Oracle Critical Patch Update Advisory - April 2018

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

 

 

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 254 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2018 Critical Patch Update: Executive Summary and Analysis.

The January 2018 Critical Patch Update provided patches in response to the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) processor vulnerabilities. Please refer to this Advisory and the Addendum to the January 2018 Critical Patch Update Advisory for Spectre and Meltdown MOS note (Doc ID 2347948.1) for information on how to obtain these patches.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions Patch Availability Document
Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.0.0 Enterprise Manager
Enterprise Manager for MySQL Database, version 12.1.0.4 Enterprise Manager
Enterprise Manager for Virtualization, version 13.2 Enterprise Manager
Enterprise Manager Ops Center, versions 12.2.2, 12.3.3 Enterprise Manager
Hardware Management Pack, versions prior to 2.4.3 Systems
Instantis EnterpriseTrack, versions 17.1, 17.2 Oracle Construction and Engineering Suite
Integrated Lights Out Manager (ILOM), versions 3.x, 4.x Systems
JD Edwards EnterpriseOne Tools, version 9.2.2 JD Edwards
JD Edwards World Security, versions A9.2, A9.3, A9.4 JD Edwards
Management Pack for Oracle GoldenGate, version 11.2.1.0.13 Fusion Middleware
MICROS Handheld Terminal, versions Prior to Fusion 2.03.0.0.021R MICROS Handheld Terminal
MICROS Lucas, version 2.9.5 Retail Applications
MySQL Cluster, versions 7.2.27 and prior, 7.3.16 and prior, 7.4.14 and prior, 7.5.5 and prior MySQL
MySQL Enterprise Monitor, versions 3.3.7.3306 and prior, 3.4.5.4248 and prior, 4.0.2.5168 and prior MySQL
MySQL Server, versions 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior MySQL
Oracle Access Manager, versions 10.1.4.3.0, 11.1.2.3.0, 12.2.1.3.0 Fusion Middleware
Oracle Adaptive Access Manager, version 11.1.2.3.0 Fusion Middleware
Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1 Oracle Supply Chain Products
Oracle Agile PLM Framework, version 9.3.6 Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, versions 6.1.1.6, 6.2.0.0, 6.2.1.0 Oracle Supply Chain Products
Oracle Application Testing Suite, versions 12.5.0.3, 13.1.0.1, 13.2.0.1 Enterprise Manager
Oracle Banking Corporate Lending, versions 12.3.0, 12.4.0, 12.5.0, 14.0.0 Oracle Financial Services Applications
Oracle Banking Enterprise Collections, version 2.6 Oracle Banking Platform
Oracle Banking Enterprise Originations, version 2.6 Oracle Banking Platform
Oracle Banking Enterprise Product Manufacturing, version 2.6 Oracle Banking Platform
Oracle Banking Payments, versions 12.3.0, 12.4.0, 12.5.0, 14.0.0 Oracle Financial Services Applications
Oracle Banking Platform, versions 2.4, 2.5, 2.6 Oracle Banking Platform
Oracle Big Data Discovery, version 1.6.0 Fusion Middleware
Oracle Business Intelligence Data Warehouse Administration Console, version 11.1.1.6.4 Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0 Fusion Middleware
Oracle Communications Calendar Server, version 8.x Oracle Communications Calendar Server
Oracle Communications Contacts Server, version 8.x Oracle Communications Contacts Server
Oracle Communications EAGLE LNP Application Processor, versions 10.1.0.0.0 and prior Oracle Communications EAGLE LNP Application Processor
Oracle Communications Messaging Server, version 8.x Oracle Communications Messaging Server
Oracle Communications MetaSolv Solution, version 6.3.0 Oracle Communications MetaSolv Solution
Oracle Communications Network Charging and Control, versions 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0 Oracle Communications Network Charging and Control
Oracle Communications Network Intelligence, version 7.3.x Oracle Communications Network Intelligence
Oracle Communications Order and Service Management, versions 7.2.4.3.0, 7.3.0.1.x, 7.3.1.0.7, 7.3.5.0.x Oracle Communications Order and Service Management
Oracle Communications Unified Inventory Management, version 7.x Oracle Communications Unified Inventory Management
Oracle Data Visualization Desktop, version 12.2.4.1.1 Fusion Middleware
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1.0.0 Database
Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 E-Business Suite
Oracle Endeca Information Discovery Integrator, versions 3.1, 3.2 Fusion Middleware
Oracle Endeca Information Discovery Studio, versions 7.6.1.0.0, 7.7.0.0.0 Fusion Middleware
Oracle Endeca Server, version 7.7 Fusion Middleware
Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0 Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.x, 8.0.x Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Basel Regulatory Capital Basic, version 8.0.x Oracle Financial Services Basel Regulatory Capital Basic
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, version 8.0.x Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4, 8.0.5 Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Market Risk Measurement and Management, version 8.0.5 Oracle Financial Services Market Risk Measurement and Management
Oracle FLEXCUBE Core Banking, versions 11.5.0, 11.6.0, 11.7.0 Oracle Financial Services Applications
Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 12.3.0, 14.0.0 Oracle Financial Services Applications
Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0 Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0 Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0 Oracle Financial Services Applications
Oracle Fusion Applications , versions 11.1.2 through 11.1.9 Fusion Applications
Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.3, 12.1.3.0, 12.2.1.2, 12.2.1.3 Fusion Middleware
Oracle Fusion Middleware MapViewer, versions 11.1.1.7.0, 11.1.1.9.0 Fusion Middleware
Oracle GoldenGate, version 12.2.0.1 Oracle GoldenGate
Oracle GoldenGate Veridata, versions 11.2.0.1.2, 12.1.3.0.0 Fusion Middleware
Oracle Hospitality Cruise Fleet Management System, version 9.x Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 Oracle Hospitality Guest Access
Oracle Hospitality Reporting and Analytics, version 9.0 Oracle Hospitality Reporting and Analytics
Oracle Hospitality Simphony, versions 2.7, 2.8, 2.9, 2.10 Oracle Hospitality Simphony
Oracle Hospitality Simphony First Edition, versions 1.6, 1.7 Oracle Hospitality Simphony First Edition
Oracle Hospitality Suite8, version 8.x Oracle Hospitality Suite8
Oracle HTTP Server, versions 12.1.3, 12.2.1.2 Fusion Middleware
Oracle Java SE, versions 6u181, 7u161, 7u171, 8u152, 8u162, 10 Java SE
Oracle Java SE Embedded, versions 8u152, 8u161 Java SE
Oracle JRockit, version R28.3.17 Java SE
Oracle Managed File Transfer, versions 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0 Fusion Middleware
Oracle Mobile Security Suite, version 3.0.1 Fusion Middleware
Oracle Outside In Technology, version 8.5.3 Fusion Middleware
Oracle Retail Advanced Inventory Planning, versions 13.2, 13.4, 14.1, 15.0 Retail Applications
Oracle Retail Back Office, versions 13.4.9, 14.0.4, 14.1.3 Retail Applications
Oracle Retail Central Office, versions 13.4.9, 14.0.4, 14.1.3 Retail Applications
Oracle Retail Customer Engagement, version 16.0 Retail Applications
Oracle Retail EFTLink, versions 1.1.124, 15.0.1, 16.0.2 Retail Applications
Oracle Retail Insights, versions 14.0, 14.1, 15.0, 16.0 Retail Applications
Oracle Retail Integration Bus, version 13.2 Retail Applications
Oracle Retail Invoice Matching, versions 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0, 16.0 Retail Applications
Oracle Retail Merchandising System, version 15.0 Retail Applications
Oracle Retail Order Broker, versions 5.0, 5.1, 5.2, 15.0, 16.0 Retail Applications
Oracle Retail Order Management System, versions 4.0, 4.5, 4.7, 5.0 Retail Applications
Oracle Retail Point-of-Service, versions 13.3.8, 13.4.9, 14.0.4, 14.1.3 Retail Applications
Oracle Retail Predictive Application Server, versions 13.4.3, 14.0.3, 14.1.3 Retail Applications
Oracle Retail Price Management, versions 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0, 16.0 Retail Applications
Oracle Retail Returns Management, versions 2.3.8, 2.4.9, 14.0.4, 14.1.3 Retail Applications
Oracle Retail Store Inventory Management, versions 12.0.12, 13.0.7, 13.1.9, 13.2.9, 14.0.4, 14.1.3, 15.0.2, 16.0.1 Retail Applications
Oracle Retail Xstore Point of Service, versions 6.0.11, 6.5.11, 7.0.6, 7.1.6, 15.0.1, 16.0.2 Retail Applications
Oracle Secure Global Desktop (SGD), version 5.3 Virtualization
Oracle Security Service, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0 Fusion Middleware
Oracle Transportation Management, versions 6.2, 6.4.3 Oracle Supply Chain Products
Oracle Tuxedo, version 12.1.1.0.0 Fusion Middleware
Oracle Utilities Framework, versions 2.2.0, 4.2.0, 4.3.0 Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.1.36, prior to 5.2.10 Virtualization
Oracle WebCenter Content, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0 Fusion Middleware
Oracle WebCenter Portal, versions 12.2.1.2.0, 12.2.1.3.0 Fusion Middleware
Oracle WebCenter Sites, versions 11.1.1.8.0, 12.2.1.2.0, 12.2.1.3.0 Fusion Middleware
Oracle WebLogic Portal, version 10.3.6.0.0 Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3 Fusion Middleware
OSS Support Tools, versions prior to 18.2 Support Tools
PeopleSoft Enterprise HCM, version 9.2 PeopleSoft
PeopleSoft Enterprise HCM Shared Components, version 9.2 PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55, 8.56 PeopleSoft
PeopleSoft Enterprise PRTL Interaction Hub, version 9.1 PeopleSoft
PeopleSoft Enterprise PT PeopleTools, versions 8.54, 8.55, 8.56 PeopleSoft
Primavera P6 Enterprise Project Portfolio Management, versions 16.2, 17.1 – 17.12 Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.x, 17.x Oracle Construction and Engineering Suite
Real-Time Decisions (RTD) Solutions, version 3.2.0.0.0 Fusion Middleware
Siebel Applications, version 17.0 Siebel
Solaris, versions 10, 11.3 Systems
Solaris Cluster, version 4.3 Systems
Sun ZFS Storage Appliance Kit (AK), versions prior to 8.7.17 Systems

