Headline
CVE-2016-3471: Oracle Critical Patch Update - July 2016
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Click to view our Accessibility Policy
Skip to content
Security Alerts
Oracle Critical Patch Update Advisory - July 2016****Description
A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:
Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.
This Critical Patch Update contains 276 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.
Please note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).
This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available here.
Affected Products and Components
Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for those patches.
The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:
Patch Availability
For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update July 2016 Documentation Map, My Oracle Support Note.
Affected Products and Versions
Patch Availability
Application Express, version(s) prior to 5.0.4
Database
Oracle Database Server, version(s) 11.2.0.4, 12.1.0.1, 12.1.0.2
Database
Oracle Access Manager, version(s) 10.1.4.x, 11.1.1.7
Fusion Middleware
Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
Fusion Middleware
Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0, 11.2.1.0.0
Fusion Middleware
Oracle Directory Server Enterprise Edition, version(s) 7.0, 11.1.1.7.0
Fusion Middleware
Oracle Exalogic Infrastructure, version(s) 1.x, 2.x
Fusion Middleware
Oracle Fusion Middleware, version(s) 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.0
Fusion Middleware
Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2
Fusion Middleware
Oracle HTTP Server, version(s) 11.1.1.9, 12.1.3.0
Fusion Middleware
Oracle JDeveloper, version(s) 11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0
Fusion Middleware
Oracle Portal, version(s) 11.1.1.6
Fusion Middleware
Oracle TopLink, version(s) 12.1.3.0, 12.2.1.0, 12.2.1.1
Fusion Middleware
Oracle WebCenter Sites, version(s) 11.1.1.8, 12.2.1.0
Fusion Middleware
Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.0
Fusion Middleware
Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2
Fusion Middleware
Hyperion Financial Reporting, version(s) 11.1.2.4
Fusion Middleware
Enterprise Manager Base Platform, version(s) 12.1.0.5, 13.1.0.0
Enterprise Manager
Enterprise Manager for Fusion Middleware, version(s) 11.1.1.7, 11.1.1.9
Enterprise Manager
Enterprise Manager Ops Center, version(s) 12.1.4, 12.2.2, 12.3.2
Enterprise Manager
Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
E-Business Suite
Oracle Agile Engineering Data Management, version(s) 6.1.3.0, 6.2.0.0
Oracle Supply Chain Products
Oracle Agile PLM, version(s) 9.3.4, 9.3.5
Oracle Supply Chain Products
Oracle Demand Planning, version(s) 12.1, 12.2
Oracle Supply Chain Products
Oracle Transportation Management, version(s) 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1
Oracle Supply Chain Products
PeopleSoft Enterprise FSCM, version(s) 9.1, 9.2
PeopleSoft
PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54, 8.55
PeopleSoft
JD Edwards EnterpriseOne Tools, version(s) 9.2.0.5
JD Edwards
Oracle Knowledge, version(s) 8.5.x
Oracle Knowledge
Siebel Applications, version(s) 8.1.1, 8.2.2, IP2014, IP2015, IP2016
Siebel
Oracle Fusion Applications, version(s) 11.1.2 through 11.1.10
Fusion Applications
Oracle Communications ASAP, version(s) 7.0, 7.2, 7.3
Oracle Communications ASAP
Oracle Communications Core Session Manager, version(s) 7.2.5, 7.3.5
Oracle Communications Core Session Manager
Oracle Communications EAGLE Application Processor, version(s) 16.0
Oracle Communications EAGLE Application Processor
Oracle Communications Messaging Server, version(s) 6.3, 7.0, 8.0, Prior to 7.0.5.37.0 and 8.0.1.1.0
Oracle Communications Messaging Server
Oracle Communications Network Charging and Control, version(s) 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0
Oracle Communications Network Charging and Control
Oracle Communications Operations Monitor, version(s) prior to 3.3.92.0.0
Oracle Communications Operations Monitor
Oracle Communications Policy Management, version(s) prior to 9.9.2
Oracle Communications Policy Management
Oracle Communications Session Border Controller, version(s) 7.2.0, 7.3.0
Oracle Communications Session Border Controller
Oracle Communications Unified Session Manager, version(s) 7.2.5, 7.3.5
Oracle Communications Unified Session Manager
Oracle Enterprise Communications Broker, version(s) Prior to PCz 2.0.0m4p1
Oracle Enterprise Communications Broker
Oracle Banking Platform, version(s) 2.3.0, 2.4.0, 2.4.1, 2.5.0
Oracle Banking Platform
Oracle Financial Services Lending and Leasing, version(s) 14.1, 14.2
Oracle Financial Services Applications
Oracle FLEXCUBE Direct Banking, version(s) 12.0.1, 12.0.2, 12.0.3
Oracle Financial Services Applications
Oracle Health Sciences Clinical Development Center, version(s) 3.1.1.x, 3.1.2.x
Health Sciences
Oracle Health Sciences Information Manager, version(s) 1.2.8.3, 2.0.2.3, 3.0.1.0
Health Sciences
Oracle Healthcare Analytics Data Integration, version(s) 3.1.0.0.0
Health Sciences
Oracle Healthcare Master Person Index, version(s) 2.0.12, 3.0.0, 4.0.1
Health Sciences
Oracle Documaker, version(s) prior to 12.5
Oracle Insurance Applications
Oracle Insurance Calculation Engine, version(s) 9.7.1, 10.1.2, 10.2.2
Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, version(s) 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
Oracle Insurance Applications
Oracle Insurance Rules Palette, version(s) 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
Oracle Insurance Applications
MICROS Retail XBRi Loss Prevention, version(s) 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
Retail XBRi
Oracle Retail Central, Back Office, Returns Management, version(s) 13.1, 13.2, 13.3, 13.4, 14.0, 14.1, 12.0 13.0
Retail Point-of-Service
Oracle Retail Integration Bus, version(s) 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
Retail Integration Bus
Oracle Retail Order Broker, version(s) 4.1, 5.1, 5.2, 15.0
Retail Order Broker
Oracle Retail Service Backbone, version(s) 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
Retail Service Backbone
Oracle Retail Store Inventory Management, version(s) 12.0, 13.0, 13.1, 13.2, 14.0, 14.1
Retail Store Inventory Management
Oracle Utilities Framework, version(s) 2.2.0.0.0, 4.1.0.1.0, 4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.2.0
Oracle Utilities Applications
Oracle Utilities Network Management System, version(s) 1.10.0.6.27, 1.11.0.4.41, 1.11.0.5.4, 1.12.0.1.16, 1.12.0.2.12. 1.12.0.3.5
Oracle Utilities Applications
Oracle Utilities Work and Asset Management, version(s) 1.9.1.2.8
Oracle Utilities Applications
Oracle In-Memory Policy Analytics, version(s) 12.0.1
Oracle Policy Automation
Oracle Policy Automation, version(s) 10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 12.1.0, 12.1.1
Oracle Policy Automation
Oracle Policy Automation Connector for Siebel, version(s) 10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6
Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, version(s) 12.1.1
Oracle Policy Automation
Primavera Contract Management, version(s) 14.2
Oracle Primavera Products Suite
Primavera P6 Enterprise Project Portfolio Management, version(s) 8.2, 8.3, 8.4, 15.1, 15.2, 16.1
Oracle Primavera Products Suite
Oracle Java SE, version(s) 6u115, 7u101, 8u92
Oracle Java SE
Oracle Java SE Embedded, version(s) 8u91
Oracle Java SE
Oracle JRockit, version(s) R28.3.10
Oracle Java SE
40G 10G 72/64 Ethernet Switch, version(s) 2.0.0
Oracle and Sun Systems Products Suite
Fujitsu M10-1, M10-4, M10-4S Servers, version(s) prior to XCP 2320
Oracle and Sun Systems Products Suite
ILOM, version(s) 3.0, 3.1, 3.2
Oracle and Sun Systems Products Suite
Oracle Switch ES1-24, version(s) 1.3
Oracle and Sun Systems Products Suite
Solaris, version(s) 10, 11.3
Oracle and Sun Systems Products Suite
Solaris Cluster, version(s) 3.3, 4.3
Oracle and Sun Systems Products Suite
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) prior to XCP 1121
Oracle and Sun Systems Products Suite
Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) 1.2
Oracle and Sun Systems Products Suite
Sun Data Center InfiniBand Switch 36, version(s) prior to 2.2.2
Oracle and Sun Systems Products Suite
Sun Network 10GE Switch 72p, version(s) 1.2
Oracle and Sun Systems Products Suite
Sun Network QDR InfiniBand Gateway Switch, version(s) prior to 2.2.2
Oracle and Sun Systems Products Suite
Oracle Secure Global Desktop, version(s) 4.63, 4.71, 5.2
Oracle Linux and Virtualization
Oracle VM VirtualBox, version(s) prior to 5.0.26
Oracle Linux and Virtualization
MySQL Server, version(s) 5.5.49 and prior, 5.6.30 and prior, 5.7.12 and prior
Oracle MySQL Product Suite
Note:
- Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
- Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
- Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates (CPUs) and Solaris Third Party bulletins.
