Text Form of Oracle Critical Patch Update - October 2016 Risk Matrices

This document provides the text form of the CPUOct2016 Advisory Risk Matrices. Please note that the CVE numbers in this document correspond to the same CVE numbers in the CPUOct2016 Advisory

Text Form of Risk Matrix for Oracle Database Server

This table provides the text form of the Risk Matrix for Oracle Database Server.

CVE Identifier Description

CVE-2010-5312

Vulnerability in the Application Express component of Oracle Database Server. The supported version that is affected is Prior to 5.0.4.00.07. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Application Express. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Application Express, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Application Express accessible data as well as unauthorized read access to a subset of Application Express accessible data.

CVSS v3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]

CVE-2016-3562

Vulnerability in the RDBMS Security and SQL*Plus component of Oracle Database Server. Supported versions that are affected are 11.2.0.4 and 12.1.0.2. Easily exploitable vulnerability allows high privileged attacker having DBA level privileged account privilege with network access via Oracle Net to compromise RDBMS Security and SQL*Plus. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of RDBMS Security and SQL*Plus accessible data.

Note: Fix applicable to both server and client side installations.

CVSS v3.0 Base Score 2.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5497

Vulnerability in the RDBMS Security component of Oracle Database Server. The supported version that is affected is 12.1.0.2. Difficult to exploit vulnerability allows high privileged attacker having Create Session privilege with logon to the infrastructure where RDBMS Security executes to compromise RDBMS Security. Successful attacks of this vulnerability can result in takeover of RDBMS Security.

CVSS v3.0 Base Score 6.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5498

Vulnerability in the RDBMS Security component of Oracle Database Server. Supported versions that are affected are 11.2.0.4 and 12.1.0.2. Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with logon to the infrastructure where RDBMS Security executes to compromise RDBMS Security. Successful attacks of this vulnerability can result in unauthorized read access to a subset of RDBMS Security accessible data.

CVSS v3.0 Base Score 3.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5499

Vulnerability in the RDBMS Security component of Oracle Database Server. Supported versions that are affected are 11.2.0.4 and 12.1.0.2. Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with logon to the infrastructure where RDBMS Security executes to compromise RDBMS Security. Successful attacks of this vulnerability can result in unauthorized read access to a subset of RDBMS Security accessible data.

CVSS v3.0 Base Score 3.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5505

Vulnerability in the RDBMS Programmable Interface component of Oracle Database Server. Supported versions that are affected are 11.2.0.4 and 12.1.0.2. Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with logon to the infrastructure where RDBMS Programmable Interface executes to compromise RDBMS Programmable Interface. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all RDBMS Programmable Interface accessible data.

CVSS v3.0 Base Score 5.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-5516

Vulnerability in the Kernel PDB component of Oracle Database Server. The supported version that is affected is 12.1.0.2. Easily exploitable vulnerability allows high privileged attacker having Execute on DBMS_PDB_EXEC_SQL privilege with logon to the infrastructure where Kernel PDB executes to compromise Kernel PDB. While the vulnerability is in Kernel PDB, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Kernel PDB.

CVSS v3.0 Base Score 6.0 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5555

Vulnerability in the OJVM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4 and 12.1.0.2. Easily exploitable vulnerability allows high privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise OJVM. While the vulnerability is in OJVM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of OJVM.

CVSS v3.0 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5572

Vulnerability in the Kernel PDB component of Oracle Database Server. The supported version that is affected is 12.1.0.2. Difficult to exploit vulnerability allows high privileged attacker having Create Session privilege with logon to the infrastructure where Kernel PDB executes to compromise Kernel PDB. Successful attacks of this vulnerability can result in takeover of Kernel PDB.

CVSS v3.0 Base Score 6.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Secure Backup

This table provides the text form of the Risk Matrix for Oracle Secure Backup.

CVE Identifier Description

CVE-2015-0286

Vulnerability in the Oracle Secure Backup component of Oracle Secure Backup. The supported version that is affected is Prior to 10.4.0.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via SSL to compromise Oracle Secure Backup. While the vulnerability is in Oracle Secure Backup, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Secure Backup.

CVSS v3.0 Base Score 5.8 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L). (legend) [Advisory]

CVE-2015-1351

Vulnerability in the Oracle Secure Backup component of Oracle Secure Backup. The supported version that is affected is Prior to 12.1.0.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Secure Backup. While the vulnerability is in Oracle Secure Backup, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Secure Backup.

CVSS v3.0 Base Score 5.8 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Big Data Graph

This table provides the text form of the Risk Matrix for Oracle Big Data Graph.

CVE Identifier Description

CVE-2015-7501

Vulnerability in the Big Data Graph component of Oracle Big Data Graph (subcomponent: Apache Commons Collections). The supported version that is affected is Prior to 1.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Big Data Graph. Successful attacks of this vulnerability can result in takeover of Big Data Graph.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Fusion Middleware

This table provides the text form of the Risk Matrix for Oracle Fusion Middleware.

CVE Identifier Description

CVE-2015-3253

Vulnerability in the Oracle Big Data Discovery component of Oracle Fusion Middleware (subcomponent: Data Processing). Supported versions that are affected are 1.1.1, 1.1.3 and 1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Big Data Discovery. Successful attacks of this vulnerability can result in takeover of Oracle Big Data Discovery.

CVSS v3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2015-7501

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: None). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS v3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-1950

Vulnerability in the Oracle GlassFish Server component of Oracle Fusion Middleware (subcomponent: Security). The supported version that is affected is 2.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle GlassFish Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle GlassFish Server.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-1950

Vulnerability in the Oracle iPlanet Web Proxy Server component of Oracle Fusion Middleware (subcomponent: Security). The supported version that is affected is 4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle iPlanet Web Proxy Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle iPlanet Web Proxy Server.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-1950

Vulnerability in the Oracle iPlanet Web Server component of Oracle Fusion Middleware (subcomponent: Security ). The supported version that is affected is 7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle iPlanet Web Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle iPlanet Web Server.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-2107

Vulnerability in the Oracle Business Intelligence Enterprise Edition component of Oracle Fusion Middleware (subcomponent: Installation). Supported versions that are affected are 11.1.1.7.0, 11.1.1.9.0, 12.1.1.0.0 and 12.2.1.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.

CVSS v3.0 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-3473

Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: Security). Supported versions that are affected are 11.1.1.7.0, 11.1.1.9.0 and 12.2.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher). While the vulnerability is in BI Publisher (formerly XML Publisher), attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all BI Publisher (formerly XML Publisher) accessible data.

CVSS v3.0 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-3505

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: JavaServer Faces). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-3551

Vulnerability in the Oracle Web Services component of Oracle Fusion Middleware (subcomponent: JAXWS Web Services Stack). Supported versions that are affected are 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Services. Successful attacks of this vulnerability can result in takeover of Oracle Web Services.

CVSS v3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5488

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Container). Supported versions that are affected are 10.3.6.0 and 12.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server.

CVSS v3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2016-5495

Vulnerability in the Oracle Discoverer component of Oracle Fusion Middleware (subcomponent: EUL Code & Schema). The supported version that is affected is 11.1.1.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Discoverer. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Discoverer accessible data.

CVSS v3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-5500

Vulnerability in the Oracle Discoverer component of Oracle Fusion Middleware (subcomponent: Viewer). The supported version that is affected is 11.1.1.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Discoverer. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Discoverer accessible data.

