www.oracle.com
Open in
urlscan Pro
2a02:26f0:6c00:1bf::a15
Public Scan
Submitted URL: http://www.nessus.org/u?d87d8f4a
Effective URL: https://www.oracle.com/security-alerts/cpujul2016.html
Submission: On April 26 via api from IN — Scanned from DE
Effective URL: https://www.oracle.com/security-alerts/cpujul2016.html
Submission: On April 26 via api from IN — Scanned from DE
Form analysis 1 forms found in the DOM
Name: u30searchForm — GET /search
<form name="u30searchForm" id="u30searchForm" data-contentpaths="/content/Web/Shared/Auto-Suggest Panel Event" method="get" action="/search">
<input type="hidden" name="Nty" value="1">
<input type="hidden" name="Dy" value="1">
<!--<input type="hidden" name="Ntk" value="SI-Global">-->
<input type="hidden" name="Ntk" value="SI-ALL5">
<input type="hidden" name="cty" value="us">
<input type="hidden" name="lang" value="en">
<input type="hidden" name="NoBstNoRec" value="no">
<div class="u30s1">
<button id="u30closesearch" aria-label="Close Search" type="button">
<span>Close Search</span>
<svg width="9" height="14" viewBox="0 0 9 14" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M8 13L2 7L8 1" stroke="#161513" stroke-width="2"></path>
</svg>
</button>
<span class="u30input">
<div class="u30inputw1">
<input id="u30input" name="Ntt" value="" type="text" placeholder="Search" autocomplete="off" aria-autocomplete="both" aria-activedescendant="" aria-label="Search Oracle.com" role="combobox" aria-expanded="false" aria-owns="u30autosuggest"
aria-haspopup="listbox">
</div>
<div id="u30searchw3" style="margin-left: -249px; width: calc(100vw - 0px); max-width: 1600px;">
<ul role="listbox" id="u30autosuggest" style="padding-left: 249px; padding-right: 0px;">
</ul>
<div id="u30results" style="padding-left: 0px; padding-right: 0px;">
<button id="u30closeresults" aria-label="Close Results" type="button">
<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24">
<path d="M7,7 L17,17"></path>
<path d="M17,7 L7,17"></path>
</svg>
<span>Close</span>
</button>
<div id="u30resultsw1">
</div>
<div id="u30noresults">
<div class="u30result noresults">
<div>We’re sorry. We could not find a match for your search.</div>
<p>We suggest you try the following to help find what you’re looking for:</p>
<ul class="u30nr1">
<li>Check the spelling of your keyword search.</li>
<li>Use synonyms for the keyword you typed, for example, try "application" instead of "software."</li>
<li>Start a new search.</li>
</ul>
</div>
</div>
<ul id="u30skel" style="left: 0px; right: 0px;">
<li></li>
<li></li>
<li></li>
<li></li>
<li></li>
<li></li>
<li></li>
<li></li>
<li></li>
<li></li>
</ul>
</div>
</div>
<span class="u30submit">
<input class="u30searchbttn" type="submit" value="Submit Search">
</span>
<button id="u30clear" type="reset" aria-label="Clear Search">
<span>Clear Search</span>
<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M7 7L13 13M7 13L13 7M19 10C19 14.9706 14.9706 19 10 19C5.02944 19 1 14.9706 1 10C1 5.02944 5.02944 1 10 1C14.9706 1 19 5.02944 19 10Z" stroke="#161513" stroke-width="2"></path>
</svg>
</button>
</span>
</div>
</form>Text Content
* Skip to content
* Click to view our Accessibility Policy
* Products
* Industries
* Resources
* Customers
* Partners
* Developers
* Events
* Company
Close Search
Close
We’re sorry. We could not find a match for your search.
We suggest you try the following to help find what you’re looking for:
* Check the spelling of your keyword search.
* Use synonyms for the keyword you typed, for example, try "application"
instead of "software."
* Start a new search.
*
*
*
*
*
*
*
*
*
*
Clear Search
Search
View Accounts
Back
Cloud Account Sign in to Cloud
Oracle Account
* Sign-In
* Create an Account
* Help
* Sign Out
Contact Sales
Menu Menu
* Security Alerts
ORACLE CRITICAL PATCH UPDATE ADVISORY - JULY 2016
ORACLE CRITICAL PATCH UPDATE ADVISORY - JULY 2016
DESCRIPTION
A Critical Patch Update (CPU) is a collection of patches for multiple security
vulnerabilities. Critical Patch Update patches are usually cumulative, but each
advisory describes only the security fixes added since the previous Critical
Patch Update advisory. Thus, prior Critical Patch Update advisories should be
reviewed for information regarding earlier published security fixes. Please
refer to:
Critical Patch Updates and Security Alerts for information about Oracle Security
Advisories.
Oracle continues to periodically receive reports of attempts to maliciously
exploit vulnerabilities for which Oracle has already released fixes. In some
instances, it has been reported that attackers have been successful because
targeted customers had failed to apply available Oracle patches. Oracle
therefore strongly recommends that customers remain on actively-supported
versions and apply Critical Patch Update fixes without delay.
This Critical Patch Update contains 276 new security fixes across the product
families listed below. Please note that a blog entry summarizing the content of
this Critical Patch Update and other Oracle Software Security Assurance
activities is located at https://blogs.oracle.com/security.
Please note that the vulnerabilities in this Critical Patch Update are scored
using version 3.0 of Common Vulnerability Scoring Standard (CVSS).
This Critical Patch Update advisory is also available in an XML format that
conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More
information about Oracle's use of CVRF is available here.
AFFECTED PRODUCTS AND COMPONENTS
Security vulnerabilities addressed by this Critical Patch Update affect the
products listed in the categories below. The product area of the patches for the
listed versions is shown in the Patch Availability column corresponding to the
specified Products and Versions column. Please click on the link in the Patch
Availability column below to access the documentation for those patches.
The list of affected product releases and versions that are in Premier Support
or Extended Support, under the Oracle Lifetime Support Policy is as follows:
PATCH AVAILABILITY
For each administered Oracle product, consult the documentation for patch
availability information and installation instructions referenced from the
following table. For an overview of the Oracle product documentation related to
this Critical Patch Update, please refer to the Oracle Critical Patch Update
July 2016 Documentation Map, My Oracle Support Note.
Affected Products and Versions Patch Availability Application Express,
version(s) prior to 5.0.4 Database Oracle Database Server, version(s) 11.2.0.4,
12.1.0.1, 12.1.0.2 Database Oracle Access Manager, version(s) 10.1.4.x, 11.1.1.7
Fusion Middleware Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0,
12.2.1.0.0 Fusion Middleware Oracle Business Intelligence Enterprise Edition,
version(s) 11.1.1.7.0, 11.1.1.9.0, 11.2.1.0.0 Fusion Middleware Oracle Directory
Server Enterprise Edition, version(s) 7.0, 11.1.1.7.0 Fusion Middleware Oracle
Exalogic Infrastructure, version(s) 1.x, 2.x Fusion Middleware Oracle Fusion
Middleware, version(s) 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 11.1.2.3,
12.1.3.0, 12.2.1.0 Fusion Middleware Oracle GlassFish Server, version(s) 2.1.1,
3.0.1, 3.1.2 Fusion Middleware Oracle HTTP Server, version(s) 11.1.1.9, 12.1.3.0
Fusion Middleware Oracle JDeveloper, version(s) 11.1.1.7.0, 11.1.1.9.0,
11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0 Fusion Middleware Oracle Portal, version(s)
11.1.1.6 Fusion Middleware Oracle TopLink, version(s) 12.1.3.0, 12.2.1.0,
12.2.1.1 Fusion Middleware Oracle WebCenter Sites, version(s) 11.1.1.8, 12.2.1.0
Fusion Middleware Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0,
12.2.1.0 Fusion Middleware Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2
Fusion Middleware Hyperion Financial Reporting, version(s) 11.1.2.4 Fusion
Middleware Enterprise Manager Base Platform, version(s) 12.1.0.5, 13.1.0.0
Enterprise Manager Enterprise Manager for Fusion Middleware, version(s)
11.1.1.7, 11.1.1.9 Enterprise Manager Enterprise Manager Ops Center, version(s)
12.1.4, 12.2.2, 12.3.2 Enterprise Manager Oracle E-Business Suite, version(s)
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 E-Business Suite Oracle Agile
Engineering Data Management, version(s) 6.1.3.0, 6.2.0.0 Oracle Supply Chain
Products Oracle Agile PLM, version(s) 9.3.4, 9.3.5 Oracle Supply Chain Products
Oracle Demand Planning, version(s) 12.1, 12.2 Oracle Supply Chain Products
Oracle Transportation Management, version(s) 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4,
6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1 Oracle Supply Chain Products PeopleSoft
Enterprise FSCM, version(s) 9.1, 9.2 PeopleSoft PeopleSoft Enterprise
PeopleTools, version(s) 8.53, 8.54, 8.55 PeopleSoft JD Edwards EnterpriseOne
Tools, version(s) 9.2.0.5 JD Edwards Oracle Knowledge, version(s) 8.5.x Oracle
Knowledge Siebel Applications, version(s) 8.1.1, 8.2.2, IP2014, IP2015, IP2016
Siebel Oracle Fusion Applications, version(s) 11.1.2 through 11.1.10 Fusion
Applications Oracle Communications ASAP, version(s) 7.0, 7.2, 7.3 Oracle
Communications ASAP Oracle Communications Core Session Manager, version(s)
7.2.5, 7.3.5 Oracle Communications Core Session Manager Oracle Communications
EAGLE Application Processor, version(s) 16.0 Oracle Communications EAGLE
Application Processor Oracle Communications Messaging Server, version(s) 6.3,
7.0, 8.0, Prior to 7.0.5.37.0 and 8.0.1.1.0 Oracle Communications Messaging
Server Oracle Communications Network Charging and Control, version(s) 4.4.1.5.0,
5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0 Oracle Communications Network
Charging and Control Oracle Communications Operations Monitor, version(s) prior
to 3.3.92.0.0 Oracle Communications Operations Monitor Oracle Communications
Policy Management, version(s) prior to 9.9.2 Oracle Communications Policy
Management Oracle Communications Session Border Controller, version(s) 7.2.0,
7.3.0 Oracle Communications Session Border Controller Oracle Communications
Unified Session Manager, version(s) 7.2.5, 7.3.5 Oracle Communications Unified
Session Manager Oracle Enterprise Communications Broker, version(s) Prior to PCz
2.0.0m4p1 Oracle Enterprise Communications Broker Oracle Banking Platform,
version(s) 2.3.0, 2.4.0, 2.4.1, 2.5.0 Oracle Banking Platform Oracle Financial
Services Lending and Leasing, version(s) 14.1, 14.2 Oracle Financial Services
Applications Oracle FLEXCUBE Direct Banking, version(s) 12.0.1, 12.0.2, 12.0.3
Oracle Financial Services Applications Oracle Health Sciences Clinical
Development Center, version(s) 3.1.1.x, 3.1.2.x Health Sciences Oracle Health
Sciences Information Manager, version(s) 1.2.8.3, 2.0.2.3, 3.0.1.0 Health
Sciences Oracle Healthcare Analytics Data Integration, version(s) 3.1.0.0.0
Health Sciences Oracle Healthcare Master Person Index, version(s) 2.0.12, 3.0.0,
4.0.1 Health Sciences Oracle Documaker, version(s) prior to 12.5 Oracle
Insurance Applications Oracle Insurance Calculation Engine, version(s) 9.7.1,
10.1.2, 10.2.2 Oracle Insurance Applications Oracle Insurance Policy
Administration J2EE, version(s) 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
Oracle Insurance Applications Oracle Insurance Rules Palette, version(s) 9.6.1,
9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2 Oracle Insurance Applications MICROS
Retail XBRi Loss Prevention, version(s) 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0,
10.8.1 Retail XBRi Oracle Retail Central, Back Office, Returns Management,
version(s) 13.1, 13.2, 13.3, 13.4, 14.0, 14.1, 12.0 13.0 Retail Point-of-Service
Oracle Retail Integration Bus, version(s) 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
Retail Integration Bus Oracle Retail Order Broker, version(s) 4.1, 5.1, 5.2,
15.0 Retail Order Broker Oracle Retail Service Backbone, version(s) 13.0, 13.1,
13.2, 14.0, 14.1, 15.0 Retail Service Backbone Oracle Retail Store Inventory
Management, version(s) 12.0, 13.0, 13.1, 13.2, 14.0, 14.1 Retail Store Inventory
Management Oracle Utilities Framework, version(s) 2.2.0.0.0, 4.1.0.1.0,
4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.2.0 Oracle
Utilities Applications Oracle Utilities Network Management System, version(s)
1.10.0.6.27, 1.11.0.4.41, 1.11.0.5.4, 1.12.0.1.16, 1.12.0.2.12. 1.12.0.3.5
Oracle Utilities Applications Oracle Utilities Work and Asset Management,
version(s) 1.9.1.2.8 Oracle Utilities Applications Oracle In-Memory Policy
Analytics, version(s) 12.0.1 Oracle Policy Automation Oracle Policy Automation,
version(s) 10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5,
10.4.6, 12.1.0, 12.1.1 Oracle Policy Automation Oracle Policy Automation
Connector for Siebel, version(s) 10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4,
10.4.5, 10.4.6 Oracle Policy Automation Oracle Policy Automation for Mobile
Devices, version(s) 12.1.1 Oracle Policy Automation Primavera Contract
Management, version(s) 14.2 Oracle Primavera Products Suite Primavera P6
Enterprise Project Portfolio Management, version(s) 8.2, 8.3, 8.4, 15.1, 15.2,
16.1 Oracle Primavera Products Suite Oracle Java SE, version(s) 6u115, 7u101,
8u92 Oracle Java SE Oracle Java SE Embedded, version(s) 8u91 Oracle Java SE
Oracle JRockit, version(s) R28.3.10 Oracle Java SE 40G 10G 72/64 Ethernet
Switch, version(s) 2.0.0 Oracle and Sun Systems Products Suite Fujitsu M10-1,
M10-4, M10-4S Servers, version(s) prior to XCP 2320 Oracle and Sun Systems
Products Suite ILOM, version(s) 3.0, 3.1, 3.2 Oracle and Sun Systems Products
Suite Oracle Switch ES1-24, version(s) 1.3 Oracle and Sun Systems Products Suite
Solaris, version(s) 10, 11.3 Oracle and Sun Systems Products Suite Solaris
Cluster, version(s) 3.3, 4.3 Oracle and Sun Systems Products Suite SPARC
Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) prior to XCP
1121 Oracle and Sun Systems Products Suite Sun Blade 6000 Ethernet Switched NEM
24P 10GE, version(s) 1.2 Oracle and Sun Systems Products Suite Sun Data Center
InfiniBand Switch 36, version(s) prior to 2.2.2 Oracle and Sun Systems Products
Suite Sun Network 10GE Switch 72p, version(s) 1.2 Oracle and Sun Systems
Products Suite Sun Network QDR InfiniBand Gateway Switch, version(s) prior to
2.2.2 Oracle and Sun Systems Products Suite Oracle Secure Global Desktop,
version(s) 4.63, 4.71, 5.2 Oracle Linux and Virtualization Oracle VM VirtualBox,
version(s) prior to 5.0.26 Oracle Linux and Virtualization MySQL Server,
version(s) 5.5.49 and prior, 5.6.30 and prior, 5.7.12 and prior Oracle MySQL
Product Suite
Affected Products and Versions Patch Availability Application Express,
version(s) prior to 5.0.4 Database Oracle Database Server, version(s) 11.2.0.4,
12.1.0.1, 12.1.0.2 Database Oracle Access Manager, version(s) 10.1.4.x, 11.1.1.7
Fusion Middleware Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0,
12.2.1.0.0 Fusion Middleware Oracle Business Intelligence Enterprise Edition,
version(s) 11.1.1.7.0, 11.1.1.9.0, 11.2.1.0.0 Fusion Middleware Oracle Directory
Server Enterprise Edition, version(s) 7.0, 11.1.1.7.0 Fusion Middleware Oracle
Exalogic Infrastructure, version(s) 1.x, 2.x Fusion Middleware Oracle Fusion
Middleware, version(s) 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 11.1.2.3,
12.1.3.0, 12.2.1.0 Fusion Middleware Oracle GlassFish Server, version(s) 2.1.1,
3.0.1, 3.1.2 Fusion Middleware Oracle HTTP Server, version(s) 11.1.1.9, 12.1.3.0
Fusion Middleware Oracle JDeveloper, version(s) 11.1.1.7.0, 11.1.1.9.0,
11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0 Fusion Middleware Oracle Portal, version(s)
11.1.1.6 Fusion Middleware Oracle TopLink, version(s) 12.1.3.0, 12.2.1.0,
12.2.1.1 Fusion Middleware Oracle WebCenter Sites, version(s) 11.1.1.8, 12.2.1.0
Fusion Middleware Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0,
12.2.1.0 Fusion Middleware Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2
Fusion Middleware Hyperion Financial Reporting, version(s) 11.1.2.4 Fusion
Middleware Enterprise Manager Base Platform, version(s) 12.1.0.5, 13.1.0.0
Enterprise Manager Enterprise Manager for Fusion Middleware, version(s)
11.1.1.7, 11.1.1.9 Enterprise Manager Enterprise Manager Ops Center, version(s)
12.1.4, 12.2.2, 12.3.2 Enterprise Manager Oracle E-Business Suite, version(s)
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 E-Business Suite Oracle Agile
Engineering Data Management, version(s) 6.1.3.0, 6.2.0.0 Oracle Supply Chain
