Oracle Critical Patch Update Advisory - January 2016



Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:


Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.


Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.


This Critical Patch Update contains 248 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.


Please note that on November 10, 2015, Oracle released Security Alert for CVE-2015-4852. Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2015-4852.


This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF.


Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below.  The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column.   Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.


The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:


Affected Products and Versions Patch Availability
Oracle Database Server, version(s) 11.2.0.4, 12.1.0.1, 12.1.0.2 Database
Oracle GoldenGate, version(s) 11.2, 12.1.2 Oracle GoldenGate
Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0 Fusion Middleware
Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0 Fusion Middleware
Oracle Endeca Server, version(s) 7.3.0.0, 7.4.0.0, 7.5.0.0, 7.6.0.0 Fusion Middleware
Oracle Fusion Middleware, version(s) 10.1.3.5, 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.2.0, 12.1.3.0, 12.2.1 Fusion Middleware
Oracle GlassFish Server, version(s) 3.1.2 Fusion Middleware
Oracle Identity Federation, version(s) 11.1.1.7, 11.1.2.2 Fusion Middleware
Oracle Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2 Fusion Middleware
Oracle Tuxedo, version(s) 12.1.1.0 Fusion Middleware
Oracle Web Cache, version(s) 11.1.1.7.0, 11.1.1.9.0 Fusion Middleware
Oracle WebCenter Sites, version(s) 7.6.2, 11.1.1.8.0 Fusion Middleware
Oracle WebLogic Portal, version(s) 10.3.6 Fusion Middleware
Oracle WebLogic Server, version(s) 10.3.6, 12.1.2, 12.1.3, 12.2.1 Fusion Middleware
Enterprise Manager Base Platform, version(s) 11.1.0.1, 11.2.0.4, 12.1.0.4, 12.1.0.5 Enterprise Manager
Enterprise Manager Ops Center, version(s) prior to 12.1.4, 12.2.0, 12.2.1, 12.3.0 Enterprise Manager
Oracle Application Testing Suite, version(s) 12.4.0.2, 12.5.0.2 Enterprise Manager
Application Mgmt Pack for E-Business Suite, version(s) 12.1, 12.2 E-Business Suite
Oracle E-Business Suite, version(s) 11.5.10.2, 12.1, 12.1.1, 12.1.2, 12.1.3, 12.2, 12.2.3, 12.2.4, 12.2.5 E-Business Suite
Oracle Agile Engineering Data Management, version(s) 6.1.2.2, 6.1.3.0, 6.2.0.0 Oracle Supply Chain Products
Oracle Agile PLM, version(s) 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3 Oracle Supply Chain Products
Oracle Configurator, version(s) 11.5.10.2, 12.1, 12.2 Oracle Supply Chain Products
PeopleSoft Enterprise HCM Global Payroll Switzerland, version(s) 9.1, 9.2 PeopleSoft
PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54, 8.55 PeopleSoft
PeopleSoft Enterprise SCM eProcurement, version(s) 9.1, 9.2 PeopleSoft
PeopleSoft Enterprise SCM Order Management, version(s) 9.1, 9.2 PeopleSoft
PeopleSoft Enterprise SCM Purchasing, version(s) 9.1, 9.2 PeopleSoft
JD Edwards EnterpriseOne Tools, version(s) 9.1, 9.2 JD Edwards
Oracle iLearning, version(s) 6.0, 6.1 iLearning
Oracle Fusion Applications, version(s) 11.1.2 through 11.1.10 Fusion Applications
Oracle Communications Converged Application Server - Service Controller, version(s) 6.1 Communications Converged Application Server - Service Controller
Oracle Communications EAGLE LNP Application Processor, version(s) 10.0 Communications EAGLE LNP Application Processor
Oracle Communications Online Mediation Controller, version(s) 6.1 Communications Online Mediation Controller
Oracle Communications Service Broker, version(s) 6.0, 6.1 Communications Service Broker
Oracle Communications Service Broker Engineered System Edition, version(s) 6.0 Communications Service Broker Engineered System Edition
MICROS CWDirect, version(s) 12.5, 13.0, 14.0, 15.0, 16.0, 17.0 18.0 MICROS CWDirect
Oracle Retail Open Commerce Platform Cloud Service, version(s) 3.5, 4.5, 4.7, 5.0 Retail Open Commerce Platform Cloud Service
Oracle Retail Order Broker Cloud Service, version(s) 4.0, 4.1. Retail Order Broker Cloud Service
Oracle Retail Order Management System Cloud Service, version(s) 3.5, 4.5, 4.7, 5.0, 15.0 Retail Order Management System Cloud Service
Oracle Retail Point-of-Service, version(s) 13.4, 14.0, 14.1 Retail Point-of-Service
Oracle Java SE, version(s) 6u105, 7u91, 8u66 Oracle Java SE
Oracle Java SE Embedded, version(s) 8u65 Oracle Java SE
Oracle JRockit, version(s) R28.3.8 Oracle Java SE
Oracle Switch ES1-24, version(s) prior to 1.3.1.13 Oracle and Sun Systems Products Suite
Solaris, version(s) 10, 11 Oracle and Sun Systems Products Suite
Solaris Cluster, version(s) 3.3, 4, 4.2 Oracle and Sun Systems Products Suite
Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) prior to 1.2.2.13 Oracle and Sun Systems Products Suite
Sun Network 10GE Switch 72p, version(s) prior to 1.2.2.15 Oracle and Sun Systems Products Suite
Oracle Secure Global Desktop, version(s) 4.63, 4.71, 5.2 Oracle Linux and Virtualization
Oracle VM VirtualBox, version(s) prior to 4.0.36, prior to 4.1.44, prior to 4.2.36, prior to 4.3.36, prior to 5.0.14 Oracle Linux and Virtualization
MySQL Server, version(s) 5.5.46 and prior, 5.6.27 and prior, 5.7.9 Oracle MySQL Product Suite


Patch Availability Table and Risk Matrices


Patch Availability Table


For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update January 2016 Documentation Map, My Oracle Support Note 2068533.1.


Product Group Risk Matrix Patch Availability and Installation Information
Oracle Database Oracle Database Risk Matrix Patch Set Update and Critical Patch Update January 2016 Availability Document, My Oracle Support Note 2074802.1
Oracle Fusion Middleware Oracle Fusion Middleware Risk Matrix Patch Set Update and Critical Patch Update January 2016 Availability Document, My Oracle Support Note 2074802.1
Oracle Fusion Applications Oracle Database Risk Matrix and Oracle Fusion Middleware Risk Matrix Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document (January 2016) My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Oracle Enterprise Manager Oracle Enterprise Manage Risk Matrix Patch Set Update and Critical Patch Update January 2016 Availability Document, My Oracle Support Note 2074802.1
Oracle Applications - E-Business Suite Oracle E-Business Suite Risk Matrix Patch Set Update and Critical Patch Update January 2016 Availability Document, My Oracle Support Note 2072202.1
Oracle Applications - Oracle Supply Chain, PeopleSoft Enterprise, JDEdwards and iLearning Oracle Supply Chain Risk Matrix
Oracle PeopleSoft Enterprise Risk Matrix
Oracle JDEdwards Risk Matrix
Oracle iLearning Risk Matrix		 Critical Patch Update Knowledge Document for Oracle Supply Chain, PeopleSoft Enterprise, JDEdwards and iLearning Product Suite, My Oracle Support Note 2095485.1
Oracle Communications Applications Suite Oracle Communications Applications Risk Matrix
Oracle Retail Applications Suite Oracle Retail Applications Risk Matrix
Oracle Java SE Oracle Java SE Risk Matrix
  • Critical Patch Update January 2016 Patch Availability Document for Java SE, My Oracle Support Note 2087883.1
  • Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
  • The latest JavaFX release is included with the latest update of JDK and JRE 7 and 8.
Oracle and Sun Systems Products Suite Oracle and Sun Systems Products Suite Risk Matrix Critical Patch Update January 2016 Patch Delivery Document for Oracle and Sun Systems Product Suite, My Oracle Support Note 2091648.1
Oracle Linux and Virtualization Products Oracle Linux and Virtualization Products Risk Matrix Critical Patch Update January 2016 Patch Delivery Document for Oracle Linux and Virtualization Products, My Oracle Support Note 2090210.1
Oracle MySQL Oracle MySQL Risk Matrix Critical Patch Update January 2016 Patch Availability Document for Oracle MySQL Products, My Oracle Support Note 2096144.1

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is available here.


Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.


Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.


The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.


Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.


Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.


Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update January 2016 Availability Document, My Oracle Support Note 2074802.1.


Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.


Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.


Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.


Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.


Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Adam Willard of Raytheon Foreground Security; Alexey Tyurin of ERPScan; Andrea Micalizzi aka rgod, working with HP's Zero Day Initiative; Anonymous working with HP's Zero Day Initiative; Brandon Vincent; Cybersecurity-upv; David Litchfield of Google; Dmitry Janushkevich of Secunia Research; Fernando Russ of Onapsis; FortiGuard Labs of Fortinet, Inc.; Francois Goichon of Context Information Security; Igor Kopylenko of McAfee Database Security Research Team; Ivan Chalykin of ERPScan; Jakub Palaczynski from ING Services Polska; Karthikeyan Bhargavan, Gaetan Leurent of INRIA; Lovi Yu of Salesforce.com; Luca Carettoni; Matias Mevied of Onapsis; Mike Arnold (Bruk0ut) working with HP's Zero Day Initiative; Nassim Bouali; Nicholas Lemonias of Advanced Information Security Corporation; Nikita Kelesis of ERPScan; Peter Kostiuk of Salesforce.com; Ryan Giobbi of American Eagle Outfitters; Sergey Gorbaty of Salesforce.com; Shai Meir of McAfee Security Research; Spyridon Chatzimichail of COSMOTE - Mobile Telecommunications S.A.; Stefan Kanthak; Stephen Kost of Integrigy; Travis Emmert of Salesforce.com; and Will Dormann of CERT/CC.


Security-In-Depth Contributors


Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Adam Willard of Raytheon Foreground Security; Calum Hutton; David Litchfield of Google; John Page (hyp3rlinx); Stephen Kost of Integrigy; and Wouter Coekaerts for contributions to Oracle's Security-In-Depth program.


On-Line Presence Security Contributors


Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes Adam Willard of Raytheon Foreground Security; Ahmed Adel Abdelfattah; Ayoub Ait Elmokhtar; Ben Khlifa Fahmi; Cyber Warrior Bug Researchers; Danyal Zafar; Hamza Zulfiqar Bhatti; Jose Carlos Exposito Bueno; Khair Alhamad; Mohamed Khaled Fathy; Mohammed Al Bess, Mohammad Abuhassan of Mohammed Al Bess ,Mohammad Abuhassan; Muhammed Gamal Fahmy; Pradeep Kumar; Prem Kumar; Renato Rodrigues; Samuel Orellana; Shahmeer Amir of Maads Security; Shawar Khan; Waleed Ezz Eldin (WIBF); and Weijun Lin of Future-Sec for contributions to Oracle's On-Line Presence Security program.


Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and January. The next four dates are:

  • 19 April 2016
  • 19 July 2016
  • 18 October 2016
  • 17 January 2017

References


Modification History


2016-February-12 Rev 2. Updated CVE-2015-4923 to reflect impact on client-only installations
2016-January-19 Rev 1. Initial Release

 

Appendix - Oracle Database Server

 

 

Oracle Database Server Executive Summary

 

This Critical Patch Update contains 10 new security fixes for the Oracle Database Server divided as follows:

  • 7 new security fixes for the Oracle Database Server.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password.  1 of these fixes is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

     

  • 3 new security fixes for Oracle GoldenGate.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.

     

 

 

Oracle Database Server Risk Matrix


CVE# Component Protocol Package and/or Privilege Required Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication		 Confiden-
tiality		 Integrity Avail-
ability
CVE-2016-0499 Java VM Multiple Create Session No 9.0 Network Low Single Complete Complete Complete 11.2.0.4, 12.1.0.1, 12.1.0.2 See Note 1
CVE-2015-4925 Workspace Manager Oracle Net Create Session, Create Table, Create Procedure No 6.5 Network Low Single Partial+ Partial+ Partial+ 11.2.0.4  
CVE-2016-0472 XDB - XML Database Oracle Net Create Session No 5.5 Network Low Single Partial+ None Partial 11.2.0.4, 12.1.0.1, 12.1.0.2  
CVE-2015-4921 Database Vault Oracle Net Create Session No 4.0 Network Low Single None Partial None 11.2.0.4, 12.1.0.1, 12.1.0.2  
CVE-2016-0467 Security Oracle Net Create Session, Create Java Source No 4.0 Network Low Single None Partial None 11.2.0.4, 12.1.0.1, 12.1.0.2  
CVE-2016-0461 XDB - XML Database Oracle Net Create Session No 4.0 Network Low Single None None Partial 11.2.0.4, 12.1.0.1, 12.1.0.2  
CVE-2015-4923 XML Developer's Kit for C HTTP Valid account No 4.0 Network Low Single None None Partial 11.2.0.4, 12.1.0.1, 12.1.0.2  
 

 

Notes:

  1. The CVSS score is 9.0 only on Windows for Database versions prior to 12c. The CVSS is 6.5 (Confidentiality, Integrity and Availability is "Partial+") for Database 12c on Windows and for all versions of Database on Linux, Unix and other platforms

 

Oracle Database Server Client-Only Installations

The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2015-4923.



 

Oracle GoldenGate Executive Summary

 

This Critical Patch Update contains 3 new security fixes for Oracle GoldenGate.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.

 

Oracle GoldenGate Risk Matrix


CVE# Component Protocol Package and/or Privilege Required Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication		 Confiden-
tiality		 Integrity Avail-
ability
CVE-2016-0451 Oracle GoldenGate Oracle Golden Gate None Yes 10.0 Network Low None Complete Complete Complete 11.2, 12.1.2 See Note 1
CVE-2016-0452 Oracle GoldenGate Oracle Golden Gate None Yes 10.0 Network Low None Complete Complete Complete 11.2, 12.1.2 See Note 1
CVE-2016-0450 Oracle GoldenGate Oracle Golden Gate None Yes 5.0 Network Low None None None Partial+ 11.2, 12.1.2  
 

 

Notes:

  1. The CVSS score is 10.0 only on Windows for Database versions prior to 12c. The CVSS is 7.5 (Confidentiality, Integrity and Availability is "Partial+") for Database 12c on Windows and for all versions of Database on Linux, Unix and other platforms

 

Appendix - Oracle Fusion Middleware

 

 

Oracle Fusion Middleware Executive Summary

 

This Critical Patch Update contains 27 new security fixes for Oracle Fusion Middleware.  17 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the January 2016 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2016 Patch Availability Document for Oracle Products, My Oracle Support Note 2074802.1.