Risk Matrix Content
Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.
Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.
Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).
Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.
Workarounds
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
Skipped Critical Patch Updates
Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.
Product Dependencies
Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update July 2016 Availability Document, My Oracle Support Note 2136219.1.
Critical Patch Update Supported Products and Versions
Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
Products in Extended Support
Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.
Credit Statement
The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Accenture TVM Prague; Adam Willard of Raytheon Foreground Security; Alexander Kornbrust of Red Database Security; Alexander Mirosh of Hewlett Packard Enterprise; Alvaro Munoz of Hewlett Packard Enterprise; Alvaro Munoz of Trend Micro’s Zero Day Initiative; Ben Lincoln of NCC Group; Brian Martin of Tenable Network Security; Bruno Cirone; Christian Schneider; David Litchfield of Google; Devin Rosenbauer of Identity Works LLC; Aleksandar Nikolic of Cisco Talos; Jack Fei of FINRA; Juan Manuel Fernández Torres of Telefonica.com; Kasper Andersen; Matias Mevied of Onapsis; Matthias Kaiser of Code White; Matthias-Christian Ott; Nicholas Lemonias of Advanced Information Security Corporation; Nicolas Collignon of synacktiv; Reno Robert; Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.; Stephan Borosh of Veris Group, LLC; Stephen Kost of Integrigy; Steven Seeley working with Beyond Security’s SSD program; Sven Blumenstein of Google; Teemu Kääriäinen; Ubais PK; and XOR19 of Trend Micro’s Zero Day Initiative.
Security-In-Depth Contributors
Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.
In this Critical Patch Update Advisory, Oracle recognizes Alexey Tyurin of ERPScan; David Litchfield of Google; Paul M. Wright; and Quan Nguyen of Google for contributions to Oracle’s Security-In-Depth program.
On-Line Presence Security Contributors
Oracle provides acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.
For this quarter, Oracle recognizes Adam Willard of Raytheon Foreground Security; Cameron Dawe of Spam404.com; Jubaer Al Nazi - ServerGhosts Bangladesh; Karim Rahal; Latish Danawale of Pristine Infosolutions; Othmane Tamagart - APPBOX; Ramal Hajataliyev; Rodolfo Godalle Jr.; Shawar Khan; Tayyab Qadir; Vikas Khanna; and Winnye Jakeson for contributions to Oracle’s On-Line Presence Security program.
Critical Patch Update Schedule
Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 18 October 2016
- 17 January 2017
- 18 April 2017
- 18 July 2017
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Critical Patch Update - July 2016 Documentation Map [ My Oracle Support Note ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
- English text version of the risk matrices [ Oracle Technology Network ]
- CVRF XML version of the risk matrices [ Oracle Technology Network ]
- The Oracle Software Security Assurance Blog [ The Oracle Software Security Assurance Blog ]
- List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
- Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]
Modification History
Date
Note
2016-October-18
Rev 2. Updated score for CVE-2016-3504 and associated it with CVE-2016-5019.
2016-July-19
Rev 1. Initial Release.
Appendix - Oracle Database Server****Oracle Database Server Executive Summary
This Critical Patch Update contains 9 new security fixes for the Oracle Database Server. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 2 of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
Oracle Database Server Risk Matrix
CVE#
Component
Package and/or Privilege Required
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-3609
OJVM
Create Session
Multiple
No
9.0
Network
Low
Low
Required
Changed
High
High
High
11.2.0.4, 12.1.0.1, 12.1.0.2
See Note 1
CVE-2016-3506
JDBC
None
Oracle Net
Yes
8.1
Network
High
None
None
Un changed
High
High
High
11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2016-3479
Portable Clusterware
None
Oracle Net
Yes
7.5
Network
Low
None
None
Un changed
None
None
High
11.2.0.4, 12.1.0.2
CVE-2016-3489
Data Pump Import
Index on SYS.INCVID
Oracle Net
No
6.7
Local
Low
High
None
Un changed
High
High
High
11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2016-3448
Application Express
None
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
Prior to 5.0.4
CVE-2016-3467
Application Express
None
HTTP
Yes
5.8
Network
Low
None
None
Changed
None
None
Low
Prior to 5.0.4
CVE-2015-0204
RDBMS
HTTPS Listener
HTTPS
Yes
5.3
Network
High
None
Required
Un changed
None
High
None
12.1.0.1, 12.1.0.2
CVE-2016-3488
DB Sharding
Execute on gsmadmin_internal
Oracle Net
No
4.4
Local
Low
High
None
Un changed
None
High
None
12.1.0.2
CVE-2016-3484
Database Vault
Create Public Synonym
Oracle Net
No
3.4
Local
Low
High
None
Un changed
Low
Low
None
11.2.0.4, 12.1.0.1, 12.1.0.2
Notes:
- The score 9.0 is for Windows platform. On Linux platform the score is 8.0.
Oracle Database Server Client-Only Installations
The following Oracle Database Server vulnerabilities included in this Critical Patch Update affect client-only installations: CVE-2016-3506 and CVE-2015-0204.