CVSS v3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-5506

Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: App Server). For supported versions that are affected see note. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Identity Manager executes to compromise Oracle Identity Manager. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Identity Manager accessible data as well as unauthorized read access to a subset of Oracle Identity Manager accessible data.

Note: Fixed in all supported releases and patchsets.

CVSS v3.0 Base Score 3.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N). (legend) [Advisory]

CVE-2016-5511

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Security). Supported versions that are affected are 12.2.1.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data.

Note: Please refer to My Oracle Support Note 2188873.1 for instructions on how to address this issue.

CVSS v3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). (legend) [Advisory]

CVE-2016-5519

Vulnerability in the Oracle GlassFish Server component of Oracle Fusion Middleware (subcomponent: Java Server Faces). Supported versions that are affected are 2.1.1, 3.0.1 and 3.1.2. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise Oracle GlassFish Server. Successful attacks of this vulnerability can result in takeover of Oracle GlassFish Server.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5531

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS-WebServices). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS v3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5535

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: None). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0 and 12.2.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS v3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5536

Vulnerability in the Oracle Platform Security for Java component of Oracle Fusion Middleware (subcomponent: Audit Schema). Supported versions that are affected are 12.1.3.0.0, 12.2.1.0.0 and 12.2.1.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Platform Security for Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Platform Security for Java accessible data as well as unauthorized update, insert or delete access to some of Oracle Platform Security for Java accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Platform Security for Java.

CVSS v3.0 Base Score 7.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L). (legend) [Advisory]

CVE-2016-5537

Vulnerability in the NetBeans component of Oracle Fusion Middleware (subcomponent: Project Import). The supported version that is affected is 8.1. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where NetBeans executes to compromise NetBeans. While the vulnerability is in NetBeans, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of NetBeans accessible data as well as unauthorized read access to a subset of NetBeans accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of NetBeans.

CVSS v3.0 Base Score 5.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L). (legend) [Advisory]

CVE-2016-5558

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.4.0, 8.5.1, 8.5.2 and 8.5.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Outside In Technology accessible data as well as unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology.

Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). (legend) [Advisory]

CVE-2016-5574

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.4.0, 8.5.1, 8.5.2 and 8.5.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Outside In Technology accessible data as well as unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology.

Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). (legend) [Advisory]

CVE-2016-5577

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.4.0, 8.5.1, 8.5.2 and 8.5.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Outside In Technology accessible data as well as unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology.

Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). (legend) [Advisory]

CVE-2016-5578

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.4.0, 8.5.1, 8.5.2 and 8.5.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Outside In Technology accessible data as well as unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology.

Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). (legend) [Advisory]

CVE-2016-5579

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.4.0, 8.5.1, 8.5.2 and 8.5.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Outside In Technology accessible data as well as unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology.

Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). (legend) [Advisory]

CVE-2016-5588

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.4.0, 8.5.1, 8.5.2 and 8.5.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Outside In Technology accessible data as well as unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology.

Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). (legend) [Advisory]

CVE-2016-5601

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: CIE Related Components). Supported versions that are affected are 12.1.3.0, 12.2.1.0 and 12.2.1.1. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle WebLogic Server executes to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data.

CVSS v3.0 Base Score 6.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N). (legend) [Advisory]

CVE-2016-5602

Vulnerability in the Oracle Data Integrator component of Oracle Fusion Middleware (subcomponent: Code Generation Engine). Supported versions that are affected are 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0 and 12.2.1.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Data Integrator. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Data Integrator accessible data.

Note: Please refer to My Oracle Support Note 2188855.1 for instructions on how to address this issue.

CVSS v3.0 Base Score 5.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-5618

Vulnerability in the Oracle Data Integrator component of Oracle Fusion Middleware (subcomponent: Code Generation Engine). Supported versions that are affected are 11.1.1.7.0, 11.1.1.9.0, 12.1.2.0.0, 12.1.3.0.0, 12.2.1.0.0 and 12.2.1.1.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Data Integrator. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Data Integrator accessible data.

Note: Please refer to My Oracle Support Note 2188871.1 for instructions on how to address this issue.

CVSS v3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-8281

Vulnerability in the Oracle Platform Security for Java component of Oracle Fusion Middleware (subcomponent: Audit Reports). Supported versions that are affected are 12.1.3.0.0, 12.2.1.0.0 and 12.2.1.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Platform Security for Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Platform Security for Java accessible data as well as unauthorized update, insert or delete access to some of Oracle Platform Security for Java accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Platform Security for Java.

CVSS v3.0 Base Score 7.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Enterprise Manager Grid Control

This table provides the text form of the Risk Matrix for Oracle Enterprise Manager Grid Control.

CVE Identifier Description

CVE-2015-7940

Vulnerability in the Oracle Application Testing Suite component of Oracle Enterprise Manager Grid Control (subcomponent: Load Testing for Web Apps). Supported versions that are affected are 12.5.0.1, 12.5.0.2 and 12.5.0.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Application Testing Suite. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Application Testing Suite accessible data.

CVSS v3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2015-7940

Vulnerability in the Enterprise Manager component of Oracle Enterprise Manager Grid Control (subcomponent: Ops Center). Supported versions that are affected are 12.1.4 and 12.2.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Enterprise Manager. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager accessible data.

CVSS v3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-2107

Vulnerability in the Enterprise Manager component of Oracle Enterprise Manager Grid Control (subcomponent: Ops Center). Supported versions that are affected are 12.1.4, 12.2.2 and 12.3.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Enterprise Manager. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Enterprise Manager and unauthorized read access to a subset of Enterprise Manager accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H). (legend) [Advisory]

CVE-2016-4979

Vulnerability in the Enterprise Manager component of Oracle Enterprise Manager Grid Control (subcomponent: Ops Center). Supported versions that are affected are 12.1.4, 12.2.2 and 12.3.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Enterprise Manager accessible data.

CVSS v3.0 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]

CVE-2016-5604

Vulnerability in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Grid Control (subcomponent: Security Framework). The supported version that is affected is 12.1.0.5. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Enterprise Manager Base Platform executes to compromise Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Enterprise Manager Base Platform, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Enterprise Manager Base Platform accessible data as well as unauthorized read access to a subset of Enterprise Manager Base Platform accessible data.

CVSS v3.0 Base Score 6.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle E-Business Suite

This table provides the text form of the Risk Matrix for Oracle E-Business Suite.

CVE Identifier Description

CVE-2016-2176

Vulnerability in the Oracle HTTP Server component of Oracle E-Business Suite (subcomponent: OpenSSL). The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle HTTP Server and unauthorized read access to a subset of Oracle HTTP Server accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H). (legend) [Advisory]

CVE-2016-5489

Vulnerability in the Oracle iStore component of Oracle E-Business Suite (subcomponent: Runtime Catalog). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3 and 12.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). (legend) [Advisory]

CVE-2016-5517

Vulnerability in the Oracle Applications DBA component of Oracle E-Business Suite (subcomponent: AD Utilities). The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Applications DBA executes to compromise Oracle Applications DBA. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Applications DBA accessible data.