Products Oracle Agile PLM, version(s) 9.3.4, 9.3.5 Oracle Supply Chain Products
Oracle Demand Planning, version(s) 12.1, 12.2 Oracle Supply Chain Products
Oracle Transportation Management, version(s) 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4,
6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1 Oracle Supply Chain Products PeopleSoft
Enterprise FSCM, version(s) 9.1, 9.2 PeopleSoft PeopleSoft Enterprise
PeopleTools, version(s) 8.53, 8.54, 8.55 PeopleSoft JD Edwards EnterpriseOne
Tools, version(s) 9.2.0.5 JD Edwards Oracle Knowledge, version(s) 8.5.x Oracle
Knowledge Siebel Applications, version(s) 8.1.1, 8.2.2, IP2014, IP2015, IP2016
Siebel Oracle Fusion Applications, version(s) 11.1.2 through 11.1.10 Fusion
Applications Oracle Communications ASAP, version(s) 7.0, 7.2, 7.3 Oracle
Communications ASAP Oracle Communications Core Session Manager, version(s)
7.2.5, 7.3.5 Oracle Communications Core Session Manager Oracle Communications
EAGLE Application Processor, version(s) 16.0 Oracle Communications EAGLE
Application Processor Oracle Communications Messaging Server, version(s) 6.3,
7.0, 8.0, Prior to 7.0.5.37.0 and 8.0.1.1.0 Oracle Communications Messaging
Server Oracle Communications Network Charging and Control, version(s) 4.4.1.5.0,
5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0 Oracle Communications Network
Charging and Control Oracle Communications Operations Monitor, version(s) prior
to 3.3.92.0.0 Oracle Communications Operations Monitor Oracle Communications
Policy Management, version(s) prior to 9.9.2 Oracle Communications Policy
Management Oracle Communications Session Border Controller, version(s) 7.2.0,
7.3.0 Oracle Communications Session Border Controller Oracle Communications
Unified Session Manager, version(s) 7.2.5, 7.3.5 Oracle Communications Unified
Session Manager Oracle Enterprise Communications Broker, version(s) Prior to PCz
2.0.0m4p1 Oracle Enterprise Communications Broker Oracle Banking Platform,
version(s) 2.3.0, 2.4.0, 2.4.1, 2.5.0 Oracle Banking Platform Oracle Financial
Services Lending and Leasing, version(s) 14.1, 14.2 Oracle Financial Services
Applications Oracle FLEXCUBE Direct Banking, version(s) 12.0.1, 12.0.2, 12.0.3
Oracle Financial Services Applications Oracle Health Sciences Clinical
Development Center, version(s) 3.1.1.x, 3.1.2.x Health Sciences Oracle Health
Sciences Information Manager, version(s) 1.2.8.3, 2.0.2.3, 3.0.1.0 Health
Sciences Oracle Healthcare Analytics Data Integration, version(s) 3.1.0.0.0
Health Sciences Oracle Healthcare Master Person Index, version(s) 2.0.12, 3.0.0,
4.0.1 Health Sciences Oracle Documaker, version(s) prior to 12.5 Oracle
Insurance Applications Oracle Insurance Calculation Engine, version(s) 9.7.1,
10.1.2, 10.2.2 Oracle Insurance Applications Oracle Insurance Policy
Administration J2EE, version(s) 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
Oracle Insurance Applications Oracle Insurance Rules Palette, version(s) 9.6.1,
9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2 Oracle Insurance Applications MICROS
Retail XBRi Loss Prevention, version(s) 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0,
10.8.1 Retail XBRi Oracle Retail Central, Back Office, Returns Management,
version(s) 13.1, 13.2, 13.3, 13.4, 14.0, 14.1, 12.0 13.0 Retail Point-of-Service
Oracle Retail Integration Bus, version(s) 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
Retail Integration Bus Oracle Retail Order Broker, version(s) 4.1, 5.1, 5.2,
15.0 Retail Order Broker Oracle Retail Service Backbone, version(s) 13.0, 13.1,
13.2, 14.0, 14.1, 15.0 Retail Service Backbone Oracle Retail Store Inventory
Management, version(s) 12.0, 13.0, 13.1, 13.2, 14.0, 14.1 Retail Store Inventory
Management Oracle Utilities Framework, version(s) 2.2.0.0.0, 4.1.0.1.0,
4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.2.0 Oracle
Utilities Applications Oracle Utilities Network Management System, version(s)
1.10.0.6.27, 1.11.0.4.41, 1.11.0.5.4, 1.12.0.1.16, 1.12.0.2.12. 1.12.0.3.5
Oracle Utilities Applications Oracle Utilities Work and Asset Management,
version(s) 1.9.1.2.8 Oracle Utilities Applications Oracle In-Memory Policy
Analytics, version(s) 12.0.1 Oracle Policy Automation Oracle Policy Automation,
version(s) 10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5,
10.4.6, 12.1.0, 12.1.1 Oracle Policy Automation Oracle Policy Automation
Connector for Siebel, version(s) 10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4,
10.4.5, 10.4.6 Oracle Policy Automation Oracle Policy Automation for Mobile
Devices, version(s) 12.1.1 Oracle Policy Automation Primavera Contract
Management, version(s) 14.2 Oracle Primavera Products Suite Primavera P6
Enterprise Project Portfolio Management, version(s) 8.2, 8.3, 8.4, 15.1, 15.2,
16.1 Oracle Primavera Products Suite Oracle Java SE, version(s) 6u115, 7u101,
8u92 Oracle Java SE Oracle Java SE Embedded, version(s) 8u91 Oracle Java SE
Oracle JRockit, version(s) R28.3.10 Oracle Java SE 40G 10G 72/64 Ethernet
Switch, version(s) 2.0.0 Oracle and Sun Systems Products Suite Fujitsu M10-1,
M10-4, M10-4S Servers, version(s) prior to XCP 2320 Oracle and Sun Systems
Products Suite ILOM, version(s) 3.0, 3.1, 3.2 Oracle and Sun Systems Products
Suite Oracle Switch ES1-24, version(s) 1.3 Oracle and Sun Systems Products Suite
Solaris, version(s) 10, 11.3 Oracle and Sun Systems Products Suite Solaris
Cluster, version(s) 3.3, 4.3 Oracle and Sun Systems Products Suite SPARC
Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) prior to XCP
1121 Oracle and Sun Systems Products Suite Sun Blade 6000 Ethernet Switched NEM
24P 10GE, version(s) 1.2 Oracle and Sun Systems Products Suite Sun Data Center
InfiniBand Switch 36, version(s) prior to 2.2.2 Oracle and Sun Systems Products
Suite Sun Network 10GE Switch 72p, version(s) 1.2 Oracle and Sun Systems
Products Suite Sun Network QDR InfiniBand Gateway Switch, version(s) prior to
2.2.2 Oracle and Sun Systems Products Suite Oracle Secure Global Desktop,
version(s) 4.63, 4.71, 5.2 Oracle Linux and Virtualization Oracle VM VirtualBox,
version(s) prior to 5.0.26 Oracle Linux and Virtualization MySQL Server,
version(s) 5.5.49 and prior, 5.6.30 and prior, 5.7.12 and prior Oracle MySQL
Product Suite
NOTE:
* Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may
affect Oracle Fusion Applications, so Oracle customers should refer to Oracle
Fusion Applications Critical Patch Update Knowledge Document, My Oracle
Support Note 1967316.1 for information on patches to be applied to Fusion
Application environments.
* Users running Java SE with a browser can download the latest release from
http://java.com. Users on the Windows and Mac OS X platforms can also use
automatic updates to get the latest release.
* Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle
customers should refer to the Oracle and Sun Systems Product Suite Critical
Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for
information on minimum revisions of security fixes required to resolve ZFSSA
issues published in Critical Patch Updates (CPUs) and Solaris Third Party
bulletins.
RISK MATRIX CONTENT
Risk matrices list only security vulnerabilities that are newly fixed by the
patches associated with this advisory. Risk matrices for previous security fixes
can be found in previous Critical Patch Update advisories. An English text
version of the risk matrices provided in this document is here.
Several vulnerabilities addressed in this Critical Patch Update affect multiple
products. Each vulnerability is identified by a CVE# which is a unique
identifier for a vulnerability. A vulnerability that affects multiple products
will appear with the same CVE# in all risk matrices. A CVE# shown in italics
indicates that this vulnerability impacts a different product, but also has
impact on the product where the italicized CVE# is listed.
Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS
Scoring for an explanation of how Oracle applies CVSS version 3.0).
Oracle conducts an analysis of each security vulnerability addressed by a
Critical Patch Update (CPU). Oracle does not disclose information about the
security analysis, but the resulting Risk Matrix and associated documentation
provide information about the type of vulnerability, the conditions required to
exploit it, and the potential impact of a successful exploit. Oracle provides
this information, in part, so that customers may conduct their own risk analysis
based on the particulars of their product usage. For more information, see
Oracle vulnerability disclosure policies.
The protocol in the risk matrix implies that all of its secure variants (if
applicable) are affected as well. For example, if HTTP is listed as an affected
protocol, it implies that HTTPS (if applicable) is also affected. The secure
variant of a protocol is listed in the risk matrix only if it is the only
variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL
and TLS.
WORKAROUNDS
Due to the threat posed by a successful attack, Oracle strongly recommends that
customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it
may be possible to reduce the risk of successful attack by blocking network
protocols required by an attack. For attacks that require certain privileges or
access to certain packages, removing the privileges or the ability to access the
packages from users that do not need the privileges may help reduce the risk of
successful attack. Both approaches may break application functionality, so
Oracle strongly recommends that customers test changes on non-production
systems. Neither approach should be considered a long-term solution as neither
corrects the underlying problem.
SKIPPED CRITICAL PATCH UPDATES
Oracle strongly recommends that customers apply security fixes as soon as
possible. For customers that have skipped one or more Critical Patch Updates and
are concerned about products that do not have security fixes announced in this
CPU, please review previous Critical Patch Update advisories to determine
appropriate actions.
PRODUCT DEPENDENCIES
Oracle products may have dependencies on other Oracle products. Hence security
vulnerability fixes announced in this Critical Patch Update may affect one or
more dependent Oracle products. For details regarding these dependencies and how
to apply patches to dependent products, please refer to Patch Set Update and
Critical Patch Update July 2016 Availability Document, My Oracle Support Note
2136219.1.
CRITICAL PATCH UPDATE SUPPORTED PRODUCTS AND VERSIONS
Patches released through the Critical Patch Update program are provided only for
product versions that are covered under the Premier Support or Extended Support
phases of the Lifetime Support Policy. We recommend that customers plan product
upgrades to ensure that patches released through the Critical Patch Update
program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not
tested for the presence of vulnerabilities addressed by this Critical Patch
Update. However, it is likely that earlier versions of affected releases are
also affected by these vulnerabilities. As a result, Oracle recommends that
customers upgrade to supported versions.
Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform
(formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite
products are patched in accordance with the Software Error Correction Support
Policy explained in My Oracle Support Note 209768.1. Please review the Technical
Support Policies for further guidelines regarding support policies and phases of
support.
PRODUCTS IN EXTENDED SUPPORT
Patches released through the Critical Patch Update program are available to
customers who have Extended Support under the Lifetime Support Policy. Customers
must have a valid Extended Support service contract to download patches released
through the Critical Patch Update program for products in the Extended Support
Phase.
CREDIT STATEMENT
The following people or organizations reported security vulnerabilities
addressed by this Critical Patch Update to Oracle: Accenture TVM Prague; Adam
Willard of Raytheon Foreground Security; Alexander Kornbrust of Red Database
Security; Alexander Mirosh of Hewlett Packard Enterprise; Alvaro Munoz of
Hewlett Packard Enterprise; Alvaro Munoz of Trend Micro's Zero Day Initiative;
Ben Lincoln of NCC Group; Brian Martin of Tenable Network Security; Bruno
Cirone; Christian Schneider; David Litchfield of Google; Devin Rosenbauer of
Identity Works LLC; Aleksandar Nikolic of Cisco Talos; Jack Fei of FINRA; Juan
Manuel Fernández Torres of Telefonica.com; Kasper Andersen; Matias Mevied of
Onapsis; Matthias Kaiser of Code White; Matthias-Christian Ott; Nicholas
Lemonias of Advanced Information Security Corporation; Nicolas Collignon of
synacktiv; Reno Robert; Spyridon Chatzimichail of OTE Hellenic
Telecommunications Organization S.A.; Stephan Borosh of Veris Group, LLC;
Stephen Kost of Integrigy; Steven Seeley working with Beyond Security's SSD
program; Sven Blumenstein of Google; Teemu Kääriäinen; Ubais PK; and XOR19 of
Trend Micro's Zero Day Initiative.
SECURITY-IN-DEPTH CONTRIBUTORS
Oracle acknowledges people who have contributed to our Security-In-Depth program
(see FAQ). People are acknowledged for Security-In-Depth contributions if they
provide information, observations or suggestions pertaining to security
vulnerability issues that result in significant modification of Oracle code or
documentation in future releases, but are not of such a critical nature that
they are distributed in Critical Patch Updates.
In this Critical Patch Update Advisory, Oracle recognizes Alexey Tyurin of
ERPScan; David Litchfield of Google; Paul M. Wright; and Quan Nguyen of Google
for contributions to Oracle's Security-In-Depth program.
ON-LINE PRESENCE SECURITY CONTRIBUTORS
Oracle provides acknowledges people who have contributed to our On-Line Presence
Security program (see FAQ). People are acknowledged for contributions relating
to Oracle's on-line presence if they provide information, observations or
suggestions pertaining to security-related issues that result in significant
modification to Oracle's on-line external-facing systems.
For this quarter, Oracle recognizes Adam Willard of Raytheon Foreground
Security; Cameron Dawe of Spam404.com; Jubaer Al Nazi - ServerGhosts Bangladesh;
Karim Rahal; Latish Danawale of Pristine Infosolutions; Othmane Tamagart -
APPBOX; Ramal Hajataliyev; Rodolfo Godalle Jr.; Shawar Khan; Tayyab Qadir; Vikas
Khanna; and Winnye Jakeson for contributions to Oracle's On-Line Presence
Security program.
CRITICAL PATCH UPDATE SCHEDULE
Critical Patch Updates are released on the Tuesday closest to the 17th day of
January, April, July and October. The next four dates are:
* 18 October 2016
* 17 January 2017
* 18 April 2017
* 18 July 2017
REFERENCES
* Oracle Critical Patch Updates and Security Alerts main page [ Oracle
Technology Network ]
* Critical Patch Update - July 2016 Documentation Map [ My Oracle Support
Note ]
* Oracle Critical Patch Updates and Security Alerts - Frequently Asked
Questions [ CPU FAQ ]
* Risk Matrix definitions [ Risk Matrix Definitions ]
* Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS
Scoring ]
* English text version of the risk matrices [ Oracle Technology Network ]
* CVRF XML version of the risk matrices [ Oracle Technology Network ]
* The Oracle Software Security Assurance Blog [ The Oracle Software Security
Assurance Blog ]
* List of public vulnerabilities fixed in Critical Patch Updates and Security
Alerts [ Oracle Technology Network ]
* Software Error Correction Support Policy [ My Oracle Support Note 209768.1
]
MODIFICATION HISTORY
Date Note 2016-October-18 Rev 2. Updated score for CVE-2016-3504 and associated
it with CVE-2016-5019. 2016-July-19 Rev 1. Initial Release.
Date Note 2016-October-18 Rev 2. Updated score for CVE-2016-3504 and associated
it with CVE-2016-5019. 2016-July-19 Rev 1. Initial Release.
APPENDIX - ORACLE DATABASE SERVER
ORACLE DATABASE SERVER EXECUTIVE SUMMARY
This Critical Patch Update contains 9 new security fixes for the Oracle Database
Server. 5 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without the need for a
username and password. 2 of these fixes are applicable to client-only
installations, i.e., installations that do not have the Oracle Database Server
installed. The English text form of this Risk Matrix can be found here.
