Oracle Critical Patch Update Advisory - October 2017

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 252 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2017 Critical Patch Update: Executive Summary and Analysis.

Please note that on September 22, 2017, Oracle released Security Alert for CVE-2017-9805. Customers of affected Oracle product(s) are strongly advised to apply the fixes that were announced in this Security Alert as well as those contained in this Critical Patch Update.

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available here.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Affected Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for patch availability information and installation instructions.

For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update October 2017 Documentation Map, My Oracle Support Note.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions | Patch Availability
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2340 and prior to XCP3030 | Oracle and Sun Systems Products Suite
Java Advanced Management Console, version 2.7 | Oracle Java SE
JD Edwards EnterpriseOne Tools, version 9.2 | JD Edwards
JD Edwards World Security, versions A9.1, A9.2, A9.3, A9.4 | JD Edwards
Management Pack for Oracle GoldenGate, version 11.2.1.0.12 | Fusion Middleware
MICROS Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.7, 10.8.0, 10.8.1 | Retail Applications
MySQL Connectors, versions 6.9.9 and prior | Oracle MySQL Product Suite
MySQL Enterprise Monitor, versions 3.2.8.2223 and prior, 3.3.4.3247 and prior, 3.4.2.4181 and prior | Oracle MySQL Product Suite
MySQL Server, versions 5.5.57 and prior, 5.6.37 and prior, 5.7.19 and prior | Oracle MySQL Product Suite
Oracle Access Manager, version 11.1.2.3.0 | Fusion Middleware
Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0 | Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.5, 9.3.6 | Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0 | Fusion Middleware
Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 | Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 | Fusion Middleware
Oracle Business Process Management Suite, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | Fusion Middleware
Oracle Communications Billing and Revenue Management, version 7.5 | Oracle Communications Billing and Revenue Management
Oracle Communications Diameter Signaling Router (DSR), version 7.x | Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE LNP Application Processor, version 10.x | Oracle Communications EAGLE LNP Application Processor
Oracle Communications Messaging Server, version 8.x | Oracle Communications Messaging Server
Oracle Communications Order and Service Management, versions 7.2.4.x.x, 7.3.0.x.x, 7.3.1.x.x, 7.3.5.x.x | Oracle Communications Order and Service Management
Oracle Communications Policy Management, versions 11.5, 12.x | Oracle Communications Policy Management
Oracle Communications Services Gatekeeper, versions 5.1, 6.0 | Oracle Communications Services Gatekeeper
Oracle Communications Unified Session Manager, version SCz 7.x | Oracle Communications Unified Session Manager
Oracle Communications User Data Repository, version 10.x | Oracle Communications User Data Repository
Oracle Communications WebRTC Session Controller, versions 7.0, 7.1, 7.2 | Oracle Communications WebRTC Session Controller
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1 | Database
Oracle Directory Server Enterprise Edition, version 11.1.1.7.0 | Fusion Middleware
Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | E-Business Suite
Oracle Endeca Information Discovery Integrator, versions 2.4, 3.0, 3.1, 3.2 | Fusion Middleware
Oracle Engineering Data Management, versions 6.1.3.0, 6.2.2.0 | Oracle Supply Chain Products
Oracle Enterprise Manager Ops Center, versions 12.2.2, 12.3.2 | Enterprise Manager
Oracle FLEXCUBE Universal Banking, versions 11.3, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0 | Oracle Financial Services Applications
Oracle Fusion Applications, versions 11.1.2 through 11.1.9 | Fusion Applications
Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.1, 12.2.1.2, 12.2.1.3 | Fusion Middleware
Oracle GlassFish Server, versions 3.0.1, 3.1.2 | Fusion Middleware
Oracle Healthcare Master Person Index, version 4.x | Health Sciences
Oracle Hospitality Cruise AffairWhere, versions 2.2.5.0, 2.2.6.0, 2.2.7.0 | Oracle Hospitality Cruise AffairWhere
Oracle Hospitality Cruise Fleet Management, version 9.0.2.0 | Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Cruise Materials Management, version 7.30.564.0 | Oracle Hospitality Cruise Materials Management
Oracle Hospitality Cruise Shipboard Property Management System, version 8.0.2.0 | Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 | Oracle Hospitality Guest Access
Oracle Hospitality Hotel Mobile, version 1.1 | Oracle Hospitality Hotel Mobile
Oracle Hospitality OPERA 5 Property Services, versions 5.4.2.x through 5.5.1.x | Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Reporting and Analytics, versions 8.5.1, 9.0.0 | Oracle Hospitality Reporting and Analytics
Oracle Hospitality Simphony, versions 2.6, 2.7, 2.8, 2.9 | Oracle Hospitality Simphony
Oracle Hospitality Suite8, versions 8.10.1, 8.10.2 | Oracle Hospitality Suite8
Oracle HTTP Server, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | Fusion Middleware
Oracle Hyperion BI+, version 11.1.2.4 | Fusion Middleware
Oracle Hyperion Financial Reporting, version 11.1.2 | Fusion Middleware
Oracle Identity Manager, version 11.1.2.3.0 | Fusion Middleware
Oracle Identity Manager Connector, version 9.1.1.5.0 | Fusion Middleware
Oracle Integrated Lights Out Manager (ILOM), versions prior to 3.2.6 | Oracle and Sun Systems Products Suite
Oracle iPlanet Web Server, version 7.0 | Fusion Middleware
Oracle Java SE, versions 6u161, 7u151, 8u144, 9 | Oracle Java SE
Oracle Java SE Embedded, version 8u144 | Oracle Java SE
Oracle JDeveloper, versions 12.1.3.0.0, 12.2.1.2.0 | Fusion Middleware
Oracle JRockit, version R28.3.15 | Oracle Java SE
Oracle Managed File Transfer, versions 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | Fusion Middleware
Oracle Outside In Technology, version 8.5.3.0 | Fusion Middleware
Oracle Retail Back Office, versions 13.2, 13.3, 13.4, 14.0, 14.1 | Retail Applications
Oracle Retail Clearance Optimization Engine, version 13.4 | Retail Applications
Oracle Retail Convenience and Fuel POS Software, version 2.1.132 | Retail Applications
Oracle Retail Markdown Optimization, versions 13.4, 14.0 | Retail Applications
Oracle Retail Point-of-Service, versions 13.2, 13.3, 13.4, 14.0, 14.1 | Retail Applications
Oracle Retail Store Inventory Management, versions 13.2.9, 14.0.4, 14.1.3, 15.0.1, 16.0.1 | Retail Applications
Oracle Retail Xstore Point of Service, versions 6.0.11, 6.5.11, 7.0.6, 7.1.6, 15.0.1 | Retail Applications
Oracle Secure Global Desktop (SGD), version 5.3 | Oracle Linux and Virtualization
Oracle Server X7-2/2L, versions 1.0 and 1.0.1 | Oracle and Sun Systems Products Suite
Oracle Server X7-8, version 1.0 | Oracle and Sun Systems Products Suite
Oracle SOA Suite, version 11.1.1.7.0 | Fusion Middleware
Oracle Transportation Management, versions 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.1, 6.4.2 | Oracle Supply Chain Products
Oracle Virtual Directory, versions 11.1.1.7.0, 11.1.1.9.0 | Fusion Middleware
Oracle VM VirtualBox, versions prior to 5.1.30 | Oracle Linux and Virtualization
Oracle WebCenter Content, versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 | Fusion Middleware
Oracle WebCenter Sites, versions 11.1.1.8.0, 12.2.1.2.0 | Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | Fusion Middleware
PeopleSoft Enterprise FSCM, version 9.2 | PeopleSoft
PeopleSoft Enterprise HCM, version 9.2 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55, 8.56 | PeopleSoft
PeopleSoft Enterprise PRTL Interaction Hub, version 9.1.00 | PeopleSoft
PeopleSoft Enterprise PT PeopleTools, versions 8.54, 8.55, 8.56 | PeopleSoft
PeopleSoft Enterprise SCM eProcurement, versions 9.1.00, 9.2.00 | PeopleSoft
Primavera Unifier, versions 9.13, 9.14, 10.x, 15.x, 16.x | Oracle Construction and Engineering Suite
Siebel Applications, versions 16.0, 17.0 | Siebel
Solaris Cluster, versions 3.3, 4.3 | Oracle and Sun Systems Products Suite
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, versions prior to XCP 1123 | Oracle and Sun Systems Products Suite
SPARC M7, T7, S7 based Servers, versions prior to 9.7.6.b | Oracle and Sun Systems Products Suite
Sun ZFS Storage Appliance Kit (AK), version AK 2013 | Oracle and Sun Systems Products Suite
Tekelec HLR Router, version 4.x | Tekelec HLR Router

