Oracle Critical Patch Update

Home
Skip to Content
Skip to Search

Sign In Account
Oracle Account

Sign Out
- Account
- Help
Oracle Account

Manage your account and access personalized content.
Sign in
- Create an account
- Help
Cloud Account

Access your cloud dashboard, manage orders, and more.
Sign in
Country/Region
Call

Oracle Technology Network
Security Advisory

Oracle Critical Patch Update Advisory - July 2017

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 310 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at July 2017 Critical Patch Update: Executive Summary and Analysis.

Please note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available here.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Affected Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for patch availability information and installation instructions.

For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update July 2017 Documentation Map, My Oracle Support Note.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions	Patch Availability
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1	Database
Oracle REST Data Services, versions prior to 3.0.10.25.02.36	Database
Oracle API Gateway, version 11.1.2.4.0	Fusion Middleware
Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0	Fusion Middleware
Oracle Data Integrator, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0	Fusion Middleware
Oracle Endeca Server, versions 7.3.0.0, 7.4.0.0, 7.5.0.0, 7.5.1.0, 7.6.0.0, 7.6.1.0, 7.7.0.0	Fusion Middleware
Oracle Enterprise Data Quality, version 8.1.13.0.0	Fusion Middleware
Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0	Fusion Middleware
Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.1, 12.2.1.2	Fusion Middleware
Oracle OpenSSO, version 3.0.0.8	Fusion Middleware
Oracle Outside In Technology, version 8.5.3.0	Fusion Middleware
Oracle Secure Enterprise Search, version 11.2.2.2.0	Fusion Middleware
Oracle Service Bus, version 11.1.1.9.0	Fusion Middleware
Oracle Traffic Director, versions 11.1.1.7.0, 11.1.1.9.0	Fusion Middleware
Oracle Tuxedo, version 12.1.1	Fusion Middleware
Oracle Tuxedo System and Applications Monitor, versions 11.1.1.2.0, 11.1.1.2.1, 11.1.1.2.2, 12.1.1.1.0, 12.1.3.0.0, 12.2.2.0.0	Fusion Middleware
Oracle WebCenter Content, versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2	Fusion Middleware
Hyperion Essbase, version 12.2.1.1	Fusion Middleware
Enterprise Manager Base Platform, versions 12.1.0, 13.1.0, 13.2.0	Enterprise Manager
Enterprise Manager Ops Center, versions 12.2.2, 12.3.2	Enterprise Manager
Oracle Application Testing Suite, versions 12.5.0.2, 12.5.0.3	Enterprise Manager
Oracle Business Transaction Management, versions 11.1.x, 12.1.x	Enterprise Manager
Oracle Configuration Manager, versions prior to 12.1.2.0.4	Enterprise Manager
Application Management Pack for Oracle E-Business Suite, versions AMP 12.1.0.4.0, AMP 13.1.1.1.0	E-Business Suite
Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6	E-Business Suite
Oracle Agile PLM, versions 9.3.5, 9.3.6	Oracle Supply Chain Products
Oracle Transportation Management, versions 6.1, 6.2, 6.3.4.1, 6.3.5.1, 6.3.6.1, 6.3.7.1, 6.4.0, 6.4.1, 6.4.2	Oracle Supply Chain Products
PeopleSoft Enterprise FSCM, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55	PeopleSoft
PeopleSoft Enterprise PRTL Interaction Hub, version 9.1.0	PeopleSoft
Siebel Applications, versions 16.0, 17.0	Siebel
Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 6.1.4, 11.0, 11.1, 11.2	Oracle Commerce
Oracle iLearning, version 6.2	iLearning
Oracle Fusion Applications, versions 11.1.2 through 11.1.9	Fusion Applications
Oracle Communications BRM, versions 11.2.0.0.0, 11.3.0.0.0	Oracle Communications BRM - Elastic Charging Engine
Oracle Communications Convergence, versions 3.0, 3.0.1	Oracle Communications Convergence
Oracle Communications EAGLE LNP Application Processor, version 10.0	Oracle Communications EAGLE LNP Application Processor
Oracle Communications Network Charging and Control, versions 4.4.1.5, 5.0.0.1, 5.0.0.2, 5.0.1.0, 5.0.2.0	Oracle Communications Network Charging and Control
Oracle Communications Policy Management, version 11.5	Oracle Communications Policy Management
Oracle Communications Session Router, versions ECZ730, SCZ730, SCZ740	Oracle Communications Session Router
Oracle Enterprise Communications Broker, version PCZ210	Oracle Enterprise Communications Broker
Oracle Enterprise Session Border Controller, version ECZ7.3.0	Oracle Enterprise Session Border Controller
Financial Services Behavior Detection Platform, versions 8.0.1, 8.0.2	Oracle Financial Services Applications
Oracle Banking Platform, versions 2.3, 2.4, 2.4.1, 2.5	Oracle Banking Platform
Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3	Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, versions 2.0.0, 2.0.1, 2.2.0, 12.0.1	Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0	Oracle Financial Services Applications
Hospitality Hotel Mobile, versions 1.01, 1.05, 1.1	Hospitality Hotel Mobile
Hospitality Property Interfaces, version 8.10.x	Hospitality Property Interfaces
Hospitality Suite8, version 8.10.x	Hospitality Suite8
Hospitality WebSuite8 Cloud Service, versions 8.9.6, 8.10.x	Hospitality WebSuite8 Cloud Service
MICROS BellaVita, version 2.7.x	MICROS BellaVita
MICROS PC Workstation 2015, versions Prior to O1302h	MICROS PC Workstation
MICROS Workstation 650, versions Prior to E1500n	MICROS Workstation
Oracle Hospitality 9700, version 4.0	Oracle Hospitality 9700
Oracle Hospitality Cruise AffairWhere, version 2.2.05.062	Hospitality Cruise AffairWhere
Oracle Hospitality Cruise Dining Room Management, version 8.0.75	Oracle Hospitality Cruise Dining Room Management
Oracle Hospitality Cruise Fleet Management, version 9.0	Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Cruise Materials Management, version 7.30.562	Oracle Hospitality Cruise Materials Management
Oracle Hospitality Cruise Shipboard Property Management System, version 8.0.0.0	Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality e7, version 4.2.1	Oracle Hospitality e7
Oracle Hospitality Guest Access, versions 4.2.0.0, 4.2.1.0	Oracle Hospitality Guest Access
Oracle Hospitality Inventory Management, versions 8.5.1, 9.0.0	Oracle Hospitality Inventory Management
Oracle Hospitality Materials Control, versions 8.31.4, 8.32.0	Oracle Hospitality Materials Control
Oracle Hospitality OPERA 5 Property Services, versions 5.4.0.x, 5.4.1.x, 5.4.3.x	Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Reporting and Analytics, versions 8.5.1, 9.0.0	Oracle Hospitality Reporting and Analytics
Oracle Hospitality RES 3700, version 5.5	Oracle Hospitality RES
Oracle Hospitality Simphony, versions 2.8, 2.9	Oracle Hospitality Simphony
Oracle Hospitality Simphony First Edition, version 1.7.1	Hospitality Simphony First Edition
Oracle Hospitality Simphony First Edition Venue Management, version 3.9	Hospitality Simphony First Edition Venue Management
Oracle Hospitality Suites Management, version 3.7	Hospitality Suites Management
Oracle Payment Interface, version 6.1.1	Oracle Payment Interface
Oracle Retail Allocation, versions 13.3.1, 14.0.4, 14.1.3, 15.0.1, 16.0.1	Retail Applications
Oracle Retail Customer Insights, versions 15.0, 16.0	Retail Applications
Oracle Retail Open Commerce Platform, versions 5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 15.0, 15.1	Retail Applications
Oracle Retail Warehouse Management System, versions 14.0.4, 14.1.3, 15.0.1	Retail Applications
Oracle Retail Workforce Management, versions 1.60.7, 1.64.0	Retail Applications
Oracle Retail Xstore Point of Service, versions 6.0.x, 6.5.x, 7.0.x, 7.1.x, 15.0.x, 16.0.0	Retail Applications
Oracle Policy Automation, versions 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3	Oracle Policy Automation
Primavera Gateway, versions 1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2	Oracle Primavera Products Suite
Primavera P6 Enterprise Project Portfolio Management, versions 8.3, 8.4, 15.1, 15.2, 16.1, 16.2	Oracle Primavera Products Suite
Primavera Unifier, versions 9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1, 16.2	Oracle Primavera Products Suite
Java Advanced Management Console, version 2.6	Oracle Java SE
Oracle Java SE, versions 6u151, 7u141, 8u131	Oracle Java SE
Oracle Java SE Embedded, version 8u131	Oracle Java SE
Oracle JRockit, version R28.3.14	Oracle Java SE
Solaris, versions 10, 11	Oracle and Sun Systems Products Suite
Solaris Cluster, version 4	Oracle and Sun Systems Products Suite
Sun ZFS Storage Appliance Kit (AK), version AK 2013	Oracle and Sun Systems Products Suite
Oracle VM VirtualBox, versions prior to 5.1.24	Oracle Linux and Virtualization
MySQL Cluster, versions 7.3.5 and prior	Oracle MySQL Product Suite
MySQL Connectors, versions 5.3.7 and prior, 6.1.10 and prior	Oracle MySQL Product Suite
MySQL Enterprise Monitor, versions 3.1.5.7958 and prior, 3.2.5.1141 and prior, 3.2.7.1204 and prior, 3.3.2.1162 and prior, 3.3.3.1199 and prior	Oracle MySQL Product Suite
MySQL Server, versions 5.5.56 and prior, 5.6.36 and prior, 5.7.18 and prior	Oracle MySQL Product Suite
Oracle Explorer, versions prior to 8.16	Oracle Support Tools

