (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2021-37533 Oracle Financial Services Model Management and Governance Installer (Apache Commons Net) HTTP Yes 6.5 Network Low None Required Un- changed High None None 8.1.2.3, 8.1.2.4 CVE-2023-20863 Oracle Financial Services Model Management and Governance Installer (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 8.1.2.3, 8.1.2.4 CVE-2021-37533 Oracle FLEXCUBE Core Banking Security (Apache Commons Net) HTTP Yes 6.5 Network Low None Required Un- changed High None None 11.6-11.8, 11.10, 11.11 CVE-2023-22118 Oracle FLEXCUBE Universal Banking Infrastructure HTTP No 6.5 Network Low Low Required Changed Low Low Low 12.3, 12.4, 14.0-14.3, 14.5-14.7 CVE-2023-34462 Oracle FLEXCUBE Universal Banking Infrastructure (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20863 Oracle FLEXCUBE Universal Banking Infrastructure (Spring Framework) HTTP No 6.5 Network Low Low None Un- changed None None High 14.5-14.7 CVE-2023-20862 Oracle Financial Services Model Management and Governance Installer (Spring Security) HTTP No 6.3 Network Low Low None Un- changed Low Low Low 8.1.2.3, 8.1.2.4 CVE-2022-29577 Oracle Banking Deposits and Lines of Credit Servicing UI (AntiSamy) HTTP Yes 6.1 Network Low None Required Changed Low Low None 2.7, 2.12 CVE-2023-28439 Oracle Banking Deposits and Lines of Credit Servicing UI (CKEditor) HTTP Yes 6.1 Network Low None Required Changed Low Low None 2.7 CVE-2022-36033 Oracle Financial Services Model Management and Governance Installer (jsoup) HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.1.2.3,8.1.2.4 CVE-2023-22122 Oracle Banking Trade 
Finance Infrastructure HTTP No 5.9 Network High Low Required Un- changed High Low Low 14.5-14.7 CVE-2023-22119 Oracle FLEXCUBE Universal Banking Infrastructure HTTP No 5.9 Network High Low Required Un- changed High Low Low 12.3, 12.4, 14.0-14.3, 14.5-14.7 CVE-2021-41165 Oracle Banking Party Management UI (CKEditor) HTTP No 5.4 Network Low Low Required Changed Low Low None 2.7 CVE-2023-22121 Oracle Banking Trade Finance Infrastructure HTTP Yes 5.4 Network Low None Required Un- changed Low Low None 14.5-14.7 CVE-2023-22123 Oracle Banking Trade Finance Infrastructure HTTP No 5.4 Network Low Low Required Changed Low Low None 14.5-14.7 CVE-2023-22124 Oracle Banking Trade Finance Infrastructure HTTP No 5.4 Network Low Low Required Changed Low Low None 14.5-14.7 CVE-2023-22125 Oracle Banking Trade Finance Infrastructure HTTP No 5.4 Network Low Low Required Changed Low Low None 14.5-14.7 CVE-2023-22117 Oracle FLEXCUBE Universal Banking Infrastructure HTTP No 5.4 Network Low Low Required Changed Low Low None 12.3, 12.4, 14.0-14.3, 14.5-14.7 CVE-2023-33201 Oracle Banking APIs IDM - Authentication (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 CVE-2023-33201 Oracle Banking Branch Reports (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle Banking Cash Management Accessibility (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-33201 Oracle Banking Cash Management Accessibility (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle Banking Credit Facilities Process Management Common (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-33201 Oracle Banking Credit Facilities Process Management Common (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low 
None None 14.5-14.7 CVE-2023-33201 Oracle Banking Digital Experience UI (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 18.3, 19.1, 19.2, 21.1, 22.1, 22.2 CVE-2023-26049 Oracle Banking Electronic Data Exchange for Corporates Reports (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-33201 Oracle Banking Electronic Data Exchange for Corporates Reports (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle Banking Liquidity Management Common (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-33201 Oracle Banking Liquidity Management Common (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle Banking Origination Onboarding Batch Processes (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-33201 Oracle Banking Origination Onboarding Batch Processes (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle Banking Supply Chain Finance Security (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-33201 Oracle Banking Supply Chain Finance Security (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle Banking Trade Finance Process Management Dashboard (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-33201 Oracle Banking Trade Finance Process Management Dashboard (Bouncy Castle Java Library) HTTPS Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle Banking Virtual Account Management Common Core (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 14.5-14.7 CVE-2023-26049 Oracle 
Financial Services Model Management and Governance Installer (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un- changed Low None None 8.1.2.3, 8.1.2.4 ADDITIONAL CVES ADDRESSED ARE: * The patch for CVE-2021-41165 also addresses CVE-2021-41164. * The patch for CVE-2022-41881 also addresses CVE-2022-41915. * The patch for CVE-2022-41966 also addresses CVE-2022-40151. * The patch for CVE-2022-42003 also addresses CVE-2022-42004. * The patch for CVE-2023-26049 also addresses CVE-2023-26048. ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY: * Oracle Banking Branch * Reports (Scala): CVE-2022-36944 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary]. * Oracle Banking Cash Management * Accessibility (Scala): CVE-2022-36944 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary]. * Oracle Banking Credit Facilities Process Management * Common (Scala): CVE-2022-36944 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary]. * Oracle Banking Electronic Data Exchange for Corporates * Reports (Scala): CVE-2022-36944 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary]. * Oracle Banking Liquidity Management * Common (Scala): CVE-2022-36944 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary]. * Oracle Banking Origination * Onboarding Batch Processes (Scala): CVE-2022-36944 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary]. * Oracle Banking Supply Chain Finance * Security (Scala): CVE-2022-36944 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary]. * Oracle Banking Trade Finance Process Management * Dashboard (Scala): CVE-2022-36944 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary]. * Oracle Financial Services Cash Flow Engine * Cash Flow Engine (Scala): CVE-2022-36944 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary]. 
ORACLE FUSION MIDDLEWARE RISK MATRIX

