Headline
CVE-2014-4288: Oracle Critical Patch Update - October 2014
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.
Click to view our Accessibility Policy
Skip to content
Security Alerts
Oracle Critical Patch Update Advisory - October 2014****Description
A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:
Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.
Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.
Oracle acknowledges Dana Taylor of netinfiltration.com for bringing to Oracle’s attention a number of sites that were vulnerable to disclosure of sensitive information because Oracle CPU fixes were not applied to those sites for more than a year.
This Critical Patch Update contains 154 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.
Please note that on September 26, 2014, Oracle released a Security Alert for CVE-2014-7169 “Bash” and other publicly disclosed vulnerabilities affecting GNU Bash. Customers of affected Oracle products are strongly advised to apply the fixes that were announced in the Security Alert for CVE-2014-7169.
This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available at: http://www.oracle.com/security-alerts/cpufaq.html#CVRF.
Affected Products and Components
Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.
The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:
Affected Products and Versions
Patch Availability
Oracle Database 11_g_ Release 1, version 11.1.0.7
Database
Oracle Database 11_g_ Release 2, versions 11.2.0.3, 11.2.0.4
Database
Oracle Database 12_c_ Release 1, versions 12.1.0.1, 12.1.0.2
Database
Oracle Application Express, versions prior to 4.2.6
Database
Oracle Fusion Middleware 11_g_ Release 1, versions 11.1.1.5, 11.1.1.7
Fusion Middleware
Oracle Fusion Middleware 11_g_ Release 2, versions 11.1.2.1, 11.1.2.2, 11.1.2.4
Fusion Middleware
Oracle Fusion Middleware 12_c_, versions 12.1.1.0, 12.1.2.0, 12.1.3.0
Fusion Middleware
Oracle Fusion Applications, versions 11.1.2 through 11.1.8
Fusion Applications
Oracle Access Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
Fusion Middleware
Oracle Adaptive Access Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
Fusion Middleware
Oracle Endeca Information Discovery Studio versions 2.2.2, 2.3, 2.4, 3.0, 3.1
Fusion Middleware
Oracle Enterprise Data Quality versions 8.1.2, 9.0.11
Fusion Middleware
Oracle Identity Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
Fusion Middleware
Oracle JDeveloper, versions 10.1.3.5, 11.1.1.7, 11.1.2.4, 12.1.2.0, 12.1.3.0
Fusion Middleware
Oracle OpenSSO version 3.0-04
Fusion Middleware
Oracle WebLogic Server, versions 10.0.2, 10.3.6, 12.1.1, 12.1.2, 12.1.3
Fusion Middleware
Application Performance Management, versions prior to 12.1.0.6.2
Enterprise Manager
Enterprise Manager for Oracle Database Releases 10_g_, 11_g_, 12_c_
Enterprise Manager
Oracle E-Business Suite Release 11_i_ version 11.5.10.2
E-Business Suite
Oracle E-Business Suite Release 12 versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, 12.2.4
E-Business Suite
Oracle Agile PLM, versions 9.3.1.2, 9.3.3
Oracle Supply Chain
Oracle Transportation Management, versions 6.1, 6.2, 6.3.0 through 6.3.5
Oracle Supply Chain
Oracle PeopleSoft Enterprise HRMS, version 9.2
PeopleSoft
Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53, 8.54
PeopleSoft
Oracle JD Edwards EnterpriseOne Tools, version 8.98
JD Edwards
Oracle Communications MetaSolv Solution, versions MetaSolv Solution: 6.2.1.0.0, LSR: 9.4.0, 10.1.0, ASR: 49.0.0
Communications
Oracle Communications Session Border Controller, version SCX640m5
Communications
Oracle Retail Allocation, versions 10.0, 11.0, 12.0, 13.0, 13.1, 13.2
Retail
Oracle Retail Clearance Optimization Engine, versions 13.3, 13.4, 14.0
Retail
Oracle Retail Invoice Matching, versions 11.0, 12.0, 12.0 IN, 12.1, 13.0, 13.1, 13.2, 14.0
Retail
Oracle Retail Markdown Optimization, versions 12.0, 13.0, 13.1, 13.2, 13.4
Retail
Oracle Health Sciences Empirica Inspections, versions 1.0.1.0 and prior
Health Sciences
Oracle Health Sciences Empirica Signal, versions 7.3.3.3 and prior
Health Sciences
Oracle Health Sciences Empirica Study, versions 3.1.2.0 and prior
Health Sciences
Oracle Primavera Contract Management, versions 13.1, 14.0
Primavera
Oracle Primavera P6 Enterprise Project Portfolio Management, versions 7.0, 8.0, 8.1, 8.2, 8.3
Primavera
Oracle JavaFX, version 2.2.65
Oracle Java SE
Oracle Java SE, versions 5.0u71, 6u81, 7u67, 8u20
Oracle Java SE
Oracle Java SE Embedded, version 7u60
Oracle Java SE
Oracle JRockit, versions R27.8.3, R28.3.3
Oracle Java SE
Oracle Fujitsu server, versions M10-1, M10-4, M10-4S
Oracle and Sun Systems Products Suite
Oracle Solaris, versions 10, 11
Oracle and Sun Systems Products Suite
Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1
Oracle Linux and Virtualization
Oracle VM VirtualBox, versions prior to 4.1.34, 4.2.26, 4.3.14
Oracle Linux and Virtualization
Oracle MySQL Server, versions 5.5.39 and earlier, 5.6.20 and earlier
Oracle MySQL Product Suite
Patch Availability Table and Risk Matrices****Patch Availability Table
For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update October 2014 Documentation Map, My Oracle Support Note 1907791.1.