Appendix - Oracle Fusion Middleware****Oracle Fusion Middleware Executive Summary
This Critical Patch Update contains 40 new security fixes for Oracle Fusion Middleware. 35 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-7182
Oracle Directory Server Enterprise Edition
Admin Server
HTTPS
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
7.0, 11.1.1.7.0
CVE-2016-3607
Oracle GlassFish Server
Web Container
HTTP
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
3.0.1, 3.1.2
CVE-2016-3510
Oracle WebLogic Server
WLS Core Components
HTTP
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
10.3.6.0, 12.1.3.0, 12.2.1.0
CVE-2016-3586
Oracle WebLogic Server
WLS Core Components
HTTP
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
10.3.6.0, 12.1.3.0, 12.2.1.0
CVE-2016-3499
Oracle WebLogic Server
Web Container
HTTP
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
12.1.3.0, 12.2.1.0
CVE-2016-3504
Oracle JDeveloper
ADF Faces
HTTP
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0
CVE-2016-3574
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3575
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3576
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3577
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3578
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3579
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3580
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3581
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3582
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3583
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3590
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3591
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3592
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3593
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3594
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3595
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3596
Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un changed
High
Low
Low
8.5.0, 8.5.1, 8.5.2
See Note 1
CVE-2016-3446
Oracle Business Intelligence Enterprise Edition
Analytics Web Administration
HTTP
Yes
8.3
Network
Low
None
None
Changed
Low
Low
Low
11.1.1.7.0, 11.1.1.9.0
CVE-2016-1181
Oracle Portal
User and Group Security
HTTP
Yes
8.1
Network
High
None
None
Un changed
High
High
High
11.1.1.6
See Note 2
CVE-2016-3564
Oracle TopLink
JPA-RS
HTTP
Yes
8.1
Network
High
None
None
Un changed
High
High
High
12.1.3.0, 12.2.1.0, 12.2.1.1
CVE-2016-3487
Oracle WebCenter Sites
WebCenter Sites
HTTP
Yes
8.1
Network
High
None
None
Un changed
High
High
High
11.1.1.8, 12.2.1.0
CVE-2016-3544
Oracle Business Intelligence Enterprise Edition
Analytics Web General
HTTP
No
7.6
Network
Low
Low
Required
Changed
High
Low
None
11.1.1.7.0, 11.1.1.9.0, 11.2.1.0.0
CVE-2016-1548
Oracle Exalogic Infrastructure
Base Image
Multiple
Yes
6.5
Network
Low
None
None
Un changed
None
Low
Low
1.x, 2.x
CVE-2015-3237
Oracle GlassFish Server
Administration
HTTP
Yes
6.5
Network
Low
None
None
Un changed
Low
None
Low
3.0.1, 3.1.2
CVE-2016-3502
Oracle WebCenter Sites
WebCenter Sites
HTTP
No
6.5
Network
Low
Low
Required
Changed
Low
Low
Low
11.1.1.8, 12.2.1.0
CVE-2016-2107
Oracle Access Manager
Web Server Plugin
HTTPS
Yes
5.9
Network
High
None
None
Un changed
High
None
None
10.1.4.x, 11.1.1.7
CVE-2016-2107
Oracle Exalogic Infrastructure
Base Image
Multiple
Yes
5.9
Network
High
None
None
Un changed
High
None
None
1.x, 2.x
CVE-2016-3608
Oracle GlassFish Server
Administration
HTTP
Yes
5.8
Network
Low
None
None
Changed
Low
None
None
3.0.1
CVE-2016-5477
Oracle GlassFish Server
Administration
HTTP
Yes
5.8
Network
Low
None
None
Changed
Low
None
None
2.1.1, 3.0.1
CVE-2016-3432
BI Publisher (formerly XML Publisher)
Web Server
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
11.1.1.7.0, 11.1.1.9.0
CVE-2016-3433
Oracle Business Intelligence Enterprise Edition
Analytics Web Administration
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
11.1.1.7.0, 11.1.1.9.0
CVE-2016-3445
Oracle WebLogic Server
Web Container
HTTP
Yes
5.3
Network
Low
None
None
Un changed
None
None
Low
10.3.6.0, 12.1.3.0
CVE-2016-3474
BI Publisher (formerly XML Publisher)
Security
HTTP
Yes
3.7
Network
High
None
None
Un changed
Low
None
None
11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
CVE-2016-3482
Oracle HTTP Server
SSL/TLS Module
HTTPS
Yes
3.7
Network
High
None
None
Un changed
Low
None
None
11.1.1.9, 12.1.3.0
Notes:
- Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
- Please refer to My Oracle Support Note 2155256.1 for instructions on how to address this issue.
Additional CVEs addressed:
- The fix for CVE-2015-7182 also addresses CVE-2015-2721, CVE-2015-4000, CVE-2015-7181, CVE-2015-7183, and CVE-2015-7575.
- The fix for CVE-2016-1181 also addresses CVE-2016-1182.
- The fix for CVE-2016-1548 also addresses CVE-2015-7979, CVE-2016-1547, CVE-2016-1550, CVE-2016-2108, CVE-2016-2518, CVE-2016-4051, CVE-2016-4052, and CVE-2016-4053.
- The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176.
- The fix for CVE-2016-3504 also addresses CVE-2016-5019.
Appendix - Oracle Hyperion****Oracle Hyperion Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle Hyperion. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Hyperion Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-3493
Hyperion Financial Reporting
Security Models
HTTP
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
11.1.2.4
Appendix - Oracle Enterprise Manager Grid Control****Oracle Enterprise Manager Grid Control Executive Summary
This Critical Patch Update contains 10 new security fixes for Oracle Enterprise Manager Grid Control. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.
Oracle Enterprise Manager Grid Control Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-7501
Enterprise Manager Ops Center
Enterprise Controller Install
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
12.1.4, 12.2.2, 12.3.2
CVE-2016-0635
Enterprise Manager Ops Center
Framework
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
12.1.4, 12.2.2, 12.3.2
CVE-2015-3237
Enterprise Manager Ops Center
Networking
HTTP
Yes
6.5
Network
Low
None
None
Un changed
Low
None
Low
12.1.4, 12.2.2, 12.3.2
CVE-2016-3494
Enterprise Manager Ops Center
OS Provisioning
HTTP
Yes
6.5
Adjacent Network
Low
None
None
Un changed
None
None
High
12.1.4, 12.2.2, 12.3.2
CVE-2016-3563
Enterprise Manager Base Platform
Security Framework
None
No
6.3
Local
Low
High
Required
Changed
Low
High
None
12.1.0.5
CVE-2016-2107
Enterprise Manager Base Platform
Discovery Framework
HTTP
Yes
5.9
Network
High
None
None
Un changed
High
None
None
12.1.0.5, 13.1.0.0
CVE-2015-3197
Enterprise Manager Ops Center
Networking
SSL/TLS
Yes
5.9
Network
High
None
None
Un changed
High
None
None
12.1.4, 12.2.2, 12.3.2
CVE-2016-3496
Enterprise Manager for Fusion Middleware
SOA Topology Viewer
HTTP
Yes
4.7
Network
Low
None
Required
Changed
Low
None
None
11.1.1.7, 11.1.1.9
CVE-2016-3540
Enterprise Manager Base Platform
UI Framework
HTTP
Yes
4.3
Network
Low
None
Required
Un changed
Low
None
None
12.1.0.5, 13.1.0.0
CVE-2015-0228
Enterprise Manager Ops Center
Update Provisioning
HTTP
Yes
4.3
Network
Low
None
Required
Un changed
None
None
Low
12.1.4, 12.2.2, 12.3.2
Additional CVEs addressed:
- The fix for CVE-2015-3237 also addresses CVE-2015-3236.