Note:

  • Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
  • Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates (CPUs) and Solaris Third Party bulletins.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update October 2017 Availability Document, My Oracle Support Note 2296870.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • Adam Willard of Blue Canopy: CVE-2017-10360
  • Alexey Tyurin of ERPScan: CVE-2017-10271
  • An anonymous researcher via Beyond Security's SecuriTeam Secure Disclosure Program: CVE-2017-10355
  • Andrés Blanco of Onapsis: CVE-2017-10336
  • Behzad Najjarpour Jabbari, Secunia Research at Flexera Software: CVE-2017-10051
  • Charles Fol of Ambionics: CVE-2017-10362
  • Christopher Tarquini: CVE-2017-10268
  • Cris Neckar of Divergent Security: CVE-2017-10154
  • Daniel Ekberg of Swedish Public Employment Service: CVE-2017-10321
  • Daniel Fröjdendahl: CVE-2017-10293
  • David Litchfield of Apple: CVE-2017-10292
  • Devin Rosenbauer of Identity Works LLC: CVE-2017-10352
  • Dmitrii Iudin aka @ret5et of ERPScan: CVE-2017-10327, CVE-2017-10373
  • Fabio Pires of NCC Group: CVE-2017-10310, CVE-2017-10312
  • Federico Dotta of Media Service: CVE-2017-10271
  • Francesco Palmarini of Ca' Foscari University of Venice: CVE-2017-10345, CVE-2017-10356
  • Gaston Traberg of Onapsis: CVE-2017-10281, CVE-2017-10332, CVE-2017-10347, CVE-2017-3444, CVE-2017-3445, CVE-2017-3446
  • Hassan El Hadary - Secure Misr: CVE-2017-10363
  • Jakub Palaczynski of ING Services Polska: CVE-2017-10034
  • Jared McLaren of SecureWorks: CVE-2017-10259
  • Jeffrey Altman of Secure Endpoints Inc.: CVE-2017-10388
  • Joshua Graham of Datacom TSS: CVE-2017-10379
  • José Carlos Expósito Bueno of Internet Security Auditors: CVE-2017-10163
  • Juan Pablo Perez Etchegoyen of Onapsis: CVE-2017-10066, CVE-2017-10324, CVE-2017-10325, CVE-2017-10328, CVE-2017-10329, CVE-2017-10330, CVE-2017-10331, CVE-2017-10336
  • loopx9: CVE-2017-10352
  • Lukasz Mikula: CVE-2017-10060
  • Léa Nuel of NES: CVE-2017-10055
  • Marcin Wołoszyn of ING Services Polska: CVE-2017-10163, CVE-2017-10312, CVE-2017-10358, CVE-2017-10359
  • Marco Squarcina of Ca' Foscari University of Venice: CVE-2017-10345, CVE-2017-10356
  • Martin Doyhenard of Onapsis: CVE-2017-10322, CVE-2017-10326, CVE-2017-10332
  • Mathew Nash of NCC Group: CVE-2017-10310, CVE-2017-10312
  • Matias Mevied of Onapsis: CVE-2017-10323, CVE-2017-3444, CVE-2017-3445, CVE-2017-3446
  • Mauro Tempesta of Ca' Foscari University of Venice: CVE-2017-10345, CVE-2017-10356
  • Ming Yi Ang of SourceClear: CVE-2017-10385, CVE-2017-10391, CVE-2017-10393, CVE-2017-10400
  • Nikita Egorov of ERPScan: CVE-2017-10304, CVE-2017-10306
  • Orange Tsai: CVE-2017-10295
  • Owais Mehtab of IS: CVE-2017-10026, CVE-2017-10259
  • Reno Robert: CVE-2017-10392, CVE-2017-10407, CVE-2017-10408, CVE-2017-10428
  • Riccardo Focardi of Ca' Foscari University of Venice: CVE-2017-10345, CVE-2017-10356
  • Sebastian Cornejo of SIA Group: CVE-2017-10033
  • Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2017-10152
  • Steven Seeley of Source Incite: CVE-2017-10309
  • Tamas Szakaly: CVE-2017-10309
  • Tayeeb Rana of IS: CVE-2017-10026, CVE-2017-10259
  • Tobias Ospelt of modzero: CVE-2017-10356
  • Tor Erling Bjorstad of Mnemonic AS: CVE-2017-10060
  • Travis Emmert of Exodus Intelligence: CVE-2017-10369
  • Travis Emmert of Synack Red Team: CVE-2017-10364
  • Tushar Parab: CVE-2017-10159
  • Vahagn Vardanyan of ERPScan: CVE-2017-10366, CVE-2017-10409, CVE-2017-10410, CVE-2017-10411, CVE-2017-10412, CVE-2017-10413, CVE-2017-10414, CVE-2017-10415, CVE-2017-10416, CVE-2017-10417
  • Vicente Motos of SIA Group: CVE-2017-10033
  • Zakaria Amous: CVE-2017-10261

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program:

  • Andreev Ivan
  • Ian Haken
  • Jayson Grace of Sandia National Laboratories
  • Juan Pablo Perez Etchegoyen of Onapsis
  • Mohammad Abdullah - ErrOr SquaD Bangladesh
  • Or Hanuka of Motorola Solutions
  • Steven Danneman of Security Innovation
  • Tansel ÇETİN
  • Tzachy Horesh of Motorola Solutions