Product Group
Risk Matrix
Patch Availability and Installation Information
Oracle Database
Oracle Database Risk Matrix
Patch Set Update and Critical Patch Update October 2014 Availability Document, My Oracle Support Note 1912224.1
Oracle Fusion Middleware
Oracle Fusion Middleware Risk Matrix
Patch Set Update and Critical Patch Update October 2014 Availability Document, My Oracle Support Note 1912224.1
Oracle Fusion Applications
Oracle Database Risk Matrix and Oracle Fusion Middleware Risk Matrix
Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document (October 2014) My Oracle Support Note 1933784.1 for information on patches to be applied to Fusion Application environments.
Oracle Enterprise Manager
Oracle Enterprise Manage Risk Matrix
Patch Set Update and Critical Patch Update October 2014 Availability Document, My Oracle Support Note 1912224.1
Oracle Applications - E-Business Suite
Oracle E-Business Suite Risk Matrix
Patch Set Update and Critical Patch Update October 2014 Availability Document, My Oracle Support Note 1923805.1
Oracle Applications - PeopleSoft Enterprise, Oracle Supply Chain and JD Edwards Product Suite
Oracle PeopleSoft Enterprise Risk Matrix
Oracle Supply Chain Risk Matrix
Oracle JD Edwards Risk Matrix
Critical Patch Update Knowledge Document for PeopleSoft Enterprise, Oracle Supply Chain and JD Edwards Product SuiteMy Oracle Support Note 1933711.1
Oracle Communications Industry Suite
Oracle Communications Applications Risk Matrix
Patch Set Update and Critical Patch Update October 2014 Availability Document, My Oracle Support Note 1929597.1
Oracle Retail Industry Suite
Oracle Retail Applications Risk Matrix
Patch Set Update and Critical Patch Update October 2014 Availability Document, My Oracle Support Note 1929149.1
Oracle Health Sciences Industry Suite
Oracle Health Sciences Applications Risk Matrix
Patch Set Update and Critical Patch Update October 2014 Availability Document, My Oracle Support Note 1930332.1
Oracle Primavera Products Suite
Oracle Primavera Products Suite Risk Matrix
Patch Set Update and Critical Patch Update October 2014 Availability Document, My Oracle Support Note 1932448.1
Oracle Java SE
Oracle SE Risk Matrix
- Critical Patch Update October 2014 Patch Availability Document for Java SE, My Oracle Support Note 1931846.1
- Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
- The latest JavaFX release is included with the latest update of JDK and JRE 7 and 8.
Oracle and Sun Systems Products Suite
Oracle and Sun Systems Products Suite Risk Matrix
Critical Patch Update October 2014 Patch Delivery Document for Oracle and Sun Systems Product Suite, My Oracle Support Note 1931712.1
Oracle Linux and Virtualization Products
Oracle Linux and Virtualization Products Risk Matrix
Patch Set Update and Critical Patch Update October 2014 Availability Document, My Oracle Support Note 1931903.1
Oracle MySQL
Oracle MySQL Risk Matrix
Critical Patch Update October 2014 Patch Availability Document for Oracle MySQL Products, My Oracle Support Note 1926629.1
Risk Matrix Content
Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is available here.
Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. Italics indicate vulnerabilities in code included from other product areas.
Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected.The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.
Workarounds
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
Skipped Critical Patch Updates
Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.
Product Dependencies
Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update October 2014 Availability Document, My Oracle Support Note 1912224.1.
Critical Patch Update Supported Products and Versions
Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
Products in Extended Support
Patches released through the Critical Patch Update program are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.
Credit Statement
The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: 0ang3el; Adam Gowdiak of Security Explorations; Adam Willard of Foreground Security; Alberto Garcia Illera of Salesforce.com; Alexey Tyurin of ERPScan; Dhanesh K.; Florian Weimer of Red Hat; Gleb Cherbov of ERPScan; Ilja van Sprundel of ioactive.com; Ivan Chalykin of ERPScan; Jakub Palaczynski; Khai Tran of Netspi; Laszlo Toth; Lupin LanYuShi; Meder Kydyraliev of Google; Nikita Kelesis of ERPScan; Recx; Richard Dalton; Sergey Gorbaty of Salesforce.com; Sloane Bernstein of cPanel; Stefan Nordhausen; Wolfgang Ettlinger of SEC Consult Vulnerability Lab; Yash Kadakia of Security Brigade; Yuki Chen of Qihoo working with HP’s Zero Day Initiative; and Zubin Mithra.
Security-In-Depth Contributors
Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.
In this Critical Patch Update Advisory, Oracle recognizes Danny Tsechansky of McAfee Security Research; G. Geshev from MWR Labs; and Tudor Enache of Help AG for contributions to Oracle’s Security-In-Depth program.
On-Line Presence Security Contributors
Oracle provides recognition to people that have contributed to our On-Line Presence Security program (see FAQ). People are recognized for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.
For this quarter, Oracle recognizes 1NC0GN1T0; Abdul Wasay; Adam Willard of Foreground Security; Ayoub Fathi; Barry Cogan of CAaNES; Ben Khlifa Fahmi; Benjamin Kunz Mejri of Evolution Security; Bikash Dash; Hardik Tailor; Ismail Belkacim; Jay Jani; Jitendra Jaiswal; Justine Edic; Koutrouss Naddara; Lalit Kumar; Mohammad Yaseen Khan; Mohammed Fayez Albanna; Nicholas Lemonias of Advanced Information Security Corporation; Parth Malhotra; Ranjan Kathuria; Sahil Dhar; and Satheesh Raj for contributions to Oracle’s On-Line Presence Security program.
