Oracle Security Alert Advisory - CVE-2017-9805
List of Affected Products and Versions

Purpose

This document details the Oracle Products and Versions affected by patches distributed in Security Alert CVE-2017-9805.

Affected Products and Versions

Security vulnerabilities addressed by this Security Alert affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Affected Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for patch availability information and installation instructions.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions | Patch Availability
------------------------------ | ------------------
MySQL Enterprise Monitor, versions 3.2.8.2223 and prior, 3.3.4.3247 and prior, 3.4.2.4181 and prior | Oracle MySQL Product Suite
Oracle Communications Policy Management, versions 11.5, 12.x | Oracle Communications Policy Management
Oracle FLEXCUBE Private Banking, versions 2.0, 2.1, 2.2, 3.0, 12.0, 12.0.1, 12.0.2, 12.0.3, 12.1 | Oracle Financial Services Applications
Oracle Financial Services Analytical Applications Infrastructure, versions 7.2, 7.3 | Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Analytical Applications Reconciliation Framework, versions 3.5, 3.5.1, 8.0.0 to 8.0.4 | Oracle Financial Services Analytical Applications Reconciliation Framework
Oracle Financial Services Asset Liability Management, versions 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 | Oracle Financial Services Asset Liability Management
Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.0 to 8.0.4 | Oracle Financial Services Basel Regulatory Capital Basic
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.0 to 8.0.4 | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach
Oracle Financial Services Data Foundation, versions 7.3.0, 7.4.0, 8.0.0 to 8.0.5 | Oracle Financial Services Data Foundation
Oracle Financial Services Data Integration Hub, versions 8.0.1 to 8.0.4 | Oracle Financial Services Data Integration Hub
Oracle Financial Services Enterprise Financial Performance Analytics, versions 8.0.0 to 8.0.5 | Oracle Financial Services Enterprise Financial Performance Analytics
Oracle Financial Services Funds Transfer Pricing, versions 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 | Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 | Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services ICAAP Analytics, version 8.0 | Oracle Financial Services ICAAP Analytics
Oracle Financial Services Institutional Performance Analytics, versions 8.0.0 to 8.0.5 | Oracle Financial Services Institutional Performance Analytics
Oracle Financial Services Liquidity Risk Management, versions 8.0.1, 8.0.2, 8.0.4 | Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 1.5.0, 1.5.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 | Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Pricing Management, Transfer Pricing Component / Oracle Financial Services Price Creation and Discovery, versions 8.0.0 to 8.0.5 | Oracle Financial Services Pricing Management, Transfer Pricing Component
Oracle Financial Services Profitability Management, versions 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 | Oracle Financial Services Profitability Management
Oracle Financial Services Retail Customer Analytics, versions 8.0.0 to 8.0.5 | Oracle Financial Services Retail Customer Analytics
Oracle Financial Services Retail Performance Analytics, versions 8.0.0 to 8.0.5 | Oracle Financial Services Retail Performance Analytics
Oracle Insurance Data Foundation, versions 8.0.0 to 8.0.5 | Oracle Insurance Data Foundation
Oracle Insurance Performance Insight for General Insurance, version 8.0 | Oracle Insurance Performance Insight for General Insurance
Oracle Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1 | Retail Applications
Siebel Applications, versions 6.1, 6.2, 7.1 | Siebel
WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1, 12.2.1.2, 12.2.1.3 | Fusion Middleware



Modification History

Date | Note
---- | ----
2017-September-22 | Rev 1. Initial Release.

Appendix - Oracle Applications

Oracle Siebel CRM Executive Summary

This Security Alert contains 1 new security fix for Oracle Siebel CRM.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix


Columns Base Score through Availability are the CVSS Version 3.0 Risk (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---- | ------- | --------- | -------- | ----------------------------- | ---------- | ------------- | -------------- | ----------- | ------------- | ----- | --------------- | --------- | ------------ | --------------------------- | -----
CVE-2017-9805 | Siebel Apps - E-Billing | Security (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.1, 6.2, 7.1 | 

Additional CVEs addressed are below:

  • The fix for CVE-2017-9805 also addresses CVE-2017-12611, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, and CVE-2017-9804.

 

Appendix - Oracle Communications Applications

Oracle Communications Applications Executive Summary

This Security Alert contains 1 new security fix for Oracle Communications Applications.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix


Columns Base Score through Availability are the CVSS Version 3.0 Risk (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---- | ------- | --------- | -------- | ----------------------------- | ---------- | ------------- | -------------- | ----------- | ------------- | ----- | --------------- | --------- | ------------ | --------------------------- | -----
CVE-2017-9805 | Oracle Communications Policy Management | Security (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.5, 12.x | 

Additional CVEs addressed are below:

  • The fix for CVE-2017-9805 also addresses CVE-2017-12611, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, and CVE-2017-9804.