Note:

  • Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
  • Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible. Until you apply the Critical Patch Update fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • Adam Willard of Blue Canopy: CVE-2018-2750, CVE-2018-2828
  • Anthony Weems of Praetorian: CVE-2018-2813
  • Apostolos Giannakidis of Waratek : CVE-2018-2815
  • Behzad Najjarpour Jabbari, Secunia Research at Flexera Software: CVE-2018-2806
  • Cris Neckar of Divergent Security: CVE-2018-2587
  • David Benjamin of Google: CVE-2018-2783
  • Francesco Palmarini of Ca' Foscari University of Venice: CVE-2018-2794
  • Ismail Bulbul: CVE-2018-2770
  • Jayson Grace of Sandia National Laboratories: CVE-2018-2821
  • Jens Müller of Ruhr-University Bochum: CVE-2018-2768
  • Jim LaValley, Towerwall, Inc.: CVE-2018-2849
  • John Heasman of DocuSign: CVE-2018-2811
  • Juan Pablo Perez Etchegoyen of Onapsis: CVE-2018-2864, CVE-2018-2865, CVE-2018-2866, CVE-2018-2867, CVE-2018-2868, CVE-2018-2869, CVE-2018-2870, CVE-2018-2871, CVE-2018-2872, CVE-2018-2873
  • Liao Xinxi of NSFOCUS Security Team: CVE-2018-2628
  • loopx9: CVE-2018-2628
  • Marche147: CVE-2018-2830
  • Marco Squarcina of Ca' Foscari University of Venice: CVE-2018-2794
  • Mateusz Krzywicki of Microsoft Corp: CVE-2018-2801
  • Mauro Tempesta of Ca' Foscari University of Venice: CVE-2018-2794
  • Michael Orlitzky: CVE-2018-2773
  • Moritz Bechler: CVE-2018-2800
  • Nabeel Ahmed of Dimension Data: CVE-2018-2739
  • Nikita Egorov of ERPScan: CVE-2018-2752
  • Niklas Baumstark working with Trend Micro's Zero Day Initiative: CVE-2018-2860
  • Prashant Kumar of Lucideus Tech: CVE-2018-2807
  • Reno Robert: CVE-2018-2842, CVE-2018-2843, CVE-2018-2844, CVE-2018-2845
  • Riccardo Focardi of Ca' Foscari University of Venice: CVE-2018-2794
  • Richard Alviarez: CVE-2018-2791
  • Roberto Suggi Liverani of Beyond Security’s SecuriTeam Secure Disclosure program: CVE-2018-2834
  • Roman Fiedler of Austrian Institute of Technology: CVE-2018-2831
  • Shargon: CVE-2018-2761
  • Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2018-2756
  • Tom Gilis of Dimension Data: CVE-2018-2739
  • Vasily Vasiliev working with Trend Micro's Zero Day Initiative: CVE-2018-2830, CVE-2018-2835, CVE-2018-2836, CVE-2018-2837
  • Wolfgang Ettlinger of SEC Consult Vulnerability Lab: CVE-2018-2879
  • XOR19 working with Trend Micro's Zero Day Initiative: CVE-2018-2825, CVE-2018-2826
  • Zuozhi Fan: CVE-2018-2779, CVE-2018-2780, CVE-2018-2781

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program.:

  • Andrea Scaduto
  • Gregory Rubin of Amazon Web Services IT Security
  • Jacob Baines of Tenable Network Security
  • Lokesh Sharma
  • Peter Baris
  • Sean Devlin
  • Vahagn Vardanyan of ERPScan (6 reports)

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

  • Abhishek Kar
  • Adesh Nandkishor Kolte
  • Akrem
  • Amirhossein Shahin
  • Anti Räis
  • Arpit Jain
  • Ashish Gautam Kamble
  • Aviral Apurva
  • Bourrou Said
  • Chacko K Abraham
  • Chirag Gupta
  • Cole Woods
  • Dadou Bendjedidi
  • Dan Protopopescu
  • Florian Charbonneau
  • Havoc Guhan
  • Ipsita Subhadarshan Sahoo (5 reports)
  • Ismail Bulbul
  • Mazlum Bozan
  • Miguel Santareno (2 reports)
  • Mohammed Almouty
  • Mohammed Israil
  • Mustafa Kamal
  • Narasimha Murthy Sagi
  • Nikhil sahoo (5 reports)
  • Nisheal A John
  • Prathamesh Joshi
  • Pubudu Priyashan Sanjay Singh
  • Rahul R
  • Rickard von Essen
  • Rishi Mohandas
  • Ronnie T Baby
  • Sadik Shaikh
  • Sahil Tikoo
  • Shivram (Shiv) Chouhan
  • Shrey Shah of Comexpo Cyber Security
  • so9256761
  • Suyog Palav
  • Tansel ÇETİN
  • Vasim Shaikh (Vidyalankar Institute of Technology) (2 reports)
  • Vishal Shukla
  • Wai Yan Aung
  • Wen Bin Kong
  • White Hat Bangladesh
  • Yash Mehta
  • Zishan Ahamed Thandar

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 17 July 2018
  • 16 October 2018
  • 15 January 2019
  • 16 April 2019

References


Modification History

Date Note
2018-April-23 Rev 2. Updated credit statement, updated the CVSS score associated with a fix for Siebel UI Framework, modified affected versions for CVE-2018-2765 and updated the affected versions associated with the following Oracle Retail products: Oracle Retail EFTLink, Oracle Retail Merchandising System and Oracle Retail Xstore Point of Service.
2018-April-17 Rev 1. Initial Release.