Critical Patch Update Schedule
Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 20 January 2015
- 14 April 2015
- 14 July 2015
- 20 October 2015
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Critical Patch Update - October 2014 Documentation Map [ My Oracle Support Note 1907791.1 ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
- English text version of the risk matrices [ Oracle Technology Network ]
- CVRF XML version of the risk matrices [ Oracle Technology Network ]
- The Oracle Software Security Assurance Blog [ The Oracle Software Security Assurance Blog ]
- List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
- Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]
Modification History
2014-November-21
Rev 5. Corrected that CVE-2014-2478 does not affect client-only installations
2014-November-06
Rev 4. Corrected CVE-2014-4301 to CVE-2014-6477
2014-November-03
Rev 3. Updated the note for CVE-2014-6468
2014-October-20
Rev 2. Removed 12.1.0.2 from the affected versions list for CVE-2014-6544 and CVE-2014-4289
2014-October-14
Rev 1. Initial Release
Appendix - Oracle Database Server****Oracle Database Server Executive Summary
This Critical Patch Update contains 31 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 3 of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
Java VM and SQLJ are components of the database that are installed by default. JPublisher is not installed by default; however, there are server-side components of JPublisher that are installed in the database by default.
Oracle Database Server Risk Matrix
CVE#
Component
Protocol
Package and/or Privilege Required
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability
CVE-2014-6546
JPublisher
Oracle Net
Create Session
No
9.0
Network
Low
Single
Complete
Complete
Complete
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
See Note 1
CVE-2014-6467
Java VM
Oracle Net
Create Session
No
9.0
Network
Low
Single
Complete
Complete
Complete
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
See Note 1
CVE-2014-6545
Java VM
Oracle Net
Create Session
No
9.0
Network
Low
Single
Complete
Complete
Complete
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
See Note 1
CVE-2014-6453
Java VM
Oracle Net
Create Session
No
9.0
Network
Low
Single
Complete
Complete
Complete
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
See Note 1
CVE-2014-6560
Java VM
Oracle Net
Create Session
No
9.0
Network
Low
Single
Complete
Complete
Complete
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
See Note 1
CVE-2014-6455
SQLJ
Oracle Net
Create Session
No
9.0
Network
Low
Single
Complete
Complete
Complete
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
See Note 1
CVE-2014-6537
Java VM
Oracle Net
Create Session
No
6.5
Network
Low
Single
Partial
Partial
Partial
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-6483
Application Express
HTTP
Create Session
No
6.0
Network
Medium
Single
Partial
Partial
Partial
All releases prior to 4.2.6
CVE-2014-0050
Application Express
HTTP
None
Yes
5.0
Network
Low
None
None
None
Partial
All releases prior to 4.2.6
CVE-2014-6547
JPublisher
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-4293
JPublisher
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-4292
JPublisher
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-4291
JPublisher
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-4290
JPublisher
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-4297
JPublisher
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-4296
JPublisher
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-6477
JPublisher
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-4310
JPublisher
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-6538
Java VM
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-4295
Java VM
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-4294
Java VM
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-6563
Java VM
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-6542
SQLJ
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-4298
SQLJ
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-4299
SQLJ
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-4300
SQLJ
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-6452
SQLJ
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-6454
SQLJ
Oracle Net
Create Session
No
4.0
Network
Low
Single
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2014-6544
JDBC
Oracle Net
Create Session
No
3.6
Network
High
Single
Partial
Partial
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1
CVE-2014-4289
JDBC
Oracle Net
Create Session
No
3.6
Network
High
Single
Partial
Partial
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1
CVE-2014-2478
Core RDBMS
Oracle Net
none
Yes
2.6
Network
High
None
Partial
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1
Notes:
- These vulnerabilities have a CVSS score of 9.0 on Windows and the confidentiality, availability and integrity impacts are Complete. These vulnerabilities have a CVSS score of 6.5 on non-Windows and the confidentiality, availability and integrity impacts are Partial+.
Oracle Database Server Client-Only Installations
The following Oracle Database Server vulnerabilities included in this Critical Patch Update affect client-only installations: CVE-2014-6544 and CVE-2014-4289.
Appendix - Oracle Fusion Middleware****Oracle Fusion Middleware Executive Summary
This Critical Patch Update contains 18 new security fixes for Oracle Fusion Middleware. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the October 2014 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2014 Patch Availability Document for Oracle Products, My Oracle Support Note 1912224.1.
