Headline
CVE-2017-3636: Oracle Critical Patch Update Advisory - July 2017
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Click to view our Accessibility Policy
Skip to content
Security Alerts
Oracle Critical Patch Update Advisory - July 2017****Description
A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to: Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.
This Critical Patch Update contains 310 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at July 2017 Critical Patch Update: Executive Summary and Analysis.
Please note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).
This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available here.
Affected Products and Components
Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Affected Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for patch availability information and installation instructions.
For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update July 2017 Documentation Map, My Oracle Support Note.
The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:
Affected Products and Versions
Patch Availability
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1
Database
Oracle REST Data Services, versions prior to 3.0.10.25.02.36
Database
Oracle API Gateway, version 11.1.2.4.0
Fusion Middleware
Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
Fusion Middleware
Oracle Data Integrator, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0
Fusion Middleware
Oracle Endeca Server, versions 7.3.0.0, 7.4.0.0, 7.5.0.0, 7.5.1.0, 7.6.0.0, 7.6.1.0, 7.7.0.0
Fusion Middleware
Oracle Enterprise Data Quality, version 8.1.13.0.0
Fusion Middleware
Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0
Fusion Middleware
Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.1, 12.2.1.2
Fusion Middleware
Oracle OpenSSO, version 3.0.0.8
Fusion Middleware
Oracle Outside In Technology, version 8.5.3.0
Fusion Middleware
Oracle Secure Enterprise Search, version 11.2.2.2.0
Fusion Middleware
Oracle Service Bus, version 11.1.1.9.0
Fusion Middleware
Oracle Traffic Director, versions 11.1.1.7.0, 11.1.1.9.0
Fusion Middleware
Oracle Tuxedo, version 12.1.1
Fusion Middleware
Oracle Tuxedo System and Applications Monitor, versions 11.1.1.2.0, 11.1.1.2.1, 11.1.1.2.2, 12.1.1.1.0, 12.1.3.0.0, 12.2.2.0.0
Fusion Middleware
Oracle WebCenter Content, versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
Fusion Middleware
Hyperion Essbase, version 12.2.1.1
Fusion Middleware
Enterprise Manager Base Platform, versions 12.1.0, 13.1.0, 13.2.0
Enterprise Manager
Enterprise Manager Ops Center, versions 12.2.2, 12.3.2
Enterprise Manager
Oracle Application Testing Suite, versions 12.5.0.2, 12.5.0.3
Enterprise Manager
Oracle Business Transaction Management, versions 11.1.x, 12.1.x
Enterprise Manager
Oracle Configuration Manager, versions prior to 12.1.2.0.4
Enterprise Manager
Application Management Pack for Oracle E-Business Suite, versions AMP 12.1.0.4.0, AMP 13.1.1.1.0
E-Business Suite
Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
E-Business Suite
Oracle Agile PLM, versions 9.3.5, 9.3.6
Oracle Supply Chain Products
Oracle Transportation Management, versions 6.1, 6.2, 6.3.4.1, 6.3.5.1, 6.3.6.1, 6.3.7.1, 6.4.0, 6.4.1, 6.4.2
Oracle Supply Chain Products
PeopleSoft Enterprise FSCM, version 9.2
PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55
PeopleSoft
PeopleSoft Enterprise PRTL Interaction Hub, version 9.1.0
PeopleSoft
Siebel Applications, versions 16.0, 17.0
Siebel
Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 6.1.4, 11.0, 11.1, 11.2
Oracle Commerce
Oracle iLearning, version 6.2
iLearning
Oracle Fusion Applications, versions 11.1.2 through 11.1.9
Fusion Applications
Oracle Communications BRM, versions 11.2.0.0.0, 11.3.0.0.0
Oracle Communications BRM - Elastic Charging Engine
Oracle Communications Convergence, versions 3.0, 3.0.1
Oracle Communications Convergence
Oracle Communications EAGLE LNP Application Processor, version 10.0
Oracle Communications EAGLE LNP Application Processor
Oracle Communications Network Charging and Control, versions 4.4.1.5, 5.0.0.1, 5.0.0.2, 5.0.1.0, 5.0.2.0
Oracle Communications Network Charging and Control
Oracle Communications Policy Management, version 11.5
Oracle Communications Policy Management
Oracle Communications Session Router, versions ECZ730, SCZ730, SCZ740
Oracle Communications Session Router
Oracle Enterprise Communications Broker, version PCZ210
Oracle Enterprise Communications Broker
Oracle Enterprise Session Border Controller, version ECZ7.3.0
Oracle Enterprise Session Border Controller
Financial Services Behavior Detection Platform, versions 8.0.1, 8.0.2
Oracle Financial Services Applications
Oracle Banking Platform, versions 2.3, 2.4, 2.4.1, 2.5
Oracle Banking Platform
Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3
Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, versions 2.0.0, 2.0.1, 2.2.0, 12.0.1
Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
Oracle Financial Services Applications
Hospitality Hotel Mobile, versions 1.01, 1.05, 1.1
Hospitality Hotel Mobile
Hospitality Property Interfaces, version 8.10.x
Hospitality Property Interfaces
Hospitality Suite8, version 8.10.x
Hospitality Suite8
Hospitality WebSuite8 Cloud Service, versions 8.9.6, 8.10.x
Hospitality WebSuite8 Cloud Service
MICROS BellaVita, version 2.7.x
MICROS BellaVita
MICROS PC Workstation 2015, versions Prior to O1302h
MICROS PC Workstation
MICROS Workstation 650, versions Prior to E1500n
MICROS Workstation
Oracle Hospitality 9700, version 4.0
Oracle Hospitality 9700
Oracle Hospitality Cruise AffairWhere, version 2.2.05.062
Hospitality Cruise AffairWhere
Oracle Hospitality Cruise Dining Room Management, version 8.0.75
Oracle Hospitality Cruise Dining Room Management
Oracle Hospitality Cruise Fleet Management, version 9.0
Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Cruise Materials Management, version 7.30.562
Oracle Hospitality Cruise Materials Management
Oracle Hospitality Cruise Shipboard Property Management System, version 8.0.0.0
Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality e7, version 4.2.1
Oracle Hospitality e7
Oracle Hospitality Guest Access, versions 4.2.0.0, 4.2.1.0
Oracle Hospitality Guest Access
Oracle Hospitality Inventory Management, versions 8.5.1, 9.0.0
Oracle Hospitality Inventory Management
Oracle Hospitality Materials Control, versions 8.31.4, 8.32.0
Oracle Hospitality Materials Control
Oracle Hospitality OPERA 5 Property Services, versions 5.4.0.x, 5.4.1.x, 5.4.3.x
Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Reporting and Analytics, versions 8.5.1, 9.0.0
Oracle Hospitality Reporting and Analytics
Oracle Hospitality RES 3700, version 5.5
Oracle Hospitality RES
Oracle Hospitality Simphony, versions 2.8, 2.9
Oracle Hospitality Simphony
Oracle Hospitality Simphony First Edition, version 1.7.1
Hospitality Simphony First Edition
Oracle Hospitality Simphony First Edition Venue Management, version 3.9
Hospitality Simphony First Edition Venue Management
Oracle Hospitality Suites Management, version 3.7
Hospitality Suites Management
Oracle Payment Interface, version 6.1.1
Oracle Payment Interface
Oracle Retail Allocation, versions 13.3.1, 14.0.4, 14.1.3, 15.0.1, 16.0.1
Retail Applications
Oracle Retail Customer Insights, versions 15.0, 16.0
Retail Applications
Oracle Retail Open Commerce Platform, versions 5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 15.0, 15.1
Retail Applications
Oracle Retail Warehouse Management System, versions 14.0.4, 14.1.3, 15.0.1
Retail Applications
Oracle Retail Workforce Management, versions 1.60.7, 1.64.0
Retail Applications
Oracle Retail Xstore Point of Service, versions 6.0.x, 6.5.x, 7.0.x, 7.1.x, 15.0.x, 16.0.0
Retail Applications
Oracle Policy Automation, versions 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3
Oracle Policy Automation
Primavera Gateway, versions 1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2
Oracle Primavera Products Suite
Primavera P6 Enterprise Project Portfolio Management, versions 8.3, 8.4, 15.1, 15.2, 16.1, 16.2
Oracle Primavera Products Suite
Primavera Unifier, versions 9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1, 16.2
Oracle Primavera Products Suite
Java Advanced Management Console, version 2.6
Oracle Java SE
Oracle Java SE, versions 6u151, 7u141, 8u131
Oracle Java SE
Oracle Java SE Embedded, version 8u131
Oracle Java SE
Oracle JRockit, version R28.3.14
Oracle Java SE
Solaris, versions 10, 11
Oracle and Sun Systems Products Suite
Solaris Cluster, version 4
Oracle and Sun Systems Products Suite
Sun ZFS Storage Appliance Kit (AK), version AK 2013
Oracle and Sun Systems Products Suite
Oracle VM VirtualBox, versions prior to 5.1.24
Oracle Linux and Virtualization
MySQL Cluster, versions 7.3.5 and prior
Oracle MySQL Product Suite
MySQL Connectors, versions 5.3.7 and prior, 6.1.10 and prior
Oracle MySQL Product Suite
MySQL Enterprise Monitor, versions 3.1.5.7958 and prior, 3.2.5.1141 and prior, 3.2.7.1204 and prior, 3.3.2.1162 and prior, 3.3.3.1199 and prior
Oracle MySQL Product Suite
MySQL Server, versions 5.5.56 and prior, 5.6.36 and prior, 5.7.18 and prior
Oracle MySQL Product Suite
Oracle Explorer, versions prior to 8.16
Oracle Support Tools
Note:
- Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
- Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
- Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates (CPUs) and Solaris Third Party bulletins.