Note:

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates (CPUs) and Solaris Third Party bulletins.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update July 2017 Availability Document, My Oracle Support Note 2261562.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Adam Willard of Blue Canopy: CVE-2017-10040
Antonio Sanso: CVE-2017-10176
Ary Dobrovolskiy of Citadel: CVE-2017-10119
Behzad Najjarpour Jabbari, Secunia Research at Flexera Software: CVE-2017-10141, CVE-2017-10196
CERT/CC: CVE-2017-10042
Che-Chun Kuo of Divergent Security: CVE-2017-10137
Daniel Bleichenbacher of Google: CVE-2017-10115, CVE-2017-10118
David Litchfield of Apple: CVE-2017-10120
Deniz Cevik of Biznet Bilisim A.S: CVE-2017-10063
Dmitrii Iudin aka @ret5et of ERPScan: CVE-2017-10106, CVE-2017-10146
Emiliano J. Fausto of Onapsis: CVE-2017-10192
Federico Dobal of Onapsis: CVE-2017-10192
Gaston Traberg of Onapsis: CVE-2017-10108, CVE-2017-10109, CVE-2017-10180
Hassan El Hadary - Secure Misr: CVE-2017-10181
Ilya Maykov: CVE-2017-10135
Jakub Palaczynski of ING Services Polska: CVE-2017-10025, CVE-2017-10028, CVE-2017-10029, CVE-2017-10030, CVE-2017-10156, CVE-2017-10157
James Forshaw: CVE-2017-10129, CVE-2017-10204
John Lightsey: CVE-2017-3636
Juan Pablo Perez Etchegoyen of Onapsis: CVE-2017-10244, CVE-2017-10245
Justin Ng of Spark: CVE-2017-10134
Li Qiang of the Qihoo 360 Gear Team: CVE-2017-10187, CVE-2017-10209, CVE-2017-10210, CVE-2017-10236, CVE-2017-10237, CVE-2017-10238, CVE-2017-10239, CVE-2017-10240, CVE-2017-10241, CVE-2017-10242
Luca Napolitano of Hewlett Packard Enterprise: CVE-2017-10058
Lucas Molas of Fundación Sadosky: CVE-2017-10235
Lukasz Mikula: CVE-2017-10059
Marcin Wołoszyn of ING Services Polska: CVE-2017-10024, CVE-2017-10030, CVE-2017-10035, CVE-2017-10043
Marcus Mengs: CVE-2017-10125
Marios Nicolaides of RUNESEC: CVE-2017-10046
Maris Elsins of Pythian: CVE-2017-3562
Matias Mevied of Onapsis: CVE-2017-10184, CVE-2017-10185, CVE-2017-10186, CVE-2017-10191
Mohit Rawat: CVE-2017-10041
Moritz Bechler: CVE-2017-10102, CVE-2017-10116
Or Hanuka of Motorola Solutions: CVE-2017-10038, CVE-2017-10131, CVE-2017-10149, CVE-2017-10150, CVE-2017-10160
Owais Mehtab of IS: CVE-2017-10075
Reno Robert: CVE-2017-10210, CVE-2017-10233, CVE-2017-10236, CVE-2017-10239, CVE-2017-10240
Roman Shalymov of ERPScan: CVE-2017-10061
Sarath Nair: CVE-2017-10246
Sean Gambles: CVE-2017-10025
Sergio Abraham of Onapsis: CVE-2017-10192
Shannon Hickey of Adobe: CVE-2017-10053
Sule Bekin of Turk Telekom: CVE-2017-10028
Takeshi Terada of Mitsui Bussan Secure Directions, Inc.: CVE-2017-10178
Tayeeb Rana of IS: CVE-2017-10075
Tzachy Horesh of Motorola Solutions: CVE-2017-10038, CVE-2017-10131, CVE-2017-10149, CVE-2017-10150, CVE-2017-10160
Tzachy Horesh of Palantir Security: CVE-2017-10092, CVE-2017-10093, CVE-2017-10094
Ubais PK of EY Global Delivery Services: CVE-2017-10073
Vahagn Vardanyan of ERPScan: CVE-2017-10147, CVE-2017-10148
Zuozhi Fan formerly of Alibaba: CVE-2017-3640, CVE-2017-3641

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program.:

Christopher Tarquini
Francis Alexander
Francisco Correa
George Argyros of Columbia University
Jesse Wilson of Square
Kexin Pei of Columbia University
Nick Bloor of NCC Group
Pham Van Khanh of Viettel Information Security Center
Prof. Angelos D. Keromytis of Columbia University
Prof. Suman Jana of Columbia University
Suphannee Sivakorn of Columbia University