Appendix - Oracle Applications****Oracle E-Business Suite Executive Summary
This Critical Patch Update contains 23 new security fixes for the Oracle E-Business Suite. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle E-Business Suite Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-3546
Oracle Advanced Collections
Report JSPs
HTTP
Yes
9.1
Network
Low
None
None
Un changed
High
High
None
12.1.1, 12.1.2, 12.1.3
CVE-2016-3541
Oracle Common Applications Calendar
Notes
HTTP
Yes
9.1
Network
Low
None
None
Un changed
High
High
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3543
Oracle Common Applications Calendar
Tasks
HTTP
Yes
9.1
Network
Low
None
None
Un changed
High
High
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3532
Oracle Advanced Inbound Telephony
SDK client integration
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1, 12.1.2, 12.1.3
CVE-2016-3535
Oracle CRM Technical Foundation
Remote Launch
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.3
CVE-2016-3491
Oracle CRM Technical Foundation
Wireless Framework
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.3
CVE-2016-3512
Oracle Customer Interaction History
Function Security
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1, 12.1.2, 12.1.3
CVE-2016-3536
Oracle Marketing
Deliverables
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1, 12.1.2, 12.1.3
CVE-2016-3522
Oracle Web Applications Desktop Integrator
Application Service
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3528
Oracle Internet Expenses
Expenses Admin Utilities
HTTP
Yes
7.5
Network
Low
None
None
Un changed
None
None
High
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3524
Oracle Applications Technology Stack
Configuration
HTTP
Yes
6.5
Network
Low
None
None
Un changed
Low
Low
None
12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3542
Oracle Knowledge Management
Search, Browse
HTTP
No
6.5
Network
Low
High
None
Un changed
High
High
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3525
Oracle Applications Manager
Cookie Management
HTTP
Yes
5.9
Network
High
None
None
Un changed
High
None
None
12.1.3
CVE-2016-3545
Oracle Application Object Library
Web based help screens
HTTP
Yes
5.3
Network
Low
None
None
Un changed
Low
None
None
12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3549
Oracle E-Business Suite Secure Enterprise Search
Search Integration Engine
HTTP
Yes
5.3
Network
Low
None
None
Un changed
Low
None
None
12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3548
Oracle Marketing
Marketing activity collateral
HTTP
Yes
5.3
Network
Low
None
None
Un changed
Low
None
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3547
Oracle One-to-One Fulfillment
Content Manager
HTTP
Yes
5.3
Network
Low
None
None
Un changed
Low
None
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3520
Oracle Application Object Library
AOL Diagnostic tests
HTTP
No
4.9
Network
Low
High
None
Un changed
High
None
None
12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3558
Oracle Email Center
Email Center Agent Console
HTTP
Yes
4.7
Network
Low
None
Required
Changed
None
Low
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3559
Oracle Email Center
Email Center Agent Console
HTTP
Yes
4.7
Network
Low
None
Required
Changed
None
Low
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3534
Oracle Installed Base
Engineering Change Order
HTTP
Yes
4.7
Network
Low
None
Required
Changed
None
Low
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3533
Oracle Knowledge Management
Search
HTTP
Yes
4.7
Network
Low
None
Required
Changed
None
Low
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3523
Oracle Web Applications Desktop Integrator
Application Service
HTTP
Yes
4.7
Network
Low
None
Required
Changed
None
Low
None
12.1.3, 12.2.3, 12.2.4, 12.2.5
Oracle Supply Chain Products Suite Executive Summary
This Critical Patch Update contains 25 new security fixes for the Oracle Supply Chain Products Suite. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Supply Chain Products Suite Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-3468
Oracle Agile Engineering Data Management
Install
HTPP
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
6.1.3.0, 6.2.0.0
CVE-2016-3556
Oracle Agile PLM
EM Integration
HTTP
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
9.3.4, 9.3.5
CVE-2016-3527
Oracle Demand Planning
ODPDA Servlet
HTTP
Yes
9.1
Network
Low
None
None
Un changed
High
High
None
12.1, 12.2
CVE-2016-3554
Oracle Agile PLM
PC / BOM, MCAD, Design
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
9.3.4, 9.3.5
CVE-2015-7501
Oracle Transportation Management
Web Container
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1
CVE-2016-3526
Oracle Agile PLM
SDK
HTTP
Yes
7.5
Network
Low
None
None
Un changed
High
None
None
9.3.4, 9.3.5
CVE-2016-3561
Oracle Agile PLM
SDK
HTTP
Yes
7.3
Network
Low
None
None
Un changed
Low
Low
Low
9.3.4, 9.3.5
CVE-2016-3538
Oracle Agile PLM
File Folders / Attachment
HTTP
No
7.1
Network
Low
Low
None
Un changed
None
High
Low
9.3.4, 9.3.5
CVE-2016-3539
Oracle Agile PLM
File Folders / Attachment
HTTP
No
7.1
Network
Low
Low
None
Un changed
None
High
Low
9.3.4, 9.3.5
CVE-2016-3530
Oracle Agile PLM
PGC / Import
HTTP
No
7.1
Network
Low
Low
None
Un changed
None
High
Low
9.3.4, 9.3.5
CVE-2016-3470
Oracle Transportation Management
Install
HTTP
No
7.1
Network
Low
Low
None
Un changed
High
Low
None
6.4.1
CVE-2016-3537
Oracle Agile PLM
File Folders / Attachment
HTTP
No
6.5
Network
Low
Low
None
Un changed
High
None
None
9.3.4, 9.3.5
CVE-2016-3557
Oracle Agile PLM
File Load
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.3.4, 9.3.5
CVE-2016-3519
Oracle Agile PLM
PC / Get Shortcut
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.3.4, 9.3.5
CVE-2016-3555
Oracle Agile PLM
PGC / Excel Plugin
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.3.4, 9.3.5
CVE-2016-2107
Oracle Agile Engineering Data Management
Install
HTTP
Yes
5.9
Network
High
None
None
Un changed
High
None
None
6.1.3.0, 6.2.0.0
CVE-2016-3529
Oracle Agile PLM
SDK
HTTP
Yes
5.8
Network
Low
None
None
Changed
Low
None
None
9.3.4, 9.3.5
CVE-2016-3509
Oracle Agile PLM
File Folders / URL Attachment
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
9.3.4, 9.3.5
CVE-2016-3553
Oracle Agile PLM
PC Core
HTTP
No
5.4
Network
Low
Low
None
Un changed
Low
Low
None
9.3.4, 9.3.5
CVE-2016-3560
Oracle Agile PLM
SDK
HTTP
Yes
5.3
Network
Low
None
None
Un changed
Low
None
None
9.3.4, 9.3.5
CVE-2016-3517
Oracle Agile PLM
PC / Get Shortcut
HTTP
Yes
4.3
Network
Low
None
Required
Un changed
None
Low
None
9.3.4, 9.3.5
CVE-2016-3507
Oracle Agile PLM
WebClient / Admin
HTTP
Yes
4.3
Network
Low
None
Required
Un changed
None
Low
None
9.3.4, 9.3.5
CVE-2016-3531
Oracle Agile PLM
PC / Notification
HTTP
No
3.5
Network
Low
Low
Required
Un changed
Low
None
None
9.3.4, 9.3.5
CVE-2016-5473
Oracle Agile PLM
File Folders / Attachment
HTTP
No
3.1
Network
High
Low
None
Un changed
Low
None
None
9.3.4, 9.3.5
CVE-2016-3490
Oracle Transportation Management
Database
HTTP
No
3.0
Network
High
Low
Required
Changed
Low
None
None
6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1
Oracle PeopleSoft Products Executive Summary
This Critical Patch Update contains 7 new security fixes for Oracle PeopleSoft Products. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle PeopleSoft Products Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-5465
PeopleSoft Enterprise PeopleTools
Panel Processor
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
8.53, 8.54, 8.55
CVE-2016-5472
PeopleSoft Enterprise PeopleTools
Install and Packaging
None
No
7.8
Local
Low
Low
None
Un changed
High
High
High
8.54, 8.55
CVE-2016-3483
PeopleSoft Enterprise PeopleTools
File Processing
HTTP
Yes
7.2
Network
Low
None
None
Changed
Low
None
Low
8.53, 8.54, 8.55
CVE-2016-5470
PeopleSoft Enterprise PeopleTools
Application Designer
HTTP
Yes
6.5
Network
Low
None
Required
Un changed
High
None
None
8.54, 8.55
CVE-2016-3478
PeopleSoft Enterprise PeopleTools
File Processing
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.53, 8.54, 8.55
CVE-2016-2107
PeopleSoft Enterprise PeopleTools
Security
HTTP
Yes
5.9
Network
High
None
None
Un changed
High
None
None
8.53, 8.54, 8.55
CVE-2016-5467
PeopleSoft Enterprise FSCM
eProcurement
HTTP
No
5.4
Network
Low
Low
None
Un changed
Low
Low
None
9.1, 9.2
Additional CVEs addressed:
- The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176.