ORACLE DATABASE SERVER RISK MATRIX
CVE# Component Package and/or Privilege Required Protocol Remote Exploit without
Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions
Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact
Scope Confidentiality Integrity Availability CVE-2016-3609 OJVM Create
Session Multiple No 9.0 Network Low Low Required Changed High High High
11.2.0.4, 12.1.0.1, 12.1.0.2 See Note 1 CVE-2016-3506 JDBC None Oracle Net Yes
8.1 Network High None None Un changed High High High 11.2.0.4, 12.1.0.1,
12.1.0.2 CVE-2016-3479 Portable Clusterware None Oracle Net Yes 7.5 Network
Low None None Un changed None None High 11.2.0.4, 12.1.0.2 CVE-2016-3489 Data
Pump Import Index on SYS.INCVID Oracle Net No 6.7 Local Low High None Un changed
High High High 11.2.0.4, 12.1.0.1, 12.1.0.2 CVE-2016-3448 Application Express
None HTTP Yes 6.1 Network Low None Required Changed Low Low None Prior to 5.0.4
CVE-2016-3467 Application Express None HTTP Yes 5.8 Network Low None None
Changed None None Low Prior to 5.0.4 CVE-2015-0204 RDBMS HTTPS Listener HTTPS
Yes 5.3 Network High None Required Un changed None High None 12.1.0.1, 12.1.0.2
CVE-2016-3488 DB Sharding Execute on gsmadmin_internal Oracle Net No 4.4 Local
Low High None Un changed None High None 12.1.0.2 CVE-2016-3484 Database Vault
Create Public Synonym Oracle Net No 3.4 Local Low High None Un changed Low Low
None 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE# Component Package and/or Privilege Required Protocol Remote Exploit without
Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions
Affected Notes Base Score Attack Vector Attack Complex Privs Req'd User Interact
Scope Confidentiality Integrity Availability CVE-2016-3609 OJVM Create
Session Multiple No 9.0 Network Low Low Required Changed High High High
11.2.0.4, 12.1.0.1, 12.1.0.2 See Note 1 CVE-2016-3506 JDBC None Oracle Net Yes
8.1 Network High None None Un changed High High High 11.2.0.4, 12.1.0.1,
12.1.0.2 CVE-2016-3479 Portable Clusterware None Oracle Net Yes 7.5 Network
Low None None Un changed None None High 11.2.0.4, 12.1.0.2 CVE-2016-3489 Data
Pump Import Index on SYS.INCVID Oracle Net No 6.7 Local Low High None Un changed
High High High 11.2.0.4, 12.1.0.1, 12.1.0.2 CVE-2016-3448 Application Express
None HTTP Yes 6.1 Network Low None Required Changed Low Low None Prior to 5.0.4
CVE-2016-3467 Application Express None HTTP Yes 5.8 Network Low None None
Changed None None Low Prior to 5.0.4 CVE-2015-0204 RDBMS HTTPS Listener HTTPS
Yes 5.3 Network High None Required Un changed None High None 12.1.0.1, 12.1.0.2
CVE-2016-3488 DB Sharding Execute on gsmadmin_internal Oracle Net No 4.4 Local
Low High None Un changed None High None 12.1.0.2 CVE-2016-3484 Database Vault
Create Public Synonym Oracle Net No 3.4 Local Low High None Un changed Low Low
None 11.2.0.4, 12.1.0.1, 12.1.0.2
NOTES:
1. The score 9.0 is for Windows platform. On Linux platform the score is 8.0.
ORACLE DATABASE SERVER CLIENT-ONLY INSTALLATIONS
The following Oracle Database Server vulnerabilities included in this Critical
Patch Update affect client-only installations: CVE-2016-3506 and CVE-2015-0204.
APPENDIX - ORACLE FUSION MIDDLEWARE
ORACLE FUSION MIDDLEWARE EXECUTIVE SUMMARY
This Critical Patch Update contains 40 new security fixes for Oracle Fusion
Middleware. 35 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without the need for a
username and password. The English text form of this Risk Matrix can be found
here.
ORACLE FUSION MIDDLEWARE RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-7182 Oracle Directory Server
Enterprise Edition Admin Server HTTPS Yes 9.8 Network Low None None Un changed
High High High 7.0, 11.1.1.7.0 CVE-2016-3607 Oracle GlassFish Server Web
Container HTTP Yes 9.8 Network Low None None Un changed High High High 3.0.1,
3.1.2 CVE-2016-3510 Oracle WebLogic Server WLS Core Components HTTP Yes 9.8
Network Low None None Un changed High High High 10.3.6.0, 12.1.3.0, 12.2.1.0
CVE-2016-3586 Oracle WebLogic Server WLS Core Components HTTP Yes 9.8 Network
Low None None Un changed High High High 10.3.6.0, 12.1.3.0, 12.2.1.0
CVE-2016-3499 Oracle WebLogic Server Web Container HTTP Yes 9.8 Network Low None
None Un changed High High High 12.1.3.0, 12.2.1.0 CVE-2016-3504 Oracle
JDeveloper ADF Faces HTTP Yes 9.8 Network Low None None Un changed High High
High 11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0 CVE-2016-3574
Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un
changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3575 Outside In
Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un changed High
Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3576 Outside In Technology
Outside In Filters HTTP Yes 8.6 Network Low None None Un changed High Low Low
8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3577 Outside In Technology Outside In
Filters HTTP Yes 8.6 Network Low None None Un changed High Low Low 8.5.0, 8.5.1,
8.5.2 See Note 1 CVE-2016-3578 Outside In Technology Outside In Filters HTTP Yes
8.6 Network Low None None Un changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3579 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low
None None Un changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3580
Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un
changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3581 Outside In
Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un changed High
Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3582 Outside In Technology
Outside In Filters HTTP Yes 8.6 Network Low None None Un changed High Low Low
8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3583 Outside In Technology Outside In
Filters HTTP Yes 8.6 Network Low None None Un changed High Low Low 8.5.0, 8.5.1,
8.5.2 See Note 1 CVE-2016-3590 Outside In Technology Outside In Filters HTTP Yes
8.6 Network Low None None Un changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3591 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low
None None Un changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3592
Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un
changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3593 Outside In
Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un changed High
Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3594 Outside In Technology
Outside In Filters HTTP Yes 8.6 Network Low None None Un changed High Low Low
8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3595 Outside In Technology Outside In
Filters HTTP Yes 8.6 Network Low None None Un changed High Low Low 8.5.0, 8.5.1,
8.5.2 See Note 1 CVE-2016-3596 Outside In Technology Outside In Filters HTTP Yes
8.6 Network Low None None Un changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3446 Oracle Business Intelligence Enterprise Edition Analytics Web
Administration HTTP Yes 8.3 Network Low None None Changed Low Low Low
11.1.1.7.0, 11.1.1.9.0 CVE-2016-1181 Oracle Portal User and Group Security
HTTP Yes 8.1 Network High None None Un changed High High High 11.1.1.6 See
Note 2 CVE-2016-3564 Oracle TopLink JPA-RS HTTP Yes 8.1 Network High None None
Un changed High High High 12.1.3.0, 12.2.1.0, 12.2.1.1 CVE-2016-3487 Oracle
WebCenter Sites WebCenter Sites HTTP Yes 8.1 Network High None None Un changed
High High High 11.1.1.8, 12.2.1.0 CVE-2016-3544 Oracle Business Intelligence
Enterprise Edition Analytics Web General HTTP No 7.6 Network Low Low Required
Changed High Low None 11.1.1.7.0, 11.1.1.9.0, 11.2.1.0.0 CVE-2016-1548 Oracle
Exalogic Infrastructure Base Image Multiple Yes 6.5 Network Low None None Un
changed None Low Low 1.x, 2.x CVE-2015-3237 Oracle GlassFish Server
Administration HTTP Yes 6.5 Network Low None None Un changed Low None Low 3.0.1,
3.1.2 CVE-2016-3502 Oracle WebCenter Sites WebCenter Sites HTTP No 6.5 Network
Low Low Required Changed Low Low Low 11.1.1.8, 12.2.1.0 CVE-2016-2107 Oracle
Access Manager Web Server Plugin HTTPS Yes 5.9 Network High None None Un changed
High None None 10.1.4.x, 11.1.1.7 CVE-2016-2107 Oracle Exalogic Infrastructure
Base Image Multiple Yes 5.9 Network High None None Un changed High None None
1.x, 2.x CVE-2016-3608 Oracle GlassFish Server Administration HTTP Yes 5.8
Network Low None None Changed Low None None 3.0.1 CVE-2016-5477 Oracle
GlassFish Server Administration HTTP Yes 5.8 Network Low None None Changed Low
None None 2.1.1, 3.0.1 CVE-2016-3432 BI Publisher (formerly XML Publisher) Web
Server HTTP No 5.4 Network Low Low Required Changed Low Low None 11.1.1.7.0,
11.1.1.9.0 CVE-2016-3433 Oracle Business Intelligence Enterprise Edition
Analytics Web Administration HTTP No 5.4 Network Low Low Required Changed Low
Low None 11.1.1.7.0, 11.1.1.9.0 CVE-2016-3445 Oracle WebLogic Server Web
Container HTTP Yes 5.3 Network Low None None Un changed None None Low 10.3.6.0,
12.1.3.0 CVE-2016-3474 BI Publisher (formerly XML Publisher) Security HTTP Yes
3.7 Network High None None Un changed Low None None 11.1.1.7.0, 11.1.1.9.0,
12.2.1.0.0 CVE-2016-3482 Oracle HTTP Server SSL/TLS Module HTTPS Yes 3.7
Network High None None Un changed Low None None 11.1.1.9, 12.1.3.0
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-7182 Oracle Directory Server
Enterprise Edition Admin Server HTTPS Yes 9.8 Network Low None None Un changed
High High High 7.0, 11.1.1.7.0 CVE-2016-3607 Oracle GlassFish Server Web
Container HTTP Yes 9.8 Network Low None None Un changed High High High 3.0.1,
3.1.2 CVE-2016-3510 Oracle WebLogic Server WLS Core Components HTTP Yes 9.8
Network Low None None Un changed High High High 10.3.6.0, 12.1.3.0, 12.2.1.0
CVE-2016-3586 Oracle WebLogic Server WLS Core Components HTTP Yes 9.8 Network
Low None None Un changed High High High 10.3.6.0, 12.1.3.0, 12.2.1.0
CVE-2016-3499 Oracle WebLogic Server Web Container HTTP Yes 9.8 Network Low None
None Un changed High High High 12.1.3.0, 12.2.1.0 CVE-2016-3504 Oracle
JDeveloper ADF Faces HTTP Yes 9.8 Network Low None None Un changed High High
High 11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0 CVE-2016-3574
Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un
changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3575 Outside In
Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un changed High
Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3576 Outside In Technology
Outside In Filters HTTP Yes 8.6 Network Low None None Un changed High Low Low
8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3577 Outside In Technology Outside In
Filters HTTP Yes 8.6 Network Low None None Un changed High Low Low 8.5.0, 8.5.1,
8.5.2 See Note 1 CVE-2016-3578 Outside In Technology Outside In Filters HTTP Yes
8.6 Network Low None None Un changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3579 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low
None None Un changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3580
Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un
changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3581 Outside In
Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un changed High
Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3582 Outside In Technology
Outside In Filters HTTP Yes 8.6 Network Low None None Un changed High Low Low
8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3583 Outside In Technology Outside In
Filters HTTP Yes 8.6 Network Low None None Un changed High Low Low 8.5.0, 8.5.1,
8.5.2 See Note 1 CVE-2016-3590 Outside In Technology Outside In Filters HTTP Yes
8.6 Network Low None None Un changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3591 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low
None None Un changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3592
Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un
changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3593 Outside In
Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un changed High
Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3594 Outside In Technology
Outside In Filters HTTP Yes 8.6 Network Low None None Un changed High Low Low
8.5.0, 8.5.1, 8.5.2 See Note 1 CVE-2016-3595 Outside In Technology Outside In
Filters HTTP Yes 8.6 Network Low None None Un changed High Low Low 8.5.0, 8.5.1,
8.5.2 See Note 1 CVE-2016-3596 Outside In Technology Outside In Filters HTTP Yes
8.6 Network Low None None Un changed High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3446 Oracle Business Intelligence Enterprise Edition Analytics Web
Administration HTTP Yes 8.3 Network Low None None Changed Low Low Low
11.1.1.7.0, 11.1.1.9.0 CVE-2016-1181 Oracle Portal User and Group Security
HTTP Yes 8.1 Network High None None Un changed High High High 11.1.1.6 See
Note 2 CVE-2016-3564 Oracle TopLink JPA-RS HTTP Yes 8.1 Network High None None
Un changed High High High 12.1.3.0, 12.2.1.0, 12.2.1.1 CVE-2016-3487 Oracle
WebCenter Sites WebCenter Sites HTTP Yes 8.1 Network High None None Un changed
High High High 11.1.1.8, 12.2.1.0 CVE-2016-3544 Oracle Business Intelligence
Enterprise Edition Analytics Web General HTTP No 7.6 Network Low Low Required
Changed High Low None 11.1.1.7.0, 11.1.1.9.0, 11.2.1.0.0 CVE-2016-1548 Oracle
Exalogic Infrastructure Base Image Multiple Yes 6.5 Network Low None None Un
changed None Low Low 1.x, 2.x CVE-2015-3237 Oracle GlassFish Server
Administration HTTP Yes 6.5 Network Low None None Un changed Low None Low 3.0.1,
3.1.2 CVE-2016-3502 Oracle WebCenter Sites WebCenter Sites HTTP No 6.5 Network
Low Low Required Changed Low Low Low 11.1.1.8, 12.2.1.0 CVE-2016-2107 Oracle
Access Manager Web Server Plugin HTTPS Yes 5.9 Network High None None Un changed
High None None 10.1.4.x, 11.1.1.7 CVE-2016-2107 Oracle Exalogic Infrastructure
Base Image Multiple Yes 5.9 Network High None None Un changed High None None
1.x, 2.x CVE-2016-3608 Oracle GlassFish Server Administration HTTP Yes 5.8
Network Low None None Changed Low None None 3.0.1 CVE-2016-5477 Oracle
GlassFish Server Administration HTTP Yes 5.8 Network Low None None Changed Low
None None 2.1.1, 3.0.1 CVE-2016-3432 BI Publisher (formerly XML Publisher) Web
Server HTTP No 5.4 Network Low Low Required Changed Low Low None 11.1.1.7.0,
11.1.1.9.0 CVE-2016-3433 Oracle Business Intelligence Enterprise Edition
Analytics Web Administration HTTP No 5.4 Network Low Low Required Changed Low
Low None 11.1.1.7.0, 11.1.1.9.0 CVE-2016-3445 Oracle WebLogic Server Web
Container HTTP Yes 5.3 Network Low None None Un changed None None Low 10.3.6.0,
12.1.3.0 CVE-2016-3474 BI Publisher (formerly XML Publisher) Security HTTP Yes
3.7 Network High None None Un changed Low None None 11.1.1.7.0, 11.1.1.9.0,
12.2.1.0.0 CVE-2016-3482 Oracle HTTP Server SSL/TLS Module HTTPS Yes 3.7
Network High None None Un changed Low None None 11.1.1.9, 12.1.3.0
NOTES:
1. Outside In Technology is a suite of software development kits (SDKs). The
protocol and CVSS score depend on the software that uses the Outside In
Technology code. The CVSS score assumes that the software passes data
received over a network directly to Outside In Technology code, but if data
is not received over a network the CVSS score may be lower.
2. Please refer to My Oracle Support Note 2155256.1 for instructions on how to
address this issue.
ADDITIONAL CVES ADDRESSED:
* The fix for CVE-2015-7182 also addresses CVE-2015-2721, CVE-2015-4000,
CVE-2015-7181, CVE-2015-7183, and CVE-2015-7575.
* The fix for CVE-2016-1181 also addresses CVE-2016-1182.
* The fix for CVE-2016-1548 also addresses CVE-2015-7979, CVE-2016-1547,
CVE-2016-1550, CVE-2016-2108, CVE-2016-2518, CVE-2016-4051, CVE-2016-4052,
and CVE-2016-4053.
* The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106,
CVE-2016-2109, and CVE-2016-2176.
* The fix for CVE-2016-3504 also addresses CVE-2016-5019.
APPENDIX - ORACLE HYPERION
ORACLE HYPERION EXECUTIVE SUMMARY
This Critical Patch Update contains 1 new security fix for Oracle Hyperion. This
vulnerability is remotely exploitable without authentication, i.e., may be
exploited over a network without the need for a username and password. The
English text form of this Risk Matrix can be found here.
ORACLE HYPERION RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-3493 Hyperion Financial
Reporting Security Models HTTP Yes 9.8 Network Low None None Un changed High
High High 11.1.2.4
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-3493 Hyperion Financial
Reporting Security Models HTTP Yes 9.8 Network Low None None Un changed High
High High 11.1.2.4
APPENDIX - ORACLE ENTERPRISE MANAGER GRID CONTROL
ORACLE ENTERPRISE MANAGER GRID CONTROL EXECUTIVE SUMMARY
This Critical Patch Update contains 10 new security fixes for Oracle Enterprise
Manager Grid Control. 7 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without the need
for a username and password. None of these fixes are applicable to client-only
installations, i.e., installations that do not have Oracle Enterprise Manager
Grid Control installed. The English text form of this Risk Matrix can be found
here.