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

Adam Willard of Blue Canopy
Adesh Nandkishor Kolte
Ahsan Khan
Amin Achour of Trading House
Ashish Gautam Kamble
Guifre Ruiz
Haider Kamal
Jolan Saluria
Muhammad Uwais
Nithin R
Pratik Luhana
Rodolfo Godalle Jr.
Sadik Shaikh of extremehacking.org
Willy Gaston Lindo

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

17 October 2017
16 January 2018
17 April 2018
17 July 2018

References

Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
Critical Patch Update - July 2017 Documentation Map [ My Oracle Support Note ]
Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
Risk Matrix definitions [ Risk Matrix Definitions ]
Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
English text version of the risk matrices [ Oracle Technology Network ]
CVRF XML version of the risk matrices [ Oracle Technology Network ]
The Oracle Software Security Assurance Blog [ The Oracle Software Security Assurance Blog ]
List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]

Modification History

Date	Note
2017-July-18	Rev 1. Initial Release.
2017-August-1	Rev 2. Credit Statement Update.
2017-August-9	Rev 3. Updated CVSS score for CVE-2017-10183.
2017-August-10	Rev 4. Added CVE-2017-10008 and CVE-2017-10064.

Appendix - Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle Database Server divided as follows:

4 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
1 new security fix for Oracle REST Data Services. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-10202	OJVM	Create Session, Create Procedure	Multiple	No	9.9	Network	Low	Low	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1	See Note 1
CVE-2014-3566	DBMS_LDAP	None	LDAP	Yes	6.8	Network	High	None	None	Changed	High	None	None	11.2.0.4, 12.1.0.2
CVE-2016-2183	Real Application Clusters	None	SSL/TLS	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	11.2.0.4, 12.1.0.2
CVE-2017-10120	RDBMS Security	Create Session, Select Any Dictionary	Oracle Net	No	1.9	Local	High	High	None	Un- changed	None	Low	None	12.1.0.2

Notes:

This score is for Windows platforms. On non-Windows platforms Scope is Unchanged, giving a CVSS Base Score of 8.8.

Oracle REST Data Services Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle REST Data Services. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle REST Data Services Risk Matrix

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-3092	Oracle REST Data Services	None	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to 3.0.10.25.02.36

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 44 new security fixes for Oracle Fusion Middleware. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the July 2017 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2017 Patch Availability Document for Oracle Products, My Oracle Support Note 2261562.1.

Oracle Fusion Middleware Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-10137	Oracle WebLogic Server	JNDI	HTTP	Yes	10.0	Network	Low	None	None	Changed	High	High	High	10.3.6.0, 12.1.3.0
CVE-2015-3253	Oracle Enterprise Data Quality	General (Apache Groovy)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.1.13.0.0
CVE-2015-5254	Oracle Enterprise Repository	Security Subsystem (Apache ActiveMQ)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.7.0, 12.1.3.0.0
CVE-2017-5638	Oracle WebLogic Server	Sample apps (Struts 2)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
CVE-2015-7501	Oracle Data Integrator	Studio	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0
CVE-2015-7501	Oracle Endeca Server	Core (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	7.6.0.0, 7.6.1.0
CVE-2015-7501	Oracle Enterprise Data Quality	General (Apache Commons Fileupload)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.1.13.0.0
CVE-2015-7501	Oracle Enterprise Repository	Security	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.1.3.0.0
CVE-2016-0635	Oracle Enterprise Repository	Security Subsystem	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.1.3.0.0
CVE-2016-2834	Oracle OpenSSO	Web Agents (NSS)	HTTPS	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	3.0.0.8
CVE-2016-2834	Oracle Traffic Director	Security (NSS)	HTTPS	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	11.1.1.7.0, 11.1.1.9.0
CVE-2015-7501	Oracle Tuxedo System and Applications Monitor	General (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	11.1.1.2.0, 11.1.1.2.1, 11.1.1.2.2, 12.1.1.1.0, 12.1.3.0.0
CVE-2016-0635	Oracle Tuxedo System and Applications Monitor	General (Spring)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	11.1.1.2.0, 11.1.1.2.1, 11.1.1.2.2, 12.1.1.1.0, 12.1.3.0.0, 12.2.2.0.0
CVE-2017-10147	Oracle WebLogic Server	Core Components	T3	Yes	8.6	Network	Low	None	None	Changed	None	None	High	10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
CVE-2017-10025	BI Publisher	BI Publisher Security	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	High	Low	None	11.1.1.7.0
CVE-2017-10043	BI Publisher	BI Publisher Security	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.7.0, 11.1.1.9.0
CVE-2017-10156	BI Publisher	BI Publisher Security	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
CVE-2017-10024	BI Publisher	Layout Tools	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.7.0
CVE-2017-10028	BI Publisher	Web Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.7.0
CVE-2017-10029	BI Publisher	Web Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.7.0
CVE-2017-10030	BI Publisher	Web Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.7.0
CVE-2017-10035	BI Publisher	Web Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.7.0, 11.1.1.9.0
CVE-2017-10048	Oracle Enterprise Repository	Web Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.7.0, 12.1.3.0.0
CVE-2017-10141	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	8.5.3.0
CVE-2017-10196	Oracle Outside In Technology	Outside In Filters	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	8.5.3.0
CVE-2017-10040	Oracle WebCenter Content	Content Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	Low	High	None	11.1.1.9.0, 12.2.1.1.0
CVE-2017-10075	Oracle WebCenter Content	Content Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
CVE-2017-10059	BI Publisher	Mobile Service	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	11.1.1.7.0
CVE-2017-10041	BI Publisher	Web Server	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
CVE-2017-10119	Oracle Service Bus	OSB Web Console Design, Admin	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	11.1.1.9.0
CVE-2016-3092	BI Publisher	Web Server (Apache Commons Fileupload)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
CVE-2015-7940	Oracle Enterprise Repository	Security Subsystem (Bouncy Castle)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3.0.0
CVE-2015-7940	Oracle Secure Enterprise Search	Generic (Bouncy Castle)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.2.2.2.0
CVE-2017-10058	Oracle Business Intelligence Enterprise Edition	Analytics Web Administration	HTTP	No	6.9	Network	Low	High	Required	Changed	Low	High	None	11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
CVE-2017-10157	BI Publisher	BI Publisher Security	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
CVE-2017-10178	Oracle WebLogic Server	Web Container	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
CVE-2017-3732	Oracle API Gateway	OAG (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	11.1.2.4.0
CVE-2017-3732	Oracle Endeca Server	Core (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.3.0.0, 7.4.0.0, 7.5.0.0, 7.5.1.0, 7.6.0.0, 7.6.1.0, 7.7.0.0
CVE-2017-3732	Oracle Tuxedo	SSL Module (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.1
CVE-2013-2027	Oracle WebLogic Server	WLST	None	No	5.9	Local	Low	None	None	Un- changed	Low	Low	Low	10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
CVE-2017-10148	Oracle WebLogic Server	Core Components	T3	Yes	5.8	Network	Low	None	None	Changed	None	Low	None	10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
CVE-2017-10063	Oracle WebLogic Server	Web Services	HTTP	Yes	4.8	Network	High	None	None	Un- changed	None	Low	Low	10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
CVE-2017-10123	Oracle WebLogic Server	Web Container	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.1.3.0
CVE-2014-3566	Oracle Endeca Server	Core (OpenSSL)	HTTPS	Yes	3.4	Network	High	None	Required	Changed	Low	None	None	7.4.0.0, 7.5.0.0, 7.5.1.0, 7.6.0.0, 7.6.1.0

Additional CVEs addressed are below:

The fix for CVE-2015-7501 also addresses CVE-2011-2730.
The fix for CVE-2015-7940 also addresses CVE-2015-7501, and CVE-2016-5019.
The fix for CVE-2016-2834 also addresses CVE-2016-1950, and CVE-2016-1979.
The fix for CVE-2017-3732 also addresses CVE-2016-7055, and CVE-2017-3731.