Oracle JD Edwards Products Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle JD Edwards Products. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle JD Edwards Products Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-3197
JD Edwards EnterpriseOne Tools
Enterprise Infrastructure SEC
HTTP
Yes
5.9
Network
High
None
None
Un changed
High
None
None
9.2.0.5
Oracle Siebel CRM Executive Summary
This Critical Patch Update contains 16 new security fixes for Oracle Siebel CRM. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Siebel CRM Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-5451
Siebel UI Framework
EAI
HTTP
No
8.1
Network
Low
Low
None
Un changed
High
High
None
8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-3476
Oracle Knowledge
Information Manager Console
HTTP
Yes
6.5
Network
Low
None
None
Un changed
Low
Low
None
8.5.x
CVE-2016-5461
Siebel Core - Server Framework
Object Manager
HTTP
No
6.5
Network
Low
Low
None
Un changed
High
None
None
8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-3472
Siebel Engineering - Installer and Deployment
Web Server
HTTP
No
5.7
Network
Low
Low
Required
Un changed
High
None
None
8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5468
Siebel UI Framework
EAI
HTTP
No
5.4
Network
Low
Low
None
Un changed
Low
Low
None
8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5456
Siebel Core - Server Framework
Services
HTTP
No
5.3
Network
High
Low
None
Un changed
High
None
None
8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5459
Siebel Core - Common Components
iHelp
HTTP
Yes
4.7
Network
Low
None
Required
Changed
None
Low
None
8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5450
Siebel UI Framework
UIF Open UI
HTTP
Yes
4.7
Network
Low
None
Required
Changed
None
Low
None
8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-3475
Oracle Knowledge
Information Manager Console
HTTP
No
4.3
Network
Low
Low
None
Un changed
Low
None
None
8.5.x
CVE-2016-5463
Siebel UI Framework
SWSE Server
HTTP
No
4.1
Network
Low
Low
Required
Changed
None
Low
None
8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5464
Siebel UI Framework
SWSE Server
HTTP
No
4.1
Network
Low
Low
Required
Changed
None
Low
None
8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-3450
Siebel Core - Server Framework
Services
HTTP
Yes
3.7
Network
High
None
None
Un changed
Low
None
None
8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5460
Siebel Core - Server Framework
Services
HTTP
Yes
3.7
Network
High
None
None
Un changed
Low
None
None
8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5466
Siebel Core - Server Framework
Services
HTTP
Yes
3.7
Network
High
None
None
Un changed
Low
None
None
8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-3469
Siebel Core - Server Framework
Services
None
No
3.3
Local
Low
Low
None
Un changed
Low
None
None
8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5462
Siebel Core - Server Framework
Workspaces
HTTP
No
2.7
Network
Low
High
None
Un changed
Low
None
None
8.1.1, 8.2.2, IP2014, IP2015, IP2016
Appendix - Oracle Communications Applications****Oracle Communications Applications Executive Summary
This Critical Patch Update contains 16 new security fixes for Oracle Communications Applications. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Communications Applications Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-0235
Oracle Communications EAGLE Application Processor
Other
HTTP
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
16.0
CVE-2015-7182
Oracle Communications Messaging Server
Security
HTTP
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
Prior to 7.0.5.37.0 and 8.0.1.1.0
CVE-2015-7501
Oracle Communications ASAP
Service request translator
T3
No
8.8
Network
Low
Low
None
Un changed
High
High
High
7.0, 7.2, 7.3
CVE-2014-3571
Oracle Communications Core Session Manager
Routing
TLS
Yes
7.5
Network
Low
None
None
Un changed
None
None
High
7.2.5, 7.3.5
CVE-2016-3515
Oracle Enterprise Communications Broker
Crash, network, system, admin
HTTP
Yes
7.5
Network
Low
None
None
Un changed
High
None
None
Prior to PCz 2.0.0m4p1
CVE-2016-3513
Oracle Communications Operations Monitor
Infrastructure
HTTPS
No
6.5
Network
Low
Low
None
Un changed
High
None
None
Prior to 3.3.92.0.0
CVE-2016-3514
Oracle Enterprise Communications Broker
GUI
HTTP
No
6.5
Network
Low
Low
None
Un changed
High
None
None
Prior to PCz 2.0.0m4p1
CVE-2016-5458
Oracle Communications EAGLE Application Processor
APPL
HTTP
No
6.4
Network
Low
Low
None
Changed
Low
Low
None
16.0
CVE-2015-3197
Oracle Communications Network Charging and Control
DAP, OSD, PI
TLS/SSL
Yes
5.9
Network
High
None
None
Un changed
High
None
None
5.0.2.0.0, 5.0.1.0.0, 5.0.0.2.0, 5.0.0.1.0, 4.4.1.5.0
CVE-2016-2107
Oracle Communications Unified Session Manager
Routing
TLS
Yes
5.9
Network
High
None
None
Un changed
High
None
None
7.2.5, 7.3.5
CVE-2016-5455
Oracle Communications Messaging Server
Multiplexor
HTTP
Yes
5.3
Network
Low
None
None
Un changed
Low
None
None
6.3, 7.0, 8.0
CVE-2014-9708
Oracle Enterprise Communications Broker
GUI
HTTP
Yes
5.3
Network
Low
None
None
Un changed
None
None
Low
Prior to PCz 2.0.0m4p1
CVE-2016-0702
Oracle Communications Session Border Controller
Encryption
TLS
Yes
4.8
Network
High
None
None
Un changed
Low
Low
None
7.2.0, 7.3.0
CVE-2015-2808
Oracle Communications Policy Management
Security
HTTP
Yes
3.7
Network
High
None
None
Un changed
Low
None
None
Prior to 9.9.2
CVE-2015-5300
Oracle Communications Session Border Controller
System
NTP
No
3.7
Adjacent Network
High
Low
None
Un changed
Low
None
Low
7.2.0, 7.3.0
CVE-2016-3516
Oracle Enterprise Communications Broker
GUI
HTTP
No
3.1
Network
High
Low
None
Un changed
Low
None
None
Prior to PCz 2.0.0m4p1
Additional CVEs addressed:
- The fix for CVE-2014-3571 also addresses CVE-2014-3569, CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, and CVE-2015-0206.
- The fix for CVE-2015-5300 also addresses CVE-2015-7704, and CVE-2015-8138.
- The fix for CVE-2015-7182 also addresses CVE-2015-7181, CVE-2015-7183, and CVE-2015-7575.
- The fix for CVE-2016-0702 also addresses CVE-2016-0705, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, and CVE-2016-0800.
- The fix for CVE-2016-5455 also addresses CVE-2015-7181, CVE-2015-7183, CVE-2015-7575, CVE-2016-1938, and CVE-2016-1978.
Appendix - Oracle Financial Services Applications****Oracle Financial Services Applications Executive Summary
This Critical Patch Update contains 4 new security fixes for Oracle Financial Services Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Financial Services Applications Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-7501
Oracle Banking Platform
Rules collections
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
2.3.0, 2.4.0, 2.4.1
CVE-2014-0224
Oracle Financial Services Lending and Leasing
Admin and setup
HTTP
Yes
7.3
Network
Low
None
None
Un changed
Low
Low
Low
14.1 , 14.2
CVE-2016-3589
Oracle FLEXCUBE Direct Banking
Base
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.0.1, 12.0.2, 12.0.3
CVE-2016-1181
Oracle Banking Platform
OPS
HTTP
Yes
3.1
Network
High
None
Required
Un changed
None
Low
None
2.3.0, 2.4.0, 2.4.1, 2.5.0
Additional CVEs addressed:
- The fix for CVE-2016-1181 also addresses CVE-2016-1182.