CVSS v3.0 Base Score 5.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-5532

Vulnerability in the Oracle Shipping Execution component of Oracle E-Business Suite (subcomponent: Workflow Events). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Shipping Execution. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Shipping Execution accessible data.

CVSS v3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5557

Vulnerability in the Oracle Advanced Pricing component of Oracle E-Business Suite (subcomponent: Price Book). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Pricing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Advanced Pricing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Advanced Pricing accessible data as well as unauthorized update, insert or delete access to some of Oracle Advanced Pricing accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). (legend) [Advisory]

CVE-2016-5562

Vulnerability in the Oracle iProcurement component of Oracle E-Business Suite (subcomponent: Requisition Management). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iProcurement. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iProcurement, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iProcurement accessible data as well as unauthorized update, insert or delete access to some of Oracle iProcurement accessible data.

CVSS v3.0 Base Score 7.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N). (legend) [Advisory]

CVE-2016-5567

Vulnerability in the Oracle Applications DBA component of Oracle E-Business Suite (subcomponent: AD Utilities). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications DBA accessible data as well as unauthorized access to critical data or complete access to all Oracle Applications DBA accessible data.

CVSS v3.0 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]

CVE-2016-5570

Vulnerability in the Oracle Applications DBA component of Oracle E-Business Suite (subcomponent: AD Utilities). Supported versions that are affected are 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications DBA accessible data as well as unauthorized access to critical data or complete access to all Oracle Applications DBA accessible data.

CVSS v3.0 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]

CVE-2016-5571

Vulnerability in the Oracle Applications DBA component of Oracle E-Business Suite (subcomponent: AD Utilities). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications DBA accessible data as well as unauthorized access to critical data or complete access to all Oracle Applications DBA accessible data.

CVSS v3.0 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]

CVE-2016-5575

Vulnerability in the Oracle Common Applications Calendar component of Oracle E-Business Suite (subcomponent: Resources Module). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Common Applications Calendar. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Common Applications Calendar accessible data.

CVSS v3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5581

Vulnerability in the Oracle iRecruitment component of Oracle E-Business Suite (subcomponent: Candidate Self Service). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows physical access to compromise Oracle iRecruitment. Successful attacks of this vulnerability can result in takeover of Oracle iRecruitment.

CVSS v3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5583

Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: File Upload). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle One-to-One Fulfillment accessible data.

CVSS v3.0 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (legend) [Advisory]

CVE-2016-5585

Vulnerability in the Oracle Interaction Center Intelligence component of Oracle E-Business Suite (subcomponent: Select Application Dependencies). Supported versions that are affected are 12.1.1, 12.1.2 and 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Interaction Center Intelligence. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Interaction Center Intelligence accessible data as well as unauthorized read access to a subset of Oracle Interaction Center Intelligence accessible data.

CVSS v3.0 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]

CVE-2016-5586

Vulnerability in the Oracle Email Center component of Oracle E-Business Suite (subcomponent: Dispatch/Service Call Requests). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Email Center. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Email Center accessible data as well as unauthorized read access to a subset of Oracle Email Center accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N). (legend) [Advisory]

CVE-2016-5587

Vulnerability in the Oracle Customer Interaction History component of Oracle E-Business Suite (subcomponent: Outcome-Result). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3 and 12.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Customer Interaction History. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Customer Interaction History accessible data as well as unauthorized read access to a subset of Oracle Customer Interaction History accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N). (legend) [Advisory]

CVE-2016-5589

Vulnerability in the Oracle CRM Technical Foundation component of Oracle E-Business Suite (subcomponent: Responsibility Management). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle CRM Technical Foundation. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle CRM Technical Foundation accessible data as well as unauthorized read access to a subset of Oracle CRM Technical Foundation accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N). (legend) [Advisory]

CVE-2016-5591

Vulnerability in the Oracle Customer Interaction History component of Oracle E-Business Suite (subcomponent: Outcome-Result). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3 and 12.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Customer Interaction History. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Customer Interaction History accessible data as well as unauthorized read access to a subset of Oracle Customer Interaction History accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N). (legend) [Advisory]

CVE-2016-5592

Vulnerability in the Oracle Customer Interaction History component of Oracle E-Business Suite (subcomponent: Result-Reason). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3 and 12.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Customer Interaction History. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Customer Interaction History accessible data as well as unauthorized read access to a subset of Oracle Customer Interaction History accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N). (legend) [Advisory]

CVE-2016-5593

Vulnerability in the Oracle Customer Interaction History component of Oracle E-Business Suite (subcomponent: Outcome-Result). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3 and 12.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Customer Interaction History. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Customer Interaction History accessible data as well as unauthorized read access to a subset of Oracle Customer Interaction History accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N). (legend) [Advisory]

CVE-2016-5595

Vulnerability in the Oracle Customer Interaction History component of Oracle E-Business Suite (subcomponent: Result-Reason). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3 and 12.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Customer Interaction History. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Customer Interaction History accessible data as well as unauthorized read access to a subset of Oracle Customer Interaction History accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N). (legend) [Advisory]

CVE-2016-5596

Vulnerability in the Oracle CRM Technical Foundation component of Oracle E-Business Suite (subcomponent: Default Responsibility). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle CRM Technical Foundation. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle CRM Technical Foundation accessible data.

CVSS v3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Supply Chain Products Suite

This table provides the text form of the Risk Matrix for Oracle Supply Chain Products Suite.

CVE Identifier Description

CVE-2015-3253

Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Event Java PX). Supported versions that are affected are 9.3.4 and 9.3.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2015-7501

Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Apache Commons Collections). Supported versions that are affected are 9.3.4 and 9.3.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-0635

Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Spring). Supported versions that are affected are 9.3.4 and 9.3.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-0714

Vulnerability in the Oracle Transportation Management component of Oracle Supply Chain Products Suite (subcomponent: Install). Supported versions that are affected are 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6 and 6.3.7. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Transportation Management. Successful attacks of this vulnerability can result in takeover of Oracle Transportation Management.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-2107

Vulnerability in the Oracle Transportation Management component of Oracle Supply Chain Products Suite (subcomponent: Install). Supported versions that are affected are 6.1 and 6.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Transportation Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Transportation Management and unauthorized read access to a subset of Oracle Transportation Management accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H). (legend) [Advisory]

CVE-2016-5504

Vulnerability in the Oracle Agile Product Lifecycle Management for Process component of Oracle Supply Chain Products Suite (subcomponent: Supplier Portal). Supported versions that are affected are 6.1.0.4, 6.1.1.6 and 6.2.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Agile Product Lifecycle Management for Process executes to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile Product Lifecycle Management for Process accessible data.

CVSS v3.0 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-5510

Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Folders, Files & Attachments). Supported versions that are affected are 9.3.4 and 9.3.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Agile PLM accessible data.

CVSS v3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5512

Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.4 and 9.3.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Agile PLM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Agile PLM accessible data as well as unauthorized read access to a subset of Oracle Agile PLM accessible data.

CVSS v3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]

CVE-2016-5513

Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: File Manager). Supported versions that are affected are 9.3.4 and 9.3.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Agile PLM accessible data.