Risk Matrix Content
Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here .
Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.
Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).
Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.
Workarounds
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible . Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
Skipped Critical Patch Updates
Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.
Product Dependencies
Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update July 2017 Availability Document, My Oracle Support Note 2261562.1.
Critical Patch Update Supported Products and Versions
Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
Products in Extended Support
Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.
Credit Statement
The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:
- Adam Willard of Blue Canopy: CVE-2017-10040
- Antonio Sanso: CVE-2017-10176
- Ary Dobrovolskiy of Citadel: CVE-2017-10119
- Behzad Najjarpour Jabbari, Secunia Research at Flexera Software: CVE-2017-10141, CVE-2017-10196
- CERT/CC: CVE-2017-10042
- Che-Chun Kuo of Divergent Security: CVE-2017-10137
- Daniel Bleichenbacher of Google: CVE-2017-10115, CVE-2017-10118
- David Litchfield of Apple: CVE-2017-10120
- Deniz Cevik of Biznet Bilisim A.S: CVE-2017-10063
- Dmitrii Iudin aka @ret5et of ERPScan: CVE-2017-10106, CVE-2017-10146
- Emiliano J. Fausto of Onapsis: CVE-2017-10192
- Federico Dobal of Onapsis: CVE-2017-10192
- Gaston Traberg of Onapsis: CVE-2017-10108, CVE-2017-10109, CVE-2017-10180
- Hassan El Hadary - Secure Misr: CVE-2017-10181
- Ilya Maykov: CVE-2017-10135
- Jakub Palaczynski of ING Services Polska: CVE-2017-10025, CVE-2017-10028, CVE-2017-10029, CVE-2017-10030, CVE-2017-10156, CVE-2017-10157
- James Forshaw: CVE-2017-10129, CVE-2017-10204
- Jayson Grace of Sandia National Laboratories: CVE-2017-10017
- John Lightsey: CVE-2017-3636
- Juan Pablo Perez Etchegoyen of Onapsis: CVE-2017-10244, CVE-2017-10245
- Justin Ng of Spark: CVE-2017-10134
- Li Qiang of the Qihoo 360 Gear Team: CVE-2017-10187, CVE-2017-10209, CVE-2017-10210, CVE-2017-10236, CVE-2017-10237, CVE-2017-10238, CVE-2017-10239, CVE-2017-10240, CVE-2017-10241, CVE-2017-10242
- Luca Napolitano of Hewlett Packard Enterprise: CVE-2017-10058
- Lucas Molas of Fundación Sadosky: CVE-2017-10235
- Lukasz Mikula: CVE-2017-10059
- Marcin Wołoszyn of ING Services Polska: CVE-2017-10024, CVE-2017-10030, CVE-2017-10035, CVE-2017-10043, CVE-2017-10091
- Marcus Mengs: CVE-2017-10125
- Marios Nicolaides of RUNESEC: CVE-2017-10046
- Maris Elsins of Pythian: CVE-2017-3562
- Matias Mevied of Onapsis: CVE-2017-10184, CVE-2017-10185, CVE-2017-10186, CVE-2017-10191
- Mohit Rawat: CVE-2017-10041
- Moritz Bechler: CVE-2017-10102, CVE-2017-10116
- Or Hanuka of Motorola Solutions: CVE-2017-10038, CVE-2017-10131, CVE-2017-10149, CVE-2017-10150, CVE-2017-10160
- Owais Mehtab of IS: CVE-2017-10075
- Reno Robert: CVE-2017-10210, CVE-2017-10233, CVE-2017-10236, CVE-2017-10239, CVE-2017-10240
- Roman Shalymov of ERPScan: CVE-2017-10061
- Sarath Nair: CVE-2017-10246
- Sean Gambles: CVE-2017-10025
- Sergio Abraham of Onapsis: CVE-2017-10192
- Shannon Hickey of Adobe: CVE-2017-10053
- Sule Bekin of Turk Telekom: CVE-2017-10028
- Takeshi Terada of Mitsui Bussan Secure Directions, Inc.: CVE-2017-10178
- Tayeeb Rana of IS: CVE-2017-10075
- Tzachy Horesh of Motorola Solutions: CVE-2017-10038, CVE-2017-10131, CVE-2017-10149, CVE-2017-10150, CVE-2017-10160
- Tzachy Horesh of Palantir Security: CVE-2017-10092, CVE-2017-10093, CVE-2017-10094
- Ubais PK of EY Global Delivery Services: CVE-2017-10073
- Vahagn Vardanyan of ERPScan: CVE-2017-10147, CVE-2017-10148
- Zuozhi Fan formerly of Alibaba: CVE-2017-3640, CVE-2017-3641
Security-In-Depth Contributors
Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.
In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:
- Christopher Tarquini
- Francis Alexander
- Francisco Correa
- George Argyros of Columbia University
- Jesse Wilson of Square
- Kexin Pei of Columbia University
- Nick Bloor of NCC Group
- Pham Van Khanh of Viettel Information Security Center
- Prof. Angelos D. Keromytis of Columbia University
- Prof. Suman Jana of Columbia University
- Suphannee Sivakorn of Columbia University
On-Line Presence Security Contributors
Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.
For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:
- Adam Willard of Blue Canopy
- Adesh Nandkishor Kolte
- Ahsan Khan
- Amin Achour of Trading House
- Ashish Gautam Kamble
- Guifre Ruiz
- Haider Kamal
- Jolan Saluria
- Muhammad Uwais
- Nithin R
- Pratik Luhana
- Rodolfo Godalle Jr.