Oracle Fusion Middleware Risk Matrix
CVE#
Component
Protocol
Subcomponent
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability
CVE-2014-0114
Oracle Adaptive Access Manager
HTTP
OAAM Server (Struts based)
Yes
7.5
Network
Low
None
Partial
Partial
Partial
11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
CVE-2014-0114
Oracle Enterprise Data Quality
HTTP
Launchpad (Struts based)
Yes
7.5
Network
Low
None
Partial
Partial
Partial
8.1.2, 9.0.11
CVE-2014-0114
Oracle Identity Manager
HTTP
OIM Legacy UI (Struts based)
Yes
7.5
Network
Low
None
Partial
Partial
Partial
11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
CVE-2013-1741
Oracle OpenSSO
HTTPS
Web Agents
Yes
7.5
Network
Low
None
Partial+
Partial+
Partial+
3.0-04
See Note 1
CVE-2014-0224
Oracle Endeca Information Discovery Studio
HTTP
Studio
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
3.1
See Note 2
CVE-2014-6499
Oracle WebLogic Server
HTTP
WebLogic Tuxedo Connector
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0
See Note 3
CVE-2014-0114
Oracle WebLogic Server
HTTP
WLS-Console (Struts based)
No
6.5
Network
Low
Single
Partial+
Partial+
Partial+
10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0
CVE-2014-6553
Oracle Access Manager
HTTP
Admin Console
Yes
6.4
Network
Low
None
Partial
Partial
None
11.1.1.5, 11.1.1.7
CVE-2014-6554
Oracle Access Manager
HTTP
Admin Console
No
5.5
Network
Low
Single
Partial
Partial
None
11.1.2.1, 11.1.2.2
CVE-2014-0050
Oracle Endeca Information Discovery Studio
HTTP
Studio
Yes
5.0
Network
Low
None
None
None
Partial
2.2.2, 2.3, 2.4, 3.0, 3.1
See Note 4
CVE-2014-6552
Oracle Access Manager
HTTP
Admin Console
Yes
4.3
Network
Medium
None
None
Partial
None
11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
CVE-2014-6462
Oracle Access Manager
HTTP
Admin Console
Yes
4.3
Network
Medium
None
None
Partial
None
11.1.2.1, 11.1.2.2
CVE-2014-0119
Oracle Enterprise Data Quality
HTTP
Internal Operations
Yes
4.3
Network
Medium
None
Partial
None
None
8.1.2, 9.0.11
See Note 5
CVE-2014-2880
Oracle Identity Manager
HTTP
User Management
Yes
4.3
Network
Medium
None
None
Partial
None
11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
CVE-2014-6522
Oracle JDeveloper
HTTP
ADF Faces
Yes
4.3
Network
Medium
None
None
Partial
None
11.1.1.7, 11.1.2.4, 12.1.2.0, 12.1.3.0
CVE-2014-6534
Oracle WebLogic Server
HTTP
WLS Console
No
4.0
Network
Low
Single
None
Partial
None
10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0
CVE-2014-6487
Oracle Identity Manager
HTTP
End User Self Service
No
3.5
Network
Medium
Single
None
Partial
None
11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
CVE-2014-0114
Oracle JDeveloper
HTTP
ADF Controllers (Struts based)
Yes
0.0
Network
Low
None
None
None
None
10.1.3.5, 11.1.1.7, 11.1.2.4, 12.1.2.0, 12.1.3.0
See Note 6
Notes:
- This fix also addresses CVE-2013-1739,CVE-2013-1740, CVE-2013-5605, CVE-2013-5606,CVE-2014-1490, CVE-2014-1491, CVE-2014-1492.
- This fix also addresses CVE-2014-3470,CVE-2010-5298,CVE-2014-0221,CVE-2014-0195,CVE-2014-0198.
- Please refer to Doc ID My Oracle Support Note 1930466.1 for instructions on how to address this issue.
- This fix also addresses CVE-2013-4286,CVE-2013-4322,CVE-2013-4590,CVE-2014-0033.
- This fix also addresses CVE-2013-4286,CVE-2013-4322,CVE-2013-4590,CVE-2014-0033,CVE-2014-0050,CVE-2014-0075,CVE-2014-0095,CVE-2014-0096.
- Please refer to Doc ID My Oracle Support Note 1926728.1 for instructions on how to address this issue. This fix also addresses CVE-2014-0050.
Appendix - Oracle Enterprise Manager Grid Control****Oracle Enterprise Manager Grid Control Executive Summary
This Critical Patch Update contains 2 new security fixes for Oracle Enterprise Manager Grid Control. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.
Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2014 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2014 Patch Availability Document for Oracle Products, My Oracle Support Note 1912224.1.
Oracle Enterprise Manager Grid Control Risk Matrix
CVE#
Component
Protocol
Subcomponent
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability
CVE-2014-6557
Application Performance Management
HTTP
End User Experience Management
No
4.9
Network
Medium
Single
Partial
Partial
None
All releases prior to 12.1.0.6.2
CVE-2014-6488
Enterprise Manager for Oracle Database
HTTP
Content Management
No
2.1
Network
High
Single
None
Partial
None
EM Base Platform: 10.2.0.5, 11.1.0.1 EM DB Control: 11.1.0.7, 11.2.0.3, 11.2.0.4 EM Plugin for DB: 12.1.0.4, 12.1.0.5, 12.1.0.6
Appendix - Oracle Applications****Oracle E-Business Suite Executive Summary
This Critical Patch Update contains 10 new security fixes for the Oracle E-Business Suite. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2014 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (October 2014), My Oracle Support Note 1923805.1.
Oracle E-Business Suite Risk Matrix
CVE#
Component
Protocol
Subcomponent
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability
CVE-2014-4278
Oracle Applications Technology Stack
HTTP
Oracle Forms
Yes
7.5
Network
Low
None
Partial+
Partial+
Partial+
12.0.6, 12.1.3, 12.2.2, 12.2.3, 12.2.4
See Note 1
CVE-2014-6539
Oracle Applications Framework
HTTP
LOV
Yes
4.3
Network
Medium
None
None
Partial
None
11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, 12.2.4
CVE-2014-6472
Oracle Applications Framework
HTTP
LOV
Yes
4.3
Network
Medium
None
None
Partial
None
11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, 12.2.4
CVE-2014-4281
Oracle Applications Framework
HTTP
Portal Integration
Yes
4.3
Network
Medium
None
None
Partial
None
12.1.3, 12.2.2, 12.2.3, 12.2.4
CVE-2014-6471
Oracle Applications Manager
HTTP
OAM Diagnostics
Yes
4.3
Network
Medium
None
None
Partial
None
12.0.6, 12.1.3, 12.2.2, 12.2.3, 12.2.4
CVE-2014-6550
Oracle Applications Object Library
HTTP
iHelp
Yes
4.3
Network
Medium
None
None
Partial
None
11.5.10.2
CVE-2014-4285
Oracle Applications Technology
HTTP
Reports Configuration
Yes
4.3
Network
Medium
None
None
Partial
None
11.5.10.2
CVE-2014-6561
Oracle Payments
HTTP
Separate Remittance Advice
Yes
4.3
Network
Medium
None
Partial
None
None
12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, 12.2.4
CVE-2014-6523
Oracle Applications Framework
HTTP
REST Interface
No
4.0
Network
Low
Single
Partial
None
None
12.1.3, 12.2.2, 12.2.3, 12.2.4
CVE-2014-6479
Oracle Applications Technology
HTTP
OC4J Configuration
No
4.0
Network
Low
Single
Partial
None
None
11.5.10.2, 12.0.6, 12.1.3
Notes:
- This is an Oracle E-Business Suite specific fix in Oracle Fusion Middleware.