 

Appendix - Oracle Financial Services Applications

Oracle Financial Services Applications Executive Summary

This Security Alert contains 21 new security fixes for Oracle Financial Services Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Financial Services Applications Risk Matrix


Columns Base Score through Availability are the CVSS Version 3.0 Risk (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---- | ------- | --------- | -------- | ----------------------------- | ---------- | ------------- | -------------- | ----------- | ------------- | ----- | --------------- | --------- | ------------ | --------------------------- | -----
CVE-2017-9805 | Oracle Financial Services Analytical Applications Infrastructure | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.2, 7.3 | 
CVE-2017-9805 | Oracle Financial Services Analytical Applications Reconciliation Framework | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.5, 3.5.1, 8.0.0 to 8.0.4 | 
CVE-2017-9805 | Oracle Financial Services Asset Liability Management | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 | 
CVE-2017-9805 | Oracle Financial Services Basel Regulatory Capital Basic | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.4 | 
CVE-2017-9805 | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.4 | 
CVE-2017-9805 | Oracle Financial Services Data Foundation | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.3.0, 7.4.0, 8.0.0 to 8.0.5 | 
CVE-2017-9805 | Oracle Financial Services Data Integration Hub | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.1 to 8.0.4 | 
CVE-2017-9805 | Oracle Financial Services Enterprise Financial Performance Analytics | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.5 | 
CVE-2017-9805 | Oracle Financial Services Funds Transfer Pricing | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 | 
CVE-2017-9805 | Oracle Financial Services Hedge Management and IFRS Valuations | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 | 
CVE-2017-9805 | Oracle Financial Services ICAAP Analytics | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0 | 
CVE-2017-9805 | Oracle Financial Services Institutional Performance Analytics | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.5 | 
CVE-2017-9805 | Oracle Financial Services Liquidity Risk Management | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.1, 8.0.2, 8.0.4 | 
CVE-2017-9805 | Oracle Financial Services Loan Loss Forecasting and Provisioning | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.5.0, 1.5.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 | 
CVE-2017-9805 | Oracle Financial Services Pricing Management, Transfer Pricing Component / Oracle Financial Services Price Creation and Discovery | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.5 | 
CVE-2017-9805 | Oracle Financial Services Profitability Management | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 | 
CVE-2017-9805 | Oracle Financial Services Retail Customer Analytics | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.5 | 
CVE-2017-9805 | Oracle Financial Services Retail Performance Analytics | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.5 | 
CVE-2017-9805 | Oracle FLEXCUBE Private Banking | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.0, 2.1, 2.2, 3.0, 12.0, 12.0.1, 12.0.2, 12.0.3, 12.1 | 
CVE-2017-9805 | Oracle Insurance Data Foundation | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.5 | 
CVE-2017-9805 | Oracle Insurance Performance Insight for General Insurance | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0 | 

Additional CVEs addressed are below:

  • The fix for CVE-2017-9805 also addresses CVE-2017-12611, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, and CVE-2017-9804.

 

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Security Alert contains 1 new security fix for Oracle Fusion Middleware.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware Risk Matrix


Columns Base Score through Availability are the CVSS Version 3.0 Risk (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---- | ------- | --------- | -------- | ----------------------------- | ---------- | ------------- | -------------- | ----------- | ------------- | ----- | --------------- | --------- | ------------ | --------------------------- | -----
CVE-2017-9805 | WebLogic Server | Samples (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1, 12.2.1.2, 12.2.1.3 | 

Additional CVEs addressed are below:

  • The fix for CVE-2017-9805 also addresses CVE-2017-12611, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, and CVE-2017-9804.

 

Appendix - Oracle MySQL

Oracle MySQL Executive Summary

This Security Alert contains 1 new security fix for Oracle MySQL.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix


Columns Base Score through Availability are the CVSS Version 3.0 Risk (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---- | ------- | --------- | -------- | ----------------------------- | ---------- | ------------- | -------------- | ----------- | ------------- | ----- | --------------- | --------- | ------------ | --------------------------- | -----
CVE-2017-9787 | MySQL Enterprise Monitor | Monitoring: General (Struts 2) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 3.2.8.2223 and earlier, 3.3.4.3247 and earlier, 3.4.2.4181 and earlier | 

Appendix - Oracle Retail Applications

Oracle Retail Applications Executive Summary

This Security Alert contains 1 new security fix for Oracle Retail Applications.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Retail Applications Risk Matrix


Columns Base Score through Availability are the CVSS Version 3.0 Risk (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
---- | ------- | --------- | -------- | ----------------------------- | ---------- | ------------- | -------------- | ----------- | ------------- | ----- | --------------- | --------- | ------------ | --------------------------- | -----
CVE-2017-9805 | Oracle Retail XBRi Loss Prevention | Internal Operations (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1 | 

Additional CVEs addressed are below:

  • The fix for CVE-2017-9805 also addresses CVE-2017-12611, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, and CVE-2017-9804.