Oracle Critical Patch Update Advisory - July 2016

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 276 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.

Please note that the vulnerabilities in this Critical Patch Update are scored using versions 3.0 of Common Vulnerability Scoring Standard (CVSS).

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available here.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below.  The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column.   Please click on the link in the Patch Availability column below to access the documentation for those patches.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Patch Availability

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update July 2016 Documentation Map, My Oracle Support Note.

 

Affected Products and Versions Patch Availability
Application Express, version(s) prior to 5.0.4 Database
Oracle Database Server, version(s) 11.2.0.4, 12.1.0.1, 12.1.0.2 Database
Oracle Access Manager, version(s) 10.1.4.x, 11.1.1.7 Fusion Middleware
Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0 Fusion Middleware
Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0, 11.2.1.0.0 Fusion Middleware
Oracle Directory Server Enterprise Edition, version(s) 7.0, 11.1.1.7.0 Fusion Middleware
Oracle Exalogic Infrastructure, version(s) 1.x, 2.x Fusion Middleware
Oracle Fusion Middleware, version(s) 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.0 Fusion Middleware
Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2 Fusion Middleware
Oracle HTTP Server, version(s) 11.1.1.9, 12.1.3.0 Fusion Middleware
Oracle JDeveloper, version(s) 11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0 Fusion Middleware
Oracle Portal, version(s) 11.1.1.6 Fusion Middleware
Oracle TopLink, version(s) 12.1.3.0, 12.2.1.0, 12.2.1.1 Fusion Middleware
Oracle WebCenter Sites, version(s) 11.1.1.8, 12.2.1.0 Fusion Middleware
Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.0 Fusion Middleware
Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2 Fusion Middleware
Hyperion Financial Reporting, version(s) 11.1.2.4 Fusion Middleware
Enterprise Manager Base Platform, version(s) 12.1.0.5, 13.1.0.0 Enterprise Manager
Enterprise Manager for Fusion Middleware, version(s) 11.1.1.7, 11.1.1.9 Enterprise Manager
Enterprise Manager Ops Center, version(s) 12.1.4, 12.2.2, 12.3.2 Enterprise Manager
Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 E-Business Suite
Oracle Agile Engineering Data Management, version(s) 6.1.3.0, 6.2.0.0 Oracle Supply Chain Products
Oracle Agile PLM, version(s) 9.3.4, 9.3.5 Oracle Supply Chain Products
Oracle Demand Planning, version(s) 12.1, 12.2 Oracle Supply Chain Products
Oracle Transportation Management, version(s) 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1 Oracle Supply Chain Products
PeopleSoft Enterprise FSCM, version(s) 9.1, 9.2 PeopleSoft
PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54, 8.55 PeopleSoft
JD Edwards EnterpriseOne Tools, version(s) 9.2.0.5 JD Edwards
Oracle Knowledge, version(s) 8.5.x Oracle Knowledge
Siebel Applications, version(s) 8.1.1, 8.2.2, IP2014, IP2015, IP2016 Siebel
Oracle Fusion Applications, version(s) 11.1.2 through 11.1.10 Fusion Applications
Oracle Communications ASAP, version(s) 7.0, 7.2, 7.3 Oracle Communications ASAP
Oracle Communications Core Session Manager, version(s) 7.2.5, 7.3.5 Oracle Communications Core Session Manager
Oracle Communications EAGLE Application Processor, version(s) 16.0 Oracle Communications EAGLE Application Processor
Oracle Communications Messaging Server, version(s) 6.3, 7.0, 8.0, Prior to 7.0.5.37.0 and 8.0.1.1.0 Oracle Communications Messaging Server
Oracle Communications Network Charging and Control, version(s) 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0 Oracle Communications Network Charging and Control
Oracle Communications Operations Monitor, version(s) prior to 3.3.92.0.0 Oracle Communications Operations Monitor
Oracle Communications Policy Management, version(s) prior to 9.9.2 Oracle Communications Policy Management
Oracle Communications Session Border Controller, version(s) 7.2.0, 7.3.0 Oracle Communications Session Border Controller
Oracle Communications Unified Session Manager, version(s) 7.2.5, 7.3.5 Oracle Communications Unified Session Manager
Oracle Enterprise Communications Broker, version(s) Prior to PCz 2.0.0m4p1 Oracle Enterprise Communications Broker
Oracle Banking Platform, version(s) 2.3.0, 2.4.0, 2.4.1, 2.5.0 Oracle Banking Platform
Oracle Financial Services Lending and Leasing, version(s) 14.1, 14.2 Oracle Financial Services Applications
Oracle FLEXCUBE Direct Banking, version(s) 12.0.1, 12.0.2, 12.0.3 Oracle Financial Services Applications
Oracle Health Sciences Clinical Development Center, version(s) 3.1.1.x, 3.1.2.x Health Sciences
Oracle Health Sciences Information Manager, version(s) 1.2.8.3, 2.0.2.3, 3.0.1.0 Health Sciences
Oracle Healthcare Analytics Data Integration, version(s) 3.1.0.0.0 Health Sciences
Oracle Healthcare Master Person Index, version(s) 2.0.12, 3.0.0, 4.0.1 Health Sciences
Oracle Documaker, version(s) prior to 12.5 Oracle Insurance Applications
Oracle Insurance Calculation Engine, version(s) 9.7.1, 10.1.2, 10.2.2 Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, version(s) 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2 Oracle Insurance Applications
Oracle Insurance Rules Palette, version(s) 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2 Oracle Insurance Applications
MICROS Retail XBRi Loss Prevention, version(s) 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1 Retail XBRi
Oracle Retail Central, Back Office, Returns Management, version(s) 13.1, 13.2, 13.3, 13.4, 14.0, 14.1, 12.0 13.0 Retail Point-of-Service
Oracle Retail Integration Bus, version(s) 13.0, 13.1, 13.2, 14.0, 14.1, 15.0 Retail Integration Bus
Oracle Retail Order Broker, version(s) 4.1, 5.1, 5.2, 15.0 Retail Order Broker
Oracle Retail Service Backbone, version(s) 13.0, 13.1, 13.2, 14.0, 14.1, 15.0 Retail Service Backbone
Oracle Retail Store Inventory Management, version(s) 12.0, 13.0, 13.1, 13.2, 14.0, 14.1 Retail Store Inventory Management
Oracle Utilities Framework, version(s) 2.2.0.0.0, 4.1.0.1.0, 4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.2.0 Oracle Utilities Applications
Oracle Utilities Network Management System, version(s) 1.10.0.6.27, 1.11.0.4.41, 1.11.0.5.4, 1.12.0.1.16, 1.12.0.2.12. 1.12.0.3.5 Oracle Utilities Applications
Oracle Utilities Work and Asset Management, version(s) 1.9.1.2.8 Oracle Utilities Applications
Oracle In-Memory Policy Analytics, version(s) 12.0.1 Oracle Policy Automation
Oracle Policy Automation, version(s) 10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 12.1.0, 12.1.1 Oracle Policy Automation
Oracle Policy Automation Connector for Siebel, version(s) 10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6 Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, version(s) 12.1.1 Oracle Policy Automation
Primavera Contract Management, version(s) 14.2 Oracle Primavera Products Suite
Primavera P6 Enterprise Project Portfolio Management, version(s) 8.2, 8.3, 8.4, 15.1, 15.2, 16.1 Oracle Primavera Products Suite
Oracle Java SE, version(s) 6u115, 7u101, 8u92 Oracle Java SE
Oracle Java SE Embedded, version(s) 8u91 Oracle Java SE
Oracle JRockit, version(s) R28.3.10 Oracle Java SE
40G 10G 72/64 Ethernet Switch, version(s) 2.0.0 Oracle and Sun Systems Products Suite
Fujitsu M10-1, M10-4, M10-4S Servers, version(s) prior to XCP 2320 Oracle and Sun Systems Products Suite
ILOM, version(s) 3.0, 3.1, 3.2 Oracle and Sun Systems Products Suite
Oracle Switch ES1-24, version(s) 1.3 Oracle and Sun Systems Products Suite
Solaris, version(s) 10, 11.3 Oracle and Sun Systems Products Suite
Solaris Cluster, version(s) 3.3, 4.3 Oracle and Sun Systems Products Suite
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) prior to XCP 1121 Oracle and Sun Systems Products Suite
Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) 1.2 Oracle and Sun Systems Products Suite
Sun Data Center InfiniBand Switch 36, version(s) prior to 2.2.2 Oracle and Sun Systems Products Suite
Sun Network 10GE Switch 72p, version(s) 1.2 Oracle and Sun Systems Products Suite
Sun Network QDR InfiniBand Gateway Switch, version(s) prior to 2.2.2 Oracle and Sun Systems Products Suite
Oracle Secure Global Desktop, version(s) 4.63, 4.71, 5.2 Oracle Linux and Virtualization
Oracle VM VirtualBox, version(s) prior to 5.0.26 Oracle Linux and Virtualization
MySQL Server, version(s) 5.5.49 and prior, 5.6.30 and prior, 5.7.12 and prior Oracle MySQL Product Suite