 

 

 

Oracle Database Server Risk Matrix

This Critical Patch Update contains 2 new security fixes for the Oracle Database Server divided as follows:

  • 1 new security fix for the Oracle Database Server.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials.  This fix is not applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
  • 1 new security fix for Oracle GoldenGate.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

 



CVE# Component Package and/or Privilege Required Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-2841 Java VM Create Session, Create Procedure Multiple No 8.5 Network High Low None Changed High High High 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1.0.0  
 



This Critical Patch Update contains 1 new security fix for Oracle GoldenGate.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.



CVE# Component Package and/or Privilege Required Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-2832 Oracle GoldenGate None HTTP Yes 8.6 Network Low None None Changed High None None 12.2.0.1  
 


 

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 9 new security fixes for Oracle Communications Applications.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-5645 Oracle Communications Network Intelligence Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 7.3.x  
CVE-2017-5645 Oracle Communications Unified Inventory Management Logging (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 7.x  
CVE-2017-15095 Oracle Communications Calendar Server WCAP (jackson-databind) WCAP Yes 8.1 Network High None None Un-
changed
High High High 8.x  
CVE-2017-15095 Oracle Communications Contacts Server REST (jackson-databind) RESTful Addressbook Protocol Yes 8.1 Network High None None Un-
changed
High High High 8.x  
CVE-2016-6304 Oracle Communications EAGLE LNP Application Processor Security (OpenSSL) TLS Yes 7.5 Network Low None None Un-
changed
None None High 10.1.0.0.0 and Prior  
CVE-2017-7805 Oracle Communications Messaging Server Security (NSS) TLS No 7.5 Network High Low None Un-
changed
High High High 8.x  
CVE-2017-5662 Oracle Communications MetaSolv Solution Print Preview (Apache Batik) HTTP No 7.3 Network Low Low Required Un-
changed
High None High 6.3.0  
CVE-2018-2756 Oracle Communications Order and Service Management WebUI HTTP No 6.3 Network Low Low Required Un-
changed
High Low None 7.2.4.3.0, 7.3.0.1.x, 7.3.1.0.7, 7.3.5.0.x  
CVE-2017-3736 Oracle Communications Network Charging and Control Common (OpenSSL) TLS Yes 5.9 Network High None None Un-
changed
High None None 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0  
 

Additional CVEs addressed are below:

  • The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309 and CVE-2016-7052.
  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.
  • The fix for CVE-2017-3736 also addresses CVE-2017-3735.

 

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 4 new security fixes for the Oracle Construction and Engineering Suite.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-12617 Instantis EnterpriseTrack Web Server (Apache Tomcat) HTTP Yes 8.1 Network High None None Un-
changed
High High High 17.1, 17.2  
CVE-2017-15095 Primavera Unifier Core (jackson-databind) HTTP Yes 8.1 Network High None None Un-
changed
High High High 16.x, 17.x  
CVE-2018-2849 Primavera P6 Enterprise Project Portfolio Management Web Access HTTP No 7.7 Network Low Low None Changed High None None 16.2, 17.1 – 17.12  
CVE-2017-5662 Instantis EnterpriseTrack Sitewand (Apache Batik) HTTP No 7.3 Network Low Low Required Un-
changed
High None High 17.1, 17.2  
 

Additional CVEs addressed are below:

  • The fix for CVE-2017-12617 also addresses CVE-2017-5664.
  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.

 

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 12 new security fixes for the Oracle E-Business Suite.  11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2018), My Oracle Support Note 2369524.1.

 



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-2870 Oracle Human Resources General Utilities HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7  
CVE-2018-2871 Oracle Human Resources General Utilities HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7  
CVE-2018-2804 Oracle Application Object Library DB Privileges HTTP Yes 7.4 Network High None None Un-
changed
High High None 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7  
CVE-2018-2864 Oracle Application Object Library Diagnostics HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7  
CVE-2018-2867 Oracle Application Object Library Diagnostics HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7  
CVE-2018-2872 Oracle General Ledger Account Hierarchy Manager HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7  
CVE-2018-2873 Oracle General Ledger Account Hierarchy Manager HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7  
CVE-2018-2865 Oracle General Ledger Consolidation Hierarchy Viewer HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7  
CVE-2018-2866 Oracle General Ledger Consolidation Hierarchy Viewer HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7  
CVE-2018-2868 Oracle Human Resources General Utilities HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7  
CVE-2018-2869 Oracle Human Resources General Utilities HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7  
CVE-2018-2874 Oracle Application Object Library Logging None No 4.3 Physical Low None Required Un-
changed
High None None 12.1.3  
 


 

Oracle Enterprise Manager Products Suite Risk Matrix

This Critical Patch Update contains 10 new security fixes for the Oracle Enterprise Manager Products Suite.  8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Enterprise Manager Products Suite installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2353306.1.

 



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-5645 Enterprise Manager Ops Center Networking (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.2.2, 12.3.3  
CVE-2017-5645 Oracle Application Testing Suite Load Testing for Web Apps (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.5.0.3, 13.1.0.1, 13.2.0.1  
CVE-2015-7501 Enterprise Manager for MySQL Database EM Plugin: General (Apache Commons Collections) HTTP No 8.8 Network Low Low None Un-
changed
High High High 12.1.0.4  
CVE-2016-0635 Enterprise Manager for MySQL Database EM Plugin: General (Spring Framework) HTTP No 8.8 Network Low Low None Un-
changed
High High High 12.1.0.4  
CVE-2017-15095 Enterprise Manager for Virtualization Generic Virtualization (jackson-databind) HTTP Yes 8.1 Network High None None Un-
changed
High High High 13.2  
CVE-2017-5664 Enterprise Manager for MySQL Database EM Plugin: General (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-
changed
None High None 12.1.0.4  
CVE-2018-2742 Enterprise Manager Ops Center Framework HTTP Yes 7.3 Network Low None None Un-
changed
Low Low Low 12.2.2, 12.3.3  
CVE-2018-2750 Enterprise Manager Base Platform UI Framework HTTP Yes 7.1 Network Low None Required Changed Low Low Low 12.1.0.5  
CVE-2017-3736 Enterprise Manager Base Platform Discovery Framework (OpenSSL) HTTPS Yes 5.9 Network High None None Un-
changed
High None None 12.1.0.5, 13.2.0.0  
CVE-2017-3736 Enterprise Manager Ops Center Networking (OpenSSL) HTTPS Yes 5.9 Network High None None Un-
changed
High None None 12.2.2, 12.3.3  
 

Additional CVEs addressed are below:

  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.
  • The fix for CVE-2017-3736 also addresses CVE-2017-3735.
  • The fix for CVE-2017-5664 also addresses CVE-2017-12617.
  • The fix for CVE-2018-2742 also addresses CVE-2016-3092, CVE-2017-10393 and CVE-2017-10400.

 

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 36 new security fixes for Oracle Financial Services Applications.  18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

The "Oracle Financial Services Analytical Applications Infrastructure" is a component that is used by a number of Oracle Financial Services Applications. Customers should refer to the MOS Note (Doc ID 2380553.1) to determine the dependent products and refer Oracle Financial Services Analytical Applications Infrastructure MOS document to determine how to patch this component.