Appendix - Oracle Hyperion

Oracle Hyperion Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Hyperion. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Hyperion Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-0635	Hyperion Essbase	Java Based Agent (Spring)	Multiple	No	8.8	Network	Low	Low	None	Un- changed	High	High	High		See Note 1

Notes:

Fixed in all versions from 12.2.1.1 onward.

Appendix - Oracle Enterprise Manager Grid Control

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle Enterprise Manager Grid Control. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2017 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2017 Patch Availability Document for Oracle Products, My Oracle Support Note 2261562.1.

Oracle Enterprise Manager Grid Control Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-5387	Enterprise Manager Ops Center	Satellite Framework	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.2.2, 12.3.2
CVE-2016-1181	Oracle Application Testing Suite	Installation	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.5.0.2, 12.5.0.3
CVE-2017-10091	Enterprise Manager Base Platform	UI Framework	HTTP	No	7.7	Network	Low	Low	None	Changed	None	High	None	12.1.0, 13.1.0, 13.2.0
CVE-2015-7940	Oracle Business Transaction Management	Security	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.x, 12.1.x
CVE-2016-2381	Oracle Configuration Manager	Installation	Multiple	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	Prior to 12.1.2.0.4
CVE-2017-3732	Enterprise Manager Base Platform	Discovery Framework	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.0, 13.1.0, 13.2.0
CVE-2017-3732	Enterprise Manager Ops Center	Networking	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.2.2, 12.3.2
CVE-2016-3092	Enterprise Manager Ops Center	Hosted Framework	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	12.2.2, 12.3.2

Additional CVEs addressed are below:

The fix for CVE-2016-2381 also addresses CVE-2015-8607, and CVE-2015-8608.
The fix for CVE-2016-5387 also addresses CVE-2016-5385, CVE-2016-5386, and CVE-2016-5388.

Appendix - Oracle Applications

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 22 new security fixes for the Oracle E-Business Suite. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2017 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2017), My Oracle Support Note 2270270.1.

Some of the risk matrix rows in this section are assigned multiple CVE#s. In these cases, additional CVEs are listed below the risk matrix to improve readability. Each group of CVE identifiers share the same description, vulnerability type, Component, Sub-Component and affected versions listed in the risk matrix entry, but occur in different code sections within a Sub-Component.

Oracle E-Business Suite Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-10246	Oracle Application Object Library	iHelp	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10180	Oracle CRM Technical Foundation	CMRO	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10143	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10185	Oracle CRM Technical Foundation	User Management	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10113	Oracle Common Applications	CRM User Management Framework	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10170	Oracle Field Service	Wireless/WAP	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2017-10171	Oracle Marketing	Home Page	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10191	Oracle Web Analytics	Common Libraries	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10112	Oracle iStore	User Registration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10174	Oracle iSupport	Service Request	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10177	Oracle Application Object Library	Flexfields	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	12.2.6
CVE-2017-10130	Oracle iStore	User Management	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2016-6304	Application Server	OpenSSL	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.3
CVE-2017-10144	Oracle Applications Manager	Oracle Diagnostics Interfaces	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.3
CVE-2017-10245	Oracle General Ledger	Account Hierarchy Manager	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10179	Application Management Pack for Oracle E-Business Suite	User Monitoring	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	AMP 12.1.0.4.0, AMP 13.1.1.1.0
CVE-2017-3562	Oracle Applications DBA	AD Utilities	HTTP	No	6.5	Network	Low	High	None	Un- changed	High	High	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10244	Oracle Application Object Library	Attachments	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10184	Oracle Field Service	Wireless/WAP	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10192	Oracle iStore	Shopping Cart	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10186	Oracle iStore	User and Company Profile	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10175	Oracle iSupport	Profiles	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

Additional CVEs addressed are below:

The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, and CVE-2016-7052.

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 10 new security fixes for the Oracle Supply Chain Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-10039	Oracle Agile PLM	Web Client	HTTP	No	6.8	Network	Low	Low	Required	Changed	High	None	None	9.3.5, 9.3.6
CVE-2017-10052	Oracle Agile PLM	PCMServlet	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.3.5, 9.3.6
CVE-2017-10080	Oracle Agile PLM	Security	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.3.5, 9.3.6
CVE-2017-10082	Oracle Agile PLM	Security	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.3.5, 9.3.6
CVE-2017-10092	Oracle Agile PLM	Security	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.3.5, 9.3.6
CVE-2017-3732	Oracle Transportation Management	Apache Webserver	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	6.1, 6.2
CVE-2017-10094	Oracle Agile PLM	Security	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	9.3.5, 9.3.6
CVE-2017-10032	Oracle Transportation Management	Access Control List	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	6.3.4.1, 6.3.5.1, 6.3.6.1, 6.3.7.1, 6.4.0, 6.4.1, 6.4.2
CVE-2017-10093	Oracle Agile PLM	Security	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	9.3.5, 9.3.6
CVE-2017-10088	Oracle Agile PLM	Security	None	No	3.4	Local	Low	High	None	Un- changed	Low	Low	None	9.3.5, 9.3.6