- Sadik Shaikh of extremehacking.org
- Willy Gaston Lindo
Critical Patch Update Schedule
Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 17 October 2017
- 16 January 2018
- 17 April 2018
- 17 July 2018
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network]
- Critical Patch Update - July 2017 Documentation Map [ My Oracle Support Note]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ]
- Risk Matrix definitions [ Risk Matrix Definitions]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring]
- English text version of the risk matrices [ Oracle Technology Network]
- CVRF XML version of the risk matrices [ Oracle Technology Network ]
- The Oracle Software Security Assurance Blog [ The Oracle Software Security Assurance Blog]
- List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network]
- Software Error Correction Support Policy [ My Oracle Support Note 209768.1]
Modification History
Date
Note
2017-July-18
Rev 1. Initial Release.
2017-August-1
Rev 2. Credit Statement Update.
2017-August-9
Rev 3. Updated CVSS score for CVE-2017-10183.
2017-August-10
Rev 4. Added CVE-2017-10008 and CVE-2017-10064.
2018-January-29
Rev 5. Credit Statement Update.
2018-March-20
Rev 6. Credit Statement Update.
Appendix - Oracle Database Server****Oracle Database Server Executive Summary
This Critical Patch Update contains 5 new security fixes for the Oracle Database Server divided as follows:
- 4 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
- 1 new security fix for Oracle REST Data Services. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Database Server Risk Matrix
CVE#
Component
Package and/or Privilege Required
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2017-10202
OJVM
Create Session, Create Procedure
Multiple
No
9.9
Network
Low
Low
None
Changed
High
High
High
11.2.0.4, 12.1.0.2, 12.2.0.1
See Note 1
CVE-2014-3566
DBMS_LDAP
None
LDAP
Yes
6.8
Network
High
None
None
Changed
High
None
None
11.2.0.4, 12.1.0.2
CVE-2016-2183
Real Application Clusters
None
SSL/TLS
Yes
6.8
Network
High
None
Required
Un- changed
High
High
None
11.2.0.4, 12.1.0.2
CVE-2017-10120
RDBMS Security
Create Session, Select Any Dictionary
Oracle Net
No
1.9
Local
High
High
None
Un- changed
None
Low
None
12.1.0.2
Notes:
- This score is for Windows platforms. On non-Windows platforms Scope is Unchanged, giving a CVSS Base Score of 8.8.
Oracle REST Data Services Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle REST Data Services. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle REST Data Services Risk Matrix
CVE#
Component
Package and/or Privilege Required
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-3092
Oracle REST Data Services
None
Multiple
Yes
7.5
Network
Low
None
None
Un- changed
None
None
High
Prior to 3.0.10.25.02.36
Appendix - Oracle Fusion Middleware****Oracle Fusion Middleware Executive Summary
This Critical Patch Update contains 44 new security fixes for Oracle Fusion Middleware. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the July 2017 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2017 Patch Availability Document for Oracle Products, My Oracle Support Note 2261562.1.
Oracle Fusion Middleware Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2017-10137
Oracle WebLogic Server
JNDI
HTTP
Yes
10.0
Network
Low
None
None
Changed
High
High
High
10.3.6.0, 12.1.3.0
CVE-2015-3253
Oracle Enterprise Data Quality
General (Apache Groovy)
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
8.1.13.0.0
CVE-2015-5254
Oracle Enterprise Repository
Security Subsystem (Apache ActiveMQ)
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
11.1.1.7.0, 12.1.3.0.0
CVE-2017-5638
Oracle WebLogic Server
Sample apps (Struts 2)
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
CVE-2015-7501
Oracle Data Integrator
Studio
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0
CVE-2015-7501
Oracle Endeca Server
Core (Apache Commons Collections)
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
7.6.0.0, 7.6.1.0
CVE-2015-7501
Oracle Enterprise Data Quality
General (Apache Commons Fileupload)
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
8.1.13.0.0
CVE-2015-7501
Oracle Enterprise Repository
Security
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
12.1.3.0.0
CVE-2016-0635
Oracle Enterprise Repository
Security Subsystem
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
12.1.3.0.0
CVE-2016-2834
Oracle OpenSSO
Web Agents (NSS)
HTTPS
Yes
8.8
Network
Low
None
Required
Un- changed
High
High
High
3.0.0.8
CVE-2016-2834
Oracle Traffic Director
Security (NSS)
HTTPS
Yes
8.8
Network
Low
None
Required
Un- changed
High
High
High
11.1.1.7.0, 11.1.1.9.0
CVE-2015-7501
Oracle Tuxedo System and Applications Monitor
General (Apache Commons Collections)
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
11.1.1.2.0, 11.1.1.2.1, 11.1.1.2.2, 12.1.1.1.0, 12.1.3.0.0
CVE-2016-0635
Oracle Tuxedo System and Applications Monitor
General (Spring)
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
11.1.1.2.0, 11.1.1.2.1, 11.1.1.2.2, 12.1.1.1.0, 12.1.3.0.0, 12.2.2.0.0
CVE-2017-10147
Oracle WebLogic Server
Core Components
T3
Yes
8.6
Network
Low
None
None
Changed
None
None
High
10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
CVE-2017-10025
BI Publisher
BI Publisher Security
HTTP
Yes
8.2
Network
Low
None
None
Un- changed
High
Low
None
11.1.1.7.0
CVE-2017-10043
BI Publisher
BI Publisher Security
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
11.1.1.7.0, 11.1.1.9.0
CVE-2017-10156
BI Publisher
BI Publisher Security
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
CVE-2017-10024
BI Publisher
Layout Tools
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
11.1.1.7.0
CVE-2017-10028
BI Publisher
Web Server
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
11.1.1.7.0
CVE-2017-10029
BI Publisher
Web Server
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
11.1.1.7.0
CVE-2017-10030
BI Publisher
Web Server
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
11.1.1.7.0
CVE-2017-10035
BI Publisher
Web Server
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
11.1.1.7.0, 11.1.1.9.0
CVE-2017-10048
Oracle Enterprise Repository
Web Interface
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
11.1.1.7.0, 12.1.3.0.0
CVE-2017-10141
Oracle Outside In Technology
Outside In Filters
HTTP
Yes
8.2
Network
Low
None
None
Un- changed
None
Low
High
8.5.3.0
CVE-2017-10196
Oracle Outside In Technology
Outside In Filters
HTTP
Yes
8.2
Network
Low
None
None
Un- changed
None
Low
High
8.5.3.0
CVE-2017-10040
Oracle WebCenter Content
Content Server
HTTP
Yes
8.2
Network
Low
None
Required
Changed
Low
High
None
11.1.1.9.0, 12.2.1.1.0
CVE-2017-10075
Oracle WebCenter Content
Content Server
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
CVE-2017-10059
BI Publisher
Mobile Service
HTTP
No
7.6
Network
Low
Low
Required
Changed
High
Low
None
11.1.1.7.0
CVE-2017-10041
BI Publisher
Web Server
HTTP
No
7.6
Network
Low
Low
Required
Changed
High
Low
None
11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
CVE-2017-10119
Oracle Service Bus
OSB Web Console Design, Admin
HTTP
No
7.6
Network
Low
Low
Required
Changed
High
Low
None
11.1.1.9.0
CVE-2016-3092
BI Publisher
Web Server (Apache Commons Fileupload)
HTTP
Yes
7.5
Network
Low
None
None
Un- changed
None
None
High
11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
CVE-2015-7940
Oracle Enterprise Repository
Security Subsystem (Bouncy Castle)
HTTPS
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
12.1.3.0.0
CVE-2015-7940
Oracle Secure Enterprise Search
Generic (Bouncy Castle)
HTTPS
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
11.2.2.2.0
CVE-2017-10058
Oracle Business Intelligence Enterprise Edition
Analytics Web Administration
HTTP
No
6.9
Network
Low
High
Required
Changed
Low
High
None
11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
CVE-2017-10157
BI Publisher
BI Publisher Security
HTTP
Yes
6.5
Network
Low
None
None
Un- changed
Low
Low
None
11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
CVE-2017-10178
Oracle WebLogic Server
Web Container
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
CVE-2017-3732
Oracle API Gateway
OAG (OpenSSL)
HTTPS
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
11.1.2.4.0
CVE-2017-3732
Oracle Endeca Server
Core (OpenSSL)
HTTPS
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
7.3.0.0, 7.4.0.0, 7.5.0.0, 7.5.1.0, 7.6.0.0, 7.6.1.0, 7.7.0.0
CVE-2017-3732
Oracle Tuxedo
SSL Module (OpenSSL)
HTTPS
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
12.1.1
CVE-2013-2027
Oracle WebLogic Server
WLST
None
No
5.9
Local
Low
None
None
Un- changed
Low
Low
Low
10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
CVE-2017-10148
Oracle WebLogic Server
Core Components
T3
Yes
5.8
Network
Low
None
None
Changed
None
Low
None
10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
CVE-2017-10063
Oracle WebLogic Server
Web Services
HTTP
Yes
4.8
Network
High
None
None
Un- changed
None
Low
Low
10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
CVE-2017-10123
Oracle WebLogic Server
Web Container
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
12.1.3.0
CVE-2014-3566
Oracle Endeca Server
Core (OpenSSL)
HTTPS
Yes
3.4
Network
High
None
Required
Changed
Low
None
None
7.4.0.0, 7.5.0.0, 7.5.1.0, 7.6.0.0, 7.6.1.0
Additional CVEs addressed are below:
- The fix for CVE-2015-7501 also addresses CVE-2011-2730.