 

Oracle Fusion Middleware Risk Matrix


CVE# Component Protocol Sub-
component		 Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication		 Confiden-
tiality		 Integrity Avail-
ability
CVE-2014-0107 Oracle WebCenter Sites HTTP Sites Yes 7.5 Network Low None Partial Partial Partial 7.6.2, 11.1.1.8.0  
CVE-2013-2186 Oracle WebLogic Portal HTTP Core Services Yes 7.5 Network Low None Partial Partial Partial 10.3.6  
CVE-2016-0574 Oracle WebLogic Server HTTP WLS Core Components Yes 7.5 Network Low None Partial+ Partial+ Partial+ 10.3.6, 12.1.2, 12.1.3, 12.2.1  
CVE-2014-0107 Oracle WebLogic Server HTTP XML Parser Yes 7.5 Network Low None Partial Partial Partial 10.3.6, 12.1.2, 12.1.3  
CVE-2016-0573 Oracle WebLogic Server JMS WLS Java Messaging Service Yes 7.5 Network Low None Partial+ Partial+ Partial+ 10.3.6, 12.1.2, 12.1.3, 12.2.1  
CVE-2016-0572 Oracle WebLogic Server Multiple Coherence Container Yes 7.5 Network Low None Partial+ Partial+ Partial+ 10.3.6, 12.1.2, 12.1.3, 12.2.1  
CVE-2016-0577 Oracle WebLogic Server T3 WLS Core Components Yes 7.5 Network Low None Partial+ Partial+ Partial+ 10.3.6, 12.1.2, 12.1.3, 12.2.1  
CVE-2016-0441 Oracle GlassFish Server HTTP Embedded Server No 6.8 Network High Single Complete Complete Partial+ 3.1.2  
CVE-2015-1793 Oracle Business Intelligence Enterprise Edition HTTPS BI Platform Security Yes 6.4 Network Low None Partial Partial None 11.1.1.7.0, 11.1.1.9.0  
CVE-2015-1793 Oracle Endeca Server HTTPS SSL/TLS Yes 6.4 Network Low None Partial Partial None 7.3.0.0, 7.4.0.0, 7.5.0.0, 7.6.0.0  
CVE-2015-1793 Oracle Tuxedo HTTPS SSL/TLS Yes 6.4 Network Low None Partial Partial None 12.1.1.0  
CVE-2016-0470 Oracle BI Publisher HTTP BI Publisher Security No 5.5 Network Low Single Partial Partial None 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0  
CVE-2016-0439 Web Cache HTTPS SSL Support Yes 5.0 Network Low None Partial None None 11.1.1.7.0, 11.1.1.9.0  
CVE-2016-0401 Oracle BI Publisher HTTP Scheduler Yes 4.3 Network Medium None None Partial None 11.1.1.7.0, 11.1.1.9.0  
CVE-2016-0429 Oracle BI Publisher HTTP Scheduler Yes 4.3 Network Medium None None Partial None 11.1.1.7.0, 11.1.1.9.0  
CVE-2016-0404 Oracle Identity Federation HTTP Admin Yes 4.3 Network Medium None None Partial None 11.1.2.2  
CVE-2016-0464 Oracle WebLogic Server HTTP WLS-Console Yes 4.3 Network Medium None None Partial None 10.3.6, 12.1.2, 12.1.3  
CVE-2016-0430 Web Cache HTTPS SSL Support Yes 4.3 Network Medium None Partial None None 11.1.1.7.0, 11.1.1.9.0  
CVE-2016-0433 Web Cache HTTPS SSL Support Yes 4.3 Network Medium None Partial None None 11.1.1.9.0  
CVE-2016-0614 Oracle BI Publisher HTTP Security No 4.0 Network Low Single Partial None None 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0  
CVE-2016-0413 Oracle Identity Federation HTTP Federation protocol support No 4.0 Network Low Single None Partial+ None 11.1.1.7  
CVE-2015-4808 Oracle Outside In Technology None Outside In Filters No 1.9 Local Medium None None None Partial 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2015-6013 Oracle Outside In Technology None Outside In Filters No 1.9 Local Medium None None None Partial 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2015-6014 Oracle Outside In Technology None Outside In Filters No 1.9 Local Medium None None None Partial 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2015-6015 Oracle Outside In Technology None Outside In Filters No 1.9 Local Medium None None None Partial 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-0432 Oracle Outside In Technology None Outside In Filters No 1.9 Local Medium None None None Partial 8.5.0, 8.5.1, 8.5.2 See Note 1
CVE-2016-0453 Oracle GlassFish Server HTTP Embedded Server No 1.8 Adjacent Network High None None Partial None 3.1.2  
 

 

Notes:

  1. Outside In Technology is a suite of software development kits (SDKs). It does not have any particular associated protocol. If the hosting software passes data received over the network to Outside In Technology code, the CVSS Base Score would increase to 6.8.

Additional CVEs addressed:

  1. CVE-2013-2186 fix also addresses CVE-2014-0050.

 

Appendix - Oracle Enterprise Manager Grid Control

 

 

Oracle Enterprise Manager Grid Control Executive Summary

 

This Critical Patch Update contains 33 new security fixes for Oracle Enterprise Manager Grid Control.  23 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the January 2016 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2016 Patch Availability Document for Oracle Products, My Oracle Support Note 2074802.1.

 