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

  • Abdelfattah Ibrahim
  • Abhineeti Singh
  • Adam Willard of Blue Canopy
  • Ahsan Khan
  • Ali Ardic
  • Athul Jayaram
  • Berk İmran
  • Doğukan Karacığer
  • Emad Shanab of Emad Abou Shanab
  • Karthik Reddy
  • Krishna Manoj Vandavasi
  • Lecamen Nartatez
  • Muhammad Osama
  • Mushraf Mustafa (3 reports)
  • Pal Patel
  • S. Venkatesh
  • SaifAllah benMassaoud
  • Teemu Kääriäinen
  • Vinod Kurup
  • Yassine Nafiai
  • Çağatay Çalı

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 16 January 2018
  • 17 April 2018
  • 17 July 2018
  • 16 October 2018

Modification History

Date | Note
2018-February-15 | Rev 10. Updated protocol associated with CVE-2017-10271.
2018-January-25 | Rev 9. Updated Supported Versions Affected for CVE-2017-10352.
2018-January-05 | Rev 8. Updated CVSS score for CVE-2017-10352.
2017-December-22 | Rev 7. Credit Statement Update.
2017-December-15 | Rev 6. Updated CVSS score for CVE-2017-10271, CVE-2017-10404 and CVE-2017-10405.
2017-November-20 | Rev 5. Updated CVE-2017-5706, CVE-2017-5709.
2017-November-16 | Rev 4. Updated CVE-2015-4852.
2017-October-26 | Rev 3. Credit Statement Update; Affected versions update for CVE-2017-10065; CVSS score update for CVE-2017-10396.
2017-October-19 | Rev 2. Credit Statement Update.
2017-October-17 | Rev 1. Initial Release.

Appendix - Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 6 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

Columns Base Score through Availability are the CVSS version 3.0 risk fields (see Risk Matrix Definitions).

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-10321 | Core RDBMS | Create session | Oracle Net | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1 | See Note 1
CVE-2016-6814 | Spatial (Apache Groovy) | None | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 12.2.0.1 | See Note 2
CVE-2017-10190 | Java VM | Create Session, Create Procedure | Multiple | No | 8.2 | Local | Low | High | None | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1 |
CVE-2016-8735 | WLM (Apache Tomcat) | None | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.2.0.1 |
CVE-2017-10261 | XML Database | Create Session | Oracle Net | No | 6.5 | Local | Low | Low | None | Changed | High | None | None | 11.2.0.4, 12.1.0.2 | See Note 3
CVE-2017-10292 | RDBMS Security | Create User | Oracle Net | No | 2.3 | Local | Low | High | None | Unchanged | None | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1 |

Notes:

  1. This score is for Windows platform version 11.2.0.4 of Database. For Windows platform version 12.1.0.2 and Linux, the score is 7.8 with scope Unchanged.
  2. Component installed optionally. Not in the default installation.
  3. This score is for Windows platform version 11.2.0.4 of Database. For Windows platform version 12.1.0.2 and Linux, the score is 5.5 with scope Unchanged.

Additional CVEs addressed are below:

  • The fix for CVE-2016-8735 also addresses CVE-2016-6816 and CVE-2016-8745

Appendix - Oracle Communications Applications

Oracle Communications Applications Executive Summary

This Critical Patch Update contains 23 new security fixes for Oracle Communications Applications. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

Columns Base Score through Availability are the CVSS version 3.0 risk fields (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-5461 | Oracle Communications Messaging Server | Security (NSS) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.x |
CVE-2016-5019 | Oracle Communications Services Gatekeeper | Security (Apache Trinidad) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 5.1, 6.0 |
CVE-2015-0235 | Oracle Communications User Data Repository | Security (glibc) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.x |
CVE-2015-3253 | Oracle Communications WebRTC Session Controller | Security (Apache Groovy) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.0, 7.1, 7.2 |
CVE-2015-0235 | Oracle Communications WebRTC Session Controller | Media (glibc) | TLS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.0, 7.1, 7.2 |
CVE-2015-7501 | Oracle Communications WebRTC Session Controller | Security (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 7.0, 7.1, 7.2 |
CVE-2016-0635 | Oracle Communications WebRTC Session Controller | Security (Spring) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 7.0, 7.1, 7.2 |
CVE-2016-2107 | Oracle Communications WebRTC Session Controller | Security (OpenSSL) | TLS | Yes | 8.2 | Network | Low | None | None | Unchanged | Low | None | High | 7.0, 7.1, 7.2 |
CVE-2014-0224 | Tekelec HLR Router | Security (OpenSSL) | TLS | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 4.x |
CVE-2016-7052 | Oracle Communications Diameter Signaling Router (DSR) | OAM and Signaling (OpenSSL) | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.x |
CVE-2016-6304 | Oracle Communications Unified Session Manager | Routing (OpenSSL) | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | SCz 7.x |
CVE-2014-0114 | Oracle Communications WebRTC Session Controller | Media (BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 7.0, 7.1, 7.2 |
CVE-2014-0107 | Oracle Communications WebRTC Session Controller | Security (Xalan) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 7.0, 7.1, 7.2 |
CVE-2014-4345 | Oracle Communications WebRTC Session Controller | Security (Kerberos) | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 7.0, 7.1, 7.2 |
CVE-2015-7501 | Oracle Communications Order and Service Management | Security (Apache Commons Collections) | Multiple | Yes | 7.1 | Network | Low | None | Required | Changed | Low | Low | Low | 7.2.4.x.x, 7.3.0.x.x, 7.3.1.x.x, 7.3.5.x.x |
CVE-2016-2381 | Oracle Communications Billing and Revenue Management | Security (Perl) | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | None | High | None | 7.5 |
CVE-2017-10153 | Oracle Communications WebRTC Session Controller | Security (Gson) | Multiple | No | 6.3 | Network | High | Low | None | Changed | None | None | High | 7.0, 7.1, 7.2 |
CVE-2017-10159 | Oracle Communications Policy Management | Portal, CMP | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.5, 12.x |
CVE-2017-3732 | Oracle Communications EAGLE LNP Application Processor | Patches (OpenSSL) | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 10.x |
CVE-2014-3538 | Oracle Communications WebRTC Session Controller | Security (file) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 7.0, 7.1, 7.2 |
CVE-2014-8714 | Oracle Communications WebRTC Session Controller | Security (Wireshark) | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 7.0, 7.1, 7.2 |
CVE-2014-0062 | Oracle Communications WebRTC Session Controller | Security (Postgresql) | Multiple | No | 4.2 | Network | High | Low | None | Unchanged | Low | Low | None | 7.0, 7.1, 7.2 |
CVE-2014-3707 | Oracle Communications WebRTC Session Controller | Security (libcurl) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 7.0, 7.1, 7.2 |

Additional CVEs addressed are below:

  • The fix for CVE-2014-0062 also addresses CVE-2014-0060
  • The fix for CVE-2014-0224 also addresses CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-3470 and CVE-2014-3571
  • The fix for CVE-2014-3538 also addresses CVE-2014-3587
  • The fix for CVE-2014-3707 also addresses CVE-2014-3613
  • The fix for CVE-2014-4345 also addresses CVE-2014-4342
  • The fix for CVE-2014-8714 also addresses CVE-2014-8713
  • The fix for CVE-2015-7501 also addresses CVE-2015-4852
  • The fix for CVE-2016-2107 also addresses CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0285, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0290, CVE-2015-0291, CVE-2015-0292, CVE-2015-0293, CVE-2015-1787, CVE-2015-1793 and CVE-2015-3195
  • The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303 and CVE-2016-6306
  • The fix for CVE-2016-7052 also addresses CVE-2014-0224, CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206, CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0285, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0290, CVE-2015-0291, CVE-2015-0292, CVE-2015-0293, CVE-2015-1787, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-3197, CVE-2016-0701, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307 and CVE-2016-6308
  • The fix for CVE-2017-5461 also addresses CVE-2015-7181, CVE-2015-7182, CVE-2015-7183, CVE-2015-7575, CVE-2016-1950, CVE-2016-1979, CVE-2016-2834, CVE-2016-5285, CVE-2017-5462 and CVE-2017-7502

Appendix - Oracle Construction and Engineering Suite

Oracle Construction and Engineering Suite Executive Summary

This Critical Patch Update contains 1 new security fix for the Oracle Construction and Engineering Suite. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Construction and Engineering Suite Risk Matrix

Columns Base Score through Availability are the CVSS version 3.0 risk fields (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2016-6814 | Primavera Unifier | Platform (Apache Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 9.13, 9.14, 10.x, 15.x, 16.x |

Appendix - Oracle E-Business Suite

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 26 new security fixes for the Oracle E-Business Suite. 25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2017 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2017), My Oracle Support Note 2304968.1.

Oracle E-Business Suite Risk Matrix

Base Score through Availability are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-10330 | Oracle Common Applications | Gantt Server | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10329 | Oracle Global Order Promising | Reschedule Sales Orders | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10416 | Oracle Advanced Outbound Telephony | Setup and Configuration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10417 | Oracle Advanced Outbound Telephony | Setup and Configuration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10325 | Oracle Common Applications Calendar | Applications Calendar | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10326 | Oracle Common Applications Calendar | Applications Calendar | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10303 | Oracle Interaction Center Intelligence | Setup | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3 |
CVE-2017-10414 | Oracle iStore | Checkout and Order Placement | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10409 | Oracle iStore | Merchant UI | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10415 | Oracle iSupport | Others | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10410 | Oracle Knowledge Management | Search | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10411 | Oracle Knowledge Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10412 | Oracle Knowledge Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10413 | Oracle Mobile Field Service | Multiplatform Based on HTML5 | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-3444 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-3445 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-3446 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10323 | Oracle Web Applications Desktop Integrator | Application Service | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10328 | Oracle Application Object Library | Diagnostics | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10332 | Oracle Universal Work Queue | Administration | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10077 | Oracle Applications DBA | AD Utilities | HTTP | No | 6.5 | Network | Low | High | None | Unchanged | High | High | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10331 | Oracle Application Object Library | Diagnostics | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10324 | Oracle Applications Technology Stack | Oracle Forms | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10066 | Oracle Applications Technology Stack | Oracle Forms | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10322 | Oracle Common Applications Calendar | Applications Calendar | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |
CVE-2017-10387 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | Low | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 |

Appendix - Oracle Enterprise Manager Grid Control

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Enterprise Manager Grid Control. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. This fix is not applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2017 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2017 Patch Availability Document for Oracle Products, My Oracle Support Note 2296870.1.

Oracle Enterprise Manager Grid Control Risk Matrix

Base Score through Availability are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2016-6814 | Oracle Enterprise Manager Ops Center | Networking (Apache Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 12.2.2, 12.3.2 |

Appendix - Oracle Financial Services Applications

Oracle Financial Services Applications Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Financial Services Applications. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without user credentials. The English text form of this Risk Matrix can be found here.

Oracle Financial Services Applications Risk Matrix

Base Score through Availability are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-10363 | Oracle FLEXCUBE Universal Banking | Security | HTTP | No | 7.1 | Network | Low | Low | None | Unchanged | High | Low | None | 11.3, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0 | See Note 1

Notes:

  1. Contact Oracle Support for fixes.

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 40 new security fixes for Oracle Fusion Middleware. 26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the October 2017 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2017 Patch Availability Document for Oracle Products, My Oracle Support Note 2296870.1.

Oracle Fusion Middleware Risk Matrix

Base Score through Availability are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-10352 | Oracle WebLogic Server | WLS-WebServices | HTTP | Yes | 9.9 | Network | Low | None | None | Changed | Low | Low | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0, 12.2.1.3.0 |
CVE-2015-5254 | Oracle BI Publisher | BI Publisher Security (Apache ActiveMQ) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.7.0, 12.2.1.1.0, 12.2.1.2.0 | See Note 1
CVE-2016-6814 | Oracle JDeveloper | Java Business Objects (Apache Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 12.2.1.2.0, 12.1.3.0.0 |
CVE-2015-7501 | Management Pack for Oracle GoldenGate | Monitor (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.2.1.0.12 |
CVE-2016-0714 | Management Pack for Oracle GoldenGate | Monitor (Apache Tomcat) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.2.1.0.12 |
CVE-2015-7501 | Oracle Business Process Management Suite | Security (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.1.1.9.0, 12.2.1.1.0 |
CVE-2016-2834 | Oracle Directory Server Enterprise Edition | Admin Server (NSS) | HTTPS | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.1.1.7.0 |
CVE-2015-7501 | Oracle Endeca Information Discovery Integrator | Security (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 2.4, 3.0, 3.1, 3.2 |
CVE-2016-0635 | Oracle Endeca Information Discovery Integrator | Security (Spring Framework) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 3.2 |
CVE-2017-10034 | Oracle BI Publisher | Core Formatting API | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.7.0, 11.1.1.9.0 |
CVE-2017-10060 | Oracle Business Intelligence Enterprise Edition | Analytics Web General | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2017-10270 | Oracle Identity Manager Connector | Microsoft Active Directory | None | No | 8.2 | Local | Low | None | Required | Changed | None | High | High | 9.1.1.5.0 |
CVE-2017-10026 | Oracle SOA Suite | Fabric Layer | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.7.0 |
CVE-2017-10360 | Oracle WebCenter Content | Content Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | Low | High | None | 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2017-10259 | Oracle Access Manager | Web Server Plugin | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.1.2.3.0 |
CVE-2017-10037 | Oracle BI Publisher | Web Service API | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.1.1.7.0, 11.1.1.9.0 |
CVE-2015-7940 | Oracle Business Process Management Suite | Workspace and Process portal (Bouncy Castle Java package) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2015-7940 | Oracle Business Process Management Suite | Runtime Engine (Bouncy Castle Java package) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2016-3092 | Oracle GlassFish Server | Web Container (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 3.1.2 |
CVE-2015-7940 | Oracle Managed File Transfer | MFT Runtime Server (Bouncy Castle Java package) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2017-10369 | Oracle Virtual Directory | Virtual Directory Server | HTTP | No | 7.5 | Network | High | Low | None | Unchanged | High | High | High | 11.1.1.7.0, 11.1.1.9.0 |
CVE-2017-10271 | Oracle WebLogic Server | WLS Security | T3 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2017-5662 | Oracle API Gateway | Oracle API Gateway (Apache Batik) | HTTP | No | 7.3 | Network | Low | Low | Required | Unchanged | High | None | High | 11.1.2.4.0 | See Note 2
CVE-2017-10391 | Oracle GlassFish Server | Administration | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 3.0.1, 3.1.2 |
CVE-2016-1181 | Oracle Identity Manager | OIM Legacy UI (Apache Struts 1) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 11.1.2.3.0 |
CVE-2017-10152 | Oracle WebLogic Server | Web Container | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 10.3.6.0.0, 12.1.3.0.0 |
CVE-2017-10163 | Oracle Business Intelligence Enterprise Edition | Analytics Web General | HTTP | No | 6.3 | Network | Low | Low | Required | Unchanged | Low | High | None | 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 | See Note 3
CVE-2017-10385 | Oracle GlassFish Server | Web Container | HTTP | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 3.0.1, 3.1.2 |
CVE-2017-10393 | Oracle GlassFish Server | Web Container | HTTP | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 3.0.1, 3.1.2 |
CVE-2017-10055 | Oracle iPlanet Web Server | Admin Graphical User Interface | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 7.0 |
CVE-2015-2808 | Oracle HTTP Server | Web Listener | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2017-10051 | Oracle Outside In Technology | Outside In Filters | HTTP | No | 5.7 | Adjacent Network | Low | Low | None | Unchanged | None | None | High | 8.5.3.0 | See Note 4
CVE-2017-10400 | Oracle GlassFish Server | Administration Graphical User Interface | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 3.1.2 |
CVE-2017-10154 | Oracle Access Manager | Web Server Plugin | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.1.2.3.0 |
CVE-2003-1418 | Oracle HTTP Server | Web Listener | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.1.1.9.0, 12.1.3.0.0 |
CVE-2017-10336 | Oracle WebLogic Server | Web Container | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2017-10334 | Oracle WebLogic Server | Web Container | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2017-10033 | Oracle WebCenter Sites | Support Tools | None | No | 4.0 | Local | High | None | None | Unchanged | Low | Low | None | 11.1.1.8.0, 12.2.1.2.0 | See Note 5
CVE-2016-2183 | Oracle HTTP Server | OSSL Module | HTTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2017-10166 | Oracle Security Service | C Oracle SSL API | HTTPS | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | FMW: 11.1.1.9.0, 12.1.3.0.0 |