This Critical Patch Update contains 46 new security patches, plus additional third party patches noted below, for Oracle Fusion Middleware. 35 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

To get the full list of current and previously released Critical Patch Update patches for Oracle Fusion Middleware products, refer to My Oracle Support Doc ID 2806740.2.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2022-42920 | Oracle Enterprise Data Quality | General (Apache Commons BCEL) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 |
CVE-2022-42920 | Oracle WebCenter Portal | Discussion Forums (Apache Commons BCEL) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 |
CVE-2023-39022 | Oracle WebCenter Portal | Discussion Forums (OSCORE) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 |
CVE-2022-42920 | Oracle WebLogic Server | Core (Apache Commons BCEL) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0, 14.1.1.0.0 |
CVE-2022-29599 | Oracle WebLogic Server | Centralized Thirdparty Jars (Apache Maven Shared Utils) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1.1.0.0 |
CVE-2023-22069 | Oracle WebLogic Server | Core | T3, IIOP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0, 14.1.1.0.0 |
CVE-2023-22072 | Oracle WebLogic Server | Core | T3, IIOP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0 |
CVE-2023-22089 | Oracle WebLogic Server | Core | T3, IIOP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0, 14.1.1.0.0 |
CVE-2023-22101 | Oracle WebLogic Server | Core | T3, IIOP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.2.1.4.0, 14.1.1.0.0 |
CVE-2021-37136 | Oracle Access Manager | Centralized Thirdparty Jars (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2023-24998 | Oracle Business Process Management Suite | Runtime Engine (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2022-45688 | Oracle Business Process Management Suite | Runtime Engine (JSON-java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2023-24998 | Oracle Fusion Middleware MapViewer | Install (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2023-22019 | Oracle HTTP Server | Web Listener | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.4.0 |
CVE-2023-1436 | Oracle Identity Manager | Third Party (Jettison) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2023-1436 | Oracle Middleware Common Libraries and Tools | Third Party (Jettison) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2022-24839 | Oracle Middleware Common Libraries and Tools | Third Party (NekoHTML) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2022-45688 | Oracle Service Bus | Centralized Thirdparty Jars (JSON-java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2023-24998 | Oracle SOA Suite | Centralized Thirdparty Jars (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2021-28165 | Oracle Unified Directory | OUD Core (Eclipse Jetty) | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2021-37714 | Oracle WebCenter Portal | Portal Core (jsoup) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2022-45690 | Oracle WebCenter Portal | Security Framework (JSON-java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2022-42004 | Oracle WebCenter Portal | Security Framework (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2022-29546 | Oracle WebLogic Server | Centralized Thirdparty Jars (NekoHTML) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.1.1.0.0 |
CVE-2022-23491 | Oracle WebLogic Server | Centralized Thirdparty Jars (Python) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14.1.1.0.0 |
CVE-2023-22086 | Oracle WebLogic Server | Core | T3, IIOP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.4.0, 14.1.1.0.0 |
CVE-2023-22108 | Oracle WebLogic Server | Core | T3, IIOP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.4.0, 14.1.1.0.0 |
CVE-2019-10086 | Oracle Identity Manager | Third Party (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 12.2.1.4.0 |
CVE-2019-10086 | Oracle WebCenter Content | ADF UCM Application (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 12.2.1.4.0 |
CVE-2023-2976 | Oracle Fusion Middleware MapViewer | Install (Google Guava) | None | No | 7.1 | Local | Low | Low | None | Unchanged | High | High | None | 12.2.1.4.0 |
CVE-2022-44729 | Oracle Middleware Common Libraries and Tools | Third Party (Apache Batik) | None | No | 7.1 | Local | Low | None | Required | Unchanged | High | None | High | 12.2.1.4.0 |
CVE-2022-44729 | Oracle WebLogic Server | Centralized Thirdparty Jars (Apache Batik) | None | No | 7.1 | Local | Low | None | Required | Unchanged | High | None | High | 12.2.1.4.0, 14.1.1.0.0 |
CVE-2023-2976 | Oracle WebLogic Server | Centralized Thirdparty Jars (Google Guava) | None | No | 7.1 | Local | Low | Low | None | Unchanged | High | High | None | 12.2.1.4.0, 14.1.1.0.0 |
CVE-2023-34462 | Oracle Coherence | Third Party (Netty) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 14.1.1.0.0, 12.2.1.4.0 |
CVE-2023-20863 | Oracle Enterprise Data Quality | General (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2023-2650 | Oracle HTTP Server | SSL Module (OpenSSL) | HTTPS | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2023-28484 | Oracle HTTP Server | SSL Module (libxml2) | HTTPS | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2023-34462 | Oracle WebCenter Portal | Security Framework (Netty) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2023-22127 | Oracle Outside In Technology | Content Access SDK, Image Export SDK, PDF Export SDK, HTML Export SDK | HTTP | No | 6.3 | Network | Low | Low | None | Unchanged | Low | Low | Low | 8.5.6 |
CVE-2021-36374 | Oracle WebLogic Server | Centralized Thirdparty Jars (Apache Ant) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 14.1.1.0.0 |
CVE-2022-37436 | Oracle HTTP Server | SSL Module (Apache HTTP Server) | HTTPS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 12.2.1.4.0 |
CVE-2023-22126 | Oracle WebCenter Content | Content Server | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.2.1.4.0 |
CVE-2020-13956 | Oracle WebLogic Server | Centralized Thirdparty Jars (Apache HttpClient) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 14.1.1.0.0 |
CVE-2023-35116 | Oracle WebLogic Server | Centralized Thirdparty Jars (jackson-databind) | None | No | 4.7 | Local | High | Low | None | Unchanged | None | None | High | 12.2.1.4.0, 14.1.1.0.0 |
CVE-2023-35887 | Oracle Enterprise Data Quality | General (Apache Mina SSHD) | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 12.2.1.4.0 |
CVE-2023-28708 | Oracle Managed File Transfer | MFT Runtime Server (Apache Tomcat) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | Low | None | None | 12.2.1.4.0 |