 



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-7489 Oracle Financial Services Analytical Applications Infrastructure Infrastructure (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 8.0.x See Note 1
CVE-2018-7489 Oracle Financial Services Hedge Management and IFRS Valuations Hedge Definition, Valuation-run definition (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 8.0.4, 8.0.5  
CVE-2018-7489 Oracle Financial Services Market Risk Measurement and Management Infrastructure (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 8.0.5  
CVE-2017-5645 Oracle FLEXCUBE Core Banking Securities (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 11.5.0, 11.6.0, 11.7.0  
CVE-2017-5645 Oracle FLEXCUBE Private Banking Core (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.0.0, 12.1.0  
CVE-2017-15095 Oracle Banking Enterprise Collections Infrastructure (jackson-databind) HTTP Yes 8.1 Network High None None Un-
changed
High High High 2.6  
CVE-2017-15095 Oracle Banking Enterprise Originations Infrastructure (jackson-databind) HTTP Yes 8.1 Network High None None Un-
changed
High High High 2.6  
CVE-2017-15095 Oracle Banking Enterprise Product Manufacturing Infrastructure (jackson-databind) HTTP Yes 8.1 Network High None None Un-
changed
High High High 2.6  
CVE-2017-15095 Oracle Banking Platform Infrastructure (jackson-databind) HTTP Yes 8.1 Network High None None Un-
changed
High High High 2.4, 2.5, 2.6  
CVE-2017-12617 Oracle Financial Services Analytical Applications Infrastructure Infrastructure (Apache Tomcat) HTTP Yes 8.1 Network High None None Un-
changed
High High High 7.3.x, 8.0.x See Note 1
CVE-2018-2855 Oracle Financial Services Basel Regulatory Capital Basic Portfolio, Attribution HTTP No 8.1 Network Low Low None Un-
changed
High High None 8.0.x  
CVE-2018-2856 Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach Portfolio, Attribution HTTP No 8.1 Network Low Low None Un-
changed
High High None 8.0.x  
CVE-2017-5662 Oracle Financial Services Analytical Applications Infrastructure Link Analysis and Metadata browser (Apache Batik) HTTP No 7.3 Network Low Low Required Un-
changed
High None High 7.3.x, 8.0.x See Note 1
CVE-2018-2746 Oracle Banking Corporate Lending Core module HTTP No 7.1 Network Low Low None Un-
changed
High Low None 12.3.0, 12.4.0, 12.5.0, 14.0.0  
CVE-2018-2746 Oracle Banking Payments Payments Core HTTP No 7.1 Network Low Low None Un-
changed
High Low None 12.3.0, 12.4.0, 12.5.0, 14.0.0  
CVE-2018-2746 Oracle FLEXCUBE Enterprise Limits and Collateral Management Infrastructure HTTP No 7.1 Network Low Low None Un-
changed
High Low None 12.3.0, 14.0.0  
CVE-2018-2746 Oracle FLEXCUBE Investor Servicing Infrastructure HTTP No 7.1 Network Low Low None Un-
changed
High Low None 12.0.4, 12.1.0, 12.3.0, 12.4.0  
CVE-2018-2746 Oracle FLEXCUBE Universal Banking Infrastructure HTTP No 7.1 Network Low Low None Un-
changed
High Low None 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0  
CVE-2018-2747 Oracle Banking Corporate Lending Core module HTTP No 6.5 Network Low Low None Un-
changed
High None None 12.3.0, 12.4.0, 12.5.0, 14.0.0  
CVE-2018-2747 Oracle Banking Payments Payments Core HTTP No 6.5 Network Low Low None Un-
changed
High None None 12.3.0, 12.4.0, 12.5.0, 14.0.0  
CVE-2018-2747 Oracle FLEXCUBE Enterprise Limits and Collateral Management Infrastructure HTTP No 6.5 Network Low Low None Un-
changed
High None None 12.3.0, 14.0.0  
CVE-2018-2747 Oracle FLEXCUBE Investor Servicing Infrastructure HTTP No 6.5 Network Low Low None Un-
changed
High None None 12.0.4, 12.1.0, 12.3.0, 12.4.0  
CVE-2018-2747 Oracle FLEXCUBE Universal Banking Infrastructure HTTP No 6.5 Network Low Low None Un-
changed
High None None 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0  
CVE-2018-2748 Oracle Banking Corporate Lending Core module HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.3.0, 12.4.0, 12.5.0, 14.0.0  
CVE-2018-2748 Oracle Banking Payments Payments Core HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.3.0, 12.4.0, 12.5.0, 14.0.0  
CVE-2018-2854 Oracle Financial Services Basel Regulatory Capital Basic Portfolio, Attribution HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.0.x  
CVE-2018-2859 Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach Portfolio, Attribution HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.0.x  
CVE-2018-2807 Oracle FLEXCUBE Core Banking Securities HTTP Yes 6.1 Network Low None Required Changed Low Low None 11.5.0, 11.6.0, 11.7.0  
CVE-2018-2748 Oracle FLEXCUBE Enterprise Limits and Collateral Management Infrastructure HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.3.0, 14.0.0  
CVE-2018-2748 Oracle FLEXCUBE Investor Servicing Infrastructure HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.0.4, 12.1.0, 12.3.0, 12.4.0  
CVE-2018-2748 Oracle FLEXCUBE Universal Banking Infrastructure HTTP Yes 6.1 Network Low None Required Changed Low Low None 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0  
CVE-2018-2749 Oracle Banking Corporate Lending Core module HTTP No 5.4 Network Low Low Required Changed Low Low None 12.3.0, 12.4.0, 12.5.0, 14.0.0  
CVE-2018-2749 Oracle Banking Payments Payments Core HTTP No 5.4 Network Low Low Required Changed Low Low None 12.3.0, 12.4.0, 12.5.0, 14.0.0  
CVE-2018-2749 Oracle FLEXCUBE Enterprise Limits and Collateral Management Infrastructure HTTP No 5.4 Network Low Low Required Changed Low Low None 12.3.0, 14.0.0  
CVE-2018-2749 Oracle FLEXCUBE Investor Servicing Infrastructure HTTP No 5.4 Network Low Low Required Changed Low Low None 12.0.4, 12.1.0, 12.3.0, 12.4.0  
CVE-2018-2749 Oracle FLEXCUBE Universal Banking Infrastructure HTTP No 5.4 Network Low Low Required Changed Low Low None 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0  
 

Notes:

  1. Please refer MOS document (Doc ID 2380553.1) for applicability across other Oracle Financial Services products.

Additional CVEs addressed are below:

  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.
  • The fix for CVE-2018-7489 also addresses CVE-2017-15095 and CVE-2017-7525.

 

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 39 new security fixes for Oracle Fusion Middleware.  30 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2018 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2353306.1.