- The fix for CVE-2015-7940 also addresses CVE-2015-7501, and CVE-2016-5019.
- The fix for CVE-2016-2834 also addresses CVE-2016-1950, and CVE-2016-1979.
- The fix for CVE-2017-3732 also addresses CVE-2016-7055, and CVE-2017-3731.
Appendix - Oracle Hyperion****Oracle Hyperion Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle Hyperion. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Hyperion Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-0635
Hyperion Essbase
Java Based Agent (Spring)
Multiple
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
See Note 1
Notes:
- Fixed in all versions from 12.2.1.1 onward.
Appendix - Oracle Enterprise Manager Grid Control****Oracle Enterprise Manager Grid Control Executive Summary
This Critical Patch Update contains 8 new security fixes for Oracle Enterprise Manager Grid Control. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.
Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2017 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2017 Patch Availability Document for Oracle Products, My Oracle Support Note 2261562.1.
Oracle Enterprise Manager Grid Control Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-5387
Enterprise Manager Ops Center
Satellite Framework
HTTP
Yes
8.1
Network
High
None
None
Un- changed
High
High
High
12.2.2, 12.3.2
CVE-2016-1181
Oracle Application Testing Suite
Installation
HTTP
Yes
8.1
Network
High
None
None
Un- changed
High
High
High
12.5.0.2, 12.5.0.3
CVE-2017-10091
Enterprise Manager Base Platform
UI Framework
HTTP
No
7.7
Network
Low
Low
None
Changed
None
High
None
12.1.0, 13.1.0, 13.2.0
CVE-2015-7940
Oracle Business Transaction Management
Security
HTTP
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
11.1.x, 12.1.x
CVE-2016-2381
Oracle Configuration Manager
Installation
Multiple
No
6.5
Network
Low
Low
None
Un- changed
None
High
None
Prior to 12.1.2.0.4
CVE-2017-3732
Enterprise Manager Base Platform
Discovery Framework
HTTPS
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
12.1.0, 13.1.0, 13.2.0
CVE-2017-3732
Enterprise Manager Ops Center
Networking
HTTPS
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
12.2.2, 12.3.2
CVE-2016-3092
Enterprise Manager Ops Center
Hosted Framework
HTTP
Yes
5.3
Network
Low
None
None
Un- changed
None
None
Low
12.2.2, 12.3.2
Additional CVEs addressed are below:
- The fix for CVE-2016-2381 also addresses CVE-2015-8607, and CVE-2015-8608.
- The fix for CVE-2016-5387 also addresses CVE-2016-5385, CVE-2016-5386, and CVE-2016-5388.
Appendix - Oracle Applications****Oracle E-Business Suite Executive Summary
This Critical Patch Update contains 22 new security fixes for the Oracle E-Business Suite. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2017 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2017), My Oracle Support Note 2270270.1. Some of the risk matrix rows in this section are assigned multiple CVE#s. In these cases, additional CVEs are listed below the risk matrix to improve readability. Each group of CVE identifiers share the same description, vulnerability type, Component, Sub-Component and affected versions listed in the risk matrix entry, but occur in different code sections within a Sub-Component.
Oracle E-Business Suite Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2017-10246
Oracle Application Object Library
iHelp
HTTP
Yes
8.2
Network
Low
None
None
Un- changed
High
Low
None
12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10180
Oracle CRM Technical Foundation
CMRO
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10143
Oracle CRM Technical Foundation
Preferences
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10185
Oracle CRM Technical Foundation
User Management
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10113
Oracle Common Applications
CRM User Management Framework
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10170
Oracle Field Service
Wireless/WAP
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1, 12.1.2, 12.1.3
CVE-2017-10171
Oracle Marketing
Home Page
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10191
Oracle Web Analytics
Common Libraries
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10112
Oracle iStore
User Registration
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10174
Oracle iSupport
Service Request
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10177
Oracle Application Object Library
Flexfields
HTTP
No
8.1
Network
Low
Low
None
Un- changed
High
High
None
12.2.6
CVE-2017-10130
Oracle iStore
User Management
HTTP
No
7.6
Network
Low
Low
Required
Changed
High
Low
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2016-6304
Application Server
OpenSSL
HTTPS
Yes
7.5
Network
Low
None
None
Un- changed
None
None
High
12.1.3
CVE-2017-10144
Oracle Applications Manager
Oracle Diagnostics Interfaces
HTTP
Yes
7.5
Network
Low
None
None
Un- changed
None
None
High
12.1.3
CVE-2017-10245
Oracle General Ledger
Account Hierarchy Manager
HTTP
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10179
Application Management Pack for Oracle E-Business Suite
User Monitoring
HTTP
Yes
6.5
Network
Low
None
None
Un- changed
Low
Low
None
AMP 12.1.0.4.0, AMP 13.1.1.1.0
CVE-2017-3562
Oracle Applications DBA
AD Utilities
HTTP
No
6.5
Network
Low
High
None
Un- changed
High
High
None
12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10244
Oracle Application Object Library
Attachments
HTTP
Yes
5.3
Network
Low
None
None
Un- changed
Low
None
None
12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10184
Oracle Field Service
Wireless/WAP
HTTP
Yes
5.3
Network
Low
None
None
Un- changed
Low
None
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10192
Oracle iStore
Shopping Cart
HTTP
Yes
5.3
Network
Low
None
None
Un- changed
Low
None
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10186
Oracle iStore
User and Company Profile
HTTP
Yes
5.3
Network
Low
None
None
Un- changed
Low
None
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10175
Oracle iSupport
Profiles
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
Additional CVEs addressed are below:
- The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, and CVE-2016-7052.