ADDITIONAL CVES ADDRESSED ARE:
* The patch for CVE-2021-36374 also addresses CVE-2021-36373.
* The patch for CVE-2021-37714 also addresses CVE-2022-36033.
* The patch for CVE-2022-23491 also addresses CVE-2019-20907 and CVE-2019-20916.
* The patch for CVE-2022-42004 also addresses CVE-2022-42003.
* The patch for CVE-2022-44729 also addresses CVE-2022-44730.
* The patch for CVE-2023-2650 also addresses CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, and CVE-2023-1255.
* The patch for CVE-2023-28484 also addresses CVE-2023-29469.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:
* Oracle Data Integrator
  * Users, roles, credentials, security (Google Guava): CVE-2023-2976 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

ORACLE ANALYTICS RISK MATRIX

This Critical Patch Update contains 16 new security patches, plus additional third party patches noted below, for Oracle Analytics.
11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2023-22946 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Apache Spark) | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 6.4.0.0.0 |
CVE-2022-26612 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Apache Hadoop) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.4.0.0.0 |
CVE-2022-33980 | Oracle Business Intelligence Enterprise Edition | Content Storage Service (Apache Commons Configuration) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.4.0.0.0, 7.0.0.0.0 |
CVE-2023-30535 | Oracle Business Intelligence Enterprise Edition | Analytics Server (jsoup) | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 6.4.0.0.0 |
CVE-2020-11988 | Oracle Business Intelligence Enterprise Edition | Presentation Services (Apache XmlGraphics Commons) | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | High | Low | None | 6.4.0.0.0, 12.2.1.4.0 |
CVE-2022-40152 | BI Publisher | Development Operations (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.4.0.0.0 |
CVE-2021-43045 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Apache Avro) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.4.0.0.0 |
CVE-2022-41409 | Oracle Business Intelligence Enterprise Edition | Analytics Server (PCRE2) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.4.0.0.0, 7.0.0.0.0 |
CVE-2023-30861 | Oracle Business Intelligence Enterprise Edition | Visual Analyzer (Flask) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 6.4.0.0.0 |
CVE-2019-10086 | Oracle Business Intelligence Enterprise Edition | BI Platform Security (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 12.2.1.4.0 |
CVE-2023-34462 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Netty) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 6.4.0.0.0 |
CVE-2020-11023 | BI Publisher | Mobile Service (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.4.0 |
CVE-2022-31160 | BI Publisher | Mobile Service (jQueryUI) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.4.0 |
CVE-2023-22105 | BI Publisher | Web Server | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 6.4.0.0.0, 7.0.0.0.0 |
CVE-2023-22082 | Oracle Business Intelligence Enterprise Edition | Pod Admin | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 6.4.0.0.0, 7.0.0.0.0 |
CVE-2023-22109 | Oracle Business Intelligence Enterprise Edition | Analytics Web Dashboards | HTTP | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | Low | None | 6.4.0.0.0, 7.0.0.0.0, 12.2.1.4.0 |