Notes:

  1. Please refer to My Oracle Support Doc ID 2310008.1 for instructions on how to address this issue.
  2. Please refer to My Oracle Support Doc ID 2313917.1 for instructions on how to address this issue.
  3. Please refer to My Oracle Support Doc ID 2310021.1 for instructions on how to address this issue.
  4. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code; if the data is not received over a network, the CVSS score may be lower.
  5. Please refer to My Oracle Support Doc ID 2318213.1 for instructions on how to address this issue.

Additional CVEs addressed are below:

  • The fix for CVE-2015-2808 also addresses CVE-2013-2566
  • The fix for CVE-2016-0714 also addresses CVE-2015-5351, CVE-2016-0706 and CVE-2016-0763
  • The fix for CVE-2016-1181 also addresses CVE-2014-0114, CVE-2015-0899 and CVE-2016-1182
  • The fix for CVE-2016-2834 also addresses CVE-2016-1950 and CVE-2016-1979

Appendix - Oracle Health Sciences Applications

Oracle Health Sciences Applications Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Health Sciences Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Health Sciences Applications Risk Matrix

Base Score through Availability are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2016-6814 | Oracle Healthcare Master Person Index | Relationship Management (Apache Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 4.x |

Appendix - Oracle Hospitality Applications

Oracle Hospitality Applications Executive Summary

This Critical Patch Update contains 37 new security fixes for Oracle Hospitality Applications. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Hospitality Applications Risk Matrix

Base Score through Availability are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-10402 | Oracle Hospitality Reporting and Analytics | Report | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 8.5.1, 9.0.0 |
CVE-2017-5664 | Oracle Hospitality Guest Access | Base (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.2.0, 4.2.1 |
CVE-2017-10401 | Oracle Hospitality Cruise Materials Management | MMSUpdater | None | No | 8.7 | Local | Low | Low | None | Changed | Low | High | High | 7.30.564.0 |
CVE-2017-10372 | Oracle Hospitality Guest Access | Base | HTTP | No | 8.7 | Network | Low | High | None | Changed | None | High | High | 4.2.0, 4.2.1 |
CVE-2017-10398 | Oracle Hospitality Cruise Fleet Management | BaseMasterPage | None | No | 8.4 | Local | Low | Low | None | Changed | High | High | None | 9.0.2.0 |
CVE-2017-10404 | Oracle Hospitality Reporting and Analytics | iQuery | HTTP | No | 8.3 | Network | Low | Low | None | Unchanged | High | High | High | 8.5.1, 9.0.0 |
CVE-2017-10396 | Oracle Hospitality Cruise AffairWhere | AffairWhere | None | No | 8.2 | Local | Low | Low | Required | Changed | High | High | High | 2.2.5.0, 2.2.6.0, 2.2.7.0 |
CVE-2017-10405 | Oracle Hospitality Reporting and Analytics | Report | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | High | None | Low | 8.5.1, 9.0.0 |
CVE-2017-10050 | Oracle Hospitality Suite8 | WebConnect | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 8.10.1, 8.10.2 |
CVE-2017-10403 | Oracle Hospitality Reporting and Analytics | iQuery | HTTP | No | 8.0 | Network | High | Low | Required | Changed | High | High | High | 8.5.1, 9.0.0 |
CVE-2017-5662 | Oracle Hospitality Guest Access | Base (Apache Batik) | HTTP | No | 7.3 | Network | Low | Low | Required | Unchanged | High | None | High | 4.2.0, 4.2.1 |
CVE-2017-10353 | Oracle Hospitality Hotel Mobile | Suite8/RESTAPI | HTTP | No | 7.1 | Network | Low | Low | None | Unchanged | High | None | Low | 1.1 |
CVE-2017-10370 | Oracle Hospitality Guest Access | Base | HTTP | No | 6.9 | Network | Low | High | Required | Changed | High | Low | None | 4.2.0, 4.2.1 |
CVE-2017-10343 | Oracle Hospitality Simphony | Import/Export | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 2.8, 2.9 |
CVE-2017-10344 | Oracle Hospitality Simphony | Import/Export | HTTP | Yes | 6.5 | Network | High | None | None | Unchanged | High | Low | None | 2.8, 2.9 |
CVE-2017-10421 | Oracle Hospitality Suite8 | Leisure | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.10.1, 8.10.2 |
CVE-2017-10316 | Oracle Hospitality Suite8 | WebConnect | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.10.1, 8.10.2 |
CVE-2017-10361 | Oracle Hospitality Cruise Shipboard Property Management System | OHC DRS | HTTP | No | 6.4 | Network | Low | Low | None | Changed | Low | None | Low | 8.0.2.0 |
CVE-2017-10420 | Oracle Hospitality Suite8 | Leisure | HTTP | No | 6.4 | Network | Low | Low | None | Changed | None | Low | Low | 8.10.1, 8.10.2 |
CVE-2017-10397 | Oracle Hospitality Cruise Fleet Management | BaseMasterPage | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.0.2.0 |
CVE-2017-10339 | Oracle Hospitality Suite8 | WebConnect | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 8.10.1, 8.10.2 |
CVE-2017-10389 | Oracle Hospitality Suite8 | PMS | None | No | 5.7 | Local | Low | Low | Required | Changed | Low | Low | Low | 8.10.1, 8.10.2 |
CVE-2017-10395 | Oracle Hospitality Cruise Fleet Management | GangwayActivityWebApp | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 9.0.2.0 |
CVE-2017-10367 | Oracle Hospitality Simphony | Engagement | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 2.8, 2.9 |
CVE-2017-10340 | Oracle Hospitality Simphony | Import/Export | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 2.8, 2.9 |
CVE-2017-10425 | Oracle Hospitality Simphony | Service Host | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 2.6, 2.7, 2.8, 2.9 |
CVE-2017-10337 | Oracle Hospitality Suite8 | Leisure | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | None | Low | 8.10.1, 8.10.2 |
CVE-2017-10383 | Oracle Hospitality Guest Access | Interface | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 4.2.0, 4.2.1 |
CVE-2017-10319 | Oracle Hospitality Suite8 | Leisure | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.10.1, 8.10.2 |
CVE-2017-10054 | Oracle Hospitality Cruise Materials Management | MMS | None | No | 5.1 | Local | Low | None | None | Unchanged | Low | Low | None | 7.30.564.0 |
CVE-2017-10419 | Oracle Hospitality Suite8 | PMS | None | No | 5.1 | Local | Low | None | None | Unchanged | Low | Low | None | 8.10.1, 8.10.2 |
CVE-2017-10318 | Oracle Hospitality Suite8 | WebConnect | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | Low | None | None | 8.10.1, 8.10.2 |
CVE-2017-10375 | Oracle Hospitality Guest Access | Base | HTTP | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | Low | None | 4.2.0, 4.2.1 |
CVE-2017-10197 | Oracle Hospitality OPERA 5 Property Services | Folios | None | No | 4.6 | Physical | Low | None | None | Unchanged | High | None | None | 5.4.2.x through 5.5.1.x |
CVE-2017-10317 | Oracle Hospitality Suite8 | WebConnect | None | No | 4.0 | Local | Low | None | None | Unchanged | Low | None | None | 8.10.1, 8.10.2 |
CVE-2017-10014 | Oracle Hospitality Hotel Mobile | Suite8/RESTAPI | HTTP | No | 3.5 | Network | Low | Low | Required | Unchanged | None | Low | None | 1.1 |
CVE-2017-10399 | Oracle Hospitality Cruise Fleet Management | GangwayActivityWebApp | HTTP | No | 3.1 | Network | High | Low | None | Unchanged | None | None | Low | 9.0.2.0 |