Oracle Supply Chain Products Suite Executive Summary
This Critical Patch Update contains 5 new security fixes for the Oracle Supply Chain Products Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Supply Chain Products Suite Risk Matrix
CVE#
Component
Protocol
Subcomponent
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability
CVE-2014-6533
Oracle Transportation Management
HTTP
Security
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
6.1, 6.2
CVE-2014-6498
Oracle Transportation Management
HTTP
Security
Yes
5.0
Network
Low
None
Partial
None
None
6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5
CVE-2014-6461
Agile PLM
HTTP
Roles & Privileges
No
4.9
Network
Medium
Single
Partial+
Partial+
None
9.3.1.2
CVE-2014-6543
Agile PLM
HTTP
ITEM (Item & BOM)
No
3.6
Network
High
Single
Partial
Partial
None
9.3.3
CVE-2014-6536
Agile PLM
HTTP
Security
No
3.5
Network
Medium
Single
None
Partial
None
9.3.3
Oracle PeopleSoft Products Executive Summary
This Critical Patch Update contains 5 new security fixes for Oracle PeopleSoft Products. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle PeopleSoft Products Risk Matrix
CVE#
Component
Protocol
Subcomponent
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability
CVE-2014-6535
PeopleSoft Enterprise PeopleTools
HTTP
SECURITY
Yes
5.8
Network
Medium
None
Partial
Partial
None
8.52, 8.53, 8.54
CVE-2014-6460
PeopleSoft Enterprise PeopleTools
HTTP
QUERY
No
4.9
Network
Medium
Single
Partial+
Partial+
None
8.52, 8.53, 8.54
CVE-2014-6486
PeopleSoft Enterprise HRMS
HTTPS
Talent Acquisition Manager - Security
No
4.0
Network
Low
Single
None
Partial
None
9.2
CVE-2014-6482
PeopleSoft Enterprise PT PeopleTools
HTTP
Updates Change Assistant
No
4.0
Network
Low
Single
None
Partial
None
8.53, 8.54
CVE-2014-6475
PeopleSoft Enterprise PeopleTools
HTTP
Security
No
3.5
Network
Medium
Single
Partial
None
None
8.52, 8.53, 8.54
Oracle JD Edwards Products Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle JD Edwards Products. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle JD Edwards Products Risk Matrix
CVE#
Component
Protocol
Subcomponent
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability
CVE-2014-6516
JD Edwards EnterpriseOne Tools
HTTP
Installation SEC
No
4.3
Local
Low
Single
Partial+
Partial+
Partial+
8.98
Appendix - Oracle Industry Applications****Oracle Communications Applications Executive Summary
This Critical Patch Update contains 2 new security fixes for Oracle Communications Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Communications Applications Risk Matrix
CVE#
Component
Protocol
Subcomponent
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability
CVE-2014-0114
Oracle Communications MetaSolv Solution
HTTP
Infrastructure, LSR, ASR (Struts based)
Yes
7.5
Network
Low
None
Partial
Partial
Partial
MetaSolv Solution: 6.2.1.0.0, LSR: 9.4.0, 10.1.0, ASR: 49.0.0
CVE-2014-6465
Oracle Communications Session Border Controller
TCP/TLS
Lawful Intercept
No
6.3
Network
Medium
Single
None
None
Complete
SCX640m5
Oracle Retail Applications Executive Summary
This Critical Patch Update contains 4 new security fixes for Oracle Retail Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Retail Applications Risk Matrix
CVE#
Component
Protocol
Subcomponent
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability
CVE-2014-0114
Oracle Retail Allocation
HTTP
General application (Struts based)
Yes
7.5
Network
Low
None
Partial+
Partial+
Partial+
10.0, 11.0, 12.0, 13.0, 13.1, 13.2
CVE-2014-0114
Oracle Retail Clearance Optimization Engine
HTTP
General application (Struts based)
Yes
7.5
Network
Low
None
Partial+
Partial+
Partial+
13.3, 13.4, 14.0
CVE-2014-0114
Oracle Retail Invoice Matching
HTTP
General application (Struts based)
Yes
7.5
Network
Low
None
Partial+
Partial+
Partial+
11.0, 12.0, 12.0 IN, 12.1, 13.0, 13.1, 13.2, 14.0
CVE-2014-0114
Oracle Retail Markdown Optimization
HTTP
General application (Struts based)
Yes
7.5
Network
Low
None
Partial+
Partial+
Partial+
12.0, 13.0, 13.1, 13.2, 13.4
Oracle Health Sciences Applications Executive Summary
This Critical Patch Update contains 3 new security fixes for Oracle Health Sciences Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Health Sciences Applications Risk Matrix
CVE#
Component
Protocol
Subcomponent
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability
CVE-2014-0050
Oracle Health Sciences Empirica Inspections
HTTP
Tomcat, FileUpload
Yes
5.0
Network
Low
None
None
None
Partial
1.0.1.0 and prior
See Note 1
CVE-2014-0050
Oracle Health Sciences Empirica Signal
HTTP
Tomcat, FileUpload
Yes
5.0
Network
Low
None
None
None
Partial
7.3.3.3 and prior
See Note 1
CVE-2014-0050
Oracle Health Sciences Empirica Study
HTTP
Tomcat, FileUpload
Yes
5.0
Network
Low
None
None
None
Partial
3.1.2.0 and prior
See Note 1
Notes:
- This fix also addresses CVE-2013-4286, CVE-2013-4322, CVE-2013-4590 and CVE-2014-0033.