ADDITIONAL CVES ADDRESSED ARE:
* The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022.
* The patch for CVE-2021-43045 also addresses CVE-2020-28493.
* The patch for CVE-2022-26612 also addresses CVE-2020-9492, CVE-2021-33036, CVE-2021-37404, and CVE-2022-25168.
* The patch for CVE-2022-31160 also addresses CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184.
* The patch for CVE-2022-33980 also addresses CVE-2020-1953.
* The patch for CVE-2023-30535 also addresses CVE-2022-36033.

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:
* Oracle Business Intelligence Enterprise Edition
  * Analytics Web Answers (Google Guava): CVE-2023-2976 [VEX Justification: vulnerable_code_not_present].

ORACLE HEALTH SCIENCES APPLICATIONS RISK MATRIX

This Critical Patch Update contains 2 new security patches for Oracle Health Sciences Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-17498 | Oracle Life Sciences InForm | InForm Publisher (libssh2) | TLS | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | None | High | 7.0.0.0 |
CVE-2019-17498 | Oracle Life Sciences InForm Publisher | Publishing (libssh2) | TLS | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | None | High | 6.3.1.0 |

ORACLE HEALTHCARE APPLICATIONS RISK MATRIX

This Critical Patch Update contains 1 new security patch for Oracle HealthCare Applications. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2023-20863 | Oracle Healthcare Master Person Index | Internal Operations (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.0.0-5.0.6 |

ADDITIONAL CVES ADDRESSED ARE:
* The patch for CVE-2023-20863 also addresses CVE-2023-20860 and CVE-2023-20861.

ORACLE HOSPITALITY APPLICATIONS RISK MATRIX

This Critical Patch Update contains 2 new security patches for Oracle Hospitality Applications. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2023-22085 | Hospitality OPERA 5 Property Services | Opera | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 5.6 |
CVE-2023-22087 | Hospitality OPERA 5 Property Services | Opera | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 5.6 |

ORACLE HYPERION RISK MATRIX

This Critical Patch Update contains 2 new security patches for Oracle Hyperion. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2023-25690 | Oracle Hyperion Infrastructure Technology | Installation and Configuration (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.2.14.0.000 |
CVE-2023-27534 | Oracle Hyperion Infrastructure Technology | Infrastructure (curl) | SFTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.2.14.0.000 |

ADDITIONAL CVES ADDRESSED ARE:
* The patch for CVE-2023-25690 also addresses CVE-2023-27522.
* The patch for CVE-2023-27534 also addresses CVE-2023-27533.

