No results found

Your search did not match any results.

We suggest you try the following to help find what you’re looking for:

  • Check the spelling of your keyword search.
  • Use synonyms for the keyword you typed, for example, try “application” instead of “software.”
  • Try one of the popular searches shown below.
  • Start a new search.
Trending Questions

Oracle Critical Patch Update Advisory - July 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 444 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at July 2020 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions Patch Availability Document
Category Management Planning & Optimization, version 15.0.3 Retail Applications
Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0 Retail Applications
Enterprise Manager Base Platform, versions 12.1.0.5, 13.3.0.0, 13.4.0.0 Enterprise Manager
Enterprise Manager for Fusion Middleware, version 12.1.0.5 Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0 Enterprise Manager
GoldenGate Stream Analytics, versions prior to 19.1.0.0.1 Database
Hyperion Financial Close Management, version 11.1.2.4 Fusion Middleware
Instantis EnterpriseTrack, versions 17.1-17.3 Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.4.2 JD Edwards
JD Edwards EnterpriseOne Tools, versions prior to 9.2.3.3, prior to 9.2.4.2 JD Edwards
MySQL Client, versions 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior MySQL
MySQL Cluster, versions 7.3.29 and prior, 7.4.28 and prior, 7.5.18 and prior, 7.6.14 and prior, 8.0.20 and prior MySQL
MySQL Connectors, versions 8.0.20 and prior MySQL
MySQL Enterprise Monitor, versions 4.0.12 and prior, 8.0.20 and prior MySQL
MySQL Server, versions 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior MySQL
Oracle Agile Engineering Data Management, version 6.2.1.0 Oracle Supply Chain Products
Oracle Application Express, versions 5.1-19.2 Database
Oracle Application Testing Suite, versions 13.2.0.1, 13.3.0.1 Enterprise Manager
Oracle AutoVue, version 21.0 Oracle Supply Chain Products
Oracle Banking Enterprise Collections, versions 2.7.0-2.9.0 Oracle Banking Platform
Oracle Banking Payments, versions 14.1.0-14.4.0 Oracle Financial Services Applications
Oracle Banking Platform, versions 2.4.0-2.10.0 Oracle Banking Platform
Oracle Berkeley DB, versions prior to 6.1.38, prior to 18.1.40 Berkeley DB
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 Fusion Middleware
Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 11.0, 11.1, 11.2, prior to 11.3.1 Oracle Commerce
Oracle Commerce Platform, versions 11.1, 11.2, prior to 11.3.1 Oracle Commerce
Oracle Commerce Service Center, versions 11.1, 11.2, prior to 11.3.1 Oracle Commerce
Oracle Communications Analytics, version 12.1.1 Oracle Communications Analytics
Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.3.0 Oracle Communications Billing and Revenue Management
Oracle Communications BRM - Elastic Charging Engine, versions 11.3, 12.0 Oracle Communications BRM - Elastic Charging Engine
Oracle Communications Contacts Server, version 8.0.0.4.0 Oracle Communications Contacts Server
Oracle Communications Convergence, versions 3.0.1.0-3.0.2.1 Oracle Communications Convergence
Oracle Communications Diameter Signaling Router (DSR), versions 8.0-8.4 Oracle Communications Diameter Signaling Router
Oracle Communications Element Manager, versions 8.1.1, 8.2.0, 8.2.1 Oracle Communications Element Manager
Oracle Communications Evolved Communications Application Server, version 7.1 Oracle Communications Evolved Communications Application Server
Oracle Communications Instant Messaging Server, version 10.0.1.4.0 Oracle Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder, versions 6.1-6.4 Oracle Communications Interactive Session Recorder
Oracle Communications IP Service Activator, versions 7.3.0, 7.4.0 Oracle Communications IP Service Activator
Oracle Communications LSMS, versions 13.0-13.3 Oracle Communications LSMS
Oracle Communications Messaging Server, versions 8.0.2, 8.1.0 Oracle Communications Messaging Server
Oracle Communications MetaSolv Solution, version 6.3.0 Oracle Communications MetaSolv Solution
Oracle Communications Network Charging and Control, versions 6.0.1, 12.0.0-12.0.3 Oracle Communications Network Charging and Control
Oracle Communications Network Integrity, versions 7.3.2-7.3.6 Oracle Communications Network Integrity
Oracle Communications Operations Monitor, versions 3.4, 4.1-4.3 Oracle Communications Operations Monitor
Oracle Communications Order and Service Management, versions 7.3, 7.4 Oracle Communications Order and Service Management
Oracle Communications Services Gatekeeper, versions 6.0, 6.1, 7.0 Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions 8.1.0, 8.2.0, 8.3.0 Oracle Communications Session Border Controller
Oracle Communications Session Report Manager, versions 8.1.1, 8.2.0, 8.2.1 Oracle Communications Session Report Manager
Oracle Communications Session Route Manager, versions 8.1.1, 8.2.0, 8.2.1 Oracle Communications Session Route Manager
Oracle Configuration Manager, version 12.1.2.0.6 Enterprise Manager
Oracle Configurator, versions 12.1, 12.2 Oracle Supply Chain Products
Oracle Data Masking and Subsetting, versions 13.3.0.0, 13.4.0.0 Enterprise Manager
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Spatial Studio] prior to 19.2.1 Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9 E-Business Suite
Oracle Endeca Information Discovery Studio, version 3.2.0 Fusion Middleware
Oracle Enterprise Communications Broker, versions 3.0.0-3.2.0 Oracle Enterprise Communications Broker
Oracle Enterprise Repository, version 11.1.1.7.0 Fusion Middleware
Oracle Enterprise Session Border Controller, versions 8.1.0, 8.2.0, 8.3.0 Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0 Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Compliance Regulatory Reporting, versions 8.0.6-8.0.8 Oracle Financial Services Compliance Regulatory Reporting
Oracle Financial Services Lending and Leasing, versions 12.5.0, 14.1.0-14.8.0 Oracle Financial Services Applications
Oracle Financial Services Liquidity Risk Management, version 8.0.6 Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8 Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8 Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank, version 8.0.4 Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank
Oracle FLEXCUBE Investor Servicing, versions 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0 Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0 Oracle Financial Services Applications
Oracle Fusion Middleware MapViewer, versions 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Global Lifecycle Management/OPatch, versions prior to 12.2.0.1.20 Global Lifecycle Management
Oracle GoldenGate, versions prior to 19.1.0.0.0 Database
Oracle GraalVM Enterprise Edition, versions 19.3.2, 20.1.0 Oracle GraalVM Enterprise Edition
Oracle Health Sciences Empirica Inspections, version 1.0.1.2 Health Sciences
Oracle Health Sciences Empirica Signal, version 7.3.3 Health Sciences
Oracle Healthcare Master Person Index, version 4.0.2 Health Sciences
Oracle Healthcare Translational Research, versions 3.2.1, 3.3.1, 3.3.2, 3.4.0 Health Sciences
Oracle Help Technologies, versions 11.1.1.9.0, 12.2.1.3.0 Fusion Middleware
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 Oracle Hospitality Guest Access
Oracle Hospitality Reporting and Analytics, version 9.1.0 Oracle Hospitality Reporting and Analytics
Oracle Hyperion BI+, version 11.1.2.4 Fusion Middleware
Oracle iLearning, versions 6.1, 6.1.1 iLearning
Oracle Insurance Accounting Analyzer, versions 8.0.6-8.0.9 Oracle Insurance Accounting Analyzer
Oracle Insurance Data Gateway, version 1.0 Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0 Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0 Oracle Insurance Applications
Oracle Java SE, versions 7u261, 8u251, 11.0.7, 14.0.1 Java SE
Oracle Java SE Embedded, version 8u251 Java SE
Oracle Outside In Technology, versions 8.5.4, 8.5.5 Fusion Middleware
Oracle Rapid Planning, versions 12.1, 12.2 Oracle Supply Chain Products
Oracle Real User Experience Insight, version 13.3.1.0 Enterprise Manager
Oracle Retail Assortment Planning, versions 15.0, 15.0.3, 16.0, 16.0.3 Retail Applications
Oracle Retail Bulk Data Integration, versions 15.0, 16.0 Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, version 18.0 Retail Applications
Oracle Retail Data Extractor for Merchandising, versions 1.9, 1.10, 18.0 Retail Applications
Oracle Retail Extract Transform and Load, version 19.0 Retail Applications
Oracle Retail Financial Integration, versions 15.0, 16.0 Retail Applications
Oracle Retail Fusion Platform, version 5.5 Retail Applications
Oracle Retail Integration Bus, versions 15.0, 15.0.3, 16.0, 16.0.3 Retail Applications
Oracle Retail Invoice Matching, version 16.0 Retail Applications
Oracle Retail Item Planning, version 15.0.3 Retail Applications
Oracle Retail Macro Space Optimization, version 15.0.3 Retail Applications
Oracle Retail Merchandise Financial Planning, version 15.0.3 Retail Applications
Oracle Retail Merchandising System, versions 15.0.3, 16.0.2, 16.0.3 Retail Applications
Oracle Retail Order Broker, version 15.0 Retail Applications
Oracle Retail Predictive Application Server, versions 14.0.3, 14.1.3, 15.0.3, 16.0.3 Retail Applications
Oracle Retail Regular Price Optimization, versions 15.0.3, 16.0.3 Retail Applications
Oracle Retail Replenishment Optimization, version 15.0.3 Retail Applications
Oracle Retail Sales Audit, version 14.1 Retail Applications
Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0 Retail Applications
Oracle Retail Size Profile Optimization, version 15.0.3 Retail Applications
Oracle Retail Store Inventory Management, versions 14.0.4, 14.1.3, 15.0.3, 16.0.3 Retail Applications
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 18.0, 19.0 Retail Applications
Oracle SD-WAN Aware, versions 8.0, 8.1, 8.2 Oracle SD-WAN Aware
Oracle SD-WAN Edge, versions 8.0, 8.1, 8.2, 9.0 Oracle SD-WAN Edge
Oracle Security Service, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Solaris, version 11 Systems
Oracle TimesTen In-Memory Database, versions prior to 18.1.2.1.0 Database
Oracle Transportation Management, versions 6.3.7, 6.4.3 Oracle Supply Chain Products
Oracle Unified Directory, versions 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Utilities Framework, versions 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8 Systems
PeopleSoft Enterprise FIN Expenses, version 9.2 PeopleSoft
PeopleSoft Enterprise HCM Global Payroll Switzerland, version 9.2 PeopleSoft
PeopleSoft Enterprise HRMS, version 9.2 PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58 PeopleSoft
Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4 Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.6 Oracle Construction and Engineering Suite
Primavera Portfolio Management, versions 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0 Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, [Mobile App] prior to 20.6 Oracle Construction and Engineering Suite
Siebel Applications, versions 2.20.5 and prior, 20.6 and prior Siebel

Note:

  • Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
  • Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets which contain critical security fixes and detailed in Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
  • Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • Abdullah Alzahrani: CVE-2020-14554, CVE-2020-14635
  • Alessandro Bosco of TIM S.p.A: CVE-2020-14690
  • Alexander Kornbrust of Red Database Security: CVE-2020-2984
  • Alves Christopher (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
  • Ammarit Thongthua of Secure D Center Cybersecurity Team: CVE-2020-14558, CVE-2020-14564
  • Andrej Simko of Accenture: CVE-2020-14534, CVE-2020-14555, CVE-2020-14590, CVE-2020-14657, CVE-2020-14658, CVE-2020-14659, CVE-2020-14660, CVE-2020-14661, CVE-2020-14665, CVE-2020-14666, CVE-2020-14667, CVE-2020-14679, CVE-2020-14688
  • Antonin B. of NCIA / NCSC: CVE-2020-14610
  • Arseniy Sharoglazov of Positive Technologies: CVE-2020-14622
  • Artur Wojtkowski and CQURE Team: CVE-2020-14617, CVE-2020-14618
  • Billy Cody of Context Information Security: CVE-2020-14595
  • Bui Duong from Viettel Cyber Security: CVE-2020-14611
  • CERT/CC: CVE-2020-14558
  • Chathura Abeydeera of Deloitte Risk Advisory Pty Ltd: CVE-2020-14531
  • Chi Tran: CVE-2020-14534, CVE-2020-14716, CVE-2020-14717
  • Conor McErlane working with Trend Micro's Zero Day Initiative: CVE-2020-14628
  • Damian Bury: CVE-2020-14546
  • Edoardo Predieri of TIM S.p.A: CVE-2020-14690
  • Emad Al-Mousa of Saudi Aramco: CVE-2020-2969, CVE-2020-2978
  • Fabio Minarelli of TIM S.p.A: CVE-2020-14690
  • Filip Ceglik: CVE-2020-14560, CVE-2020-14565
  • Forum Bhayani: CVE-2020-14592
  • Francesco Russo of TIM S.p.A: CVE-2020-14690
  • Giovanni Delvecchio of Almaviva Security Assessment Team: CVE-2020-14607, CVE-2020-14608
  • Hangfan Zhang: CVE-2020-14575, CVE-2020-14654
  • Hugo Santiago dos Santos: CVE-2020-14613
  • Johannes Kuhn: CVE-2020-14556
  • Julien Zhan (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
  • kdot working with Trend Micro Zero Day Initiative: CVE-2020-14664
  • Khuyen Nguyen of secgit.com: CVE-2020-14668, CVE-2020-14669, CVE-2020-14670, CVE-2020-14671, CVE-2020-14681, CVE-2020-14682, CVE-2020-14686
  • Kingkk: CVE-2020-14642, CVE-2020-14644
  • Kritsada Sunthornwutthikrai of Secure D Center Cybersecurity Team: CVE-2020-14558, CVE-2020-14564
  • Larry W. Cashdollar: CVE-2020-14724
  • Lionel Debroux: CVE-2020-2981
  • Luca Di Giuseppe of TIM S.p.A: CVE-2020-14690
  • Lucas Leong of Trend Micro Zero Day Initiative: CVE-2020-14646, CVE-2020-14647, CVE-2020-14648, CVE-2020-14649, CVE-2020-14650, CVE-2020-14673, CVE-2020-14674, CVE-2020-14694, CVE-2020-14695, CVE-2020-14703, CVE-2020-14704
  • lufei of Tencent Force: CVE-2020-14645
  • Lukas Braune of Siemens: CVE-2019-8457
  • Lukasz Mikula: CVE-2020-14541
  • Lukasz Rupala of ING Tech Poland: CVE-2020-14552
  • Maoxin Lin of Dbappsecurity Team: CVE-2020-14645, CVE-2020-14652
  • Marco Marsala: CVE-2020-14559
  • Markus Loewe: CVE-2020-14583
  • Markus Wulftange of Code White GmbH: CVE-2020-14644, CVE-2020-14645, CVE-2020-14687
  • Massimiliano Brolli of TIM S.p.A: CVE-2020-14690
  • Mateusz Dabrowski: CVE-2020-14584, CVE-2020-14585
  • Maxime Escourbiac of Michelin CERT: CVE-2020-14719, CVE-2020-14720
  • Mohamed Fadel: CVE-2020-14601, CVE-2020-14602, CVE-2020-14603, CVE-2020-14604, CVE-2020-14605
  • Ntears of Chaitin Security Team: CVE-2020-14645, CVE-2020-14652
  • Owais Zaman of Sabic: CVE-2020-14551
  • Pavel Cheremushkin: CVE-2020-14713
  • Philippe Antoine (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
  • Philippe Arteau of GoSecure: CVE-2020-14577
  • Preeyakorn Keadsai of Secure D Center Cybersecurity Team: CVE-2020-14558, CVE-2020-14564
  • Przemyslaw Nowakowski: CVE-2020-2977
  • Quynh Le of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-14625
  • r00t4dm from A-TEAM of Legendsec at Qi'anxin Group: CVE-2020-14636, CVE-2020-14637, CVE-2020-14638, CVE-2020-14639, CVE-2020-14640, CVE-2020-14645, CVE-2020-14652
  • Reno Robert working with Trend Micro Zero Day Initiative: CVE-2020-14629, CVE-2020-14675, CVE-2020-14676, CVE-2020-14677
  • Roberto Suggi Liverani of NCIA / NCSC: CVE-2020-14610
  • Roger Meyer: CVE-2020-2513, CVE-2020-2971, CVE-2020-2972, CVE-2020-2973, CVE-2020-2974, CVE-2020-2975, CVE-2020-2976
  • Roman Shemyakin: CVE-2020-14621
  • Rui Zhong: CVE-2020-14575, CVE-2020-14654
  • Saeed Shiravi: CVE-2020-14548
  • Shimizu Kawasaki of Asiainfo-sec of CSS Group: CVE-2020-14645, CVE-2020-14652
  • Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2020-14532, CVE-2020-14533
  • Suthum Thitiananpakorn: CVE-2020-14569
  • Ted Raffle of rapid7.com: CVE-2020-14535, CVE-2020-14536
  • Tomasz Stachowicz: CVE-2020-14570, CVE-2020-14571
  • Trung Le: CVE-2020-14534, CVE-2020-14716, CVE-2020-14717
  • Tuan Anh Nguyen of Viettel Cyber Security: CVE-2020-14598, CVE-2020-14599
  • Vijayakumar Muniraj of CybersecurityWorks Research Labs: CVE-2020-14723
  • Yaoguang Chen of Ant-financial Light-Year Security Lab: CVE-2020-14654, CVE-2020-14725
  • Yongheng Chen: CVE-2020-14575, CVE-2020-14654
  • ZeddYu Lu of StarCross Tech: CVE-2020-14588, CVE-2020-14589
  • Zhao Xin Jun: CVE-2020-14652
  • Zhongcheng Li (CK01) from Zero-dayits Team of Legendsec at Qi'anxin Group​: CVE-2020-14711, CVE-2020-14712
  • Ziming Zhang from Codesafe Team of Legendsec at Qi'anxin Group: CVE-2020-14707, CVE-2020-14714, CVE-2020-14715
  • Ziming Zhang from Codesafe Team of Legendsec at Qi'anxin Group working with Trend Micro Zero Day Initiative: CVE-2020-14698, CVE-2020-14699, CVE-2020-14700
  • Zouhair Janatil-Idrissi (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program.:

  • Alexander Kornbrust of Red Database Security [10 reports]
  • Cao Linhong of Sangfor Furthereye Security Team
  • Chi Tran [2 reports]
  • Fatih Çelik
  • James Nichols of 80/20 Labs
  • lufei of Tencent Force
  • Maoxin Lin of Dbappsecurity Team
  • Marc Fielding of Google
  • Markus Loewe [2 reports]
  • r00t4dm from A-TEAM of Legendsec at Qi'anxin Group
  • Ryan Gerstenkorn
  • Saeid Tizpaz Niari
  • Shimizu Kawasaki of Asiainfo-sec of CSS Group
  • Trung Le [2 reports]
  • Venustech ADLab
  • Yu Wang of BMH Security Team [2 reports]

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

  • 0xd0ff9 aka Bao Bui
  • 1ZRR4H aka Germán Fernández
  • @ngkogkos hunt4p1zza
  • Abdulkadir Mutlu
  • Abdullah Mohamed
  • Abhinav P
  • Aditra Andri Laksana
  • Ahmed Moustafa
  • Alfie Njeru (emenalf)
  • Aman Deep Singh Chawla
  • Anas Rahmani
  • Anat Bremler-Barr
  • Anis Azzi
  • Anon Venus
  • Ansar Uddin Anan
  • Ben Passmore
  • Celal Erdik of Ebruu Tech Limited
  • Chirag Prajapati
  • Dave Altena
  • Dhamu Harker
  • Dhiral Patel
  • Dhiren Kumar Pradhan
  • Elmonzer Kamaleldin of Monzer Kamal
  • HackersEra VMS [2 reports]
  • Hamza Megahed
  • Harpreet Singh of Pyramid Cyber Security & Forensic Pvt Ltd
  • Harry The DevOps Guy
  • Ilyas Orak
  • Jagdish Bharucha
  • Jatin Saini
  • Jeremy Lindsey of Burns & McDonnell [2 reports]
  • Jin DanLong
  • Josue Acevedo Maldonado
  • Ken Nevers
  • Kishore Hariram [2 reports]
  • Last Light [2 reports]
  • Lior Shafir
  • Luciano Anezin
  • Maayan Amid of Orca Security
  • Magrabur Alam Sofily
  • Matthijs R. Koot [2 reports]
  • Mayur Gupta
  • Meridian Miftari
  • Moaied Nagi Hassan (Moonlight)
  • Mohit Khemchandani
  • Muhammad Abdullah
  • Naveen Kumar
  • Ome Mishra
  • Prathmesh Lalingkar
  • Pratish Bhansali
  • Prince Achillies
  • Pritam Mukherjee
  • Rajesh Patil
  • Raphael Karger
  • Ricardo Iramar dos Santos
  • Ridvan Erbas
  • Roger Meyer
  • rootme34
  • Russell Muetzelfeldt of Flybuys
  • Saad Zitouni
  • Sajid Ali
  • Sam Jadali
  • Sarath Kumar (Kadavul)
  • Saurabh Dilip Mhatre
  • Severus of VietSunshine Security Engineering Team
  • Shailesh Kumar
  • Shubham Khadgi
  • Sipke Mellema
  • Siva Pathela
  • Smii Mondher
  • Srinivas M
  • Tinu Tomy
  • Tony Marcel Nasr [2 reports]
  • Tuatnh
  • Tushar Bhardwaj
  • Ujjwal Tyagi
  • Valentin Virtejanu of Lifespan
  • Victor Gevers
  • Viet Nguyen [2 reports]
  • Virendra Tiwari
  • Vishal Ajwani
  • Vlad Staricin
  • Yehuda Afek
  • Youssef A. Mohamed aka GeneralEG
  • Zubin

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 20 October 2020
  • 19 January 2021
  • 20 April 2021
  • 20 July 2021

References

 

Modification History

Date Note
2020-October-21 Rev 8. Updated CVSS score of CVE-2020-14564.
2020-August-31 Rev 7. Credit Statement Update.
2020-August-3 Rev 6. Credit Statement Update.
2020-July-27 Rev 5. Credit Statement Update.
2020-July-24 Rev 4. Affected version number changes to CVE-2020-14701 & CVE-2020-14606
2020-July-23
Rev 3. Added entry for CVE-2020-14725 in MySQL Risk Matrix. The fix was included in patches already released but was inadvertently not documented.
2020-July-20 Rev 2. Credit Statement Update.
2020-July-14 Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 27 new security patches for the Oracle Database Products divided as follows:

  • 19 new security patches for Oracle Database Server. 
  • 3 new security patches for Oracle Berkeley DB. 
  • 1 new security patch for Oracle Global Lifecycle Management. 
  • 3 new security patches for Oracle GoldenGate. 
  • 1 new security patch for Oracle TimesTen In-Memory Database. 