Appendix - Oracle Primavera Products Suite****Oracle Primavera Products Suite Executive Summary
This Critical Patch Update contains 2 new security fixes for the Oracle Primavera Products Suite. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Primavera Products Suite Risk Matrix
CVE#
Component
Protocol
Subcomponent
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability
CVE-2014-0114
Primavera Contract Management
HTTP
Web Access (Struts based)
No
6.5
Network
Low
Single
Partial
Partial
Partial
13.1, 14.0
CVE-2014-0114
Primavera P6 Enterprise Project Portfolio Management
HTTP
Web Access (Struts based)
No
6.5
Network
Low
Single
Partial
Partial
Partial
7.0, 8.0, 8.1, 8.2, 8.3
Appendix - Oracle Java SE****Oracle Java SE Executive Summary
This Critical Patch Update contains 25 new security fixes for Oracle Java SE. 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Partial” instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.
Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.
My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products that include an Oracle Java SE JDK or JRE.
Oracle Java SE Risk Matrix
CVE#
Component
Protocol
Subcomponent
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability
CVE-2014-6513
Java SE, Java SE Embedded
Multiple
AWT
Yes
10.0
Network
Low
None
Complete
Complete
Complete
Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60
See Note 1
CVE-2014-6532
Java SE
Multiple
Deployment
Yes
9.3
Network
Medium
None
Complete
Complete
Complete
Java SE 6u81, Java SE 7u67, Java SE 8u20
See Note 1
CVE-2014-6503
Java SE
Multiple
Deployment
Yes
9.3
Network
Medium
None
Complete
Complete
Complete
Java SE 6u81, Java SE 7u67, Java SE 8u20
See Note 1
CVE-2014-6456
Java SE
Multiple
Deployment
Yes
9.3
Network
Medium
None
Complete
Complete
Complete
Java SE 7u67, Java SE 8u20
See Note 1
CVE-2014-6562
Java SE
Multiple
Libraries
Yes
9.3
Network
Medium
None
Complete
Complete
Complete
Java SE 8u20
See Note 1
CVE-2014-6485
Java SE, JavaFX
Multiple
JavaFX
Yes
9.3
Network
Medium
None
Complete
Complete
Complete
Java SE 8u20, JavaFX 2.2.65
See Note 1
CVE-2014-6492
Java SE
Multiple
Deployment
Yes
7.6
Network
High
None
Complete
Complete
Complete
Java SE 6u81, Java SE 7u67, Java SE 8u20
See Note 2
CVE-2014-6493
Java SE
Multiple
Deployment
Yes
7.6
Network
High
None
Complete
Complete
Complete
Java SE 6u81, Java SE 7u67, Java SE 8u20
See Note 1
CVE-2014-4288
Java SE
Multiple
Deployment
Yes
7.6
Network
High
None
Complete
Complete
Complete
Java SE 6u81, Java SE 7u67, Java SE 8u20
See Note 1
CVE-2014-6466
Java SE
None
Deployment
No
6.9
Local
Medium
None
Complete
Complete
Complete
Java SE 6u81, Java SE 7u67, Java SE 8u20
See Note 3
CVE-2014-6458
Java SE
None
Deployment
No
6.9
Local
Medium
None
Complete
Complete
Complete
Java SE 6u81, Java SE 7u67, Java SE 8u20
See Note 1
CVE-2014-6468
Java SE
None
Hotspot
No
6.9
Local
Medium
None
Complete
Complete
Complete
Java SE 8u20
See Note 6
CVE-2014-6506
Java SE, Java SE Embedded
Multiple
Libraries
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60
See Note 1
CVE-2014-6511
Java SE
Multiple
2D
Yes
5.0
Network
Low
None
Partial
None
None
Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE 8u20
See Note 1
CVE-2014-6476
Java SE
Multiple
Deployment
Yes
5.0
Network
Low
None
None
Partial
None
Java SE 7u67, Java SE 8u20
See Note 1
CVE-2014-6515
Java SE
SSL/TLS
Deployment
Yes
5.0
Network
Low
None
None
Partial
None
Java SE 6u81, Java SE 7u67, Java SE 8u20
See Note 1
CVE-2014-6504
Java SE, Java SE Embedded
Multiple
Hotspot
Yes
5.0
Network
Low
None
Partial
None
None
Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE Embedded 7u60
See Note 1
CVE-2014-6519
Java SE, Java SE Embedded
Multiple
Hotspot
Yes
5.0
Network
Low
None
None
Partial
None
Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60
See Note 1
CVE-2014-6517
Java SE, Java SE Embedded, JRockit
Multiple
JAXP
Yes
5.0
Network
Low
None
Partial
None
None
Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60, JRockit R27.8.3, JRockit R28.3.3
See Note 4
CVE-2014-6531
Java SE, Java SE Embedded
HTTP
Libraries
Yes
4.3
Network
Medium
None
Partial
None
None
Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60
See Note 1
CVE-2014-6512
Java SE, Java SE Embedded, JRockit
Multiple
Libraries
Yes
4.3
Network
Medium
None
None
Partial
None
Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60, JRockit R27.8.3, JRockit R28.3.3
See Note 4
CVE-2014-6457
Java SE, Java SE Embedded, JRockit
SSL/TLS
JSSE
Yes
4.0
Network
High
None
Partial
Partial
None
Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60, JRockit R27.8.3, JRockit R28.3.3
See Note 5
CVE-2014-6527
Java SE
Multiple
Deployment
Yes
2.6
Network
High
None
None
Partial
None
Java SE 7u67, Java SE 8u20
See Note 1
CVE-2014-6502
Java SE, Java SE Embedded
Multiple
Libraries
Yes
2.6
Network
High
None
None
Partial
None
Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60
See Note 1
CVE-2014-6558
Java SE, Java SE Embedded, JRockit
Multiple
Security
Yes
2.6
Network
High
None
None
Partial
None
Java SE 5.0u71, Java SE 6u81, Java SE 7u67, Java SE 8u20, Java SE Embedded 7u60, JRockit R27.8.3, JRockit R28.3.3
See Note 4
Notes:
- Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
- Applies to client deployment of Java on Firefox only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
- Applies to client deployment of Java on Internet Explorer only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
- Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
- Applies to client and server deployment of JSSE.