Note:

  • Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
  • Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates (CPUs) and Solaris Third Party bulletins.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update July 2016 Availability Document, My Oracle Support Note 2136219.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Accenture TVM Prague; Adam Willard of Raytheon Foreground Security; Alexander Kornbrust of Red Database Security; Alexander Mirosh of Hewlett Packard Enterprise; Alvaro Munoz of Hewlett Packard Enterprise; Alvaro Munoz of Trend Micro's Zero Day Initiative; Ben Lincoln of NCC Group; Brian Martin of Tenable Network Security; Bruno Cirone; Christian Schneider; David Litchfield of Google; Devin Rosenbauer of Identity Works LLC; Aleksandar Nikolic of Cisco Talos; Jack Fei of FINRA; Juan Manuel Fernández Torres of Telefonica.com; Kasper Andersen; Matias Mevied of Onapsis; Matthias Kaiser of Code White; Matthias-Christian Ott; Nicholas Lemonias of Advanced Information Security Corporation; Nicolas Collignon of synacktiv; Reno Robert; Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.; Stephan Borosh of Veris Group, LLC; Stephen Kost of Integrigy; Steven Seeley working with Beyond Security's SSD program; Sven Blumenstein of Google; Teemu Kääriäinen; Ubais PK; and XOR19 of Trend Micro's Zero Day Initiative.

 

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Alexey Tyurin of ERPScan; David Litchfield of Google; Paul M. Wright; and Quan Nguyen of Google for contributions to Oracle's Security-In-Depth program.

 

On-Line Presence Security Contributors

Oracle provides acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes Adam Willard of Raytheon Foreground Security; Cameron Dawe of Spam404.com; Jubaer Al Nazi - ServerGhosts Bangladesh; Karim Rahal; Latish Danawale of Pristine Infosolutions; Othmane Tamagart - APPBOX; Ramal Hajataliyev; Rodolfo Godalle Jr.; Shawar Khan; Tayyab Qadir; Vikas Khanna; and Winnye Jakeson for contributions to Oracle's On-Line Presence Security program.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 18 October 2016
  • 17 January 2017
  • 18 April 2017
  • 18 July 2017

References


Modification History

Date Note
2016-October-18 Rev 2. Updated score for CVE-2016-3504 and associated it with CVE-2016-5019.
2016-July-19 Rev 1. Initial Release.

 

 

 

Appendix - Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 9 new security fixes for the Oracle Database Server.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  2 of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.



Oracle Database Server Risk Matrix


CVE# Component Package and/or Privilege Required Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2016-3609 OJVM Create Session Multiple No 9.0 Network Low Low Required Changed High High High 11.2.0.4, 12.1.0.1, 12.1.0.2 See Note 1
CVE-2016-3506 JDBC None Oracle Net Yes 8.1 Network High None None Un-
changed
High High High 11.2.0.4, 12.1.0.1, 12.1.0.2  
CVE-2016-3479 Portable Clusterware None Oracle Net Yes 7.5 Network Low None None Un-
changed
None None High 11.2.0.4, 12.1.0.2  
CVE-2016-3489 Data Pump Import Index on SYS.INCVID Oracle Net No 6.7 Local Low High None Un-
changed
High High High 11.2.0.4, 12.1.0.1, 12.1.0.2  
CVE-2016-3448 Application Express None HTTP Yes 6.1 Network Low None Required Changed Low Low None Prior to 5.0.4  
CVE-2016-3467 Application Express None HTTP Yes 5.8 Network Low None None Changed None None Low Prior to 5.0.4  
CVE-2015-0204 RDBMS HTTPS Listener HTTPS Yes 5.3 Network High None Required Un-
changed
None High None 12.1.0.1, 12.1.0.2  
CVE-2016-3488 DB Sharding Execute on gsmadmin_internal Oracle Net No 4.4 Local Low High None Un-
changed
None High None 12.1.0.2  
CVE-2016-3484 Database Vault Create Public Synonym Oracle Net No 3.4 Local Low High None Un-
changed
Low Low None 11.2.0.4, 12.1.0.1, 12.1.0.2  
 

Notes:

  1. The score 9.0 is for Windows platform. On Linux platform the score is 8.0.

 

Oracle Database Server Client-Only Installations

The following Oracle Database Server vulnerabilities included in this Critical Patch Update affect client-only installations: CVE-2016-3506 and CVE-2015-0204.


 

