Oracle Critical Patch Update CVSS V2 Risk Matrices - April 2016

Description

This is a placeholder for the Critical Patch Update of April, 2016, that provides CVSS V2 versions of the Risk Matrix Appendices for all vulnerabilities whose fixes were included in the Oracle Critical Patch Update for April, 2016.

The main Advisory for Oracle Critical Patch Update Release April, 2016 can be found here.

Note that the Oracle Critical Patch Update Advisory for April, 2016 will be the only Oracle Critical Patch Update Advisory that will include both CVSS V2 and CVSS V3 scoring and that future versions of Oracle Security Alerts or Oracle Critical Patch Update Advisories will not contain CVSS V2 information.

Appendix - Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Please note that the Oracle Critical Patch Update Advisory for January 2016 was updated post release to clarify that CVE-2015-4923 is applicable to client-only installations. Database customers are strongly advised to apply the patches released in CPUJan2016 or later to their client-only installations.

Oracle Database Server Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-3454 | Java VM | Multiple | None | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | 11.2.0.4, 12.1.0.1, 12.1.0.2 | See Note 1 |
| CVE-2016-0681 | Oracle OLAP | Oracle Net | Execute on DBMS_AW | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2016-0677 | RDBMS Security | Kerberos | None | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 12.1.0.1, 12.1.0.2 | |
| CVE-2016-0690 | RDBMS Security | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | None | Partial | None | 11.2.0.4, 12.1.0.1, 12.1.0.2 | |
| CVE-2016-0691 | RDBMS Security | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | None | Partial | None | 11.2.0.4, 12.1.0.1, 12.1.0.2 | |

Notes:

  1. The CVSS score is 7.6 only on Windows for Database versions prior to 12c. The CVSS is 5.1 (Confidentiality, Integrity and Availability is "Partial+") for Database 12c on Windows and for all versions of Database on Linux, Unix and other platforms.

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 22 new security fixes for Oracle Fusion Middleware. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2016 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2016 Patch Availability Document for Oracle Products, My Oracle Support Note 2102148.1.

Oracle Fusion Middleware Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-3455 | Oracle Outside In Technology | Multiple | Outside In Filters | Yes | 9.0 | Network | Low | None | Complete | Partial | Partial | 8.5.0, 8.5.1, 8.5.2 | See Note 1 |
| CVE-2015-7182 | Oracle GlassFish Server | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 2.1.1 | |
| CVE-2015-7182 | Oracle OpenSSO | HTTPS | Web Agents | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 3.0-0.7 | |
| CVE-2015-7182 | Oracle Traffic Director | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.1.1.7.0, 11.1.1.9.0 | |
| CVE-2015-3253 | Oracle WebCenter Sites | Multiple | Sites | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.1.1.8.0, 12.2.1 | |
| CVE-2016-0638 | Oracle WebLogic Server | JMS | Java Messaging Service | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 10.3.6, 12.1.2, 12.1.3, 12.2.1 | |
| CVE-2015-7182 | Oracle iPlanet Web Proxy Server | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 4.0 | |
| CVE-2015-7182 | Oracle iPlanet Web Server | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 7.0 | |
| CVE-2015-7547 | Oracle Exalogic Infrastructure | Multiple | Base Image | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 1.0, 2.0 | |
| CVE-2016-0696 | Oracle WebLogic Server | HTTP | Console | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 10.3.6 | |
| CVE-2016-0479 | Oracle Business Intelligence Enterprise Edition | HTTP | Analytics Scorecard | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0 | |
| CVE-2015-3195 | Oracle API Gateway | HTTPS | OAG | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.1.2.3.0, 11.1.2.4.0 | |
| CVE-2014-3576 | Oracle BI Publisher | Multiple | Security | Yes | 5.0 | Network | Low | None | None | None | Partial | 12.2.1.0.0 | |
| CVE-2015-3195 | Oracle Exalogic Infrastructure | HTTPS | Network Infra Framework | Yes | 5.0 | Network | Low | None | None | None | Partial | 1.0, 2.0 | |
| CVE-2015-3197 | Oracle Exalogic Infrastructure | HTTPS | Base Image | Yes | 4.3 | Network | Medium | None | Partial+ | None | None | 1.0, 2.0 | |
| CVE-2015-3197 | Oracle Tuxedo | HTTPS | Open SSL | Yes | 4.3 | Network | Medium | None | Partial | None | None | 12.1.1.0 | |
| CVE-2016-0675 | Oracle WebLogic Server | HTTP | Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.3.6, 12.1.2, 12.1.3 | |
| CVE-2016-0700 | Oracle WebLogic Server | HTTP | Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.3.6, 12.1.2, 12.1.3 | |
| CVE-2016-3416 | Oracle WebLogic Server | HTTP | Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.3.6, 12.1.2, 12.1.3, 12.2.1 | |
| CVE-2016-0468 | Oracle Business Intelligence Enterprise Edition | HTTP | Analytics Web General | No | 3.5 | Network | Medium | Single | None | Partial | None | 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0 | |
| CVE-2016-0671 | Oracle HTTP Server | HTTPS | OSSL Module | Yes | 2.6 | Network | High | None | Partial | None | None | 12.1.2.0 | |
| CVE-2016-0688 | Oracle WebLogic Server | HTTP | Core Components | Yes | 2.6 | Network | High | None | None | Partial | None | 10.3.6, 12.1.2, 12.1.3 | |

Notes:

  1. Outside In Technology is a suite of software development kits (SDKs). It does not have any particular associated protocol. The score here assumes that the hosting software passes data received over the network to Outside In Technology code. In any other cases, the scores could be lower than this.

Additional CVEs addressed:

  1. CVE-2015-7182 fix also addresses CVE-2015-2721, CVE-2015-4000, CVE-2015-7181, CVE-2015-7183, CVE-2015-7575.

Appendix - Oracle Enterprise Manager Grid Control

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Enterprise Manager Grid Control. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2016 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2016 Patch Availability Document for Oracle Products, My Oracle Support Note 2102148.1.

Oracle Enterprise Manager Grid Control Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2015-7501 | Oracle Application Testing Suite | HTTPS | Install | No | 8.5 | Network | Medium | Single | Complete | Complete | Complete | 12.4.0.2, 12.5.0.2 | |
| CVE-2015-3197 | OSS Support Tools Oracle Explorer | HTTPS | Binaries | Yes | 4.3 | Network | Medium | None | Partial | None | None | 8.11.16.3.8 | |

Appendix - Oracle Applications

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 7 new security fixes for the Oracle E-Business Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2016 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (April 2016), My Oracle Support Note 2113110.1.

Oracle E-Business Suite Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-3466 | Oracle Field Service | HTTP | Wireless | Yes | 6.4 | Network | Low | None | Partial+ | Partial+ | None | 12.1.1, 12.1.2, 12.1.3 | |
| CVE-2016-3434 | Oracle Application Object Library | HTTP | Logout | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5 | |
| CVE-2016-3439 | Oracle CRM Wireless | HTTP | Call Phone Number Page | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.3 | |
| CVE-2016-3437 | Oracle CRM Wireless | HTTP | Person Address Page | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.3 | |
| CVE-2016-3436 | Oracle Common Applications Calendar | HTTP | Tasks | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.1, 12.1.2, 12.1.3 | |
| CVE-2016-0697 | Oracle Application Object Library | Oracle Net | DB Privileges | No | 3.6 | Network | High | Single | Partial+ | Partial+ | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5 | |
| CVE-2016-3447 | Oracle Applications Framework | HTTP | OAF Core | Yes | 2.6 | Network | High | None | None | Partial | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5 | |

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 6 new security fixes for the Oracle Supply Chain Products Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-3438 | Oracle Configurator | HTTP | JRAD Heartbeat | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 12.1, 12.2 | |
| CVE-2015-3195 | Oracle Transportation Management | HTTPS | Install | Yes | 5.0 | Network | Low | None | None | None | Partial | 6.1, 6.2 | |
| CVE-2016-3456 | Oracle Complex Maintenance, Repair, and Overhaul | HTTP | Dialog Box | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.1, 12.1.2, 12.1.3 | |
| CVE-2016-3420 | Oracle Agile PLM | HTTP | Security | No | 3.6 | Network | High | Single | Partial | Partial | None | 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3 | |
| CVE-2016-3431 | Oracle Agile PLM | HTTP | Security | No | 3.6 | Network | High | Single | Partial | Partial | None | 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3 | |
| CVE-2016-3428 | Oracle Agile Engineering Data Management | ECI (Proprietary EDM Protocol) | Engineering Communication Interface | No | 1.8 | Adjacent Network | High | None | None | None | Partial | 6.1.3.0, 6.2.0.0 | |

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 15 new security fixes for Oracle PeopleSoft Products. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-3421 | PeopleSoft Enterprise PeopleTools | HTTP | Activity Guide | No | 6.5 | Network | Low | Single | Partial | Partial | Partial | 8.53, 8.54, 8.55 | |
| CVE-2016-3460 | PeopleSoft Enterprise HCM | HTTP | ePerformance | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.2 | |
| CVE-2016-3457 | PeopleSoft Enterprise HCM ePerformance | HTTP | Security | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.2 | |
| CVE-2016-0685 | PeopleSoft Enterprise PeopleTools | HTTP | File Processing | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.53, 8.54, 8.55 | |
| CVE-2016-0679 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Grids | No | 5.5 | Network | Low | Single | None | Partial+ | Partial+ | 8.53, 8.54, 8.55 | |
| CVE-2016-0680 | PeopleSoft Enterprise SCM | HTTP | Services Procurement | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.1, 9.2 | |
| CVE-2016-3435 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | Yes | 5.0 | Network | Low | None | None | None | Partial | 8.53, 8.54, 8.55 | |
| CVE-2016-0408 | PeopleSoft Enterprise PeopleTools | HTTP | Activity Guide | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.53, 8.54, 8.55 | |
| CVE-2016-3417 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Search Functionality | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.53, 8.54, 8.55 | |
| CVE-2016-3442 | PeopleSoft Enterprise PeopleTools | HTTP | Portal | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.53, 8.54, 8.55 | |
| CVE-2016-0698 | PeopleSoft Enterprise PeopleTools | HTTP | Rich Text Editor | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.53, 8.54, 8.55 | |
| CVE-2015-3197 | PeopleSoft Enterprise PeopleTools | HTTPS | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | 8.53, 8.54, 8.55 | |
| CVE-2016-0407 | PeopleSoft Enterprise HCM | HTTP | Fusion HR Talent Integration | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1, 9.2 | |
| CVE-2016-0683 | PeopleSoft Enterprise PeopleTools | HTTP | Search Framework | No | 4.0 | Network | Low | Single | None | Partial | None | 8.53, 8.54, 8.55 | |
| CVE-2016-3423 | PeopleSoft Enterprise PeopleTools | HTTP | Rich Text Editor | No | 3.5 | Network | Medium | Single | None | Partial | None | 8.53, 8.54, 8.55 | |

Additional CVEs addressed:

  1. CVE-2015-3197 fix also addresses CVE-2015-3195.

Oracle JD Edwards Products Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle JD Edwards Products. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle JD Edwards Products Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2015-1793 | JD Edwards EnterpriseOne Tools | HTTP | OneWorld Tools Security | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 9.1, 9.2 | |

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Siebel CRM. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-0673 | Siebel UI Framework | HTTP | UIF Open UI | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.1.1, 8.2.2 | |
| CVE-2016-0674 | Siebel Core - Common Components | HTTP | Email | No | 3.2 | Local | Low | Single | Partial | Partial | None | 8.1.1, 8.2.2 | |

Appendix - Oracle Industry Applications

Oracle Communications Applications Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Communications Applications. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2014-2532 | Oracle Communications User Data Repository | OpenSSH | Security | No | 4.9 | Network | Medium | Single | Partial | Partial | None | 10.0.1 | |

Oracle Retail Applications Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle Retail Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Retail Applications Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-0684 | Oracle Retail MICROS ARS POS | Oracle Net | POS | No | 6.8 | Network | Low | Single | Complete | None | None | 1.5 | |
| CVE-2016-3429 | Oracle Retail Xstore Point of Service | HTTP | Xstore Services | No | 5.4 | Local | Medium | None | Complete | Partial | None | 5.0, 5.5, 6.0, 6.5, 7.0, 7.1 | |
| CVE-2016-0469 | Oracle Retail MICROS C2 | HTTPS | POS | No | 4.6 | Local | Low | Single | Complete | None | None | 9.89.0.0 | |

Oracle Health Sciences Applications Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Health Sciences Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Health Sciences Applications Risk Matrix

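CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2015-3195 | Oracle Life Sciences Data Hub | HTTPS | Open SSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 2.1 | |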

Appendix - Oracle Financial Services Software

Oracle Financial Services Software Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Financial Services Software. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Financial Services Software Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-0699 | Oracle FLEXCUBE Direct Banking | HTTP | Login | Yes | 9.4 | Network | Low | None | Complete | Complete | None | 12.0.2, 12.0.3 | |
| CVE-2016-0672 | Oracle FLEXCUBE Direct Banking | HTTP | Pre-Login | Yes | 5.0 | Network | Low | None | Partial | None | None | 12.0.2, 12.0.3 | |
| CVE-2016-3463 | Oracle FLEXCUBE Direct Banking | HTTP | Pre-Login | Yes | 5.0 | Network | Low | None | Partial | None | None | 12.0.3 | |
| CVE-2016-3464 | Oracle FLEXCUBE Direct Banking | HTTP | Accounts | No | 4.0 | Network | Low | Single | Partial | None | None | 12.0.3 | |

Appendix - Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 9 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.
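The Complete-to-Partial adjustment described above can be checked against the CVSS v2 base equation. The following is an added example, not part of Oracle's advisory: it recomputes base scores from the metric columns of a few rows copied from this page's matrices. The function names are hypothetical, and weighting "Partial+" like "Partial" is an assumption of the example that agrees with the scores published here.

```python
"""Recompute CVSS v2 base scores from risk-matrix metric columns (added example)."""

# Metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
# Assumption: "Partial+" (Oracle's annotation) is weighted like "Partial".
IMPACT = {"None": 0.0, "Partial": 0.275, "Partial+": 0.275, "Complete": 0.660}


def base_score(av, ac, au, conf, integ, avail):
    """CVSS v2 base score for one row's six metric cells."""
    impact = 10.41 * (
        1 - (1 - IMPACT[conf]) * (1 - IMPACT[integ]) * (1 - IMPACT[avail])
    )
    exploitability = (
        20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    )
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def non_admin_score(av, ac, au, conf, integ, avail):
    """Score when the user lacks administrator privileges:
    every "Complete" impact is replaced by "Partial", as the page describes."""
    cia = ["Partial" if v == "Complete" else v for v in (conf, integ, avail)]
    return base_score(av, ac, au, *cia)


# Rows copied from this page: (CVE, published score, AV, AC, Au, C, I, A).
ROWS = [
    ("CVE-2016-3454", 7.6, "Network", "High", "None",
     "Complete", "Complete", "Complete"),
    ("CVE-2016-0681", 6.5, "Network", "Low", "Single",
     "Partial+", "Partial+", "Partial+"),
    ("CVE-2016-3455", 9.0, "Network", "Low", "None",
     "Complete", "Partial", "Partial"),
    ("CVE-2016-3428", 1.8, "Adjacent Network", "High", "None",
     "None", "None", "Partial"),
    ("CVE-2016-0674", 3.2, "Local", "Low", "Single",
     "Partial", "Partial", "None"),
    ("CVE-2016-0699", 9.4, "Network", "Low", "None",
     "Complete", "Complete", "None"),
    ("CVE-2016-3443", 10.0, "Network", "Low", "None",
     "Complete", "Complete", "Complete"),
    ("CVE-2016-3449", 7.6, "Network", "High", "None",
     "Complete", "Complete", "Complete"),
    ("CVE-2016-3422", 5.0, "Network", "Low", "None",
     "None", "None", "Partial"),
    ("CVE-2016-3441", 7.2, "Local", "Low", "None",
     "Complete", "Complete", "Complete"),
    ("CVE-2016-3461", 4.3, "Network", "High", "Multiple",
     "Partial+", "Partial+", "Partial+"),
]


def audit(rows):
    """Return (CVE, published, recomputed) for rows whose published score
    does not match the score recomputed from the metric cells."""
    mismatches = []
    for cve, published, *metrics in rows:
        recomputed = base_score(*metrics)
        if recomputed != published:
            mismatches.append((cve, published, recomputed))
    return mismatches


def non_admin_table(rows, cves):
    """Map each selected CVE to (published score, non-administrator score)."""
    return {
        cve: (published, non_admin_score(*metrics))
        for cve, published, *metrics in rows
        if cve in cves
    }


if __name__ == "__main__":
    print("mismatches:", audit(ROWS))
    java = {"CVE-2016-3443", "CVE-2016-3449", "CVE-2016-3422"}
    for cve, (admin, user) in sorted(non_admin_table(ROWS, java).items()):
        print(f"{cve}: {admin} with administrator privileges, {user} without")
```

A row whose impacts are already "Partial" or "None" (CVE-2016-3422 here) keeps its score under the adjustment, so only the "Complete" rows move when prioritising patches for non-administrator desktops.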

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.

Oracle Java SE Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-3443 | Java SE | Multiple | 2D | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77 | See Note 1 |
| CVE-2016-0687 | Java SE, Java SE Embedded | Multiple | Hotspot | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77 | See Note 1 |
| CVE-2016-0686 | Java SE, Java SE Embedded | Multiple | Serialization | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77 | See Note 1 |
| CVE-2016-3427 | Java SE, Java SE Embedded, JRockit | Multiple | JMX | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9 | See Note 2 |
| CVE-2016-3449 | Java SE | Multiple | Deployment | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77 | See Note 1 |
| CVE-2016-3422 | Java SE | Multiple | 2D | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE: 6u113, 7u99, 8u77 | See Note 1 |
| CVE-2016-3425 | Java SE, Java SE Embedded, JRockit | Multiple | JAXP | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9 | See Note 2 |
| CVE-2016-3426 | Java SE, Java SE Embedded | Multiple | JCE | Yes | 4.3 | Network | Medium | None | Partial | None | None | Java SE: 8u77; Java SE Embedded: 8u77 | See Note 1 |
| CVE-2016-0695 | Java SE, Java SE Embedded, JRockit | Multiple | Security | Yes | 2.6 | Network | High | None | Partial | None | None | Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9 | See Note 3 |

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
  3. Applies to client and server deployment of JSSE.

Appendix - Oracle Sun Systems Products Suite

Oracle Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 18 new security fixes for the Oracle Sun Systems Products Suite. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Sun Systems Products Suite Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-0693 | Solaris | Multiple | PAM LDAP module | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 10, 11.3 | |
| CVE-2013-4786 | Fujitsu M10-1, M10-4, M10-4S Servers | IPMI | XCP Firmware | Yes | 7.8 | Network | Low | None | Complete | None | None | XCP prior to XCP2290 | |
| CVE-2016-3441 | Solaris | None | Filesystem | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 10, 11.3 | |
| CVE-2015-7547 | Fujitsu M10-1, M10-4, M10-4S Servers | Multiple | XCP Firmware | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | XCP prior to XCP2290 | |
| CVE-2015-1793 | Oracle Ethernet Switch ES2-72, Oracle Ethernet Switch ES2-64 | HTTPS | Firmware | Yes | 6.4 | Network | Low | None | Partial | Partial | None | Versions prior to 2.0.0.6 | |
| CVE-2015-3238 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | Multiple | XCP Firmware | Yes | 5.8 | Network | Medium | None | Partial | None | Partial | XCP prior to XCP 1121 | |
| CVE-2016-0669 | Solaris | None | Fwflash | No | 5.2 | Local | Low | Single | None | Partial | Complete | 11.3 | |
| CVE-2015-7236 | Solaris | RPC | Utilities | Yes | 5.0 | Network | Low | None | None | None | Partial | 10, 11.3 | |
| CVE-2011-4461 | Sun Storage Common Array Manager | HTTP | Jetty Web Server | Yes | 5.0 | Network | Low | None | None | None | Partial | 6.9.0 | |
| CVE-2016-3462 | Solaris | None | Network Configuration Service | No | 4.9 | Local | Low | None | None | None | Complete | 11.3 | |
| CVE-2016-3465 | Solaris | None | ZFS | No | 4.9 | Local | Low | None | None | None | Complete | 10, 11.3 | |
| CVE-2013-2566 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | HTTPS | XCP Firmware | Yes | 4.3 | Network | Medium | None | Partial | None | None | XCP prior to XCP 1121 | |
| CVE-2015-4000 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | HTTPS | XCP Firmware | Yes | 4.3 | Network | Medium | None | None | Partial | None | XCP prior to XCP 1121 | |
| CVE-2015-1789 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | HTTPS | XCP Firmware | Yes | 4.3 | Network | Medium | None | None | None | Partial | XCP prior to XCP 1121 | |
| CVE-2016-0623 | Solaris | Multiple | Automated Installer | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.3 | |
| CVE-2014-3566 | Solaris Cluster | HTTPS | GlassFish Server | Yes | 4.3 | Network | Medium | None | Partial | None | None | 4.2 | |
| CVE-2016-0676 | Solaris | None | Kernel | No | 4.0 | Local | High | None | None | None | Complete | 10 | |
| CVE-2016-3419 | Solaris | None | Filesystem | No | 2.1 | Local | Low | None | None | None | Partial+ | 10, 11.3 | |

Additional CVEs addressed:

  1. CVE-2013-2566 fix also addresses CVE-2015-2808.
  2. CVE-2015-1789 fix also addresses CVE-2015-1790.

Appendix - Oracle Linux and Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2015-3195 | Oracle VM VirtualBox | HTTPS | Core | Yes | 5.0 | Network | Low | None | None | None | Partial | VirtualBox prior to 4.3.36, prior to 5.0.14 | |
| CVE-2015-3195 | Sun Ray Software | HTTPS | Sun Ray Server Software | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.1 | |
| CVE-2015-3197 | Oracle VM VirtualBox | HTTPS | Core | Yes | 4.3 | Network | Medium | None | Partial | None | None | VirtualBox prior to 5.0.16 | |
| CVE-2016-0678 | Oracle VM VirtualBox | None | Core | No | 4.1 | Local | Medium | Single | Partial+ | Partial+ | Partial+ | VirtualBox prior to 5.0.18 | |

Additional CVEs addressed:

  1. CVE-2015-3195 fix also addresses CVE-2015-1794, CVE-2015-3193, CVE-2015-3194, CVE-2015-3196.

Appendix - Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 31 new security fixes for Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score through Availability columns.

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-0705 | MySQL Server | MySQL Protocol | Server: Packaging | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 5.6.29 and earlier, 5.7.11 and earlier | |
| CVE-2016-0639 | MySQL Server | MySQL Protocol | Server: Pluggable Authentication | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 5.6.29 and earlier, 5.7.11 and earlier | |
| CVE-2015-3194 | MySQL Server | MySQL Protocol | Server: Security: Encryption | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 5.6.28 and earlier, 5.7.10 and earlier | |
| CVE-2016-0640 | MySQL Server | MySQL Protocol | Server: DML | No | 4.9 | Network | Medium | Single | None | Partial | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | |
| CVE-2016-0641 | MySQL Server | MySQL Protocol | Server: MyISAM | No | 4.9 | Network | Medium | Single | Partial | None | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | |
| CVE-2016-3461 | MySQL Enterprise Monitor | Multiple | Monitoring: Server | No | 4.3 | Network | High | Multiple | Partial+ | Partial+ | Partial+ | 3.0.25 and earlier, 3.1.2 and earlier | |
| CVE-2016-2047 | MySQL Server | MySQL Protocol | Server: Connection Handling | Yes | 4.3 | Network | Medium | None | None | Partial | None | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | |
| CVE-2016-0642 | MySQL Server | MySQL Protocol | Server: Federated | No | 4.3 | Network | Medium | Multiple | None | Partial | Partial+ | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | |
| CVE-2016-0643 | MySQL Server | MySQL Protocol | Server: DML | No | 4.0 | Network | Low | Single | Partial | None | None | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | |
| CVE-2016-0644 | MySQL Server | MySQL Protocol | Server: DDL | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | |
| CVE-2016-0646 | MySQL Server | MySQL Protocol | Server: DML | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | |
| CVE-2016-0647 | MySQL Server | MySQL Protocol | Server: FTS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | |
| CVE-2016-0648 | MySQL Server | MySQL Protocol | Server: PS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | |
| CVE-2016-0649 | MySQL Server | MySQL Protocol | Server: PS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | |
| CVE-2016-0650 | MySQL Server | MySQL Protocol | Server: Replication | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | |
| CVE-2016-0652 | MySQL Server | MySQL Protocol | Server: DML | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | |
| CVE-2016-0653 | MySQL Server | MySQL Protocol | Server: FTS | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | |
| CVE-2016-0654 | MySQL Server | MySQL Protocol | Server: InnoDB | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | |
| CVE-2016-0655 | MySQL Server | MySQL Protocol | Server: InnoDB | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.29 and earlier, 5.7.11 and earlier | |
| CVE-2016-0656 | MySQL Server | MySQL Protocol | Server: InnoDB | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | |
| CVE-2016-0657 | MySQL Server | MySQL Protocol | Server: JSON | No | 3.5 | Network | Medium | Single | Partial | None | None | 5.7.11 and earlier | |
| CVE-2016-0658 | MySQL Server | MySQL Protocol | Server: Optimizer | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | |
| CVE-2016-0651 | MySQL Server | MySQL Protocol | Server: Optimizer | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.5.46 and earlier | |
| CVE-2016-0659 | MySQL Server | MySQL Protocol | Server: Optimizer | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.11 and earlier | |
| CVE-2016-0661 | MySQL Server | MySQL Protocol | Server: Options | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.28 and earlier, 5.7.10 and earlier | |
| CVE-2016-0662 | MySQL Server | MySQL Protocol | Server: Partition | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.11 and earlier | |
| CVE-2016-0663 | MySQL Server | MySQL Protocol | Server: Performance Schema | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | |
CVE-2016-0665 MySQL Server MySQL Protocol Server: Security: Encryption No 3.5 Network Medium Single None None Partial+ 5.6.28 and earlier, 5.7.10 and earlier
CVE-2016-0666 MySQL Server MySQL Protocol Server: Security: Privileges No 3.5 Network Medium Single None None Partial+ 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier
CVE-2016-0667 MySQL Server MySQL Protocol Server: Locking No 2.8 Network Medium Multiple None None Partial+ 5.7.11 and earlier
CVE-2016-0668 MySQL Server MySQL Protocol Server: InnoDB No 1.7 Network High Multiple None None Partial+ 5.6.28 and earlier, 5.7.10 and earlier

Additional CVEs addressed:

  1. CVE-2015-3194 fix also addresses CVE-2015-3195.
  2. CVE-2016-0705 fix also addresses CVE-2015-3197, CVE-2016-0702, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-0800.

Appendix - Oracle Berkeley DB

Oracle Berkeley DB Executive Summary

This Critical Patch Update contains 5 new security fixes for Oracle Berkeley DB. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Berkeley DB Risk Matrix

CVE# Component Protocol Package and/or Privilege Required Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2016-0682 DataStore None None No 6.9 Local Medium None Complete Complete Complete 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26
CVE-2016-0689 DataStore None None No 6.9 Local Medium None Complete Complete Complete 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26
CVE-2016-0692 DataStore None None No 6.9 Local Medium None Complete Complete Complete 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26
CVE-2016-0694 DataStore None None No 6.9 Local Medium None Complete Complete Complete 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26
CVE-2016-3418 DataStore None None No 6.9 Local Medium None Complete Complete Complete 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26