Oracle Database Server Risk Matrix

This Critical Patch Update contains 19 new security patches for the Oracle Database Server.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE# Component Package and/or Privilege Required Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2016-1000031 MapViewer (Apache Commons FileUpload) Valid User Account HTTP No 8.8 Network Low Low None Un-
changed
High High High 12.2.0.1, 18c, 19c See Note 1
CVE-2020-2968 Java VM Create Session, Create Procedure Multiple No 8.0 Network High Low Required Changed High High High 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c  
CVE-2016-9843 Core RDBMS (zlib) Create Session Oracle Net No 7.2 Network Low High None Un-
changed
High High High 18c  
CVE-2020-2969 Data Pump DBA role account Oracle Net No 6.6 Network High High None Un-
changed
High High High 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c  
CVE-2020-8112 GeoRaster (OpenJPG) Create Session Oracle Net No 5.7 Network Low Low Required Un-
changed
None None High 18c  
CVE-2020-2513 Oracle Application Express SQL Workshop HTTP No 5.4 Network Low Low Required Changed Low Low None 5.1-19.2  
CVE-2020-2971 Oracle Application Express SQL Workshop HTTP No 5.4 Network Low Low Required Changed Low Low None 5.1-19.2  
CVE-2020-2972 Oracle Application Express SQL Workshop HTTP No 5.4 Network Low Low Required Changed Low Low None 5.1-19.2  
CVE-2020-2973 Oracle Application Express SQL Workshop HTTP No 5.4 Network Low Low Required Changed Low Low None 5.1-19.2  
CVE-2020-2974 Oracle Application Express SQL Workshop HTTP No 5.4 Network Low Low Required Changed Low Low None 5.1-19.2  
CVE-2020-2976 Oracle Application Express SQL Workshop HTTP No 5.4 Network Low Low Required Changed Low Low None 5.1-19.2  
CVE-2020-2975 Oracle Application Express SQL Workshop HTTP No 5.4 Network Low Low Required Changed Low Low None 5.1-19.2  
CVE-2019-17569 Workload Manager (Apache Tomcat) None HTTP Yes 4.8 Network High None None Un-
changed
Low Low None 12.2.0.1, 18c, 19c  
CVE-2020-2977 Oracle Application Express Valid User Account HTTP No 4.6 Network Low Low Required Un-
changed
Low Low None 5.1-19.2  
CVE-2020-2978 Oracle Database - Enterprise Edition DBA role account Oracle Net No 4.1 Network Low High None Changed None Low None 12.1.0.2, 12.2.0.1, 18c, 19c  
CVE-2019-13990 MapViewer (Terracotta Quartz Scheduler, Apache Batik, Google Guava) Local Logon None No 0.0 Local Low Low Required Un-
changed
None None None 12.2.0.1, 18c, 19c See Note 2
CVE-2018-18314 Oracle Database (Perl) Local Logon None No 0.0 Local High High None Un-
changed
None None None 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c See Note 3
CVE-2019-10086 Spatial Studio (Apache Commons Beanutils) Local Logon None No 0.0 Local Low Low None Un-
changed
None None None Spatial Studio: Prior to 19.2.1 See Note 4
CVE-2019-16943 TFA (jackson-databind) Local Logon None No 0.0 Local High High None Un-
changed
None None None 12.2.0.1, 18c, 19c See Note 5
Notes:
  1. MapViewer is not deployed with a default installation. To use MapViewer the customer needs to re-deploy MapViewer EAR file into Oracle WebLogic Server.
  2. The CVE-2019-13990 and other CVEs listed for this patch are not exploitable in the context of Oracle Spatial and Graph MapViewer product, thus the CVSS score is 0.0.
  3. None of the CVEs listed against this row are exploitable in the context of Oracle Database, thus the CVSS score is 0.0.
  4. The CVE-2019-10086 is not exploitable in the context of Oracle Spatial Studio product, thus the CVSS score is 0.0.
  5. The CVE-2019-16943 and additional CVEs addressed by this patch are not exploitable in the context of Oracle TFA, thus the CVSS score for TFA patch for this issue is is 0.0.
Additional CVEs addressed are below:
  • The patch for CVE-2016-9843 also addresses CVE-2016-9840, CVE-2016-9841 and CVE-2016-9842.
  • The patch for CVE-2018-18314 also addresses CVE-2015-8607, CVE-2015-8608, CVE-2016-2381, CVE-2017-12814, CVE-2017-12837, CVE-2017-12883, CVE-2018-12015, CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-6797, CVE-2018-6798 and CVE-2018-6913.
  • The patch for CVE-2019-13990 also addresses CVE-2018-10237 and CVE-2018-8013.
  • The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
  • The patch for CVE-2019-17569 also addresses CVE-2020-1935 and CVE-2020-1938.
  • The patch for CVE-2020-8112 also addresses CVE-2016-1923, CVE-2016-1924, CVE-2016-3183, CVE-2016-4796, CVE-2016-4797, CVE-2016-8332, CVE-2016-9112 and CVE-2020-6851.

 

Oracle Berkeley DB Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Berkeley DB.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Component Package and/or Privilege Required Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-10140 Data Store None None No 7.3 Local Low Low Required Un-
changed
High High High Prior to 6.1.38  
CVE-2020-2981 Data Store None None No 7.0 Local High None Required Un-
changed
High High High Prior to 18.1.40  
CVE-2019-8457 Data Store (SQLite) None TCP No 0.0 Network Low None Required Un-
changed
None None None Prior to 18.1.40 See Note 1
Notes:
  1. The CVE-2019-8457 is not exploitable in the context of Oracle Berkeley DB product, thus the CVSS score is 0.0.

 

Oracle Global Lifecycle Management Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Global Lifecycle Management.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-9546 Oracle Global Lifecycle Management/OPatch Patch Installer (jackson-databind) None No 0.0 Local Low Low None Un-
changed
None None None Prior to 12.2.0.1.20 See Note 1
Notes:
  1. None of the CVEs listed against this row are exploitable in the Oracle Global Lifecycle Management product, thus the CVSS score is 0.0.
Additional CVEs addressed are below:
  • The patch for CVE-2020-9546 also addresses CVE-2019-16943, CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

 

Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle GoldenGate.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14705 Oracle GoldenGate Process Management TCP Yes 9.6 Adjacent
Network
Low None None Changed High High High Prior to 19.1.0.0.0  
CVE-2019-0222 GoldenGate Stream Analytics Security (ActiveMQ) TCP No 6.5 Network Low Low None Un-
changed
None None High Prior to 19.1.0.0.1  
CVE-2019-14379 GoldenGate Stream Analytics Security / Application Adapters (jackson-databind, SLF4J, ZooKeeper, Apache Spark) None No 0.0 Local Low Low None Un-
changed
None None None Prior to 19.1.0.0.1 See Note 1
Notes:
  1. CVE-2019-14379 and other CVEs addressed by these patches are not exploitable in the Oracle GoldenGate product, thus the CVSS score is 0.0.
Additional CVEs addressed are below:
  • The patch for CVE-2019-14379 also addresses CVE-2016-5017, CVE-2017-5637, CVE-2018-17190, CVE-2018-8012, CVE-2018-8088, CVE-2019-0201, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14439 and CVE-2019-14893.

 

Oracle TimesTen In-Memory Database Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle TimesTen In-Memory Database.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-18314 Oracle TimesTen In-Memory Database Doc, EM Plug-in (Perl) OracleNet No 0.0 Network Low Low None Un-
changed
None None None Prior to 18.1.2.1.0 See Note 1
Notes:
  1. None of the CVEs listed against this row are exploitable in the context of Oracle Database, thus the CVSS score is 0.0.
Additional CVEs addressed are below:
  • The patch for CVE-2018-18314 also addresses CVE-2015-8607, CVE-2015-8608, CVE-2016-2381, CVE-2017-12814, CVE-2017-12837, CVE-2017-12883, CVE-2018-12015, CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-6797, CVE-2018-6798 and CVE-2018-6913.

Oracle Commerce Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Commerce.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14536 Oracle Commerce Guided Search / Oracle Commerce Experience Manager Workbench HTTP Yes 7.4 Network High None None Un-
changed
High High None 11.0, 11.1, 11.2, prior to 11.3.1  
CVE-2020-14535 Oracle Commerce Service Center Commerce Service Center HTTP Yes 7.4 Network High None None Un-
changed
High High None 11.1, 11.2, prior to 11.3.1  
CVE-2020-14532 Oracle Commerce Platform Dynamo Application Framework HTTP Yes 4.7 Network Low None Required Changed None Low None 11.1, 11.2, prior to 11.3.1  
CVE-2020-14533 Oracle Commerce Platform Dynamo Application Framework HTTP No 3.5 Network Low High Required Un-
changed
Low Low None 11.1, 11.2, prior to 11.3.1  