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 40 new security fixes for Oracle Fusion Middleware.  35 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle Fusion Middleware Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2015-7182 Oracle Directory Server Enterprise Edition Admin Server HTTPS Yes 9.8 Network Low None None Un-
changed
High High High 7.0, 11.1.1.7.0  
CVE-2016-3607 Oracle GlassFish Server Web Container HTTP Yes 9.8 Network Low None None Un-
changed
High High High 3.0.1, 3.1.2  
CVE-2016-3510 Oracle WebLogic Server WLS Core Components HTTP Yes 9.8 Network Low None None Un-
changed
High High High 10.3.6.0, 12.1.3.0, 12.2.1.0  
CVE-2016-3586 Oracle WebLogic Server WLS Core Components HTTP Yes 9.8 Network Low None None Un-
changed
High High High 10.3.6.0, 12.1.3.0, 12.2.1.0  
CVE-2016-3499 Oracle WebLogic Server Web Container HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.1.3.0, 12.2.1.0  
CVE-2016-3504 Oracle JDeveloper ADF Faces HTTP Yes 9.8 Network Low None None Un-
changed
High High High 11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0  
CVE-2016-3574 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3575 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3576 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3577 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3578 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3579 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3580 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3581 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3582 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3583 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3590 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3591 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3592 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3593 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3594 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3595 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3596 Outside In Technology Outside In Filters HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-3446 Oracle Business Intelligence Enterprise Edition Analytics Web Administration HTTP Yes 8.3 Network Low None None Changed Low Low Low 11.1.1.7.0, 11.1.1.9.0  
CVE-2016-1181 Oracle Portal User and Group Security HTTP Yes 8.1 Network High None None Un-
changed
High High High 11.1.1.6 See Note 2
CVE-2016-3564 Oracle TopLink JPA-RS HTTP Yes 8.1 Network High None None Un-
changed
High High High 12.1.3.0, 12.2.1.0, 12.2.1.1  
CVE-2016-3487 Oracle WebCenter Sites WebCenter Sites HTTP Yes 8.1 Network High None None Un-
changed
High High High 11.1.1.8, 12.2.1.0  
CVE-2016-3544 Oracle Business Intelligence Enterprise Edition Analytics Web General HTTP No 7.6 Network Low Low Required Changed High Low None 11.1.1.7.0, 11.1.1.9.0, 11.2.1.0.0  
CVE-2016-1548 Oracle Exalogic Infrastructure Base Image Multiple Yes 6.5 Network Low None None Un-
changed
None Low Low 1.x, 2.x  
CVE-2015-3237 Oracle GlassFish Server Administration HTTP Yes 6.5 Network Low None None Un-
changed
Low None Low 3.0.1, 3.1.2  
CVE-2016-3502 Oracle WebCenter Sites WebCenter Sites HTTP No 6.5 Network Low Low Required Changed Low Low Low 11.1.1.8, 12.2.1.0  
CVE-2016-2107 Oracle Access Manager Web Server Plugin HTTPS Yes 5.9 Network High None None Un-
changed
High None None 10.1.4.x, 11.1.1.7  
CVE-2016-2107 Oracle Exalogic Infrastructure Base Image Multiple Yes 5.9 Network High None None Un-
changed
High None None 1.x, 2.x  
CVE-2016-3608 Oracle GlassFish Server Administration HTTP Yes 5.8 Network Low None None Changed Low None None 3.0.1  
CVE-2016-5477 Oracle GlassFish Server Administration HTTP Yes 5.8 Network Low None None Changed Low None None 2.1.1, 3.0.1  
CVE-2016-3432 BI Publisher (formerly XML Publisher) Web Server HTTP No 5.4 Network Low Low Required Changed Low Low None 11.1.1.7.0, 11.1.1.9.0  
CVE-2016-3433 Oracle Business Intelligence Enterprise Edition Analytics Web Administration HTTP No 5.4 Network Low Low Required Changed Low Low None 11.1.1.7.0, 11.1.1.9.0  
CVE-2016-3445 Oracle WebLogic Server Web Container HTTP Yes 5.3 Network Low None None Un-
changed
None None Low 10.3.6.0, 12.1.3.0  
CVE-2016-3474 BI Publisher (formerly XML Publisher) Security HTTP Yes 3.7 Network High None None Un-
changed
Low None None 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0  
CVE-2016-3482 Oracle HTTP Server SSL/TLS Module HTTPS Yes 3.7 Network High None None Un-
changed
Low None None 11.1.1.9, 12.1.3.0  
 

Notes:

  1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
  2. Please refer to My Oracle Support Note 2155256.1 for instructions on how to address this issue.

Additional CVEs addressed:

  • The fix for CVE-2015-7182 also addresses CVE-2015-2721, CVE-2015-4000, CVE-2015-7181, CVE-2015-7183, and CVE-2015-7575.
  • The fix for CVE-2016-1181 also addresses CVE-2016-1182.
  • The fix for CVE-2016-1548 also addresses CVE-2015-7979, CVE-2016-1547, CVE-2016-1550, CVE-2016-2108, CVE-2016-2518, CVE-2016-4051, CVE-2016-4052, and CVE-2016-4053.
  • The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176.
  • The fix for CVE-2016-3504 also addresses CVE-2016-5019.

 

Appendix - Oracle Hyperion

Oracle Hyperion Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Hyperion.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle Hyperion Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2016-3493 Hyperion Financial Reporting Security Models HTTP Yes 9.8 Network Low None None Un-
changed
High High High 11.1.2.4  
 


 

Appendix - Oracle Enterprise Manager Grid Control

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 10 new security fixes for Oracle Enterprise Manager Grid Control.  7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.



Oracle Enterprise Manager Grid Control Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2015-7501 Enterprise Manager Ops Center Enterprise Controller Install HTTP No 8.8 Network Low Low None Un-
changed
High High High 12.1.4, 12.2.2, 12.3.2  
CVE-2016-0635 Enterprise Manager Ops Center Framework HTTP No 8.8 Network Low Low None Un-
changed
High High High 12.1.4, 12.2.2, 12.3.2  
CVE-2015-3237 Enterprise Manager Ops Center Networking HTTP Yes 6.5 Network Low None None Un-
changed
Low None Low 12.1.4, 12.2.2, 12.3.2  
CVE-2016-3494 Enterprise Manager Ops Center OS Provisioning HTTP Yes 6.5 Adjacent
Network
Low None None Un-
changed
None None High 12.1.4, 12.2.2, 12.3.2  
CVE-2016-3563 Enterprise Manager Base Platform Security Framework None No 6.3 Local Low High Required Changed Low High None 12.1.0.5  
CVE-2016-2107 Enterprise Manager Base Platform Discovery Framework HTTP Yes 5.9 Network High None None Un-
changed
High None None 12.1.0.5, 13.1.0.0  
CVE-2015-3197 Enterprise Manager Ops Center Networking SSL/TLS Yes 5.9 Network High None None Un-
changed
High None None 12.1.4, 12.2.2, 12.3.2  
CVE-2016-3496 Enterprise Manager for Fusion Middleware SOA Topology Viewer HTTP Yes 4.7 Network Low None Required Changed Low None None 11.1.1.7, 11.1.1.9  
CVE-2016-3540 Enterprise Manager Base Platform UI Framework HTTP Yes 4.3 Network Low None Required Un-
changed
Low None None 12.1.0.5, 13.1.0.0  
CVE-2015-0228 Enterprise Manager Ops Center Update Provisioning HTTP Yes 4.3 Network Low None Required Un-
changed
None None Low 12.1.4, 12.2.2, 12.3.2  
 

Additional CVEs addressed:

  • The fix for CVE-2015-3237 also addresses CVE-2015-3236.