- Applies to client and server deployment of Java. This vulnerability requires local access to the victim environment in order to plant the affected jar file. Once the affected jar file was planted, this vulnerability can be triggered through sandboxed Java Web Start applications, sandboxed Java applets, and launching the affected application locally. It can also be triggered by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Appendix - Oracle Sun Systems Products Suite****Oracle Sun Systems Products Suite Executive Summary
This Critical Patch Update contains 15 new security fixes for the Oracle Sun Systems Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Sun Systems Products Suite Risk Matrix
CVE#
Component
Protocol
Subcomponent
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability
CVE-2014-6508
Solaris
TCP/IP
iSCSI Data Mover(IDM)
Yes
7.8
Network
Low
None
None
None
Complete
10, 11
CVE-2014-4276
Solaris
CIFS
Common Internet File System(CIFS)
Yes
7.5
Network
Low
None
Partial
Partial
Partial
11
CVE-2014-4282
Solaris
None
Kernel/X86
No
7.2
Local
Low
None
Complete
Complete
Complete
11
CVE-2014-6473
Solaris
None
Zone Framework
No
7.2
Local
Low
None
Complete
Complete
Complete
10, 11
See Note 1
CVE-2014-0224
Fujitsu M10-1, Fujitsu M10-4, Fujitsu M10-4S servers
SSL/TLS
XCP
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
XCP prior to XCP2221
CVE-2014-6470
Solaris
None
Archive Utility
No
6.8
Local
Low
Single
Complete
Complete
Complete
11
CVE-2014-6529
Solaris
None
Hermon HCA PCIe driver
No
6.8
Adjacent Network
High
None
Complete
Complete
Complete
11
CVE-2014-4277
Solaris
HTTP
Automated Install Engine
Yes
5.0
Network
Low
None
Partial
None
None
11
CVE-2014-6490
Solaris
SMB
SMB server user component
Yes
5.0
Network
Low
None
None
None
Partial
11
CVE-2014-6497
Solaris
None
Kernel
No
4.9
Local
Low
None
None
None
Complete
11
CVE-2014-4275
Solaris
None
SMB server kernel module
No
4.9
Local
Low
None
None
None
Complete
11
CVE-2014-4280
Solaris
None
IPS transfer module
No
4.6
Local
Low
None
Partial
Partial
Partial
11
CVE-2014-4284
Solaris
None
IPS transfer module
No
4.4
Local
Medium
None
Partial
Partial
Partial
11
CVE-2014-4283
Solaris
SSL/TLS
Automated Install Engine
Yes
4.3
Network
Medium
None
Partial
None
None
11
CVE-2014-6501
Solaris
None
SSH
No
2.1
Local
Low
None
Partial
None
None
11
Notes:
- For Solaris 10, it only applies to SPARC systems with Solaris 8 and Solaris 9 branded zones.
Appendix - Oracle Linux and Virtualization****Oracle Virtualization Executive Summary
This Critical Patch Update contains 7 new security fixes for Oracle Virtualization. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Virtualization Risk Matrix
CVE#
Component
Protocol
Subcomponent
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability
CVE-2014-2472
Oracle Secure Global Desktop
Multiple
SGD Proxy Server (ttaauxserv)
Yes
5.0
Network
Low
None
None
None
Partial
5.0, 5.1
CVE-2014-2474
Oracle Secure Global Desktop
Multiple
SGD Proxy Server (ttaauxserv)
Yes
5.0
Network
Low
None
None
None
Partial
5.0, 5.1
CVE-2014-2475
Oracle Secure Global Desktop
Multiple
SGD Proxy Server (ttaauxserv)
Yes
5.0
Network
Low
None
None
None
Partial
4.63, 4.71, 5.0, 5.1
CVE-2014-2476
Oracle Secure Global Desktop
Multiple
SGD Proxy Server (ttaauxserv)
Yes
5.0
Network
Low
None
None
None
Partial
5.0, 5.1
CVE-2014-6459
Oracle Secure Global Desktop
Multiple
SGD Proxy Server (ttaauxserv)
Yes
5.0
Network
Low
None
None
None
Partial
5.0, 5.1
CVE-2014-2473
Oracle Secure Global Desktop
Multiple
SGD Proxy Server (ttaauxserv) and SGD SSL Daemon (ttassl)
Yes
5.0
Network
Low
None
None
None
Partial
5.0, 5.1
CVE-2014-6540
Oracle VM VirtualBox
None
Graphics driver (WDDM) for Windows guests
No
1.9
Local
Medium
None
None
None
Partial
VirtualBox prior to 4.1.34, 4.2.26, 4.3.14
Appendix - Oracle MySQL****Oracle MySQL Executive Summary
This Critical Patch Update contains 24 new security fixes for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle MySQL Risk Matrix
CVE#
Component
Protocol
Subcomponent
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability
CVE-2014-6507
MySQL Server
MySQL Protocol
SERVER:DML
No
8.0
Network
Low
Single
Partial+
Partial+
Complete
5.5.39 and eariler, 5.6.20 and earlier
CVE-2014-6491
MySQL Server
MySQL Protocol
SERVER:SSL:yaSSL
Yes
7.5
Network
Low
None
Partial+
Partial+
Partial+
5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6500
MySQL Server
MySQL Protocol
SERVER:SSL:yaSSL
Yes
7.5
Network
Low
None
Partial+
Partial+
Partial+
5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6469
MySQL Server
MySQL Protocol
SERVER:OPTIMIZER
No
6.8
Network
Low
Single
None
None
Complete
5.5.39 and eariler, 5.6.20 and earlier
CVE-2014-0224
MySQL Server
MySQL Protocol
SERVER:SSL:OpenSSL