Oracle Supply Chain Products Suite Executive Summary
This Critical Patch Update contains 10 new security fixes for the Oracle Supply Chain Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Supply Chain Products Suite Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2017-10039
Oracle Agile PLM
Web Client
HTTP
No
6.8
Network
Low
Low
Required
Changed
High
None
None
9.3.5, 9.3.6
CVE-2017-10052
Oracle Agile PLM
PCMServlet
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.3.5, 9.3.6
CVE-2017-10080
Oracle Agile PLM
Security
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.3.5, 9.3.6
CVE-2017-10082
Oracle Agile PLM
Security
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.3.5, 9.3.6
CVE-2017-10092
Oracle Agile PLM
Security
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.3.5, 9.3.6
CVE-2017-3732
Oracle Transportation Management
Apache Webserver
HTTP
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
6.1, 6.2
CVE-2017-10094
Oracle Agile PLM
Security
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
9.3.5, 9.3.6
CVE-2017-10032
Oracle Transportation Management
Access Control List
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
6.3.4.1, 6.3.5.1, 6.3.6.1, 6.3.7.1, 6.4.0, 6.4.1, 6.4.2
CVE-2017-10093
Oracle Agile PLM
Security
HTTP
Yes
5.3
Network
Low
None
None
Un- changed
Low
None
None
9.3.5, 9.3.6
CVE-2017-10088
Oracle Agile PLM
Security
None
No
3.4
Local
Low
High
None
Un- changed
Low
Low
None
9.3.5, 9.3.6
Oracle PeopleSoft Products Executive Summary
This Critical Patch Update contains 30 new security fixes for Oracle PeopleSoft Products. 20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle PeopleSoft Products Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2017-10061
PeopleSoft Enterprise PeopleTools
Integration Broker
HTTP
Yes
8.3
Network
Low
None
None
Changed
Low
Low
Low
8.54, 8.55
CVE-2017-10146
PeopleSoft Enterprise PeopleTools
Portal
HTTP
Yes
8.3
Network
Low
None
None
Changed
Low
Low
Low
8.54, 8.55
CVE-2017-10019
PeopleSoft Enterprise PeopleTools
Integration Broker
HTTP
Yes
7.4
Network
Low
None
Required
Changed
High
None
None
8.54, 8.55
CVE-2017-10258
PeopleSoft Enterprise PRTL Interaction Hub
Add New Image
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.1.0
CVE-2017-10257
PeopleSoft Enterprise PRTL Interaction Hub
Browse Folder Hierarchy
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.1.0
CVE-2017-10215
PeopleSoft Enterprise PRTL Interaction Hub
EPPCM_DEFN_CATG
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.1.0
CVE-2017-10248
PeopleSoft Enterprise PRTL Interaction Hub
EPPCM_HIER_TOP
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.1.0
CVE-2017-10255
PeopleSoft Enterprise PRTL Interaction Hub
EPPCM_HIER_TOP
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.1.0
CVE-2017-10256
PeopleSoft Enterprise PRTL Interaction Hub
EPPCM_HIER_TOP
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.1.0
CVE-2017-10100
PeopleSoft Enterprise PRTL Interaction Hub
HTML Area
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.1.0
CVE-2017-10126
PeopleSoft Enterprise PRTL Interaction Hub
HTML Area
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.1.0
CVE-2017-10247
PeopleSoft Enterprise PRTL Interaction Hub
HTML Area
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.1.0
CVE-2017-10070
PeopleSoft Enterprise PRTL Interaction Hub
Maintenance Folders
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.1.0
CVE-2017-10249
PeopleSoft Enterprise PeopleTools
Integration Broker
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.54, 8.55
CVE-2017-10021
PeopleSoft Enterprise PeopleTools
PIA Search
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.54, 8.55
CVE-2017-10253
PeopleSoft Enterprise PeopleTools
Pivot Grid
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.54, 8.55
CVE-2017-10106
PeopleSoft Enterprise PeopleTools
Portal
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.54, 8.55
CVE-2017-10017
PeopleSoft Enterprise PeopleTools
Workcenter
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.54, 8.55
CVE-2017-3731
PeopleSoft Enterprise PeopleTools
Security
HTTP
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
8.54, 8.55
CVE-2017-10134
PeopleSoft Enterprise FSCM
eProcurement
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
9.2
CVE-2017-10057
PeopleSoft Enterprise PRTL Interaction Hub
Discussion Forum
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
9.1.0
CVE-2017-10027
PeopleSoft Enterprise PeopleTools
Fluid Homepage & Navigation
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
8.54, 8.55
CVE-2017-10045
PeopleSoft Enterprise PeopleTools
Integration Broker
HTTP
Yes
5.3
Network
High
None
Required
Un- changed
High
None
None
8.54, 8.55
CVE-2017-10015
PeopleSoft Enterprise PeopleTools
Application Designer
None
No
4.7
Local
High
Low
None
Un- changed
High
None
None
8.54, 8.55
CVE-2017-10251
PeopleSoft Enterprise PeopleTools
Test Framework
None
No
4.7
Local
High
Low
None
Un- changed
High
None
None
8.54, 8.55
CVE-2017-10250
PeopleSoft Enterprise PeopleTools
Tuxedo
None
No
4.7
Local
High
Low
None
Un- changed
High
None
None
8.54, 8.55
CVE-2017-10020
PeopleSoft Enterprise PeopleTools
Updates Change Assistant
None
No
4.7
Local
High
Low
None
Un- changed
High
None
None
8.54, 8.55
CVE-2017-10252
PeopleSoft Enterprise PeopleTools
Updates Change Assistant
None
No
4.7
Local
High
Low
None
Un- changed
High
None
None
8.54, 8.55
CVE-2017-10018
PeopleSoft Enterprise FSCM
Strategic Sourcing
HTTP
No
4.3
Network
Low
Low
None
Un- changed
None
Low
None
9.2
CVE-2017-10254
PeopleSoft Enterprise FSCM
Staffing Front Office
HTTP
No
2.7
Network
Low
High
None
Un- changed
Low
None
None
9.2
Additional CVEs addressed are below:
- The fix for CVE-2017-3731 also addresses CVE-2016-7055.