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 60 new security patches for Oracle Communications Applications.  46 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14701 Oracle SD-WAN Aware User Interface HTTP Yes 10.0 Network Low None None Changed High High High 8.0, 8.1, 8.2  
CVE-2020-14606 Oracle SD-WAN Edge User Interface HTTP Yes 10.0 Network Low None None Changed High High High 8.0, 8.1, 8.2, 9.0  
CVE-2018-11058 Oracle Communications Analytics Platform (RSA BSAFE) Multiple Yes 9.8 Network Low None None Un-
changed
High High High 12.1.1  
CVE-2019-16943 Oracle Communications Billing and Revenue Management Business Operation Center, Billing Care (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 7.5.0.23.0, 12.0.0.3.0  
CVE-2016-1000031 Oracle Communications Contacts Server Core (Apache Commons FileUpload) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 8.0.0.4.0  
CVE-2020-9546 Oracle Communications Contacts Server Core (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 8.0.0.4.0  
CVE-2020-1938 Oracle Communications Element Manager Core (Apache Tomcat) Apache JServ Protocol (AJP) Yes 9.8 Network Low None None Un-
changed
High High High 8.1.1, 8.2.0, 8.2.1  
CVE-2020-9546 Oracle Communications Evolved Communications Application Server Session Design Center, Universal Data Recorder (jackson-databind) Multiple Yes 9.8 Network Low None None Un-
changed
High High High 7.1  
CVE-2020-1938 Oracle Communications Instant Messaging Server Installation (Apache Tomcat) Apache JServ Protocol (AJP) Yes 9.8 Network Low None None Un-
changed
High High High 10.0.1.4.0  
CVE-2020-9546 Oracle Communications Instant Messaging Server Presence API (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 10.0.1.4.0  
CVE-2019-13990 Oracle Communications IP Service Activator Netwok Processor Configuration Management (Terracotta Quartz Scheduler) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 7.3.0, 7.4.0  
CVE-2020-11656 Oracle Communications Network Charging and Control Data Access Pack (SQLite) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 6.0.1, 12.0.0-12.0.3  
CVE-2019-2729 Oracle Communications Network Integrity Integration (Oracle WebLogic Server) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 7.3.2-7.3.6  
CVE-2019-2904 Oracle Communications Network Integrity User Interface (Application Development Framework) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 7.3.2-7.3.6  
CVE-2017-5645 Oracle Communications Network Integrity Cartridge Management (Log4j) Multiple Yes 9.8 Network Low None None Un-
changed
High High High 7.3.2-7.3.6  
CVE-2020-7060 Oracle Communications Diameter Signaling Router (DSR) Platform (PHP) HTTP Yes 9.1 Network Low None None Un-
changed
High None High 8.0-8.4  
CVE-2020-1945 Oracle Communications MetaSolv Solution Online Help (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 6.3.0  
CVE-2018-1258 Oracle Communications Network Integrity Core (Spring Framework) HTTP No 8.8 Network Low Low None Un-
changed
High High High 7.3.2-7.3.6  
CVE-2020-9546 Oracle Communications Network Charging and Control Installer (jackson-databind) None No 8.4 Local Low None None Un-
changed
High High High 6.0.1, 12.0.0-12.0.3  
CVE-2020-14580 Oracle Communications Session Border Controller System Admin SSH No 8.2 Network Low Low Required Changed High Low Low 8.1.0, 8.2.0, 8.3.0  
CVE-2016-1181 Oracle Communications Network Integrity MSS Integration Cartridge (Apache Struts 1) HTTP Yes 8.1 Network High None None Un-
changed
High High High 7.3.2-7.3.6  
CVE-2017-0861 Oracle Communications LSMS Kernel None No 7.8 Local Low Low None Un-
changed
High High High 13.0-13.3  
CVE-2020-1945 Oracle Communications Order and Service Management Installer (Apache Ant) None No 7.7 Local Low None None Un-
changed
High High None 7.3, 7.4  
CVE-2020-5398 Oracle Communications BRM - Elastic Charging Engine Orchestration (Spring Framework) HTTP Yes 7.5 Network High None Required Un-
changed
High High High 11.3, 12.0  
CVE-2019-17359 Oracle Communications Convergence S/MIME Configuration (Bouncy Castle Java Library) HTTPS Yes 7.5 Network Low None None Un-
changed
None None High 3.0.1.0-3.0.2.1  
CVE-2020-5398 Oracle Communications Element Manager Core (Spring Framework) HTTP Yes 7.5 Network High None Required Un-
changed
High High High 8.1.1, 8.2.0, 8.2.1  
CVE-2019-0227 Oracle Communications Network Integrity Adapters (Apache Axis) HTTP Yes 7.5 Adjacent
Network
High None None Un-
changed
High High High 7.3.5, 7.3.6  
CVE-2019-16056 Oracle Communications Operations Monitor VSP implementing webserver (Python) HTTP Yes 7.5 Network Low None None Un-
changed
High None None 3.4, 4.1-4.3  
CVE-2019-0227 Oracle Communications Order and Service Management Installer, CMWS, CMT (Apache Axis) HTTP Yes 7.5 Adjacent
Network
High None None Un-
changed
High High High 7.3, 7.4  
CVE-2020-5398 Oracle Communications Session Report Manager Core (Spring Framework) HTTP Yes 7.5 Network High None Required Un-
changed
High High High 8.1.1, 8.2.0, 8.2.1  
CVE-2020-5398 Oracle Communications Session Route Manager Core (Spring Framework) HTTP Yes 7.5 Network High None Required Un-
changed
High High High 8.1.1, 8.2.0, 8.2.1  
CVE-2020-14630 Oracle Enterprise Session Border Controller File Upload HTTP No 7.5 Network Low High Required Changed Low Low High 8.1.0, 8.2.0, 8.3.0  
CVE-2019-10193 Oracle Communications Operations Monitor FDP, VSP Login, Packet Inspector (Redis) HTTP No 7.2 Network Low High None Un-
changed
High High High 3.4, 4.1  
CVE-2019-12423 Oracle Communications Element Manager REST API (Apache CXF) HTTP No 6.5 Network Low Low None Un-
changed
High None None 8.1.1, 8.2.0, 8.2.1  
CVE-2019-12423 Oracle Communications Session Report Manager REST API (Apache CXF) HTTP No 6.5 Network Low Low None Un-
changed
High None None 8.1.1, 8.2.0, 8.2.1  
CVE-2019-12423 Oracle Communications Session Route Manager REST API (Apache CXF) HTTP No 6.5 Network Low Low None Un-
changed
High None None 8.1.1, 8.2.0, 8.2.1  
CVE-2020-14721 Oracle Enterprise Communications Broker WebGUI HTTP No 6.3 Network Low Low None Un-
changed
Low Low Low 3.0.0-3.2.0  
CVE-2020-11022 Oracle Communications Analytics Platform (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.1.1  
CVE-2020-11022 Oracle Communications Element Manager User Interface (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.1.1, 8.2.0, 8.2.1  
CVE-2020-1941 Oracle Communications Element Manager Workorders (Apache ActiveMQ) HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.1.1, 8.2.0, 8.2.1  
CVE-2020-11022 Oracle Communications Interactive Session Recorder Dashboard (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 6.1-6.4  
CVE-2019-17091 Oracle Communications Network Integrity Core (Eclipse Mojarra) HTTP Yes 6.1 Network Low None Required Changed Low Low None 7.3.5, 7.3.6  
CVE-2020-11022 Oracle Communications Operations Monitor Mediation Engine, Dashboard, Grapahs, Calls (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 3.4, 4.1-4.3  
CVE-2020-11022 Oracle Communications Session Report Manager User Interface (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.1.1, 8.2.0, 8.2.1  
CVE-2020-1941 Oracle Communications Session Report Manager Workorders (Apache ActiveMQ) HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.1.1, 8.2.0, 8.2.1  
CVE-2020-11022 Oracle Communications Session Route Manager User Interface (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.1.1, 8.2.0, 8.2.1  
CVE-2020-1941 Oracle Communications Session Route Manager Workorders (Apache ActiveMQ) HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.1.1, 8.2.0, 8.2.1  
CVE-2020-14563 Oracle Enterprise Communications Broker WebGUI HTTP Yes 6.1 Network Low None Required Changed Low Low None 3.0.0-3.2.0  
CVE-2020-14722 Oracle Enterprise Communications Broker WebGUI HTTP Yes 5.8 Network High None Required Changed Low Low Low 3.0.0-3.2.0  
CVE-2018-3639 Oracle Communications LSMS Kernel None No 5.5 Local Low Low None Un-
changed
High None None 13.0-13.3  
CVE-2020-1951 Oracle Communications Messaging Server Security (Apache Tika) None No 5.5 Local Low None Required Un-
changed
None None High 8.0.2, 8.1.0  
CVE-2019-10247 Oracle Communications Analytics Platform (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.1.1  
CVE-2020-1934 Oracle Communications Element Manager Core (Apache HTTP Server) HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 8.1.1, 8.2.0, 8.2.1  
CVE-2019-10247 Oracle Communications Services Gatekeeper Platform Test Environment (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 6.0, 6.1, 7.0  
CVE-2020-1934 Oracle Communications Session Report Manager Core (Apache HTTP Server) HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 8.1.1, 8.2.0, 8.2.1  
CVE-2020-1934 Oracle Communications Session Route Manager Core (Apache HTTP Server) HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 8.1.1, 8.2.0, 8.2.1  
CVE-2020-14574 Oracle Communications Interactive Session Recorder FACE None No 4.7 Local High High None Un-
changed
High Low None 6.1-6.4  
CVE-2020-9488 Oracle Communications Instant Messaging Server Installation (Log4j) SMTPS Yes 3.7 Network High None None Un-
changed
Low None None 10.0.1.4.0  
CVE-2020-9488 Oracle Communications Interactive Session Recorder API, FACE, Archiver (Log4j) SMTPS Yes 3.7 Network High None None Un-
changed
Low None None 6.1-6.4  
CVE-2020-9488 Oracle Communications Network Charging and Control Notification Gateway (Log4j) SMTPS Yes 3.7 Network High None None Un-
changed
Low None None 6.0.1, 12.0.0-12.0.3  
Additional CVEs addressed are below:
  • The patch for CVE-2016-1181 also addresses CVE-2016-1182.
  • The patch for CVE-2017-0861 also addresses CVE-2017-15265, CVE-2018-1000004, CVE-2018-10901, CVE-2018-3620, CVE-2018-3646, CVE-2018-3693, CVE-2018-5390 and CVE-2018-7566.
  • The patch for CVE-2017-5645 also addresses CVE-2020-9488.
  • The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
  • The patch for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
  • The patch for CVE-2018-3639 also addresses CVE-2018-10675, CVE-2018-10872 and CVE-2018-3665.
  • The patch for CVE-2019-0227 also addresses CVE-2018-8032.
  • The patch for CVE-2019-10193 also addresses CVE-2019-10192.
  • The patch for CVE-2019-10247 also addresses CVE-2019-10246.
  • The patch for CVE-2019-12423 also addresses CVE-2019-17573.
  • The patch for CVE-2019-13990 also addresses CVE-2019-5427.
  • The patch for CVE-2019-16056 also addresses CVE-2019-16935.
  • The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
  • The patch for CVE-2019-2729 also addresses CVE-2019-2725.
  • The patch for CVE-2019-2904 also addresses CVE-2019-2094.
  • The patch for CVE-2020-11022 also addresses CVE-2019-11358 and CVE-2020-11023.
  • The patch for CVE-2020-11656 also addresses CVE-2020-11655, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632 and CVE-2020-9327.
  • The patch for CVE-2020-1934 also addresses CVE-2020-1927.
  • The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
  • The patch for CVE-2020-1951 also addresses CVE-2020-1950.
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397.
  • The patch for CVE-2020-7060 also addresses CVE-2020-7059.
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 20 new security patches for Oracle Construction and Engineering.  15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-5645 Primavera Gateway Admin (Apache Ant) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 16.2.0-16.2.11, 17.12.0-17.12.7  
CVE-2020-10683 Primavera P6 Enterprise Project Portfolio Management Web Access (dom4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.6  
CVE-2020-9546 Primavera Unifier Platform (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 16.1, 16.2, 17.7-17.12, 18.8, 19.12  
CVE-2020-1945 Primavera Unifier Core (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 16.1, 16.2, 17.7-17.12, 18.8, 19.12  
CVE-2018-17196 Primavera P6 Enterprise Project Portfolio Management Web Access (kafka client) HTTP No 8.8 Network Low Low None Un-
changed
High High High 19.12.0-19.12.6  
CVE-2020-9484 Instantis EnterpriseTrack Core (Apache Tomcat) None No 7.0 Local High Low None Un-
changed
High High High 17.1-17.3  
CVE-2020-11022 Primavera Gateway Admin (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4  
CVE-2020-2562 Primavera Portfolio Management Investor Module HTTP Yes 6.1 Network Low None Required Changed Low Low None 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0  
CVE-2020-14528 Primavera Portfolio Management Web Access HTTP Yes 6.1 Network Low None Required Changed Low Low None 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0  
CVE-2020-14706 Primavera P6 Enterprise Project Portfolio Management Web Access HTTP Yes 5.9 Network High None Required Un-
changed
High Low None 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.5  
CVE-2020-14527 Primavera Portfolio Management Web Access HTTP Yes 5.9 Network High None Required Un-
changed
High Low None 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0  
CVE-2020-14549 Primavera Portfolio Management Web Server HTTPS Yes 5.9 Network High None Required Un-
changed
High Low None 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0  
CVE-2020-14618 Primavera Unifier Mobile App HTTPS Yes 5.9 Network High None Required Un-
changed
High Low None Prior to 20.6  
CVE-2020-14617 Primavera Unifier Platform, Mobile App HTTPS No 5.7 Network Low Low Required Un-
changed
High None None 16.1, 16.2, 17.7-17.12, 18.8, 19.12; Mobile App: Prior to 20.6  
CVE-2020-14653 Primavera P6 Enterprise Project Portfolio Management Web Access HTTP No 5.4 Network Low Low None Un-
changed
Low Low None 16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.18.2  
CVE-2020-14529 Primavera Portfolio Management Investor Module HTTP No 5.4 Network Low Low Required Changed Low Low None 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0  
CVE-2020-1934 Instantis EnterpriseTrack Core (Apache HTTP Server) HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 17.1-17.3  
CVE-2020-14566 Primavera Portfolio Management Web Access HTTP Yes 4.3 Network Low None Required Un-
changed
None Low None 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0  
CVE-2020-9488 Instantis EnterpriseTrack Logging (Log4j) SMTPS Yes 3.7 Network High None None Un-
changed
Low None None 17.1-17.3  
CVE-2020-9488 Primavera Gateway Admin (Log4j) SMTPS Yes 3.7 Network High None None Un-
changed
Low None None 16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4  
Additional CVEs addressed are below:
  • The patch for CVE-2017-5645 also addresses CVE-2020-1945.
  • The patch for CVE-2018-17196 also addresses CVE-2017-12610 and CVE-2018-1288.
  • The patch for CVE-2020-10683 also addresses CVE-2018-1000632.
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2020-1934 also addresses CVE-2020-1927.
  • The patch for CVE-2020-9484 also addresses CVE-2019-17569, CVE-2020-1935 and CVE-2020-1938.
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 30 new security patches for the Oracle E-Business Suite.  24 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2020), My Oracle Support Note 2679563.1.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14598 Oracle CRM Gateway for Mobile Devices Setup of Mobile Applications HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1.1-12.1.3  
CVE-2020-14599 Oracle CRM Gateway for Mobile Devices Setup of Mobile Applications HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1.1-12.1.3  
CVE-2020-14658 Oracle Marketing Marketing Administration HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1.1-12.1.3, 12.2.3-12.2.9  
CVE-2020-14665 Oracle Trade Management Invoice HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1.1-12.1.3, 12.2.3-12.2.9  
CVE-2020-14670 Oracle Advanced Outbound Telephony Settings HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.9  
CVE-2020-14671 Oracle Advanced Outbound Telephony User Interface HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3  
CVE-2020-14534 Oracle Applications Framework Popups HTTP Yes 8.2 Network Low None Required Changed High Low None 12.2.9  
CVE-2020-14688 Oracle Common Applications CRM User Management Framework HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14660 Oracle CRM Technical Foundation Preferences HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14682 Oracle Depot Repair Estimate and Actual Charges HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3  
CVE-2020-14668 Oracle E-Business Intelligence DBI Setups HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3  
CVE-2020-14681 Oracle E-Business Intelligence DBI Setups HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3  
CVE-2020-14666 Oracle Email Center Message Display HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.9  
CVE-2020-14596 Oracle iStore Address Book HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3  
CVE-2020-14582 Oracle iStore User Registration HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.9  
CVE-2020-14686 Oracle iSupport Others HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.9  
CVE-2020-14719 Oracle Internet Expenses Mobile Expenses Admin Utilities HTTP No 7.7 Network Low Low None Changed None High None 12.2.4-12.2.9  
CVE-2020-14720 Oracle Internet Expenses Mobile Expenses Admin Utilities HTTP No 7.7 Network Low Low None Changed High None None 12.2.4-12.2.9  
CVE-2020-14610 Oracle Applications Framework Attachments / File Upload HTTP No 7.6 Network Low Low Required Changed High Low None 12.2.9  
CVE-2020-14657 Oracle CRM Technical Foundation Preferences HTTP No 7.6 Network Low Low Required Changed High Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14667 Oracle CRM Technical Foundation Preferences HTTP No 7.6 Network Low Low Required Changed High Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14679 Oracle CRM Technical Foundation Preferences HTTP Yes 7.5 Network Low None None Un-
changed
None None High 12.1.3, 12.2.3-12.2.9  
CVE-2020-14635 Oracle Application Object Library Logging HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.2.5-12.2.9  
CVE-2020-14554 Oracle Application Object Library Diagnostics HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.3, 12.2.3-12.2.8  
CVE-2020-14716 Oracle Common Applications CRM User Management Framework HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14717 Oracle Common Applications CRM User Management Framework HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14659 Oracle CRM Technical Foundation Preferences HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14661 Oracle CRM Technical Foundation Preferences HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14555 Oracle Marketing Marketing Administration HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.1-12.1.3, 12.2.3-12.2.9  
CVE-2020-14590 Oracle Applications Framework Page Request HTTP No 2.7 Network Low High None Un-
changed
Low None None 12.1.3, 12.2.3-12.2.9  