Appendix - Oracle Health Sciences Applications****Oracle Health Sciences Applications Executive Summary
This Critical Patch Update contains 5 new security fixes for Oracle Health Sciences Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Health Sciences Applications Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-3253
Oracle Health Sciences Clinical Development Center
Installation and configuration
HTTP
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
3.1.1.x, 3.1.2.x
CVE-2015-7501
Oracle Health Sciences Clinical Development Center
Installation and configuration
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
3.1.1.x, 3.1.2.x
CVE-2016-0635
Oracle Health Sciences Information Manager
Health Policy Monitor
TLS, UDP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
1.2.8.3, 2.0.2.3, 3.0.1.0
CVE-2015-7501
Oracle Healthcare Analytics Data Integration
Self Service Analytics
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
3.1.0.0.0
CVE-2016-0635
Oracle Healthcare Master Person Index
Internal operations
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
2.0.12, 3.0.0, 4.0.1
Appendix - Oracle Insurance Applications****Oracle Insurance Applications Executive Summary
This Critical Patch Update contains 8 new security fixes for Oracle Insurance Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Insurance Applications Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-7501
Oracle Documaker
Development tools
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
Prior to 12.5
CVE-2016-0635
Oracle Documaker
Development tools
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
Prior to 12.5
CVE-2015-7501
Oracle Insurance Calculation Engine
Architecture
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
9.7.1, 10.1.2, 10.2.2
CVE-2016-0635
Oracle Insurance Calculation Engine
Architecture
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
9.7.1, 10.1.2, 10.2.2
CVE-2015-7501
Oracle Insurance Policy Administration J2EE
Architecture
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
CVE-2016-0635
Oracle Insurance Policy Administration J2EE
Architecture
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
CVE-2015-7501
Oracle Insurance Rules Palette
Architecture
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
CVE-2016-0635
Oracle Insurance Rules Palette
Architecture
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
Appendix - Oracle Retail Applications****Oracle Retail Applications Executive Summary
This Critical Patch Update contains 16 new security fixes for Oracle Retail Applications. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Retail Applications Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-3444
Oracle Retail Integration Bus
Install
HTTP
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
13.0, 13.1, 13.2, 14.0, 14.1, 15.0
CVE-2015-3253
Oracle Retail Order Broker
System Administration
HTTP
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
4.1, 5.1, 5.2, 15.0
CVE-2015-3253
Oracle Retail Service Backbone
Install
HTTP
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
13.0, 13.1, 13.2, 14.0, 14.1, 15.0
CVE-2015-3253
Oracle Retail Store Inventory Management
SIMINT
HTTP
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
13.2, 14.0, 14.1
CVE-2015-7501
MICROS Retail XBRi Loss Prevention
Retail
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
CVE-2015-7501
Oracle Retail Central, Back Office, Returns Management
Install
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
12.0 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
CVE-2016-0635
Oracle Retail Integration Bus
Install
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
15.0
CVE-2016-0635
Oracle Retail Order Broker
Order Broker Foundation
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
5.1, 5.2, 15.0
CVE-2015-7501
Oracle Retail Service Backbone
Install
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
15.0
CVE-2016-5474
Oracle Retail Service Backbone
RSB Kernel
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
14.0, 14.1, 15.0
CVE-2016-3081
MICROS Retail XBRi Loss Prevention
Retail
HTTP
Yes
8.1
Network
High
None
None
Un changed
High
High
High
10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
CVE-2016-5476
Oracle Retail Integration Bus
Install
HTTP
No
7.6
Network
Low
Low
None
Un changed
High
Low
Low
13.0, 13.1, 13.2, 14.0, 14.1, 15.0
CVE-2016-3565
Oracle Retail Order Broker
System Administration
HTTP
No
7.6
Network
Low
Low
None
Un changed
Low
High
Low
5.1, 5.2
CVE-2016-5475
Oracle Retail Service Backbone
Install
HTTP
No
7.6
Network
Low
Low
None
Un changed
High
Low
Low
14.0, 14.1, 15.0
CVE-2015-7501
Oracle Retail Store Inventory Management
SIMINT
HTTP
No
6.3
Network
Low
Low
None
Un changed
Low
Low
Low
12.0, 13.0, 13.1, 13.2, 14.0, 14.1
CVE-2016-3611
Oracle Retail Order Broker
System Administration
HTTP
Yes
5.4
Network
Low
None
Required
Un changed
Low
Low
None
15.0
Appendix - Oracle Utilities Applications****Oracle Utilities Applications Executive Summary
This Critical Patch Update contains 3 new security fixes for Oracle Utilities Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Utilities Applications Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-7501
Oracle Utilities Framework
System wide
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
2.2.0.0.0, 4.1.0.1.0, 4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.2.0
CVE-2015-7501
Oracle Utilities Network Management System
System wide
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
1.10.0.6.27, 1.11.0.4.41, 1.11.0.5.4, 1.12.0.1.16, 1.12.0.2.12. 1.12.0.3.5
CVE-2015-7501
Oracle Utilities Work and Asset Management
Integrations
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
1.9.1.2.8
Appendix - Oracle Policy Automation****Oracle Policy Automation Executive Summary
This Critical Patch Update contains 4 new security fixes for Oracle Policy Automation. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Policy Automation Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-7501
Oracle In-Memory Policy Analytics
Analysis Server
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
12.0.1
CVE-2015-7501
Oracle Policy Automation
Determinations Engine
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 12.1.0, 12.1.1
CVE-2015-7501
Oracle Policy Automation Connector for Siebel
Determinations Server
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6
CVE-2015-7501
Oracle Policy Automation for Mobile Devices
Mobile Application
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
12.1.1
Appendix - Oracle Primavera Products Suite****Oracle Primavera Products Suite Executive Summary
This Critical Patch Update contains 15 new security fixes for the Oracle Primavera Products Suite. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Primavera Products Suite Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-7501
Primavera Contract Management
PCM application
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
14.2
CVE-2016-0635
Primavera Contract Management
PCM web services
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
14.2
CVE-2015-7501
Primavera P6 Enterprise Project Portfolio Management
Web access
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
8.2, 8.3, 8.4, 15.1, 15.2, 16.1
CVE-2016-0635
Primavera P6 Enterprise Project Portfolio Management
Web access
HTTP
No
8.8
Network
Low
Low
None
Un changed
High
High
High
8.2, 8.3, 8.4, 15.1, 15.2, 16.1
CVE-2015-1791
Primavera P6 Enterprise Project Portfolio Management
Project manager
HTTP
Yes
6.5
Network
High
None
None
Changed
Low
Low
Low
8.3, 8.4, 15.1
CVE-2016-3572
Primavera P6 Enterprise Project Portfolio Management
Web Access
HTTP
No
6.4
Network
Low
Low
None
Changed
Low
Low
None
8.3, 8.4, 15.1, 15.2, 16.1
CVE-2012-3137
Primavera P6 Enterprise Project Portfolio Management
Web access
HTTP
No
6.3
Network
Low
Low
None
Un changed
Low
Low
Low
8.2, 8.3, 8.4
CVE-2016-3566
Primavera P6 Enterprise Project Portfolio Management
Web access
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.3, 8.4, 15.1, 15.2, 16.1
CVE-2016-3568
Primavera P6 Enterprise Project Portfolio Management
Web access
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.3, 8.4, 15.1, 15.2, 16.1
CVE-2016-3569
Primavera P6 Enterprise Project Portfolio Management
Web access
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.3, 8.4, 15.1, 15.2, 16.1
CVE-2016-3570
Primavera P6 Enterprise Project Portfolio Management
Web access
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.3, 8.4, 15.1, 15.2, 16.1
CVE-2016-3571
Primavera P6 Enterprise Project Portfolio Management
Web access
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.3, 8.4, 15.1, 15.2, 16.1
CVE-2016-3573
Primavera P6 Enterprise Project Portfolio Management
Web access
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.3, 8.4, 15.1, 15.2, 16.1
CVE-2015-3197
Primavera P6 Enterprise Project Portfolio Management
Project manager
HTTP
Yes
5.9
Network
High
None
None
Un changed
High
None
None
8.3, 8.4, 15.1, 15.2
CVE-2016-3567
Primavera P6 Enterprise Project Portfolio Management
Web access
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
8.3, 8.4, 15.1, 15.2, 16.1
Additional CVEs addressed:
- The fix for CVE-2015-1791 also addresses CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, and CVE-2015-1792.