 

Appendix - Oracle Applications

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 23 new security fixes for the Oracle E-Business Suite.  21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle E-Business Suite Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2016-3546 Oracle Advanced Collections Report JSPs HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1.1, 12.1.2, 12.1.3  
CVE-2016-3541 Oracle Common Applications Calendar Notes HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-3543 Oracle Common Applications Calendar Tasks HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-3532 Oracle Advanced Inbound Telephony SDK client integration HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1, 12.1.2, 12.1.3  
CVE-2016-3535 Oracle CRM Technical Foundation Remote Launch HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.3  
CVE-2016-3491 Oracle CRM Technical Foundation Wireless Framework HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.3  
CVE-2016-3512 Oracle Customer Interaction History Function Security HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1, 12.1.2, 12.1.3  
CVE-2016-3536 Oracle Marketing Deliverables HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1, 12.1.2, 12.1.3  
CVE-2016-3522 Oracle Web Applications Desktop Integrator Application Service HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-3528 Oracle Internet Expenses Expenses Admin Utilities HTTP Yes 7.5 Network Low None None Un-
changed
None None High 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-3524 Oracle Applications Technology Stack Configuration HTTP Yes 6.5 Network Low None None Un-
changed
Low Low None 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-3542 Oracle Knowledge Management Search, Browse HTTP No 6.5 Network Low High None Un-
changed
High High None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-3525 Oracle Applications Manager Cookie Management HTTP Yes 5.9 Network High None None Un-
changed
High None None 12.1.3  
CVE-2016-3545 Oracle Application Object Library Web based help screens HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-3549 Oracle E-Business Suite Secure Enterprise Search Search Integration Engine HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-3548 Oracle Marketing Marketing activity collateral HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-3547 Oracle One-to-One Fulfillment Content Manager HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-3520 Oracle Application Object Library AOL Diagnostic tests HTTP No 4.9 Network Low High None Un-
changed
High None None 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-3558 Oracle Email Center Email Center Agent Console HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-3559 Oracle Email Center Email Center Agent Console HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-3534 Oracle Installed Base Engineering Change Order HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-3533 Oracle Knowledge Management Search HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-3523 Oracle Web Applications Desktop Integrator Application Service HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.3, 12.2.3, 12.2.4, 12.2.5  
 



Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 25 new security fixes for the Oracle Supply Chain Products Suite.  13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle Supply Chain Products Suite Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2016-3468 Oracle Agile Engineering Data Management Install HTPP Yes 9.8 Network Low None None Un-
changed
High High High 6.1.3.0, 6.2.0.0  
CVE-2016-3556 Oracle Agile PLM EM Integration HTTP Yes 9.8 Network Low None None Un-
changed
High High High 9.3.4, 9.3.5  
CVE-2016-3527 Oracle Demand Planning ODPDA Servlet HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1, 12.2  
CVE-2016-3554 Oracle Agile PLM PC / BOM, MCAD, Design HTTP No 8.8 Network Low Low None Un-
changed
High High High 9.3.4, 9.3.5  
CVE-2015-7501 Oracle Transportation Management Web Container HTTP No 8.8 Network Low Low None Un-
changed
High High High 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1  
CVE-2016-3526 Oracle Agile PLM SDK HTTP Yes 7.5 Network Low None None Un-
changed
High None None 9.3.4, 9.3.5  
CVE-2016-3561 Oracle Agile PLM SDK HTTP Yes 7.3 Network Low None None Un-
changed
Low Low Low 9.3.4, 9.3.5  
CVE-2016-3538 Oracle Agile PLM File Folders / Attachment HTTP No 7.1 Network Low Low None Un-
changed
None High Low 9.3.4, 9.3.5  
CVE-2016-3539 Oracle Agile PLM File Folders / Attachment HTTP No 7.1 Network Low Low None Un-
changed
None High Low 9.3.4, 9.3.5  
CVE-2016-3530 Oracle Agile PLM PGC / Import HTTP No 7.1 Network Low Low None Un-
changed
None High Low 9.3.4, 9.3.5  
CVE-2016-3470 Oracle Transportation Management Install HTTP No 7.1 Network Low Low None Un-
changed
High Low None 6.4.1  
CVE-2016-3537 Oracle Agile PLM File Folders / Attachment HTTP No 6.5 Network Low Low None Un-
changed
High None None 9.3.4, 9.3.5  
CVE-2016-3557 Oracle Agile PLM File Load HTTP Yes 6.1 Network Low None Required Changed Low Low None 9.3.4, 9.3.5  
CVE-2016-3519 Oracle Agile PLM PC / Get Shortcut HTTP Yes 6.1 Network Low None Required Changed Low Low None 9.3.4, 9.3.5  
CVE-2016-3555 Oracle Agile PLM PGC / Excel Plugin HTTP Yes 6.1 Network Low None Required Changed Low Low None 9.3.4, 9.3.5  
CVE-2016-2107 Oracle Agile Engineering Data Management Install HTTP Yes 5.9 Network High None None Un-
changed
High None None 6.1.3.0, 6.2.0.0  
CVE-2016-3529 Oracle Agile PLM SDK HTTP Yes 5.8 Network Low None None Changed Low None None 9.3.4, 9.3.5  
CVE-2016-3509 Oracle Agile PLM File Folders / URL Attachment HTTP No 5.4 Network Low Low Required Changed Low Low None 9.3.4, 9.3.5  
CVE-2016-3553 Oracle Agile PLM PC Core HTTP No 5.4 Network Low Low None Un-
changed
Low Low None 9.3.4, 9.3.5  
CVE-2016-3560 Oracle Agile PLM SDK HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 9.3.4, 9.3.5  
CVE-2016-3517 Oracle Agile PLM PC / Get Shortcut HTTP Yes 4.3 Network Low None Required Un-
changed
None Low None 9.3.4, 9.3.5  
CVE-2016-3507 Oracle Agile PLM WebClient / Admin HTTP Yes 4.3 Network Low None Required Un-
changed
None Low None 9.3.4, 9.3.5  
CVE-2016-3531 Oracle Agile PLM PC / Notification HTTP No 3.5 Network Low Low Required Un-
changed
Low None None 9.3.4, 9.3.5  
CVE-2016-5473 Oracle Agile PLM File Folders / Attachment HTTP No 3.1 Network High Low None Un-
changed
Low None None 9.3.4, 9.3.5  
CVE-2016-3490 Oracle Transportation Management Database HTTP No 3.0 Network High Low Required Changed Low None None 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1  
 



Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 7 new security fixes for Oracle PeopleSoft Products.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle PeopleSoft Products Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2016-5465 PeopleSoft Enterprise PeopleTools Panel Processor HTTP Yes 8.2 Network Low None Required Changed High Low None 8.53, 8.54, 8.55  
CVE-2016-5472 PeopleSoft Enterprise PeopleTools Install and Packaging None No 7.8 Local Low Low None Un-
changed
High High High 8.54, 8.55  
CVE-2016-3483 PeopleSoft Enterprise PeopleTools File Processing HTTP Yes 7.2 Network Low None None Changed Low None Low 8.53, 8.54, 8.55  
CVE-2016-5470 PeopleSoft Enterprise PeopleTools Application Designer HTTP Yes 6.5 Network Low None Required Un-
changed
High None None 8.54, 8.55  
CVE-2016-3478 PeopleSoft Enterprise PeopleTools File Processing HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.53, 8.54, 8.55  
CVE-2016-2107 PeopleSoft Enterprise PeopleTools Security HTTP Yes 5.9 Network High None None Un-
changed
High None None 8.53, 8.54, 8.55  
CVE-2016-5467 PeopleSoft Enterprise FSCM eProcurement HTTP No 5.4 Network Low Low None Un-
changed
Low Low None 9.1, 9.2  
 

Additional CVEs addressed:

  • The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176.