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 14 new security patches for Oracle Enterprise Manager.  10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2664876.1.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-9546 Enterprise Manager Base Platform Enterprise Manager Install (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 13.3.0.0, 13.4.0.0  
CVE-2017-5645 Oracle Application Testing Suite Load Testing for Web Apps (Log4j) Multiple Yes 9.8 Network Low None None Un-
changed
High High High 13.3.0.1  
CVE-2020-1945 Enterprise Manager Ops Center Networking (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.4.0.0  
CVE-2019-0227 Enterprise Manager for Fusion Middleware Coherence Management (Apache Axis) HTTP Yes 8.8 Adjacent
Network
Low None None Un-
changed
High High High 12.1.0.5  
CVE-2018-11776 Enterprise Manager Base Platform Reporting Framework (Apache Struts 2) HTTP Yes 8.1 Network High None None Un-
changed
High High High 13.3.0.0, 13.4.0.0  
CVE-2019-0227 Enterprise Manager Base Platform Application Service Level Mgmt (Apache Axis) HTTP Yes 7.5 Adjacent
Network
High None None Un-
changed
High High High 12.1.0.5, 13.3.0.0  
CVE-2020-7595 Oracle Real User Experience Insight APM Mesh (libxml2) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 13.3.1.0  
CVE-2020-2982 Enterprise Manager Base Platform Enterprise Config Management HTTP No 7.1 Network Low Low None Un-
changed
High Low None 13.3.0.0, 13.4.0.0  
CVE-2020-2984 Oracle Configuration Manager Discovery and collection script HTTP No 7.1 Network Low Low None Un-
changed
High Low None 12.1.2.0.6  
CVE-2020-2983 Oracle Data Masking and Subsetting Data Masking HTTP No 7.1 Network Low Low None Un-
changed
High Low None 13.3.0.0, 13.4.0.0  
CVE-2019-17091 Oracle Application Testing Suite Load Testing for Web Apps (Eclipse Mojarra) HTTP Yes 6.1 Network Low None Required Changed Low Low None 13.2.0.1, 13.3.0.1  
CVE-2019-12415 Enterprise Manager Base Platform Application Service Level Mgmt (Apache POI) None No 5.5 Local Low Low None Un-
changed
High None None 12.1.0.5, 13.3.0.0, 13.4.0.0  
CVE-2020-1934 Enterprise Manager Ops Center Networking (Apache HTTP Server) HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.4.0.0  
CVE-2019-1551 Enterprise Manager Ops Center Networking (OpenSSL) HTTPS Yes 5.3 Network Low None None Un-
changed
Low None None 12.4.0.0  
Additional CVEs addressed are below:
  • The patch for CVE-2019-0227 also addresses CVE-2018-8032.
  • The patch for CVE-2019-12415 also addresses CVE-2017-12626.
  • The patch for CVE-2019-1551 also addresses CVE-2020-1967.
  • The patch for CVE-2020-1934 also addresses CVE-2019-0220, CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 and CVE-2020-1927.
  • The patch for CVE-2020-1945 also addresses CVE-2017-5645.
  • The patch for CVE-2020-7595 also addresses CVE-2019-19956 and CVE-2019-20388.
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 38 new security patches for Oracle Financial Services Applications.  26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2019-13990 Oracle Banking Payments Core (Terracotta Quartz Scheduler) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 14.1.0-14.4.0  
CVE-2020-9546 Oracle Banking Platform Framework (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 2.4.0-2.9.0  
CVE-2019-2904 Oracle Financial Services Lending and Leasing Core (Application Development Framework) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.5.0, 14.1.0-14.2.0  
CVE-2017-5645 Oracle Financial Services Lending and Leasing Core (Log4j) Multiple Yes 9.8 Network Low None None Un-
changed
High High High 12.5.0, 14.1.0-14.8.0  
CVE-2017-15708 Oracle Financial Services Market Risk Measurement and Management User Interface (Apache Synapse) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 8.0.6, 8.0.8  
CVE-2019-13990 Oracle FLEXCUBE Investor Servicing Infrastructure (Terracotta Quartz Scheduler) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0  
CVE-2019-13990 Oracle FLEXCUBE Private Banking Core (Terracotta Quartz Scheduler) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.0.0, 12.1.0  
CVE-2019-11358 Oracle Insurance Accounting Analyzer User Interface (jQuery) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 8.0.6-8.0.8  
CVE-2020-1945 Oracle Financial Services Analytical Applications Infrastructure Infrastructure (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 8.0.6-8.1.0  
CVE-2020-1945 Oracle FLEXCUBE Investor Servicing Infrastructure (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0  
CVE-2020-1945 Oracle FLEXCUBE Private Banking Utilities (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.0.0, 12.1.0  
CVE-2020-14569 Oracle FLEXCUBE Investor Servicing Infrastructure HTTP No 8.1 Network Low Low None Un-
changed
High High None 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0  
CVE-2020-1945 Oracle Banking Enterprise Collections Installer (Apache Ant) None No 7.7 Local Low None None Un-
changed
High High None 2.7.0-2.9.0  
CVE-2020-1945 Oracle Banking Platform Installer (Apache Ant) None No 7.7 Local Low None None Un-
changed
High High None 2.4.0-2.9.0  
CVE-2019-0227 Oracle Financial Services Compliance Regulatory Reporting Web Service to Regulatory Report (Apache Axis) HTTP Yes 7.5 Adjacent
Network
High None None Un-
changed
High High High 8.0.6-8.0.8  
CVE-2019-12402 Oracle FLEXCUBE Investor Servicing Infrastructure (Apache Commons Compress) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0  
CVE-2019-12423 Oracle FLEXCUBE Private Banking Core (Apache CXF) HTTP Yes 7.5 Network Low None None Un-
changed
High None None 12.0.0, 12.1.0  
CVE-2019-0188 Oracle FLEXCUBE Private Banking Core (Apache Camel) HTTP Yes 7.5 Network Low None None Un-
changed
High None None 12.0.0, 12.1.0  
CVE-2019-17359 Oracle FLEXCUBE Private Banking Core (Bouncy Castle Java Library) TLS Yes 7.5 Network Low None None Un-
changed
None None High 12.0.0, 12.1.0  
CVE-2020-14602 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP No 7.1 Network Low Low None Un-
changed
Low High None 8.0.6-8.1.0  
CVE-2020-14691 Oracle Financial Services Liquidity Risk Management User Interface HTTP No 7.1 Network Low Low None Un-
changed
Low High None 8.0.6  
CVE-2020-14605 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP No 6.5 Network Low Low None Un-
changed
None High None 8.0.6-8.1.0  
CVE-2020-14685 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP No 6.5 Network Low Low None Un-
changed
None High None 8.0.6-8.1.0  
CVE-2020-14692 Oracle Financial Services Loan Loss Forecasting and Provisioning User Interface HTTP No 6.5 Network Low Low None Un-
changed
None High None 8.0.6-8.0.8  
CVE-2020-14693 Oracle Insurance Accounting Analyzer User Interface HTTP No 6.5 Network Low Low None Un-
changed
None High None 8.0.6-8.0.9  
CVE-2020-14662 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP No 6.3 Network Low Low None Un-
changed
Low Low Low 8.0.6-8.1.0  
CVE-2020-11022 Oracle Banking Enterprise Collections User Interface (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 2.7.0-2.8.0  
CVE-2020-11022 Oracle Banking Platform User Interface (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 2.4.0-2.10.0  
CVE-2020-14601 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.0.6-8.1.0  
CVE-2020-14615 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.0.6-8.1.0  
CVE-2020-11022 Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank User Interface (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.0.4  
CVE-2019-12415 Oracle Banking Payments Core (Apache POI) None No 5.5 Local Low Low None Un-
changed
High None None 14.1.0-14.4.0  
CVE-2019-12415 Oracle FLEXCUBE Private Banking Core (Apache POI) None No 5.5 Local Low Low None Un-
changed
High None None 12.0.0, 12.1.0  
CVE-2020-14603 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 8.0.6-8.1.0  
CVE-2020-14604 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 8.0.6-8.1.0  
CVE-2020-14684 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP Yes 4.3 Network Low None Required Un-
changed
None Low None 8.0.6-8.1.0  
CVE-2020-9488 Oracle Banking Platform Collections (Log4j) SMTPS Yes 3.7 Network High None None Un-
changed
Low None None 2.4.0-2.10.0  
CVE-2020-9488 Oracle FLEXCUBE Investor Servicing Infrastructure (Log4j) SMTPS Yes 3.7 Network High None None Un-
changed
Low None None 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0  
Additional CVEs addressed are below:
  • The patch for CVE-2017-5645 also addresses CVE-2020-9488.
  • The patch for CVE-2019-0227 also addresses CVE-2018-8032.
  • The patch for CVE-2019-12423 also addresses CVE-2019-17573.
  • The patch for CVE-2019-13990 also addresses CVE-2019-12402 and CVE-2019-5427.
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2020-1945 also addresses CVE-2017-5645.
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Food and Beverage Applications.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14543 Oracle Hospitality Reporting and Analytics Installation None No 7.3 Local Low Low Required Un-
changed
High High High 9.1.0  
CVE-2020-14561 Oracle Hospitality Reporting and Analytics Installation None No 7.3 Local Low Low Required Un-
changed
High High High 9.1.0  
CVE-2020-14594 Oracle Hospitality Reporting and Analytics Inventory Integration None No 6.5 Local Low High Required Un-
changed
High High High 9.1.0  
CVE-2020-14616 Oracle Hospitality Reporting and Analytics Reporting HTTP No 2.7 Network Low High None Un-
changed
Low None None 9.1.0  