ORACLE ENTERPRISE MANAGER GRID CONTROL RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-7501 Enterprise Manager Ops
Center Enterprise Controller Install HTTP No 8.8 Network Low Low None Un changed
High High High 12.1.4, 12.2.2, 12.3.2 CVE-2016-0635 Enterprise Manager Ops
Center Framework HTTP No 8.8 Network Low Low None Un changed High High High
12.1.4, 12.2.2, 12.3.2 CVE-2015-3237 Enterprise Manager Ops Center Networking
HTTP Yes 6.5 Network Low None None Un changed Low None Low 12.1.4, 12.2.2,
12.3.2 CVE-2016-3494 Enterprise Manager Ops Center OS Provisioning HTTP Yes
6.5 Adjacent Network Low None None Un changed None None High 12.1.4, 12.2.2,
12.3.2 CVE-2016-3563 Enterprise Manager Base Platform Security Framework None
No 6.3 Local Low High Required Changed Low High None 12.1.0.5 CVE-2016-2107
Enterprise Manager Base Platform Discovery Framework HTTP Yes 5.9 Network High
None None Un changed High None None 12.1.0.5, 13.1.0.0 CVE-2015-3197
Enterprise Manager Ops Center Networking SSL/TLS Yes 5.9 Network High None None
Un changed High None None 12.1.4, 12.2.2, 12.3.2 CVE-2016-3496 Enterprise
Manager for Fusion Middleware SOA Topology Viewer HTTP Yes 4.7 Network Low None
Required Changed Low None None 11.1.1.7, 11.1.1.9 CVE-2016-3540 Enterprise
Manager Base Platform UI Framework HTTP Yes 4.3 Network Low None Required Un
changed Low None None 12.1.0.5, 13.1.0.0 CVE-2015-0228 Enterprise Manager Ops
Center Update Provisioning HTTP Yes 4.3 Network Low None Required Un changed
None None Low 12.1.4, 12.2.2, 12.3.2
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-7501 Enterprise Manager Ops
Center Enterprise Controller Install HTTP No 8.8 Network Low Low None Un changed
High High High 12.1.4, 12.2.2, 12.3.2 CVE-2016-0635 Enterprise Manager Ops
Center Framework HTTP No 8.8 Network Low Low None Un changed High High High
12.1.4, 12.2.2, 12.3.2 CVE-2015-3237 Enterprise Manager Ops Center Networking
HTTP Yes 6.5 Network Low None None Un changed Low None Low 12.1.4, 12.2.2,
12.3.2 CVE-2016-3494 Enterprise Manager Ops Center OS Provisioning HTTP Yes
6.5 Adjacent Network Low None None Un changed None None High 12.1.4, 12.2.2,
12.3.2 CVE-2016-3563 Enterprise Manager Base Platform Security Framework None
No 6.3 Local Low High Required Changed Low High None 12.1.0.5 CVE-2016-2107
Enterprise Manager Base Platform Discovery Framework HTTP Yes 5.9 Network High
None None Un changed High None None 12.1.0.5, 13.1.0.0 CVE-2015-3197
Enterprise Manager Ops Center Networking SSL/TLS Yes 5.9 Network High None None
Un changed High None None 12.1.4, 12.2.2, 12.3.2 CVE-2016-3496 Enterprise
Manager for Fusion Middleware SOA Topology Viewer HTTP Yes 4.7 Network Low None
Required Changed Low None None 11.1.1.7, 11.1.1.9 CVE-2016-3540 Enterprise
Manager Base Platform UI Framework HTTP Yes 4.3 Network Low None Required Un
changed Low None None 12.1.0.5, 13.1.0.0 CVE-2015-0228 Enterprise Manager Ops
Center Update Provisioning HTTP Yes 4.3 Network Low None Required Un changed
None None Low 12.1.4, 12.2.2, 12.3.2
ADDITIONAL CVES ADDRESSED:
* The fix for CVE-2015-3237 also addresses CVE-2015-3236.
APPENDIX - ORACLE APPLICATIONS
ORACLE E-BUSINESS SUITE EXECUTIVE SUMMARY
This Critical Patch Update contains 23 new security fixes for the Oracle
E-Business Suite. 21 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without the need
for a username and password. The English text form of this Risk Matrix can be
found here.
ORACLE E-BUSINESS SUITE RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-3546 Oracle Advanced
Collections Report JSPs HTTP Yes 9.1 Network Low None None Un changed High High
None 12.1.1, 12.1.2, 12.1.3 CVE-2016-3541 Oracle Common Applications Calendar
Notes HTTP Yes 9.1 Network Low None None Un changed High High None 12.1.1,
12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3543 Oracle Common
Applications Calendar Tasks HTTP Yes 9.1 Network Low None None Un changed High
High None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3532 Oracle
Advanced Inbound Telephony SDK client integration HTTP Yes 8.2 Network Low None
Required Changed High Low None 12.1.1, 12.1.2, 12.1.3 CVE-2016-3535 Oracle CRM
Technical Foundation Remote Launch HTTP Yes 8.2 Network Low None Required
Changed High Low None 12.1.3 CVE-2016-3491 Oracle CRM Technical Foundation
Wireless Framework HTTP Yes 8.2 Network Low None Required Changed High Low None
12.1.3 CVE-2016-3512 Oracle Customer Interaction History Function Security
HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1, 12.1.2,
12.1.3 CVE-2016-3536 Oracle Marketing Deliverables HTTP Yes 8.2 Network Low
None Required Changed High Low None 12.1.1, 12.1.2, 12.1.3 CVE-2016-3522
Oracle Web Applications Desktop Integrator Application Service HTTP Yes 8.2
Network Low None Required Changed High Low None 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3528 Oracle Internet Expenses Expenses Admin Utilities HTTP Yes 7.5
Network Low None None Un changed None None High 12.1.1, 12.1.2, 12.1.3, 12.2.3,
12.2.4, 12.2.5 CVE-2016-3524 Oracle Applications Technology Stack
Configuration HTTP Yes 6.5 Network Low None None Un changed Low Low None 12.1.3,
12.2.3, 12.2.4, 12.2.5 CVE-2016-3542 Oracle Knowledge Management Search,
Browse HTTP No 6.5 Network Low High None Un changed High High None 12.1.1,
12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3525 Oracle Applications
Manager Cookie Management HTTP Yes 5.9 Network High None None Un changed High
None None 12.1.3 CVE-2016-3545 Oracle Application Object Library Web based
help screens HTTP Yes 5.3 Network Low None None Un changed Low None None 12.1.3,
12.2.3, 12.2.4, 12.2.5 CVE-2016-3549 Oracle E-Business Suite Secure Enterprise
Search Search Integration Engine HTTP Yes 5.3 Network Low None None Un changed
Low None None 12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3548 Oracle Marketing
Marketing activity collateral HTTP Yes 5.3 Network Low None None Un changed Low
None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3547 Oracle
One-to-One Fulfillment Content Manager HTTP Yes 5.3 Network Low None None Un
changed Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3520 Oracle Application Object Library AOL Diagnostic tests HTTP No 4.9
Network Low High None Un changed High None None 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3558 Oracle Email Center Email Center Agent Console HTTP Yes 4.7
Network Low None Required Changed None Low None 12.1.1, 12.1.2, 12.1.3, 12.2.3,
12.2.4, 12.2.5 CVE-2016-3559 Oracle Email Center Email Center Agent Console
HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.1, 12.1.2,
12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3534 Oracle Installed Base Engineering
Change Order HTTP Yes 4.7 Network Low None Required Changed None Low None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3533 Oracle Knowledge
Management Search HTTP Yes 4.7 Network Low None Required Changed None Low None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3523 Oracle Web
Applications Desktop Integrator Application Service HTTP Yes 4.7 Network Low
None Required Changed None Low None 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-3546 Oracle Advanced
Collections Report JSPs HTTP Yes 9.1 Network Low None None Un changed High High
None 12.1.1, 12.1.2, 12.1.3 CVE-2016-3541 Oracle Common Applications Calendar
Notes HTTP Yes 9.1 Network Low None None Un changed High High None 12.1.1,
12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3543 Oracle Common
Applications Calendar Tasks HTTP Yes 9.1 Network Low None None Un changed High
High None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3532 Oracle
Advanced Inbound Telephony SDK client integration HTTP Yes 8.2 Network Low None
Required Changed High Low None 12.1.1, 12.1.2, 12.1.3 CVE-2016-3535 Oracle CRM
Technical Foundation Remote Launch HTTP Yes 8.2 Network Low None Required
Changed High Low None 12.1.3 CVE-2016-3491 Oracle CRM Technical Foundation
Wireless Framework HTTP Yes 8.2 Network Low None Required Changed High Low None
12.1.3 CVE-2016-3512 Oracle Customer Interaction History Function Security
HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1, 12.1.2,
12.1.3 CVE-2016-3536 Oracle Marketing Deliverables HTTP Yes 8.2 Network Low
None Required Changed High Low None 12.1.1, 12.1.2, 12.1.3 CVE-2016-3522
Oracle Web Applications Desktop Integrator Application Service HTTP Yes 8.2
Network Low None Required Changed High Low None 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3528 Oracle Internet Expenses Expenses Admin Utilities HTTP Yes 7.5
Network Low None None Un changed None None High 12.1.1, 12.1.2, 12.1.3, 12.2.3,
12.2.4, 12.2.5 CVE-2016-3524 Oracle Applications Technology Stack
Configuration HTTP Yes 6.5 Network Low None None Un changed Low Low None 12.1.3,
12.2.3, 12.2.4, 12.2.5 CVE-2016-3542 Oracle Knowledge Management Search,
Browse HTTP No 6.5 Network Low High None Un changed High High None 12.1.1,
12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3525 Oracle Applications
Manager Cookie Management HTTP Yes 5.9 Network High None None Un changed High
None None 12.1.3 CVE-2016-3545 Oracle Application Object Library Web based
help screens HTTP Yes 5.3 Network Low None None Un changed Low None None 12.1.3,
12.2.3, 12.2.4, 12.2.5 CVE-2016-3549 Oracle E-Business Suite Secure Enterprise
Search Search Integration Engine HTTP Yes 5.3 Network Low None None Un changed
Low None None 12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3548 Oracle Marketing
Marketing activity collateral HTTP Yes 5.3 Network Low None None Un changed Low
None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3547 Oracle
One-to-One Fulfillment Content Manager HTTP Yes 5.3 Network Low None None Un
changed Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3520 Oracle Application Object Library AOL Diagnostic tests HTTP No 4.9
Network Low High None Un changed High None None 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3558 Oracle Email Center Email Center Agent Console HTTP Yes 4.7
Network Low None Required Changed None Low None 12.1.1, 12.1.2, 12.1.3, 12.2.3,
12.2.4, 12.2.5 CVE-2016-3559 Oracle Email Center Email Center Agent Console
HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.1, 12.1.2,
12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3534 Oracle Installed Base Engineering
Change Order HTTP Yes 4.7 Network Low None Required Changed None Low None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3533 Oracle Knowledge
Management Search HTTP Yes 4.7 Network Low None Required Changed None Low None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 CVE-2016-3523 Oracle Web
Applications Desktop Integrator Application Service HTTP Yes 4.7 Network Low
None Required Changed None Low None 12.1.3, 12.2.3, 12.2.4, 12.2.5
ORACLE SUPPLY CHAIN PRODUCTS SUITE EXECUTIVE SUMMARY
This Critical Patch Update contains 25 new security fixes for the Oracle Supply
Chain Products Suite. 13 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without the need
for a username and password. The English text form of this Risk Matrix can be
found here.
ORACLE SUPPLY CHAIN PRODUCTS SUITE RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-3468 Oracle Agile Engineering
Data Management Install HTPP Yes 9.8 Network Low None None Un changed High High
High 6.1.3.0, 6.2.0.0 CVE-2016-3556 Oracle Agile PLM EM Integration HTTP Yes
9.8 Network Low None None Un changed High High High 9.3.4, 9.3.5 CVE-2016-3527
Oracle Demand Planning ODPDA Servlet HTTP Yes 9.1 Network Low None None Un
changed High High None 12.1, 12.2 CVE-2016-3554 Oracle Agile PLM PC / BOM,
MCAD, Design HTTP No 8.8 Network Low Low None Un changed High High High 9.3.4,
9.3.5 CVE-2015-7501 Oracle Transportation Management Web Container HTTP No 8.8
Network Low Low None Un changed High High High 6.3.0, 6.3.1, 6.3.2, 6.3.3,
6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1 CVE-2016-3526 Oracle Agile PLM SDK
HTTP Yes 7.5 Network Low None None Un changed High None None 9.3.4, 9.3.5
CVE-2016-3561 Oracle Agile PLM SDK HTTP Yes 7.3 Network Low None None Un changed
Low Low Low 9.3.4, 9.3.5 CVE-2016-3538 Oracle Agile PLM File Folders /
Attachment HTTP No 7.1 Network Low Low None Un changed None High Low 9.3.4,
9.3.5 CVE-2016-3539 Oracle Agile PLM File Folders / Attachment HTTP No 7.1
Network Low Low None Un changed None High Low 9.3.4, 9.3.5 CVE-2016-3530
Oracle Agile PLM PGC / Import HTTP No 7.1 Network Low Low None Un changed None
High Low 9.3.4, 9.3.5 CVE-2016-3470 Oracle Transportation Management Install
HTTP No 7.1 Network Low Low None Un changed High Low None 6.4.1 CVE-2016-3537
Oracle Agile PLM File Folders / Attachment HTTP No 6.5 Network Low Low None Un
changed High None None 9.3.4, 9.3.5 CVE-2016-3557 Oracle Agile PLM File Load
HTTP Yes 6.1 Network Low None Required Changed Low Low None 9.3.4, 9.3.5
CVE-2016-3519 Oracle Agile PLM PC / Get Shortcut HTTP Yes 6.1 Network Low None
Required Changed Low Low None 9.3.4, 9.3.5 CVE-2016-3555 Oracle Agile PLM PGC
/ Excel Plugin HTTP Yes 6.1 Network Low None Required Changed Low Low None
9.3.4, 9.3.5 CVE-2016-2107 Oracle Agile Engineering Data Management Install
HTTP Yes 5.9 Network High None None Un changed High None None 6.1.3.0, 6.2.0.0
CVE-2016-3529 Oracle Agile PLM SDK HTTP Yes 5.8 Network Low None None Changed
Low None None 9.3.4, 9.3.5 CVE-2016-3509 Oracle Agile PLM File Folders / URL
Attachment HTTP No 5.4 Network Low Low Required Changed Low Low None 9.3.4,
9.3.5 CVE-2016-3553 Oracle Agile PLM PC Core HTTP No 5.4 Network Low Low None
Un changed Low Low None 9.3.4, 9.3.5 CVE-2016-3560 Oracle Agile PLM SDK HTTP
Yes 5.3 Network Low None None Un changed Low None None 9.3.4, 9.3.5
CVE-2016-3517 Oracle Agile PLM PC / Get Shortcut HTTP Yes 4.3 Network Low None
Required Un changed None Low None 9.3.4, 9.3.5 CVE-2016-3507 Oracle Agile PLM
WebClient / Admin HTTP Yes 4.3 Network Low None Required Un changed None Low
None 9.3.4, 9.3.5 CVE-2016-3531 Oracle Agile PLM PC / Notification HTTP No 3.5
Network Low Low Required Un changed Low None None 9.3.4, 9.3.5 CVE-2016-5473
Oracle Agile PLM File Folders / Attachment HTTP No 3.1 Network High Low None Un
changed Low None None 9.3.4, 9.3.5 CVE-2016-3490 Oracle Transportation
Management Database HTTP No 3.0 Network High Low Required Changed Low None None
6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-3468 Oracle Agile Engineering
Data Management Install HTPP Yes 9.8 Network Low None None Un changed High High
High 6.1.3.0, 6.2.0.0 CVE-2016-3556 Oracle Agile PLM EM Integration HTTP Yes
9.8 Network Low None None Un changed High High High 9.3.4, 9.3.5 CVE-2016-3527
Oracle Demand Planning ODPDA Servlet HTTP Yes 9.1 Network Low None None Un
changed High High None 12.1, 12.2 CVE-2016-3554 Oracle Agile PLM PC / BOM,
MCAD, Design HTTP No 8.8 Network Low Low None Un changed High High High 9.3.4,
9.3.5 CVE-2015-7501 Oracle Transportation Management Web Container HTTP No 8.8
Network Low Low None Un changed High High High 6.3.0, 6.3.1, 6.3.2, 6.3.3,
6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1 CVE-2016-3526 Oracle Agile PLM SDK
HTTP Yes 7.5 Network Low None None Un changed High None None 9.3.4, 9.3.5
CVE-2016-3561 Oracle Agile PLM SDK HTTP Yes 7.3 Network Low None None Un changed
Low Low Low 9.3.4, 9.3.5 CVE-2016-3538 Oracle Agile PLM File Folders /
Attachment HTTP No 7.1 Network Low Low None Un changed None High Low 9.3.4,
9.3.5 CVE-2016-3539 Oracle Agile PLM File Folders / Attachment HTTP No 7.1
Network Low Low None Un changed None High Low 9.3.4, 9.3.5 CVE-2016-3530
Oracle Agile PLM PGC / Import HTTP No 7.1 Network Low Low None Un changed None
High Low 9.3.4, 9.3.5 CVE-2016-3470 Oracle Transportation Management Install
HTTP No 7.1 Network Low Low None Un changed High Low None 6.4.1 CVE-2016-3537
Oracle Agile PLM File Folders / Attachment HTTP No 6.5 Network Low Low None Un
changed High None None 9.3.4, 9.3.5 CVE-2016-3557 Oracle Agile PLM File Load
HTTP Yes 6.1 Network Low None Required Changed Low Low None 9.3.4, 9.3.5
CVE-2016-3519 Oracle Agile PLM PC / Get Shortcut HTTP Yes 6.1 Network Low None
Required Changed Low Low None 9.3.4, 9.3.5 CVE-2016-3555 Oracle Agile PLM PGC
/ Excel Plugin HTTP Yes 6.1 Network Low None Required Changed Low Low None
9.3.4, 9.3.5 CVE-2016-2107 Oracle Agile Engineering Data Management Install
HTTP Yes 5.9 Network High None None Un changed High None None 6.1.3.0, 6.2.0.0
CVE-2016-3529 Oracle Agile PLM SDK HTTP Yes 5.8 Network Low None None Changed
Low None None 9.3.4, 9.3.5 CVE-2016-3509 Oracle Agile PLM File Folders / URL
Attachment HTTP No 5.4 Network Low Low Required Changed Low Low None 9.3.4,
9.3.5 CVE-2016-3553 Oracle Agile PLM PC Core HTTP No 5.4 Network Low Low None
Un changed Low Low None 9.3.4, 9.3.5 CVE-2016-3560 Oracle Agile PLM SDK HTTP
Yes 5.3 Network Low None None Un changed Low None None 9.3.4, 9.3.5
CVE-2016-3517 Oracle Agile PLM PC / Get Shortcut HTTP Yes 4.3 Network Low None
Required Un changed None Low None 9.3.4, 9.3.5 CVE-2016-3507 Oracle Agile PLM
WebClient / Admin HTTP Yes 4.3 Network Low None Required Un changed None Low
None 9.3.4, 9.3.5 CVE-2016-3531 Oracle Agile PLM PC / Notification HTTP No 3.5
Network Low Low Required Un changed Low None None 9.3.4, 9.3.5 CVE-2016-5473
Oracle Agile PLM File Folders / Attachment HTTP No 3.1 Network High Low None Un
changed Low None None 9.3.4, 9.3.5 CVE-2016-3490 Oracle Transportation
Management Database HTTP No 3.0 Network High Low Required Changed Low None None
6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1
ORACLE PEOPLESOFT PRODUCTS EXECUTIVE SUMMARY
This Critical Patch Update contains 7 new security fixes for Oracle PeopleSoft
Products. 5 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without the need for a
username and password. The English text form of this Risk Matrix can be found
here.