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 30 new security fixes for Oracle PeopleSoft Products. 20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-10061	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	8.3	Network	Low	None	None	Changed	Low	Low	Low	8.54, 8.55
CVE-2017-10146	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	8.3	Network	Low	None	None	Changed	Low	Low	Low	8.54, 8.55
CVE-2017-10019	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	7.4	Network	Low	None	Required	Changed	High	None	None	8.54, 8.55
CVE-2017-10258	PeopleSoft Enterprise PRTL Interaction Hub	Add New Image	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0
CVE-2017-10257	PeopleSoft Enterprise PRTL Interaction Hub	Browse Folder Hierarchy	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0
CVE-2017-10215	PeopleSoft Enterprise PRTL Interaction Hub	EPPCM_DEFN_CATG	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0
CVE-2017-10248	PeopleSoft Enterprise PRTL Interaction Hub	EPPCM_HIER_TOP	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0
CVE-2017-10255	PeopleSoft Enterprise PRTL Interaction Hub	EPPCM_HIER_TOP	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0
CVE-2017-10256	PeopleSoft Enterprise PRTL Interaction Hub	EPPCM_HIER_TOP	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0
CVE-2017-10100	PeopleSoft Enterprise PRTL Interaction Hub	HTML Area	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0
CVE-2017-10126	PeopleSoft Enterprise PRTL Interaction Hub	HTML Area	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0
CVE-2017-10247	PeopleSoft Enterprise PRTL Interaction Hub	HTML Area	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0
CVE-2017-10070	PeopleSoft Enterprise PRTL Interaction Hub	Maintenance Folders	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.1.0
CVE-2017-10249	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.54, 8.55
CVE-2017-10021	PeopleSoft Enterprise PeopleTools	PIA Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.54, 8.55
CVE-2017-10253	PeopleSoft Enterprise PeopleTools	Pivot Grid	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.54, 8.55
CVE-2017-10106	PeopleSoft Enterprise PeopleTools	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.54, 8.55
CVE-2017-10017	PeopleSoft Enterprise PeopleTools	Workcenter	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.54, 8.55
CVE-2017-3731	PeopleSoft Enterprise PeopleTools	Security	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.54, 8.55
CVE-2017-10134	PeopleSoft Enterprise FSCM	eProcurement	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	9.2
CVE-2017-10057	PeopleSoft Enterprise PRTL Interaction Hub	Discussion Forum	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	9.1.0
CVE-2017-10027	PeopleSoft Enterprise PeopleTools	Fluid Homepage & Navigation	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	8.54, 8.55
CVE-2017-10045	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	5.3	Network	High	None	Required	Un- changed	High	None	None	8.54, 8.55
CVE-2017-10015	PeopleSoft Enterprise PeopleTools	Application Designer	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	8.54, 8.55
CVE-2017-10251	PeopleSoft Enterprise PeopleTools	Test Framework	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	8.54, 8.55
CVE-2017-10250	PeopleSoft Enterprise PeopleTools	Tuxedo	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	8.54, 8.55
CVE-2017-10020	PeopleSoft Enterprise PeopleTools	Updates Change Assistant	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	8.54, 8.55
CVE-2017-10252	PeopleSoft Enterprise PeopleTools	Updates Change Assistant	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	8.54, 8.55
CVE-2017-10018	PeopleSoft Enterprise FSCM	Strategic Sourcing	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	9.2
CVE-2017-10254	PeopleSoft Enterprise FSCM	Staffing Front Office	HTTP	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	9.2

Additional CVEs addressed are below:

The fix for CVE-2017-3731 also addresses CVE-2016-7055.

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Siebel CRM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-10049	Siebel Core CRM	Search	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	16.0, 17.0

Oracle Commerce Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Commerce. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Commerce Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-3732	Oracle Commerce Guided Search / Oracle Commerce Experience Manager	Platform Services	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	6.1.4, 11.0, 11.1, 11.2

Oracle iLearning Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle iLearning Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-10199	Oracle iLearning	Learner Pages	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	6.2

Appendix - Oracle Communications Applications

Oracle Communications Applications Executive Summary

This Critical Patch Update contains 11 new security fixes for Oracle Communications Applications. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-3253	Oracle Communications BRM	Elastic Charging Engine (Apache Groovy)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.2.0.0.0, 11.3.0.0.0
CVE-2015-0235	Oracle Communications Policy Management	Platform (GlibC)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.5
CVE-2015-7501	Oracle Communications BRM	Elastic Charging Engine (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	11.2.0.0.0
CVE-2016-0635	Oracle Communications BRM	Elastic Charging Engine (Spring)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	11.2.0.0.0, 11.3.0.0.0
CVE-2016-2107	Oracle Communications Session Router	Routing (OpenSSL)	TLS	Yes	8.2	Network	Low	None	None	Un- changed	Low	None	High	SCZ730, SCZ740, ECZ730
CVE-2016-2107	Oracle Enterprise Communications Broker	Routing (OpenSSL)	TLS	Yes	8.2	Network	Low	None	None	Un- changed	Low	None	High	PCZ210
CVE-2015-7940	Oracle Communications Convergence	Mail Proxy (Bouncy Castle)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	3.0, 3.0.1
CVE-2016-6304	Oracle Enterprise Session Border Controller	Routing (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	ECZ7.3.0
CVE-2017-10031	Oracle Communications Convergence	Mail Proxy (dojo)	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	Low	None	3.0, 3.0.1
CVE-2016-2107	Oracle Communications EAGLE LNP Application Processor	Platform (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	10.0
CVE-2017-3732	Oracle Communications Network Charging and Control	Common fns (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	4.4.1.5, 5.0.0.1, 5.0.0.2, 5.0.1.0, 5.0.2.0

Additional CVEs addressed are below:

The fix for CVE-2016-2107 also addresses CVE-2014-0224, CVE-2014-3571, CVE-2015-0286, CVE-2015-0286, CVE-2015-1788, CVE-2015-1788, CVE-2015-1789, CVE-2015-1789, CVE-2015-1790, CVE-2015-1790, CVE-2015-1791, CVE-2015-1791, CVE-2015-1792, CVE-2015-1792, CVE-2015-3195, CVE-2015-3195, CVE-2015-3197, CVE-2015-3197, CVE-2016-2105, CVE-2016-2105, CVE-2016-2106, CVE-2016-2106, CVE-2016-2108, CVE-2016-2108, CVE-2016-2109, and CVE-2016-2109.
The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, and CVE-2016-7052.

Appendix - Oracle Financial Services Applications

Oracle Financial Services Applications Executive Summary

This Critical Patch Update contains 20 new security fixes for Oracle Financial Services Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Financial Services Applications Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-0635	Financial Services Behavior Detection Platform	Admin Tool (Spring)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.0.1, 8.0.2
CVE-2016-3092	Oracle Banking Platform	Collections (Apache Commons FileUpload)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	2.3, 2.4, 2.4.1, 2.5
CVE-2017-10085	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
CVE-2017-10181	Oracle FLEXCUBE Direct Banking	Forgot Password	HTTP	No	6.8	Network	Low	Low	Required	Un- changed	Low	Low	High	12.0.2, 12.0.3
CVE-2017-10006	Oracle FLEXCUBE Private Banking	Miscellaneous	HTTP	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10103	Oracle FLEXCUBE Private Banking	Miscellaneous	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10023	Oracle FLEXCUBE Private Banking	Operations	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10084	Oracle FLEXCUBE Universal Banking	Report Generator	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
CVE-2017-10005	Oracle FLEXCUBE Private Banking	Miscellaneous	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10083	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
CVE-2017-10011	Oracle FLEXCUBE Private Banking	Miscellaneous	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10012	Oracle FLEXCUBE Private Banking	Operations	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10072	Oracle FLEXCUBE Universal Banking	All Modules	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
CVE-2017-10073	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
CVE-2017-10098	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
CVE-2017-10010	Oracle FLEXCUBE Private Banking	FileUploads	HTTP	No	4.6	Network	Low	Low	Required	Un- changed	Low	Low	None	2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10009	Oracle FLEXCUBE Private Banking	Miscellaneous	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10007	Oracle FLEXCUBE Private Banking	Miscellaneous	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10008	Oracle FLEXCUBE Private Banking	Miscellaneous	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10022	Oracle FLEXCUBE Private Banking	Operations	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10071	Oracle FLEXCUBE Universal Banking	All Modules	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0