Oracle Enterprise Manager Grid Control Risk Matrix


CVE# Component Protocol Sub-
component		 Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication		 Confiden-
tiality		 Integrity Avail-
ability
CVE-2013-1741 Enterprise Manager Ops Center HTTP Satellite Framework Yes 7.5 Network Low None Partial+ Partial+ Partial+ Prior to 12.1.4, 12.2.0, 12.2.1, 12.3.0  
CVE-2016-0415 Enterprise Manager Base Platform HTTP UI Framework Yes 6.8 Network Medium None Partial Partial Partial 11.1.0.1, 12.1.0.4, 12.1.0.5  
CVE-2016-0442 Enterprise Manager Base Platform HTTP Loader Service No 6.5 Network Low Single Partial Partial Partial+ 12.1.0.4, 12.1.0.5  
CVE-2016-0489 Oracle Application Testing Suite HTTP Test Manager for Web Apps No 6.5 Network Low Single Partial Partial Partial 12.4.0.2, 12.5.0.2  
CVE-2015-1793 Enterprise Manager Base Platform HTTPS Discovery Framework Yes 6.4 Network Low None Partial Partial None 12.1.0.4, 12.1.0.5  
CVE-2015-1793 Enterprise Manager Ops Center HTTPS Networking Yes 6.4 Network Low None Partial Partial None Prior to 12.1.4, 12.2.0, 12.2.1, 12.3.0  
CVE-2016-0488 Oracle Application Testing Suite HTTP Load Testing for Web Apps Yes 6.4 Network Low None Partial Partial None 12.4.0.2, 12.5.0.2  
CVE-2016-0491 Oracle Application Testing Suite HTTP Load Testing for Web Apps Yes 6.4 Network Low None None Partial+ Partial 12.4.0.2, 12.5.0.2  
CVE-2016-0492 Oracle Application Testing Suite HTTP Load Testing for Web Apps Yes 6.4 Network Low None Partial Partial None 12.4.0.2, 12.5.0.2  
CVE-2016-0487 Oracle Application Testing Suite HTTP Test Manager for Web Apps Yes 6.4 Network Low None Partial Partial None 12.4.0.2, 12.5.0.2  
CVE-2016-0490 Oracle Application Testing Suite HTTP Test Manager for Web Apps Yes 6.4 Network Low None Partial Partial None 12.4.0.2, 12.5.0.2  
CVE-2016-0455 Enterprise Manager Base Platform None Agent Next Gen No 5.2 Local Low Single Complete None Partial 11.1.0.1, 11.2.0.4, 12.1.0.4, 12.1.0.5  
CVE-2015-0286 Enterprise Manager Ops Center HTTP Networking Yes 5.0 Network Low None None None Partial Prior to 12.1.4, 12.2.0, 12.2.1, 12.3.0  
CVE-2015-3153 Enterprise Manager Ops Center HTTP Networking Yes 5.0 Network Low None Partial None None Prior to 12.1.4, 12.2.0, 12.2.1, 12.3.0  
CVE-2014-3583 Enterprise Manager Ops Center HTTP Update Provisioning Yes 5.0 Network Low None None Partial None Prior to 12.1.4, 12.2.0, 12.2.1, 12.3.0  
CVE-2016-0476 Oracle Application Testing Suite HTTP Load Testing for Web Apps Yes 5.0 Network Low None Partial+ None None 12.4.0.2, 12.5.0.2  
CVE-2016-0477 Oracle Application Testing Suite HTTP Load Testing for Web Apps Yes 5.0 Network Low None Partial+ None None 12.4.0.2, 12.5.0.2  
CVE-2016-0478 Oracle Application Testing Suite HTTP Load Testing for Web Apps Yes 5.0 Network Low None Partial+ None None 12.4.0.2, 12.5.0.2  
CVE-2016-0480 Oracle Application Testing Suite HTTP Test Manager for Web Apps Yes 5.0 Network Low None Partial None None 12.4.0.2, 12.5.0.2  
CVE-2016-0481 Oracle Application Testing Suite HTTP Test Manager for Web Apps Yes 5.0 Network Low None Partial None None 12.4.0.2, 12.5.0.2  
CVE-2016-0482 Oracle Application Testing Suite HTTP Test Manager for Web Apps Yes 5.0 Network Low None Partial None None 12.4.0.2, 12.5.0.2  
CVE-2016-0484 Oracle Application Testing Suite HTTP Test Manager for Web Apps Yes 5.0 Network Low None Partial+ None None 12.4.0.2 , 12.5.0.2  
CVE-2016-0485 Oracle Application Testing Suite HTTP Test Manager for Web Apps Yes 5.0 Network Low None Partial None None 12.4.0.2, 12.5.0.2  
CVE-2016-0486 Oracle Application Testing Suite HTTP Test Manager for Web Apps Yes 5.0 Network Low None Partial+ None None 12.4.0.2, 12.5.0.2  
CVE-2016-0411 Enterprise Manager Base Platform None Agent Next Gen No 4.6 Local Low None Partial+ Partial+ Partial+ 11.1.0.1, 11.2.0.4  
CVE-2016-0445 Enterprise Manager Base Platform None Agent Next Gen No 4.6 Local Low None Partial+ Partial+ Partial+ 11.1.0.1, 11.2.0.4, 12.1.0.4, 12.1.0.5,  
CVE-2016-0447 Enterprise Manager Base Platform None Agent Next Gen No 4.6 Local Low None Partial Partial Partial 11.1.0.1, 11.2.0.4, 12.1.0.4, 12.1.0.5  
CVE-2016-0449 Enterprise Manager Base Platform None Agent Next Gen No 4.6 Local Low None Partial Partial Partial 11.1.0.1, 11.2.0.4, 12.1.0.4, 12.1.0.5  
CVE-2016-0444 Enterprise Manager Base Platform None Agent Next Gen No 4.4 Local Medium None Partial+ Partial Partial 11.1.0.1, 11.2.0.4, 12.1.0.4, 12.1.0.5  
CVE-2015-4885 Enterprise Manager Base Platform HTTP Agent Next Gen Yes 4.3 Network Medium None Partial None None 12.1.0.4  
CVE-2016-0443 Enterprise Manager Base Platform HTTP Agent Next Gen Yes 4.3 Network Medium None Partial+ None None 11.1.0.1, 12.1.0.4, 12.1.0.5  
CVE-2016-0427 Enterprise Manager Base Platform HTTP UI Framework No 4.0 Network Low Single Partial None None 11.1.0.1, 11.2.0.4, 12.1.0.4, 12.1.0.5  
CVE-2016-0446 Enterprise Manager Base Platform None Agent Next Gen No 2.1 Local Low None Partial+ None None 11.1.0.1, 11.2.0.4, 12.1.0.4, 12.1.0.5  
 

 

Additional CVEs addressed:

  1. CVE-2013-1741 fix also addresses CVE-2013-1739, CVE-2013-1740, CVE-2013-5605, CVE-2013-5606, CVE-2013-5855, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492.
  2. CVE-2014-3583 fix also addresses CVE-2013-5704, CVE-2014-3581, CVE-2014-8109.
  3. CVE-2015-0286 fix also addresses CVE-2015-0204, CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0285, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0290, CVE-2015-0291, CVE-2015-0292, CVE-2015-0293, CVE-2015-1787.

 

Appendix - Oracle Applications

 

 

Oracle E-Business Suite Executive Summary

 

This Critical Patch Update contains 78 new security fixes for the Oracle E-Business Suite.  69 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the January 2016 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (January 2016), My Oracle Support Note 2072202.1.

 