Oracle JD Edwards Products Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle JD Edwards Products.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle JD Edwards Products Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2015-3197 JD Edwards EnterpriseOne Tools Enterprise Infrastructure SEC HTTP Yes 5.9 Network High None None Un-
changed
High None None 9.2.0.5  
 



Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 16 new security fixes for Oracle Siebel CRM.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle Siebel CRM Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2016-5451 Siebel UI Framework EAI HTTP No 8.1 Network Low Low None Un-
changed
High High None 8.1.1, 8.2.2, IP2014, IP2015, IP2016  
CVE-2016-3476 Oracle Knowledge Information Manager Console HTTP Yes 6.5 Network Low None None Un-
changed
Low Low None 8.5.x  
CVE-2016-5461 Siebel Core - Server Framework Object Manager HTTP No 6.5 Network Low Low None Un-
changed
High None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016  
CVE-2016-3472 Siebel Engineering - Installer and Deployment Web Server HTTP No 5.7 Network Low Low Required Un-
changed
High None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016  
CVE-2016-5468 Siebel UI Framework EAI HTTP No 5.4 Network Low Low None Un-
changed
Low Low None 8.1.1, 8.2.2, IP2014, IP2015, IP2016  
CVE-2016-5456 Siebel Core - Server Framework Services HTTP No 5.3 Network High Low None Un-
changed
High None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016  
CVE-2016-5459 Siebel Core - Common Components iHelp HTTP Yes 4.7 Network Low None Required Changed None Low None 8.1.1, 8.2.2, IP2014, IP2015, IP2016  
CVE-2016-5450 Siebel UI Framework UIF Open UI HTTP Yes 4.7 Network Low None Required Changed None Low None 8.1.1, 8.2.2, IP2014, IP2015, IP2016  
CVE-2016-3475 Oracle Knowledge Information Manager Console HTTP No 4.3 Network Low Low None Un-
changed
Low None None 8.5.x  
CVE-2016-5463 Siebel UI Framework SWSE Server HTTP No 4.1 Network Low Low Required Changed None Low None 8.1.1, 8.2.2, IP2014, IP2015, IP2016  
CVE-2016-5464 Siebel UI Framework SWSE Server HTTP No 4.1 Network Low Low Required Changed None Low None 8.1.1, 8.2.2, IP2014, IP2015, IP2016  
CVE-2016-3450 Siebel Core - Server Framework Services HTTP Yes 3.7 Network High None None Un-
changed
Low None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016  
CVE-2016-5460 Siebel Core - Server Framework Services HTTP Yes 3.7 Network High None None Un-
changed
Low None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016  
CVE-2016-5466 Siebel Core - Server Framework Services HTTP Yes 3.7 Network High None None Un-
changed
Low None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016  
CVE-2016-3469 Siebel Core - Server Framework Services None No 3.3 Local Low Low None Un-
changed
Low None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016  
CVE-2016-5462 Siebel Core - Server Framework Workspaces HTTP No 2.7 Network Low High None Un-
changed
Low None None 8.1.1, 8.2.2, IP2014, IP2015, IP2016  
 


 

Appendix - Oracle Communications Applications

Oracle Communications Applications Executive Summary

This Critical Patch Update contains 16 new security fixes for Oracle Communications Applications.  10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle Communications Applications Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2015-0235 Oracle Communications EAGLE Application Processor Other HTTP Yes 9.8 Network Low None None Un-
changed
High High High 16.0  
CVE-2015-7182 Oracle Communications Messaging Server Security HTTP Yes 9.8 Network Low None None Un-
changed
High High High Prior to 7.0.5.37.0 and 8.0.1.1.0  
CVE-2015-7501 Oracle Communications ASAP Service request translator T3 No 8.8 Network Low Low None Un-
changed
High High High 7.0, 7.2, 7.3  
CVE-2014-3571 Oracle Communications Core Session Manager Routing TLS Yes 7.5 Network Low None None Un-
changed
None None High 7.2.5, 7.3.5  
CVE-2016-3515 Oracle Enterprise Communications Broker Crash, network, system, admin HTTP Yes 7.5 Network Low None None Un-
changed
High None None Prior to PCz 2.0.0m4p1  
CVE-2016-3513 Oracle Communications Operations Monitor Infrastructure HTTPS No 6.5 Network Low Low None Un-
changed
High None None Prior to 3.3.92.0.0  
CVE-2016-3514 Oracle Enterprise Communications Broker GUI HTTP No 6.5 Network Low Low None Un-
changed
High None None Prior to PCz 2.0.0m4p1  
CVE-2016-5458 Oracle Communications EAGLE Application Processor APPL HTTP No 6.4 Network Low Low None Changed Low Low None 16.0  
CVE-2015-3197 Oracle Communications Network Charging and Control DAP, OSD, PI TLS/SSL Yes 5.9 Network High None None Un-
changed
High None None 5.0.2.0.0, 5.0.1.0.0, 5.0.0.2.0, 5.0.0.1.0, 4.4.1.5.0  
CVE-2016-2107 Oracle Communications Unified Session Manager Routing TLS Yes 5.9 Network High None None Un-
changed
High None None 7.2.5, 7.3.5  
CVE-2016-5455 Oracle Communications Messaging Server Multiplexor HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 6.3, 7.0, 8.0  
CVE-2014-9708 Oracle Enterprise Communications Broker GUI HTTP Yes 5.3 Network Low None None Un-
changed
None None Low Prior to PCz 2.0.0m4p1  
CVE-2016-0702 Oracle Communications Session Border Controller Encryption TLS Yes 4.8 Network High None None Un-
changed
Low Low None 7.2.0, 7.3.0  
CVE-2015-2808 Oracle Communications Policy Management Security HTTP Yes 3.7 Network High None None Un-
changed
Low None None Prior to 9.9.2  
CVE-2015-5300 Oracle Communications Session Border Controller System NTP No 3.7 Adjacent
Network
High Low None Un-
changed
Low None Low 7.2.0, 7.3.0  
CVE-2016-3516 Oracle Enterprise Communications Broker GUI HTTP No 3.1 Network High Low None Un-
changed
Low None None Prior to PCz 2.0.0m4p1  
 

Additional CVEs addressed:

  • The fix for CVE-2014-3571 also addresses CVE-2014-3569, CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, and CVE-2015-0206.
  • The fix for CVE-2015-5300 also addresses CVE-2015-7704, and CVE-2015-8138.
  • The fix for CVE-2015-7182 also addresses CVE-2015-7181, CVE-2015-7183, and CVE-2015-7575.
  • The fix for CVE-2016-0702 also addresses CVE-2016-0705, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, and CVE-2016-0800.
  • The fix for CVE-2016-5455 also addresses CVE-2015-7181, CVE-2015-7183, CVE-2015-7575, CVE-2016-1938, and CVE-2016-1978.

 

Appendix - Oracle Financial Services Applications

Oracle Financial Services Applications Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Financial Services Applications.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle Financial Services Applications Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2015-7501 Oracle Banking Platform Rules collections HTTP No 8.8 Network Low Low None Un-
changed
High High High 2.3.0, 2.4.0, 2.4.1  
CVE-2014-0224 Oracle Financial Services Lending and Leasing Admin and setup HTTP Yes 7.3 Network Low None None Un-
changed
Low Low Low 14.1 , 14.2  
CVE-2016-3589 Oracle FLEXCUBE Direct Banking Base HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.0.1, 12.0.2, 12.0.3  
CVE-2016-1181 Oracle Banking Platform OPS HTTP Yes 3.1 Network High None Required Un-
changed
None Low None 2.3.0, 2.4.0, 2.4.1, 2.5.0  
 

Additional CVEs addressed:

  • The fix for CVE-2016-1181 also addresses CVE-2016-1182.