Appendix - Oracle Hospitality Applications

Oracle Hospitality Applications Executive Summary

This Critical Patch Update contains 48 new security fixes for Oracle Hospitality Applications. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Hospitality Applications Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5689	MICROS PC Workstation 2015	BIOS (Intel AMT)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to O1302h	See Note 1
CVE-2017-5689	MICROS Workstation 650	BIOS (Intel AMT)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to E1500n	See Note 2
CVE-2017-10000	Oracle Hospitality Reporting and Analytics	Reporting	HTTP	No	7.7	Network	Low	Low	None	Changed	None	None	High	8.5.1, 9.0.0
CVE-2017-10232	Hospitality WebSuite8 Cloud Service	General	HTTP	No	7.6	Network	Low	Low	None	Un- changed	High	Low	Low	8.9.6, 8.10.x
CVE-2017-10001	Oracle Hospitality Simphony First Edition	Core	HTTP	No	7.6	Network	Low	Low	Required	Un- changed	High	Low	High	1.7.1
CVE-2017-10136	Oracle Hospitality Simphony	Import/Export	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	2.9
CVE-2017-10206	Oracle Hospitality Simphony	Engagement	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	2.9
CVE-2017-10226	Oracle Hospitality Cruise Fleet Management	Fleet Management System Suite	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	9.0
CVE-2017-10225	Oracle Hospitality RES 3700	OPS Operations	NA	No	7.0	Physical	High	Low	None	Changed	High	High	Low	5.5
CVE-2017-10216	Hospitality Property Interfaces	Parser	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.10.x
CVE-2017-10212	Hospitality Suite8	WebConnect	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.10.x
CVE-2017-10047	MICROS BellaVita	Interface	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	2.7.x
CVE-2017-10224	Oracle Hospitality Inventory Management	Inventory and Count Cycle	HTTP	No	6.4	Network	Low	Low	None	Changed	Low	Low	None	8.5.1, 9.0.0
CVE-2017-10076	Oracle Hospitality Simphony First Edition Venue Management	Core	HTTP	No	6.4	Network	Low	Low	None	Changed	Low	Low	None	3.9
CVE-2017-10211	Hospitality Suite8	WebConnect	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.10.x
CVE-2017-10128	Hospitality WebSuite8 Cloud Service	General	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.9.6, 8.10.x
CVE-2017-10064	Hospitality WebSuite8 Cloud Service	General	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.9.6, 8.10.x
CVE-2017-10097	Oracle Hospitality Reporting and Analytics	Reporting	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.5.1, 9.0.0
CVE-2017-10079	Oracle Hospitality Suites Management	Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.7
CVE-2017-10188	Hospitality Hotel Mobile	Suite 8/Android	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	1.01
CVE-2017-10189	Hospitality Suite8	Leisure	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	8.10.x
CVE-2017-10169	Oracle Hospitality 9700	Operation Security	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	4.0
CVE-2017-10056	Oracle Hospitality 9700	Property Management Systems	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	4.0
CVE-2017-10231	Oracle Hospitality Cruise AffairWhere	AWExport	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	2.2.05.062
CVE-2017-10219	Oracle Hospitality Guest Access	Base	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	4.2.0.0, 4.2.1.0
CVE-2017-10201	Oracle Hospitality e7	Other	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	4.2.1
CVE-2017-10230	Oracle Hospitality Cruise Dining Room Management	SilverWhere	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	8.0.75
CVE-2017-10229	Oracle Hospitality Cruise Materials Management	Event Viewer	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	7.30.562
CVE-2017-10228	Oracle Hospitality Cruise Shipboard Property Management System	Module	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	8.0.0.0
CVE-2017-10002	Oracle Hospitality Inventory Management	Settings and Config	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	8.5.1, 9.0.0
CVE-2017-10222	Oracle Hospitality Materials Control	Production Tool	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	8.31.4, 8.32.0
CVE-2017-10223	Oracle Hospitality Materials Control	Purchasing	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	8.31.4, 8.32.0
CVE-2017-10142	Oracle Hospitality Reporting and Analytics	Mobile Apps	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	8.5.1, 9.0.0
CVE-2017-10044	Oracle Hospitality Reporting and Analytics	Reporting	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	8.5.1, 9.0.0
CVE-2017-10207	Oracle Hospitality Simphony	Utilities	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	2.9
CVE-2017-10069	Oracle Payment Interface	Core	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	6.1.1
CVE-2017-10221	Oracle Hospitality RES 3700	OPS Operations	None	No	5.0	Local	High	Low	Required	Changed	Low	Low	Low	5.5
CVE-2017-10168	Hospitality Hotel Mobile	Suite 8/Windows	NA	No	4.6	Physical	High	Low	None	Un- changed	High	None	Low	1.1
CVE-2017-10182	Oracle Hospitality OPERA 5 Property Services	OPERA Export Functionality	HTTP	No	4.4	Network	High	High	None	Un- changed	High	None	None	5.4.0.x, 5.4.1.x, 5.4.3.x
CVE-2017-10200	Oracle Hospitality e7	Other	None	No	4.4	Local	Low	Low	None	Un- changed	Low	Low	None	4.2.1
CVE-2017-10133	Hospitality Hotel Mobile	Suite8/RestAPI	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	1.1
CVE-2017-10132	Hospitality Hotel Mobile	Suite8/iOS	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	1.05
CVE-2017-10217	Oracle Hospitality Guest Access	Base	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	4.2.0.0, 4.2.1.0
CVE-2017-10218	Oracle Hospitality Guest Access	Base	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	4.2.0.0, 4.2.1.0
CVE-2017-10205	Oracle Hospitality Simphony	Enterprise Management Console	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	2.9
CVE-2017-10195	Oracle Hospitality Simphony	Import/Export	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	2.8
CVE-2017-10208	Oracle Hospitality e7	Other	SMTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	4.2.1
CVE-2017-10220	Hospitality Property Interfaces	Parser	None	No	4.0	Local	Low	None	None	Un- changed	Low	None	None	8.10.x
CVE-2017-10213	Hospitality Suite8	WebConnect	None	No	4.0	Local	Low	None	None	Un- changed	Low	None	None	8.10.x

Notes:

MICROS PC Workstation 2015 systems with Intel ME firmware 6.2.61.3535 or later are not affected by this issue. See Patch Availability document for MICROS PC Workstation 2015 for identifying the Intel ME firmware version on this device.
MICROS Workstation 650 systems running Intel ME firmware 10.0.55.3000 or later are not affected by this issue. See Patch Availability document for MICROS Workstation 650 for identifying the Intel ME firmware version on this device.