Additional CVEs addressed are below:

  • The fix for CVE-2017-5664 also addresses CVE-2016-8735

Appendix - Oracle Hyperion

Oracle Hyperion Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Hyperion. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Hyperion Risk Matrix

Base Score through Availability are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-10310 | Oracle Hyperion Financial Reporting | Security Models | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.1.2 |
CVE-2017-10312 | Oracle Hyperion BI+ | UI and Visualization | HTTP | Yes | 7.1 | Network | Low | None | Required | Unchanged | High | Low | None | 11.1.2.4 |
CVE-2017-10358 | Oracle Hyperion Financial Reporting | Workspace | HTTP | No | 6.4 | Network | Low | Low | None | Changed | Low | Low | None | 11.1.2 |
CVE-2017-10359 | Oracle Hyperion BI+ | UI and Visualization | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 11.1.2.4 |

Appendix - Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 22 new security fixes for Oracle Java SE. 20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the Confidentiality, Integrity and Availability impact metrics are "Low" instead of "High", which lowers the CVSS Base Score while the exploitability metrics and Scope stay the same. For example, a Base Score of 9.6 becomes 7.1.

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases.

Oracle Java SE Risk Matrix

Base Score through Availability are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-10346 | Java SE, Java SE Embedded | Hotspot | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 1
CVE-2017-10285 | Java SE, Java SE Embedded | RMI | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 1
CVE-2017-10388 | Java SE, Java SE Embedded | Libraries | Kerberos | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 2
CVE-2017-10309 | Java SE | Deployment | Multiple | Yes | 7.1 | Network | Low | None | Required | Changed | Low | Low | Low | Java SE: 8u144, 9 | See Note 1
CVE-2017-10274 | Java SE | Smart Card IO | Multiple | Yes | 6.8 | Network | High | None | Required | Unchanged | High | High | None | Java SE: 6u161, 7u151, 8u144, 9 | See Note 1
CVE-2017-10356 | Java SE, Java SE Embedded, JRockit | Security | None | No | 6.2 | Local | Low | None | None | Unchanged | High | None | None | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144; JRockit: R28.3.15 | See Note 3
CVE-2017-10293 | Java SE | Javadoc | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Java SE: 6u161, 7u151, 8u144, 9 | See Note 1
CVE-2017-10342 | Java Advanced Management Console | Server | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java Advanced Management Console: 2.7 |
CVE-2017-10350 | Java SE, Java SE Embedded | JAX-WS | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 1
CVE-2017-10349 | Java SE, Java SE Embedded | JAXP | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 1
CVE-2017-10348 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 1
CVE-2017-10357 | Java SE, Java SE Embedded | Serialization | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 1
CVE-2016-9841 | Java SE, Java SE Embedded | Util (zlib) | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Java SE: 6u161, 7u151, 8u144; Java SE Embedded: 8u144 | See Note 1
CVE-2016-10165 | Java SE, Java SE Embedded, JRockit | 2D (Little CMS 2) | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | Java SE: 7u151, 8u144, 9; Java SE Embedded: 8u144; JRockit: R28.3.15 | See Note 3
CVE-2017-10355 | Java SE, Java SE Embedded, JRockit | Networking | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144; JRockit: R28.3.15 | See Note 3
CVE-2017-10281 | Java SE, Java SE Embedded, JRockit | Serialization | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144; JRockit: R28.3.15 | See Note 3
CVE-2017-10347 | Java SE, JRockit | Serialization | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 1
CVE-2017-10386 | Java Advanced Management Console | Server | HTTP | No | 4.8 | Network | Low | High | Required | Changed | Low | Low | None | Java Advanced Management Console: 2.7 |
CVE-2017-10380 | Java Advanced Management Console | Server | HTTP | Yes | 4.7 | Network | High | None | Required | Changed | Low | Low | None | Java Advanced Management Console: 2.7 |
CVE-2017-10295 | Java SE, Java SE Embedded, JRockit | Networking | HTTP | Yes | 4.0 | Network | High | None | None | Changed | None | Low | None | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144; JRockit: R28.3.15 | See Note 3
CVE-2017-10341 | Java Advanced Management Console | Server | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Java Advanced Management Console: 2.7 | See Note 1
CVE-2017-10345 | Java SE, Java SE Embedded, JRockit | Serialization | Multiple | Yes | 3.1 | Network | High | None | Required | Unchanged | None | None | Low | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144; JRockit: R28.3.15 | See Note 3