ORACLE PEOPLESOFT PRODUCTS RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-5465 PeopleSoft Enterprise
PeopleTools Panel Processor HTTP Yes 8.2 Network Low None Required Changed High
Low None 8.53, 8.54, 8.55 CVE-2016-5472 PeopleSoft Enterprise PeopleTools
Install and Packaging None No 7.8 Local Low Low None Un changed High High High
8.54, 8.55 CVE-2016-3483 PeopleSoft Enterprise PeopleTools File Processing
HTTP Yes 7.2 Network Low None None Changed Low None Low 8.53, 8.54, 8.55
CVE-2016-5470 PeopleSoft Enterprise PeopleTools Application Designer HTTP Yes
6.5 Network Low None Required Un changed High None None 8.54, 8.55
CVE-2016-3478 PeopleSoft Enterprise PeopleTools File Processing HTTP Yes 6.1
Network Low None Required Changed Low Low None 8.53, 8.54, 8.55 CVE-2016-2107
PeopleSoft Enterprise PeopleTools Security HTTP Yes 5.9 Network High None None
Un changed High None None 8.53, 8.54, 8.55 CVE-2016-5467 PeopleSoft Enterprise
FSCM eProcurement HTTP No 5.4 Network Low Low None Un changed Low Low None 9.1,
9.2
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-5465 PeopleSoft Enterprise
PeopleTools Panel Processor HTTP Yes 8.2 Network Low None Required Changed High
Low None 8.53, 8.54, 8.55 CVE-2016-5472 PeopleSoft Enterprise PeopleTools
Install and Packaging None No 7.8 Local Low Low None Un changed High High High
8.54, 8.55 CVE-2016-3483 PeopleSoft Enterprise PeopleTools File Processing
HTTP Yes 7.2 Network Low None None Changed Low None Low 8.53, 8.54, 8.55
CVE-2016-5470 PeopleSoft Enterprise PeopleTools Application Designer HTTP Yes
6.5 Network Low None Required Un changed High None None 8.54, 8.55
CVE-2016-3478 PeopleSoft Enterprise PeopleTools File Processing HTTP Yes 6.1
Network Low None Required Changed Low Low None 8.53, 8.54, 8.55 CVE-2016-2107
PeopleSoft Enterprise PeopleTools Security HTTP Yes 5.9 Network High None None
Un changed High None None 8.53, 8.54, 8.55 CVE-2016-5467 PeopleSoft Enterprise
FSCM eProcurement HTTP No 5.4 Network Low Low None Un changed Low Low None 9.1,
9.2
ADDITIONAL CVES ADDRESSED:
* The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106,
CVE-2016-2109, and CVE-2016-2176.
ORACLE JD EDWARDS PRODUCTS EXECUTIVE SUMMARY
This Critical Patch Update contains 1 new security fix for Oracle JD Edwards
Products. This vulnerability is remotely exploitable without authentication,
i.e., may be exploited over a network without the need for a username and
password. The English text form of this Risk Matrix can be found here.
ORACLE JD EDWARDS PRODUCTS RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-3197 JD Edwards EnterpriseOne
Tools Enterprise Infrastructure SEC HTTP Yes 5.9 Network High None None Un
changed High None None 9.2.0.5
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-3197 JD Edwards EnterpriseOne
Tools Enterprise Infrastructure SEC HTTP Yes 5.9 Network High None None Un
changed High None None 9.2.0.5
ORACLE SIEBEL CRM EXECUTIVE SUMMARY
This Critical Patch Update contains 16 new security fixes for Oracle Siebel CRM.
6 of these vulnerabilities may be remotely exploitable without authentication,
i.e., may be exploited over a network without the need for a username and
password. The English text form of this Risk Matrix can be found here.
ORACLE SIEBEL CRM RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-5451 Siebel UI Framework EAI
HTTP No 8.1 Network Low Low None Un changed High High None 8.1.1, 8.2.2, IP2014,
IP2015, IP2016 CVE-2016-3476 Oracle Knowledge Information Manager Console HTTP
Yes 6.5 Network Low None None Un changed Low Low None 8.5.x CVE-2016-5461
Siebel Core - Server Framework Object Manager HTTP No 6.5 Network Low Low None
Un changed High None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016 CVE-2016-3472
Siebel Engineering - Installer and Deployment Web Server HTTP No 5.7 Network Low
Low Required Un changed High None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5468 Siebel UI Framework EAI HTTP No 5.4 Network Low Low None Un
changed Low Low None 8.1.1, 8.2.2, IP2014, IP2015, IP2016 CVE-2016-5456 Siebel
Core - Server Framework Services HTTP No 5.3 Network High Low None Un changed
High None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016 CVE-2016-5459 Siebel Core
- Common Components iHelp HTTP Yes 4.7 Network Low None Required Changed None
Low None 8.1.1, 8.2.2, IP2014, IP2015, IP2016 CVE-2016-5450 Siebel UI
Framework UIF Open UI HTTP Yes 4.7 Network Low None Required Changed None Low
None 8.1.1, 8.2.2, IP2014, IP2015, IP2016 CVE-2016-3475 Oracle Knowledge
Information Manager Console HTTP No 4.3 Network Low Low None Un changed Low None
None 8.5.x CVE-2016-5463 Siebel UI Framework SWSE Server HTTP No 4.1 Network
Low Low Required Changed None Low None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5464 Siebel UI Framework SWSE Server HTTP No 4.1 Network Low Low
Required Changed None Low None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-3450 Siebel Core - Server Framework Services HTTP Yes 3.7 Network High
None None Un changed Low None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5460 Siebel Core - Server Framework Services HTTP Yes 3.7 Network High
None None Un changed Low None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5466 Siebel Core - Server Framework Services HTTP Yes 3.7 Network High
None None Un changed Low None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-3469 Siebel Core - Server Framework Services None No 3.3 Local Low Low
None Un changed Low None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5462 Siebel Core - Server Framework Workspaces HTTP No 2.7 Network Low
High None Un changed Low None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-5451 Siebel UI Framework EAI
HTTP No 8.1 Network Low Low None Un changed High High None 8.1.1, 8.2.2, IP2014,
IP2015, IP2016 CVE-2016-3476 Oracle Knowledge Information Manager Console HTTP
Yes 6.5 Network Low None None Un changed Low Low None 8.5.x CVE-2016-5461
Siebel Core - Server Framework Object Manager HTTP No 6.5 Network Low Low None
Un changed High None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016 CVE-2016-3472
Siebel Engineering - Installer and Deployment Web Server HTTP No 5.7 Network Low
Low Required Un changed High None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5468 Siebel UI Framework EAI HTTP No 5.4 Network Low Low None Un
changed Low Low None 8.1.1, 8.2.2, IP2014, IP2015, IP2016 CVE-2016-5456 Siebel
Core - Server Framework Services HTTP No 5.3 Network High Low None Un changed
High None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016 CVE-2016-5459 Siebel Core
- Common Components iHelp HTTP Yes 4.7 Network Low None Required Changed None
Low None 8.1.1, 8.2.2, IP2014, IP2015, IP2016 CVE-2016-5450 Siebel UI
Framework UIF Open UI HTTP Yes 4.7 Network Low None Required Changed None Low
None 8.1.1, 8.2.2, IP2014, IP2015, IP2016 CVE-2016-3475 Oracle Knowledge
Information Manager Console HTTP No 4.3 Network Low Low None Un changed Low None
None 8.5.x CVE-2016-5463 Siebel UI Framework SWSE Server HTTP No 4.1 Network
Low Low Required Changed None Low None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5464 Siebel UI Framework SWSE Server HTTP No 4.1 Network Low Low
Required Changed None Low None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-3450 Siebel Core - Server Framework Services HTTP Yes 3.7 Network High
None None Un changed Low None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5460 Siebel Core - Server Framework Services HTTP Yes 3.7 Network High
None None Un changed Low None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5466 Siebel Core - Server Framework Services HTTP Yes 3.7 Network High
None None Un changed Low None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-3469 Siebel Core - Server Framework Services None No 3.3 Local Low Low
None Un changed Low None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5462 Siebel Core - Server Framework Workspaces HTTP No 2.7 Network Low
High None Un changed Low None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016
APPENDIX - ORACLE COMMUNICATIONS APPLICATIONS
ORACLE COMMUNICATIONS APPLICATIONS EXECUTIVE SUMMARY
This Critical Patch Update contains 16 new security fixes for Oracle
Communications Applications. 10 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a network
without the need for a username and password. The English text form of this Risk
Matrix can be found here.
ORACLE COMMUNICATIONS APPLICATIONS RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-0235 Oracle Communications
EAGLE Application Processor Other HTTP Yes 9.8 Network Low None None Un changed
High High High 16.0 CVE-2015-7182 Oracle Communications Messaging Server
Security HTTP Yes 9.8 Network Low None None Un changed High High High Prior to
7.0.5.37.0 and 8.0.1.1.0 CVE-2015-7501 Oracle Communications ASAP Service
request translator T3 No 8.8 Network Low Low None Un changed High High High 7.0,
7.2, 7.3 CVE-2014-3571 Oracle Communications Core Session Manager Routing TLS
Yes 7.5 Network Low None None Un changed None None High 7.2.5, 7.3.5
CVE-2016-3515 Oracle Enterprise Communications Broker Crash, network, system,
admin HTTP Yes 7.5 Network Low None None Un changed High None None Prior to PCz
2.0.0m4p1 CVE-2016-3513 Oracle Communications Operations Monitor
Infrastructure HTTPS No 6.5 Network Low Low None Un changed High None None Prior
to 3.3.92.0.0 CVE-2016-3514 Oracle Enterprise Communications Broker GUI HTTP
No 6.5 Network Low Low None Un changed High None None Prior to PCz 2.0.0m4p1
CVE-2016-5458 Oracle Communications EAGLE Application Processor APPL HTTP No 6.4
Network Low Low None Changed Low Low None 16.0 CVE-2015-3197 Oracle
Communications Network Charging and Control DAP, OSD, PI TLS/SSL Yes 5.9 Network
High None None Un changed High None None 5.0.2.0.0, 5.0.1.0.0, 5.0.0.2.0,
5.0.0.1.0, 4.4.1.5.0 CVE-2016-2107 Oracle Communications Unified Session
Manager Routing TLS Yes 5.9 Network High None None Un changed High None None
7.2.5, 7.3.5 CVE-2016-5455 Oracle Communications Messaging Server Multiplexor
HTTP Yes 5.3 Network Low None None Un changed Low None None 6.3, 7.0, 8.0
CVE-2014-9708 Oracle Enterprise Communications Broker GUI HTTP Yes 5.3 Network
Low None None Un changed None None Low Prior to PCz 2.0.0m4p1 CVE-2016-0702
Oracle Communications Session Border Controller Encryption TLS Yes 4.8 Network
High None None Un changed Low Low None 7.2.0, 7.3.0 CVE-2015-2808 Oracle
Communications Policy Management Security HTTP Yes 3.7 Network High None None Un
changed Low None None Prior to 9.9.2 CVE-2015-5300 Oracle Communications
Session Border Controller System NTP No 3.7 Adjacent Network High Low None Un
changed Low None Low 7.2.0, 7.3.0 CVE-2016-3516 Oracle Enterprise
Communications Broker GUI HTTP No 3.1 Network High Low None Un changed Low None
None Prior to PCz 2.0.0m4p1
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-0235 Oracle Communications
EAGLE Application Processor Other HTTP Yes 9.8 Network Low None None Un changed
High High High 16.0 CVE-2015-7182 Oracle Communications Messaging Server
Security HTTP Yes 9.8 Network Low None None Un changed High High High Prior to
7.0.5.37.0 and 8.0.1.1.0 CVE-2015-7501 Oracle Communications ASAP Service
request translator T3 No 8.8 Network Low Low None Un changed High High High 7.0,
7.2, 7.3 CVE-2014-3571 Oracle Communications Core Session Manager Routing TLS
Yes 7.5 Network Low None None Un changed None None High 7.2.5, 7.3.5
CVE-2016-3515 Oracle Enterprise Communications Broker Crash, network, system,
admin HTTP Yes 7.5 Network Low None None Un changed High None None Prior to PCz
2.0.0m4p1 CVE-2016-3513 Oracle Communications Operations Monitor
Infrastructure HTTPS No 6.5 Network Low Low None Un changed High None None Prior
to 3.3.92.0.0 CVE-2016-3514 Oracle Enterprise Communications Broker GUI HTTP
No 6.5 Network Low Low None Un changed High None None Prior to PCz 2.0.0m4p1
CVE-2016-5458 Oracle Communications EAGLE Application Processor APPL HTTP No 6.4
Network Low Low None Changed Low Low None 16.0 CVE-2015-3197 Oracle
Communications Network Charging and Control DAP, OSD, PI TLS/SSL Yes 5.9 Network
High None None Un changed High None None 5.0.2.0.0, 5.0.1.0.0, 5.0.0.2.0,
5.0.0.1.0, 4.4.1.5.0 CVE-2016-2107 Oracle Communications Unified Session
Manager Routing TLS Yes 5.9 Network High None None Un changed High None None
7.2.5, 7.3.5 CVE-2016-5455 Oracle Communications Messaging Server Multiplexor
HTTP Yes 5.3 Network Low None None Un changed Low None None 6.3, 7.0, 8.0
CVE-2014-9708 Oracle Enterprise Communications Broker GUI HTTP Yes 5.3 Network
Low None None Un changed None None Low Prior to PCz 2.0.0m4p1 CVE-2016-0702
Oracle Communications Session Border Controller Encryption TLS Yes 4.8 Network
High None None Un changed Low Low None 7.2.0, 7.3.0 CVE-2015-2808 Oracle
Communications Policy Management Security HTTP Yes 3.7 Network High None None Un
changed Low None None Prior to 9.9.2 CVE-2015-5300 Oracle Communications
Session Border Controller System NTP No 3.7 Adjacent Network High Low None Un
changed Low None Low 7.2.0, 7.3.0 CVE-2016-3516 Oracle Enterprise
Communications Broker GUI HTTP No 3.1 Network High Low None Un changed Low None
None Prior to PCz 2.0.0m4p1
ADDITIONAL CVES ADDRESSED:
* The fix for CVE-2014-3571 also addresses CVE-2014-3569, CVE-2014-3570,
CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, and
CVE-2015-0206.
* The fix for CVE-2015-5300 also addresses CVE-2015-7704, and CVE-2015-8138.
* The fix for CVE-2015-7182 also addresses CVE-2015-7181, CVE-2015-7183, and
CVE-2015-7575.
* The fix for CVE-2016-0702 also addresses CVE-2016-0705, CVE-2016-0797,
CVE-2016-0798, CVE-2016-0799, and CVE-2016-0800.
* The fix for CVE-2016-5455 also addresses CVE-2015-7181, CVE-2015-7183,
CVE-2015-7575, CVE-2016-1938, and CVE-2016-1978.
APPENDIX - ORACLE FINANCIAL SERVICES APPLICATIONS
ORACLE FINANCIAL SERVICES APPLICATIONS EXECUTIVE SUMMARY
This Critical Patch Update contains 4 new security fixes for Oracle Financial
Services Applications. 3 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without the need
for a username and password. The English text form of this Risk Matrix can be
found here.