CVSS v3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5514

Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: ExportServlet). Supported versions that are affected are 9.3.4 and 9.3.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5515

Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: RMIServlet). Supported versions that are affected are 9.3.4 and 9.3.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5518

Vulnerability in the Oracle Agile Engineering Data Management component of Oracle Supply Chain Products Suite (subcomponent: webfileservices). Supported versions that are affected are 6.1.3.0 and 6.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Engineering Data Management. Successful attacks of this vulnerability can result in takeover of Oracle Agile Engineering Data Management.

CVSS v3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5521

Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.4 and 9.3.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Agile PLM accessible data as well as unauthorized read access to a subset of Oracle Agile PLM accessible data.

CVSS v3.0 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]

CVE-2016-5522

Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.4 and 9.3.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Agile PLM accessible data.

CVSS v3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5523

Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: AutoVue Java Applet). Supported versions that are affected are 9.3.4 and 9.3.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5524

Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.4 and 9.3.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Agile PLM accessible data.

CVSS v3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5526

Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Apache Tomcat). Supported versions that are affected are 9.3.4 and 9.3.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Agile PLM accessible data as well as unauthorized read access to a subset of Oracle Agile PLM accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Agile PLM.

CVSS v3.0 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]

CVE-2016-5527

Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.4 and 9.3.5. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM accessible data.

CVSS v3.0 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-5599

Vulnerability in the Oracle Advanced Supply Chain Planning component of Oracle Supply Chain Products Suite (subcomponent: MscObieeSrvlt). Supported versions that are affected are 12.2.3, 12.2.4 and 12.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Supply Chain Planning. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Advanced Supply Chain Planning accessible data as well as unauthorized access to critical data or complete access to all Oracle Advanced Supply Chain Planning accessible data.

CVSS v3.0 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle PeopleSoft Products

This table provides the text form of the Risk Matrix for Oracle PeopleSoft Products.

CVE Identifier Description

CVE-2015-7940

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Bouncy Castle Java). Supported versions that are affected are 8.54 and 8.55. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data.

CVSS v3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-5529

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data.

CVSS v3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]

CVE-2016-5530

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data.

CVSS v3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]

CVE-2016-5600

Vulnerability in the PeopleSoft Enterprise SCM Services Procurement component of Oracle PeopleSoft Products (subcomponent: Security). Supported versions that are affected are 9.1 and 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM Services Procurement. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise SCM Services Procurement accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise SCM Services Procurement accessible data.

CVSS v3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]

CVE-2016-8285

Vulnerability in the PeopleSoft Enterprise HCM component of Oracle PeopleSoft Products (subcomponent: Candidate Gateway). The supported version that is affected is 9.2. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise HCM accessible data as well as unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM accessible data.

CVSS v3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N). (legend) [Advisory]

CVE-2016-8291

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Mobile Application Platform). Supported versions that are affected are 8.54 and 8.55. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). (legend) [Advisory]

CVE-2016-8292

Vulnerability in the PeopleSoft Enterprise HCM component of Oracle PeopleSoft Products (subcomponent: Talent Acquisition Manager). The supported version that is affected is 9.2. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM accessible data.

CVSS v3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]

CVE-2016-8293

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). (legend) [Advisory]

CVE-2016-8294

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Query). Supported versions that are affected are 8.54 and 8.55. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data.

CVSS v3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-8295

Vulnerability in the PeopleSoft Enterprise HCM component of Oracle PeopleSoft Products (subcomponent: Schedule). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise HCM accessible data.

CVSS v3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-8296

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: LDAP). Supported versions that are affected are 8.54 and 8.55. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data.

CVSS v3.0 Base Score 7.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle JD Edwards Products

This table provides the text form of the Risk Matrix for Oracle JD Edwards Products.

CVE Identifier Description

CVE-2015-1793

Vulnerability in the JD Edwards World Security component of Oracle JD Edwards Products (subcomponent: GUI / World Vision). The supported version that is affected is A9.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise JD Edwards World Security. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards World Security accessible data as well as unauthorized read access to a subset of JD Edwards World Security accessible data.

CVSS v3.0 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]

CVE-2016-1181

Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracle JD Edwards Products (subcomponent: Web Runtime SEC). The supported version that is affected is 9.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools.

CVSS v3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Siebel CRM

This table provides the text form of the Risk Matrix for Oracle Siebel CRM.

CVE Identifier Description

CVE-2016-3081

Vulnerability in the Siebel Apps - E-Billing component of Oracle Siebel CRM (subcomponent: Security). The supported version that is affected is 7.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - E-Billing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - E-Billing.

CVSS v3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5534

Vulnerability in the Siebel Apps - Customer Order Management component of Oracle Siebel CRM (subcomponent: Customizable Prod/Configurator). The supported version that is affected is 16.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel Apps - Customer Order Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Siebel Apps - Customer Order Management accessible data.

CVSS v3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-5560

Vulnerability in the Siebel UI Framework component of Oracle Siebel CRM (subcomponent: OpenUI). The supported version that is affected is 16.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel UI Framework. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Siebel UI Framework accessible data as well as unauthorized read access to a subset of Siebel UI Framework accessible data.

CVSS v3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Commerce

This table provides the text form of the Risk Matrix for Oracle Commerce.

CVE Identifier Description

CVE-2015-3253

Vulnerability in the Oracle Commerce Platform component of Oracle Commerce (subcomponent: Dynamo Application Framework). Supported versions that are affected are 10.0.3.5, 10.2.0.5 and 11.2.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Commerce Platform. Successful attacks of this vulnerability can result in takeover of Oracle Commerce Platform.

CVSS v3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2015-7501

Vulnerability in the Oracle Commerce Guided Search / Oracle Commerce Experience Manager component of Oracle Commerce (subcomponent: Content Acquisition System). Supported versions that are affected are 3.1.1, 3.1.2, 11.0, 11.1 and 11.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Commerce Guided Search / Oracle Commerce Experience Manager. Successful attacks of this vulnerability can result in takeover of Oracle Commerce Guided Search / Oracle Commerce Experience Manager.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-0635

Vulnerability in the Oracle Commerce Guided Search / Oracle Commerce Experience Manager component of Oracle Commerce (subcomponent: Content Acquisition System). Supported versions that are affected are 3.1.1, 3.1.2, 11.0, 11.1 and 11.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Commerce Guided Search / Oracle Commerce Experience Manager. Successful attacks of this vulnerability can result in takeover of Oracle Commerce Guided Search / Oracle Commerce Experience Manager.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-2107

Vulnerability in the Oracle Commerce Guided Search / Oracle Commerce Experience Manager component of Oracle Commerce (subcomponent: MDEX). Supported versions that are affected are 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1 and 6.5.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Commerce Guided Search / Oracle Commerce Experience Manager. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Commerce Guided Search / Oracle Commerce Experience Manager and unauthorized read access to a subset of Oracle Commerce Guided Search / Oracle Commerce Experience Manager accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H). (legend) [Advisory]

CVE-2016-5482

Vulnerability in the Oracle Commerce Guided Search component of Oracle Commerce (subcomponent: Oracle Commerce Guided Search). Supported versions that are affected are 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1 and 6.5.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Commerce Guided Search. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Commerce Guided Search, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Commerce Guided Search accessible data as well as unauthorized update, insert or delete access to some of Oracle Commerce Guided Search accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). (legend) [Advisory]

CVE-2016-5491

Vulnerability in the Oracle Commerce Service Center component of Oracle Commerce (subcomponent: Commerce Service Center). Supported versions that are affected are 10.0.3.5 and 10.2.0.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Commerce Service Center. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Commerce Service Center, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Commerce Service Center accessible data as well as unauthorized update, insert or delete access to some of Oracle Commerce Service Center accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Communications Applications

This table provides the text form of the Risk Matrix for Oracle Communications Applications.