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. Applies to the Java SE Kerberos client.
  3. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Additional CVEs addressed are below:

  • The fix for CVE-2016-9841 also addresses CVE-2016-9840, CVE-2016-9842 and CVE-2016-9843

Appendix - Oracle JD Edwards Products

Oracle JD Edwards Products Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle JD Edwards Products. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle JD Edwards Products Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-3732 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure SEC (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 9.2 | |
| CVE-2017-3732 | JD Edwards World | Security GUI / World Vision (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | A9.1, A9.2, A9.3, A9.4 | |

Additional CVEs addressed are below:

  • The fix for CVE-2017-3732 also addresses CVE-2016-7055, CVE-2017-3730, CVE-2017-3731 and CVE-2017-3733

Appendix - Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 25 new security fixes for Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-10424 | MySQL Enterprise Monitor | Monitoring: Web | MySQL Protocol | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 3.2.8.2223 and earlier, 3.3.4.3247 and earlier, 3.4.2.4181 and earlier | |
| CVE-2017-5664 | MySQL Enterprise Monitor | Monitoring: General (Apache Tomcat) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 3.2.8.2223 and earlier, 3.3.4.3247 and earlier, 3.4.2.4181 and earlier | |
| CVE-2017-10155 | MySQL Server | Server: Pluggable Auth | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-3731 | MySQL Server | Server: Security: Encryption (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.6.35 and earlier, 5.7.18 and earlier | |
| CVE-2017-10379 | MySQL Server | Client programs | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 5.5.57 and earlier, 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10384 | MySQL Server | Server: DDL | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.5.57 and earlier, 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10276 | MySQL Server | Server: FTS | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10167 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.7.19 and earlier | |
| CVE-2017-10378 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.5.57 and earlier, 5.6.37 and earlier, 5.7.11 and earlier | |
| CVE-2017-10277 | MySQL Connectors | Connector/Net | MySQL Protocol | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 6.9.9 and earlier | |
| CVE-2017-10203 | MySQL Connectors | Connector/Net | MySQL Protocol | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 6.9.9 and earlier | |
| CVE-2017-10283 | MySQL Server | Server: Performance Schema | MySQL Protocol | No | 5.3 | Network | High | Low | None | Unchanged | None | None | High | 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10313 | MySQL Server | Group Replication GCS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.19 and earlier | |
| CVE-2017-10296 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.18 and earlier | |
| CVE-2017-10311 | MySQL Server | Server: FTS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.19 and earlier | |
| CVE-2017-10320 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.19 and earlier | |
| CVE-2017-10314 | MySQL Server | Server: Memcached | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10227 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10279 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.36 and earlier, 5.7.18 and earlier | |
| CVE-2017-10294 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10165 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.19 and earlier | |
| CVE-2017-10284 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.18 and earlier | |
| CVE-2017-10286 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10268 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.1 | Local | High | High | None | Unchanged | High | None | None | 5.5.57 and earlier, 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10365 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 3.8 | Network | Low | High | None | Unchanged | None | Low | Low | 5.7.18 and earlier | |

Additional CVEs addressed are below:

  • The fix for CVE-2017-3731 also addresses CVE-2016-7055 and CVE-2017-3732

Appendix - Oracle PeopleSoft Products

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 23 new security fixes for Oracle PeopleSoft Products. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-10366 | PeopleSoft Enterprise PT PeopleTools | Performance Monitor | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.54, 8.55, 8.56 | |
| CVE-2017-10338 | PeopleSoft Enterprise PRTL Interaction Hub | Enterprise Portal | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 9.1.00 | |
| CVE-2017-10354 | PeopleSoft Enterprise PRTL Interaction Hub | Enterprise Portal | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 9.1.00 | |
| CVE-2017-10364 | PeopleSoft Enterprise PeopleTools | Updates Environment Mgmt | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10335 | PeopleSoft Enterprise PT PeopleTools | Elastic Search | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.55, 8.56 | |
| CVE-2017-10373 | PeopleSoft Enterprise PT PeopleTools | Health Center | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.55, 8.56 | |
| CVE-2017-10362 | PeopleSoft Enterprise PeopleTools | Sawbridge | HTTP | Yes | 7.2 | Network | Low | None | None | Changed | Low | None | Low | 8.54, 8.55, 8.56 | |
| CVE-2017-10280 | PeopleSoft Enterprise PeopleTools | Test Framework | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10418 | PeopleSoft Enterprise PT PeopleTools | PeopleSoft CDA | HTTP | No | 6.4 | Network | Low | Low | None | Changed | Low | Low | None | 8.56 | |
| CVE-2017-10351 | PeopleSoft Enterprise PT PeopleTools | Application Server | None | No | 6.2 | Local | Low | None | None | Unchanged | High | None | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10158 | PeopleSoft Enterprise PeopleTools | Core | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10381 | PeopleSoft Enterprise PeopleTools | PIA Core Technology | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10406 | PeopleSoft Enterprise PeopleTools | PIA Core Technology | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10327 | PeopleSoft Enterprise PeopleTools | Query | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10368 | PeopleSoft Enterprise SCM eProcurement | Manage Requisition Status | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.1.00, 9.2.00 | |
| CVE-2017-10422 | PeopleSoft Enterprise PeopleTools | Updates Change Assistant | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 8.54 | |
| CVE-2017-10304 | PeopleSoft Enterprise HCM | Security | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.2 | |
| CVE-2017-10394 | PeopleSoft Enterprise PeopleTools | Security | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | None | Low | Low | 8.54, 8.55, 8.56 | |
| CVE-2017-10382 | PeopleSoft Enterprise PeopleTools | PIA Core Technology | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10306 | PeopleSoft Enterprise HCM | Security | HTTP | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | Low | None | 9.2 | |
| CVE-2017-10164 | PeopleSoft Enterprise FSCM | Staffing Front Office | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 9.2 | |
| CVE-2017-10287 | PeopleSoft Enterprise FSCM | Strategic Sourcing | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 9.2 | |
| CVE-2017-10426 | PeopleSoft Enterprise FSCM | Staffing Front Office | HTTP | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 9.2 | |