 

Appendix - Oracle Health Sciences Applications

Oracle Health Sciences Applications Executive Summary

This Critical Patch Update contains 5 new security fixes for Oracle Health Sciences Applications.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle Health Sciences Applications Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2015-3253 Oracle Health Sciences Clinical Development Center Installation and configuration HTTP Yes 9.8 Network Low None None Un-
changed
High High High 3.1.1.x, 3.1.2.x  
CVE-2015-7501 Oracle Health Sciences Clinical Development Center Installation and configuration HTTP No 8.8 Network Low Low None Un-
changed
High High High 3.1.1.x, 3.1.2.x  
CVE-2016-0635 Oracle Health Sciences Information Manager Health Policy Monitor TLS, UDP No 8.8 Network Low Low None Un-
changed
High High High 1.2.8.3, 2.0.2.3, 3.0.1.0  
CVE-2015-7501 Oracle Healthcare Analytics Data Integration Self Service Analytics HTTP No 8.8 Network Low Low None Un-
changed
High High High 3.1.0.0.0  
CVE-2016-0635 Oracle Healthcare Master Person Index Internal operations HTTP No 8.8 Network Low Low None Un-
changed
High High High 2.0.12, 3.0.0, 4.0.1  
 


 

Appendix - Oracle Insurance Applications

Oracle Insurance Applications Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle Insurance Applications.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle Insurance Applications Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2015-7501 Oracle Documaker Development tools HTTP No 8.8 Network Low Low None Un-
changed
High High High Prior to 12.5  
CVE-2016-0635 Oracle Documaker Development tools HTTP No 8.8 Network Low Low None Un-
changed
High High High Prior to 12.5  
CVE-2015-7501 Oracle Insurance Calculation Engine Architecture HTTP No 8.8 Network Low Low None Un-
changed
High High High 9.7.1, 10.1.2, 10.2.2  
CVE-2016-0635 Oracle Insurance Calculation Engine Architecture HTTP No 8.8 Network Low Low None Un-
changed
High High High 9.7.1, 10.1.2, 10.2.2  
CVE-2015-7501 Oracle Insurance Policy Administration J2EE Architecture HTTP No 8.8 Network Low Low None Un-
changed
High High High 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2  
CVE-2016-0635 Oracle Insurance Policy Administration J2EE Architecture HTTP No 8.8 Network Low Low None Un-
changed
High High High 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2  
CVE-2015-7501 Oracle Insurance Rules Palette Architecture HTTP No 8.8 Network Low Low None Un-
changed
High High High 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2  
CVE-2016-0635 Oracle Insurance Rules Palette Architecture HTTP No 8.8 Network Low Low None Un-
changed
High High High 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2  
 


 

Appendix - Oracle Retail Applications

Oracle Retail Applications Executive Summary

This Critical Patch Update contains 16 new security fixes for Oracle Retail Applications.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle Retail Applications Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2016-3444 Oracle Retail Integration Bus Install HTTP Yes 9.8 Network Low None None Un-
changed
High High High 13.0, 13.1, 13.2, 14.0, 14.1, 15.0  
CVE-2015-3253 Oracle Retail Order Broker System Administration HTTP Yes 9.8 Network Low None None Un-
changed
High High High 4.1, 5.1, 5.2, 15.0  
CVE-2015-3253 Oracle Retail Service Backbone Install HTTP Yes 9.8 Network Low None None Un-
changed
High High High 13.0, 13.1, 13.2, 14.0, 14.1, 15.0  
CVE-2015-3253 Oracle Retail Store Inventory Management SIMINT HTTP Yes 9.8 Network Low None None Un-
changed
High High High 13.2, 14.0, 14.1  
CVE-2015-7501 MICROS Retail XBRi Loss Prevention Retail HTTP No 8.8 Network Low Low None Un-
changed
High High High 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1  
CVE-2015-7501 Oracle Retail Central, Back Office, Returns Management Install HTTP No 8.8 Network Low Low None Un-
changed
High High High 12.0 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1  
CVE-2016-0635 Oracle Retail Integration Bus Install HTTP No 8.8 Network Low Low None Un-
changed
High High High 15.0  
CVE-2016-0635 Oracle Retail Order Broker Order Broker Foundation HTTP No 8.8 Network Low Low None Un-
changed
High High High 5.1, 5.2, 15.0  
CVE-2015-7501 Oracle Retail Service Backbone Install HTTP No 8.8 Network Low Low None Un-
changed
High High High 15.0  
CVE-2016-5474 Oracle Retail Service Backbone RSB Kernel HTTP No 8.8 Network Low Low None Un-
changed
High High High 14.0, 14.1, 15.0  
CVE-2016-3081 MICROS Retail XBRi Loss Prevention Retail HTTP Yes 8.1 Network High None None Un-
changed
High High High 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1  
CVE-2016-5476 Oracle Retail Integration Bus Install HTTP No 7.6 Network Low Low None Un-
changed
High Low Low 13.0, 13.1, 13.2, 14.0, 14.1, 15.0  
CVE-2016-3565 Oracle Retail Order Broker System Administration HTTP No 7.6 Network Low Low None Un-
changed
Low High Low 5.1, 5.2  
CVE-2016-5475 Oracle Retail Service Backbone Install HTTP No 7.6 Network Low Low None Un-
changed
High Low Low 14.0, 14.1, 15.0  
CVE-2015-7501 Oracle Retail Store Inventory Management SIMINT HTTP No 6.3 Network Low Low None Un-
changed
Low Low Low 12.0, 13.0, 13.1, 13.2, 14.0, 14.1  
CVE-2016-3611 Oracle Retail Order Broker System Administration HTTP Yes 5.4 Network Low None Required Un-
changed
Low Low None 15.0  
 


 

Appendix - Oracle Utilities Applications

Oracle Utilities Applications Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle Utilities Applications.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle Utilities Applications Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2015-7501 Oracle Utilities Framework System wide HTTP No 8.8 Network Low Low None Un-
changed
High High High 2.2.0.0.0, 4.1.0.1.0, 4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.2.0  
CVE-2015-7501 Oracle Utilities Network Management System System wide HTTP No 8.8 Network Low Low None Un-
changed
High High High 1.10.0.6.27, 1.11.0.4.41, 1.11.0.5.4, 1.12.0.1.16, 1.12.0.2.12. 1.12.0.3.5  
CVE-2015-7501 Oracle Utilities Work and Asset Management Integrations HTTP No 8.8 Network Low Low None Un-
changed
High High High 1.9.1.2.8  
 


 

Appendix - Oracle Policy Automation

Oracle Policy Automation Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Policy Automation.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle Policy Automation Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2015-7501 Oracle In-Memory Policy Analytics Analysis Server HTTP No 8.8 Network Low Low None Un-
changed
High High High 12.0.1  
CVE-2015-7501 Oracle Policy Automation Determinations Engine HTTP No 8.8 Network Low Low None Un-
changed
High High High 10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 12.1.0, 12.1.1  
CVE-2015-7501 Oracle Policy Automation Connector for Siebel Determinations Server HTTP No 8.8 Network Low Low None Un-
changed
High High High 10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6  
CVE-2015-7501 Oracle Policy Automation for Mobile Devices Mobile Application HTTP No 8.8 Network Low Low None Un-
changed
High High High 12.1.1  
 


 