- The fix for CVE-2015-3197 also addresses CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, and CVE-2016-0701.
Appendix - Oracle Java SE****Oracle Java SE Executive Summary
This Critical Patch Update contains 13 new security fixes for Oracle Java SE. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.
Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.
Oracle Java SE Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-3587
Java SE, Java SE Embedded
Hotspot
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 8u92; Java SE Embedded: 8u91
See Note 1
CVE-2016-3606
Java SE, Java SE Embedded
Hotspot
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 7u101, 8u92; Java SE Embedded: 8u91
See Note 1
CVE-2016-3598
Java SE, Java SE Embedded
Libraries
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 8u92; Java SE Embedded: 8u91
See Note 1
CVE-2016-3610
Java SE, Java SE Embedded
Libraries
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 8u92; Java SE Embedded: 8u91
See Note 1
CVE-2016-3552
Java SE
Install
None
No
8.1
Local
High
None
None
Changed
High
High
High
Java SE: 8u92
See Note 2
CVE-2016-3511
Java SE
Deployment
None
No
7.7
Local
High
None
Required
Changed
High
High
High
Java SE: 7u101, 8u92
See Note 1
CVE-2016-3503
Java SE
Install
None
No
7.7
Local
High
None
Required
Changed
High
High
High
Java SE: 6u115, 7u101, 8u92
See Note 2
CVE-2016-3498
Java SE
JavaFX
Multiple
Yes
5.3
Network
Low
None
None
Un changed
None
None
Low
Java SE: 7u101, 8u92
See Note 1
CVE-2016-3500
Java SE, Java SE Embedded, JRockit
JAXP
Multiple
Yes
5.3
Network
Low
None
None
Un changed
None
None
Low
Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91; JRockit: R28.3.10
See Note 3
CVE-2016-3508
Java SE, Java SE Embedded, JRockit
JAXP
Multiple
Yes
5.3
Network
Low
None
None
Un changed
None
None
Low
Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91; JRockit: R28.3.10
See Note 3
CVE-2016-3458
Java SE, Java SE Embedded
CORBA
Multiple
Yes
4.3
Network
Low
None
Required
Un changed
None
Low
None
Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91
See Note 1
CVE-2016-3550
Java SE, Java SE Embedded
Hotspot
Multiple
Yes
4.3
Network
Low
None
Required
Un changed
Low
None
None
Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91
See Note 1
CVE-2016-3485
Java SE, Java SE Embedded, JRockit
Networking
None
No
2.9
Local
High
None
None
Un changed
None
Low
None
Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91; JRockit: R28.3.10
See Note 3
Notes:
- This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
- Applies to installation process on client deployment of Java.
- Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Appendix - Oracle Sun Systems Products Suite****Oracle Sun Systems Products Suite Executive Summary
This Critical Patch Update contains 34 new security fixes for the Oracle Sun Systems Products Suite. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Sun Systems Products Suite Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-5453
ILOM
IPMI
IPMI
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
3.0, 3.1, 3.2
CVE-2015-0235
Sun Data Center InfiniBand Switch 36
Firmware
Multiple
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
Versions prior to 2.2.2
CVE-2015-0235
Sun Network QDR InfiniBand Gateway Switch
Firmware
Multiple
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
Versions prior to 2.2.2
CVE-2016-5457
ILOM
LUMAIN
Multiple
No
8.8
Network
Low
Low
None
Un changed
High
High
High
3.0, 3.1, 3.2
CVE-2012-3410
ILOM
Restricted Shell
Multiple
No
8.8
Network
Low
Low
None
Un changed
High
High
High
3.0, 3.1, 3.2
CVE-2016-5445
ILOM
Authentication
Multiple
Yes
8.3
Network
Low
None
None
Changed
Low
Low
Low
3.0, 3.1, 3.2
CVE-2015-5600
ILOM
SSH
SSH
Yes
8.2
Network
Low
None
None
Un changed
Low
None
High
3.0, 3.1, 3.2
CVE-2016-3481
ILOM
Web
HTTP
No
7.7
Network
Low
Low
None
Changed
None
None
High
3.0, 3.1, 3.2
CVE-2016-5447
ILOM
Backup-Restore
HTTP
No
7.6
Network
Low
Low
None
Un changed
High
Low
Low
3.0, 3.1, 3.2
CVE-2016-5449
ILOM
Console Redirection
HTTP
Yes
7.5
Network
Low
None
None
Un changed
None
None
High
3.0, 3.1, 3.2
CVE-2016-3585
ILOM
Emulex
HTTPS
Yes
7.4
Network
High
None
None
Un changed
High
High
None
3.0, 3.1, 3.2
CVE-2016-5446
ILOM
Infrastructure
Multiple
Yes
7.3
Network
Low
None
None
Un changed
Low
Low
Low
3.0, 3.1, 3.2
CVE-2016-3584
Solaris
Libadimalloc
None
No
7.0
Local
High
Low
None
Un changed
High
High
High
11.3
CVE-2016-5448
ILOM
SNMP
SNMP
Yes
6.5
Network
Low
None
None
Un changed
None
Low
Low
3.0, 3.1, 3.2
CVE-2015-1793
ILOM
OpenSSL
SSL/TLS
Yes
6.5
Network
Low
None
None
Un changed
Low
Low
None
3.0, 3.1, 3.2
CVE-2015-3183
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers
XCP Firmware
HTTP
Yes
6.5
Network
Low
None
Required
Un changed
None
High
None
XCP prior to XCP1121
CVE-2015-8104
Solaris
Solaris Kernel Zones
None
No
6.5
Local
Low
Low
None
Changed
None
None
High
11.3
CVE-2016-5454
Solaris
Verified Boot
None
No
6.4
Local
High
Low
None
Changed
None
Low
High
11.3
CVE-2015-3197
40G 10G 72/64 Ethernet Switch
Firmware
SSL/TLS
Yes
5.9
Network
High
None
None
Un changed
High
None
None
2.0.0
CVE-2015-3197
Oracle Switch ES1-24
Firmware
SSL/TLS
Yes
5.9
Network
High
None
None
Un changed
High
None
None
1.3
CVE-2015-3197
Sun Blade 6000 Ethernet Switched NEM 24P 10GE
Firmware
SSL/TLS
Yes
5.9
Network
High
None
None
Un changed
High
None
None
1.2
CVE-2015-3197
Sun Network 10GE Switch 72p
Firmware
SSL/TLS
Yes
5.9
Network
High
None
None
Un changed
High
None
None
1.2
CVE-2016-3453
Solaris
Kernel
None
No
5.5
Local
Low
Low
None
Un changed
None
None
High
10
CVE-2016-3497
Solaris
Kernel
None
No
5.5
Local
Low
Low
None
Un changed
None
None
High
11.3
CVE-2016-5469
Solaris
Kernel
None
No
5.5
Local
Low
Low
None
Un changed
None
None
High
11.3
CVE-2016-5471
Solaris
Kernel
None
No
5.5
Local
Low
Low
None
Un changed
None
None
High
11.3
CVE-2016-5452
Solaris
Verified Boot
None
No
5.5
Local
Low
Low
None
Un changed
High
None
None
11.3
CVE-2013-2566
Fujitsu M10-1, M10-4, M10-4S Servers
XCP Firmware
SSL/TLS
Yes
5.3
Network
High
None
Required
Un changed
High
None
None
XCP prior to XCP2280
CVE-2016-0800
Fujitsu M10-1, M10-4, M10-4S Servers
XCP Firmware
SSL/TLS
Yes
5.3
Network
High
None
Required
Un changed
High
None
None
XCP prior to XCP2320
CVE-2015-2808
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers
XCP Firmware
SSL/TLS
Yes
5.3
Network
High
None
Required
Un changed
High
None
None
XCP prior to XCP1121
CVE-2016-3451
ILOM
Web
HTTP
Yes
4.7
Network
Low
None
Required
Changed
None
Low
None
3.0, 3.1, 3.2
CVE-2016-3480
Solaris Cluster
HA for Postgresql
None
No
4.4
Local
Low
High
None
Un changed
High
None
None
3.3, 4.3
CVE-2014-3566
Sun Data Center InfiniBand Switch 36
Firmware
HTTPS
Yes
3.1
Network
High
None
Required
Un changed
Low
None
None
Versions prior to 2.2.2
CVE-2014-3566
Sun Network QDR InfiniBand Gateway Switch
Firmware
HTTPS
Yes
3.1
Network
High
None
Required
Un changed
Low
None
None
Versions prior to 2.2.2
Appendix - Oracle Linux and Virtualization****Oracle Virtualization Executive Summary
This Critical Patch Update contains 4 new security fixes for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Virtualization Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-3613
Oracle Secure Global Desktop
OpenSSL
SSL/TLS
Yes
9.8
Network
Low
None
None
Un changed
High
High
High
4.63, 4.71, 5.2
CVE-2013-2064
Oracle Secure Global Desktop
X Server
X11
Yes
7.3
Network
Low
None
None
Un changed
Low
Low
Low
4.71, 5.2
CVE-2016-3612
Oracle VM VirtualBox
Core
SSL/TLS
Yes
5.9
Network
High
None
None
Un changed
High
None
None
VirtualBox prior to 5.0.22
CVE-2016-3597
Oracle VM VirtualBox
Core
None
No
5.5
Local
Low
Low
None
Un changed
None
None
High
VirtualBox prior to 5.0.26
Additional CVEs addressed:
- The fix for CVE-2016-3612 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, and CVE-2016-2176.