 



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-5645 Oracle Big Data Discovery Data Processing (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 1.6.0  
CVE-2017-5645 Oracle Business Intelligence Data Warehouse Administration Console DAC Installation (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 11.1.1.6.4  
CVE-2017-5645 Oracle Endeca Information Discovery Integrator Integrator Acquisition System (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 3.1, 3.2  
CVE-2017-5645 Oracle Endeca Server Product Code (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 7.7  
CVE-2017-5645 Oracle Enterprise Repository Core Issues - 12c (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 11.1.1.7.0, 12.1.3.0.0  
CVE-2017-5645 Oracle Enterprise Repository Security Subsystem (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 11.1.1.7.0, 12.1.3.0.0  
CVE-2016-5019 Oracle Fusion Middleware MapViewer Tile Server (Apache MyFaces Trinidad) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 11.1.1.7.0, 11.1.1.9.0  
CVE-2017-5645 Oracle Managed File Transfer MFT Runtime Server (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0  
CVE-2017-5645 Oracle WebCenter Portal Security Framework (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.2.1.2.0, 12.2.1.3.0  
CVE-2017-5645 Oracle WebLogic Server WL Diagnostics Framework (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3  
CVE-2018-2628 Oracle WebLogic Server WLS Core Components T3 Yes 9.8 Network Low None None Un-
changed
High High High 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3  
CVE-2016-6814 Oracle Big Data Discovery Data Processing (Apache Groovy) HTTP Yes 9.6 Network Low None Required Changed High High High 1.6.0  
CVE-2018-2739 Oracle Access Manager Web Server Plugin HTTP Yes 9.3 Network Low None Required Changed High High None 10.1.4.3.0, 11.1.2.3.0, 12.2.1.3.0  
CVE-2018-2879 Oracle Access Manager Authentication Engine HTTP Yes 9.0 Network High None None Changed High High High 11.1.2.3.0, 12.2.1.3.0 See Note 1
CVE-2015-7501 Oracle Business Intelligence Enterprise Edition Security (Apache Commons Collections) HTTP No 8.8 Network Low Low None Un-
changed
High High High 11.1.1.7.0, 11.1.1.9.0  
CVE-2015-7501 Oracle GoldenGate Veridata None (Apache Commons Collections) HTTP No 8.8 Network Low Low None Un-
changed
High High High 11.2.0.1.2, 12.1.3.0.0  
CVE-2015-7501 Oracle WebLogic Portal - (Apache Commons Collections) HTTP No 8.8 Network Low Low None Un-
changed
High High High 10.3.6.0.0  
CVE-2015-7501 Real-Time Decisions (RTD) Solutions Configuration (Apache Commons Collections) HTTP No 8.8 Network Low Low None Un-
changed
High High High 3.2.0.0.0  
CVE-2018-2834 Oracle Data Visualization Desktop Security HTTP No 8.5 Local Low None Required Changed Low High High 12.2.4.1.1 See Note 2
CVE-2018-2828 Oracle WebCenter Content Content Server HTTP No 8.2 Network Low Low Required Changed High Low Low 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0  
CVE-2018-2791 Oracle WebCenter Sites Advanced UI HTTP Yes 8.2 Network Low None Required Changed High Low None 11.1.1.8.0, 12.2.1.2.0, 12.2.1.3.0  
CVE-2017-12617 Management Pack for Oracle GoldenGate Monitor (Apache Tomcat) HTTP Yes 8.1 Network High None None Un-
changed
High High High 11.2.1.0.13  
CVE-2017-15095 Oracle WebCenter Portal Security Framework (jackson-databind) HTTP Yes 8.1 Network High None None Un-
changed
High High High 12.2.1.2.0, 12.2.1.3.0  
CVE-2017-12617 Oracle WebCenter Sites Advanced UI (Apache Tomcat) HTTP Yes 8.1 Network High None None Un-
changed
High High High 11.1.1.8.0  
CVE-2017-7525 Oracle WebLogic Server Sample apps (jackson-databind) HTTP Yes 8.1 Network High None None Un-
changed
High High High 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3  
CVE-2018-2770 Oracle Adaptive Access Manager OAAM Admin HTTP No 7.6 Network Low Low Required Changed High Low None 11.1.2.3.0  
CVE-2015-7940 Oracle Mobile Security Suite LEGACY: BMAX (Bouncy Castle Java package) HTTP Yes 7.5 Network Low None None Un-
changed
High None None 3.0.1  
CVE-2018-2765 Oracle Security Service Oracle SSL API HTTPS Yes 7.5 Network Low None None Un-
changed
High None None 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0  
CVE-2016-3092 Oracle WebCenter Sites Advanced UI (Apache Commons Fileupload) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 11.1.1.8.0, 12.2.1.2.0  
CVE-2017-5662 Oracle Business Intelligence Enterprise Edition BI Platform Security (Apache Batik) HTTP No 7.3 Network Low Low Required Un-
changed
High None High 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0  
CVE-2017-5662 Oracle Enterprise Repository Security Subsystem (Apache Batik) HTTP No 7.3 Network Low Low Required Un-
changed
High None High 11.1.1.7.0, 12.1.3.0.0  
CVE-2013-1768 Oracle WebLogic Server WLS Security (Apache OpenJPA) HTTP Yes 7.3 Network Low None None Un-
changed
Low Low Low 12.2.1.3  
CVE-2018-2768 Oracle Outside In Technology Outside In Filters HTTP Yes 7.1 Network Low None Required Un-
changed
High None Low 8.5.3 See Note 3
CVE-2018-2806 Oracle Outside In Technology Outside In Filters HTTP Yes 7.1 Network Low None Required Un-
changed
High None Low 8.5.3 See Note 3
CVE-2018-2801 Oracle Outside In Technology Outside In Image Export SDK HTTP Yes 7.1 Network Low None Required Un-
changed
High None Low 8.5.3 See Note 3
CVE-2018-2587 Oracle Access Manager Web Server Plugin HTTP Yes 6.5 Network High None None Un-
changed
Low High None 10.1.4.3.0, 11.1.2.3.0, 12.2.1.3.0  
CVE-2017-3736 Oracle Endeca Information Discovery Studio Endeca Server (OpenSSL) HTTPS Yes 5.9 Network High None None Un-
changed
High None None 7.6.1.0.0, 7.7.0.0.0  
CVE-2018-2760 Oracle HTTP Server OSSL Module HTTPS Yes 5.9 Network High None None Un-
changed
High None None 12.1.3, 12.2.1.2  
CVE-2017-3736 Oracle Tuxedo Docs-ATMI-IB (OpenSSL) HTTPS Yes 5.9 Network High None None Un-
changed
High None None 12.1.1.0.0  
 

Notes:

  1. Please refer to Doc ID My Oracle Support Note 2386496.1 for instructions on how to address this issue.
  2. Please refer to Doc ID My Oracle Support Note 2384640.1 for instructions on how to address this issue.
  3. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are below:

  • The fix for CVE-2017-12617 also addresses CVE-2016-3092, CVE-2016-8745, CVE-2017-5664 and CVE-2017-7674.
  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.
  • The fix for CVE-2017-3736 also addresses CVE-2017-3735, CVE-2017-3737 and CVE-2017-3738.
  • The fix for CVE-2017-7525 also addresses CVE-2017-15707.

 

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 13 new security fixes for Oracle Hospitality Applications.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-2829 Oracle Hospitality Simphony Enterprise Management Console HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 2.10  
CVE-2017-13082 MICROS Handheld Terminal MC40 Zebra Handheld unit (Fusion) WPA, WPA2 Yes 8.1 Adjacent
Network
Low None None Un-
changed
High High None Prior to Fusion 2.03.0.0.021R  
CVE-2018-2803 Oracle Hospitality Reporting and Analytics Report HTTP No 8.1 Network Low Low None Un-
changed
High High None 9.0  
CVE-2018-2833 Oracle Hospitality Simphony Enterprise Management Console HTTP No 8.1 Network Low Low None Un-
changed
High High None 2.7, 2.8, 2.9, 2.10  
CVE-2018-2851 Oracle Hospitality Simphony First Edition Enterprise Management Console HTTP No 8.1 Network Low Low None Un-
changed
High High None 1.6, 1.7  
CVE-2018-2824 Oracle Hospitality Simphony Enterprise Management Console HTTP No 7.7 Network Low Low None Changed High None None 2.8, 2.9, 2.10  
CVE-2018-2827 Oracle Hospitality Suite8 Profile HTTP No 7.6 Network Low Low Required Un-
changed
High Low High 8.x  
CVE-2018-2848 Oracle Hospitality Simphony First Edition Client Application Loader HTTP Yes 7.5 Network Low None None Un-
changed
High None None 1.6, 1.7  
CVE-2018-2850 Oracle Hospitality Cruise Fleet Management System Fleet Management System Suite Multiple Yes 7.3 Network Low None None Un-
changed
Low Low Low 9.x  
CVE-2018-2847 Oracle Hospitality Simphony First Edition Operations HTTP No 6.5 Network Low Low None Un-
changed
High None None 1.6, 1.7  
CVE-2018-2852 Oracle Hospitality Guest Access Base HTTP No 6.4 Network Low Low None Changed Low Low None 4.2.0, 4.2.1  
CVE-2018-2802 Oracle Hospitality Simphony Client Application Loader HTTP No 5.4 Network Low Low None Un-
changed
Low Low None 2.8, 2.9  
CVE-2018-2853 Oracle Hospitality Simphony First Edition Operations, Client Application Loader HTTP No 5.4 Network Low Low None Un-
changed
Low Low None 1.6, 1.7  
 