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
5.6.19 and earlier
See Note 1
CVE-2014-6530
MySQL Server
MySQL Protocol
CLIENT:MYSQLDUMP
No
6.5
Network
Low
Single
Partial+
Partial+
Partial+
5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6555
MySQL Server
MySQL Protocol
SERVER:DML
No
6.5
Network
Low
Single
Partial+
Partial+
Partial+
5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6489
MySQL Server
MySQL Protocol
SERVER:SP
No
5.5
Network
Low
Single
None
Partial
Partial+
5.6.19 and earlier
CVE-2012-5615
MySQL Server
MySQL Protocol
SERVER:PRIVILEGES AUTHENTICATION PLUGIN API
Yes
5.0
Network
Low
None
Partial
None
None
5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6559
MySQL Server
MySQL Protocol
C API SSL CERTIFICATE HANDLING
Yes
4.3
Network
Medium
None
Partial+
None
None
5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6494
MySQL Server
MySQL Protocol
CLIENT:SSL:yaSSL
Yes
4.3
Network
Medium
None
None
None
Partial+
5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6496
MySQL Server
MySQL Protocol
CLIENT:SSL:yaSSL
Yes
4.3
Network
Medium
None
None
None
Partial+
5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6495
MySQL Server
MySQL Protocol
SERVER:SSL:yaSSL
Yes
4.3
Network
Medium
None
None
None
Partial
5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6478
MySQL Server
MySQL Protocol
SERVER:SSL:yaSSL
Yes
4.3
Network
Medium
None
None
Partial
None
5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-4274
MySQL Server
MySQL Protocol
SERVER:MyISAM
No
4.1
Local
Medium
Single
Partial+
Partial+
Partial+
5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-4287
MySQL Server
MySQL Protocol
SERVER:CHARACTER SETS
No
4.0
Network
Low
Single
None
None
Partial+
5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6520
MySQL Server
MySQL Protocol
SERVER:DDL
No
4.0
Network
Low
Single
None
None
Partial+
5.5.38 and earlier
CVE-2014-6484
MySQL Server
MySQL Protocol
SERVER:DML
No
4.0
Network
Low
Single
None
None
Partial+
5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6464
MySQL Server
MySQL Protocol
SERVER:INNODB DML FOREIGN KEYS
No
4.0
Network
Low
Single
None
None
Partial+
5.5.39 and earlier, 5.6.20 and earlier
CVE-2014-6564
MySQL Server
MySQL Protocol
SERVER:INNODB FULLTEXT SEARCH DML
No
4.0
Network
Low
Single
None
None
Partial+
5.6.19 and earlier
CVE-2014-6505
MySQL Server
MySQL Protocol
SERVER:MEMORY STORAGE ENGINE
No
4.0
Network
Low
Single
None
None
Partial+
5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6474
MySQL Server
Memcached
SERVER:MEMCACHED
No
3.5
Network
Medium
Single
None
None
Partial+
5.6.19 and earlier
CVE-2014-6463
MySQL Server
MySQL Protocol
SERVER:REPLICATION ROW FORMAT BINARY LOG DML
No
3.3
Network
Low
Multiple
None
None
Partial+
5.5.38 and earlier, 5.6.19 and earlier
CVE-2014-6551
MySQL Server
MySQL Protocol
CLIENT:MYSQLADMIN
No
2.1
Local
Low
None
Partial
None
None
5.5.38 and earlier, 5.6.19 and earlier
Notes:
- This fix also addresses CVE-2010-5298,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-3470
Why Oracle
- Analyst Reports
- Gartner MQ for Cloud ERP
- Cloud Economics
- Corporate Responsibility
- Diversity and Inclusion
- Security Practices
Learn
- What is cloud computing?
- What is CRM?
- What is Docker?
- What is Kubernetes?
- What is Python?
- What is SaaS?
What’s New
Oracle Supports Ukraine
Oracle CloudWorld
Oracle and Premier League
Oracle Red Bull Racing
Employee Experience Platform
Oracle Support Rewards
© 2022 Oracle
Site Map
Privacy/Do Not Sell My Info
Ad Choices
Careers
Facebook
Twitter
LinkedIn
YouTube
Related news
An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.
IBM Rational Change 5.3 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the SUPP_TEMPLATE_FLAG parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/A...
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.
** DISPUTED ** MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a and possibly other versions, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator. NOTE: the vendor disputes this issue, stating that this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation. NOTE: it could be argued that this should not be included in CVE because it is a configuration issue.
Heap-based buffer overflow in Oracle MySQL 5.5.19 and other versions through 5.5.28, and MariaDB 5.5.28a and possibly other versions, allows remote authenticated users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code, as demonstrated using certain variations of the (1) USE, (2) SHOW TABLES, (3) DESCRIBE, (4) SHOW FIELDS FROM, (5) SHOW COLUMNS FROM, (6) SHOW INDEX FROM, (7) CREATE TABLE, (8) DROP TABLE, (9) ALTER TABLE, (10) DELETE FROM, (11) UPDATE, and (12) SET PASSWORD commands.
native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.