Oracle Critical Patch Update Advisory - January 2014

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 144 new security fixes across the product families listed below.

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: http://www.oracle.com/security-alerts/cpufaq.html#CVRF.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions | Patch Availability
Oracle Database 11g Release 1, version 11.1.0.7 | Database
Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4 | Database
Oracle Database 12c Release 1, version 12.1.0.1 | Database
Oracle Fusion Middleware 11g Release 1, versions 11.1.1.6, 11.1.1.7 | Fusion Middleware
Oracle Fusion Middleware 11g Release 2, versions 11.1.2.0, 11.1.2.1 | Fusion Middleware
Oracle Fusion Middleware 12c Release 2, version 12.1.2 | Fusion Middleware
Oracle Enterprise Data Quality, versions 8.1, 9.0.8 | Fusion Middleware
Oracle Forms and Reports 11g, Release 2, version 11.1.2.1 | Fusion Middleware
Oracle GlassFish Server, version 2.1.1, Sun Java Application Server, versions 8.1, 8.2 | Fusion Middleware
Oracle HTTP Server 11g, versions 11.1.1.6, 11.1.1.7 | Fusion Middleware
Oracle HTTP Server 12c, version 12.1.2 | Fusion Middleware
Oracle Identity Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.0, 11.1.2.1 | Fusion Middleware
Oracle Internet Directory, versions 11.1.1.6, 11.1.1.7 | Fusion Middleware
Oracle iPlanet Web Proxy Server, version 4.0 | Fusion Middleware
Oracle iPlanet Web Server, versions 6.1, 7.0 | Fusion Middleware
Oracle Outside In Technology, versions 8.4.0, 8.4.1 | Fusion Middleware
Oracle Portal, version 11.1.1.6 | Fusion Middleware
Oracle Reports Developer, versions 11.1.1.6, 11.1.1.7, 11.1.2.1 | Fusion Middleware
Oracle Traffic Director, versions 11.1.1.6, 11.1.1.7 | Fusion Middleware
Oracle WebCenter Portal, versions 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0 | Fusion Middleware
Oracle WebCenter Sites, versions 11.1.1.6.1, 11.1.1.8.0 | Fusion Middleware
Oracle Hyperion Essbase Administration Services, versions 11.1.2.1, 11.1.2.2, 11.1.2.3 | Fusion Middleware
Oracle Hyperion Strategic Finance, versions 11.1.2.1, 11.1.2.2 | Fusion Middleware
Oracle E-Business Suite Release 11i, version 11.5.10.2 | E-Business Suite
Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2 | E-Business Suite
Oracle Agile Product Lifecycle Management for Process, versions 6.0, 6.1, 6.1.1 | Oracle Supply Chain
Oracle AutoVue, version 20.1.1 | Oracle Supply Chain
Oracle Demantra Demand Management, versions 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3 | Oracle Supply Chain
Oracle Transportation Management, versions 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2 | Oracle Supply Chain
Oracle PeopleSoft Enterprise HRMS, versions 9.1.0, 9.2.0 | PeopleSoft
Oracle PeopleSoft Enterprise HRMS Human Resources, versions 9.1, 9.2 | PeopleSoft
Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53 | PeopleSoft
Oracle PeopleSoft Enterprise SCM Services Procurement, version 9.2 | PeopleSoft
Oracle Siebel Core, versions 8.1.1, 8.2.2 | Siebel
Oracle Siebel Life Sciences, versions 8.1.1, 8.2.2 | Siebel
Oracle iLearning, version 6.0 | iLearning
Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1, 12.0.2 | Oracle FLEXCUBE
Oracle JavaFX, versions 2.2.45 and earlier | Oracle Java SE
Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier | Oracle Java SE
Oracle Java SE Embedded, versions 7u45 and earlier | Oracle Java SE
Oracle JRockit, versions R27.7.7 and earlier, R28.2.9 and earlier | Oracle Java SE
Oracle Solaris, versions 8, 9, 10, 11.1 | Oracle and Sun Systems Products Suite
Oracle Secure Global Desktop, versions 4.63.x, 4.71.x, 5.0.x, 5.10 | Oracle Linux and Virtualization
Oracle VM VirtualBox, versions prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.6 | Oracle Linux and Virtualization
Oracle MySQL Enterprise Monitor, versions 2.3, 3.0 | Oracle MySQL Product Suite
Oracle MySQL Server, versions 5.1, 5.5, 5.6 | Oracle MySQL Product Suite

Patch Availability Table and Risk Matrices

Products with Cumulative Patches

The Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Industry Applications, Primavera and Oracle VM patches in the Critical Patch Updates are cumulative. In other words, patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates. For more information about cumulative and non-cumulative patches, check the patch availability documents in the table below for the respective product groups.

Patch Availability Table

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update January 2014 Documentation Map, My Oracle Support Note 1592294.1.

Product Group | Risk Matrix | Patch Availability and Installation Information
Oracle Database | Oracle Database Risk Matrix | Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1594621.1
Oracle Fusion Middleware | Oracle Fusion Middleware Risk Matrix | Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1594621.1
Oracle Applications - E-Business Suite | Oracle E-Business Suite Risk Matrix | Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (January 2014), My Oracle Support Note 1605340.1
Oracle Applications - Oracle Supply Chain, PeopleSoft Enterprise, Siebel and iLearning Products Suite | Oracle Supply Chain Risk Matrix; Oracle PeopleSoft Enterprise Risk Matrix; Oracle Siebel CRM Risk Matrix; Oracle iLearning Products Risk Matrix | Critical Patch Update Knowledge Document for Oracle Supply Chain, PeopleSoft Enterprise, Siebel and iLearning Products Suite, My Oracle Support Note 1608821.1
Oracle FLEXCUBE Products Suite | Oracle Financial Services Software Risk Matrix | Contact Oracle Customer Support for patches, https://support.oracle.com
Oracle Java | Oracle JDK and JRE Risk Matrix | Critical Patch Update January 2014 Patch Availability Document for Java, My Oracle Support Note 1607034.1
  • Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
  • The latest JavaFX release is included with the latest update of JDK and JRE 7.
Oracle and Sun Systems Products Suite | Oracle and Sun Systems Products Suite Risk Matrix | Critical Patch Update January 2014 Patch Delivery Document for Oracle and Sun Systems Product Suite, My Oracle Support Note 1607615.1
Oracle Linux and Virtualization Products | Oracle Linux and Virtualization Products Risk Matrix | Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1608471.1
Oracle MySQL | Oracle MySQL Risk Matrix | Critical Patch Update January 2014 Patch Availability Document for Oracle MySQL Products, My Oracle Support Note 1609570.1

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is available here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. Italics indicate vulnerabilities in code included from other product areas.

Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
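The CVSS 2.0 base scores in the risk matrices below can be reproduced from the six metric columns printed beside them. The following Python is an added worked example, not part of Oracle's advisory: it implements the CVSS v2 base equation with the weights from the CVSS v2.0 specification and checks it against a handful of rows copied from this advisory's matrices. One assumption is made: Oracle's "Partial+" annotation is scored as Partial (the "+" flags a wider-than-usual partial impact and carries no weight of its own). The `rescore` helper is also an addition; it supports the site-specific risk analysis the paragraph above invites, by recomputing a row with one metric changed.

```python
"""CVSS v2.0 base-score calculator checked against rows of this advisory's risk matrices."""
import math

# Metric weights from the CVSS v2.0 specification.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def _impact_weight(value):
    # Assumption: Oracle's "Partial+" is scored as Partial; the "+" only marks that the
    # impact is wider than a typical Partial and has no weight of its own.
    return IMPACT[value.rstrip("+")]


def _round1(x):
    # CVSS v2 round_to_1_decimal: round half up to one decimal place.
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base_score(av, ac, au, c, i, a):
    """Return the CVSS v2.0 base score for the six base metrics, given as the matrix's string values."""
    impact = 10.41 * (1 - (1 - _impact_weight(c)) * (1 - _impact_weight(i)) * (1 - _impact_weight(a)))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


# Rows copied from the risk matrices in this advisory:
# (CVE, access vector, access complexity, authentication, C, I, A, published base score)
MATRIX_ROWS = [
    ("CVE-2013-5853", "Network", "Low", "None", "None", "None", "Partial", 5.0),
    ("CVE-2014-0378", "Local", "Medium", "Single", "Partial", "Partial", "Partial", 4.1),
    ("CVE-2013-5764", "Network", "Medium", "Single", "None", "None", "Partial+", 3.5),
    ("CVE-2013-4316", "Network", "Low", "None", "Complete", "Complete", "Complete", 10.0),
    ("CVE-2013-5879", "Local", "Medium", "Single", "None", "None", "Partial", 1.5),
    ("CVE-2013-3830", "Network", "High", "Single", "Complete", "Complete", "Complete", 7.1),
    ("CVE-2013-5874", "Local", "Low", "Single", "Partial", "None", "None", 1.7),
    ("CVE-2014-0370", "Network", "Medium", "Multiple", "None", "None", "Partial", 2.8),
]


def check_matrix_rows(rows=MATRIX_ROWS):
    """Recompute every row's score; return (cve, published, computed) for rows that do not match."""
    mismatches = []
    for cve, av, ac, au, c, i, a, published in rows:
        computed = cvss2_base_score(av, ac, au, c, i, a)
        if computed != published:
            mismatches.append((cve, published, computed))
    return mismatches


def rescore(row, **overrides):
    """Recompute a row's score with one or more metrics replaced, for a site-specific risk analysis.

    rescore(MATRIX_ROWS[0], av="Local") shows what CVE-2013-5853 would score if the Oracle Net
    listener were reachable only from the database host itself.
    """
    metrics = dict(zip(("av", "ac", "au", "c", "i", "a"), row[1:7]))
    metrics.update(overrides)
    return cvss2_base_score(**metrics)


if __name__ == "__main__":
    bad = check_matrix_rows()
    print("all published scores reproduced" if not bad else f"mismatches: {bad}")
    print("CVE-2013-5853 if Oracle Net were local-only:", rescore(MATRIX_ROWS[0], av="Local"))
```

Every row listed reproduces its published score, which is a useful sanity check when the matrices are parsed mechanically; the rescore of CVE-2013-5853 with a local-only access vector drops it from 5.0 to 2.1, illustrating how much of that score rests on the listener being network-reachable.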

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1594621.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Adam Willard of Foreground Security; Alexander Kornbrust of Red Database Security; Alexey Tyurin of ERPScan (Digital Security Research Group); Apple Inc.; Arseniy Akuney of TELUS Security Labs; Borked of the Google Security Team; Carlo Di Dato of iDefense; Christopher Meyer of Ruhr-University Bochum; Daniel EkBerg of Kentor AB Sweden; Esteban Martinez Fayo formerly of Application Security Inc.; Fernando Muñoz; Information Security Office for the University of Texas at Austin; John Leitch working with HP's Zero Day Initiative; Joseph Sheridan of Reactionis; Juraj Somorovsky of Ruhr-University Bochum; Matthew Daley; Oliver Gruskovnjak of Portcullis Inc; Sam Thomas of Pentest Limited; Sebastian Schinzel of University of Applied Sciences Münster; Tanel Poder; Will Dormann of CERT/CC; and Yuki Chen of Trend Micro.

Security-In-Depth Contributors

Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Moez Roy; Owais Mohammad Khan formerly of KPMG; Tor Erling Bjorstad; and Yash Kadakia of Security Brigade for contributions to Oracle's Security-In-Depth program.

On-Line Presence Security Contributors

Oracle provides recognition to people that have contributed to our On-Line Presence Security program (see FAQ). People are recognized for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes Abdullah Hussam Gazi; Adam Willard of Foreground Security; Ali Hasan Ghauri; Ali Hussein of Help AG Middle East; Anand Tiwari; Ben Khlifa Fahmi; Dibyendu Sikdar; Griffin Francis; James Pearson; Johnathan Simon; Koutrouss Naddara of Kotros Nadara; Mohammed Osman; Muhammad Talha Khan; Osanda Malith Jayathissa; Peter Jaric; Rafay Baloch; Rakesh Singh of Zero Day Guys; Sky_BlaCk; Sunil Dadhich; Suraj Radhakrishnan; and Vishnu Patel for contributions to Oracle's On-Line Presence Security program.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 15 April 2014
  • 15 July 2014
  • 14 October 2014
  • 20 January 2015

Modification History

2014-January-14 Rev 1. Initial Release

Appendix - Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score (CVSS 2.0, see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-5853 | Core RDBMS | Oracle Net | - | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.1.0.7, 11.2.0.3, 12.1.0.1 | -
CVE-2014-0378 | Spatial | Oracle Net | Local Login, Create Session | No | 4.1 | Local | Medium | Single | Partial | Partial | Partial | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 | -
CVE-2014-0377 | Core RDBMS | Oracle Net | Create Session, Create Role, Create User, Select privilege on SYS tables | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 | -
CVE-2013-5858 | Core RDBMS | Oracle Net | Create Session, Create View | No | 4.0 | Network | Low | Single | None | Partial | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 | -
CVE-2013-5764 | Core RDBMS | Oracle Net | Create Session, Alter Session | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 11.1.0.7, 11.2.0.3, 12.1.0.1 | -

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 22 new security fixes for Oracle Fusion Middleware. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that can be exploited by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle customers should apply the January 2014 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2014 Patch Availability Document for Oracle Products, My Oracle Support Note 1594621.1.

Oracle Fusion Middleware Risk Matrix

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score (CVSS 2.0, see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-4316 | Oracle WebCenter Sites | HTTP | WebCenter Sites Community | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 11.1.1.6.1, 11.1.1.8.0 | See Note 1
CVE-2013-5785 | Oracle Reports Developer | HTTP | Security and Authentication | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 11.1.1.6, 11.1.1.7, 11.1.2.1 | See Note 2
CVE-2007-0009 | Oracle HTTP Server | HTTPS | OSSL Module | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | OHS: 11.1.1.6.0, 11.1.1.7.0; Oracle Forms and Reports: 11.1.2.1 | See Note 3
CVE-2014-0400 | Oracle Internet Directory | HTTP | OID LDAP server | No | 6.3 | Network | Medium | Single | Complete | None | None | 11.1.1.6, 11.1.1.7 | -
CVE-2013-1862 | Oracle HTTP Server | HTTP | Web Listener | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | OHS: 11.1.1.6.0, 11.1.1.7.0, 12.1.2.0; Oracle Forms and Reports: 11.1.2.1 | -
CVE-2012-3544 | Oracle Enterprise Data Quality | HTTP | Internal Operations | Yes | 5.0 | Network | Low | None | None | None | Partial | 8.1, 9.0.8 | See Note 4
CVE-2013-1654 | Oracle HTTP Server | HTTPS | OSSL Module | Yes | 5.0 | Network | Low | None | None | Partial | None | OHS: 11.1.1.6.0, 11.1.1.7.0; Oracle Forms and Reports: 11.1.2.1; Fusion Middleware: 10.1.3.5.0 | -
CVE-2012-4605 | Oracle HTTP Server | HTTPS | OSSL Module | Yes | 5.0 | Network | Low | None | Partial | None | None | OHS: 11.1.1.6.0, 11.1.1.7.0; Oracle Forms and Reports: 11.1.2.1 | See Note 5
CVE-2014-0391 | Oracle Identity Manager | HTTP | End User Self Service | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.1.1.5, 11.1.1.7, 11.1.2.0, 11.1.2.1 | -
CVE-2013-5869 | Oracle WebCenter Portal | HTTP | Page Service | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0 | -
CVE-2013-1620 | Oracle GlassFish Server | HTTPS | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | GlassFish Enterprise Server 2.1.1; Sun Java Application Server 8.1, 8.2 | -
CVE-2012-3499 | Oracle HTTP Server | HTTP | Web Listener | Yes | 4.3 | Network | Medium | None | None | Partial | None | OHS: 11.1.1.6.0, 11.1.1.7.0; Oracle Forms and Reports: 11.1.2.1 | See Note 6
CVE-2013-5900 | Oracle Identity Manager | HTTP | End User Self Service | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.1.1.5, 11.1.1.7, 11.1.2.0, 11.1.2.1 | -
CVE-2013-5901 | Oracle Identity Manager | HTTP | Identity Console | Yes | 4.3 | Network | Medium | None | Partial+ | None | None | 11.1.2.0, 11.1.2.1 | -
CVE-2014-0374 | Oracle Portal | HTTP | Page Parameters and Events | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.1.1.6 | -
CVE-2013-1620 | Oracle Traffic Director | HTTPS | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.1.1.6, 11.1.1.7 | -
CVE-2013-1620 | Oracle iPlanet Web Proxy Server | HTTPS | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | 4.0 | -
CVE-2013-1620 | Oracle iPlanet Web Server | HTTPS | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | 6.1, 7.0 | -
CVE-2014-0383 | Oracle Identity Manager | HTTP | Identity Console | No | 3.5 | Network | Medium | Single | Partial | None | None | 11.1.2.0, 11.1.2.1 | -
CVE-2007-1858 | Oracle HTTP Server | HTTPS | OSSL Module | Yes | 2.6 | Network | High | None | Partial | None | None | OHS: 11.1.1.6.0, 11.1.1.7.0; Oracle Forms and Reports: 11.1.2.1 | -
CVE-2013-5808 | Oracle iPlanet Web Proxy Server | HTTP | Administration | Yes | 2.6 | Network | High | None | Partial | None | None | 4.0 | -
CVE-2013-5879 | Oracle Outside In Technology | HTTP | Outside In Maintenance | No | 1.5 | Local | Medium | Single | None | None | Partial | 8.4.0, 8.4.1 | See Note 7

Notes:

  1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.3: CVE-2013-4316, CVE-2013-2251, CVE-2013-2248, CVE-2013-2135 and CVE-2013-2134. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316.
  2. Please refer to My Oracle Support Note 1608683.1 for instructions on how to address this issue.
  3. This fix also addresses CVE-2007-0008.
  4. Please refer to My Oracle Support Note 1595538.1 for instructions on how to address this issue.
  5. This fix also addresses CVE-2006-0998 and CVE-2006-0999.
  6. This fix also addresses CVE-2012-4558.
  7. Outside In Technology is a suite of software development kits (SDKs). It does not have any particular associated protocol. If the hosting software passes data received over the network to Outside In Technology code, the CVSS Base Score would increase to 6.8.

Appendix - Oracle Hyperion

Oracle Hyperion Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Hyperion. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Hyperion Risk Matrix

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score (CVSS 2.0, see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-3830 | Hyperion Strategic Finance | Microsoft RPC | Server | No | 7.1 | Network | High | Single | Complete | Complete | Complete | 11.1.2.1, 11.1.2.2 | -
CVE-2014-0367 | Hyperion Essbase Administration Services | HTTP | Admin Console | No | 5.5 | Network | Low | Single | Partial | Partial | None | 11.1.2.1, 11.1.2.2, 11.1.2.3 | -

Appendix - Oracle Applications

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 4 new security fixes for the Oracle E-Business Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that can be exploited by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle customers should apply the January 2014 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (January 2014), My Oracle Support Note 1605340.1.

Oracle E-Business Suite Risk Matrix

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score (CVSS 2.0, see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-5890 | Oracle Payroll | HTTP | Exception Reporting | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2 | -
CVE-2014-0398 | Oracle Application Object Library | HTTP | Discoverer | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.5.10.2, 12.0.6, 12.1.3, 12.2.2 | -
CVE-2014-0366 | Oracle Applications Framework | HTTP | Attachments | No | 4.0 | Network | Low | Single | Partial | None | None | 11.5.10.2, 12.0.6, 12.1.3, 12.2.2 | -
CVE-2013-5874 | Oracle Application Object Library | None | Logging | No | 1.7 | Local | Low | Single | Partial | None | None | 11.5.10.2, 12.0.6, 12.1.3, 12.2.2 | -

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 16 new security fixes for the Oracle Supply Chain Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score (CVSS 2.0, see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-5897 | Oracle Agile Product Lifecycle Management for Process | HTTP | Manage Data Cache | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 6.0, 6.1, 6.1.1 | -
CVE-2014-0372 | Oracle Demantra Demand Management | HTTP | DM Others | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1, 12.2.2 | -
CVE-2013-5877 | Oracle Demantra Demand Management | HTTP | DM Others | Yes | 5.0 | Network | Low | None | Partial | None | None | 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1 | -
CVE-2013-5880 | Oracle Demantra Demand Management | HTTP | DM Others | Yes | 5.0 | Network | Low | None | Partial | None | None | 12.2.0, 12.2.1, 12.2.2 | -
CVE-2013-5795 | Oracle Demantra Demand Management | HTTP | DM Others | Yes | 5.0 | Network | Low | None | Partial+ | None | None | 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3 | -
CVE-2012-3544 | Oracle Transportation Management | HTTP | Application Server | Yes | 5.0 | Network | Low | None | None | None | Partial | 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2 | -
CVE-2014-0434 | Oracle Agile Product Lifecycle Management for Process | HTTP | Installation | Yes | 4.3 | Network | Medium | None | None | Partial | None | 6.0, 6.1, 6.1.1 | -
CVE-2014-0379 | Oracle Demantra Demand Management | HTTP | DM Others | Yes | 4.3 | Network | Medium | None | None | Partial | None | 7.2.0.3 SQL-Server, 7.3.0.x, 7.3.1.x, 12.2.0, 12.2.1, 12.2.2 | -
CVE-2013-2067 | Oracle Transportation Management | HTTP | Application Server | No | 4.0 | Network | Low | Single | Partial+ | None | None | 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2 | -
CVE-2013-2071 | Oracle Transportation Management | HTTP | Application Server | No | 4.0 | Network | Low | Single | Partial | None | None | 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2 | -
CVE-2014-0399 | Oracle Transportation Management | HTTP | Data, Domain & Function Security | No | 4.0 | Network | Low | Single | Partial | None | None | 6.2, 6.3, 6.3.1, 6.3.2 | -
CVE-2014-0435 | Oracle Transportation Management | HTTP | Data, Domain & Function Security | No | 4.0 | Network | Low | Single | None | None | Partial | 6.1, 6.2, 6.3, 6.3.1, 6.3.2 | -
CVE-2013-5871 | Oracle AutoVue | HTTP | Web General | No | 3.5 | Network | Medium | Single | Partial | None | None | 20.1.1 | -
CVE-2013-5868 | Oracle AutoVue | HTTP | Web General | No | 3.5 | Network | Medium | Single | Partial+ | None | None | 20.1.1 | -
CVE-2014-0444 | Oracle AutoVue | HTTP | Web General | No | 3.5 | Network | Medium | Single | Partial | None | None | 20.1.1 | -
CVE-2014-0371 | Oracle Demantra Demand Management | HTTP | DM Others | No | 3.5 | Network | Medium | Single | None | Partial | None | 7.2.0.3 SQL-Server, 7.3.0.x, 7.3.1.x, 12.2.0, 12.2.1, 12.2.2 | -

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 17 new security fixes for Oracle PeopleSoft Products. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score (CVSS 2.0, see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-5873 | PeopleSoft Enterprise PeopleTools | HTTP | Integration Broker | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.52, 8.53 | -
CVE-2014-0441 | PeopleSoft Enterprise PeopleTools | HTTP | Integration Broker | Yes | 5.0 | Network | Low | None | None | None | Partial | 8.52, 8.53 | -
CVE-2014-0396 | PeopleSoft Enterprise PeopleTools | HTTP | Portal - Web Services | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.52, 8.53 | -
CVE-2014-0443 | PeopleSoft Enterprise PeopleTools | HTTP | Security | Yes | 5.0 | Network | Low | None | None | Partial | None | 8.52 | -
CVE-2014-0394 | PeopleSoft Enterprise PeopleTools | HTTP | Updates Environment Mgmt | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.52, 8.53 | -
CVE-2014-0395 | PeopleSoft Enterprise PeopleTools | HTTP | Updates Environment Mgmt | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.52, 8.53 | -
CVE-2013-5909 | PeopleSoft Enterprise HRMS | HTTP | Org and Workforce Dev | No | 4.9 | Network | Medium | Single | Partial | Partial | None | 9.1, 9.2 | -
CVE-2013-5886 | PeopleSoft Enterprise HRMS | HTTP | Common Application Objects | Yes | 4.3 | Network | Medium | None | None | Partial | None | 9.1, 9.2 | -
CVE-2014-0380 | PeopleSoft Enterprise PeopleTools | HTTP | MultiChannel Framework (MCF) | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.52, 8.53 | -
CVE-2014-0445 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.52, 8.53 | -
CVE-2014-0392 | PeopleSoft Enterprise HRMS | HTTP | Security | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1, 9.2 | -
CVE-2014-0388 | PeopleSoft Enterprise HRMS Human Resources | HTTP | Org and Workforce Dev | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1, 9.2 | -
CVE-2014-0440 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | No | 4.0 | Network | Low | Single | None | None | Partial | 8.52, 8.53 | -
CVE-2014-0439 | PeopleSoft Enterprise PeopleTools | HTTP | Report Distribution | No | 4.0 | Network | Low | Single | None | Partial | None | 8.52, 8.53 | -
CVE-2014-0438 | PeopleSoft Enterprise PeopleTools | None | Panel Processor | No | 4.0 | Network | Low | Single | Partial | None | None | 8.52, 8.53 | -
CVE-2014-0425 | PeopleSoft Enterprise SCM Services Procurement | HTTP | Security | No | 4.0 | Network | Low | Single | Partial | None | None | 9.2 | -
CVE-2014-0381 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | Yes | 2.6 | Network | High | None | None | Partial | None | 8.52, 8.53 | -

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Siebel CRM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

(Columns Base Score through Availability are the CVSS version 2.0 risk metrics; see Risk Matrix Definitions.)

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | CVSS v2.0 Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2014-0369 | Siebel Core - EAI | HTTP | Java Integration | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.1.1, 8.2.2 |
CVE-2014-0370 | Siebel Life Sciences | HTTP | Clinical Trip Report | No | 2.8 | Network | Medium | Multiple | None | None | Partial | 8.1.1, 8.2.2 |

Oracle iLearning Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle iLearning Risk Matrix

(Columns Base Score through Availability are the CVSS version 2.0 risk metrics; see Risk Matrix Definitions.)

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | CVSS v2.0 Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2014-0389 | Oracle iLearning | HTTP | Learner Pages | Yes | 4.3 | Network | Medium | None | None | Partial | None | 6.0 |

Appendix - Oracle Financial Services Software

Oracle Financial Services Software Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Financial Services Software. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Financial Services Software Risk Matrix

(Columns Base Score through Availability are the CVSS version 2.0 risk metrics; see Risk Matrix Definitions.)

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | CVSS v2.0 Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-4316 | Oracle FLEXCUBE Private Banking | HTTP | Core | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1, 12.0.2 | See Note 1

Notes:

  1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.3: CVE-2013-4316 and CVE-2013-4310. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316.

Appendix - Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 36 new security fixes for Oracle Java SE. 34 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 release.

My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products that include an Oracle Java SE JDK or JRE.

Oracle Java SE Risk Matrix

(Columns Base Score through Availability are the CVSS version 2.0 risk metrics; see Risk Matrix Definitions.)

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | CVSS v2.0 Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2014-0410 | Java SE | Multiple | Deployment | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 6u65, Java SE 7u45 | See Note 1
CVE-2014-0415 | Java SE | Multiple | Deployment | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 6u65, Java SE 7u45 | See Note 1
CVE-2013-5907 | Java SE, JRockit, Java SE Embedded | Multiple | 2D | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JRockit R27.7.7, JRockit R28.2.9, Java SE Embedded 7u45 | See Note 2
CVE-2014-0428 | Java SE, Java SE Embedded | Multiple | CORBA | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1
CVE-2014-0422 | Java SE, Java SE Embedded | Multiple | JNDI | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1
CVE-2014-0385 | Java SE | HTTP | Install | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u45 on OS X | See Note 3
CVE-2013-5889 | Java SE | Multiple | Deployment | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 6u65, Java SE 7u45 | See Note 1
CVE-2014-0408 | Java SE | Multiple | Hotspot | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u45 on OS X | See Note 1
CVE-2013-5893 | Java SE, Java SE Embedded | Multiple | Libraries | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u45, Java SE Embedded 7u45 | See Note 1
CVE-2014-0417 | Java SE, JavaFX, Java SE Embedded | Multiple | 2D | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JavaFX 2.2.45, Java SE Embedded 7u45 | See Note 1
CVE-2014-0387 | Java SE | Multiple | Deployment | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | Java SE 6u65, Java SE 7u45 on Firefox | See Note 1
CVE-2014-0424 | Java SE | Multiple | Deployment | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | Java SE 6u65, Java SE 7u45 | See Note 1
CVE-2014-0373 | Java SE | Multiple | Serviceability | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | Java SE 5.0u55, Java SE 6u65, Java SE 7u45 | See Note 1
CVE-2013-5878 | Java SE, Java SE Embedded | Multiple | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1
CVE-2013-5904 | Java SE | Multiple | Deployment | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | Java SE 7u45 | See Note 1
CVE-2013-5870 | Java SE, JavaFX | Multiple | JavaFX | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | Java SE 7u45, JavaFX 2.2.45 | See Note 1
CVE-2014-0403 | Java SE | Multiple | Deployment | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | Java SE 6u65, Java SE 7u45 | See Note 1
CVE-2014-0375 | Java SE | Multiple | Deployment | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | Java SE 6u65, Java SE 7u45 | See Note 1
CVE-2014-0423 | Java SE, JRockit, Java SE Embedded | Multiple | Beans | No | 5.5 | Network | Low | Single | Partial | None | Partial | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JRockit R27.7.7, JRockit R28.2.9, Java SE Embedded 7u45 | See Note 2
CVE-2013-5905 | Java SE | HTTP | Install | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | Java SE 5.0u55, Java SE 6u65, Java SE 7u45 | See Note 3
CVE-2013-5906 | Java SE | HTTP | Install | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | Java SE 5.0u55, Java SE 6u65, Java SE 7u45 | See Note 3
CVE-2013-5902 | Java SE | Multiple | Deployment | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | Java SE 6u65, Java SE 7u45 | See Note 1
CVE-2014-0418 | Java SE | Multiple | Deployment | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | Java SE 6u65, Java SE 7u45 | See Note 1
CVE-2013-5887 | Java SE | HTTP | Deployment | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE 6u65, Java SE 7u45 | See Note 1
CVE-2013-5899 | Java SE | Multiple | Deployment | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 6u65, Java SE 7u45 | See Note 1
CVE-2013-5896 | Java SE, Java SE Embedded | Multiple | CORBA | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1
CVE-2013-5884 | Java SE, Java SE Embedded | Multiple | CORBA | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1
CVE-2014-0416 | Java SE, Java SE Embedded | Multiple | JAAS | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1
CVE-2014-0376 | Java SE, Java SE Embedded | Multiple | JAXP | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1
CVE-2014-0368 | Java SE, Java SE Embedded | Multiple | Networking | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1
CVE-2013-5910 | Java SE, Java SE Embedded | Multiple | Security | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1
CVE-2013-5895 | Java SE, JavaFX | Multiple | JavaFX | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 7u45, JavaFX 2.2.45 | See Note 1
CVE-2013-5888 | Java SE | Multiple | Deployment | No | 4.6 | Local | Low | None | Partial | Partial | Partial | Java SE 6u65, Java SE 7u45 | See Note 4
CVE-2014-0382 | Java SE, JavaFX | Multiple | JavaFX | Yes | 4.3 | Network | Medium | None | None | None | Partial | Java SE 7u45, JavaFX 2.2.45 | See Note 1
CVE-2013-5898 | Java SE | HTTP | Deployment | Yes | 4.0 | Network | High | None | Partial | Partial | None | Java SE 6u65, Java SE 7u45 | See Note 1
CVE-2014-0411 | Java SE, JRockit, Java SE Embedded | SSL/TLS | JSSE | Yes | 4.0 | Network | High | None | Partial | Partial | None | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JRockit R27.7.7, JRockit R28.2.9, Java SE Embedded 7u45 | See Note 5

Notes:

  1. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
  2. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
  3. Applies to installation process on client deployment of Java.
  4. Applies to client deployment of Java under GNOME environment on Linux and Solaris.
  5. Applies to client and server deployment of JSSE.

Appendix - Oracle and Sun Systems Products Suite

Oracle and Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 11 new security fixes for the Oracle and Sun Systems Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle and Sun Systems Products Suite Risk Matrix

(Columns Base Score through Availability are the CVSS version 2.0 risk metrics; see Risk Matrix Definitions.)

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | CVSS v2.0 Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2003-1067 | Solaris | None | Localization (L10N) | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 8, 9 | See Note 1
CVE-2013-5834 | Solaris | None | "ps" command line utility | No | 6.2 | Local | High | None | Complete | Complete | Complete | 8 |
CVE-2013-5833 | Solaris | None | Filesystem | No | 4.9 | Local | Low | None | None | None | Complete | 8, 9 |
CVE-2013-5876 | Solaris | None | Kernel | No | 4.9 | Local | Low | None | None | None | Complete | 10, 11.1 |
CVE-2013-5821 | Solaris | None | Remote Procedure Call (RPC) | No | 4.6 | Local | Low | None | Partial | Partial | Partial | 8, 9, 10, 11.1 |
CVE-2014-0390 | Solaris | HTTP | Java Web Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10 |
CVE-2013-5883 | Solaris | None | Kernel | No | 3.2 | Local | Low | Single | None | Partial | Partial | 8 | See Note 1
CVE-2013-5875 | Solaris | None | Role Based Access Control (RBAC) | No | 2.7 | Local | Medium | Multiple | None | Partial | Partial | 11.1 |
CVE-2013-5872 | Solaris | None | Name Service Cache Daemon (NSCD) | No | 2.1 | Local | Low | None | None | None | Partial+ | 10, 11.1 |
CVE-2013-2924 | Solaris | None | Localization (L10N) | No | 1.9 | Local | Medium | None | None | None | Partial | 11.1 |
CVE-2013-5885 | Solaris | None | Audit | No | 1.7 | Local | Low | Single | None | Partial | None | 11.1 |

Notes:

  1. Applies only when Solaris is running on SPARC platform.

Appendix - Oracle Linux and Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 9 new security fixes for Oracle Virtualization. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

(Columns Base Score through Availability are the CVSS version 2.0 risk metrics; see Risk Matrix Definitions.)

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | CVSS v2.0 Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-2067 | Oracle Secure Global Desktop (SGD) | HTTP | Apache Tomcat | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | SGD prior to 4.63 with December 2013 PSU, 4.71 |
CVE-2014-0419 | Oracle Secure Global Desktop (SGD) | HTTP | Administration Console and Workspace Web Applications | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | SGD prior to 4.63 with December 2013 PSU, 4.71, 5.0 with December 2013 PSU, 5.10 |
CVE-2012-3544 | Oracle Secure Global Desktop (SGD) | HTTP | Apache Tomcat | Yes | 5.0 | Network | Low | None | None | None | Partial | SGD prior to 4.63 with December 2013 PSU, 4.71 |
CVE-2013-5892 | Oracle VM VirtualBox | None | Core | No | 3.5 | Local | High | Single | Partial+ | Partial+ | Partial+ | VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.22, 4.3.6 |
CVE-2014-0407 | Oracle VM VirtualBox | None | Core | No | 3.5 | Local | High | Single | Partial+ | Partial+ | Partial+ | VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4 |
CVE-2014-0405 | Oracle VM VirtualBox | None | Core | No | 3.5 | Local | High | Single | Partial | Partial | Partial | VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4 | See Note 1
CVE-2013-2071 | Oracle Secure Global Desktop (SGD) | HTTP | Apache Tomcat | Yes | 2.6 | Network | High | None | Partial | None | None | SGD prior to 4.71 with December 2013 PSU, 5.0 with December 2013 PSU | See Note 2
CVE-2014-0406 | Oracle VM VirtualBox | None | Core | No | 2.4 | Local | High | Single | None | Partial+ | Partial | VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4 |
CVE-2014-0404 | Oracle VM VirtualBox | None | Core | No | 2.4 | Local | High | Single | None | Partial | Partial+ | VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4 |

Notes:

  1. Applies only when a Windows guest with VirtualBox Additions installed is running on VirtualBox.
  2. SGD releases prior to SGD 4.7 are not affected by CVE-2013-2071 as they do not ship with Apache Tomcat 7.x, which is the only affected release of Tomcat.

Appendix - Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 18 new security fixes for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

(Columns Base Score through Availability are the CVSS version 2.0 risk metrics; see Risk Matrix Definitions.)

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | CVSS v2.0 Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-4316 | MySQL Enterprise Monitor | HTTP | Service Manager | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 3.0.4 and earlier, 2.3.14 and earlier | See Note 1
CVE-2013-5860 | MySQL Server | MySQL Protocol | GIS | No | 6.8 | Network | Low | Single | None | None | Complete | 5.6.14 and earlier |
CVE-2013-5882 | MySQL Server | MySQL Protocol | Stored Procedure | No | 6.8 | Network | Low | Single | None | None | Complete | 5.6.13 and earlier |
CVE-2014-0433 | MySQL Server | MySQL Protocol | Thread Pooling | Yes | 4.3 | Network | Medium | None | None | None | Partial | 5.6.13 and earlier |
CVE-2013-5894 | MySQL Server | MySQL Protocol | InnoDB | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.13 and earlier |
CVE-2013-5881 | MySQL Server | MySQL Protocol | InnoDB | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.14 and earlier |
CVE-2014-0412 | MySQL Server | MySQL Protocol | InnoDB | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier |
CVE-2014-0402 | MySQL Server | MySQL Protocol | Locking | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.71 and earlier, 5.5.33 and earlier, 5.6.13 and earlier |
CVE-2014-0386 | MySQL Server | MySQL Protocol | Optimizer | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.71 and earlier, 5.5.33 and earlier, 5.6.13 and earlier |
CVE-2013-5891 | MySQL Server | MySQL Protocol | Partition | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.33 and earlier, 5.6.13 and earlier |
CVE-2014-0401 | MySQL Server | MySQL Protocol | Privileges | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier |
CVE-2014-0427 | MySQL Server | MySQL Protocol | FTS | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.13 and earlier |
CVE-2014-0431 | MySQL Server | MySQL Protocol | InnoDB | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.14 and earlier |
CVE-2014-0437 | MySQL Server | MySQL Protocol | Optimizer | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier |
CVE-2014-0393 | MySQL Server | MySQL Protocol | InnoDB | No | 3.3 | Network | Low | Multiple | None | Partial | None | 5.1.71 and earlier, 5.5.33 and earlier, 5.6.13 and earlier |
CVE-2014-0430 | MySQL Server | MySQL Protocol | Performance Schema | No | 2.8 | Network | Medium | Multiple | None | None | Partial+ | 5.6.13 and earlier |
CVE-2014-0420 | MySQL Server | MySQL Protocol | Replication | No | 2.8 | Network | Medium | Multiple | None | None | Partial+ | 5.5.34 and earlier, 5.6.14 and earlier |
CVE-2013-5908 | MySQL Server | MySQL Protocol | Error Handling | Yes | 2.6 | Network | High | None | None | None | Partial+ | 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier |

Notes:

  1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.3: CVE-2013-4316 and CVE-2013-4310. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316. The CVSS score is 10.0 if MySQL Enterprise Monitor runs with admin or root privileges. The score would be 7.5 if MySQL Enterprise Monitor runs with non-admin privileges and the impact on Confidentiality, Integrity and Availability would be Partial+.
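
Both Struts notes on this page (the Oracle Financial Services Software note and this MySQL Enterprise Monitor note) state that the fix is the upgrade to Struts 2.3.15.3. The following is an added example, not Oracle's or Apache's code: an inventory script that walks an installation tree, finds struts2-core jars, reads the version Maven records inside each jar (falling back to the file name) and flags anything older than 2.3.15.3. The directory layout, file names and jar contents built in demo() are constructed sample data; the pom.properties path is the standard Maven layout, assumed here to be present in the jars a product ships.

```python
"""Find struts2-core jars older than 2.3.15.3 (added example, not Oracle tooling)."""
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 3, 15, 3)  # Struts 2.3.15.3, the release the notes name

# struts2-core-2.3.15.1.jar, struts2-core-2.3.16.jar, or a bare struts2-core.jar.
JAR_NAME = re.compile(r"^struts2-core(?:-(\d+(?:\.\d+)*))?\.jar$")
# Maven records the artifact version here (assumption: the jar was built by Maven).
POM_PROPERTIES = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(text):
    """'2.3.15.3' -> (2, 3, 15, 3); raises ValueError for anything non-numeric."""
    return tuple(int(part) for part in text.strip().split("."))


def needs_upgrade(version, fixed=FIXED_VERSION):
    """True when `version` is older than `fixed`, or cannot be parsed at all
    (an unknown version is reported for manual review rather than ignored)."""
    try:
        return parse_version(version) < fixed
    except ValueError:
        return True


def jar_version(path):
    """Version of a struts2-core jar, preferring pom.properties inside the jar over
    the file name (renamed jars lie). Returns None if the jar is not struts2-core,
    and "unknown" if it is but carries no version anywhere."""
    match = JAR_NAME.match(os.path.basename(path))
    is_struts = match is not None
    version = match.group(1) if match else None
    try:
        with zipfile.ZipFile(path) as jar:
            if POM_PROPERTIES in jar.namelist():
                is_struts = True
                text = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        pass  # not a valid zip; rely on the file name alone
    if not is_struts:
        return None
    return version or "unknown"


def scan(root, fixed=FIXED_VERSION):
    """Walk `root` and return {relative path: (version, needs_upgrade)} for every
    struts2-core jar found; paths use '/' regardless of platform."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if not filename.endswith(".jar"):
                continue
            path = os.path.join(dirpath, filename)
            version = jar_version(path)
            if version is None:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings[rel] = (version, needs_upgrade(version, fixed))
    return findings


def _write_jar(path, version=None):
    """Constructed sample jar: a zip with a manifest and, optionally, pom.properties."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            jar.writestr(POM_PROPERTIES, "groupId=org.apache.struts\n"
                         "artifactId=struts2-core\nversion=%s\n" % version)


def demo():
    """Build a constructed sample tree (not a real product install) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        _write_jar(os.path.join(root, "app1", "WEB-INF", "lib", "struts2-core-2.3.15.1.jar"), "2.3.15.1")
        _write_jar(os.path.join(root, "app2", "WEB-INF", "lib", "struts2-core-2.3.15.3.jar"), "2.3.15.3")
        # File name claims 2.3.16; pom.properties shows an older build was renamed.
        _write_jar(os.path.join(root, "app3", "lib", "struts2-core-2.3.16.jar"), "2.3.14.3")
        _write_jar(os.path.join(root, "app4", "lib", "commons-lang-2.4.jar"))
        _write_jar(os.path.join(root, "app5", "lib", "struts2-core.jar"))
        return scan(root)


if __name__ == "__main__":
    for rel, (version, flagged) in sorted(demo().items()):
        print("%-45s %-10s %s" % (rel, version, "UPGRADE" if flagged else "ok"))
```

Point scan() at a real installation root to inventory it; anything reported as UPGRADE or unknown should be reconciled against the vendor patch for that product rather than patched by swapping the jar by hand.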