ORACLE FINANCIAL SERVICES APPLICATIONS RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-7501 Oracle Banking Platform
Rules collections HTTP No 8.8 Network Low Low None Un changed High High High
2.3.0, 2.4.0, 2.4.1 CVE-2014-0224 Oracle Financial Services Lending and
Leasing Admin and setup HTTP Yes 7.3 Network Low None None Un changed Low Low
Low 14.1 , 14.2 CVE-2016-3589 Oracle FLEXCUBE Direct Banking Base HTTP Yes 6.1
Network Low None Required Changed Low Low None 12.0.1, 12.0.2, 12.0.3
CVE-2016-1181 Oracle Banking Platform OPS HTTP Yes 3.1 Network High None
Required Un changed None Low None 2.3.0, 2.4.0, 2.4.1, 2.5.0
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-7501 Oracle Banking Platform
Rules collections HTTP No 8.8 Network Low Low None Un changed High High High
2.3.0, 2.4.0, 2.4.1 CVE-2014-0224 Oracle Financial Services Lending and
Leasing Admin and setup HTTP Yes 7.3 Network Low None None Un changed Low Low
Low 14.1 , 14.2 CVE-2016-3589 Oracle FLEXCUBE Direct Banking Base HTTP Yes 6.1
Network Low None Required Changed Low Low None 12.0.1, 12.0.2, 12.0.3
CVE-2016-1181 Oracle Banking Platform OPS HTTP Yes 3.1 Network High None
Required Un changed None Low None 2.3.0, 2.4.0, 2.4.1, 2.5.0
ADDITIONAL CVES ADDRESSED:
* The fix for CVE-2016-1181 also addresses CVE-2016-1182.
APPENDIX - ORACLE HEALTH SCIENCES APPLICATIONS
ORACLE HEALTH SCIENCES APPLICATIONS EXECUTIVE SUMMARY
This Critical Patch Update contains 5 new security fixes for Oracle Health
Sciences Applications. 1 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without the need
for a username and password. The English text form of this Risk Matrix can be
found here.
ORACLE HEALTH SCIENCES APPLICATIONS RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-3253 Oracle Health Sciences
Clinical Development Center Installation and configuration HTTP Yes 9.8 Network
Low None None Un changed High High High 3.1.1.x, 3.1.2.x CVE-2015-7501 Oracle
Health Sciences Clinical Development Center Installation and configuration HTTP
No 8.8 Network Low Low None Un changed High High High 3.1.1.x, 3.1.2.x
CVE-2016-0635 Oracle Health Sciences Information Manager Health Policy Monitor
TLS, UDP No 8.8 Network Low Low None Un changed High High High 1.2.8.3, 2.0.2.3,
3.0.1.0 CVE-2015-7501 Oracle Healthcare Analytics Data Integration Self
Service Analytics HTTP No 8.8 Network Low Low None Un changed High High High
3.1.0.0.0 CVE-2016-0635 Oracle Healthcare Master Person Index Internal
operations HTTP No 8.8 Network Low Low None Un changed High High High 2.0.12,
3.0.0, 4.0.1
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-3253 Oracle Health Sciences
Clinical Development Center Installation and configuration HTTP Yes 9.8 Network
Low None None Un changed High High High 3.1.1.x, 3.1.2.x CVE-2015-7501 Oracle
Health Sciences Clinical Development Center Installation and configuration HTTP
No 8.8 Network Low Low None Un changed High High High 3.1.1.x, 3.1.2.x
CVE-2016-0635 Oracle Health Sciences Information Manager Health Policy Monitor
TLS, UDP No 8.8 Network Low Low None Un changed High High High 1.2.8.3, 2.0.2.3,
3.0.1.0 CVE-2015-7501 Oracle Healthcare Analytics Data Integration Self
Service Analytics HTTP No 8.8 Network Low Low None Un changed High High High
3.1.0.0.0 CVE-2016-0635 Oracle Healthcare Master Person Index Internal
operations HTTP No 8.8 Network Low Low None Un changed High High High 2.0.12,
3.0.0, 4.0.1
APPENDIX - ORACLE INSURANCE APPLICATIONS
ORACLE INSURANCE APPLICATIONS EXECUTIVE SUMMARY
This Critical Patch Update contains 8 new security fixes for Oracle Insurance
Applications. None of these vulnerabilities may be remotely exploitable without
authentication, i.e., none may be exploited over a network without the need for
a username and password. The English text form of this Risk Matrix can be found
here.
ORACLE INSURANCE APPLICATIONS RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-7501 Oracle Documaker
Development tools HTTP No 8.8 Network Low Low None Un changed High High High
Prior to 12.5 CVE-2016-0635 Oracle Documaker Development tools HTTP No 8.8
Network Low Low None Un changed High High High Prior to 12.5 CVE-2015-7501
Oracle Insurance Calculation Engine Architecture HTTP No 8.8 Network Low Low
None Un changed High High High 9.7.1, 10.1.2, 10.2.2 CVE-2016-0635 Oracle
Insurance Calculation Engine Architecture HTTP No 8.8 Network Low Low None Un
changed High High High 9.7.1, 10.1.2, 10.2.2 CVE-2015-7501 Oracle Insurance
Policy Administration J2EE Architecture HTTP No 8.8 Network Low Low None Un
changed High High High 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
CVE-2016-0635 Oracle Insurance Policy Administration J2EE Architecture HTTP No
8.8 Network Low Low None Un changed High High High 9.6.1, 9.7.1, 10.0.1, 10.1.2,
10.2.0, 10.2.2 CVE-2015-7501 Oracle Insurance Rules Palette Architecture HTTP
No 8.8 Network Low Low None Un changed High High High 9.6.1, 9.7.1, 10.0.1,
10.1.2, 10.2.0, 10.2.2 CVE-2016-0635 Oracle Insurance Rules Palette
Architecture HTTP No 8.8 Network Low Low None Un changed High High High 9.6.1,
9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-7501 Oracle Documaker
Development tools HTTP No 8.8 Network Low Low None Un changed High High High
Prior to 12.5 CVE-2016-0635 Oracle Documaker Development tools HTTP No 8.8
Network Low Low None Un changed High High High Prior to 12.5 CVE-2015-7501
Oracle Insurance Calculation Engine Architecture HTTP No 8.8 Network Low Low
None Un changed High High High 9.7.1, 10.1.2, 10.2.2 CVE-2016-0635 Oracle
Insurance Calculation Engine Architecture HTTP No 8.8 Network Low Low None Un
changed High High High 9.7.1, 10.1.2, 10.2.2 CVE-2015-7501 Oracle Insurance
Policy Administration J2EE Architecture HTTP No 8.8 Network Low Low None Un
changed High High High 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
CVE-2016-0635 Oracle Insurance Policy Administration J2EE Architecture HTTP No
8.8 Network Low Low None Un changed High High High 9.6.1, 9.7.1, 10.0.1, 10.1.2,
10.2.0, 10.2.2 CVE-2015-7501 Oracle Insurance Rules Palette Architecture HTTP
No 8.8 Network Low Low None Un changed High High High 9.6.1, 9.7.1, 10.0.1,
10.1.2, 10.2.0, 10.2.2 CVE-2016-0635 Oracle Insurance Rules Palette
Architecture HTTP No 8.8 Network Low Low None Un changed High High High 9.6.1,
9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
APPENDIX - ORACLE RETAIL APPLICATIONS
ORACLE RETAIL APPLICATIONS EXECUTIVE SUMMARY
This Critical Patch Update contains 16 new security fixes for Oracle Retail
Applications. 6 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without the need for a
username and password. The English text form of this Risk Matrix can be found
here.
ORACLE RETAIL APPLICATIONS RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-3444 Oracle Retail
Integration Bus Install HTTP Yes 9.8 Network Low None None Un changed High High
High 13.0, 13.1, 13.2, 14.0, 14.1, 15.0 CVE-2015-3253 Oracle Retail Order
Broker System Administration HTTP Yes 9.8 Network Low None None Un changed High
High High 4.1, 5.1, 5.2, 15.0 CVE-2015-3253 Oracle Retail Service Backbone
Install HTTP Yes 9.8 Network Low None None Un changed High High High 13.0, 13.1,
13.2, 14.0, 14.1, 15.0 CVE-2015-3253 Oracle Retail Store Inventory Management
SIMINT HTTP Yes 9.8 Network Low None None Un changed High High High 13.2, 14.0,
14.1 CVE-2015-7501 MICROS Retail XBRi Loss Prevention Retail HTTP No 8.8
Network Low Low None Un changed High High High 10.0.1, 10.5.0, 10.6.0, 10.7.0,
10.8.0, 10.8.1 CVE-2015-7501 Oracle Retail Central, Back Office, Returns
Management Install HTTP No 8.8 Network Low Low None Un changed High High High
12.0 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1 CVE-2016-0635 Oracle Retail
Integration Bus Install HTTP No 8.8 Network Low Low None Un changed High High
High 15.0 CVE-2016-0635 Oracle Retail Order Broker Order Broker Foundation
HTTP No 8.8 Network Low Low None Un changed High High High 5.1, 5.2, 15.0
CVE-2015-7501 Oracle Retail Service Backbone Install HTTP No 8.8 Network Low Low
None Un changed High High High 15.0 CVE-2016-5474 Oracle Retail Service
Backbone RSB Kernel HTTP No 8.8 Network Low Low None Un changed High High High
14.0, 14.1, 15.0 CVE-2016-3081 MICROS Retail XBRi Loss Prevention Retail HTTP
Yes 8.1 Network High None None Un changed High High High 10.0.1, 10.5.0, 10.6.0,
10.7.0, 10.8.0, 10.8.1 CVE-2016-5476 Oracle Retail Integration Bus Install
HTTP No 7.6 Network Low Low None Un changed High Low Low 13.0, 13.1, 13.2, 14.0,
14.1, 15.0 CVE-2016-3565 Oracle Retail Order Broker System Administration HTTP
No 7.6 Network Low Low None Un changed Low High Low 5.1, 5.2 CVE-2016-5475
Oracle Retail Service Backbone Install HTTP No 7.6 Network Low Low None Un
changed High Low Low 14.0, 14.1, 15.0 CVE-2015-7501 Oracle Retail Store
Inventory Management SIMINT HTTP No 6.3 Network Low Low None Un changed Low Low
Low 12.0, 13.0, 13.1, 13.2, 14.0, 14.1 CVE-2016-3611 Oracle Retail Order
Broker System Administration HTTP Yes 5.4 Network Low None Required Un changed
Low Low None 15.0
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-3444 Oracle Retail
Integration Bus Install HTTP Yes 9.8 Network Low None None Un changed High High
High 13.0, 13.1, 13.2, 14.0, 14.1, 15.0 CVE-2015-3253 Oracle Retail Order
Broker System Administration HTTP Yes 9.8 Network Low None None Un changed High
High High 4.1, 5.1, 5.2, 15.0 CVE-2015-3253 Oracle Retail Service Backbone
Install HTTP Yes 9.8 Network Low None None Un changed High High High 13.0, 13.1,
13.2, 14.0, 14.1, 15.0 CVE-2015-3253 Oracle Retail Store Inventory Management
SIMINT HTTP Yes 9.8 Network Low None None Un changed High High High 13.2, 14.0,
14.1 CVE-2015-7501 MICROS Retail XBRi Loss Prevention Retail HTTP No 8.8
Network Low Low None Un changed High High High 10.0.1, 10.5.0, 10.6.0, 10.7.0,
10.8.0, 10.8.1 CVE-2015-7501 Oracle Retail Central, Back Office, Returns
Management Install HTTP No 8.8 Network Low Low None Un changed High High High
12.0 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1 CVE-2016-0635 Oracle Retail
Integration Bus Install HTTP No 8.8 Network Low Low None Un changed High High
High 15.0 CVE-2016-0635 Oracle Retail Order Broker Order Broker Foundation
HTTP No 8.8 Network Low Low None Un changed High High High 5.1, 5.2, 15.0
CVE-2015-7501 Oracle Retail Service Backbone Install HTTP No 8.8 Network Low Low
None Un changed High High High 15.0 CVE-2016-5474 Oracle Retail Service
Backbone RSB Kernel HTTP No 8.8 Network Low Low None Un changed High High High
14.0, 14.1, 15.0 CVE-2016-3081 MICROS Retail XBRi Loss Prevention Retail HTTP
Yes 8.1 Network High None None Un changed High High High 10.0.1, 10.5.0, 10.6.0,
10.7.0, 10.8.0, 10.8.1 CVE-2016-5476 Oracle Retail Integration Bus Install
HTTP No 7.6 Network Low Low None Un changed High Low Low 13.0, 13.1, 13.2, 14.0,
14.1, 15.0 CVE-2016-3565 Oracle Retail Order Broker System Administration HTTP
No 7.6 Network Low Low None Un changed Low High Low 5.1, 5.2 CVE-2016-5475
Oracle Retail Service Backbone Install HTTP No 7.6 Network Low Low None Un
changed High Low Low 14.0, 14.1, 15.0 CVE-2015-7501 Oracle Retail Store
Inventory Management SIMINT HTTP No 6.3 Network Low Low None Un changed Low Low
Low 12.0, 13.0, 13.1, 13.2, 14.0, 14.1 CVE-2016-3611 Oracle Retail Order
Broker System Administration HTTP Yes 5.4 Network Low None Required Un changed
Low Low None 15.0
APPENDIX - ORACLE UTILITIES APPLICATIONS
ORACLE UTILITIES APPLICATIONS EXECUTIVE SUMMARY
This Critical Patch Update contains 3 new security fixes for Oracle Utilities
Applications. None of these vulnerabilities may be remotely exploitable without
authentication, i.e., none may be exploited over a network without the need for
a username and password. The English text form of this Risk Matrix can be found
here.
ORACLE UTILITIES APPLICATIONS RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-7501 Oracle Utilities
Framework System wide HTTP No 8.8 Network Low Low None Un changed High High High
2.2.0.0.0, 4.1.0.1.0, 4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0,
4.3.0.2.0 CVE-2015-7501 Oracle Utilities Network Management System System wide
HTTP No 8.8 Network Low Low None Un changed High High High 1.10.0.6.27,
1.11.0.4.41, 1.11.0.5.4, 1.12.0.1.16, 1.12.0.2.12. 1.12.0.3.5 CVE-2015-7501
Oracle Utilities Work and Asset Management Integrations HTTP No 8.8 Network Low
Low None Un changed High High High 1.9.1.2.8
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-7501 Oracle Utilities
Framework System wide HTTP No 8.8 Network Low Low None Un changed High High High
2.2.0.0.0, 4.1.0.1.0, 4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0,
4.3.0.2.0 CVE-2015-7501 Oracle Utilities Network Management System System wide
HTTP No 8.8 Network Low Low None Un changed High High High 1.10.0.6.27,
1.11.0.4.41, 1.11.0.5.4, 1.12.0.1.16, 1.12.0.2.12. 1.12.0.3.5 CVE-2015-7501
Oracle Utilities Work and Asset Management Integrations HTTP No 8.8 Network Low
Low None Un changed High High High 1.9.1.2.8
APPENDIX - ORACLE POLICY AUTOMATION
ORACLE POLICY AUTOMATION EXECUTIVE SUMMARY
This Critical Patch Update contains 4 new security fixes for Oracle Policy
Automation. None of these vulnerabilities may be remotely exploitable without
authentication, i.e., none may be exploited over a network without the need for
a username and password. The English text form of this Risk Matrix can be found
here.
ORACLE POLICY AUTOMATION RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-7501 Oracle In-Memory Policy
Analytics Analysis Server HTTP No 8.8 Network Low Low None Un changed High High
High 12.0.1 CVE-2015-7501 Oracle Policy Automation Determinations Engine HTTP
No 8.8 Network Low Low None Un changed High High High 10.3.0, 10.3.1, 10.4.0,
10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 12.1.0, 12.1.1 CVE-2015-7501
Oracle Policy Automation Connector for Siebel Determinations Server HTTP No 8.8
Network Low Low None Un changed High High High 10.3.0, 10.4.0, 10.4.1, 10.4.2,
10.4.3, 10.4.4, 10.4.5, 10.4.6 CVE-2015-7501 Oracle Policy Automation for
Mobile Devices Mobile Application HTTP No 8.8 Network Low Low None Un changed
High High High 12.1.1
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-7501 Oracle In-Memory Policy
Analytics Analysis Server HTTP No 8.8 Network Low Low None Un changed High High
High 12.0.1 CVE-2015-7501 Oracle Policy Automation Determinations Engine HTTP
No 8.8 Network Low Low None Un changed High High High 10.3.0, 10.3.1, 10.4.0,
10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 12.1.0, 12.1.1 CVE-2015-7501
Oracle Policy Automation Connector for Siebel Determinations Server HTTP No 8.8
Network Low Low None Un changed High High High 10.3.0, 10.4.0, 10.4.1, 10.4.2,
10.4.3, 10.4.4, 10.4.5, 10.4.6 CVE-2015-7501 Oracle Policy Automation for
Mobile Devices Mobile Application HTTP No 8.8 Network Low Low None Un changed
High High High 12.1.1
APPENDIX - ORACLE PRIMAVERA PRODUCTS SUITE
ORACLE PRIMAVERA PRODUCTS SUITE EXECUTIVE SUMMARY
This Critical Patch Update contains 15 new security fixes for the Oracle
Primavera Products Suite. 8 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without the need
for a username and password. The English text form of this Risk Matrix can be
found here.