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 52 new security patches for Oracle Fusion Middleware.  48 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update July 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2664876.1.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-5645 Oracle Endeca Information Discovery Studio Studio (Apache Ant) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 3.2.0  
CVE-2019-17531 Oracle WebCenter Portal Security Framework (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-9546 Oracle WebLogic Server Centralized Thirdparty Jars (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.2.1.3.0, 12.2.1.4.0  
CVE-2018-11058 Oracle WebLogic Server Security Service (RSA BSAFE) HTTPS Yes 9.8 Network Low None None Un-
changed
High High High 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14625 Oracle WebLogic Server Core IIOP, T3 Yes 9.8 Network Low None None Un-
changed
High High High 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-14644 Oracle WebLogic Server Core IIOP, T3 Yes 9.8 Network Low None None Un-
changed
High High High 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-14645 Oracle WebLogic Server Core IIOP, T3 Yes 9.8 Network Low None None Un-
changed
High High High 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-14687 Oracle WebLogic Server Core IIOP, T3 Yes 9.8 Network Low None None Un-
changed
High High High 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2017-5645 Oracle WebLogic Server Centralized Thirdparty Jars (Log4j) Multiple Yes 9.8 Network Low None None Un-
changed
High High High 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2017-5645 Oracle WebLogic Server Console (Log4j) Multiple Yes 9.8 Network Low None None Un-
changed
High High High 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-1945 Oracle Endeca Information Discovery Studio Studio (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 3.2.0  
CVE-2020-1945 Oracle Enterprise Repository Security Subsystem (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 11.1.1.7.0  
CVE-2020-8112 Oracle Outside In Technology Installation (OpenJPEG) HTTP Yes 8.8 Network Low None Required Un-
changed
High High High 8.5.5, 8.5.4 See Note 1
CVE-2020-14609 Oracle Business Intelligence Enterprise Edition Analytics Web Answers HTTP Yes 8.6 Network Low None None Un-
changed
High Low Low 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14611 Oracle WebCenter Portal Composer HTTP Yes 8.6 Network Low None None Un-
changed
Low High Low 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14584 Oracle BI Publisher BI Publisher Security HTTP Yes 8.2 Network Low None Required Changed High Low None 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14585 Oracle BI Publisher Mobile Service HTTP Yes 8.2 Network Low None Required Changed High Low None 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14690 Oracle Business Intelligence Enterprise Edition Analytics Actions HTTP Yes 8.2 Network Low None Required Changed High Low None 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14608 Oracle Fusion Middleware MapViewer Tile Server HTTP Yes 8.2 Network Low None None Un-
changed
Low High None 12.2.1.3.0  
CVE-2020-14723 Oracle Help Technologies Web UIX HTTP Yes 8.2 Network Low None Required Changed High Low None 11.1.1.9.0, 12.2.1.3.0  
CVE-2020-14588 Oracle WebLogic Server Web Container HTTP Yes 8.2 Network Low None None Un-
changed
Low High None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-14626 Oracle Business Intelligence Enterprise Edition Analytics Web General HTTP Yes 8.1 Network High None None Un-
changed
High High High 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14565 Oracle Unified Directory Security HTTP No 8.1 Network Low High Required Changed None High High 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2019-17359 Oracle Business Process Management Suite Runtime Engine (Bouncy Castle Java Library) HTTPS Yes 7.5 Network Low None None Un-
changed
None None High 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14642 Oracle Coherence CacheStore HTTP Yes 7.5 Network Low None None Un-
changed
None None High 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2019-0227 Oracle WebCenter Portal WebCenter Spaces Application (Apache Axis) HTTP Yes 7.5 Adjacent
Network
High None None Un-
changed
High High High 12.2.1.3.0  
CVE-2020-14639 Oracle WebLogic Server Sample apps HTTP Yes 7.5 Network Low None None Un-
changed
High None None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-5398 Oracle WebLogic Server Sample apps (Spring Framework) HTTP Yes 7.5 Network High None Required Un-
changed
High High High 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14589 Oracle WebLogic Server Web Container HTTP Yes 7.5 Network Low None None Un-
changed
None None High 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-2967 Oracle WebLogic Server Web Services IIOP, T3 Yes 7.5 Network Low None None Un-
changed
High None None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-14696 Oracle BI Publisher Layout Templates HTTP Yes 7.2 Network Low None None Changed Low Low None 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14571 Oracle BI Publisher Mobile Service HTTP Yes 7.2 Network Low None None Changed Low Low None 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14570 Oracle BI Publisher Mobile Service HTTP Yes 7.1 Network Low None Required Un-
changed
High Low None 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14552 Oracle WebCenter Portal Security Framework HTTP No 6.8 Network Low Low Required Changed High None None 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14557 Oracle WebLogic Server Web Container HTTP Yes 6.8 Network High None Required Un-
changed
High High None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-14655 Oracle Security Service SSL API HTTPS Yes 6.5 Network High None None Un-
changed
High Low None 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14652 Oracle WebLogic Server Core HTTP Yes 6.5 Network Low None None Un-
changed
Low Low None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2019-14862 Oracle Business Intelligence Enterprise Edition BI Platform Security (Knockout) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-1941 Oracle Enterprise Repository Security Subsystem (Apache ActiveMQ) HTTP Yes 6.1 Network Low None Required Changed Low Low None 11.1.1.7.0  
CVE-2020-14607 Oracle Fusion Middleware MapViewer Tile Server HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14613 Oracle WebCenter Sites Advanced User Interface HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14572 Oracle WebLogic Server Console HTTP Yes 6.1 Network Low None Required Changed Low Low None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14636 Oracle WebLogic Server Sample apps HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-14637 Oracle WebLogic Server Sample apps HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-14638 Oracle WebLogic Server Sample apps HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-14640 Oracle WebLogic Server Sample apps HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-14530 Oracle Security Service None HTTPS Yes 5.9 Network High None None Un-
changed
High None None 11.1.1.9.0  
CVE-2019-12415 Oracle WebCenter Portal Security Framework (Apache POI) None No 5.5 Local Low Low None Un-
changed
High None None 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-2966 Oracle WebLogic Server Console HTTP Yes 5.4 Network Low None Required Un-
changed
Low Low None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14622 Oracle WebLogic Server Core HTTP No 4.9 Network Low High None Un-
changed
High None None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-9488 Oracle Fusion Middleware MapViewer Install (Log4j) SMTPS Yes 3.7 Network High None None Un-
changed
Low None None 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14548 Oracle Business Intelligence Enterprise Edition Analytics Web General HTTP Yes 3.4 Network High None Required Changed Low None None 12.2.1.3.0, 12.2.1.4.0  
Notes:
  1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
Additional CVEs addressed are below:
  • The patch for CVE-2017-5645 also addresses CVE-2019-17571.
  • The patch for CVE-2019-0227 also addresses CVE-2018-8032.
  • The patch for CVE-2019-17531 also addresses CVE-2019-16943, CVE-2019-17267, CVE-2019-20330 and CVE-2020-9546.
  • The patch for CVE-2020-1945 also addresses CVE-2017-5645.
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397.
  • The patch for CVE-2020-8112 also addresses CVE-2018-6616, CVE-2019-12973 and CVE-2020-6851.
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle GraalVM.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2019-17560 Oracle GraalVM Enterprise Edition GraalVM Compiler (Apache NetBeans) HTTPS Yes 9.1 Network Low None None Un-
changed
High High None 19.3.2, 20.1.0  
CVE-2020-14583 Oracle GraalVM Enterprise Edition Java Multiple Yes 8.3 Network High None Required Changed High High High 19.3.2, 20.1.0  
CVE-2020-11080 Oracle GraalVM Enterprise Edition JavaScript (Node.js) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 19.3.2, 20.1.0  
CVE-2020-14718 Oracle GraalVM Enterprise Edition JVMCI Multiple No 7.2 Network Low High None Un-
changed
High High High 19.3.2, 20.1.0  
Additional CVEs addressed are below:
  • The patch for CVE-2019-17560 also addresses CVE-2019-17561.
  • The patch for CVE-2020-11080 also addresses CVE-2020-8172.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Health Sciences Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-1938 Oracle Health Sciences Empirica Inspections Web server (Apache Tomcat) Apache JServ Protocol (AJP) Yes 9.8 Network Low None None Un-
changed
High High High 1.0.1.2  
CVE-2020-1938 Oracle Health Sciences Empirica Signal Web server (Apache Tomcat) Apache JServ Protocol (AJP) Yes 9.8 Network Low None None Un-
changed
High High High 7.3.3  
CVE-2020-5398 Oracle Healthcare Master Person Index Master Data Management (Spring Framework) HTTP Yes 7.5 Network High None Required Un-
changed
High High High 4.0.2  
CVE-2020-11022 Oracle Healthcare Translational Research Cohort Explorer (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 3.2.1, 3.3.1, 3.3.2, 3.4.0  
Additional CVEs addressed are below:
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Hospitality Applications.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-1938 Oracle Hospitality Guest Access Base (Apache Tomcat) Apache JServ Protocol (AJP) Yes 9.8 Network Low None None Un-
changed
High High High 4.2.0, 4.2.1  
Additional CVEs addressed are below:
  • The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Hyperion.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14546 Hyperion Financial Close Management Close Manager HTTP No 4.2 Network High High Required Un-
changed
None High None 11.1.2.4  
CVE-2020-14560 Oracle Hyperion BI+ UI and Visualization HTTP No 4.2 Network High High Required Un-
changed
High None None 11.1.2.4  
CVE-2020-14541 Hyperion Financial Close Management Close Manager HTTP No 2.0 Network High High Required Un-
changed
None Low None 11.1.2.4  

Oracle iLearning Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle iLearning.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14595 Oracle iLearning Assessment Manager HTTP Yes 8.2 Network Low None None Un-
changed
High None Low 6.1, 6.1.1  