Additional CVEs addressed are below:

  • The fix for CVE-2017-13082 also addresses CVE-2017-13077, CVE-2017-13078 and CVE-2017-13080.

 

Oracle Java SE Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Java SE.  12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.


The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Low" instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.


Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases.

 



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-2825 Java SE Libraries Multiple Yes 8.3 Network High None Required Changed High High High Java SE: 10 See Note 1
CVE-2018-2826 Java SE Libraries Multiple Yes 8.3 Network High None Required Changed High High High Java SE: 10 See Note 1
CVE-2018-2814 Java SE, Java SE Embedded Hotspot Multiple Yes 8.3 Network High None Required Changed High High High Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161 See Note 1
CVE-2018-2811 Java SE Install None No 7.7 Local High None Required Changed High High High Java SE: 8u162, 10 See Note 2
CVE-2018-2794 Java SE, JRockit Security None No 7.7 Local High None Required Changed High High High Java SE: 6u181, 7u171, 8u162, 10, JRockit: R28.3.17 See Note 3
CVE-2018-2783 Java SE, Java SE Embedded, JRockit Security Multiple Yes 7.4 Network High None None Un-
changed
High High None Java SE: 6u181, 7u161, 8u152; Java SE Embedded: 8u152; JRockit: R28.3.17 See Note 3
CVE-2018-2798 Java SE, Java SE Embedded, JRockit AWT Multiple Yes 5.3 Network Low None None Un-
changed
None None Low Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 See Note 3
CVE-2018-2796 Java SE, Java SE Embedded, JRockit Concurrency Multiple Yes 5.3 Network Low None None Un-
changed
None None Low Java SE: 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 See Note 3
CVE-2018-2799 Java SE, Java SE Embedded, JRockit JAXP Multiple Yes 5.3 Network Low None None Un-
changed
None None Low Java SE: 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 See Note 3
CVE-2018-2797 Java SE, Java SE Embedded, JRockit JMX Multiple Yes 5.3 Network Low None None Un-
changed
None None Low Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 See Note 3
CVE-2018-2795 Java SE, Java SE Embedded, JRockit Security Multiple Yes 5.3 Network Low None None Un-
changed
None None Low Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 See Note 3
CVE-2018-2815 Java SE, Java SE Embedded, JRockit Serialization Multiple Yes 5.3 Network Low None None Un-
changed
None None Low Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161; JRockit: R28.3.17 See Note 3
CVE-2018-2800 Java SE, JRockit RMI Multiple Yes 4.2 Network High None Required Un-
changed
Low Low None Java SE: 6u181, 7u171, 8u162; JRockit: R28.3.17 See Note 4
CVE-2018-2790 Java SE, Java SE Embedded Security Multiple Yes 3.1 Network High None Required Un-
changed
None Low None Java SE: 6u181, 7u171, 8u162, 10; Java SE Embedded: 8u161 See Note 1
 

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. Applies to installation process on client deployment of Java.
  3. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
  4. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

 

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle JD Edwards Products.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-5645 JD Edwards World Security Security Vulnerability (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High A9.2, A9.3, A9.4  
CVE-2017-15095 JD Edwards EnterpriseOne Tools EnterpriseOne Mobility Sec (jackson-databind) HTTP Yes 8.1 Network High None None Un-
changed
High High High 9.2.2  
CVE-2017-3736 JD Edwards EnterpriseOne Tools Enterprise Infrastructure SEC (OpenSSL) HTTP Yes 5.9 Network High None None Un-
changed
High None None 9.2.2  
 

Additional CVEs addressed are below:

  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.

 

Oracle MySQL Risk Matrix

This Critical Patch Update contains 33 new security fixes for Oracle MySQL.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-2755 MySQL Server Server: Replication MySQL Protocol No 7.7 Local High None Required Changed High High High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior  
CVE-2018-2805 MySQL Server GIS Extension MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 5.6.39 and prior  
CVE-2018-2782 MySQL Server InnoDB MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 5.6.39 and prior, 5.7.21 and prior  
CVE-2018-2784 MySQL Server InnoDB MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 5.6.39 and prior, 5.7.21 and prior  
CVE-2018-2819 MySQL Server InnoDB MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior  
CVE-2018-2758 MySQL Server Server : Security : Privileges MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 5.6.39 and prior, 5.7.21 and prior  
CVE-2018-2817 MySQL Server Server: DDL MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior  
CVE-2018-2775 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 5.7.21 and prior  
CVE-2018-2780 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 5.7.21 and prior  
CVE-2017-3737 MySQL Enterprise Monitor Monitoring: Agent (OpenSSL) HTTPS Yes 5.9 Network High None None Un-
changed
High None None 3.3.7.3306 and prior, 3.4.5.4248 and prior, 4.0.2.5168 and prior  
CVE-2018-2761 MySQL Server Client programs MySQL Protocol Yes 5.9 Network High None None Un-
changed
None None High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior  
CVE-2018-2786 MySQL Server InnoDB MySQL Protocol No 5.5 Network Low High None Un-
changed
None Low High 5.7.21 and prior  
CVE-2018-2787 MySQL Server InnoDB MySQL Protocol No 5.5 Network Low High None Un-
changed
None Low High 5.6.39 and prior, 5.7.21 and prior  
CVE-2018-2812 MySQL Server Server: Optimizer MySQL Protocol No 5.5 Network Low High None Un-
changed
None Low High 5.7.21 and prior  
CVE-2018-2877 MySQL Cluster Cluster: ndbcluster/plugin None No 5.0 Local Low Low Required Un-
changed
None None High 7.2.27 and prior, 7.3.16 and prior, 7.4.14 and prior, 7.5.5 and prior  
CVE-2018-2759 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.21 and prior  
CVE-2018-2766 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.6.39 and prior, 5.7.21 and prior  
CVE-2018-2777 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.21 and prior  
CVE-2018-2810 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.21 and prior  
CVE-2018-2818 MySQL Server Server : Security : Privileges MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior  
CVE-2018-2839 MySQL Server Server: DML MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.21 and prior  
CVE-2018-2778 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.21 and prior  
CVE-2018-2779 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.21 and prior  
CVE-2018-2781 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior  
CVE-2018-2816 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.21 and prior  
CVE-2018-2846 MySQL Server Server: Performance Schema MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.21 and prior  
CVE-2018-2769 MySQL Server Server: Pluggable Auth MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.21 and prior  
CVE-2018-2776 MySQL Server Group Replication GCS XCom No 4.9 Network Low High None Un-
changed
None None High 5.7.21 and prior  
CVE-2018-2762 MySQL Server Server: Connection MySQL Protocol No 4.4 Local Low High None Un-
changed
None None High 5.7.21 and prior  
CVE-2018-2771 MySQL Server Server: Locking MySQL Protocol No 4.4 Network High High None Un-
changed
None None High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior  
CVE-2018-2813 MySQL Server Server: DDL MySQL Protocol No 4.3 Network Low Low None Un-
changed
Low None None 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior  
CVE-2018-2773 MySQL Server Client programs None No 4.1 Local High High None Un-
changed
None None High 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior  
CVE-2016-9878 MySQL Enterprise Monitor EM Plugin: General (Spring Framework) HTTP No 3.8 Physical High High None Un-
changed
High None None 3.3.7.3306 and prior, 3.4.5.4248 and prior, 4.0.2.5168 and prior  
 

Additional CVEs addressed are below:

  • The fix for CVE-2017-3737 also addresses CVE-2017-3738.