- The fix for CVE-2016-3613 also addresses CVE-2015-3193, CVE-2015-3194, CVE-2016-0702, CVE-2016-0797, CVE-2016-0799, CVE-2016-2105, and CVE-2016-2107.
Appendix - Oracle MySQL****Oracle MySQL Executive Summary
This Critical Patch Update contains 22 new security fixes for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle MySQL Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-3477
MySQL Server
Server: Parser
None
No
8.1
Local
High
None
None
Changed
High
High
High
5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-3440
MySQL Server
Server: Optimizer
MySQL Protocol
No
7.7
Network
Low
Low
None
Changed
None
None
High
5.7.11 and earlier
CVE-2016-2105
MySQL Server
Server: Security: Encryption
MySQL Protocol
Yes
7.5
Network
Low
None
None
Un changed
None
None
High
5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-3471
MySQL Server
Server: Option
None
No
7.5
Local
High
High
None
Changed
High
High
High
5.5.45 and earlier, 5.6.26 and earlier
CVE-2016-3486
MySQL Server
Server: FTS
MySQL Protocol
No
6.5
Network
Low
Low
None
Un changed
None
None
High
5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-3501
MySQL Server
Server: Optimizer
MySQL Protocol
No
6.5
Network
Low
Low
None
Un changed
None
None
High
5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-3518
MySQL Server
Server: Optimizer
MySQL Protocol
No
6.5
Network
Low
Low
None
Un changed
None
None
High
5.7.12 and earlier
CVE-2016-3521
MySQL Server
Server: Types
MySQL Protocol
No
6.5
Network
Low
Low
None
Un changed
None
None
High
5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-3588
MySQL Server
Server: InnoDB
MySQL Protocol
No
5.9
Network
High
Low
None
Un changed
None
Low
High
5.7.12 and earlier
CVE-2016-3615
MySQL Server
Server: DML
MySQL Protocol
No
5.3
Network
High
Low
None
Un changed
None
None
High
5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-3614
MySQL Server
Server: Security: Encryption
MySQL Protocol
No
5.3
Network
High
Low
None
Un changed
None
None
High
5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-5436
MySQL Server
Server: InnoDB
MySQL Protocol
No
4.9
Network
Low
High
None
Un changed
None
None
High
5.7.12 and earlier
CVE-2016-3459
MySQL Server
Server: InnoDB
MySQL Protocol
No
4.9
Network
Low
High
None
Un changed
None
None
High
5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-5437
MySQL Server
Server: Log
MySQL Protocol
No
4.9
Network
Low
High
None
Un changed
None
None
High
5.7.12 and earlier
CVE-2016-3424
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un changed
None
None
High
5.7.12 and earlier
CVE-2016-5439
MySQL Server
Server: Privileges
MySQL Protocol
No
4.9
Network
Low
High
None
Un changed
None
None
High
5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-5440
MySQL Server
Server: RBR
MySQL Protocol
No
4.9
Network
Low
High
None
Un changed
None
None
High
5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-5441
MySQL Server
Server: Replication
MySQL Protocol
No
4.9
Network
Low
High
None
Un changed
None
None
High
5.7.12 and earlier
CVE-2016-5442
MySQL Server
Server: Security: Encryption
MySQL Protocol
No
4.9
Network
Low
High
None
Un changed
None
None
High
5.7.12 and earlier
CVE-2016-5443
MySQL Server
Server: Connection
None
No
4.7
Local
High
None
Required
Un changed
None
None
High
5.7.12 and earlier
CVE-2016-5444
MySQL Server
Server: Connection
MySQL Protocol
Yes
3.7
Network
High
None
None
Un changed
Low
None
None
5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier
CVE-2016-3452
MySQL Server
Server: Security: Encryption
MySQL Protocol
Yes
3.7
Network
High
None
None
Un changed
Low
None
None
5.5.48 and earlier, 5.6.29 and earlier, 5.7.10 and earlier
Additional CVEs addressed:
- The fix for CVE-2016-2105 also addresses CVE-2016-2106.
Why Oracle
- Analyst Reports
- Gartner MQ for Cloud ERP
- Cloud Economics
- Corporate Responsibility
- Diversity and Inclusion
- Security Practices
Learn
- What is cloud computing?
- What is CRM?
- What is Docker?
- What is Kubernetes?
- What is Python?
- What is SaaS?
What’s New
News
Oracle CloudWorld
Oracle Supports Ukraine
Oracle Red Bull Racing
Oracle Sustainability
Employee Experience Platform
© 2022 Oracle
Site Map
Privacy/Do Not Sell My Info
Ad Choices
Careers
Facebook
Twitter
LinkedIn
YouTube
Related news
IBM Security Verify Governance 10.0 does not encrypt sensitive or critical information before storage or transmission. IBM X-Force ID: 256020.
An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.
The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites.
PyroCMS v3.9 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities.
Fossil 2.18 on Windows allows attackers to cause a denial of service (daemon crash) via an XSS payload in a ticket. This occurs because the ticket data is stored in a temporary file, and the product does not properly handle the absence of this file after Windows Defender has flagged it as malware.
An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin.
libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201.
Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
Nexans FTTO GigaSwitch industrial/office switches HW version 5 suffer from having a hardcoded backdoor user and multiple outdated vulnerable software components.
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption.
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158332.
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/A...
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the l...
Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege.
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command.
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated.
The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack.
Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c.
Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.
The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.
The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.
Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to GIS.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a "SMACK SKIP-TLS" issue.
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
Embedthis Appweb before 4.6.6 and 5.x before 5.2.1 allows remote attackers to cause a denial of service (NULL pointer dereference) via a Range header with an empty value, as demonstrated by "Range: x=,".
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR.
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Information Schema.
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.