Appendix - Oracle Primavera Products Suite

Oracle Primavera Products Suite Executive Summary

This Critical Patch Update contains 15 new security fixes for the Oracle Primavera Products Suite.  8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle Primavera Products Suite Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2015-7501 Primavera Contract Management PCM application HTTP No 8.8 Network Low Low None Un-
changed
High High High 14.2  
CVE-2016-0635 Primavera Contract Management PCM web services HTTP No 8.8 Network Low Low None Un-
changed
High High High 14.2  
CVE-2015-7501 Primavera P6 Enterprise Project Portfolio Management Web access HTTP No 8.8 Network Low Low None Un-
changed
High High High 8.2, 8.3, 8.4, 15.1, 15.2, 16.1  
CVE-2016-0635 Primavera P6 Enterprise Project Portfolio Management Web access HTTP No 8.8 Network Low Low None Un-
changed
High High High 8.2, 8.3, 8.4, 15.1, 15.2, 16.1  
CVE-2015-1791 Primavera P6 Enterprise Project Portfolio Management Project manager HTTP Yes 6.5 Network High None None Changed Low Low Low 8.3, 8.4, 15.1  
CVE-2016-3572 Primavera P6 Enterprise Project Portfolio Management Web Access HTTP No 6.4 Network Low Low None Changed Low Low None 8.3, 8.4, 15.1, 15.2, 16.1  
CVE-2012-3137 Primavera P6 Enterprise Project Portfolio Management Web access HTTP No 6.3 Network Low Low None Un-
changed
Low Low Low 8.2, 8.3, 8.4  
CVE-2016-3566 Primavera P6 Enterprise Project Portfolio Management Web access HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.3, 8.4, 15.1, 15.2, 16.1  
CVE-2016-3568 Primavera P6 Enterprise Project Portfolio Management Web access HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.3, 8.4, 15.1, 15.2, 16.1  
CVE-2016-3569 Primavera P6 Enterprise Project Portfolio Management Web access HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.3, 8.4, 15.1, 15.2, 16.1  
CVE-2016-3570 Primavera P6 Enterprise Project Portfolio Management Web access HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.3, 8.4, 15.1, 15.2, 16.1  
CVE-2016-3571 Primavera P6 Enterprise Project Portfolio Management Web access HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.3, 8.4, 15.1, 15.2, 16.1  
CVE-2016-3573 Primavera P6 Enterprise Project Portfolio Management Web access HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.3, 8.4, 15.1, 15.2, 16.1  
CVE-2015-3197 Primavera P6 Enterprise Project Portfolio Management Project manager HTTP Yes 5.9 Network High None None Un-
changed
High None None 8.3, 8.4, 15.1, 15.2  
CVE-2016-3567 Primavera P6 Enterprise Project Portfolio Management Web access HTTP No 5.4 Network Low Low Required Changed Low Low None 8.3, 8.4, 15.1, 15.2, 16.1  
 

Additional CVEs addressed:

  • The fix for CVE-2015-1791 also addresses CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, and CVE-2015-1792.
  • The fix for CVE-2015-3197 also addresses CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, and CVE-2016-0701.

 

Appendix - Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 13 new security fixes for Oracle Java SE.  9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.


The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Low" instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.


Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.



Oracle Java SE Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2016-3587 Java SE, Java SE Embedded Hotspot Multiple Yes 9.6 Network Low None Required Changed High High High Java SE: 8u92; Java SE Embedded: 8u91 See Note 1
CVE-2016-3606 Java SE, Java SE Embedded Hotspot Multiple Yes 9.6 Network Low None Required Changed High High High Java SE: 7u101, 8u92; Java SE Embedded: 8u91 See Note 1
CVE-2016-3598 Java SE, Java SE Embedded Libraries Multiple Yes 9.6 Network Low None Required Changed High High High Java SE: 8u92; Java SE Embedded: 8u91 See Note 1
CVE-2016-3610 Java SE, Java SE Embedded Libraries Multiple Yes 9.6 Network Low None Required Changed High High High Java SE: 8u92; Java SE Embedded: 8u91 See Note 1
CVE-2016-3552 Java SE Install None No 8.1 Local High None None Changed High High High Java SE: 8u92 See Note 2
CVE-2016-3511 Java SE Deployment None No 7.7 Local High None Required Changed High High High Java SE: 7u101, 8u92 See Note 1
CVE-2016-3503 Java SE Install None No 7.7 Local High None Required Changed High High High Java SE: 6u115, 7u101, 8u92 See Note 2
CVE-2016-3498 Java SE JavaFX Multiple Yes 5.3 Network Low None None Un-
changed
None None Low Java SE: 7u101, 8u92 See Note 1
CVE-2016-3500 Java SE, Java SE Embedded, JRockit JAXP Multiple Yes 5.3 Network Low None None Un-
changed
None None Low Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91; JRockit: R28.3.10 See Note 3
CVE-2016-3508 Java SE, Java SE Embedded, JRockit JAXP Multiple Yes 5.3 Network Low None None Un-
changed
None None Low Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91; JRockit: R28.3.10 See Note 3
CVE-2016-3458 Java SE, Java SE Embedded CORBA Multiple Yes 4.3 Network Low None Required Un-
changed
None Low None Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91 See Note 1
CVE-2016-3550 Java SE, Java SE Embedded Hotspot Multiple Yes 4.3 Network Low None Required Un-
changed
Low None None Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91 See Note 1
CVE-2016-3485 Java SE, Java SE Embedded, JRockit Networking None No 2.9 Local High None None Un-
changed
None Low None Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91; JRockit: R28.3.10 See Note 3
 

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. Applies to installation process on client deployment of Java.
  3. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

 