Oracle E-Business Suite Risk Matrix


CVE# Component Protocol Sub-
component		 Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication		 Confiden-
tiality		 Integrity Avail-
ability
CVE-2016-0576 Oracle Application Object Library HTTP ICX LOVs Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0589 Oracle Application Object Library HTTP Menu Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0581 Oracle Approvals Management HTTP AME Page rendering Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0514 Oracle CRM Technical Foundation HTTP BIS Common Components Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0515 Oracle CRM Technical Foundation HTTP BIS Common Components Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0550 Oracle CRM Technical Foundation HTTP CRM HTML Administration Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0563 Oracle CRM Technical Foundation HTTP Common Techstack Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2, 12.1.3  
CVE-2016-0532 Oracle CRM Technical Foundation HTTP Security Assignments Yes 6.4 Network Low None Partial Partial None 11.5.10.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0578 Oracle CRM Technology Foundation HTTP BIS Common Components Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0545 Oracle Customer Intelligence HTTP Data Issues Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0551 Oracle Customer Intelligence HTTP Data Issues Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0552 Oracle Customer Intelligence HTTP Data Issues Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0559 Oracle Customer Intelligence HTTP Data Issues Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0560 Oracle Customer Intelligence HTTP Data Issues Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0527 Oracle Customer Interaction History HTTP User GUI Yes 6.4 Network Low None Partial Partial None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0528 Oracle Customer Interaction History HTTP User GUI Yes 6.4 Network Low None Partial Partial None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0529 Oracle Customer Interaction History HTTP User GUI Yes 6.4 Network Low None Partial Partial None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0530 Oracle Customer Interaction History HTTP User GUI Yes 6.4 Network Low None Partial Partial None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0510 Oracle E-Business Intelligence HTTP Business Views Catalog Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0511 Oracle E-Business Intelligence HTTP Common Components Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0547 Oracle E-Business Intelligence HTTP Common Components Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0548 Oracle E-Business Intelligence HTTP Common Components Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0549 Oracle E-Business Intelligence HTTP Common Components Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0553 Oracle E-Business Intelligence HTTP Definition Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3  
CVE-2016-0517 Oracle Human Resources HTTP General utilities Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0518 Oracle Human Resources HTTP General utilities Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0537 Oracle Human Resources HTTP Person Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0512 Oracle Human Resources HTTP Self Service - Common Modules Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0554 Oracle Interaction Center Intelligence HTTP Business Intelligence Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3  
CVE-2016-0544 Oracle Marketing HTTP Architecture Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0543 Oracle Marketing HTTP Preview Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0516 Oracle Quality HTTP QA / Order Management Integration Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0524 Oracle Universal Work Queue HTTP Work Provider Administration Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2  
CVE-2016-0525 Oracle Universal Work Queue HTTP Work Provider Administration Yes 6.4 Network Low None Partial+ Partial+ None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3  
CVE-2016-0556 Oracle Advanced Collections HTTP Administration No 5.5 Network Low Single Partial+ Partial+ None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3  
CVE-2016-0557 Oracle Advanced Collections HTTP Administration No 5.5 Network Low Single Partial+ Partial+ None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3  
CVE-2016-0561 Oracle E-Business Intelligence HTTP Definition No 5.5 Network Low Single Partial+ Partial+ None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3  
CVE-2016-0564 Oracle E-Business Intelligence HTTP Overview Page/Report Rendering No 5.5 Network Low Single Partial+ Partial+ None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3  
CVE-2016-0523 Oracle Interaction Blending HTTP Blending Administration No 5.5 Network Low Single Partial+ Partial+ None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0456 Application Mgmt Pack for E-Business Suite HTTP REST Framework Yes 5.0 Network Low None Partial None None 12.1, 12.2  
CVE-2016-0457 Application Mgmt Pack for E-Business Suite HTTP REST Framework Yes 5.0 Network Low None Partial None None 12.1, 12.2  
CVE-2016-0585 Oracle Application Object Library HTTP ICX Error Yes 5.0 Network Low None None None Partial+ 11.5.10.2  
CVE-2016-0571 Oracle Balanced Scorecard HTTP Scorecard Security Yes 5.0 Network Low None Partial None None 11.5.10.2, 12.1  
CVE-2016-0526 Oracle CRM Technical Foundation HTTP Wireless Framework Yes 5.0 Network Low None None Partial None 11.5.10.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0567 Oracle E-Business Intelligence HTTP Embedded Data Warehouse Yes 5.0 Network Low None Partial None None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3  
CVE-2016-0569 Oracle E-Business Intelligence HTTP Overview Page/Report Rendering Yes 5.0 Network Low None Partial None None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3  
CVE-2016-0568 Oracle Email Center HTTP Server Components Yes 5.0 Network Low None Partial None None 12.1.1, 12.1.2, 12.1.3  
CVE-2016-0538 Oracle Financial Consolidation Hub HTTP Business Intelligence Yes 5.0 Network Low None Partial None None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3  
CVE-2016-0570 Oracle HCM Configuration Workbench HTTP Internal Operations Yes 5.0 Network Low None Partial None None 12.1.1, 12.1.2, 12.1.3  
CVE-2015-3195 Oracle HTTP Server HTTP Open SSL Yes 5.0 Network Low None None None Partial 11.5.10.2  
CVE-2016-0566 Oracle Marketing HTTP Deliverables Yes 5.0 Network Low None Partial None None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0565 Oracle Marketing HTTP Marketing Administration Yes 5.0 Network Low None None Partial None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3  
CVE-2016-0580 Oracle Report Manager HTTP Publishing Yes 5.0 Network Low None None None Partial+ 11.5.10.2  
CVE-2016-0539 Oracle Report Manager HTTP Report Display Yes 5.0 Network Low None Partial None None 11.5.10.2, 12.1.3, 12.2.3, 12.2.4  
CVE-2016-0520 Oracle Application Object Library HTTP Java APIs Yes 4.3 Network Medium None None Partial None 11.5.10.2  
CVE-2016-0586 Oracle Application Object Library HTTP iHelp Yes 4.3 Network Medium None None Partial None 11.5.10.2  
CVE-2016-0555 Oracle CADView-3D HTTP Studio Yes 4.3 Network Medium None None Partial None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3  
CVE-2016-0513 Oracle CRM Technical Foundation HTTP BIS Common Components Yes 4.3 Network Medium None None Partial None 11.5.10.2  
CVE-2016-0533 Oracle CRM Technical Foundation HTTP Messaging Yes 4.3 Network Medium None None Partial None 11.5.10.2, 12.1.3  
CVE-2016-0579 Oracle CRM Technology Foundation HTTP BIS Common Components Yes 4.3 Network Medium None None Partial None 11.5.10.2  
CVE-2016-0582 Oracle CRM Technology Foundation HTTP BIS Common Components Yes 4.3 Network Medium None None Partial None 11.5.10.2  
CVE-2016-0583 Oracle CRM Technology Foundation HTTP BIS Common Components Yes 4.3 Network Medium None None Partial None 11.5.10.2  
CVE-2016-0584 Oracle CRM Technology Foundation HTTP BIS Common Components Yes 4.3 Network Medium None None Partial None 11.5.10.2  
CVE-2016-0542 Oracle Field Service HTTP Field Service Map Yes 4.3 Network Medium None None Partial None 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0588 Oracle General Ledger HTTP Consolidation Hierarchy Viewer Yes 4.3 Network Medium None None Partial None 11.5.10.2  
CVE-2016-0509 Oracle Internet Expenses HTTP AP Web Utilities Yes 4.3 Network Medium None None Partial None 11.5.10.2  
CVE-2016-0575 Oracle Learning Management HTTP OTA Self Service Yes 4.3 Network Medium None None Partial None 11.5.10.2  
CVE-2016-0534 Oracle Project Contracts HTTP Printing Yes 4.3 Network Medium None None Partial None 12.1.1, 12.1.2, 12.1.3  
CVE-2016-0558 Oracle Service Contracts HTTP Renewals Yes 4.3 Network Medium None None Partial None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3  
CVE-2016-0536 Oracle Universal Work Queue HTTP Error Messages Yes 4.3 Network Medium None None Partial None 11.5.10.2  
CVE-2016-0521 Oracle iProcurement HTTP Redirection Yes 4.3 Network Medium None None Partial None 11.5.10.2  
CVE-2016-0507 Oracle iReceivables HTTP AR Web Utilities Yes 4.3 Network Medium None None Partial None 11.5.10.2  
CVE-2016-0519 Oracle iReceivables HTTP AR Web Utilities Yes 4.3 Network Medium None None Partial None 11.5.10.2  
CVE-2016-0459 Oracle Applications Framework HTTP Popup Windows No 4.0 Network Low Single None Partial None 11.5.10.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5  
CVE-2016-0531 Oracle Applications Manager HTTP Oracle Diagnostics Interfaces No 4.0 Network Low Single None Partial None 12.1.3  
CVE-2016-0562 Oracle Common Applications HTTP CRM User Management Framework No 4.0 Network Low Single None Partial None 11.5.10.2, 12.1.1, 12.1.2, 12.1.3  
CVE-2015-4926 Oracle Applications Framework HTTP UIX Yes 2.6 Network High None None Partial None 11.5.10.2, 12.1, 12.2  
CVE-2016-0454 Oracle Mobile Application Servlet None MWA Server Manager No 2.1 Local Low None Partial None None 12.1, 12.2  
 

 

Additional CVEs addressed:

  1. CVE-2015-3195 fix also addresses CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792.


 

Oracle Supply Chain Products Suite Executive Summary

 

This Critical Patch Update contains 5 new security fixes for the Oracle Supply Chain Products Suite.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.