ORACLE PRIMAVERA PRODUCTS SUITE RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-7501 Primavera Contract
Management PCM application HTTP No 8.8 Network Low Low None Un changed High High
High 14.2 CVE-2016-0635 Primavera Contract Management PCM web services HTTP No
8.8 Network Low Low None Un changed High High High 14.2 CVE-2015-7501
Primavera P6 Enterprise Project Portfolio Management Web access HTTP No 8.8
Network Low Low None Un changed High High High 8.2, 8.3, 8.4, 15.1, 15.2, 16.1
CVE-2016-0635 Primavera P6 Enterprise Project Portfolio Management Web access
HTTP No 8.8 Network Low Low None Un changed High High High 8.2, 8.3, 8.4, 15.1,
15.2, 16.1 CVE-2015-1791 Primavera P6 Enterprise Project Portfolio Management
Project manager HTTP Yes 6.5 Network High None None Changed Low Low Low 8.3,
8.4, 15.1 CVE-2016-3572 Primavera P6 Enterprise Project Portfolio Management
Web Access HTTP No 6.4 Network Low Low None Changed Low Low None 8.3, 8.4, 15.1,
15.2, 16.1 CVE-2012-3137 Primavera P6 Enterprise Project Portfolio Management
Web access HTTP No 6.3 Network Low Low None Un changed Low Low Low 8.2, 8.3, 8.4
CVE-2016-3566 Primavera P6 Enterprise Project Portfolio Management Web access
HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.3, 8.4, 15.1,
15.2, 16.1 CVE-2016-3568 Primavera P6 Enterprise Project Portfolio Management
Web access HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.3, 8.4,
15.1, 15.2, 16.1 CVE-2016-3569 Primavera P6 Enterprise Project Portfolio
Management Web access HTTP Yes 6.1 Network Low None Required Changed Low Low
None 8.3, 8.4, 15.1, 15.2, 16.1 CVE-2016-3570 Primavera P6 Enterprise Project
Portfolio Management Web access HTTP Yes 6.1 Network Low None Required Changed
Low Low None 8.3, 8.4, 15.1, 15.2, 16.1 CVE-2016-3571 Primavera P6 Enterprise
Project Portfolio Management Web access HTTP Yes 6.1 Network Low None Required
Changed Low Low None 8.3, 8.4, 15.1, 15.2, 16.1 CVE-2016-3573 Primavera P6
Enterprise Project Portfolio Management Web access HTTP Yes 6.1 Network Low None
Required Changed Low Low None 8.3, 8.4, 15.1, 15.2, 16.1 CVE-2015-3197
Primavera P6 Enterprise Project Portfolio Management Project manager HTTP Yes
5.9 Network High None None Un changed High None None 8.3, 8.4, 15.1, 15.2
CVE-2016-3567 Primavera P6 Enterprise Project Portfolio Management Web access
HTTP No 5.4 Network Low Low Required Changed Low Low None 8.3, 8.4, 15.1, 15.2,
16.1
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2015-7501 Primavera Contract
Management PCM application HTTP No 8.8 Network Low Low None Un changed High High
High 14.2 CVE-2016-0635 Primavera Contract Management PCM web services HTTP No
8.8 Network Low Low None Un changed High High High 14.2 CVE-2015-7501
Primavera P6 Enterprise Project Portfolio Management Web access HTTP No 8.8
Network Low Low None Un changed High High High 8.2, 8.3, 8.4, 15.1, 15.2, 16.1
CVE-2016-0635 Primavera P6 Enterprise Project Portfolio Management Web access
HTTP No 8.8 Network Low Low None Un changed High High High 8.2, 8.3, 8.4, 15.1,
15.2, 16.1 CVE-2015-1791 Primavera P6 Enterprise Project Portfolio Management
Project manager HTTP Yes 6.5 Network High None None Changed Low Low Low 8.3,
8.4, 15.1 CVE-2016-3572 Primavera P6 Enterprise Project Portfolio Management
Web Access HTTP No 6.4 Network Low Low None Changed Low Low None 8.3, 8.4, 15.1,
15.2, 16.1 CVE-2012-3137 Primavera P6 Enterprise Project Portfolio Management
Web access HTTP No 6.3 Network Low Low None Un changed Low Low Low 8.2, 8.3, 8.4
CVE-2016-3566 Primavera P6 Enterprise Project Portfolio Management Web access
HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.3, 8.4, 15.1,
15.2, 16.1 CVE-2016-3568 Primavera P6 Enterprise Project Portfolio Management
Web access HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.3, 8.4,
15.1, 15.2, 16.1 CVE-2016-3569 Primavera P6 Enterprise Project Portfolio
Management Web access HTTP Yes 6.1 Network Low None Required Changed Low Low
None 8.3, 8.4, 15.1, 15.2, 16.1 CVE-2016-3570 Primavera P6 Enterprise Project
Portfolio Management Web access HTTP Yes 6.1 Network Low None Required Changed
Low Low None 8.3, 8.4, 15.1, 15.2, 16.1 CVE-2016-3571 Primavera P6 Enterprise
Project Portfolio Management Web access HTTP Yes 6.1 Network Low None Required
Changed Low Low None 8.3, 8.4, 15.1, 15.2, 16.1 CVE-2016-3573 Primavera P6
Enterprise Project Portfolio Management Web access HTTP Yes 6.1 Network Low None
Required Changed Low Low None 8.3, 8.4, 15.1, 15.2, 16.1 CVE-2015-3197
Primavera P6 Enterprise Project Portfolio Management Project manager HTTP Yes
5.9 Network High None None Un changed High None None 8.3, 8.4, 15.1, 15.2
CVE-2016-3567 Primavera P6 Enterprise Project Portfolio Management Web access
HTTP No 5.4 Network Low Low Required Changed Low Low None 8.3, 8.4, 15.1, 15.2,
16.1
ADDITIONAL CVES ADDRESSED:
* The fix for CVE-2015-1791 also addresses CVE-2015-1788, CVE-2015-1789,
CVE-2015-1790, and CVE-2015-1792.
* The fix for CVE-2015-3197 also addresses CVE-2015-3193, CVE-2015-3194,
CVE-2015-3195, and CVE-2016-0701.
APPENDIX - ORACLE JAVA SE
ORACLE JAVA SE EXECUTIVE SUMMARY
This Critical Patch Update contains 13 new security fixes for Oracle Java SE. 9
of these vulnerabilities may be remotely exploitable without authentication,
i.e., may be exploited over a network without the need for a username and
password. The English text form of this Risk Matrix can be found here.
The CVSS scores below assume that a user running a Java applet or Java Web Start
application has administrator privileges (typical on Windows). When the user
does not run with administrator privileges (typical on Solaris and Linux), the
corresponding CVSS impact scores for Confidentiality, Integrity, and
Availability are "Low" instead of "High", lowering the CVSS Base Score. For
example, a Base Score of 9.6 becomes 7.1.
Users should only use the default Java Plug-in and Java Web Start from the
latest JDK or JRE 7 and 8 releases.
ORACLE JAVA SE RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-3587 Java SE, Java SE
Embedded Hotspot Multiple Yes 9.6 Network Low None Required Changed High High
High Java SE: 8u92; Java SE Embedded: 8u91 See Note 1 CVE-2016-3606 Java SE,
Java SE Embedded Hotspot Multiple Yes 9.6 Network Low None Required Changed High
High High Java SE: 7u101, 8u92; Java SE Embedded: 8u91 See Note 1 CVE-2016-3598
Java SE, Java SE Embedded Libraries Multiple Yes 9.6 Network Low None Required
Changed High High High Java SE: 8u92; Java SE Embedded: 8u91 See Note 1
CVE-2016-3610 Java SE, Java SE Embedded Libraries Multiple Yes 9.6 Network Low
None Required Changed High High High Java SE: 8u92; Java SE Embedded: 8u91 See
Note 1 CVE-2016-3552 Java SE Install None No 8.1 Local High None None Changed
High High High Java SE: 8u92 See Note 2 CVE-2016-3511 Java SE Deployment None No
7.7 Local High None Required Changed High High High Java SE: 7u101, 8u92 See
Note 1 CVE-2016-3503 Java SE Install None No 7.7 Local High None Required
Changed High High High Java SE: 6u115, 7u101, 8u92 See Note 2 CVE-2016-3498 Java
SE JavaFX Multiple Yes 5.3 Network Low None None Un changed None None Low Java
SE: 7u101, 8u92 See Note 1 CVE-2016-3500 Java SE, Java SE Embedded, JRockit JAXP
Multiple Yes 5.3 Network Low None None Un changed None None Low Java SE: 6u115,
7u101, 8u92; Java SE Embedded: 8u91; JRockit: R28.3.10 See Note 3 CVE-2016-3508
Java SE, Java SE Embedded, JRockit JAXP Multiple Yes 5.3 Network Low None None
Un changed None None Low Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91;
JRockit: R28.3.10 See Note 3 CVE-2016-3458 Java SE, Java SE Embedded CORBA
Multiple Yes 4.3 Network Low None Required Un changed None Low None Java SE:
6u115, 7u101, 8u92; Java SE Embedded: 8u91 See Note 1 CVE-2016-3550 Java SE,
Java SE Embedded Hotspot Multiple Yes 4.3 Network Low None Required Un changed
Low None None Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91 See Note 1
CVE-2016-3485 Java SE, Java SE Embedded, JRockit Networking None No 2.9 Local
High None None Un changed None Low None Java SE: 6u115, 7u101, 8u92; Java SE
Embedded: 8u91; JRockit: R28.3.10 See Note 3
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-3587 Java SE, Java SE
Embedded Hotspot Multiple Yes 9.6 Network Low None Required Changed High High
High Java SE: 8u92; Java SE Embedded: 8u91 See Note 1 CVE-2016-3606 Java SE,
Java SE Embedded Hotspot Multiple Yes 9.6 Network Low None Required Changed High
High High Java SE: 7u101, 8u92; Java SE Embedded: 8u91 See Note 1 CVE-2016-3598
Java SE, Java SE Embedded Libraries Multiple Yes 9.6 Network Low None Required
Changed High High High Java SE: 8u92; Java SE Embedded: 8u91 See Note 1
CVE-2016-3610 Java SE, Java SE Embedded Libraries Multiple Yes 9.6 Network Low
None Required Changed High High High Java SE: 8u92; Java SE Embedded: 8u91 See
Note 1 CVE-2016-3552 Java SE Install None No 8.1 Local High None None Changed
High High High Java SE: 8u92 See Note 2 CVE-2016-3511 Java SE Deployment None No
7.7 Local High None Required Changed High High High Java SE: 7u101, 8u92 See
Note 1 CVE-2016-3503 Java SE Install None No 7.7 Local High None Required
Changed High High High Java SE: 6u115, 7u101, 8u92 See Note 2 CVE-2016-3498 Java
SE JavaFX Multiple Yes 5.3 Network Low None None Un changed None None Low Java
SE: 7u101, 8u92 See Note 1 CVE-2016-3500 Java SE, Java SE Embedded, JRockit JAXP
Multiple Yes 5.3 Network Low None None Un changed None None Low Java SE: 6u115,
7u101, 8u92; Java SE Embedded: 8u91; JRockit: R28.3.10 See Note 3 CVE-2016-3508
Java SE, Java SE Embedded, JRockit JAXP Multiple Yes 5.3 Network Low None None
Un changed None None Low Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91;
JRockit: R28.3.10 See Note 3 CVE-2016-3458 Java SE, Java SE Embedded CORBA
Multiple Yes 4.3 Network Low None Required Un changed None Low None Java SE:
6u115, 7u101, 8u92; Java SE Embedded: 8u91 See Note 1 CVE-2016-3550 Java SE,
Java SE Embedded Hotspot Multiple Yes 4.3 Network Low None Required Un changed
Low None None Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91 See Note 1
CVE-2016-3485 Java SE, Java SE Embedded, JRockit Networking None No 2.9 Local
High None None Un changed None Low None Java SE: 6u115, 7u101, 8u92; Java SE
Embedded: 8u91; JRockit: R28.3.10 See Note 3
NOTES:
1. This vulnerability applies to Java deployments, typically in clients running
sandboxed Java Web Start applications or sandboxed Java applets, that load
and run untrusted code (e.g., code that comes from the internet) and rely on
the Java sandbox for security. This vulnerability does not apply to Java
deployments, typically in servers, that load and run only trusted code
(e.g., code installed by an administrator).
2. Applies to installation process on client deployment of Java.
3. Applies to client and server deployment of Java. This vulnerability can be
exploited through sandboxed Java Web Start applications and sandboxed Java
applets. It can also be exploited by supplying data to APIs in the specified
Component without using sandboxed Java Web Start applications or sandboxed
Java applets, such as through a web service.
APPENDIX - ORACLE SUN SYSTEMS PRODUCTS SUITE
ORACLE SUN SYSTEMS PRODUCTS SUITE EXECUTIVE SUMMARY
This Critical Patch Update contains 34 new security fixes for the Oracle Sun
Systems Products Suite. 21 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without the need
for a username and password. The English text form of this Risk Matrix can be
found here.