 

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 12 new security fixes for Oracle PeopleSoft Products.  8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-2772 PeopleSoft Enterprise PeopleTools Rich Text Editor HTTP No 8.8 Network Low Low None Un-
changed
High High High 8.54, 8.55, 8.56  
CVE-2018-2774 PeopleSoft Enterprise PT PeopleTools SQR HTTP Yes 7.3 Network Low None None Un-
changed
Low Low Low 8.54, 8.55, 8.56  
CVE-2018-2793 PeopleSoft Enterprise PT PeopleTools PsAdmin None No 6.2 Local Low None None Un-
changed
High None None 8.54, 8.55, 8.56  
CVE-2018-2878 PeopleSoft Enterprise HCM Shared Components Notepad HTTP Yes 6.1 Network Low None Required Changed Low Low None 9.2  
CVE-2018-2788 PeopleSoft Enterprise PeopleTools Fluid Core HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.55, 8.56  
CVE-2018-2821 PeopleSoft Enterprise PeopleTools Rich Text Editor HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.54, 8.55, 8.56  
CVE-2018-2838 PeopleSoft Enterprise PRTL Interaction Hub EPPCM_HIER_TOP HTTP Yes 6.1 Network Low None Required Changed Low Low None 9.1  
CVE-2017-3736 PeopleSoft Enterprise PeopleTools Security (OpenSSL) HTTP Yes 5.9 Network High None None Un-
changed
High None None 8.54, 8.55, 8.56  
CVE-2018-2752 PeopleSoft Enterprise HCM Security HTTP No 5.4 Network Low Low Required Changed Low Low None 9.2  
CVE-2018-2785 PeopleSoft Enterprise PeopleTools Stylesheet HTTP Yes 4.7 Network Low None Required Changed None Low None 8.54, 8.55, 8.56  
CVE-2018-2820 PeopleSoft Enterprise PeopleTools Fluid Core HTTP No 4.3 Network Low Low None Un-
changed
Low None None 8.54, 8.55, 8.56  
CVE-2018-2809 PeopleSoft Enterprise PeopleTools Fluid Homepage & Navigation HTTP Yes 4.3 Network Low None Required Un-
changed
None Low None 8.54, 8.55, 8.56  
 

Additional CVEs addressed are below:

  • The fix for CVE-2017-3736 also addresses CVE-2017-3735, CVE-2017-3737 and CVE-2017-3738.

 

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 31 new security fixes for Oracle Retail Applications.  27 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-5645 MICROS Lucas Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 2.9.5  
CVE-2017-5645 Oracle Retail Advanced Inventory Planning Operations & Maintenance (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 13.2, 13.4, 14.1, 15.0  
CVE-2017-5645 Oracle Retail Back Office Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 14.0.4, 14.1.3  
CVE-2017-5645 Oracle Retail Central Office Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 14.0.4, 14.1.3  
CVE-2017-5645 Oracle Retail EFTLink Installation (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 1.1.124, 15.0.1, 16.0.2  
CVE-2017-5645 Oracle Retail Insights Integration (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 14.0, 14.1, 15.0, 16.0  
CVE-2017-5645 Oracle Retail Invoice Matching Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0, 16.0  
CVE-2017-5645 Oracle Retail Order Broker System Administration (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 5.0, 5.1, 5.2, 15.0, 16.0  
CVE-2017-5645 Oracle Retail Order Management System Upgrade Install (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 4.0, 4.5, 4.7, 5.0  
CVE-2017-5645 Oracle Retail Point-of-Service Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 14.0.4, 14.1.3  
CVE-2017-5645 Oracle Retail Price Management Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0, 16.0  
CVE-2017-5645 Oracle Retail Returns Management Security (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 2.3.8, 2.4.9, 14.0.4, 14.1.3  
CVE-2017-5645 Oracle Retail Store Inventory Management SIM Integration (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.0.12, 13.0.7, 13.1.9, 13.2.9, 14.0.4, 14.1.3, 15.0.2, 16.0.1  
CVE-2016-6814 Oracle Retail Insights ODI Configuration (Apache Groovy) HTTP Yes 9.6 Network Low None Required Changed High High High 14.0, 14.1, 15.0, 16.0  
CVE-2016-0635 Oracle Retail Invoice Matching Security (Spring Framework) HTTP No 8.8 Network Low Low None Un-
changed
High High High 12.0, 13.0, 13.1, 13.2, 14.0, 14.1  
CVE-2016-3506 Oracle Retail Merchandising System Installation HTTP Yes 8.1 Network High None None Un-
changed
High High High 15.0  
CVE-2017-15095 Oracle Retail Order Broker System Administration (jackson-databind) HTTP Yes 8.1 Network High None None Un-
changed
High High High 5.2  
CVE-2017-12617 Oracle Retail Order Broker Upgrade Install (Apache Tomcat) HTTP Yes 8.1 Network High None None Un-
changed
High High High 5.2, 15.0  
CVE-2018-2840 Oracle Retail Xstore Point of Service Xstore Office HTTP Yes 7.6 Network Low None Required Un-
changed
High Low Low 6.5.11, 7.0.6, 7.1.6, 15.0.1, 16.0.2  
CVE-2016-9878 Oracle Retail Customer Engagement Internal Operations (Spring Framework) HTTP Yes 7.5 Network Low None None Un-
changed
High None None 16.0  
CVE-2017-5664 Oracle Retail Order Management System Upgrade Install (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-
changed
None High None 5.0  
CVE-2016-9878 Oracle Retail Predictive Application Server RPAS Fusion Client (Spring Framework) HTTP Yes 7.5 Network Low None None Un-
changed
High None None 13.4.3, 14.0.3, 14.1.3  
CVE-2017-9798 Oracle Retail Xstore Point of Service Xstore Office (Apache HTTP Server) HTTP Yes 7.5 Network Low None None Un-
changed
High None None 6.0.11, 6.5.11, 7.0.6, 7.1.6  
CVE-2017-5645 Oracle Retail Xstore Point of Service Xenvironment (Apache Log4j) HTTP No 7.2 Network Low High None Un-
changed
High High High 6.0.11, 7.0.6, 7.1.6, 15.0.1  
CVE-2018-2876 Oracle Retail Integration Bus RIB Kernal(Apache Commons Collections) HTTP Yes 7.1 Network Low None Required Changed Low Low Low 13.2  
CVE-2018-2862 Oracle Retail Point-of-Service User Interface HTTP No 7.1 Network Low Low None Un-
changed
High Low None 13.3.8, 13.4.9, 14.0.4, 14.1.3  
CVE-2017-15095 Oracle Retail Xstore Point of Service Xenvironment (jackson-databind) HTTP No 6.6 Network High High None Un-
changed
High High High 6.5.11, 7.0.6, 7.1.6, 15.0.1, 16.0.2  
CVE-2018-2861 Oracle Retail Back Office Security HTTP Yes 6.5 Network Low None None Un-
changed
Low None Low 13.4.9, 14.0.4, 14.1.3  
CVE-2018-2738 Oracle Retail Central Office Security HTTP Yes 6.5 Network Low None None Un-
changed
Low Low None 13.4.9, 14.0.4, 14.1.3  
CVE-2018-2737 Oracle Retail Returns Management Security HTTP Yes 6.5 Network Low None None Un-
changed
Low Low None 2.3.8, 2.4.9, 14.0.4, 14.1.3  
CVE-2016-5007 Oracle Retail Xstore Point of Service Point of Sale (Spring Framework) HTTP Yes 6.5 Network Low None None Un-
changed
Low Low None 6.0.11, 6.5.11, 7.0.6, 7.1.6, 15.0.1  
 

Additional CVEs addressed are below:

  • The fix for CVE-2016-5007 also addresses CVE-2014-0054.
  • The fix for CVE-2016-9878 also addresses CVE-2016-5007.
  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.
  • The fix for CVE-2017-5645 also addresses CVE-2017-12617.
  • The fix for CVE-2018-2876 also addresses CVE-2015-7501.