Oracle Siebel CRM Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle Siebel CRM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Siebel CRM Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2017-10049
Siebel Core CRM
Search
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
16.0, 17.0
Oracle Commerce Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle Commerce. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Commerce Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2017-3732
Oracle Commerce Guided Search / Oracle Commerce Experience Manager
Platform Services
HTTPS
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
6.1.4, 11.0, 11.1, 11.2
Oracle iLearning Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle iLearning Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2017-10199
Oracle iLearning
Learner Pages
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
6.2
Appendix - Oracle Communications Applications****Oracle Communications Applications Executive Summary
This Critical Patch Update contains 11 new security fixes for Oracle Communications Applications. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Communications Applications Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-3253
Oracle Communications BRM
Elastic Charging Engine (Apache Groovy)
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
11.2.0.0.0, 11.3.0.0.0
CVE-2015-0235
Oracle Communications Policy Management
Platform (GlibC)
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
11.5
CVE-2015-7501
Oracle Communications BRM
Elastic Charging Engine (Apache Commons Collections)
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
11.2.0.0.0
CVE-2016-0635
Oracle Communications BRM
Elastic Charging Engine (Spring)
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
11.2.0.0.0, 11.3.0.0.0
CVE-2016-2107
Oracle Communications Session Router
Routing (OpenSSL)
TLS
Yes
8.2
Network
Low
None
None
Un- changed
Low
None
High
SCZ730, SCZ740, ECZ730
CVE-2016-2107
Oracle Enterprise Communications Broker
Routing (OpenSSL)
TLS
Yes
8.2
Network
Low
None
None
Un- changed
Low
None
High
PCZ210
CVE-2015-7940
Oracle Communications Convergence
Mail Proxy (Bouncy Castle)
HTTP
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
3.0, 3.0.1
CVE-2016-6304
Oracle Enterprise Session Border Controller
Routing (OpenSSL)
TLS
Yes
7.5
Network
Low
None
None
Un- changed
None
None
High
ECZ7.3.0
CVE-2017-10031
Oracle Communications Convergence
Mail Proxy (dojo)
HTTP
Yes
7.2
Network
Low
None
None
Changed
Low
Low
None
3.0, 3.0.1
CVE-2016-2107
Oracle Communications EAGLE LNP Application Processor
Platform (OpenSSL)
TLS
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
10.0
CVE-2017-3732
Oracle Communications Network Charging and Control
Common fns (OpenSSL)
TLS
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
4.4.1.5, 5.0.0.1, 5.0.0.2, 5.0.1.0, 5.0.2.0
Additional CVEs addressed are below:
- The fix for CVE-2016-2107 also addresses CVE-2014-0224, CVE-2014-3571, CVE-2015-0286, CVE-2015-0286, CVE-2015-1788, CVE-2015-1788, CVE-2015-1789, CVE-2015-1789, CVE-2015-1790, CVE-2015-1790, CVE-2015-1791, CVE-2015-1791, CVE-2015-1792, CVE-2015-1792, CVE-2015-3195, CVE-2015-3195, CVE-2015-3197, CVE-2015-3197, CVE-2016-2105, CVE-2016-2105, CVE-2016-2106, CVE-2016-2106, CVE-2016-2108, CVE-2016-2108, CVE-2016-2109, and CVE-2016-2109.
- The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, and CVE-2016-7052.
Appendix - Oracle Financial Services Applications****Oracle Financial Services Applications Executive Summary
This Critical Patch Update contains 20 new security fixes for Oracle Financial Services Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Financial Services Applications Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-0635
Financial Services Behavior Detection Platform
Admin Tool (Spring)
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
8.0.1, 8.0.2
CVE-2016-3092
Oracle Banking Platform
Collections (Apache Commons FileUpload)
HTTP
Yes
7.5
Network
Low
None
None
Un- changed
None
None
High
2.3, 2.4, 2.4.1, 2.5
CVE-2017-10085
Oracle FLEXCUBE Universal Banking
Infrastructure
HTTP
No
7.1
Network
Low
Low
None
Un- changed
High
Low
None
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
CVE-2017-10181
Oracle FLEXCUBE Direct Banking
Forgot Password
HTTP
No
6.8
Network
Low
Low
Required
Un- changed
Low
Low
High
12.0.2, 12.0.3
CVE-2017-10006
Oracle FLEXCUBE Private Banking
Miscellaneous
HTTP
No
6.5
Network
Low
Low
None
Un- changed
None
High
None
2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10103
Oracle FLEXCUBE Private Banking
Miscellaneous
HTTP
No
6.5
Network
Low
Low
None
Un- changed
High
None
None
2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10023
Oracle FLEXCUBE Private Banking
Operations
HTTP
No
6.5
Network
Low
Low
None
Un- changed
High
None
None
2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10084
Oracle FLEXCUBE Universal Banking
Report Generator
HTTP
No
6.5
Network
Low
Low
None
Un- changed
High
None
None
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
CVE-2017-10005
Oracle FLEXCUBE Private Banking
Miscellaneous
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10083
Oracle FLEXCUBE Universal Banking
Infrastructure
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
CVE-2017-10011
Oracle FLEXCUBE Private Banking
Miscellaneous
None
No
5.5
Local
Low
Low
None
Un- changed
High
None
None
2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10012
Oracle FLEXCUBE Private Banking
Operations
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10072
Oracle FLEXCUBE Universal Banking
All Modules
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
CVE-2017-10073
Oracle FLEXCUBE Universal Banking
Infrastructure
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
CVE-2017-10098
Oracle FLEXCUBE Universal Banking
Infrastructure
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
CVE-2017-10010
Oracle FLEXCUBE Private Banking
FileUploads
HTTP
No
4.6
Network
Low
Low
Required
Un- changed
Low
Low
None
2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10009
Oracle FLEXCUBE Private Banking
Miscellaneous
HTTP
No
4.3
Network
Low
Low
None
Un- changed
None
Low
None
2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10007
Oracle FLEXCUBE Private Banking
Miscellaneous
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10008
Oracle FLEXCUBE Private Banking
Miscellaneous
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10022
Oracle FLEXCUBE Private Banking
Operations
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
2.0.0, 2.0.1, 2.2.0, 12.0.1
CVE-2017-10071
Oracle FLEXCUBE Universal Banking
All Modules
HTTP
Yes
4.3
Network
Low
None
Required
Un- changed
None
Low
None
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
Appendix - Oracle Hospitality Applications****Oracle Hospitality Applications Executive Summary
This Critical Patch Update contains 48 new security fixes for Oracle Hospitality Applications. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Hospitality Applications Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2017-5689
MICROS PC Workstation 2015
BIOS (Intel AMT)
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
Prior to O1302h
See Note 1
CVE-2017-5689
MICROS Workstation 650
BIOS (Intel AMT)
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
Prior to E1500n
See Note 2
CVE-2017-10000
Oracle Hospitality Reporting and Analytics
Reporting
HTTP
No
7.7
Network
Low
Low
None
Changed
None
None
High
8.5.1, 9.0.0
CVE-2017-10232
Hospitality WebSuite8 Cloud Service
General
HTTP
No
7.6
Network
Low
Low
None
Un- changed
High
Low
Low
8.9.6, 8.10.x
CVE-2017-10001
Oracle Hospitality Simphony First Edition
Core
HTTP
No
7.6
Network
Low
Low
Required
Un- changed
High
Low
High
1.7.1
CVE-2017-10136
Oracle Hospitality Simphony
Import/Export
HTTP
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
2.9
CVE-2017-10206