Appendix - Oracle Retail Applications

Oracle Retail Applications Executive Summary

This Critical Patch Update contains 9 new security fixes for Oracle Retail Applications. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Retail Applications Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-6814 | Oracle Retail Convenience and Fuel POS Software | OPT Server (Apache Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 2.1.132 | |
| CVE-2016-6814 | Oracle Retail Store Inventory Management | SIM Integration (Apache Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 13.2.9, 14.0.4, 14.1.3, 15.0.1, 16.0.1 | |
| CVE-2017-10065 | Oracle Retail Point-of-Service | Security | HTTP | No | 8.5 | Network | Low | Low | None | Changed | Low | High | None | 13.2, 13.3, 13.4, 14.0, 14.1 | |
| CVE-2017-5664 | MICROS Retail XBRi Loss Prevention | Retail (Apache Tomcat) | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 10.0.1, 10.5.0, 10.6.0, 10.7.7, 10.8.0, 10.8.1 | |
| CVE-2016-3506 | Oracle Retail Clearance Optimization Engine | Installation | Oracle Net | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 13.4 | |
| CVE-2016-3506 | Oracle Retail Markdown Optimization | Installation | Oracle Net | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 13.4, 14.0 | |
| CVE-2017-5662 | MICROS Retail XBRi Loss Prevention | Retail (Apache Batik) | HTTP | No | 7.3 | Network | Low | Low | Required | Unchanged | High | None | High | 10.0.1, 10.5.0, 10.6.0, 10.7.7, 10.8.0, 10.8.1 | |
| CVE-2017-10427 | Oracle Retail Xstore Point of Service | Point of Sale | HTTP | Yes | 6.5 | Network | High | None | None | Changed | Low | Low | Low | 6.0.11, 6.5.11, 7.0.6, 7.1.6, 15.0.1 | |
| CVE-2017-10423 | Oracle Retail Back Office | Security | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 13.2, 13.3, 13.4, 14.0, 14.1 | |

Additional CVEs addressed are below:

  • The fix for CVE-2017-5664 also addresses CVE-2016-8735

Appendix - Oracle Siebel CRM

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle Siebel CRM. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-1903 | Siebel Apps - Field Service | Smart Answer (Python) | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 16.0, 17.0 | |
| CVE-2017-10263 | Siebel UI Framework | UIF Open UI | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 16.0, 17.0 | |
| CVE-2017-10333 | Siebel UI Framework | EAI | HTTP | No | 7.4 | Network | Low | Low | None | Changed | Low | Low | Low | 16.0, 17.0 | |
| CVE-2017-10302 | Siebel UI Framework | UIF Open UI | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 16.0, 17.0 | |
| CVE-2017-10315 | Siebel UI Framework | UIF Open UI | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 16.0, 17.0 | |
| CVE-2017-10162 | Siebel Core - Server Framework | Services | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 16.0, 17.0 | |
| CVE-2017-10300 | Siebel CRM Desktop | Siebel Business Service Issues | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 16.0, 17.0 | |
| CVE-2017-10264 | Siebel UI Framework | UIF Open UI | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 16.0, 17.0 | |

Additional CVEs addressed are below:

  • The fix for CVE-2013-1903 also addresses CVE-2013-0255, CVE-2013-1900, CVE-2013-1902, CVE-2014-0060, CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064, CVE-2014-0065 and CVE-2014-0066

Appendix - Oracle Sun Systems Products Suite

Oracle Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 11 new security fixes for the Oracle Sun Systems Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Sun Systems Products Suite Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-5706 | Oracle Server X7-2/2L, X7-8 | Firmware | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | 1.0 and 1.0.1, 1.0 | |
| CVE-2016-6304 | Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers | XCP Firmware | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to XCP2340 and Prior to XCP3030 | |
| CVE-2017-10260 | Oracle Integrated Lights Out Manager (ILOM) | System Management | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 3.2.6 | |
| CVE-2016-6304 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | XCP Firmware | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to XCP1123 | |
| CVE-2017-10265 | Oracle Integrated Lights Out Manager (ILOM) | System Management | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | Prior to 3.2.6 | |
| CVE-2017-3588 | Solaris Cluster | HA for MySQL | None | No | 7.3 | Local | Low | None | Required | Unchanged | High | High | Low | 3.3, 4.3 | |
| CVE-2016-7431 | Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers | XCP Firmware | NTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Prior to XCP2340 and Prior to XCP3030 | |
| CVE-2016-7431 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | XCP Firmware | NTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Prior to XCP1123 | |
| CVE-2017-10275 | Sun ZFS Storage Appliance Kit (AK) | Filesystem | None | No | 5.0 | Local | Low | Low | Required | Unchanged | None | None | High | AK 2013 | |
| CVE-2017-10099 | SPARC M7, T7, S7 based Servers | Firmware | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | Prior to 9.7.6.b | |
| CVE-2017-10194 | Oracle Integrated Lights Out Manager (ILOM) | System Management | HTTP | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | Prior to 3.2.6 | |

Additional CVEs addressed are below:

  • The fix for CVE-2016-6304 also addresses CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6306, CVE-2016-6515 and CVE-2017-3731
  • The fix for CVE-2016-7431 also addresses CVE-2016-7429 and CVE-2016-7433
  • The fix for CVE-2017-5706 also addresses CVE-2017-5709

Appendix - Oracle Supply Chain Products Suite

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 7 new security fixes for the Oracle Supply Chain Products Suite. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2015-7501 | Oracle Agile Engineering Data Management | Install (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 6.1.3, 6.2.0 | |
| CVE-2016-3092 | Oracle Transportation Management | Install (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.4.1, 6.4.2 | |
| CVE-2017-5664 | Oracle Transportation Management | Install (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7 | |
| CVE-2017-3732 | Oracle Agile Engineering Data Management | Install (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 6.1.3, 6.2.0 | |
| CVE-2017-10161 | Oracle Engineering Data Management | Web Services Security | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 6.1.3.0, 6.2.2.0 | |
| CVE-2017-10299 | Oracle Agile PLM | Security | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 9.3.5, 9.3.6 | |
| CVE-2017-10308 | Oracle Agile PLM | Performance | None | No | 3.5 | Physical | Low | None | None | Unchanged | Low | Low | None | 9.3.5, 9.3.6 | |

Additional CVEs addressed are below:

  • The fix for CVE-2016-3092 also addresses CVE-2013-0248 and CVE-2014-0050
  • The fix for CVE-2017-3732 also addresses CVE-2016-7055, CVE-2017-3730, CVE-2017-3731 and CVE-2017-3733
  • The fix for CVE-2017-5664 also addresses CVE-2016-8735

Appendix - Oracle Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 6 new security fixes for Oracle Virtualization. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-3167 | Oracle Secure Global Desktop (SGD) | Web Server (Apache HTTP Server) | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | High | None | High | 5.3 | |
| CVE-2017-10392 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | Low | High | Prior to 5.1.30 | |
| CVE-2017-10407 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | Low | High | Prior to 5.1.30 | |
| CVE-2017-10408 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | Low | High | Prior to 5.1.30 | |
| CVE-2017-3733 | Oracle VM VirtualBox | Core (OpenSSL) | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | Prior to 5.1.30 | |
| CVE-2017-10428 | Oracle VM VirtualBox | Core | None | No | 5.0 | Local | High | High | None | Changed | Low | Low | Low | Prior to 5.1.30 | |

Additional CVEs addressed are below:

  • The fix for CVE-2017-3167 also addresses CVE-2017-3169, CVE-2017-7668, CVE-2017-7679 and CVE-2017-9788
  • The fix for CVE-2017-3733 also addresses CVE-2017-3730, CVE-2017-3731 and CVE-2017-3732