CVE Identifier Description

CVE-2013-2067

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: Tomcat). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Policy Management accessible data as well as unauthorized read access to a subset of Oracle Communications Policy Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]

CVE-2013-2566

Vulnerability in the Oracle Enterprise Session Border Controller component of Oracle Communications Applications (subcomponent: Security). Supported versions that are affected are Ecz7.3m1p4 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSH to compromise Oracle Enterprise Session Border Controller. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Session Border Controller accessible data.

CVSS v3.0 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2013-4286

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: Tomcat). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Policy Management accessible data as well as unauthorized read access to a subset of Oracle Communications Policy Management accessible data.

CVSS v3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]

CVE-2013-4322

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: Tomcat). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2013-4444

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: Tomcat). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Policy Management accessible data as well as unauthorized read access to a subset of Oracle Communications Policy Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]

CVE-2013-4590

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: Tomcat). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Communications Policy Management accessible data.

CVSS v3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2014-0050

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: Tomcat). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Policy Management accessible data as well as unauthorized read access to a subset of Oracle Communications Policy Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]

CVE-2014-0075

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: Tomcat). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2014-0096

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: Tomcat). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Communications Policy Management accessible data.

CVSS v3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2014-0099

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: Tomcat). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Policy Management accessible data.

CVSS v3.0 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (legend) [Advisory]

CVE-2014-0119

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: Tomcat). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Communications Policy Management accessible data.

CVSS v3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2014-0224

Vulnerability in the Oracle Enterprise Session Border Controller component of Oracle Communications Applications (subcomponent: OpenSSL). Supported versions that are affected are Ecz7.3m1p4 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL to compromise Oracle Enterprise Session Border Controller. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Enterprise Session Border Controller accessible data as well as unauthorized read access to a subset of Oracle Enterprise Session Border Controller accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Session Border Controller.

CVSS v3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]

CVE-2014-0224

Vulnerability in the Oracle Enterprise Communications Broker component of Oracle Communications Applications (subcomponent: OpenSSL). Supported versions that are affected are Pcz2.0.0m4p5 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL to compromise Oracle Enterprise Communications Broker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Enterprise Communications Broker accessible data as well as unauthorized read access to a subset of Oracle Enterprise Communications Broker accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Communications Broker.

CVSS v3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]

CVE-2014-0224

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: OpenSSL). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via SSL to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Policy Management accessible data as well as unauthorized read access to a subset of Oracle Communications Policy Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]

CVE-2014-0227

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: Tomcat). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Policy Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L). (legend) [Advisory]

CVE-2014-2532

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: Security). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via SSH to compromise Oracle Communications Policy Management. While the vulnerability is in Oracle Communications Policy Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Policy Management accessible data as well as unauthorized read access to a subset of Oracle Communications Policy Management accessible data.

CVSS v3.0 Base Score 4.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N). (legend) [Advisory]

CVE-2014-3571

Vulnerability in the Oracle Enterprise Session Border Controller component of Oracle Communications Applications (subcomponent: OpenSSL). Supported versions that are affected are Ecz7.3m1p4 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via SSL to compromise Oracle Enterprise Session Border Controller. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Session Border Controller.

CVSS v3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2014-3571

Vulnerability in the Oracle Enterprise Communications Broker component of Oracle Communications Applications (subcomponent: OpenSSL). Supported versions that are affected are Pcz2.0.0m4p5 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via SSL to compromise Oracle Enterprise Communications Broker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Communications Broker.

CVSS v3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2014-3571

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: OpenSSL). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via SSL to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Policy Management accessible data.

CVSS v3.0 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (legend) [Advisory]

CVE-2014-9296

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: NTP). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via NTP to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2015-0235

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: Glibc). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Policy Management accessible data as well as unauthorized read access to a subset of Oracle Communications Policy Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]

CVE-2015-0286

Vulnerability in the Oracle Enterprise Session Border Controller component of Oracle Communications Applications (subcomponent: OpenSSL). Supported versions that are affected are Ecz7.3m1p4 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via SSL to compromise Oracle Enterprise Session Border Controller. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Session Border Controller.

CVSS v3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2015-0286

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: OpenSSL). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via SSL to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Policy Management accessible data as well as unauthorized read access to a subset of Oracle Communications Policy Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]

CVE-2015-0381

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: MySQL). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2015-0382

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: MySQL). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2015-0409

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: MySQL). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2015-0411

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: MySQL). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Policy Management accessible data as well as unauthorized read access to a subset of Oracle Communications Policy Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]

CVE-2015-0423

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: MySQL). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2015-0433

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: MySQL). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2015-0500

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: MySQL). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2015-1791

Vulnerability in the Oracle Enterprise Session Border Controller component of Oracle Communications Applications (subcomponent: OpenSSL). Supported versions that are affected are Ecz7.3m1p4 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL to compromise Oracle Enterprise Session Border Controller. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Enterprise Session Border Controller accessible data as well as unauthorized read access to a subset of Oracle Enterprise Session Border Controller accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Session Border Controller.

CVSS v3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]

CVE-2015-2568

Vulnerability in the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: MySQL). Supported versions that are affected are 9.7.3, 9.9.1, 10.4.1 and 12.1.1 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Policy Management.

CVSS v3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2015-3195

Vulnerability in the Oracle Enterprise Session Border Controller component of Oracle Communications Applications (subcomponent: OpenSSL). Supported versions that are affected are Ecz7.3m1p4 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via SSL to compromise Oracle Enterprise Session Border Controller. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Session Border Controller.

CVSS v3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2015-3197

Vulnerability in the Oracle Enterprise Session Border Controller component of Oracle Communications Applications (subcomponent: OpenSSL). Supported versions that are affected are Ecz7.3m1p4 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL to compromise Oracle Enterprise Session Border Controller. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Session Border Controller accessible data.

CVSS v3.0 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-2107

Vulnerability in the Oracle Enterprise Session Border Controller component of Oracle Communications Applications (subcomponent: OpenSSL). Supported versions that are affected are Ecz7.3m1p4 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via SSL to compromise Oracle Enterprise Session Border Controller. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Session Border Controller and unauthorized read access to a subset of Oracle Enterprise Session Border Controller accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Financial Services Applications

This table provides the text form of the Risk Matrix for Oracle Financial Services Applications.