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Insurance Applications.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-12626 Oracle Insurance Policy Administration J2EE Architecture (Apache POI) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 10.2.0, 10.2.4  
CVE-2020-5398 Oracle Insurance Policy Administration J2EE Architecture (Spring Framework) HTTP Yes 7.5 Network High None Required Un-
changed
High High High 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0  
CVE-2020-5398 Oracle Insurance Rules Palette Architecture (Spring Framework) HTTP Yes 7.5 Network High None Required Un-
changed
High High High 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0  
CVE-2019-12415 Oracle Insurance Policy Administration J2EE Architecture (Apache POI) None No 5.5 Local Low Low None Un-
changed
High None None 11.0.2, 11.1.0, 11.2.0  
CVE-2019-12415 Oracle Insurance Rules Palette Architecture (Apache POI) None No 5.5 Local Low Low None Un-
changed
High None None 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0  
CVE-2020-9488 Oracle Insurance Data Gateway Security (Log4j) SMTPS Yes 3.7 Network High None None Un-
changed
Low None None 1.0  
Additional CVEs addressed are below:
  • The patch for CVE-2019-12415 also addresses CVE-2017-12626.
  • The patch for CVE-2020-5398 also addresses CVE-2018-15756 and CVE-2020-5397.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Java SE.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14664 Java SE JavaFX Multiple Yes 8.3 Network High None Required Changed High High High Java SE: 8u251 See Note 1
CVE-2020-14583 Java SE, Java SE Embedded Libraries Multiple Yes 8.3 Network High None Required Changed High High High Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251 See Note 1
CVE-2020-14593 Java SE, Java SE Embedded 2D Multiple Yes 7.4 Network Low None Required Changed None High None Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251 See Note 1
CVE-2020-14562 Java SE ImageIO Multiple Yes 5.3 Network Low None None Un-
changed
None None Low Java SE: 11.0.7, 14.0.1 See Note 1
CVE-2020-14621 Java SE, Java SE Embedded JAXP Multiple Yes 5.3 Network Low None None Un-
changed
None Low None Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251 See Note 2
CVE-2020-14556 Java SE, Java SE Embedded Libraries Multiple Yes 4.8 Network High None None Un-
changed
Low Low None Java SE: 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251 See Note 3
CVE-2020-14573 Java SE Hotspot Multiple Yes 3.7 Network High None None Un-
changed
None Low None Java SE: 11.0.7, 14.0.1 See Note 3
CVE-2020-14581 Java SE, Java SE Embedded 2D Multiple Yes 3.7 Network High None None Un-
changed
Low None None Java SE: 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251 See Note 3
CVE-2020-14578 Java SE, Java SE Embedded Libraries Multiple Yes 3.7 Network High None None Un-
changed
None None Low Java SE: 7u261, 8u251; Java SE Embedded: 8u251 See Note 3
CVE-2020-14579 Java SE, Java SE Embedded Libraries Multiple Yes 3.7 Network High None None Un-
changed
None None Low Java SE: 7u261, 8u251; Java SE Embedded: 8u251 See Note 3
CVE-2020-14577 Java SE, Java SE Embedded JSSE TLS Yes 3.7 Network High None None Un-
changed
Low None None Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251 See Note 3
Notes:
  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
  3. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle JD Edwards.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-9546 JD Edwards EnterpriseOne Orchestrator E1 IOT Orchestrator Security (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High Prior to 9.2.4.2  
CVE-2020-9546 JD Edwards EnterpriseOne Tools EnterpriseOne Mobility Sec (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High Prior to 9.2.4.2  
CVE-2020-9546 JD Edwards EnterpriseOne Tools Monitoring and Diagnostics (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High Prior to 9.2.4.2  
CVE-2020-9546 JD Edwards EnterpriseOne Tools Web Runtime (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High Prior to 9.2.4.2  
CVE-2020-9488 JD Edwards EnterpriseOne Tools Installation SEC (Log4j) SMTPS Yes 3.7 Network High None None Un-
changed
Low None None Prior to 9.2.3.3  
CVE-2020-9488 JD Edwards EnterpriseOne Tools Monitoring and Diagnostics (Log4j) SMTPS Yes 3.7 Network High None None Un-
changed
Low None None Prior to 9.2.3.3  
Additional CVEs addressed are below:
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 41 new security patches for Oracle MySQL.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-1938 MySQL Enterprise Monitor Monitoring: General (Apache Tomcat) Apache JServ Protocol (AJP) Yes 9.8 Network Low None None Un-
changed
High High High 4.0.12 and prior, 8.0.20 and prior  
CVE-2020-1967 MySQL Connectors Connector/C++ (OpenSSL) TLS Yes 7.5 Network Low None None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-1967 MySQL Connectors Connector/ODBC (OpenSSL) TLS Yes 7.5 Network Low None None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-5398 MySQL Enterprise Monitor Monitoring: General (Spring Framework) HTTPS Yes 7.5 Network High None Required Un-
changed
High High High 4.0.12 and prior, 8.0.20 and prior  
CVE-2020-1967 MySQL Server Server: Security: Encryption (OpenSSL) MySQL Protocol Yes 7.5 Network Low None None Un-
changed
None None High 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior  
CVE-2020-14663 MySQL Server Server: Security: Privileges MySQL Protocol No 7.2 Network Low High None Un-
changed
High High High 8.0.20 and prior  
CVE-2020-14678 MySQL Server Server: Security: Privileges MySQL Protocol No 7.2 Network Low High None Un-
changed
High High High 8.0.20 and prior  
CVE-2020-14697 MySQL Server Server: Security: Privileges MySQL Protocol No 7.2 Network Low High None Un-
changed
High High High 8.0.20 and prior  
CVE-2020-14591 MySQL Server Server: Audit Plug-in MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14539 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior  
CVE-2020-14680 MySQL Server Server: Optimizer MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14619 MySQL Server Server: Parser MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14576 MySQL Server Server: UDF MySQL Protocol No 6.5 Network Low Low None Un-
changed
None None High 5.7.30 and prior, 8.0.20 and prior  
CVE-2020-14643 MySQL Server Server: Security: Roles MySQL Protocol No 5.5 Network Low High None Un-
changed
None Low High 8.0.20 and prior  
CVE-2020-14651 MySQL Server Server: Security: Roles MySQL Protocol No 5.5 Network Low High None Un-
changed
None Low High 8.0.20 and prior  
CVE-2020-14550 MySQL Client C API MySQL Protocol No 5.3 Network High Low None Un-
changed
None None High 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior  
CVE-2019-1551 MySQL Enterprise Monitor Monitoring: General (OpenSSL) HTTPS Yes 5.3 Network Low None None Un-
changed
Low None None 4.0.12 and prior, 8.0.20 and prior  
CVE-2020-14568 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14623 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14540 MySQL Server Server: DML MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.30 and prior, 8.0.20 and prior  
CVE-2020-14575 MySQL Server Server: DML MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14620 MySQL Server Server: DML MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14624 MySQL Server Server: JSON MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14656 MySQL Server Server: Locking MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14547 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.30 and prior, 8.0.20 and prior  
CVE-2020-14597 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14614 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14654 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14725 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14632 MySQL Server Server: Options MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14567 MySQL Server Server: Replication MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 5.7.29 and prior, 8.0.19 and prior  
CVE-2020-14631 MySQL Server Server: Security: Audit MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14586 MySQL Server Server: Security: Privileges MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14702 MySQL Server Server: Security: Privileges MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.20 and prior  
CVE-2020-14641 MySQL Server Server: Security: Roles MySQL Protocol No 4.9 Network Low High None Un-
changed
High None None 8.0.20 and prior  
CVE-2020-14559 MySQL Server Server: Information Schema MySQL Protocol No 4.3 Network Low Low None Un-
changed
Low None None 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior  
CVE-2020-14553 MySQL Server Server: Pluggable Auth MySQL Protocol No 4.3 Network Low Low None Un-
changed
None Low None 5.7.30 and prior, 8.0.20 and prior  
CVE-2020-14633 MySQL Server InnoDB MySQL Protocol No 2.7 Network Low High None Un-
changed
None Low None 8.0.20 and prior  
CVE-2020-14634 MySQL Server InnoDB MySQL Protocol No 2.7 Network Low High None Un-
changed
Low None None 8.0.20 and prior  
CVE-2020-5258 MySQL Cluster Cluster: Packaging (dojo) Multiple No 0.0 Network Low Low Required Un-
changed
None None None 7.3.29 and prior, 7.4.28 and prior, 7.5.18 and prior, 7.6.14 and prior, 8.0.20 and prior See Note 1
CVE-2020-1967 MySQL Enterprise Monitor Monitoring: General (OpenSSL) HTTPS No 0.0 Network Low None None Un-
changed
None None None 4.0.12 and prior, 8.0.20 and prior See Note 2
Notes:
  1. This CVE is not exploitable in MySQL Cluster. The CVSS v3.1 Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.
  2. This CVE is not exploitable in MySQL Enterprise Monitor. The CVSS v3.1 Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.
Additional CVEs addressed are below:
  • The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle PeopleSoft.  9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2019-17359 PeopleSoft Enterprise HCM Global Payroll Switzerland Global Payroll for Switzerland (Bouncy Castle Java Library) HTTPS Yes 7.5 Network Low None None Un-
changed
None None High 9.2  
CVE-2019-16056 PeopleSoft Enterprise PeopleTools Porting (Python) HTTP Yes 7.5 Network Low None None Un-
changed
High None None 8.57, 8.58  
CVE-2019-11358 PeopleSoft Enterprise FIN Expenses Expenses (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 9.2  
CVE-2020-14627 PeopleSoft Enterprise PeopleTools Query HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.56, 8.57, 8.58  
CVE-2020-14592 PeopleSoft Enterprise PeopleTools Rich Text Editor HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.56, 8.57, 8.58  
CVE-2020-14587 PeopleSoft Enterprise FIN Expenses Expenses HTTP No 5.4 Network Low Low None Un-
changed
Low Low None 9.2  
CVE-2020-14612 PeopleSoft Enterprise HRMS Time and Labor HTTP No 5.4 Network Low Low None Un-
changed
Low Low None 9.2  
CVE-2020-14558 PeopleSoft Enterprise PeopleTools Portal HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 8.56, 8.57, 8.58  
CVE-2019-1551 PeopleSoft Enterprise PeopleTools Security (OpenSSL) HTTPS Yes 5.3 Network Low None None Un-
changed
Low None None 8.56, 8.57, 8.58  
CVE-2020-14600 PeopleSoft Enterprise PeopleTools Portal HTTP Yes 4.3 Network Low None Required Un-
changed
None Low None 8.56, 8.57, 8.58  
CVE-2020-14564 PeopleSoft Enterprise PeopleTools Environment Mgmt Console HTTP No 3.4 Network Low High Required Changed None Low None 8.56, 8.57, 8.58  
Additional CVEs addressed are below:
  • The patch for CVE-2019-16056 also addresses CVE-2019-16935.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 47 new security patches for Oracle Retail Applications.  42 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2019-13990 Customer Management and Segmentation Foundation Segment (Terracotta Quartz Scheduler) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 18.0  
CVE-2019-12086 Customer Management and Segmentation Foundation Segment (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 18.0  
CVE-2020-2555 Oracle Retail Assortment Planning Application Core (Coherence) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 15.0, 16.0  
CVE-2017-5645 Oracle Retail Extract Transform and Load Mathematical Operators (Log4j) Multiple Yes 9.8 Network Low None None Un-
changed
High High High 19.0  
CVE-2020-1945 Oracle Retail Financial Integration PeopleSoft Integration (Apache Ant) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 15.0, 16.0  
CVE-2020-10683 Oracle Retail Integration Bus RIB Kernal (dom4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 15.0, 16.0  
CVE-2019-13990 Oracle Retail Integration Bus RIB Kernal (Terracotta Quartz Scheduler) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 15.0, 16.0  
CVE-2019-16943 Oracle Retail Merchandising System Inventory Movement (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 15.0.3, 16.0.2, 16.0.3  
CVE-2019-16943 Oracle Retail Sales Audit Transaction Maintenance (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 14.1  
CVE-2017-5645 Oracle Retail Service Backbone Installer (Log4j) Multiple Yes 9.8 Network Low None None Un-
changed
High High High 14.1, 15.0, 16.0  
CVE-2019-13990 Oracle Retail Xstore Point of Service Xenvironment (Terracotta Quartz Scheduler) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 15.0, 16.0, 17.0, 18.0, 19.0  
CVE-2020-9546 Oracle Retail Xstore Point of Service Xenvironment (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 15.0, 16.0, 17.0, 18.0, 19.0  
CVE-2020-1945 Category Management Planning & Optimization ODI Integration (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 15.0.3  
CVE-2020-1945 Oracle Retail Assortment Planning Application Core (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 15.0.3, 16.0.3  
CVE-2020-1945 Oracle Retail Bulk Data Integration BDI Job Scheduler (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 15.0, 16.0  
CVE-2020-1945 Oracle Retail Data Extractor for Merchandising ODI Knowledge Module (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 1.9, 1.10  
CVE-2020-1945 Oracle Retail Item Planning Application Core (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 15.0.3  
CVE-2020-1945 Oracle Retail Macro Space Optimization ODI Integration (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 15.0.3  
CVE-2020-1945 Oracle Retail Merchandise Financial Planning Application Core (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 15.0.3  
CVE-2020-1945 Oracle Retail Predictive Application Server RPAS Server (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 14.0.3, 14.1.3, 15.0.3, 16.0.3  
CVE-2020-1945 Oracle Retail Regular Price Optimization Operations & Maintenance (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 15.0.3, 16.0.3  
CVE-2020-1945 Oracle Retail Replenishment Optimization Application Core (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 15.0.3  
CVE-2020-1945 Oracle Retail Service Backbone Install (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 15.0, 16.0  
CVE-2020-1945 Oracle Retail Size Profile Optimization Application Core (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 15.0.3  
CVE-2020-1945 Oracle Retail Store Inventory Management SIM Integration (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 14.0.4, 14.1.3, 15.0.3, 16.0.3  
CVE-2015-9251 Oracle Retail Customer Management and Segmentation Foundation Promotions (jQuery) HTTP No 8.0 Network Low Low Required Un-
changed
High High High 18.0  
CVE-2020-5398 Oracle Retail Assortment Planning Application Core (Spring Framework) HTTP Yes 7.5 Network High None Required Un-
changed
High High High 15.0, 16.0  
CVE-2020-5398 Oracle Retail Financial Integration PeopleSoft Integration (Spring Framework) HTTP Yes 7.5 Network High None Required Un-
changed
High High High 15.0, 16.0  
CVE-2017-12626 Oracle Retail Fusion Platform Retail Portal Framework (Apache POI) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 5.5  
CVE-2020-5398 Oracle Retail Integration Bus RIB Kernal (Spring Framework) HTTP Yes 7.5 Network High None Required Un-
changed
High High High 15.0.3, 16.0.3  
CVE-2019-12423 Oracle Retail Order Broker System Administration (Apache CXF) HTTP Yes 7.5 Network Low None None Un-
changed
High None None 15.0  
CVE-2020-5398 Oracle Retail Predictive Application Server RPAS Server (Spring Framework) HTTP Yes 7.5 Network High None Required Un-
changed
High High High 14.0.3, 14.1.3, 15.0.3, 16.0.3  
CVE-2020-5398 Oracle Retail Service Backbone RSB Installation (Spring Framework) HTTP Yes 7.5 Network High None Required Un-
changed
High High High 15.0, 16.0  
CVE-2019-10086 Customer Management and Segmentation Foundation Promotions (Apache Commons-Beanutils) HTTP Yes 7.3 Network Low None None Un-
changed
Low Low Low 18.0  
CVE-2020-14709 Customer Management and Segmentation Foundation Card HTTP No 7.1 Network Low Low None Un-
changed
Low High None 16.0, 17.0, 18.0  
CVE-2019-3740 Oracle Retail Store Inventory Management SIM Integration (BSAFE Crypto-J) TLS Yes 6.5 Network Low None Required Un-
changed
High None None 14.0.4, 14.1.3, 15.0.3, 16.0.3  
CVE-2019-17091 Oracle Retail Financial Integration PeopleSoft Integration (Eclipse Mojarra) HTTP Yes 6.1 Network Low None Required Changed Low Low None 15.0, 16.0  
CVE-2019-17091 Oracle Retail Integration Bus RIB Kernal (Eclipse Mojarra) HTTP Yes 6.1 Network Low None Required Changed Low Low None 15.0, 16.0  
CVE-2019-17091 Oracle Retail Invoice Matching Pricing (Eclipse Mojarra) HTTP Yes 6.1 Network Low None Required Changed Low Low None 16.0  
CVE-2019-17091 Oracle Retail Service Backbone RSB kernel (Eclipse Mojarra) HTTP Yes 6.1 Network Low None Required Changed Low Low None 15.0, 16.0  
CVE-2018-10237 Oracle Retail Integration Bus Packaging (Google Guava) HTTP Yes 5.9 Network High None None Un-
changed
None None High 15.0, 16.0  
CVE-2020-14710 Customer Management and Segmentation Foundation Security HTTP No 5.4 Network Low Low None Un-
changed
Low Low None 16.0, 17.0, 18.0  
CVE-2020-14708 Customer Management and Segmentation Foundation Segment HTTP No 4.3 Network Low Low None Un-
changed
None Low None 16.0, 17.0, 18.0  
CVE-2018-15756 Oracle Retail Xstore Point of Service Point of Sale (Spring Framework) HTTP No 4.3 Network Low High Required Un-
changed
Low Low Low 7.1  
CVE-2020-9488 Oracle Retail Data Extractor for Merchandising Knowledge Module (Log4j) SMTPS Yes 3.7 Network High None None Un-
changed
Low None None 18.0  
CVE-2020-9488 Oracle Retail Financial Integration PeopleSoft Integration (Log4j) SMTPS Yes 3.7 Network High None None Un-
changed
Low None None 15.0, 16.0  
CVE-2020-9488 Oracle Retail Store Inventory Management SIM Integration (Log4j) SMTPS Yes 3.7 Network High None None Un-
changed
Low None None 14.0.4, 14.1.3, 15.0.3, 16.0.3  
Additional CVEs addressed are below:
  • The patch for CVE-2015-9251 also addresses CVE-2020-11022.
  • The patch for CVE-2017-12626 also addresses CVE-2019-12415.
  • The patch for CVE-2018-15756 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1199, CVE-2018-1257, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.
  • The patch for CVE-2019-12086 also addresses CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531 and CVE-2019-20330.
  • The patch for CVE-2019-12423 also addresses CVE-2019-17573.
  • The patch for CVE-2019-13990 also addresses CVE-2019-5427.
  • The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
  • The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739.
  • The patch for CVE-2020-1945 also addresses CVE-2017-5645.
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397.
  • The patch for CVE-2020-9546 also addresses CVE-2019-16942, CVE-2019-16943, CVE-2019-17531, CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Siebel CRM.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2019-16943 Siebel Engineering - Installer & Deployment Siebel Approval Manager (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 2.20.5 and prior  
CVE-2020-1938 Siebel UI Framework EAI, SWSE (Apache Tomcat) Apache JServ Protocol (AJP) Yes 9.8 Network Low None None Un-
changed
High High High 20.5 and prior  
CVE-2019-16943 Siebel UI Framework EAI (jackson-databind) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 20.5 and prior  
CVE-2020-14531 Siebel UI Framework SWSE Server HTTP Yes 5.9 Network High None Required Un-
changed
High Low None 20.6 and prior  
CVE-2020-9488 Siebel Engineering - Installer & Deployment Siebel Approval Manager (Log4j) SMTPS Yes 3.7 Network High None None Un-
changed
Low None None 2.20.5 and prior  
Additional CVEs addressed are below:
  • The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 22 new security patches for Oracle Supply Chain.  18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2019-2729 Oracle Rapid Planning Middle Tier HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.1, 12.2  
CVE-2020-2555 Oracle Rapid Planning Middle Tier HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.1, 12.2  
CVE-2016-1000031 Oracle Rapid Planning Middle Tier (Apache Commons FileUpload) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.1, 12.2  
CVE-2016-5019 Oracle Rapid Planning Middle Tier (Apache Trinidad) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.1, 12.2  
CVE-2020-10683 Oracle Rapid Planning Middle Tier (dom4j) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.1, 12.2  
CVE-2016-4000 Oracle Rapid Planning Middle Tier (jython) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 12.1, 12.2  
CVE-2017-5645 Oracle Rapid Planning Middle Tier (Apache Ant) Multiple Yes 9.8 Network Low None None Un-
changed
High High High 12.1, 12.2  
CVE-2017-5645 Oracle Rapid Planning Middle Tier (Log4j) Multiple Yes 9.8 Network Low None None Un-
changed
High High High 12.1, 12.2  
CVE-2019-17563 Oracle Transportation Management Install (Apache Tomcat) HTTP Yes 9.8 Network Low None None Un-
changed
High High High 6.3.7  
CVE-2016-6814 Oracle Agile Engineering Data Management Install (Apache Groovy) HTTP Yes 9.6 Network Low None Required Changed High High High 6.2.1.0  
CVE-2020-1945 Oracle Rapid Planning Middle Tier (Apache Ant) HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1, 12.2  
CVE-2015-7501 Oracle Rapid Planning Middle Tier (Apache Commons Collections) HTTP No 8.8 Network Low Low None Un-
changed
High High High 12.1, 12.2  
CVE-2020-14669 Oracle Configurator UI Servlet HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1, 12.2  
CVE-2019-0227 Oracle Agile Engineering Data Management Install (Apache Axis) HTTP Yes 7.5 Adjacent
Network
High None None Un-
changed
High High High 6.2.1.0  
CVE-2019-0227 Oracle Rapid Planning Installation (Apache Axis) HTTP Yes 7.5 Adjacent
Network
High None None Un-
changed
High High High 12.1, 12.2  
CVE-2020-5398 Oracle Rapid Planning Installation (Spring Framework) HTTP Yes 7.5 Network High None Required Un-
changed
High High High 12.1, 12.2  
CVE-2018-15756 Oracle Rapid Planning Middle Tier (Spring Framework) HTTP Yes 7.5 Network Low None None Un-
changed
None None High 12.1, 12.2  
CVE-2018-8013 Oracle Rapid Planning Middle Tier (Apache Batik) HTTP Yes 7.3 Network Low None None Un-
changed
Low Low Low 12.1, 12.2  
CVE-2019-17091 Oracle Rapid Planning Installation (Eclipse Mojarra) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.1, 12.2  
CVE-2019-1547 Oracle Agile Engineering Data Management Install (OpenSSL) None No 4.7 Local High Low None Un-
changed
High None None 6.2.1.0  
CVE-2020-14551 Oracle AutoVue Security HTTP No 4.3 Network Low Low None Un-
changed
None Low None 21.0  
CVE-2020-14544 Oracle Transportation Management Data, Domain & Function Security HTTP No 4.3 Network Low Low None Un-
changed
Low None None 6.4.3  
Additional CVEs addressed are below:
  • The patch for CVE-2019-0227 also addresses CVE-2018-8032.
  • The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
  • The patch for CVE-2019-17563 also addresses CVE-2019-17569, CVE-2020-1935 and CVE-2020-1938.
  • The patch for CVE-2019-2729 also addresses CVE-2019-2725.
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397.