Appendix - Oracle Retail Applications

Oracle Retail Applications Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle Retail Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Retail Applications Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5689	MICROS PC Workstation 2015	BIOS (Intel AMT)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to O1302h	See Note 1
CVE-2017-5689	MICROS Workstation 650	BIOS (Intel AMT)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to E1500n	See Note 2
CVE-2016-6814	Oracle Retail Allocation	Manage Allocation	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	13.3.1, 14.0.4, 14.1.3, 15.0.1, 16.0.1
CVE-2016-6814	Oracle Retail Customer Insights	ODI Configuration	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	15.0, 16.0
CVE-2017-10214	Oracle Retail Xstore Point of Service	Xstore Office	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	High	Low	None	6.0.x, 6.5.x, 7.0.x, 7.1.x, 15.0.x, 16.0.0
CVE-2016-3506	Oracle Retail Warehouse Management System	Installers	Oracle Net	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	14.0.4, 14.1.3, 15.0.1
CVE-2016-3506	Oracle Retail Workforce Management	Installation	Oracle Net	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	1.60.7, 1.64.0
CVE-2017-10183	Oracle Retail Xstore Point of Service	Point of Sale	HTTP	Yes	6.5	Network	High	None	None	Changed	Low	Low	Low	6.0.x, 6.5.x, 7.0.x, 7.1.x, 15.0.x, 16.0.0
CVE-2017-10172	Oracle Retail Open Commerce Platform	Framework	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 15.0, 15.1
CVE-2017-10173	Oracle Retail Open Commerce Platform	Website	HTTP	Yes	5.8	Network	Low	None	None	Changed	None	Low	None	5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 15.0, 15.1

Notes:

MICROS PC Workstation 2015 systems with Intel ME firmware 6.2.61.3535 or later are not affected by this issue. See Patch Availability document for MICROS PC Workstation 2015 for identifying the Intel ME firmware version on this device.
MICROS Workstation 650 systems running Intel ME firmware 10.0.55.3000 or later are not affected by this issue. See Patch Availability document for MICROS Workstation 650 for identifying the Intel ME firmware version on this device.

Appendix - Oracle Policy Automation

Oracle Policy Automation Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Policy Automation. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Policy Automation Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-3092	Oracle Policy Automation	Determinations Engine (Apache Commons FileUplaod)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3

Appendix - Oracle Primavera Products Suite

Oracle Primavera Products Suite Executive Summary

This Critical Patch Update contains 9 new security fixes for the Oracle Primavera Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Primavera Products Suite Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-6814	Primavera Gateway	Primavera Integration (Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2
CVE-2016-5019	Primavera P6 Enterprise Project Portfolio Management	Web Access (Apache Trinidad)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.3, 8.4, 15.1, 15.2
CVE-2015-0254	Primavera Gateway	Primavera Integration (Standard)	HTTP	No	6.5	Network	Low	Low	Required	Changed	Low	Low	Low	1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2
CVE-2017-10038	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	15.1, 15.2, 16.1, 16.2
CVE-2017-10131	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	6.5	Network	Low	Low	Required	Changed	Low	Low	Low	8.3, 8.4, 15.1, 15.2, 16.1, 16.2
CVE-2017-10046	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	8.3, 8.4, 15.1, 15.2, 16.1
CVE-2017-10149	Primavera Unifier	Platform	HTTP	No	4.8	Network	Low	High	Required	Changed	Low	Low	None	9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1, 16.2
CVE-2017-10160	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.3, 8.4, 15.1, 15.2, 16.1, 16.2
CVE-2017-10150	Primavera Unifier	Platform	HTTP	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1, 16.2

Appendix - Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 32 new security fixes for Oracle Java SE. 28 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Low" instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases.

Oracle Java SE Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-10110	Java SE	AWT	Multiple	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	Java SE: 6u151, 7u141, 8u131	See Note 1
CVE-2017-10089	Java SE	ImageIO	Multiple	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	Java SE: 6u151, 7u141, 8u131	See Note 1
CVE-2017-10086	Java SE	JavaFX	Multiple	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	Java SE: 7u141, 8u131	See Note 1
CVE-2017-10096	Java SE, Java SE Embedded	JAXP	Multiple	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131	See Note 1
CVE-2017-10101	Java SE, Java SE Embedded	JAXP	Multiple	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131	See Note 1
CVE-2017-10087	Java SE, Java SE Embedded	Libraries	Multiple	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131	See Note 1
CVE-2017-10090	Java SE, Java SE Embedded	Libraries	Multiple	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	Java SE: 7u141, 8u131; Java SE Embedded: 8u131	See Note 1
CVE-2017-10111	Java SE, Java SE Embedded	Libraries	Multiple	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	Java SE: 8u131; Java SE Embedded: 8u131	See Note 1
CVE-2017-10107	Java SE, Java SE Embedded	RMI	Multiple	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131	See Note 1
CVE-2017-10102	Java SE, Java SE Embedded	RMI	Multiple	Yes	9.0	Network	High	None	None	Changed	High	High	High	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131	See Note 2
CVE-2017-10114	Java SE	JavaFX	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u141, 8u131	See Note 1
CVE-2017-10074	Java SE, Java SE Embedded	Hotspot	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131	See Note 1
CVE-2017-10116	Java SE, Java SE Embedded, JRockit	Security	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14	See Note 3
CVE-2017-10078	Java SE	Scripting	Multiple	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	Java SE: 8u131	See Note 3
CVE-2017-10067	Java SE	Security	Multiple	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	Java SE: 6u151, 7u141, 8u131	See Note 1
CVE-2017-10115	Java SE, Java SE Embedded, JRockit	JCE	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14	See Note 3
CVE-2017-10118	Java SE, Java SE Embedded, JRockit	JCE	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	Java SE: 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14	See Note 3
CVE-2017-10176	Java SE, Java SE Embedded, JRockit	Security	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	Java SE: 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14	See Note 3
CVE-2017-10104	Java Advanced Management Console	Server	HTTP	No	7.4	Network	Low	Low	None	Changed	Low	Low	Low	Java Advanced Management Console: 2.6
CVE-2017-10145	Java Advanced Management Console	Server	Multiple	No	7.4	Network	Low	Low	None	Changed	Low	Low	Low	Java Advanced Management Console: 2.6
CVE-2017-10125	Java SE	Deployment	None	No	7.1	Physical	High	None	None	Changed	High	High	High	Java SE: 7u141, 8u131	See Note 4
CVE-2017-10198	Java SE, Java SE Embedded, JRockit	Security	Multiple	Yes	6.8	Network	High	None	None	Changed	High	None	None	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14	See Note 3
CVE-2017-10243	Java SE, Java SE Embedded, JRockit	JAX-WS	Multiple	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14	See Note 3
CVE-2017-10121	Java Advanced Management Console	Server	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	Java Advanced Management Console: 2.6
CVE-2017-10135	Java SE, Java SE Embedded, JRockit	JCE	Multiple	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14	See Note 3
CVE-2017-10117	Java Advanced Management Console	Server	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	Java Advanced Management Console: 2.6
CVE-2017-10053	Java SE, Java SE Embedded, JRockit	2D	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14	See Note 3
CVE-2017-10108	Java SE, Java SE Embedded, JRockit	Serialization	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14	See Note 3
CVE-2017-10109	Java SE, Java SE Embedded, JRockit	Serialization	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14	See Note 1
CVE-2017-10105	Java SE	Deployment	Multiple	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	Java SE: 6u151, 7u141, 8u131	See Note 1
CVE-2017-10081	Java SE, Java SE Embedded	Hotspot	Multiple	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131	See Note 1
CVE-2017-10193	Java SE, Java SE Embedded	Security	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131	See Note 1

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Applies to deployment of Java where the Java Auto Update is enabled.