CVE Identifier Description

CVE-2015-7501

Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure component of Oracle Financial Services Applications (subcomponent: Apache Commons Collections). Supported versions that are affected are 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 8.0.0, 8.0.1, 8.0.2 and 8.0.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Analytical Applications Infrastructure.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2015-7501

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Apache Commons Collections). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0 and 12.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in takeover of Oracle FLEXCUBE Universal Banking.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2015-7501

Vulnerability in the Oracle FLEXCUBE Investor Servicing component of Oracle Financial Services Applications (subcomponent: Apache Commons Collections). The supported version that is affected is 12.0.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in takeover of Oracle FLEXCUBE Investor Servicing.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2015-7501

Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral Management component of Oracle Financial Services Applications (subcomponent: Apache Commons Collections). Supported versions that are affected are 12.0.0 and 12.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Enterprise Limits and Collateral Management. Successful attacks of this vulnerability can result in takeover of Oracle FLEXCUBE Enterprise Limits and Collateral Management.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2015-7501

Vulnerability in the Oracle FLEXCUBE Core Banking component of Oracle Financial Services Applications (subcomponent: Apache Commons Collections). Supported versions that are affected are 11.5.0.0.0 and 11.6.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Core Banking. Successful attacks of this vulnerability can result in takeover of Oracle FLEXCUBE Core Banking.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2015-7501

Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Apache Commons Collections). Supported versions that are affected are 2.0.0, 2.0.1, 2.2.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3 and 12.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Private Banking. Successful attacks of this vulnerability can result in takeover of Oracle FLEXCUBE Private Banking.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2015-7501

Vulnerability in the Oracle Financial Services Lending and Leasing component of Oracle Financial Services Applications (subcomponent: Apache Commons Collections). Supported versions that are affected are 14.1.0 and 14.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Lending and Leasing. Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Lending and Leasing.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2015-7501

Vulnerability in the Oracle Banking Digital Experience component of Oracle Financial Services Applications (subcomponent: Apache Commons Collections). The supported version that is affected is 15.1. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Banking Digital Experience. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Banking Digital Experience accessible data.

CVSS v3.0 Base Score 2.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-0635

Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure component of Oracle Financial Services Applications (subcomponent: Inline Processing). Supported versions that are affected are 8.0.0, 8.0.1, 8.0.2 and 8.0.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Analytical Applications Infrastructure.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-3081

Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Struts). Supported versions that are affected are 2.0.0, 2.0.1, 2.2.0, 12.0.1, 12.0.3 and 12.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Private Banking. Successful attacks of this vulnerability can result in takeover of Oracle FLEXCUBE Private Banking.

CVSS v3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5479

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: INFRA). Supported versions that are affected are 11.3.0, 11.4.0 and 12.0.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data.

CVSS v3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5490

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: INFRA). The supported version that is affected is 11.4.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle FLEXCUBE Universal Banking executes to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data.

CVSS v3.0 Base Score 3.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5493

Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Admin). Supported versions that are affected are 12.0.1, 12.0.2 and 12.0.3. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Private Banking. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Private Banking accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Private Banking accessible data.

CVSS v3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]

CVE-2016-5502

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: INFRA). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.2 and 12.0.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Universal Banking accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data.

CVSS v3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]

CVE-2016-5543

Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral Management component of Oracle Financial Services Applications (subcomponent: INFRA). Supported versions that are affected are 12.0.0 and 12.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Enterprise Limits and Collateral Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle FLEXCUBE Enterprise Limits and Collateral Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data.

CVSS v3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]

CVE-2016-5569

Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral Management component of Oracle Financial Services Applications (subcomponent: Limits and Collateral). Supported versions that are affected are 12.0.0 and 12.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Enterprise Limits and Collateral Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data.

CVSS v3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]

CVE-2016-5594

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: INFRA). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.2 and 12.0.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. While the vulnerability is in Oracle FLEXCUBE Universal Banking, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data.

CVSS v3.0 Base Score 5.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5603

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: INFRA). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0 and 12.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data.

CVSS v3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5607

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: INFRA). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0 and 12.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in takeover of Oracle FLEXCUBE Universal Banking.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5619

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: INFRA). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0 and 12.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Universal Banking accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data.

CVSS v3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]

CVE-2016-5620

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: INFRA). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0 and 12.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Universal Banking accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data.

CVSS v3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]

CVE-2016-5621

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: INFRA). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0 and 12.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data.

CVSS v3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5622

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: INFRA). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0 and 12.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle FLEXCUBE Universal Banking, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data as well as unauthorized update, insert or delete access to some of Oracle FLEXCUBE Universal Banking accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Health Sciences Applications

This table provides the text form of the Risk Matrix for Oracle Health Sciences Applications.

CVE Identifier Description

CVE-2016-2107

Vulnerability in the Oracle Life Sciences Data Hub component of Oracle Health Sciences Applications (subcomponent: OpenSSL). The supported version that is affected is 2.x. Easily exploitable vulnerability allows unauthenticated attacker with network access via SSL to compromise Oracle Life Sciences Data Hub. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Life Sciences Data Hub and unauthorized read access to a subset of Oracle Life Sciences Data Hub accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Hospitality Applications

This table provides the text form of the Risk Matrix for Oracle Hospitality Applications.

CVE Identifier Description

CVE-2016-5563

Vulnerability in the Oracle Hospitality OPERA 5 Property Services component of Oracle Hospitality Applications (subcomponent: OPERA File Upload Download). Supported versions that are affected are 5.4.0.0, 5.4.1.0, 5.4.2.0, 5.4.3.0, 5.5.0.0 and 5.5.1.0. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. While the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 Property Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hospitality OPERA 5 Property Services.

CVSS v3.0 Base Score 7.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L). (legend) [Advisory]

CVE-2016-5564

Vulnerability in the Oracle Hospitality OPERA 5 Property Services component of Oracle Hospitality Applications (subcomponent: OPERA Application Login). Supported versions that are affected are 5.4.0.0, 5.4.1.0, 5.4.2.0, 5.4.3.0, 5.5.0.0 and 5.5.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. While the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hospitality OPERA 5 Property Services.

CVSS v3.0 Base Score 7.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L). (legend) [Advisory]

CVE-2016-5565

Vulnerability in the Oracle Hospitality OPERA 5 Property Services component of Oracle Hospitality Applications (subcomponent: OPERA Xchange Interface (OXI)). Supported versions that are affected are 5.4.0.0, 5.4.1.0, 5.4.2.0, 5.4.3.0, 5.5.0.0 and 5.5.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. While the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 Property Services accessible data.

CVSS v3.0 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Insurance Applications

This table provides the text form of the Risk Matrix for Oracle Insurance Applications.

CVE Identifier Description

CVE-2015-7501

Vulnerability in the Oracle Insurance IStream component of Oracle Insurance Applications (subcomponent: Apache Commons Collections). The supported version that is affected is 4.3.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Insurance IStream. Successful attacks of this vulnerability can result in takeover of Oracle Insurance IStream.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Retail Applications

This table provides the text form of the Risk Matrix for Oracle Retail Applications.

CVE Identifier Description

CVE-2015-3253

Vulnerability in the Oracle Retail Customer Insights component of Oracle Retail Applications (subcomponent: Security). The supported version that is affected is 15.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Customer Insights. Successful attacks of this vulnerability can result in takeover of Oracle Retail Customer Insights.

CVSS v3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2015-3253

Vulnerability in the Oracle Retail Merchandising Insights component of Oracle Retail Applications (subcomponent: Security). The supported version that is affected is 15.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Merchandising Insights. Successful attacks of this vulnerability can result in takeover of Oracle Retail Merchandising Insights.