Oracle Hospitality Simphony
Engagement
HTTP
Yes
7.3
Network
Low
None
None
Un- changed
Low
Low
Low
2.9
CVE-2017-10226
Oracle Hospitality Cruise Fleet Management
Fleet Management System Suite
HTTP
No
7.1
Network
Low
Low
None
Un- changed
High
Low
None
9.0
CVE-2017-10225
Oracle Hospitality RES 3700
OPS Operations
NA
No
7.0
Physical
High
Low
None
Changed
High
High
Low
5.5
CVE-2017-10216
Hospitality Property Interfaces
Parser
HTTP
No
6.5
Network
Low
Low
None
Un- changed
High
None
None
8.10.x
CVE-2017-10212
Hospitality Suite8
WebConnect
HTTP
No
6.5
Network
Low
Low
None
Un- changed
High
None
None
8.10.x
CVE-2017-10047
MICROS BellaVita
Interface
HTTP
Yes
6.5
Network
Low
None
None
Un- changed
Low
Low
None
2.7.x
CVE-2017-10224
Oracle Hospitality Inventory Management
Inventory and Count Cycle
HTTP
No
6.4
Network
Low
Low
None
Changed
Low
Low
None
8.5.1, 9.0.0
CVE-2017-10076
Oracle Hospitality Simphony First Edition Venue Management
Core
HTTP
No
6.4
Network
Low
Low
None
Changed
Low
Low
None
3.9
CVE-2017-10211
Hospitality Suite8
WebConnect
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.10.x
CVE-2017-10128
Hospitality WebSuite8 Cloud Service
General
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.9.6, 8.10.x
CVE-2017-10064
Hospitality WebSuite8 Cloud Service
General
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.9.6, 8.10.x
CVE-2017-10097
Oracle Hospitality Reporting and Analytics
Reporting
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.5.1, 9.0.0
CVE-2017-10079
Oracle Hospitality Suites Management
Core
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
3.7
CVE-2017-10188
Hospitality Hotel Mobile
Suite 8/Android
None
No
5.5
Local
Low
Low
None
Un- changed
High
None
None
1.01
CVE-2017-10189
Hospitality Suite8
Leisure
None
No
5.5
Local
Low
Low
None
Un- changed
High
None
None
8.10.x
CVE-2017-10169
Oracle Hospitality 9700
Operation Security
None
No
5.5
Local
Low
Low
None
Un- changed
High
None
None
4.0
CVE-2017-10056
Oracle Hospitality 9700
Property Management Systems
None
No
5.5
Local
Low
Low
None
Un- changed
High
None
None
4.0
CVE-2017-10231
Oracle Hospitality Cruise AffairWhere
AWExport
None
No
5.5
Local
Low
Low
None
Un- changed
High
None
None
2.2.05.062
CVE-2017-10219
Oracle Hospitality Guest Access
Base
None
No
5.5
Local
Low
Low
None
Un- changed
High
None
None
4.2.0.0, 4.2.1.0
CVE-2017-10201
Oracle Hospitality e7
Other
None
No
5.5
Local
Low
Low
None
Un- changed
High
None
None
4.2.1
CVE-2017-10230
Oracle Hospitality Cruise Dining Room Management
SilverWhere
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
8.0.75
CVE-2017-10229
Oracle Hospitality Cruise Materials Management
Event Viewer
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
7.30.562
CVE-2017-10228
Oracle Hospitality Cruise Shipboard Property Management System
Module
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
8.0.0.0
CVE-2017-10002
Oracle Hospitality Inventory Management
Settings and Config
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
8.5.1, 9.0.0
CVE-2017-10222
Oracle Hospitality Materials Control
Production Tool
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
8.31.4, 8.32.0
CVE-2017-10223
Oracle Hospitality Materials Control
Purchasing
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
8.31.4, 8.32.0
CVE-2017-10142
Oracle Hospitality Reporting and Analytics
Mobile Apps
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
8.5.1, 9.0.0
CVE-2017-10044
Oracle Hospitality Reporting and Analytics
Reporting
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
8.5.1, 9.0.0
CVE-2017-10207
Oracle Hospitality Simphony
Utilities
HTTP
Yes
5.3
Network
Low
None
None
Un- changed
None
None
Low
2.9
CVE-2017-10069
Oracle Payment Interface
Core
HTTP
No
5.3
Network
High
Low
None
Un- changed
High
None
None
6.1.1
CVE-2017-10221
Oracle Hospitality RES 3700
OPS Operations
None
No
5.0
Local
High
Low
Required
Changed
Low
Low
Low
5.5
CVE-2017-10168
Hospitality Hotel Mobile
Suite 8/Windows
NA
No
4.6
Physical
High
Low
None
Un- changed
High
None
Low
1.1
CVE-2017-10182
Oracle Hospitality OPERA 5 Property Services
OPERA Export Functionality
HTTP
No
4.4
Network
High
High
None
Un- changed
High
None
None
5.4.0.x, 5.4.1.x, 5.4.3.x
CVE-2017-10200
Oracle Hospitality e7
Other
None
No
4.4
Local
Low
Low
None
Un- changed
Low
Low
None
4.2.1
CVE-2017-10133
Hospitality Hotel Mobile
Suite8/RestAPI
HTTP
No
4.3
Network
Low
Low
None
Un- changed
None
Low
None
1.1
CVE-2017-10132
Hospitality Hotel Mobile
Suite8/iOS
HTTP
No
4.3
Network
Low
Low
None
Un- changed
None
Low
None
1.05
CVE-2017-10217
Oracle Hospitality Guest Access
Base
HTTP
No
4.3
Network
Low
Low
None
Un- changed
None
Low
None
4.2.0.0, 4.2.1.0
CVE-2017-10218
Oracle Hospitality Guest Access
Base
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
4.2.0.0, 4.2.1.0
CVE-2017-10205
Oracle Hospitality Simphony
Enterprise Management Console
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
2.9
CVE-2017-10195
Oracle Hospitality Simphony
Import/Export
HTTP
Yes
4.3
Network
Low
None
Required
Un- changed
None
Low
None
2.8
CVE-2017-10208
Oracle Hospitality e7
Other
SMTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
4.2.1
CVE-2017-10220
Hospitality Property Interfaces
Parser
None
No
4.0
Local
Low
None
None
Un- changed
Low
None
None
8.10.x
CVE-2017-10213
Hospitality Suite8
WebConnect
None
No
4.0
Local
Low
None
None
Un- changed
Low
None
None
8.10.x
Notes:
- MICROS PC Workstation 2015 systems with Intel ME firmware 6.2.61.3535 or later are not affected by this issue. See Patch Availability document for MICROS PC Workstation 2015 for identifying the Intel ME firmware version on this device.
- MICROS Workstation 650 systems running Intel ME firmware 10.0.55.3000 or later are not affected by this issue. See Patch Availability document for MICROS Workstation 650 for identifying the Intel ME firmware version on this device.
Appendix - Oracle Retail Applications****Oracle Retail Applications Executive Summary
This Critical Patch Update contains 8 new security fixes for Oracle Retail Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Retail Applications Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2017-5689
MICROS PC Workstation 2015
BIOS (Intel AMT)
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
Prior to O1302h
See Note 1
CVE-2017-5689
MICROS Workstation 650
BIOS (Intel AMT)
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
Prior to E1500n
See Note 2
CVE-2016-6814
Oracle Retail Allocation
Manage Allocation
HTTP
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
13.3.1, 14.0.4, 14.1.3, 15.0.1, 16.0.1
CVE-2016-6814
Oracle Retail Customer Insights
ODI Configuration
HTTP
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
15.0, 16.0
CVE-2017-10214
Oracle Retail Xstore Point of Service
Xstore Office
HTTP
Yes
8.2
Network
Low
None
None
Un- changed
High
Low
None
6.0.x, 6.5.x, 7.0.x, 7.1.x, 15.0.x, 16.0.0
CVE-2016-3506
Oracle Retail Warehouse Management System
Installers
Oracle Net
Yes
8.1
Network
High
None
None
Un- changed
High
High
High
14.0.4, 14.1.3, 15.0.1
CVE-2016-3506
Oracle Retail Workforce Management
Installation
Oracle Net
Yes
8.1
Network
High
None
None
Un- changed
High
High
High
1.60.7, 1.64.0
CVE-2017-10183
Oracle Retail Xstore Point of Service
Point of Sale
HTTP
Yes
6.5
Network
High
None
None
Changed
Low
Low
Low
6.0.x, 6.5.x, 7.0.x, 7.1.x, 15.0.x, 16.0.0
CVE-2017-10172
Oracle Retail Open Commerce Platform
Framework
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 15.0, 15.1
CVE-2017-10173
Oracle Retail Open Commerce Platform
Website
HTTP
Yes
5.8
Network
Low
None
None
Changed
None
Low
None
5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 15.0, 15.1
Notes:
- MICROS PC Workstation 2015 systems with Intel ME firmware 6.2.61.3535 or later are not affected by this issue. See Patch Availability document for MICROS PC Workstation 2015 for identifying the Intel ME firmware version on this device.