 

Oracle Supply Chain Products Suite Risk Matrix


CVE# Component Protocol Sub-
component		 Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication		 Confiden-
tiality		 Integrity Avail-
ability
CVE-2016-0540 Oracle Configurator HTTP UI Servlet Yes 5.0 Network Low None Partial None None 11.5.10.2, 12.1, 12.2  
CVE-2016-0541 Oracle Configurator HTTP UI Servlet Yes 5.0 Network Low None Partial None None 11.5.10.2, 12.1, 12.2  
CVE-2016-0497 Oracle Agile Engineering Data Management HTTP Web Client Yes 4.3 Network Medium None None Partial None 6.1.2.2, 6.1.3.0, 6.2.0.0  
CVE-2015-4924 Oracle Agile PLM HTTP Security No 3.5 Network Medium Single None Partial None 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3  
CVE-2016-0498 Oracle Agile Engineering Data Management None Install No 1.5 Local Medium Single Partial+ None None 6.1.2.2, 6.1.3.0, 6.2.0.0  
 

 



 

Oracle PeopleSoft Products Executive Summary

 

This Critical Patch Update contains 11 new security fixes for Oracle PeopleSoft Products.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.

 

Oracle PeopleSoft Products Risk Matrix


CVE# Component Protocol Sub-
component		 Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication		 Confiden-
tiality		 Integrity Avail-
ability
CVE-2016-0591 PeopleSoft Enterprise SCM Purchasing HTTP Supplier Change No 5.5 Network Low Single Partial Partial None 9.1, 9.2  
CVE-2016-0460 PeopleSoft Enterprise PeopleTools HTTP Fluid Homepage and NavBar Yes 5.0 Network Low None None Partial None 8.55  
CVE-2016-0471 PeopleSoft Enterprise PeopleTools HTTP Multichannel Framework Yes 4.3 Network Medium None Partial None None 8.53, 8.54  
CVE-2016-0463 PeopleSoft Enterprise PeopleTools HTTP Portal Yes 4.3 Network Medium None Partial None None 8.53, 8.54, 8.55  
CVE-2016-0590 PeopleSoft Enterprise SCM Order Management HTTP Security Yes 4.3 Network Medium None None Partial None 9.1, 9.2  
CVE-2016-0409 PeopleSoft Enterprise HCM Global Payroll Switzerland HTTP Security No 4.0 Network Low Single Partial None None 9.1, 9.2  
CVE-2016-0587 PeopleSoft Enterprise PeopleTools HTTP File Processing No 4.0 Network Low Single Partial None None 8.53, 8.54, 8.55  
CVE-2016-0462 PeopleSoft Enterprise PeopleTools HTTP Multichannel Framework No 4.0 Network Low Single Partial None None 8.53, 8.54  
CVE-2016-0473 PeopleSoft Enterprise PeopleTools HTTP Fluid Core No 3.5 Network Medium Single None Partial None 8.54, 8.55  
CVE-2016-0474 PeopleSoft Enterprise PeopleTools HTTP PIA Core Technology No 3.5 Network Medium Single None Partial None 8.54, 8.55  
CVE-2016-0412 PeopleSoft Enterprise SCM eProcurement HTTP Manage Requisition Status No 3.5 Network Medium Single None Partial None 9.1, 9.2  
 

 



 

Oracle JD Edwards Products Executive Summary

 

This Critical Patch Update contains 7 new security fixes for Oracle JD Edwards Products.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.

 

Oracle JD Edwards Products Risk Matrix


CVE# Component Protocol Sub-
component		 Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication		 Confiden-
tiality		 Integrity Avail-
ability
CVE-2016-0420 JD Edwards EnterpriseOne Tools HTTP Monitoring and Diagnostics Yes 7.8 Network Low None None None Complete 9.1, 9.2  
CVE-2016-0423 JD Edwards EnterpriseOne Tools HTTP Enterprise Infrastructure SEC Yes 7.3 Network High None Complete Complete Partial+ 9.1, 9.2  
CVE-2016-0422 JD Edwards EnterpriseOne Tools HTTP Enterprise Infrastructure SEC Yes 7.1 Network Medium None None None Complete 9.1, 9.2  
CVE-2016-0424 JD Edwards EnterpriseOne Tools HTTP Enterprise Infrastructure SEC Yes 7.1 Network Medium None None None Complete 9.1, 9.2  
CVE-2015-4919 JD Edwards EnterpriseOne Tools HTTP Monitoring and Diagnostics SEC Yes 6.8 Network Medium None Partial+ Partial+ Partial+ 9.1, 9.2  
CVE-2016-0425 JD Edwards EnterpriseOne Tools HTTP Monitoring and Diagnostics No 6.0 Network Medium Single Partial+ Partial+ Partial+ 9.1, 9.2  
CVE-2016-0421 JD Edwards EnterpriseOne Tools HTTP Monitoring and Diagnostics SEC Yes 5.0 Network Low None None None Partial+ 9.1, 9.2  
 

 



 

Oracle iLearning Executive Summary

 

This Critical Patch Update contains 1 new security fix for Oracle iLearning.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.

 

Oracle iLearning Risk Matrix


CVE# Component Protocol Sub-
component		 Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication		 Confiden-
tiality		 Integrity Avail-
ability
CVE-2016-0508 Oracle iLearning HTTP Learner Administration Yes 4.3 Network Medium None None Partial None 6.0, 6.1  
 

 


 

Appendix - Oracle Industry Applications

 

 

Oracle Communications Applications Executive Summary

 

This Critical Patch Update contains 5 new security fixes for Oracle Communications Applications.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.

 

Oracle Communications Applications Risk Matrix


CVE# Component Protocol Sub-
component		 Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication		 Confiden-
tiality		 Integrity Avail-
ability
CVE-2015-0235 Oracle Communications EAGLE LNP Application Processor Multiple Glibc No 6.0 Network Medium Single Partial Partial Partial 10.0  
CVE-2014-0050 Oracle Communications Converged Application Server - Service Controller HTTP Apache Commons FileUpLoad No 5.8 Adjacent Network Low None Partial Partial Partial 6.1  
CVE-2014-0050 Oracle Communications Online Mediation Controller HTTP Apache Commons FileUpLoad No 5.8 Adjacent Network Low None Partial Partial Partial 6.1  
CVE-2014-0050 Oracle Communications Service Broker HTTP Apache Commons FileUpLoad No 5.8 Adjacent Network Low None Partial Partial Partial 6.0, 6.1  
CVE-2014-0050 Oracle Communications Service Broker Engineered System Edition HTTP Apache Commons FileUpLoad No 5.5 Network Low Single Partial Partial None 6.0  
 

 

Additional CVEs addressed:

  1. CVE-2014-0050 fix also addresses CVE-2013-2186.


 

Oracle Retail Applications Executive Summary

 

This Critical Patch Update contains 9 new security fixes for Oracle Retail Applications.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.