CVSS v3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2015-7501

Vulnerability in the Oracle Retail Clearance Optimization Engine component of Oracle Retail Applications (subcomponent: General Application). Supported versions that are affected are 13.2, 13.3, 13.4 and 14.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Clearance Optimization Engine. Successful attacks of this vulnerability can result in takeover of Oracle Retail Clearance Optimization Engine.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2015-7501

Vulnerability in the Oracle Retail Xstore Point of Service component of Oracle Retail Applications (subcomponent: Xenvironment). Supported versions that are affected are 5.0, 5.5, 6.0, 6.5, 7.0 and 7.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Xstore Point of Service. Successful attacks of this vulnerability can result in takeover of Oracle Retail Xstore Point of Service.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2015-7501

Vulnerability in the MICROS XBR component of Oracle Retail Applications (subcomponent: Liferay). Supported versions that are affected are 7.0.2 and 7.0.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MICROS XBR. Successful attacks of this vulnerability can result in takeover of MICROS XBR.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-1881

Vulnerability in the Oracle Retail Back Office component of Oracle Retail Applications (subcomponent: Security). Supported versions that are affected are 13.0, 13.1, 13.2, 13.3, 13.4, 14.0 and 14.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Back Office. While the vulnerability is in Oracle Retail Back Office, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Back Office accessible data as well as unauthorized read access to a subset of Oracle Retail Back Office accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Back Office.

CVSS v3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L). (legend) [Advisory]

CVE-2016-1881

Vulnerability in the Oracle Retail Central Office component of Oracle Retail Applications (subcomponent: Security). Supported versions that are affected are 13.0, 13.1, 13.2, 13.3, 13.4, 14.0 and 14.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Central Office. While the vulnerability is in Oracle Retail Central Office, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Central Office accessible data as well as unauthorized read access to a subset of Oracle Retail Central Office accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Central Office.

CVSS v3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L). (legend) [Advisory]

CVE-2016-1881

Vulnerability in the Oracle Retail Returns Management component of Oracle Retail Applications (subcomponent: Security). Supported versions that are affected are 13.0, 13.1, 13.2, 13.3, 13.4, 14.0 and 14.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Returns Management. While the vulnerability is in Oracle Retail Returns Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Returns Management accessible data as well as unauthorized read access to a subset of Oracle Retail Returns Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Returns Management.

CVSS v3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L). (legend) [Advisory]

CVE-2016-5539

Vulnerability in the Oracle Retail Xstore Payment component of Oracle Retail Applications (subcomponent: Security). The supported version that is affected is 1.x. Easily exploitable vulnerability allows physical access to compromise Oracle Retail Xstore Payment. While the vulnerability is in Oracle Retail Xstore Payment, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Retail Xstore Payment accessible data as well as unauthorized access to critical data or complete access to all Oracle Retail Xstore Payment accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Xstore Payment.

CVSS v3.0 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L). (legend) [Advisory]

CVE-2016-5540

Vulnerability in the Oracle Retail Xstore Payment component of Oracle Retail Applications (subcomponent: Security). The supported version that is affected is 1.x. Difficult to exploit vulnerability allows physical access to compromise Oracle Retail Xstore Payment. While the vulnerability is in Oracle Retail Xstore Payment, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Retail Xstore Payment accessible data as well as unauthorized access to critical data or complete access to all Oracle Retail Xstore Payment accessible data.

CVSS v3.0 Base Score 6.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Primavera Products Suite

This table provides the text form of the Risk Matrix for Oracle Primavera Products Suite.

CVE Identifier Description

CVE-2016-2107

Vulnerability in the Primavera P6 Professional Project Management component of Oracle Primavera Products Suite (subcomponent: OpenSSL). Supported versions that are affected are 8.3, 8.4, 15.x and 16.x. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera P6 Professional Project Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera P6 Professional Project Management and unauthorized read access to a subset of Primavera P6 Professional Project Management accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H). (legend) [Advisory]

CVE-2016-5533

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Team Member). Supported versions that are affected are 8.4, 15.x and 16.x. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data.

CVSS v3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Java SE

This table provides the text form of the Risk Matrix for Oracle Java SE.

CVE Identifier Description

CVE-2016-5542

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u121, 7u111 and 8u102; Java SE Embedded: 8u101. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

CVSS v3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). (legend) [Advisory]

CVE-2016-5554

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u121, 7u111 and 8u102; Java SE Embedded: 8u101. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

CVSS v3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). (legend) [Advisory]

CVE-2016-5556

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 6u121, 7u111 and 8u102. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

CVSS v3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5568

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u121, 7u111 and 8u102. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

CVSS v3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5573

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u121, 7u111 and 8u102; Java SE Embedded: 8u101. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

CVSS v3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5582

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u121, 7u111 and 8u102; Java SE Embedded: 8u101. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

CVSS v3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5597

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u121, 7u111 and 8u102; Java SE Embedded: 8u101. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

CVSS v3.0 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Sun Systems Products Suite

This table provides the text form of the Risk Matrix for Oracle Sun Systems Products Suite.

CVE Identifier Description

CVE-2016-5480

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Bash). The supported version that is affected is 10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data.

CVSS v3.0 Base Score 2.8 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N). (legend) [Advisory]

CVE-2016-5481

Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of Oracle Sun Systems Products Suite (subcomponent: Core Services). The supported version that is affected is AK 2013. Difficult to exploit vulnerability allows unauthenticated attacker with network access via DNS to compromise Sun ZFS Storage Appliance Kit (AK). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Sun ZFS Storage Appliance Kit (AK) accessible data.

CVSS v3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5486

Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of Oracle Sun Systems Products Suite (subcomponent: Core Services). The supported version that is affected is AK 2013. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Sun ZFS Storage Appliance Kit (AK) executes to compromise Sun ZFS Storage Appliance Kit (AK). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Sun ZFS Storage Appliance Kit (AK) accessible data.

CVSS v3.0 Base Score 5.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-5487

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Files). The supported version that is affected is 11.3. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data as well as unauthorized read access to a subset of Solaris accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Solaris.

CVSS v3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]

CVE-2016-5492

Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of Oracle Sun Systems Products Suite (subcomponent: SMB Users). The supported version that is affected is AK 2013. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Sun ZFS Storage Appliance Kit (AK) executes to compromise Sun ZFS Storage Appliance Kit (AK). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Sun ZFS Storage Appliance Kit (AK) accessible data as well as unauthorized access to critical data or complete access to all Sun ZFS Storage Appliance Kit (AK) accessible data.

Note: This vulnerability applies to local users (i.e. users in /etc/passwd) and not applicable to other (e.g. LDAP) users.

CVSS v3.0 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]

CVE-2016-5503

Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of Oracle Sun Systems Products Suite (subcomponent: Core Services). The supported version that is affected is AK 2013. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Sun ZFS Storage Appliance Kit (AK) executes to compromise Sun ZFS Storage Appliance Kit (AK). While the vulnerability is in Sun ZFS Storage Appliance Kit (AK), attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Sun ZFS Storage Appliance Kit (AK).

CVSS v3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5508

Vulnerability in the Solaris Cluster component of Oracle Sun Systems Products Suite (subcomponent: Cluster Geo). The supported version that is affected is 4.3. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris Cluster executes to compromise Solaris Cluster. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Solaris Cluster accessible data.

CVSS v3.0 Base Score 3.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5525

Vulnerability in the Solaris Cluster component of Oracle Sun Systems Products Suite (subcomponent: Cluster check files). Supported versions that are affected are 3.3 and 4.3. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris Cluster executes to compromise Solaris Cluster. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris Cluster accessible data.