ORACLE INSURANCE APPLICATIONS RISK MATRIX

This Critical Patch Update contains 1 new security patch for Oracle Insurance Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote Exploit without Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2022-42920 Oracle Documaker Development Tools (Apache Commons BCEL) HTTP Yes 9.8 Network Low None None Un- changed High High High 12.6.4-12.7.1 CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2022-42920 Oracle Documaker Development Tools (Apache Commons BCEL) HTTP Yes 9.8 Network Low None None Un- changed High High High 12.6.4-12.7.1 ORACLE JAVA SE RISK MATRIX This Critical Patch Update contains 5 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Low" instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1. Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. 
The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations. Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release. CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2023-30589 Oracle GraalVM for JDK Node (Node.js) HTTP Yes 7.5 Network Low None None Un- changed None High None Oracle GraalVM for JDK: 17.0.8; Oracle GraalVM Enterprise Edition: 22.3.3 CVE-2023-22067 Oracle Java SE CORBA CORBA Yes 5.3 Network Low None None Un- changed None Low None Oracle Java SE: 8u381, 8u381-perf; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 See Note 1 CVE-2023-22081 Oracle Java SE, Oracle GraalVM for JDK JSSE HTTPS Yes 5.3 Network Low None None Un- changed None None Low Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7, 22.3.3 See Note 2 CVE-2023-22091 Oracle GraalVM for JDK Compiler Multiple Yes 4.8 Network High None None Un- changed Low Low None Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7, 22.3.3 CVE-2023-22025 Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK Hotspot Multiple Yes 3.7 Network High None None Un- changed None Low None Oracle Java SE: 8u381-perf, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 21.3.7, 22.3.3 See Note 3 CVE ID Product Component Protocol Remote Exploit without Auth.? 
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2023-30589 Oracle GraalVM for JDK Node (Node.js) HTTP Yes 7.5 Network Low None None Un- changed None High None Oracle GraalVM for JDK: 17.0.8; Oracle GraalVM Enterprise Edition: 22.3.3 CVE-2023-22067 Oracle Java SE CORBA CORBA Yes 5.3 Network Low None None Un- changed None Low None Oracle Java SE: 8u381, 8u381-perf; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 See Note 1 CVE-2023-22081 Oracle Java SE, Oracle GraalVM for JDK JSSE HTTPS Yes 5.3 Network Low None None Un- changed None None Low Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7, 22.3.3 See Note 2 CVE-2023-22091 Oracle GraalVM for JDK Compiler Multiple Yes 4.8 Network High None None Un- changed Low Low None Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7, 22.3.3 CVE-2023-22025 Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK Hotspot Multiple Yes 3.7 Network High None None Un- changed None Low None Oracle Java SE: 8u381-perf, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 21.3.7, 22.3.3 See Note 3 NOTES: 1. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. 2. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. 
This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). 3. This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. ADDITIONAL CVES ADDRESSED ARE: * The patch for CVE-2023-30589 also addresses CVE-2023-30585, CVE-2023-30588, and CVE-2023-30590. ORACLE JD EDWARDS RISK MATRIX This Critical Patch Update contains 1 new security patch for Oracle JD Edwards. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2020-13956 JD Edwards EnterpriseOne Tools Deployment SEC (Apache HttpClient) HTTP Yes 5.3 Network Low None None Un- changed None Low None 9.2.7 CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2020-13956 JD Edwards EnterpriseOne Tools Deployment SEC (Apache HttpClient) HTTP Yes 5.3 Network Low None None Un- changed None Low None 9.2.7 ORACLE MYSQL RISK MATRIX This Critical Patch Update contains 37 new security patches, plus additional third party patches noted below, for Oracle MySQL. 
9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2023-34034 MySQL Enterprise Monitor Monitoring: General (Spring Security) Multiple Yes 9.8 Network Low None None Un- changed High High High 8.0.35 and prior CVE-2022-42898 MySQL Cluster Cluster: General (Kerberos) Multiple No 8.8 Network Low Low None Un- changed High High High 8.0.34 and prior, 8.1.0 CVE-2023-22102 MySQL Connectors Connector/J MySQL Protocol Yes 8.3 Network High None Required Changed High High High 8.1.0 and prior CVE-2023-22094 MySQL Installer Installer: General None No 7.9 Local Low Low Required Changed None High High Prior to 1.6.8 See Note 1 CVE-2023-34396 MySQL Enterprise Monitor Monitoring: General (Apache Struts) Multiple Yes 7.5 Network Low None None Un- changed None None High 8.0.34 and prior CVE-2023-38545 MySQL Server Server: Compiling (curl) MySQL Protocol Yes 7.5 Network High None Required Un- changed High High High 5.7.43 and prior, 8.0.34 and prior, 8.1.0 CVE-2023-2976 MySQL Enterprise Monitor Monitoring: General (Google Guava) Multiple No 7.1 Local Low Low None Un- changed High High None 8.0.35 and prior CVE-2023-20863 MySQL Enterprise Monitor Monitoring: General (Spring Framework) Multiple No 6.5 Network Low Low None Un- changed None None High 8.0.35 and prior CVE-2023-22059 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22079 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un- changed None None High 8.0.34 and prior CVE-2023-22095 MySQL Server 
Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un- changed None None High 8.1.0 CVE-2023-2650 MySQL Server Server: Packaging (OpenSSL) MySQL Protocol Yes 6.5 Network Low None Required Un- changed None None High 5.7.42 and prior, 8.0.33 and prior CVE-2023-41080 MySQL Enterprise Monitor Monitoring: General (Apache Tomcat) Multiple Yes 6.1 Network Low None Required Changed Low Low None 8.0.35 and prior CVE-2023-3817 MySQL Connectors Connector/C++ (OpenSSL) MySQL Protocol Yes 5.3 Network Low None None Un- changed None None Low 8.1.0 and prior CVE-2023-3817 MySQL Connectors Connector/ODBC (OpenSSL) MySQL Protocol Yes 5.3 Network Low None None Un- changed None None Low 8.1.0 and prior CVE-2023-3817 MySQL Enterprise Monitor Monitoring: General (OpenSSL) Multiple Yes 5.3 Network Low None None Un- changed None None Low 8.0.35 and prior CVE-2023-22097 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22066 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22068 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22104 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.32 and prior CVE-2023-22114 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22084 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un- changed None None High 5.7.43 and prior, 8.0.34 and prior, 8.1.0 CVE-2023-22115 MySQL Server Server: DML MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.33 and prior CVE-2023-22015 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 5.7.42 and prior, 8.0.31 and prior CVE-2023-22026 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network 
Low High None Un- changed None None High 5.7.42 and prior, 8.0.31 and prior CVE-2023-22028 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 5.7.43 and prior, 8.0.31 and prior CVE-2023-22032 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22064 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior CVE-2023-22065 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.33 and prior CVE-2023-22070 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22103 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22110 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.33 and prior CVE-2023-22112 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior CVE-2023-22078 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22092 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior CVE-2023-22111 MySQL Server Server: UDF MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.33 and prior CVE-2023-22113 MySQL Server Server: Security: Encryption MySQL Protocol No 2.7 Network Low High None Un- changed Low None None 8.0.33 and prior CVE ID Product Component Protocol Remote Exploit without Auth.? 
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2023-34034 MySQL Enterprise Monitor Monitoring: General (Spring Security) Multiple Yes 9.8 Network Low None None Un- changed High High High 8.0.35 and prior CVE-2022-42898 MySQL Cluster Cluster: General (Kerberos) Multiple No 8.8 Network Low Low None Un- changed High High High 8.0.34 and prior, 8.1.0 CVE-2023-22102 MySQL Connectors Connector/J MySQL Protocol Yes 8.3 Network High None Required Changed High High High 8.1.0 and prior CVE-2023-22094 MySQL Installer Installer: General None No 7.9 Local Low Low Required Changed None High High Prior to 1.6.8 See Note 1 CVE-2023-34396 MySQL Enterprise Monitor Monitoring: General (Apache Struts) Multiple Yes 7.5 Network Low None None Un- changed None None High 8.0.34 and prior CVE-2023-38545 MySQL Server Server: Compiling (curl) MySQL Protocol Yes 7.5 Network High None Required Un- changed High High High 5.7.43 and prior, 8.0.34 and prior, 8.1.0 CVE-2023-2976 MySQL Enterprise Monitor Monitoring: General (Google Guava) Multiple No 7.1 Local Low Low None Un- changed High High None 8.0.35 and prior CVE-2023-20863 MySQL Enterprise Monitor Monitoring: General (Spring Framework) Multiple No 6.5 Network Low Low None Un- changed None None High 8.0.35 and prior CVE-2023-22059 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22079 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un- changed None None High 8.0.34 and prior CVE-2023-22095 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un- changed None None High 8.1.0 CVE-2023-2650 MySQL Server Server: Packaging (OpenSSL) MySQL Protocol Yes 6.5 Network Low None Required Un- changed None None High 5.7.42 and prior, 8.0.33 and prior CVE-2023-41080 
MySQL Enterprise Monitor Monitoring: General (Apache Tomcat) Multiple Yes 6.1 Network Low None Required Changed Low Low None 8.0.35 and prior CVE-2023-3817 MySQL Connectors Connector/C++ (OpenSSL) MySQL Protocol Yes 5.3 Network Low None None Un- changed None None Low 8.1.0 and prior CVE-2023-3817 MySQL Connectors Connector/ODBC (OpenSSL) MySQL Protocol Yes 5.3 Network Low None None Un- changed None None Low 8.1.0 and prior CVE-2023-3817 MySQL Enterprise Monitor Monitoring: General (OpenSSL) Multiple Yes 5.3 Network Low None None Un- changed None None Low 8.0.35 and prior CVE-2023-22097 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22066 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22068 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22104 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.32 and prior CVE-2023-22114 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22084 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un- changed None None High 5.7.43 and prior, 8.0.34 and prior, 8.1.0 CVE-2023-22115 MySQL Server Server: DML MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.33 and prior CVE-2023-22015 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 5.7.42 and prior, 8.0.31 and prior CVE-2023-22026 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 5.7.42 and prior, 8.0.31 and prior CVE-2023-22028 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 5.7.43 and prior, 8.0.31 and prior CVE-2023-22032 MySQL Server Server: Optimizer 
MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22064 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior CVE-2023-22065 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.33 and prior CVE-2023-22070 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22103 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22110 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.33 and prior CVE-2023-22112 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior CVE-2023-22078 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior, 8.1.0 CVE-2023-22092 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.34 and prior CVE-2023-22111 MySQL Server Server: UDF MySQL Protocol No 4.9 Network Low High None Un- changed None None High 8.0.33 and prior CVE-2023-22113 MySQL Server Server: Security: Encryption MySQL Protocol No 2.7 Network Low High None Un- changed Low None None 8.0.33 and prior NOTES: 1. This patch is used in MySQL Server bundled version 8.0.35 and 5.7.44 ADDITIONAL CVES ADDRESSED ARE: * The patch for CVE-2023-2650 also addresses CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, and CVE-2023-1255. * The patch for CVE-2023-34396 also addresses CVE-2023-34149. * The patch for CVE-2023-3817 also addresses CVE-2023-2975 and CVE-2023-3446. * The patch for CVE-2023-38545 also addresses CVE-2023-38546. 
ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY: * MySQL Server * Server: Packaging (Cyrus SASL): CVE-2022-24407 [VEX Justification: vulnerable_code_not_in_execute_path]. * Server: Packaging (Kerberos): CVE-2022-42898 [VEX Justification: vulnerable_code_not_in_execute_path]. * MySQL Shell * Shell: Core Client (Cryptography): CVE-2023-38325 [VEX Justification: vulnerable_code_not_present]. ORACLE PEOPLESOFT RISK MATRIX This Critical Patch Update contains 5 new security patches for Oracle PeopleSoft. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2022-42920 PeopleSoft Enterprise HCM Global Payroll Switzerland XML CHE (Apache Commons BCEL) HTTP Yes 9.8 Network Low None None Un- changed High High High 9.2 CVE-2022-45688 PeopleSoft Enterprise PeopleTools Cloud Manager (JSON-java) HTTP Yes 7.5 Network Low None None Un- changed None None High 8.59, 8.60 CVE-2023-22090 PeopleSoft Enterprise CC Common Application Objects Events & Notifications HTTP No 6.5 Network Low Low None Un- changed High None None 9.2 CVE-2023-34462 PeopleSoft Enterprise PeopleTools Elastic Search (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 8.59, 8.60 CVE-2023-22080 PeopleSoft Enterprise PeopleTools PIA Core Technology HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.59, 8.60 CVE ID Product Component Protocol Remote Exploit without Auth.? 
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2022-42920 PeopleSoft Enterprise HCM Global Payroll Switzerland XML CHE (Apache Commons BCEL) HTTP Yes 9.8 Network Low None None Un- changed High High High 9.2 CVE-2022-45688 PeopleSoft Enterprise PeopleTools Cloud Manager (JSON-java) HTTP Yes 7.5 Network Low None None Un- changed None None High 8.59, 8.60 CVE-2023-22090 PeopleSoft Enterprise CC Common Application Objects Events & Notifications HTTP No 6.5 Network Low Low None Un- changed High None None 9.2 CVE-2023-34462 PeopleSoft Enterprise PeopleTools Elastic Search (Netty) HTTP No 6.5 Network Low Low None Un- changed None None High 8.59, 8.60 CVE-2023-22080 PeopleSoft Enterprise PeopleTools PIA Core Technology HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.59, 8.60 ORACLE RETAIL APPLICATIONS RISK MATRIX This Critical Patch Update contains 15 new security patches for Oracle Retail Applications. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. CVE ID Product Component Protocol Remote Exploit without Auth.? 
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact Scope Confid- entiality Inte- grity Avail- ability CVE-2022-42920 Oracle Retail Bulk Data Integration BDI Job Scheduler (Apache Commons BCEL) HTTP Yes 9.8 Network Low None None Un- changed High High High 16.0.3, 19.0.1 CVE-2023-39017 Oracle Retail Customer Management and Segmentation Foundation Operations (Quartz) HTTP Yes 9.8 Network Low None None Un- changed High High High 18.0.0.13, 19.0.0.7 CVE-2022-42920 Oracle Retail Financial Integration PeopleSoft Integration Bugs (Apache Commons BCEL) HTTP Yes 9.8 Network Low None None Un- changed High High High 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 CVE-2022-42920 Oracle Retail Integration Bus RIB (Apache Commons BCEL) HTTP Yes 9.8 Network Low None None Un- changed High High High 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 CVE-2022-42920 Oracle Retail Merchandising System Foundation (Apache Commons BCEL) HTTP Yes 9.8 Network Low None None Un- changed High High High 19.0.1 CVE-2022-42920 Oracle Retail Service Backbone Installation (Apache Commons BCEL) HTTP Yes 9.8 Network Low None None Un- changed High High High 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 CVE-2022-1471 Oracle Retail Xstore Point of Service Xenvironment (SnakeYAML) HTTP Yes 9.8 Network Low None None Un- changed High High High 22.0.0 CVE-2023-24998 Oracle Retail Xstore Point of Service Xenvironment (Apache Commons FileUpload) HTTP Yes 7.5 Network Low None None Un- changed None None High 18.0.5, 19.0.4, 20.0.3, 21.0.2, 22.0.0 CVE-2023-2976 Oracle Retail Customer Management and Segmentation Foundation Security (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 18.0.0.13, 19.0.0.7 CVE-2023-2976 Oracle Retail Financial Integration PeopleSoft Integration Bugs (Google Guava) None No 7.1 Local Low Low None Un- changed High High None 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 CVE-2023-2976 Oracle Retail Integration Bus RIB 
Kernal (Google Guava) | None | No | 7.1 | Local | Low | Low | None | Unchanged | High | High | None | 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 |
CVE-2023-20863 | Oracle Retail Customer Management and Segmentation Foundation | Security (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 18.0.0.13, 19.0.0.7 |
CVE-2023-20863 | Oracle Retail Fiscal Management | RTIL (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 14.2 |
CVE-2023-20863 | Oracle Retail Xstore Point of Service | Xenvironment (Spring Framework) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 18.0.5, 19.0.4, 20.0.3, 21.0.2, 22.0.0 |
CVE-2023-26049 | Oracle Retail EFTLink | Installation (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 20.0.1, 21.0.0, 22.0.0 |