Appendix - Oracle Sun Systems Products Suite

Oracle Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 34 new security fixes for the Oracle Sun Systems Products Suite.  21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle Sun Systems Products Suite Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2016-5453 ILOM IPMI IPMI Yes 9.8 Network Low None None Un-
changed
High High High 3.0, 3.1, 3.2  
CVE-2015-0235 Sun Data Center InfiniBand Switch 36 Firmware Multiple Yes 9.8 Network Low None None Un-
changed
High High High Versions prior to 2.2.2  
CVE-2015-0235 Sun Network QDR InfiniBand Gateway Switch Firmware Multiple Yes 9.8 Network Low None None Un-
changed
High High High Versions prior to 2.2.2  
CVE-2016-5457 ILOM LUMAIN Multiple No 8.8 Network Low Low None Un-
changed
High High High 3.0, 3.1, 3.2  
CVE-2012-3410 ILOM Restricted Shell Multiple No 8.8 Network Low Low None Un-
changed
High High High 3.0, 3.1, 3.2  
CVE-2016-5445 ILOM Authentication Multiple Yes 8.3 Network Low None None Changed Low Low Low 3.0, 3.1, 3.2  
CVE-2015-5600 ILOM SSH SSH Yes 8.2 Network Low None None Un-
changed
Low None High 3.0, 3.1, 3.2  
CVE-2016-3481 ILOM Web HTTP No 7.7 Network Low Low None Changed None None High 3.0, 3.1, 3.2  
CVE-2016-5447 ILOM Backup-Restore HTTP No 7.6 Network Low Low None Un-
changed
High Low Low 3.0, 3.1, 3.2  
CVE-2016-5449 ILOM Console Redirection HTTP Yes 7.5 Network Low None None Un-
changed
None None High 3.0, 3.1, 3.2  
CVE-2016-3585 ILOM Emulex HTTPS Yes 7.4 Network High None None Un-
changed
High High None 3.0, 3.1, 3.2  
CVE-2016-5446 ILOM Infrastructure Multiple Yes 7.3 Network Low None None Un-
changed
Low Low Low 3.0, 3.1, 3.2  
CVE-2016-3584 Solaris Libadimalloc None No 7.0 Local High Low None Un-
changed
High High High 11.3  
CVE-2016-5448 ILOM SNMP SNMP Yes 6.5 Network Low None None Un-
changed
None Low Low 3.0, 3.1, 3.2  
CVE-2015-1793 ILOM OpenSSL SSL/TLS Yes 6.5 Network Low None None Un-
changed
Low Low None 3.0, 3.1, 3.2  
CVE-2015-3183 SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers XCP Firmware HTTP Yes 6.5 Network Low None Required Un-
changed
None High None XCP prior to XCP1121  
CVE-2015-8104 Solaris Solaris Kernel Zones None No 6.5 Local Low Low None Changed None None High 11.3  
CVE-2016-5454 Solaris Verified Boot None No 6.4 Local High Low None Changed None Low High 11.3  
CVE-2015-3197 40G 10G 72/64 Ethernet Switch Firmware SSL/TLS Yes 5.9 Network High None None Un-
changed
High None None 2.0.0  
CVE-2015-3197 Oracle Switch ES1-24 Firmware SSL/TLS Yes 5.9 Network High None None Un-
changed
High None None 1.3  
CVE-2015-3197 Sun Blade 6000 Ethernet Switched NEM 24P 10GE Firmware SSL/TLS Yes 5.9 Network High None None Un-
changed
High None None 1.2  
CVE-2015-3197 Sun Network 10GE Switch 72p Firmware SSL/TLS Yes 5.9 Network High None None Un-
changed
High None None 1.2  
CVE-2016-3453 Solaris Kernel None No 5.5 Local Low Low None Un-
changed
None None High 10  
CVE-2016-3497 Solaris Kernel None No 5.5 Local Low Low None Un-
changed
None None High 11.3  
CVE-2016-5469 Solaris Kernel None No 5.5 Local Low Low None Un-
changed
None None High 11.3  
CVE-2016-5471 Solaris Kernel None No 5.5 Local Low Low None Un-
changed
None None High 11.3  
CVE-2016-5452 Solaris Verified Boot None No 5.5 Local Low Low None Un-
changed
High None None 11.3  
CVE-2013-2566 Fujitsu M10-1, M10-4, M10-4S Servers XCP Firmware SSL/TLS Yes 5.3 Network High None Required Un-
changed
High None None XCP prior to XCP2280  
CVE-2016-0800 Fujitsu M10-1, M10-4, M10-4S Servers XCP Firmware SSL/TLS Yes 5.3 Network High None Required Un-
changed
High None None XCP prior to XCP2320  
CVE-2015-2808 SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers XCP Firmware SSL/TLS Yes 5.3 Network High None Required Un-
changed
High None None XCP prior to XCP1121  
CVE-2016-3451 ILOM Web HTTP Yes 4.7 Network Low None Required Changed None Low None 3.0, 3.1, 3.2  
CVE-2016-3480 Solaris Cluster HA for Postgresql None No 4.4 Local Low High None Un-
changed
High None None 3.3, 4.3  
CVE-2014-3566 Sun Data Center InfiniBand Switch 36 Firmware HTTPS Yes 3.1 Network High None Required Un-
changed
Low None None Versions prior to 2.2.2  
CVE-2014-3566 Sun Network QDR InfiniBand Gateway Switch Firmware HTTPS Yes 3.1 Network High None Required Un-
changed
Low None None Versions prior to 2.2.2  
 


 

Appendix - Oracle Linux and Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Virtualization.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle Virtualization Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2016-3613 Oracle Secure Global Desktop OpenSSL SSL/TLS Yes 9.8 Network Low None None Un-
changed
High High High 4.63, 4.71, 5.2  
CVE-2013-2064 Oracle Secure Global Desktop X Server X11 Yes 7.3 Network Low None None Un-
changed
Low Low Low 4.71, 5.2  
CVE-2016-3612 Oracle VM VirtualBox Core SSL/TLS Yes 5.9 Network High None None Un-
changed
High None None VirtualBox prior to 5.0.22  
CVE-2016-3597 Oracle VM VirtualBox Core None No 5.5 Local Low Low None Un-
changed
None None High VirtualBox prior to 5.0.26  
 

Additional CVEs addressed:

  • The fix for CVE-2016-3612 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, and CVE-2016-2176.
  • The fix for CVE-2016-3613 also addresses CVE-2015-3193, CVE-2015-3194, CVE-2016-0702, CVE-2016-0797, CVE-2016-0799, CVE-2016-2105, and CVE-2016-2107.

 

Appendix - Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 22 new security fixes for Oracle MySQL.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.



Oracle MySQL Risk Matrix


CVE# Component Sub-
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2016-3477 MySQL Server Server: Parser None No 8.1 Local High None None Changed High High High 5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier  
CVE-2016-3440 MySQL Server Server: Optimizer MySQL Protocol No 7.7 Network Low Low None Changed None None High 5.7.11 and earlier  
CVE-2016-2105 MySQL Server Server: Security: Encryption MySQL Protocol Yes 7.5 Network Low None None Un-
changed
None None High 5.6.30 and earlier, 5.7.12 and earlier  
CVE-2016-3471 MySQL Server Server: Option None No 7.5 Local High High None Changed High High High 5.5.45 and earlier, 5.6.26 and earlier  
CVE-2016-3486 MySQL Server Server: FTS MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 5.6.30 and earlier, 5.7.12 and earlier  
CVE-2016-3501 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 5.6.30 and earlier, 5.7.12 and earlier  
CVE-2016-3518 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 5.7.12 and earlier  
CVE-2016-3521 MySQL Server Server: Types MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier  
CVE-2016-3588 MySQL Server Server: InnoDB MySQL Protocol No 5.9 Network High Low None Un-
changed
None Low High 5.7.12 and earlier  
CVE-2016-3615 MySQL Server Server: DML MySQL Protocol No 5.3 Network High Low None Un-
changed
None None High 5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier  
CVE-2016-3614 MySQL Server Server: Security: Encryption MySQL Protocol No 5.3 Network High Low None Un-
changed
None None High 5.6.30 and earlier, 5.7.12 and earlier  
CVE-2016-5436 MySQL Server Server: InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.12 and earlier  
CVE-2016-3459 MySQL Server Server: InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.6.30 and earlier, 5.7.12 and earlier  
CVE-2016-5437 MySQL Server Server: Log MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.12 and earlier  
CVE-2016-3424 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.12 and earlier  
CVE-2016-5439 MySQL Server Server: Privileges MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.6.30 and earlier, 5.7.12 and earlier  
CVE-2016-5440 MySQL Server Server: RBR MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier  
CVE-2016-5441 MySQL Server Server: Replication MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.12 and earlier  
CVE-2016-5442 MySQL Server Server: Security: Encryption MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.12 and earlier  
CVE-2016-5443 MySQL Server Server: Connection None No 4.7 Local High None Required Un-
changed
None None High 5.7.12 and earlier  
CVE-2016-5444 MySQL Server Server: Connection MySQL Protocol Yes 3.7 Network High None None Un-
changed
Low None None 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier  
CVE-2016-3452 MySQL Server Server: Security: Encryption MySQL Protocol Yes 3.7 Network High None None Un-
changed
Low None None 5.5.48 and earlier, 5.6.29 and earlier, 5.7.10 and earlier  
 

Additional CVEs addressed:

  • The fix for CVE-2016-2105 also addresses CVE-2016-2106.