 

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Siebel CRM.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-5664 Siebel UI Framework EAI (Apache Tomcat) HTTP Yes 7.5 Network Low None None Un-
changed
None High None 17.0  
CVE-2018-2789 Siebel Core - Server Framework Services HTTP No 5.0 Network Low Low None Changed Low None None 17.0  
 


 

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 14 new security fixes for the Oracle Sun Systems Products Suite.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-17562 Integrated Lights Out Manager (ILOM) System Management (GoAhead) HTTP No 9.1 Network Low High None Changed High High High 3.x, 4.x  
CVE-2018-2754 Solaris ZVNET Driver None No 7.7 Local Low None None Un-
changed
None High High 11.3  
CVE-2018-2764 Solaris Kernel NFS Yes 7.5 Network Low None None Un-
changed
None None High 10, 11.3  
CVE-2018-2718 Solaris RPC NFS Yes 7.5 Network Low None None Un-
changed
None None High 10, 11.3  
CVE-2018-2822 Solaris Cluster Cluster Geo None No 6.6 Local Low Low None Un-
changed
High Low Low 4.3  
CVE-2018-2857 Sun ZFS Storage Appliance Kit (AK) HTTP data path subsystems HTTP No 6.3 Network Low Low None Un-
changed
Low Low Low Prior to 8.7.17  
CVE-2018-2753 Solaris Python modules None No 6.0 Local High Low Required Un-
changed
High High None 11.3  
CVE-2017-5753 Solaris Kernel None No 5.6 Local High Low None Changed High None None 10, 11.3  
CVE-2018-2858 Sun ZFS Storage Appliance Kit (AK) HTTP data path subsystems HTTP Yes 5.3 Network Low None None Un-
changed
Low None None Prior to 8.7.17  
CVE-2018-2808 Solaris Kernel None No 5.0 Local Low Low Required Un-
changed
None None High 11.3  
CVE-2018-2863 Sun ZFS Storage Appliance Kit (AK) API frameworks HTTP No 5.0 Network Low Low None Changed Low None None Prior to 8.7.17  
CVE-2018-2563 Solaris LDAP Library LDAP No 4.2 Network High Low None Un-
changed
Low Low None 10, 11.3  
CVE-2018-2792 Hardware Management Pack Ipmitool Multiple No 3.8 Network Low High None Un-
changed
Low Low None Prior to 2.4.3  
CVE-2018-2763 Solaris NTPD None No 3.3 Local Low Low None Un-
changed
None Low None 11.3  
 


 

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 5 new security fixes for the Oracle Supply Chain Products Suite.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-15095 Oracle Agile PLM Framework Web Client (CS) HTTP No 8.8 Network Low Low None Un-
changed
High High High 9.3.6  
CVE-2018-2823 Oracle Transportation Management Database HTTP No 6.5 Network Low Low None Un-
changed
None High None 6.4.3  
CVE-2018-2572 Oracle Agile Product Lifecycle Management for Process Installation HTTP Yes 6.1 Network Low None Required Changed Low Low None 6.1.1.6, 6.2.0.0, 6.2.1.0  
CVE-2017-3736 Oracle Agile Engineering Data Management Install (OpenSSL) HTTP Yes 5.9 Network High None None Un-
changed
High None None 6.1.3, 6.2.0, 6.2.1  
CVE-2017-3736 Oracle Transportation Management Install (OpenSSL) HTTP Yes 5.9 Network High None None Un-
changed
High None None 6.2  
 

Additional CVEs addressed are below:

  • The fix for CVE-2017-15095 also addresses CVE-2017-7525.
  • The fix for CVE-2017-3736 also addresses CVE-2017-3735.

 

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Support Tools.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-3736 OSS Support Tools Services Tools Bundle (OpenSSL) HTTP No 6.5 Network Low Low None Un-
changed
High None None Prior to 18.2  
 

Additional CVEs addressed are below:

  • The fix for CVE-2017-3736 also addresses CVE-2017-3735.

 

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Utilities Applications.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-5645 Oracle Utilities Framework Logging (Apache Log4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 2.2.0, 4.2.0, 4.3.0  
 


 

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 13 new security fixes for Oracle Virtualization.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.



CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-2842 Oracle VM VirtualBox Core None No 8.8 Local Low Low None Changed High High High Prior to 5.1.36, Prior to 5.2.10  
CVE-2018-2843 Oracle VM VirtualBox Core None No 8.8 Local Low Low None Changed High High High Prior to 5.1.36, Prior to 5.2.10  
CVE-2018-2844 Oracle VM VirtualBox Core None No 8.8 Local Low Low None Changed High High High Prior to 5.1.36, Prior to 5.2.10  
CVE-2018-2830 Oracle VM VirtualBox Core None No 8.2 Local Low Low Required Changed High High High Prior to 5.1.36, Prior to 5.2.10  
CVE-2018-2835 Oracle VM VirtualBox Core None No 8.2 Local Low Low Required Changed High High High Prior to 5.1.36, Prior to 5.2.10  
CVE-2018-2836 Oracle VM VirtualBox Core None No 8.2 Local Low Low Required Changed High High High Prior to 5.1.36, Prior to 5.2.10  
CVE-2018-2837 Oracle VM VirtualBox Core None No 8.2 Local Low Low Required Changed High High High Prior to 5.1.36, Prior to 5.2.10  
CVE-2018-2860 Oracle VM VirtualBox Core None No 8.2 Local Low High None Changed High High High Prior to 5.1.36, Prior to 5.2.10  
CVE-2017-9798 Oracle Secure Global Desktop (SGD) Web Server (Apache HTTP Server) HTTP Yes 7.5 Network Low None None Un-
changed
High None None 5.3  
CVE-2018-2845 Oracle VM VirtualBox Core None No 6.6 Local Low Low None Un-
changed
Low Low High Prior to 5.1.36, Prior to 5.2.10  
CVE-2018-0739 Oracle VM VirtualBox Core (OpenSSL) TLS Yes 6.5 Network Low None Required Un-
changed
None None High Prior to 5.1.36, Prior to 5.2.10  
CVE-2017-3737 Oracle Secure Global Desktop (SGD) Core (OpenSSL) TLS Yes 5.9 Network High None None Un-
changed
High None None 5.3  
CVE-2018-2831 Oracle VM VirtualBox Core None No 3.8 Local Low Low None Changed Low None None Prior to 5.1.36, Prior to 5.2.10  
 

Additional CVEs addressed are below:

  • The fix for CVE-2017-3737 also addresses CVE-2017-3738.
<<<<<<<<<<<<<<<<