CVSS v3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). (legend) [Advisory]

CVE-2016-5544

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel/X86). Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in takeover of Solaris.

CVSS v3.0 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5553

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Filesystem). Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Solaris.

CVSS v3.0 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5559

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). Supported versions that are affected are 10 and 11.3. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Solaris accessible data.

CVSS v3.0 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]

CVE-2016-5561

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: IKE). The supported version that is affected is 11.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via IKEv2 to compromise Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Solaris.

CVSS v3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2016-5566

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Installation). The supported version that is affected is 11.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Solaris accessible data.

CVSS v3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5576

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel Zones). The supported version that is affected is 11.3. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Solaris.

CVSS v3.0 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5606

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel Zones). The supported version that is affected is 11.3. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Solaris as well as unauthorized update, insert or delete access to some of Solaris accessible data.

CVSS v3.0 Base Score 6.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H). (legend) [Advisory]

CVE-2016-5615

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Lynx). The supported version that is affected is 11.3. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Solaris.

CVSS v3.0 Base Score 3.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Virtualization

This table provides the text form of the Risk Matrix for Oracle Virtualization.

CVE Identifier Description

CVE-2015-7501

Vulnerability in the Virtual Desktop Infrastructure component of Oracle Virtualization (subcomponent: Apache Commons Collection). The supported version that is affected is VDI prior to 3.5.3. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise Virtual Desktop Infrastructure. Successful attacks of this vulnerability can result in takeover of Virtual Desktop Infrastructure.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2015-7940

Vulnerability in the Virtual Desktop Infrastructure component of Oracle Virtualization (subcomponent: Bouncy Castle Java). The supported version that is affected is VDI prior to 3.5.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Virtual Desktop Infrastructure. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Virtual Desktop Infrastructure accessible data.

CVSS v3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-0714

Vulnerability in the Virtual Desktop Infrastructure component of Oracle Virtualization (subcomponent: Apache Tomcat). The supported version that is affected is VDI prior to 3.5.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Virtual Desktop Infrastructure. Successful attacks of this vulnerability can result in takeover of Virtual Desktop Infrastructure.

CVSS v3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-2107

Vulnerability in the Sun Ray Operating Software component of Oracle Virtualization (subcomponent: OpenSSL). The supported version that is affected is SROS prior to 11.1.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Sun Ray Operating Software. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun Ray Operating Software and unauthorized read access to a subset of Sun Ray Operating Software accessible data.

CVSS v3.0 Base Score 8.2 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H). (legend) [Advisory]

CVE-2016-5501

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are VirtualBox prior to 5.0.28 and prior to 5.1.8. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.

CVSS v3.0 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5538

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are VirtualBox prior to 5.0.28 and prior to 5.1.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.

CVSS v3.0 Base Score 6.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5580

Vulnerability in the Secure Global Desktop component of Oracle Virtualization (subcomponent: Web Services). Supported versions that are affected are 4.7 and 5.2. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise Secure Global Desktop. While the vulnerability is in Secure Global Desktop, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Secure Global Desktop accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Secure Global Desktop.

CVSS v3.0 Base Score 9.6 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H). (legend) [Advisory]

CVE-2016-5605

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: VirtualBox Remote Desktop Extension (VRDE)). The supported version that is affected is VirtualBox prior to 5.1.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via VRDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data.

CVSS v3.0 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]

CVE-2016-5608

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are VirtualBox prior to 5.0.28 and prior to 5.1.8. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox.

CVSS v3.0 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5610

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are VirtualBox prior to 5.0.28 and prior to 5.1.8. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox.

CVSS v3.0 Base Score 6.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L). (legend) [Advisory]

CVE-2016-5611

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are VirtualBox prior to 5.0.28 and prior to 5.1.8. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data.

CVSS v3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-5613

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are VirtualBox prior to 5.0.28 and prior to 5.1.8. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox.

CVSS v3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L). (legend) [Advisory]

CVE-2016-6304

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: OpenSSL). Supported versions that are affected are VirtualBox prior to 5.0.28 and prior to 5.1.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox.

CVSS v3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

Text Form of Risk Matrix for Oracle MySQL

This table provides the text form of the Risk Matrix for Oracle MySQL.

CVE Identifier Description

CVE-2016-3492

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.51 and earlier, 5.6.32 and earlier and 5.7.14 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-3495

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.7.13 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5507

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.6.32 and earlier and 5.7.14 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5584

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.5.52 and earlier, 5.6.33 and earlier and 5.7.15 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data.

CVSS v3.0 Base Score 4.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-5598

Vulnerability in the MySQL Connector component of Oracle MySQL (subcomponent: Connector/Python). Supported versions that are affected are 2.1.3 and earlier and 2.0.4 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connector. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connector accessible data as well as unauthorized read access to a subset of MySQL Connector accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connector.

CVSS v3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]

CVE-2016-5609

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.6.31 and earlier 5.7.13 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5612

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.50 and earlier, 5.6.31 and earlier and 5.7.13 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5616

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: MyISAM). Supported versions that are affected are 5.5.51 and earlier, 5.6.32 and earlier and 5.7.14 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server.

CVSS v3.0 Base Score 7.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5617

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Error Handling). Supported versions that are affected are 5.5.51 and earlier, 5.6.32 and earlier and 5.7.14 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server.

CVSS v3.0 Base Score 7.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5624

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.51 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5625

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 5.7.14 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server.

CVSS v3.0 Base Score 7.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-5626

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: GIS). Supported versions that are affected are 5.5.51 and earlier, 5.6.32 and earlier and 5.7.14 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5627

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.6.31 and earlier and 5.7.13 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5628

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.13 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5629

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Federated). Supported versions that are affected are 5.5.51 and earlier, 5.6.32 and earlier and 5.7.14 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5630

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.6.31 and earlier 5.7.13 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5631

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.7.13 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5632

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.14 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5633

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Performance Schema). Supported versions that are affected are 5.7.13 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5634

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: RBR). Supported versions that are affected are 5.7.13 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-5635

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Audit). Supported versions that are affected are 5.7.13 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-6304

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.6.33 and earlier and 5.7.15 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-6662

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Logging). Supported versions that are affected are 5.5.52 and earlier, 5.6.33 and earlier and 5.7.15 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server.

CVSS v3.0 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H). (legend) [Advisory]

CVE-2016-7440

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.5.52 and earlier, 5.6.33 and earlier and 5.7.15 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data.

CVSS v3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2016-8283

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Types). Supported versions that are affected are 5.5.51 and earlier, 5.6.32 and earlier and 5.7.14 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server.

CVSS v3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2016-8284

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.31 and earlier and 5.7.13 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server.

CVSS v3.0 Base Score 1.8 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L). (legend) [Advisory]

CVE-2016-8286

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.7.14 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data.

CVSS v3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

CVE-2016-8287

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.7.13 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 4.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2016-8288

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB Plugin). Supported versions that are affected are 5.6.30 and earlier and 5.7.12 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data.

CVSS v3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N). (legend) [Advisory]

CVE-2016-8289

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.7.13 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.

CVSS v3.0 Base Score 4.7 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H). (legend) [Advisory]

CVE-2016-8290

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Performance Schema). Supported versions that are affected are 5.7.13 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS v3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]