Appendix - Oracle Sun Systems Products Suite

Oracle Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 11 new security fixes for the Oracle Sun Systems Products Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Sun Systems Products Suite Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-3632	Solaris	CDE Calendar	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10, 11	See Note 1
CVE-2017-10013	Sun ZFS Storage Appliance Kit (AK)	User Interface	HTTP	Yes	8.3	Network	High	None	Required	Changed	High	High	High	AK 2013
CVE-2017-10042	Solaris	IKE	IKE	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10, 11
CVE-2017-10036	Solaris	NFSv4	NFSv4	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10, 11
CVE-2017-10016	Sun ZFS Storage Appliance Kit (AK)	User Interface	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	AK 2013
CVE-2017-10234	Solaris Cluster	NAS device addition	None	No	7.3	Local	Low	Low	Required	Un- changed	High	High	High	4
CVE-2017-10004	Solaris	Kernel	None	No	6.7	Local	Low	High	None	Un- changed	High	High	High	10, 11
CVE-2017-10062	Solaris	Oracle Java Web Console	None	No	5.3	Local	Low	Low	None	Un- changed	Low	Low	Low	10
CVE-2017-10003	Solaris	Network Services Library	None	No	4.5	Local	High	Low	None	Un- changed	Low	Low	Low	10
CVE-2017-10095	Solaris	Kernel	None	No	3.3	Local	Low	None	Required	Un- changed	None	Low	None	11
CVE-2017-10122	Solaris	Kernel	None	No	1.8	Local	High	High	Required	Un- changed	None	Low	None	10, 11

Notes:

CVE-2017-3632 is assigned to the "EASYSTREET" vulnerability.

Appendix - Oracle Linux and Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 14 new security fixes for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-10204	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.1.24
CVE-2017-10129	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.1.24
CVE-2017-10210	Oracle VM VirtualBox	Core	None	No	7.3	Local	Low	High	None	Changed	Low	Low	High	Prior to 5.1.24
CVE-2017-10233	Oracle VM VirtualBox	Core	None	No	7.3	Local	Low	Low	None	Changed	None	Low	High	Prior to 5.1.24
CVE-2017-10236	Oracle VM VirtualBox	Core	None	No	7.3	Local	Low	High	None	Changed	Low	Low	High	Prior to 5.1.24
CVE-2017-10237	Oracle VM VirtualBox	Core	None	No	7.3	Local	Low	High	None	Changed	Low	Low	High	Prior to 5.1.24
CVE-2017-10238	Oracle VM VirtualBox	Core	None	No	7.3	Local	Low	High	None	Changed	Low	Low	High	Prior to 5.1.24
CVE-2017-10239	Oracle VM VirtualBox	Core	None	No	7.3	Local	Low	High	None	Changed	Low	Low	High	Prior to 5.1.24
CVE-2017-10240	Oracle VM VirtualBox	Core	None	No	7.3	Local	Low	High	None	Changed	Low	Low	High	Prior to 5.1.24
CVE-2017-10241	Oracle VM VirtualBox	Core	None	No	7.3	Local	Low	High	None	Changed	Low	Low	High	Prior to 5.1.24
CVE-2017-10242	Oracle VM VirtualBox	Core	None	No	7.3	Local	Low	High	None	Changed	Low	Low	High	Prior to 5.1.24
CVE-2017-10235	Oracle VM VirtualBox	Core	None	No	6.7	Local	Low	High	None	Changed	None	Low	High	Prior to 5.1.24
CVE-2017-10209	Oracle VM VirtualBox	Core	None	No	5.2	Local	Low	Low	None	Changed	Low	None	Low	Prior to 5.1.24
CVE-2017-10187	Oracle VM VirtualBox	Core	None	No	4.6	Local	Low	High	None	Changed	None	Low	Low	Prior to 5.1.24

Appendix - Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 30 new security fixes for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-4436	MySQL Enterprise Monitor	Monitor: General (Apache Struts 2)	HTTP over TLS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.1.5.7958 and earlier, 3.2.5.1141 and earlier, 3.3.2.1162 and earlier,
CVE-2017-5651	MySQL Enterprise Monitor	Monitoring: Server (Apache Tomcat)	HTTP over TLS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.2.7.1204 and earlier, 3.3.3.1199 and earlier
CVE-2017-5647	MySQL Enterprise Monitor	Monitoring: Server (Apache Tomcat)	HTTP over TLS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	3.3.3.1199 and earlier
CVE-2017-3633	MySQL Server	Server: Memcached	Memcached	Yes	6.5	Network	High	None	None	Un- changed	None	Low	High	5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3634	MySQL Server	Server: DML	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3732	MySQL Connectors	Connector/C (OpenSSL)	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	6.1.9 and earlier
CVE-2017-3732	MySQL Connectors	Connector/ODBC (OpenSSL)	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.3.7 and earlier
CVE-2017-3732	MySQL Server	Server: Security: Encryption (OpenSSL)	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.6.35 and earlier, 5.7.17 and earlier
CVE-2017-3635	MySQL Connectors	Connector/C	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	6.1.10 and earlier	See Note 1
CVE-2017-3635	MySQL Server	C API	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier	See Note 1
CVE-2017-3636	MySQL Server	Client programs	MySQL Protocol	No	5.3	Local	Low	Low	None	Un- changed	Low	Low	Low	5.5.56 and earlier, 5.6.36 and earlier
CVE-2017-3529	MySQL Server	Server: UDF	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.7.18 and earlier
CVE-2017-3637	MySQL Server	X Plugin	X Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.7.18 and earlier
CVE-2017-3639	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.18 and earlier
CVE-2017-3640	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.18 and earlier
CVE-2017-3641	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3643	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.18 and earlier
CVE-2017-3644	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.18 and earlier
CVE-2017-3638	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.18 and earlier
CVE-2017-3642	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.18 and earlier
CVE-2017-3645	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.18 and earlier
CVE-2017-3646	MySQL Server	X Plugin	X Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.16 and earlier
CVE-2014-1912	MySQL Cluster	CLSTCONF (Python)	MySQL Protocol	Yes	4.8	Network	High	None	None	Un- changed	None	Low	Low	7.3.5 and earlier
CVE-2017-3648	MySQL Server	Server: Charsets	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3647	MySQL Server	Server: Replication	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3649	MySQL Server	Server: Replication	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3651	MySQL Server	Client mysqldump	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	None	Low	None	5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3652	MySQL Server	Server: DDL	MySQL Protocol	No	4.2	Network	High	Low	None	Un- changed	Low	Low	None	5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3650	MySQL Server	C API	MySQL Protocol	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	5.7.18 and earlier
CVE-2017-3653	MySQL Server	Server: DDL	MySQL Protocol	No	3.1	Network	High	Low	None	Un- changed	None	Low	None	5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier

Notes:

The documentation has also been updated for the correct way to use mysql_stmt_close(). Please see:
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-execute.html,
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-fetch.html,
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html,
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-error.html,
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-errno.html, and
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-sqlstate.html

Additional CVEs addressed are below:

The fix for CVE-2016-4436 also addresses CVE-2016-4430, CVE-2016-4431, CVE-2016-4433, CVE-2016-4438, and CVE-2016-4465.
The fix for CVE-2017-3732 also addresses CVE-2016-7055, and CVE-2017-3731.
The fix for CVE-2017-5651 also addresses CVE-2017-5650.

Appendix - Oracle Support Tools

Oracle Support Tools Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Support Tools. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Support Tools Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-3732	Oracle Explorer	Tools (OpenSSL)	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Prior to 8.16

Oracle Account

Oracle Account

Cloud Account