ADDITIONAL CVES ADDRESSED ARE:
* The patch for CVE-2023-26049 also addresses CVE-2023-26048.

ORACLE SIEBEL CRM RISK MATRIX

This Critical Patch Update contains 2 new security patches for Oracle Siebel CRM. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score (see Risk Matrix Definitions) | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2023-1370 | Siebel CRM | EAI - Open UI (JSON-java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.8 and prior |
CVE-2021-37533 | Siebel Apps | Marketing (Apache Commons Net) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 23.8 and prior |

ORACLE SUPPLY CHAIN RISK MATRIX

This Critical Patch Update contains 1 new security patch for Oracle Supply Chain. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score (see Risk Matrix Definitions) | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2023-34981 | Oracle Agile PLM | Security (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 9.3.6 |

ORACLE SYSTEMS RISK MATRIX

This Critical Patch Update contains 3 new security patches for Oracle Systems. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA, so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1, for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party Bulletins. Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets, which contain critical security patches detailed in the Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score (see Risk Matrix Definitions) | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2023-22130 | Sun ZFS Storage Appliance | Core | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 8.8.60 |
CVE-2023-22129 | Oracle Solaris | Kernel | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 11 | See Note 1
CVE-2023-22128 | Oracle Solaris | Filesystem | rquota | Yes | 3.1 | Network | High | None | Required | Unchanged | Low | None | None | 10, 11 |

NOTES:
1. This vulnerability only affects SPARC Systems.

ORACLE UTILITIES APPLICATIONS RISK MATRIX

This Critical Patch Update contains 3 new security patches, plus additional third party patches noted below, for Oracle Utilities Applications. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score (see Risk Matrix Definitions) | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2022-42920 | Oracle Utilities Application Framework | General (Apache Commons BCEL) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 |
CVE-2022-31129 | Oracle Utilities Application Framework | General (Moment.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0 |
CVE-2023-21829 | Oracle Utilities Application Framework | General (JDBC) | HTTP | No | 6.3 | Network | Low | Low | Required | Unchanged | Low | High | None | 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.0.1, 4.5.0.1.0-4.5.0.1.2 |

ADDITIONAL PATCHES INCLUDED IN THIS CRITICAL PATCH UPDATE FOR THE FOLLOWING NON-EXPLOITABLE CVES FOR THIS ORACLE PRODUCT FAMILY:
* Oracle Utilities Network Management System
  * SW- System Wide (Apache Ant): CVE-2021-36374 and CVE-2021-36373 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

ORACLE VIRTUALIZATION RISK MATRIX

This Critical Patch Update contains 3 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score (see Risk Matrix Definitions) | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2023-22098 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | Prior to 7.0.12 | See Note 1
CVE-2023-22099 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | Prior to 7.0.12 | See Note 1
CVE-2023-22100 | Oracle VM VirtualBox | Core | None | No | 7.9 | Local | Low | High | None | Changed | High | None | High | Prior to 7.0.12 | See Note 1

NOTES:
1. Only applicable to 7.0.x platform.