This is a placeholder for the Critical Patch Update of April, 2016, that provides CVSS V2 versions of the Risk Matrix Appendices for all vulnerabilities whose fixes were included in the Oracle Critical Patch Update for April, 2016.
The main Advisory for Oracle Critical Patch Update Release April, 2016 can be found here.
Note that the Oracle Critical Patch Update Advisory for April 2016 is the only Oracle Critical Patch Update Advisory that includes both CVSS V2 and CVSS V3 scoring; future Oracle Security Alerts and Oracle Critical Patch Update Advisories will not contain CVSS V2 information.
This Critical Patch Update contains 5 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
Please note that the Oracle Critical Patch Update Advisory for January 2016 was updated post release to clarify that CVE-2015-4923 is applicable to client-only installations. Database customers are strongly advised to apply the patches released in CPUJan2016 or later to their client-only installations.
CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2016-3454 | Java VM | Multiple | None | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | 11.2.0.4, 12.1.0.1, 12.1.0.2 | See Note 1 |
CVE-2016-0681 | Oracle OLAP | Oracle Net | Execute on DBMS_AW | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
CVE-2016-0677 | RDBMS Security | Kerberos | None | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 12.1.0.1, 12.1.0.2 | |
CVE-2016-0690 | RDBMS Security | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | None | Partial | None | 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
CVE-2016-0691 | RDBMS Security | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | None | Partial | None | 11.2.0.4, 12.1.0.1, 12.1.0.2 |
This Critical Patch Update contains 22 new security fixes for Oracle Fusion Middleware. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2016 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2016 Patch Availability Document for Oracle Products, My Oracle Support Note 2102148.1.
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2016-3455 | Oracle Outside In Technology | Multiple | Outside In Filters | Yes | 9.0 | Network | Low | None | Complete | Partial | Partial | 8.5.0, 8.5.1, 8.5.2 | See Note 1 |
CVE-2015-7182 | Oracle GlassFish Server | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 2.1.1 | |
CVE-2015-7182 | Oracle OpenSSO | HTTPS | Web Agents | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 3.0-0.7 | |
CVE-2015-7182 | Oracle Traffic Director | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.1.1.7.0, 11.1.1.9.0 | |
CVE-2015-3253 | Oracle WebCenter Sites | Multiple | Sites | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.1.1.8.0, 12.2.1 | |
CVE-2016-0638 | Oracle WebLogic Server | JMS | Java Messaging Service | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 10.3.6, 12.1.2, 12.1.3, 12.2.1 | |
CVE-2015-7182 | Oracle iPlanet Web Proxy Server | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 4.0 | |
CVE-2015-7182 | Oracle iPlanet Web Server | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 7.0 | |
CVE-2015-7547 | Oracle Exalogic Infrastructure | Multiple | Base Image | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 1.0, 2.0 | |
CVE-2016-0696 | Oracle WebLogic Server | HTTP | Console | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 10.3.6 | |
CVE-2016-0479 | Oracle Business Intelligence Enterprise Edition | HTTP | Analytics Scorecard | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0 | |
CVE-2015-3195 | Oracle API Gateway | HTTPS | OAG | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.1.2.3.0, 11.1.2.4.0 | |
CVE-2014-3576 | Oracle BI Publisher | Multiple | Security | Yes | 5.0 | Network | Low | None | None | None | Partial | 12.2.1.0.0 | |
CVE-2015-3195 | Oracle Exalogic Infrastructure | HTTPS | Network Infra Framework | Yes | 5.0 | Network | Low | None | None | None | Partial | 1.0, 2.0 | |
CVE-2015-3197 | Oracle Exalogic Infrastructure | HTTPS | Base Image | Yes | 4.3 | Network | Medium | None | Partial+ | None | None | 1.0, 2.0 | |
CVE-2015-3197 | Oracle Tuxedo | HTTPS | Open SSL | Yes | 4.3 | Network | Medium | None | Partial | None | None | 12.1.1.0 | |
CVE-2016-0675 | Oracle WebLogic Server | HTTP | Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.3.6, 12.1.2, 12.1.3 | |
CVE-2016-0700 | Oracle WebLogic Server | HTTP | Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.3.6, 12.1.2, 12.1.3 | |
CVE-2016-3416 | Oracle WebLogic Server | HTTP | Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.3.6, 12.1.2, 12.1.3, 12.2.1 | |
CVE-2016-0468 | Oracle Business Intelligence Enterprise Edition | HTTP | Analytics Web General | No | 3.5 | Network | Medium | Single | None | Partial | None | 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0 | |
CVE-2016-0671 | Oracle HTTP Server | HTTPS | OSSL Module | Yes | 2.6 | Network | High | None | Partial | None | None | 12.1.2.0 | |
CVE-2016-0688 | Oracle WebLogic Server | HTTP | Core Components | Yes | 2.6 | Network | High | None | None | Partial | None | 10.3.6, 12.1.2, 12.1.3 |
This Critical Patch Update contains 2 new security fixes for Oracle Enterprise Manager Grid Control. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.
Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2016 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2016 Patch Availability Document for Oracle Products, My Oracle Support Note 2102148.1.
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2015-7501 | Oracle Application Testing Suite | HTTPS | Install | No | 8.5 | Network | Medium | Single | Complete | Complete | Complete | 12.4.0.2, 12.5.0.2 | |
CVE-2015-3197 | OSS Support Tools Oracle Explorer | HTTPS | Binaries | Yes | 4.3 | Network | Medium | None | Partial | None | None | 8.11.16.3.8 |
This Critical Patch Update contains 7 new security fixes for the Oracle E-Business Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2016 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (April 2016), My Oracle Support Note 2113110.1.
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2016-3466 | Oracle Field Service | HTTP | Wireless | Yes | 6.4 | Network | Low | None | Partial+ | Partial+ | None | 12.1.1, 12.1.2, 12.1.3 | |
CVE-2016-3434 | Oracle Application Object Library | HTTP | Logout | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5 | |
CVE-2016-3439 | Oracle CRM Wireless | HTTP | Call Phone Number Page | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.3 | |
CVE-2016-3437 | Oracle CRM Wireless | HTTP | Person Address Page | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.3 | |
CVE-2016-3436 | Oracle Common Applications Calendar | HTTP | Tasks | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.1, 12.1.2, 12.1.3 | |
CVE-2016-0697 | Oracle Application Object Library | Oracle Net | DB Privileges | No | 3.6 | Network | High | Single | Partial+ | Partial+ | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5 | |
CVE-2016-3447 | Oracle Applications Framework | HTTP | OAF Core | Yes | 2.6 | Network | High | None | None | Partial | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5 |
This Critical Patch Update contains 6 new security fixes for the Oracle Supply Chain Products Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2016-3438 | Oracle Configurator | HTTP | JRAD Heartbeat | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 12.1, 12.2 | |
CVE-2015-3195 | Oracle Transportation Management | HTTPS | Install | Yes | 5.0 | Network | Low | None | None | None | Partial | 6.1, 6.2 | |
CVE-2016-3456 | Oracle Complex Maintenance, Repair, and Overhaul | HTTP | Dialog Box | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.1, 12.1.2, 12.1.3 | |
CVE-2016-3420 | Oracle Agile PLM | HTTP | Security | No | 3.6 | Network | High | Single | Partial | Partial | None | 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3 | |
CVE-2016-3431 | Oracle Agile PLM | HTTP | Security | No | 3.6 | Network | High | Single | Partial | Partial | None | 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3 | |
CVE-2016-3428 | Oracle Agile Engineering Data Management | ECI (Proprietary EDM Protocol) | Engineering Communication Interface | No | 1.8 | Adjacent Network | High | None | None | None | Partial | 6.1.3.0, 6.2.0.0 |
This Critical Patch Update contains 15 new security fixes for Oracle PeopleSoft Products. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2016-3421 | PeopleSoft Enterprise PeopleTools | HTTP | Activity Guide | No | 6.5 | Network | Low | Single | Partial | Partial | Partial | 8.53, 8.54, 8.55 | |
CVE-2016-3460 | PeopleSoft Enterprise HCM | HTTP | ePerformance | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.2 | |
CVE-2016-3457 | PeopleSoft Enterprise HCM ePerformance | HTTP | Security | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.2 | |
CVE-2016-0685 | PeopleSoft Enterprise PeopleTools | HTTP | File Processing | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.53, 8.54, 8.55 | |
CVE-2016-0679 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Grids | No | 5.5 | Network | Low | Single | None | Partial+ | Partial+ | 8.53, 8.54, 8.55 | |
CVE-2016-0680 | PeopleSoft Enterprise SCM | HTTP | Services Procurement | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.1, 9.2 | |
CVE-2016-3435 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | Yes | 5.0 | Network | Low | None | None | None | Partial | 8.53, 8.54, 8.55 | |
CVE-2016-0408 | PeopleSoft Enterprise PeopleTools | HTTP | Activity Guide | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.53, 8.54, 8.55 | |
CVE-2016-3417 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Search Functionality | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.53, 8.54, 8.55 | |
CVE-2016-3442 | PeopleSoft Enterprise PeopleTools | HTTP | Portal | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.53, 8.54, 8.55 | |
CVE-2016-0698 | PeopleSoft Enterprise PeopleTools | HTTP | Rich Text Editor | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.53, 8.54, 8.55 | |
CVE-2015-3197 | PeopleSoft Enterprise PeopleTools | HTTPS | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | 8.53, 8.54, 8.55 | |
CVE-2016-0407 | PeopleSoft Enterprise HCM | HTTP | Fusion HR Talent Integration | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1, 9.2 | |
CVE-2016-0683 | PeopleSoft Enterprise PeopleTools | HTTP | Search Framework | No | 4.0 | Network | Low | Single | None | Partial | None | 8.53, 8.54, 8.55 | |
CVE-2016-3423 | PeopleSoft Enterprise PeopleTools | HTTP | Rich Text Editor | No | 3.5 | Network | Medium | Single | None | Partial | None | 8.53, 8.54, 8.55 |
This Critical Patch Update contains 1 new security fix for Oracle JD Edwards Products. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2015-1793 | JD Edwards EnterpriseOne Tools | HTTP | OneWorld Tools Security | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 9.1, 9.2 |
This Critical Patch Update contains 2 new security fixes for Oracle Siebel CRM. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2016-0673 | Siebel UI Framework | HTTP | UIF Open UI | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.1.1, 8.2.2 | |
CVE-2016-0674 | Siebel Core - Common Components | HTTP | | No | 3.2 | Local | Low | Single | Partial | Partial | None | 8.1.1, 8.2.2 |
This Critical Patch Update contains 1 new security fix for Oracle Communications Applications. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2014-2532 | Oracle Communications User Data Repository | OpenSSH | Security | No | 4.9 | Network | Medium | Single | Partial | Partial | None | 10.0.1 |
This Critical Patch Update contains 3 new security fixes for Oracle Retail Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2016-0684 | Oracle Retail MICROS ARS POS | Oracle Net | POS | No | 6.8 | Network | Low | Single | Complete | None | None | 1.5 | |
CVE-2016-3429 | Oracle Retail Xstore Point of Service | HTTP | Xstore Services | No | 5.4 | Local | Medium | None | Complete | Partial | None | 5.0, 5.5, 6.0, 6.5, 7.0, 7.1 | |
CVE-2016-0469 | Oracle Retail MICROS C2 | HTTPS | POS | No | 4.6 | Local | Low | Single | Complete | None | None | 9.89.0.0 |
This Critical Patch Update contains 1 new security fix for Oracle Health Sciences Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2015-3195 | Oracle Life Sciences Data Hub | HTTPS | Open SSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 2.1 |
This Critical Patch Update contains 4 new security fixes for Oracle Financial Services Software. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2016-0699 | Oracle FLEXCUBE Direct Banking | HTTP | Login | Yes | 9.4 | Network | Low | None | Complete | Complete | None | 12.0.2, 12.0.3 | |
CVE-2016-0672 | Oracle FLEXCUBE Direct Banking | HTTP | Pre-Login | Yes | 5.0 | Network | Low | None | Partial | None | None | 12.0.2, 12.0.3 | |
CVE-2016-3463 | Oracle FLEXCUBE Direct Banking | HTTP | Pre-Login | Yes | 5.0 | Network | Low | None | Partial | None | None | 12.0.3 | |
CVE-2016-3464 | Oracle FLEXCUBE Direct Banking | HTTP | Accounts | No | 4.0 | Network | Low | Single | Partial | None | None | 12.0.3 |
This Critical Patch Update contains 9 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.
Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.
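As an added worked example (not part of the Oracle advisory), the following Python encodes the CVSS v2 base equation, reproduces the 10.0 to 7.5 downgrade described above for a user without administrator privileges, and recomputes the Base Score of a risk-matrix row from its metric columns so that a mistyped score can be caught. The metric weights are those of the CVSS v2 specification; the sample rows are copied from the matrices on this page, and "Partial+" (Oracle's annotation) is scored as Partial.

```python
"""CVSS v2 base-score check for Oracle risk-matrix rows (added example)."""
import math

# Metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
# Oracle writes "Partial+" for a Partial impact with wider consequences;
# CVSS v2 has no such level, so it is scored as Partial.
IMPACT = {"None": 0.0, "Partial": 0.275, "Partial+": 0.275, "Complete": 0.660}


def round_to_1_decimal(x: float) -> float:
    """CVSS v2 rounding: one decimal place, halves rounded up."""
    return math.floor(x * 10 + 0.5) / 10


def base_score(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """CVSS v2 base equation, taking the six base metrics as matrix cell text."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    return round_to_1_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def non_admin_score(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """Rescore as the Java SE note describes: without administrator privileges
    each impact metric is at most Partial, so Complete is capped to Partial."""
    cap = {m: ("Partial" if m == "Complete" else m) for m in (c, i, a)}
    return base_score(av, ac, au, cap[c], cap[i], cap[a])


def parse_row(line: str) -> dict:
    """Split one pipe-separated risk-matrix row into its scoring columns.
    Only the first twelve columns are needed; versions and notes are ignored."""
    cells = [cell.strip() for cell in line.split("|")]
    keys = ("cve", "component", "protocol", "subcomponent", "remote", "base",
            "av", "ac", "au", "c", "i", "a")
    row = dict(zip(keys, cells))
    row["base"] = float(row["base"])
    return row


def recompute(line: str) -> tuple:
    """Return (CVE, stated Base Score, Base Score recomputed from the metrics)."""
    r = parse_row(line)
    return r["cve"], r["base"], base_score(r["av"], r["ac"], r["au"], r["c"], r["i"], r["a"])


def inconsistent_rows(lines) -> list:
    """CVEs whose stated Base Score does not match their metric columns."""
    return [cve for cve, stated, computed in map(recompute, lines) if stated != computed]


# Rows copied from the matrices on this page (Java SE, Database, Supply Chain, MySQL).
SAMPLE_ROWS = [
    "CVE-2016-3443 | Java SE | Multiple | 2D | Yes | 10.0 | Network | Low | None | "
    "Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77 | See Note 1 |",
    "CVE-2016-3454 | Java VM | Multiple | None | Yes | 7.6 | Network | High | None | "
    "Complete | Complete | Complete | 11.2.0.4, 12.1.0.1, 12.1.0.2 | See Note 1 |",
    "CVE-2016-3428 | Oracle Agile Engineering Data Management | ECI (Proprietary EDM Protocol) | "
    "Engineering Communication Interface | No | 1.8 | Adjacent Network | High | None | "
    "None | None | Partial | 6.1.3.0, 6.2.0.0 |",
    "CVE-2016-3461 | MySQL Enterprise Monitor | Multiple | Monitoring: Server | No | 4.3 | "
    "Network | High | Multiple | Partial+ | Partial+ | Partial+ | 3.0.25 and earlier, 3.1.2 and earlier | |",
]

if __name__ == "__main__":
    for line in SAMPLE_ROWS:
        print(recompute(line))
    print("Java SE 10.0 rescored for a non-administrator user:",
          non_admin_score("Network", "Low", "None", "Complete", "Complete", "Complete"))
    print("rows with a mismatched score:", inconsistent_rows(SAMPLE_ROWS))
```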
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2016-3443 | Java SE | Multiple | 2D | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77 | See Note 1 |
CVE-2016-0687 | Java SE, Java SE Embedded | Multiple | Hotspot | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77 | See Note 1 |
CVE-2016-0686 | Java SE, Java SE Embedded | Multiple | Serialization | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77 | See Note 1 |
CVE-2016-3427 | Java SE, Java SE Embedded, JRockit | Multiple | JMX | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9 | See Note 2 |
CVE-2016-3449 | Java SE | Multiple | Deployment | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77 | See Note 1 |
CVE-2016-3422 | Java SE | Multiple | 2D | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE: 6u113, 7u99, 8u77 | See Note 1 |
CVE-2016-3425 | Java SE, Java SE Embedded, JRockit | Multiple | JAXP | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9 | See Note 2 |
CVE-2016-3426 | Java SE, Java SE Embedded | Multiple | JCE | Yes | 4.3 | Network | Medium | None | Partial | None | None | Java SE: 8u77; Java SE Embedded: 8u77 | See Note 1 |
CVE-2016-0695 | Java SE, Java SE Embedded, JRockit | Multiple | Security | Yes | 2.6 | Network | High | None | Partial | None | None | Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9 | See Note 3 |
This Critical Patch Update contains 18 new security fixes for the Oracle Sun Systems Products Suite. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2016-0693 | Solaris | Multiple | PAM LDAP module | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 10, 11.3 | |
CVE-2013-4786 | Fujitsu M10-1, M10-4, M10-4S Servers | IPMI | XCP Firmware | Yes | 7.8 | Network | Low | None | Complete | None | None | XCP prior to XCP2290 | |
CVE-2016-3441 | Solaris | None | Filesystem | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 10, 11.3 | |
CVE-2015-7547 | Fujitsu M10-1, M10-4, M10-4S Servers | Multiple | XCP Firmware | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | XCP prior to XCP2290 | |
CVE-2015-1793 | Oracle Ethernet Switch ES2-72, Oracle Ethernet Switch ES2-64 | HTTPS | Firmware | Yes | 6.4 | Network | Low | None | Partial | Partial | None | Versions prior to 2.0.0.6 | |
CVE-2015-3238 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | Multiple | XCP Firmware | Yes | 5.8 | Network | Medium | None | Partial | None | Partial | XCP prior to XCP 1121 | |
CVE-2016-0669 | Solaris | None | Fwflash | No | 5.2 | Local | Low | Single | None | Partial | Complete | 11.3 | |
CVE-2015-7236 | Solaris | RPC | Utilities | Yes | 5.0 | Network | Low | None | None | None | Partial | 10, 11.3 | |
CVE-2011-4461 | Sun Storage Common Array Manager | HTTP | Jetty Web Server | Yes | 5.0 | Network | Low | None | None | None | Partial | 6.9.0 | |
CVE-2016-3462 | Solaris | None | Network Configuration Service | No | 4.9 | Local | Low | None | None | None | Complete | 11.3 | |
CVE-2016-3465 | Solaris | None | ZFS | No | 4.9 | Local | Low | None | None | None | Complete | 10, 11.3 | |
CVE-2013-2566 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | HTTPS | XCP Firmware | Yes | 4.3 | Network | Medium | None | Partial | None | None | XCP prior to XCP 1121 | |
CVE-2015-4000 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | HTTPS | XCP Firmware | Yes | 4.3 | Network | Medium | None | None | Partial | None | XCP prior to XCP 1121 | |
CVE-2015-1789 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | HTTPS | XCP Firmware | Yes | 4.3 | Network | Medium | None | None | None | Partial | XCP prior to XCP 1121 | |
CVE-2016-0623 | Solaris | Multiple | Automated Installer | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.3 | |
CVE-2014-3566 | Solaris Cluster | HTTPS | GlassFish Server | Yes | 4.3 | Network | Medium | None | Partial | None | None | 4.2 | |
CVE-2016-0676 | Solaris | None | Kernel | No | 4.0 | Local | High | None | None | None | Complete | 10 | |
CVE-2016-3419 | Solaris | None | Filesystem | No | 2.1 | Local | Low | None | None | None | Partial+ | 10, 11.3 |
This Critical Patch Update contains 4 new security fixes for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2015-3195 | Oracle VM VirtualBox | HTTPS | Core | Yes | 5.0 | Network | Low | None | None | None | Partial | VirtualBox prior to 4.3.36, prior to 5.0.14 | |
CVE-2015-3195 | Sun Ray Software | HTTPS | Sun Ray Server Software | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.1 | |
CVE-2015-3197 | Oracle VM VirtualBox | HTTPS | Core | Yes | 4.3 | Network | Medium | None | Partial | None | None | VirtualBox prior to 5.0.16 | |
CVE-2016-0678 | Oracle VM VirtualBox | None | Core | No | 4.1 | Local | Medium | Single | Partial+ | Partial+ | Partial+ | VirtualBox prior to 5.0.18 |
This Critical Patch Update contains 31 new security fixes for Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2016-0705 | MySQL Server | MySQL Protocol | Server: Packaging | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 5.6.29 and earlier, 5.7.11 and earlier | |
CVE-2016-0639 | MySQL Server | MySQL Protocol | Server: Pluggable Authentication | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 5.6.29 and earlier, 5.7.11 and earlier | |
CVE-2015-3194 | MySQL Server | MySQL Protocol | Server: Security: Encryption | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 5.6.28 and earlier, 5.7.10 and earlier | |
CVE-2016-0640 | MySQL Server | MySQL Protocol | Server: DML | No | 4.9 | Network | Medium | Single | None | Partial | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | |
CVE-2016-0641 | MySQL Server | MySQL Protocol | Server: MyISAM | No | 4.9 | Network | Medium | Single | Partial | None | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | |
CVE-2016-3461 | MySQL Enterprise Monitor | Multiple | Monitoring: Server | No | 4.3 | Network | High | Multiple | Partial+ | Partial+ | Partial+ | 3.0.25 and earlier, 3.1.2 and earlier | |
CVE-2016-2047 | MySQL Server | MySQL Protocol | Server: Connection Handling | Yes | 4.3 | Network | Medium | None | None | Partial | None | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | |
CVE-2016-0642 | MySQL Server | MySQL Protocol | Server: Federated | No | 4.3 | Network | Medium | Multiple | None | Partial | Partial+ | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | |
CVE-2016-0643 | MySQL Server | MySQL Protocol | Server: DML | No | 4.0 | Network | Low | Single | Partial | None | None | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | |
CVE-2016-0644 | MySQL Server | MySQL Protocol | Server: DDL | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | |
CVE-2016-0646 | MySQL Server | MySQL Protocol | Server: DML | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | |
CVE-2016-0647 | MySQL Server | MySQL Protocol | Server: FTS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | |
CVE-2016-0648 | MySQL Server | MySQL Protocol | Server: PS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | |
CVE-2016-0649 | MySQL Server | MySQL Protocol | Server: PS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | |
CVE-2016-0650 | MySQL Server | MySQL Protocol | Server: Replication | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | |
CVE-2016-0652 | MySQL Server | MySQL Protocol | Server: DML | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | |
CVE-2016-0653 | MySQL Server | MySQL Protocol | Server: FTS | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | |
CVE-2016-0654 | MySQL Server | MySQL Protocol | Server: InnoDB | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | |
CVE-2016-0655 | MySQL Server | MySQL Protocol | Server: InnoDB | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.29 and earlier, 5.7.11 and earlier | |
CVE-2016-0656 | MySQL Server | MySQL Protocol | Server: InnoDB | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | |
CVE-2016-0657 | MySQL Server | MySQL Protocol | Server: JSON | No | 3.5 | Network | Medium | Single | Partial | None | None | 5.7.11 and earlier | |
CVE-2016-0658 | MySQL Server | MySQL Protocol | Server: Optimizer | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | |
CVE-2016-0651 | MySQL Server | MySQL Protocol | Server: Optimizer | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.5.46 and earlier | |
CVE-2016-0659 | MySQL Server | MySQL Protocol | Server: Optimizer | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.11 and earlier | |
CVE-2016-0661 | MySQL Server | MySQL Protocol | Server: Options | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.28 and earlier, 5.7.10 and earlier | |
CVE-2016-0662 | MySQL Server | MySQL Protocol | Server: Partition | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.11 and earlier | |
CVE-2016-0663 | MySQL Server | MySQL Protocol | Server: Performance Schema | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | |
CVE-2016-0665 | MySQL Server | MySQL Protocol | Server: Security: Encryption | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.28 and earlier, 5.7.10 and earlier | |
CVE-2016-0666 | MySQL Server | MySQL Protocol | Server: Security: Privileges | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | |
CVE-2016-0667 | MySQL Server | MySQL Protocol | Server: Locking | No | 2.8 | Network | Medium | Multiple | None | None | Partial+ | 5.7.11 and earlier | |
CVE-2016-0668 | MySQL Server | MySQL Protocol | Server: InnoDB | No | 1.7 | Network | High | Multiple | None | None | Partial+ | 5.6.28 and earlier, 5.7.10 and earlier | |
This Critical Patch Update contains 5 new security fixes for Oracle Berkeley DB. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2016-0682 | DataStore | None | None | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26 | |
CVE-2016-0689 | DataStore | None | None | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26 | |
CVE-2016-0692 | DataStore | None | None | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26 | |
CVE-2016-0694 | DataStore | None | None | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26 | |
CVE-2016-3418 | DataStore | None | None | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26 | |