 

Oracle Retail Applications Risk Matrix


CVE# Component Protocol Sub-
component		 Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication		 Confiden-
tiality		 Integrity Avail-
ability
CVE-2016-0522 Oracle Retail Open Commerce Platform Cloud Service HTTP Framework Yes 7.5 Network Low None Partial+ Partial+ Partial+ 3.5, 4.5, 4.7, 5.0  
CVE-2016-0500 Oracle Retail Order Broker Cloud Service HTTP System Administration Yes 7.5 Network Low None Partial+ Partial+ Partial+ 4.0, 4.1.  
CVE-2016-0496 MICROS CWDirect HTTP Order Entry Yes 4.3 Network Medium None Partial None None 12.5, 13.0, 14.0, 15.0, 16.0, 17.0 18.0  
CVE-2016-0506 Oracle Retail Order Management System Cloud Service HTTP Order Entry Yes 4.3 Network Medium None Partial None None 3.5, 4.5, 4.7, 5.0, 15.0  
CVE-2016-0435 Oracle Retail Point-of-Service None Mobile POS No 3.3 Local Medium None Partial+ Partial+ None 13.4, 14.0, 14.1  
CVE-2016-0434 Oracle Retail Point-of-Service None Mobile POS No 1.9 Local Medium None Partial None None 13.4, 14.0, 14.1  
CVE-2016-0436 Oracle Retail Point-of-Service None Mobile POS No 1.9 Local Medium None Partial None None 13.4, 14.0, 14.1  
CVE-2016-0437 Oracle Retail Point-of-Service None Mobile POS No 1.9 Local Medium None Partial None None 13.4, 14.0, 14.1  
CVE-2016-0438 Oracle Retail Point-of-Service None Mobile POS No 1.9 Local Medium None Partial None None 13.4, 14.0, 14.1  
 

 


 

Appendix - Oracle Java SE

 

 

Oracle Java SE Executive Summary

 

This Critical Patch Update contains 8 new security fixes for Oracle Java SE.  7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.


The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.


Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.

 

Oracle Java SE Risk Matrix


CVE# Component Protocol Sub-
component		 Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication		 Confiden-
tiality		 Integrity Avail-
ability
CVE-2016-0494 Java SE, Java SE Embedded Multiple 2D Yes 10.0 Network Low None Complete Complete Complete Java SE: 6u105, 7u91, 8u66; Java SE Embedded: 8u65 See Note 1
CVE-2015-8126 Java SE, Java SE Embedded Multiple AWT Yes 10.0 Network Low None Complete Complete Complete Java SE: 6u105, 7u91, 8u66; Java SE Embedded: 8u65 See Note 1
CVE-2016-0483 Java SE, Java SE Embedded, JRockit Multiple AWT Yes 10.0 Network Low None Complete Complete Complete Java SE: 6u105, 7u91, 8u66; Java SE Embedded: 8u65; JRockit: R28.3.8 See Note 2
CVE-2016-0475 Java SE, Java SE Embedded, JRockit Multiple Libraries Yes 5.8 Network Medium None Partial Partial None Java SE: 8u66; Java SE Embedded: 8u65; JRockit: R28.3.8 See Note 2
CVE-2016-0402 Java SE, Java SE Embedded Multiple Networking Yes 5.0 Network Low None None Partial None Java SE: 6u105, 7u91, 8u66; Java SE Embedded: 8u65 See Note 1
CVE-2016-0466 Java SE, Java SE Embedded, JRockit Multiple JAXP Yes 5.0 Network Low None None None Partial Java SE: 6u105, 7u91, 8u66; Java SE Embedded: 8u65; JRockit: R28.3.8 See Note 2
CVE-2016-0448 Java SE, Java SE Embedded Multiple JMX No 4.0 Network Low Single Partial None None Java SE: 6u105, 7u91, 8u66; Java SE Embedded: 8u65 See Note 1
CVE-2015-7575 Java SE, Java SE Embedded, JRockit Multiple Security Yes 4.0 Network High None Partial Partial None Java SE: 6u105, 7u91, 8u66; Java SE Embedded: 8u65; JRockit: R28.3.8 See Note 2
 

 

Notes:

  1. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
  2. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Additional CVEs addressed:

  1. CVE-2015-8126 fix also addresses CVE-2015-8472.

 

Appendix - Oracle Sun Systems Products Suite

 

 

Oracle Sun Systems Products Suite Executive Summary

 

This Critical Patch Update contains 23 new security fixes for the Oracle Sun Systems Products Suite.  7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.

 

Oracle Sun Systems Products Suite Risk Matrix


CVE# Component Protocol Sub-
component		 Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication		 Confiden-
tiality		 Integrity Avail-
ability
CVE-2016-0440 Solaris NFS NFSv4 Yes 7.8 Network Low None None None Complete 11  
CVE-2016-0403 Solaris SMB SMB Utilities Yes 7.8 Network Low None None None Complete 11 See Note 1
CVE-2016-0414 Solaris None Solaris Kernel Zones No 7.2 Local Low None Complete Complete Complete 11 See Note 1
CVE-2015-8370 Solaris None Grub2 No 6.9 Local Medium None Complete Complete Complete 11  
CVE-2015-1793 Oracle Switch ES1-24 SSL/TLS Firmware Yes 6.4 Network Low None Partial Partial None Versions prior to 1.3.1.13  
CVE-2015-1793 Sun Blade 6000 Ethernet Switched NEM 24P 10GE SSL/TLS Firmware Yes 6.4 Network Low None Partial Partial None Versions prior to 1.2.2.13  
CVE-2015-1793 Sun Network 10GE Switch 72p SSL/TLS Firmware Yes 6.4 Network Low None Partial Partial None Versions prior to 1.2.2.15  
CVE-2016-0418 Solaris None Solaris Kernel Zones No 6.1 Local Low None Partial Partial Complete 11 See Note 1
CVE-2016-0416 Solaris Multiple System Archive Utility Yes 5.0 Network Low None None Partial None 11 See Note 1
CVE-2016-0419 Solaris None Solaris Kernel Zones No 4.9 Local Low None None None Complete 11 See Note 1
CVE-2016-0428 Solaris None Verified Boot No 4.9 Local Low None None None Complete 11 See Note 1
CVE-2016-0465 Solaris Cluster None Resource Group Manager No 4.9 Local Low None None None Complete 3.3, 4  
CVE-2016-0417 Solaris Cluster None HA for MySQL No 4.6 Local Low None Partial Partial Partial 3.3, 4.2  
CVE-2016-0535 Solaris RPC RPC Yes 4.3 Network Medium None None None Partial 10, 11  
CVE-2016-0458 Solaris None Kernel DAX No 4.0 Local High None None None Complete 11  
CVE-2016-0426 Solaris None Solaris Kernel Zones No 3.6 Local Low None Partial None Partial 11 See Note 1
CVE-2016-0493 Solaris None Kernel Cryptography No 3.3 Local Medium None None Partial Partial 11  
CVE-2016-0406 Solaris None Libc Library No 3.3 Local Medium None None Partial Partial 11  
CVE-2015-4922 Solaris None Boot No 2.1 Local Low None None None Partial 11 See Note 1
CVE-2015-4920 Solaris None NDMP Backup Service No 2.1 Local Low None None Partial None 11 See Note 1
CVE-2016-0405 Solaris Cluster None Cluster Manageability and Serviceability No 1.7 Local Low Single Partial None None 3.3, 4  
CVE-2016-0618 Solaris None Zones No 1.4 Local Low Multiple Partial None None 11  
CVE-2016-0431 Solaris None Solaris Kernel Zones No 1.2 Local High None None None Partial 11 See Note 1
 

 

Notes:

  1. Unsupported Solaris 11.x versions should be upgraded to a supported release or patch set. Refer to the Critical Patch Update January 2015 Patch Availability Document for Oracle Sun Systems Products Suite.