ORACLE SUN SYSTEMS PRODUCTS SUITE RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-5453 ILOM IPMI IPMI Yes 9.8
Network Low None None Un changed High High High 3.0, 3.1, 3.2 CVE-2015-0235
Sun Data Center InfiniBand Switch 36 Firmware Multiple Yes 9.8 Network Low None
None Un changed High High High Versions prior to 2.2.2 CVE-2015-0235 Sun
Network QDR InfiniBand Gateway Switch Firmware Multiple Yes 9.8 Network Low None
None Un changed High High High Versions prior to 2.2.2 CVE-2016-5457 ILOM
LUMAIN Multiple No 8.8 Network Low Low None Un changed High High High 3.0, 3.1,
3.2 CVE-2012-3410 ILOM Restricted Shell Multiple No 8.8 Network Low Low None
Un changed High High High 3.0, 3.1, 3.2 CVE-2016-5445 ILOM Authentication
Multiple Yes 8.3 Network Low None None Changed Low Low Low 3.0, 3.1, 3.2
CVE-2015-5600 ILOM SSH SSH Yes 8.2 Network Low None None Un changed Low None
High 3.0, 3.1, 3.2 CVE-2016-3481 ILOM Web HTTP No 7.7 Network Low Low None
Changed None None High 3.0, 3.1, 3.2 CVE-2016-5447 ILOM Backup-Restore HTTP No
7.6 Network Low Low None Un changed High Low Low 3.0, 3.1, 3.2 CVE-2016-5449
ILOM Console Redirection HTTP Yes 7.5 Network Low None None Un changed None None
High 3.0, 3.1, 3.2 CVE-2016-3585 ILOM Emulex HTTPS Yes 7.4 Network High None
None Un changed High High None 3.0, 3.1, 3.2 CVE-2016-5446 ILOM Infrastructure
Multiple Yes 7.3 Network Low None None Un changed Low Low Low 3.0, 3.1, 3.2
CVE-2016-3584 Solaris Libadimalloc None No 7.0 Local High Low None Un changed
High High High 11.3 CVE-2016-5448 ILOM SNMP SNMP Yes 6.5 Network Low None None
Un changed None Low Low 3.0, 3.1, 3.2 CVE-2015-1793 ILOM OpenSSL SSL/TLS Yes
6.5 Network Low None None Un changed Low Low None 3.0, 3.1, 3.2 CVE-2015-3183
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers XCP Firmware HTTP Yes
6.5 Network Low None Required Un changed None High None XCP prior to XCP1121
CVE-2015-8104 Solaris Solaris Kernel Zones None No 6.5 Local Low Low None
Changed None None High 11.3 CVE-2016-5454 Solaris Verified Boot None No 6.4
Local High Low None Changed None Low High 11.3 CVE-2015-3197 40G 10G 72/64
Ethernet Switch Firmware SSL/TLS Yes 5.9 Network High None None Un changed High
None None 2.0.0 CVE-2015-3197 Oracle Switch ES1-24 Firmware SSL/TLS Yes 5.9
Network High None None Un changed High None None 1.3 CVE-2015-3197 Sun Blade
6000 Ethernet Switched NEM 24P 10GE Firmware SSL/TLS Yes 5.9 Network High None
None Un changed High None None 1.2 CVE-2015-3197 Sun Network 10GE Switch 72p
Firmware SSL/TLS Yes 5.9 Network High None None Un changed High None None 1.2
CVE-2016-3453 Solaris Kernel None No 5.5 Local Low Low None Un changed None None
High 10 CVE-2016-3497 Solaris Kernel None No 5.5 Local Low Low None Un changed
None None High 11.3 CVE-2016-5469 Solaris Kernel None No 5.5 Local Low Low
None Un changed None None High 11.3 CVE-2016-5471 Solaris Kernel None No 5.5
Local Low Low None Un changed None None High 11.3 CVE-2016-5452 Solaris
Verified Boot None No 5.5 Local Low Low None Un changed High None None 11.3
CVE-2013-2566 Fujitsu M10-1, M10-4, M10-4S Servers XCP Firmware SSL/TLS Yes 5.3
Network High None Required Un changed High None None XCP prior to XCP2280
CVE-2016-0800 Fujitsu M10-1, M10-4, M10-4S Servers XCP Firmware SSL/TLS Yes 5.3
Network High None Required Un changed High None None XCP prior to XCP2320
CVE-2015-2808 SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers XCP
Firmware SSL/TLS Yes 5.3 Network High None Required Un changed High None None
XCP prior to XCP1121 CVE-2016-3451 ILOM Web HTTP Yes 4.7 Network Low None
Required Changed None Low None 3.0, 3.1, 3.2 CVE-2016-3480 Solaris Cluster HA
for Postgresql None No 4.4 Local Low High None Un changed High None None 3.3,
4.3 CVE-2014-3566 Sun Data Center InfiniBand Switch 36 Firmware HTTPS Yes 3.1
Network High None Required Un changed Low None None Versions prior to 2.2.2
CVE-2014-3566 Sun Network QDR InfiniBand Gateway Switch Firmware HTTPS Yes 3.1
Network High None Required Un changed Low None None Versions prior to 2.2.2
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-5453 ILOM IPMI IPMI Yes 9.8
Network Low None None Un changed High High High 3.0, 3.1, 3.2 CVE-2015-0235
Sun Data Center InfiniBand Switch 36 Firmware Multiple Yes 9.8 Network Low None
None Un changed High High High Versions prior to 2.2.2 CVE-2015-0235 Sun
Network QDR InfiniBand Gateway Switch Firmware Multiple Yes 9.8 Network Low None
None Un changed High High High Versions prior to 2.2.2 CVE-2016-5457 ILOM
LUMAIN Multiple No 8.8 Network Low Low None Un changed High High High 3.0, 3.1,
3.2 CVE-2012-3410 ILOM Restricted Shell Multiple No 8.8 Network Low Low None
Un changed High High High 3.0, 3.1, 3.2 CVE-2016-5445 ILOM Authentication
Multiple Yes 8.3 Network Low None None Changed Low Low Low 3.0, 3.1, 3.2
CVE-2015-5600 ILOM SSH SSH Yes 8.2 Network Low None None Un changed Low None
High 3.0, 3.1, 3.2 CVE-2016-3481 ILOM Web HTTP No 7.7 Network Low Low None
Changed None None High 3.0, 3.1, 3.2 CVE-2016-5447 ILOM Backup-Restore HTTP No
7.6 Network Low Low None Un changed High Low Low 3.0, 3.1, 3.2 CVE-2016-5449
ILOM Console Redirection HTTP Yes 7.5 Network Low None None Un changed None None
High 3.0, 3.1, 3.2 CVE-2016-3585 ILOM Emulex HTTPS Yes 7.4 Network High None
None Un changed High High None 3.0, 3.1, 3.2 CVE-2016-5446 ILOM Infrastructure
Multiple Yes 7.3 Network Low None None Un changed Low Low Low 3.0, 3.1, 3.2
CVE-2016-3584 Solaris Libadimalloc None No 7.0 Local High Low None Un changed
High High High 11.3 CVE-2016-5448 ILOM SNMP SNMP Yes 6.5 Network Low None None
Un changed None Low Low 3.0, 3.1, 3.2 CVE-2015-1793 ILOM OpenSSL SSL/TLS Yes
6.5 Network Low None None Un changed Low Low None 3.0, 3.1, 3.2 CVE-2015-3183
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers XCP Firmware HTTP Yes
6.5 Network Low None Required Un changed None High None XCP prior to XCP1121
CVE-2015-8104 Solaris Solaris Kernel Zones None No 6.5 Local Low Low None
Changed None None High 11.3 CVE-2016-5454 Solaris Verified Boot None No 6.4
Local High Low None Changed None Low High 11.3 CVE-2015-3197 40G 10G 72/64
Ethernet Switch Firmware SSL/TLS Yes 5.9 Network High None None Un changed High
None None 2.0.0 CVE-2015-3197 Oracle Switch ES1-24 Firmware SSL/TLS Yes 5.9
Network High None None Un changed High None None 1.3 CVE-2015-3197 Sun Blade
6000 Ethernet Switched NEM 24P 10GE Firmware SSL/TLS Yes 5.9 Network High None
None Un changed High None None 1.2 CVE-2015-3197 Sun Network 10GE Switch 72p
Firmware SSL/TLS Yes 5.9 Network High None None Un changed High None None 1.2
CVE-2016-3453 Solaris Kernel None No 5.5 Local Low Low None Un changed None None
High 10 CVE-2016-3497 Solaris Kernel None No 5.5 Local Low Low None Un changed
None None High 11.3 CVE-2016-5469 Solaris Kernel None No 5.5 Local Low Low
None Un changed None None High 11.3 CVE-2016-5471 Solaris Kernel None No 5.5
Local Low Low None Un changed None None High 11.3 CVE-2016-5452 Solaris
Verified Boot None No 5.5 Local Low Low None Un changed High None None 11.3
CVE-2013-2566 Fujitsu M10-1, M10-4, M10-4S Servers XCP Firmware SSL/TLS Yes 5.3
Network High None Required Un changed High None None XCP prior to XCP2280
CVE-2016-0800 Fujitsu M10-1, M10-4, M10-4S Servers XCP Firmware SSL/TLS Yes 5.3
Network High None Required Un changed High None None XCP prior to XCP2320
CVE-2015-2808 SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers XCP
Firmware SSL/TLS Yes 5.3 Network High None Required Un changed High None None
XCP prior to XCP1121 CVE-2016-3451 ILOM Web HTTP Yes 4.7 Network Low None
Required Changed None Low None 3.0, 3.1, 3.2 CVE-2016-3480 Solaris Cluster HA
for Postgresql None No 4.4 Local Low High None Un changed High None None 3.3,
4.3 CVE-2014-3566 Sun Data Center InfiniBand Switch 36 Firmware HTTPS Yes 3.1
Network High None Required Un changed Low None None Versions prior to 2.2.2
CVE-2014-3566 Sun Network QDR InfiniBand Gateway Switch Firmware HTTPS Yes 3.1
Network High None Required Un changed Low None None Versions prior to 2.2.2
APPENDIX - ORACLE LINUX AND VIRTUALIZATION
ORACLE VIRTUALIZATION EXECUTIVE SUMMARY
This Critical Patch Update contains 4 new security fixes for Oracle
Virtualization. 3 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without the need for a
username and password. The English text form of this Risk Matrix can be found
here.
ORACLE VIRTUALIZATION RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-3613 Oracle Secure Global
Desktop OpenSSL SSL/TLS Yes 9.8 Network Low None None Un changed High High High
4.63, 4.71, 5.2 CVE-2013-2064 Oracle Secure Global Desktop X Server X11 Yes
7.3 Network Low None None Un changed Low Low Low 4.71, 5.2 CVE-2016-3612
Oracle VM VirtualBox Core SSL/TLS Yes 5.9 Network High None None Un changed High
None None VirtualBox prior to 5.0.22 CVE-2016-3597 Oracle VM VirtualBox Core
None No 5.5 Local Low Low None Un changed None None High VirtualBox prior to
5.0.26
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-3613 Oracle Secure Global
Desktop OpenSSL SSL/TLS Yes 9.8 Network Low None None Un changed High High High
4.63, 4.71, 5.2 CVE-2013-2064 Oracle Secure Global Desktop X Server X11 Yes
7.3 Network Low None None Un changed Low Low Low 4.71, 5.2 CVE-2016-3612
Oracle VM VirtualBox Core SSL/TLS Yes 5.9 Network High None None Un changed High
None None VirtualBox prior to 5.0.22 CVE-2016-3597 Oracle VM VirtualBox Core
None No 5.5 Local Low Low None Un changed None None High VirtualBox prior to
5.0.26
ADDITIONAL CVES ADDRESSED:
* The fix for CVE-2016-3612 also addresses CVE-2016-2105, CVE-2016-2106,
CVE-2016-2107, CVE-2016-2109, and CVE-2016-2176.
* The fix for CVE-2016-3613 also addresses CVE-2015-3193, CVE-2015-3194,
CVE-2016-0702, CVE-2016-0797, CVE-2016-0799, CVE-2016-2105, and
CVE-2016-2107.
APPENDIX - ORACLE MYSQL
ORACLE MYSQL EXECUTIVE SUMMARY
This Critical Patch Update contains 22 new security fixes for Oracle MySQL. 3 of
these vulnerabilities may be remotely exploitable without authentication, i.e.,
may be exploited over a network without the need for a username and password.
The English text form of this Risk Matrix can be found here.
ORACLE MYSQL RISK MATRIX
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-3477 MySQL Server Server:
Parser None No 8.1 Local High None None Changed High High High 5.5.49 and
earlier, 5.6.30 and earlier, 5.7.12 and earlier CVE-2016-3440 MySQL Server
Server: Optimizer MySQL Protocol No 7.7 Network Low Low None Changed None None
High 5.7.11 and earlier CVE-2016-2105 MySQL Server Server: Security:
Encryption MySQL Protocol Yes 7.5 Network Low None None Un changed None None
High 5.6.30 and earlier, 5.7.12 and earlier CVE-2016-3471 MySQL Server Server:
Option None No 7.5 Local High High None Changed High High High 5.5.45 and
earlier, 5.6.26 and earlier CVE-2016-3486 MySQL Server Server: FTS MySQL
Protocol No 6.5 Network Low Low None Un changed None None High 5.6.30 and
earlier, 5.7.12 and earlier CVE-2016-3501 MySQL Server Server: Optimizer MySQL
Protocol No 6.5 Network Low Low None Un changed None None High 5.6.30 and
earlier, 5.7.12 and earlier CVE-2016-3518 MySQL Server Server: Optimizer MySQL
Protocol No 6.5 Network Low Low None Un changed None None High 5.7.12 and
earlier CVE-2016-3521 MySQL Server Server: Types MySQL Protocol No 6.5 Network
Low Low None Un changed None None High 5.5.49 and earlier, 5.6.30 and earlier,
5.7.12 and earlier CVE-2016-3588 MySQL Server Server: InnoDB MySQL Protocol No
5.9 Network High Low None Un changed None Low High 5.7.12 and earlier
CVE-2016-3615 MySQL Server Server: DML MySQL Protocol No 5.3 Network High Low
None Un changed None None High 5.5.49 and earlier, 5.6.30 and earlier, 5.7.12
and earlier CVE-2016-3614 MySQL Server Server: Security: Encryption MySQL
Protocol No 5.3 Network High Low None Un changed None None High 5.6.30 and
earlier, 5.7.12 and earlier CVE-2016-5436 MySQL Server Server: InnoDB MySQL
Protocol No 4.9 Network Low High None Un changed None None High 5.7.12 and
earlier CVE-2016-3459 MySQL Server Server: InnoDB MySQL Protocol No 4.9
Network Low High None Un changed None None High 5.6.30 and earlier, 5.7.12 and
earlier CVE-2016-5437 MySQL Server Server: Log MySQL Protocol No 4.9 Network
Low High None Un changed None None High 5.7.12 and earlier CVE-2016-3424 MySQL
Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un changed
None None High 5.7.12 and earlier CVE-2016-5439 MySQL Server Server:
Privileges MySQL Protocol No 4.9 Network Low High None Un changed None None High
5.6.30 and earlier, 5.7.12 and earlier CVE-2016-5440 MySQL Server Server: RBR
MySQL Protocol No 4.9 Network Low High None Un changed None None High 5.5.49 and
earlier, 5.6.30 and earlier, 5.7.12 and earlier CVE-2016-5441 MySQL Server
Server: Replication MySQL Protocol No 4.9 Network Low High None Un changed None
None High 5.7.12 and earlier CVE-2016-5442 MySQL Server Server: Security:
Encryption MySQL Protocol No 4.9 Network Low High None Un changed None None High
5.7.12 and earlier CVE-2016-5443 MySQL Server Server: Connection None No 4.7
Local High None Required Un changed None None High 5.7.12 and earlier
CVE-2016-5444 MySQL Server Server: Connection MySQL Protocol Yes 3.7 Network
High None None Un changed Low None None 5.5.48 and earlier, 5.6.29 and earlier,
5.7.11 and earlier CVE-2016-3452 MySQL Server Server: Security: Encryption
MySQL Protocol Yes 3.7 Network High None None Un changed Low None None 5.5.48
and earlier, 5.6.29 and earlier, 5.7.10 and earlier
CVE# Component Subcomponent Protocol Remote Exploit without Auth.? CVSS VERSION
3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes Base
Score Attack Vector Attack Complex Privs Req'd User Interact Scope
Confidentiality Integrity Availability CVE-2016-3477 MySQL Server Server:
Parser None No 8.1 Local High None None Changed High High High 5.5.49 and
earlier, 5.6.30 and earlier, 5.7.12 and earlier CVE-2016-3440 MySQL Server
Server: Optimizer MySQL Protocol No 7.7 Network Low Low None Changed None None
High 5.7.11 and earlier CVE-2016-2105 MySQL Server Server: Security:
Encryption MySQL Protocol Yes 7.5 Network Low None None Un changed None None
High 5.6.30 and earlier, 5.7.12 and earlier CVE-2016-3471 MySQL Server Server:
Option None No 7.5 Local High High None Changed High High High 5.5.45 and
earlier, 5.6.26 and earlier CVE-2016-3486 MySQL Server Server: FTS MySQL
Protocol No 6.5 Network Low Low None Un changed None None High 5.6.30 and
earlier, 5.7.12 and earlier CVE-2016-3501 MySQL Server Server: Optimizer MySQL
Protocol No 6.5 Network Low Low None Un changed None None High 5.6.30 and
earlier, 5.7.12 and earlier CVE-2016-3518 MySQL Server Server: Optimizer MySQL
Protocol No 6.5 Network Low Low None Un changed None None High 5.7.12 and
earlier CVE-2016-3521 MySQL Server Server: Types MySQL Protocol No 6.5 Network
Low Low None Un changed None None High 5.5.49 and earlier, 5.6.30 and earlier,
5.7.12 and earlier CVE-2016-3588 MySQL Server Server: InnoDB MySQL Protocol No
5.9 Network High Low None Un changed None Low High 5.7.12 and earlier
CVE-2016-3615 MySQL Server Server: DML MySQL Protocol No 5.3 Network High Low
None Un changed None None High 5.5.49 and earlier, 5.6.30 and earlier, 5.7.12
and earlier CVE-2016-3614 MySQL Server Server: Security: Encryption MySQL
Protocol No 5.3 Network High Low None Un changed None None High 5.6.30 and
earlier, 5.7.12 and earlier CVE-2016-5436 MySQL Server Server: InnoDB MySQL
Protocol No 4.9 Network Low High None Un changed None None High 5.7.12 and
earlier CVE-2016-3459 MySQL Server Server: InnoDB MySQL Protocol No 4.9
Network Low High None Un changed None None High 5.6.30 and earlier, 5.7.12 and
earlier CVE-2016-5437 MySQL Server Server: Log MySQL Protocol No 4.9 Network
Low High None Un changed None None High 5.7.12 and earlier CVE-2016-3424 MySQL
Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un changed
None None High 5.7.12 and earlier CVE-2016-5439 MySQL Server Server:
Privileges MySQL Protocol No 4.9 Network Low High None Un changed None None High
5.6.30 and earlier, 5.7.12 and earlier CVE-2016-5440 MySQL Server Server: RBR
MySQL Protocol No 4.9 Network Low High None Un changed None None High 5.5.49 and
earlier, 5.6.30 and earlier, 5.7.12 and earlier CVE-2016-5441 MySQL Server
Server: Replication MySQL Protocol No 4.9 Network Low High None Un changed None
None High 5.7.12 and earlier CVE-2016-5442 MySQL Server Server: Security:
Encryption MySQL Protocol No 4.9 Network Low High None Un changed None None High
5.7.12 and earlier CVE-2016-5443 MySQL Server Server: Connection None No 4.7
Local High None Required Un changed None None High 5.7.12 and earlier
CVE-2016-5444 MySQL Server Server: Connection MySQL Protocol Yes 3.7 Network
High None None Un changed Low None None 5.5.48 and earlier, 5.6.29 and earlier,
5.7.11 and earlier CVE-2016-3452 MySQL Server Server: Security: Encryption
MySQL Protocol Yes 3.7 Network High None None Un changed Low None None 5.5.48
and earlier, 5.6.29 and earlier, 5.7.10 and earlier
ADDITIONAL CVES ADDRESSED:
* The fix for CVE-2016-2105 also addresses CVE-2016-2106.
RESOURCES FOR
* Careers
* Developers
* Investors
* Partners
* Researchers
* Students and Educators
WHY ORACLE
* Analyst Reports
* Best cloud-based ERP
* Cloud Economics
* Corporate Responsibility
* Diversity and Inclusion
* Security Practices
LEARN
* What is cloud computing?
* What is CRM?
* What is Docker?
* What is Kubernetes?
* What is Python?
* What is SaaS?
WHAT’S NEW
* News
* Oracle Applications Platform
* Oracle Supports Ukraine
* Oracle Red Bull Racing
* Oracle Sustainability
* Employee Experience Platform
CONTACT US
* US Sales: +1.800.633.0738
* How can we help?
* Subscribe to emails
* Events
* Blogs
--------------------------------------------------------------------------------
* Country/Region
*
* © 2023 Oracle
* Privacy/Do Not Sell My Info
* Cookie-Einstellungen
* Ad Choices
* Careers
*
*
*
*