Oracle Systems Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Systems.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-11656 Oracle ZFS Storage Appliance Kit Operating System Image Multiple Yes 9.8 Network Low None None Un-
changed
High High High 8.8  
CVE-2020-14724 Oracle Solaris Device Driver Utility None No 7.3 Local Low Low Required Un-
changed
High High High 11  
CVE-2018-12207 Oracle Solaris Kernel None No 6.5 Local Low Low None Changed None None High 11 See Note 1
CVE-2020-14537 Oracle Solaris Packaging Scripts None No 5.5 Local Low High Required Changed None None High 11  
CVE-2020-14545 Oracle Solaris Device Driver Utility None No 5.0 Local High Low Required Un-
changed
None High Low 11  
CVE-2019-5489 Oracle Solaris Kernel Multiple No 3.5 Network High Low None Changed Low None None 11  
CVE-2020-14542 Oracle Solaris libsuri None No 3.3 Local Low Low None Un-
changed
Low None None 11  
Notes:
  1. Please refer to My Oracle Support Note 2609642.1 for further information on how CVE-2018-12207 impacts Oracle Solaris.
Additional CVEs addressed are below:
  • The patch for CVE-2020-11656 also addresses CVE-2020-1927 and CVE-2020-1934.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Utilities Applications.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-12023 Oracle Utilities Framework Common (jackson-databind) HTTP Yes 7.5 Network High None Required Un-
changed
High High High 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0  

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 25 new security patches for Oracle Virtualization.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14628 Oracle VM VirtualBox Core None No 8.2 Local Low High None Changed High High High Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 See Note 1
CVE-2020-14646 Oracle VM VirtualBox Core None No 7.5 Local High High None Changed High High High Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14647 Oracle VM VirtualBox Core None No 7.5 Local High High None Changed High High High Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14649 Oracle VM VirtualBox Core None No 7.5 Local High High None Changed High High High Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14713 Oracle VM VirtualBox Core None No 7.5 Local High High None Changed High High High Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14674 Oracle VM VirtualBox Core None No 7.5 Local High High None Changed High High High Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14675 Oracle VM VirtualBox Core None No 7.5 Local High High None Changed High High High Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14676 Oracle VM VirtualBox Core None No 7.5 Local High High None Changed High High High Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14677 Oracle VM VirtualBox Core None No 7.5 Local High High None Changed High High High Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14699 Oracle VM VirtualBox Core None No 7.5 Local High High None Changed High High High Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14711 Oracle VM VirtualBox Core None No 6.5 Local Low High Required Un-
changed
High High High Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 See Note 2
CVE-2020-14629 Oracle VM VirtualBox Core None No 6.0 Local Low High None Changed High None None Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14703 Oracle VM VirtualBox Core None No 6.0 Local Low High None Changed High None None Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14704 Oracle VM VirtualBox Core None No 6.0 Local Low High None Changed High None None Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14648 Oracle VM VirtualBox Core None No 5.3 Local High High None Changed High None None Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14650 Oracle VM VirtualBox Core None No 5.3 Local High High None Changed High None None Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14673 Oracle VM VirtualBox Core None No 5.3 Local High High None Changed High None None Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14694 Oracle VM VirtualBox Core None No 5.3 Local High High None Changed High None None Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14695 Oracle VM VirtualBox Core None No 5.3 Local High High None Changed High None None Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14698 Oracle VM VirtualBox Core None No 5.3 Local High High None Changed High None None Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14700 Oracle VM VirtualBox Core None No 5.3 Local High High None Changed High None None Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14712 Oracle VM VirtualBox Core None No 5.0 Local Low Low Required Un-
changed
None High None Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14707 Oracle VM VirtualBox Core None No 5.0 Local Low Low Required Un-
changed
None None High Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14714 Oracle VM VirtualBox Core None No 4.4 Local Low High None Un-
changed
None None High Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
CVE-2020-14715 Oracle VM VirtualBox Core None No 4.4 Local Low High None Un-
changed
None None High Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12  
Notes:
  1. The CVE-2020-14628 is applicable to Windows VM only.
  2. The CVE-2020-14711 is applicable to macOS host only.