 

Appendix - Oracle Linux and Virtualization

 

 

Oracle Virtualization Executive Summary

 

This Critical Patch Update contains 9 new security fixes for Oracle Virtualization.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.

 

Oracle Virtualization Risk Matrix


CVE# Component Protocol Sub-
component		 Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication		 Confiden-
tiality		 Integrity Avail-
ability
CVE-2015-7183 Oracle VM VirtualBox SSL/TLS Core Yes 7.5 Network Low None Partial Partial Partial VirtualBox prior to 4.0.36, prior to 4.1.44, prior to 4.2.36, prior to 4.3.34, prior to 5.0.10  
CVE-2016-0602 Oracle VM VirtualBox None Windows Installer No 6.2 Local High None Complete Complete Complete VirtualBox prior to 5.0.14  
CVE-2015-3183 Oracle Secure Global Desktop HTTP Apache HTTP Server Yes 5.0 Network Low None None Partial None 4.63, 4.71, 5.2  
CVE-2016-0501 Oracle Secure Global Desktop WebSocket SGD Core Yes 5.0 Network Low None None None Partial+ 5.2  
CVE-2015-5307 Oracle VM VirtualBox None Core No 4.9 Local Low None None None Complete VirtualBox prior to 4.0.36, prior to 4.1.44, prior to 4.2.36, prior to 4.3.34, prior to 5.0.10  
CVE-2015-8104 Oracle VM VirtualBox None Core No 4.7 Local Medium None None None Complete VirtualBox prior to 4.0.36, prior to 4.1.44, prior to 4.2.36, prior to 4.3.34, prior to 5.0.10  
CVE-2015-4000 Oracle Secure Global Desktop SSL/TLS OpenSSL Yes 4.3 Network Medium None None Partial None 4.63, 4.71, 5.2  
CVE-2016-0495 Oracle VM VirtualBox Multiple Core Yes 4.3 Network Medium None None None Partial+ VirtualBox prior to 4.3.36, prior to 5.0.14  
CVE-2016-0592 Oracle VM VirtualBox None Core No 2.1 Local Low None None None Partial VirtualBox prior to 4.3.36, prior to 5.0.14  
 

 

Additional CVEs addressed:

  1. CVE-2015-4000 fix also addresses CVE-2015-1788, CVE-2015-1791.

 

Appendix - Oracle MySQL

 

 

Oracle MySQL Executive Summary

 

This Critical Patch Update contains 22 new security fixes for Oracle MySQL.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.

 

Oracle MySQL Risk Matrix


CVE# Component Protocol Sub-
component		 Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication		 Confiden-
tiality		 Integrity Avail-
ability
CVE-2016-0546 MySQL Server None Client No 7.2 Local Low None Complete Complete Complete 5.5.46 and earlier, 5.6.27 and earlier, 5.7.9 See Note 1
CVE-2016-0504 MySQL Server MySQL Protocol Server: DML No 6.8 Network Low Single None None Complete 5.6.27 and earlier, 5.7.9  
CVE-2016-0505 MySQL Server MySQL Protocol Server: Options No 6.8 Network Low Single None None Complete 5.5.46 and earlier, 5.6.27 and earlier, 5.7.9  
CVE-2016-0594 MySQL Server MySQL Protocol Server: DML No 4.0 Network Low Single None None Partial+ 5.6.21 and earlier  
CVE-2016-0595 MySQL Server MySQL Protocol Server: DML No 4.0 Network Low Single None None Partial+ 5.6.27 and earlier  
CVE-2016-0503 MySQL Server MySQL Protocol Server: DML No 4.0 Network Low Single None None Partial+ 5.6.27 and earlier, 5.7.9  
CVE-2016-0596 MySQL Server MySQL Protocol Server: DML No 4.0 Network Low Single None None Partial+ 5.5.46 and earlier, 5.6.27 and earlier  
CVE-2016-0502 MySQL Server MySQL Protocol Server: Optimizer No 4.0 Network Low Single None None Partial+ 5.5.31 and earlier, 5.6.11 and earlier  
CVE-2016-0597 MySQL Server MySQL Protocol Server: Optimizer No 4.0 Network Low Single None None Partial+ 5.5.46 and earlier, 5.6.27 and earlier, 5.7.9  
CVE-2016-0611 MySQL Server MySQL Protocol Server: Optimizer No 4.0 Network Low Single None None Partial+ 5.6.27 and earlier, 5.7.9  
CVE-2016-0616 MySQL Server MySQL Protocol Server: Optimizer No 4.0 Network Low Single None None Partial+ 5.5.46 and earlier  
CVE-2016-0598 MySQL Server MySQL Protocol Server: DML No 3.5 Network Medium Single None None Partial+ 5.5.46 and earlier, 5.6.27 and earlier, 5.7.9  
CVE-2016-0600 MySQL Server MySQL Protocol Server: InnoDB No 3.5 Network Medium Single None None Partial 5.5.46 and earlier, 5.6.27 and earlier, 5.7.9  
CVE-2016-0610 MySQL Server MySQL Protocol Server: InnoDB No 3.5 Network Medium Single None None Partial+ 5.6.27 and earlier  
CVE-2016-0599 MySQL Server MySQL Protocol Server: Optimizer No 3.5 Network Medium Single None None Partial+ 5.7.9  
CVE-2016-0601 MySQL Server MySQL Protocol Server: Partition No 3.5 Network Medium Single None None Partial+ 5.7.9  
CVE-2016-0606 MySQL Server MySQL Protocol Server: Security: Encryption No 3.5 Network Medium Single None Partial None 5.5.46 and earlier, 5.6.27 and earlier, 5.7.9  
CVE-2016-0608 MySQL Server MySQL Protocol Server: UDF No 3.5 Network Medium Single None None Partial+ 5.5.46 and earlier, 5.6.27 and earlier, 5.7.9  
CVE-2016-0607 MySQL Server MySQL Protocol Server: Replication No 2.8 Network Medium Multiple None None Partial+ 5.6.27 and earlier, 5.7.9  
CVE-2015-7744 MySQL Server MySQL Protocol Server: Security: Encryption Yes 2.6 Network High None Partial None None 5.5.45 and earlier, 5.6.26 and earlier  
CVE-2016-0605 MySQL Server MySQL Protocol Server: General No 2.1 Network High Single None None Partial+ 5.6.26 and earlier  
CVE-2016-0609 MySQL Server MySQL Protocol Server: Security: Privileges No 1.7 Network High Multiple None None Partial+ 5.5.46 and earlier, 5.6.27 and earlier, 5.7.9  
 

 

Notes:

  1. The CVSS score is 7.2 if MySQL client is run with admin or root privileges. Otherwise, CVSS score is 4.6 (Confidentiality, Integrity and Availability is Partial+).