- MICROS Workstation 650 systems running Intel ME firmware 10.0.55.3000 or later are not affected by this issue. See Patch Availability document for MICROS Workstation 650 for identifying the Intel ME firmware version on this device.
Appendix - Oracle Policy Automation****Oracle Policy Automation Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle Policy Automation. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Policy Automation Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-3092
Oracle Policy Automation
Determinations Engine (Apache Commons FileUplaod)
HTTP
Yes
7.5
Network
Low
None
None
Un- changed
None
None
High
12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3
Appendix - Oracle Primavera Products Suite****Oracle Primavera Products Suite Executive Summary
This Critical Patch Update contains 9 new security fixes for the Oracle Primavera Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Primavera Products Suite Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-6814
Primavera Gateway
Primavera Integration (Groovy)
HTTP
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2
CVE-2016-5019
Primavera P6 Enterprise Project Portfolio Management
Web Access (Apache Trinidad)
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
8.3, 8.4, 15.1, 15.2
CVE-2015-0254
Primavera Gateway
Primavera Integration (Standard)
HTTP
No
6.5
Network
Low
Low
Required
Changed
Low
Low
Low
1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2
CVE-2017-10038
Primavera P6 Enterprise Project Portfolio Management
Web Access
HTTP
No
6.5
Network
Low
Low
None
Un- changed
High
None
None
15.1, 15.2, 16.1, 16.2
CVE-2017-10131
Primavera P6 Enterprise Project Portfolio Management
Web Access
HTTP
No
6.5
Network
Low
Low
Required
Changed
Low
Low
Low
8.3, 8.4, 15.1, 15.2, 16.1, 16.2
CVE-2017-10046
Primavera P6 Enterprise Project Portfolio Management
Web Access
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
8.3, 8.4, 15.1, 15.2, 16.1
CVE-2017-10149
Primavera Unifier
Platform
HTTP
No
4.8
Network
Low
High
Required
Changed
Low
Low
None
9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1, 16.2
CVE-2017-10160
Primavera P6 Enterprise Project Portfolio Management
Web Access
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
8.3, 8.4, 15.1, 15.2, 16.1, 16.2
CVE-2017-10150
Primavera Unifier
Platform
HTTP
No
4.3
Network
Low
Low
None
Un- changed
None
Low
None
9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1, 16.2
Appendix - Oracle Java SE****Oracle Java SE Executive Summary
This Critical Patch Update contains 32 new security fixes for Oracle Java SE. 28 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.
Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases.
Oracle Java SE Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2017-10110
Java SE
AWT
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 6u151, 7u141, 8u131
See Note 1
CVE-2017-10089
Java SE
ImageIO
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 6u151, 7u141, 8u131
See Note 1
CVE-2017-10086
Java SE
JavaFX
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 7u141, 8u131
See Note 1
CVE-2017-10096
Java SE, Java SE Embedded
JAXP
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131
See Note 1
CVE-2017-10101
Java SE, Java SE Embedded
JAXP
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131
See Note 1
CVE-2017-10087
Java SE, Java SE Embedded
Libraries
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131
See Note 1
CVE-2017-10090
Java SE, Java SE Embedded
Libraries
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 7u141, 8u131; Java SE Embedded: 8u131
See Note 1
CVE-2017-10111
Java SE, Java SE Embedded
Libraries
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 8u131; Java SE Embedded: 8u131
See Note 1
CVE-2017-10107
Java SE, Java SE Embedded
RMI
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131
See Note 1
CVE-2017-10102
Java SE, Java SE Embedded
RMI
Multiple
Yes
9.0
Network
High
None
None
Changed
High
High
High
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131
See Note 2
CVE-2017-10114
Java SE
JavaFX
Multiple
Yes
8.3
Network
High
None
Required
Changed
High
High
High
Java SE: 7u141, 8u131
See Note 1
CVE-2017-10074
Java SE, Java SE Embedded
Hotspot
Multiple
Yes
8.3
Network
High
None
Required
Changed
High
High
High
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131
See Note 1
CVE-2017-10116
Java SE, Java SE Embedded, JRockit
Security
Multiple
Yes
8.3
Network
High
None
Required
Changed
High
High
High
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14
See Note 3
CVE-2017-10078
Java SE
Scripting
Multiple
No
8.1
Network
Low
Low
None
Un- changed
High
High
None
Java SE: 8u131
See Note 3
CVE-2017-10067
Java SE
Security
Multiple
Yes
7.5
Network
High
None
Required
Un- changed
High
High
High
Java SE: 6u151, 7u141, 8u131
See Note 1
CVE-2017-10115
Java SE, Java SE Embedded, JRockit
JCE
Multiple
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14
See Note 3
CVE-2017-10118
Java SE, Java SE Embedded, JRockit
JCE
Multiple
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
Java SE: 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14
See Note 3
CVE-2017-10176
Java SE, Java SE Embedded, JRockit
Security
Multiple
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
Java SE: 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14
See Note 3
CVE-2017-10104
Java Advanced Management Console
Server
HTTP
No
7.4
Network
Low
Low
None
Changed
Low
Low
Low
Java Advanced Management Console: 2.6
CVE-2017-10145
Java Advanced Management Console
Server
Multiple
No
7.4
Network
Low
Low
None
Changed
Low
Low
Low
Java Advanced Management Console: 2.6
CVE-2017-10125
Java SE
Deployment
None
No
7.1
Physical
High
None
None
Changed
High
High
High
Java SE: 7u141, 8u131
See Note 4
CVE-2017-10198
Java SE, Java SE Embedded, JRockit
Security
Multiple
Yes
6.8
Network
High
None
None
Changed
High
None
None
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14
See Note 3
CVE-2017-10243
Java SE, Java SE Embedded, JRockit
JAX-WS
Multiple
Yes
6.5
Network
Low
None
None
Un- changed
Low
None
Low
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14
See Note 3
CVE-2017-10121
Java Advanced Management Console
Server
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
Java Advanced Management Console: 2.6
CVE-2017-10135
Java SE, Java SE Embedded, JRockit
JCE
Multiple
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14
See Note 3
CVE-2017-10117
Java Advanced Management Console
Server
HTTP
Yes
5.3
Network
Low
None
None
Un- changed
Low
None
None
Java Advanced Management Console: 2.6
CVE-2017-10053
Java SE, Java SE Embedded, JRockit
2D
Multiple
Yes
5.3
Network
Low
None
None
Un- changed
None
None
Low
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14
See Note 3
CVE-2017-10108
Java SE, Java SE Embedded, JRockit
Serialization
Multiple
Yes
5.3
Network
Low
None
None
Un- changed
None
None
Low
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14
See Note 3
CVE-2017-10109
Java SE, Java SE Embedded, JRockit
Serialization
Multiple
Yes
5.3
Network
Low
None
None
Un- changed
None
None
Low
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14
See Note 1
CVE-2017-10105
Java SE
Deployment
Multiple
Yes
4.3
Network
Low
None
Required
Un- changed
None
Low
None
Java SE: 6u151, 7u141, 8u131
See Note 1
CVE-2017-10081
Java SE, Java SE Embedded
Hotspot
Multiple
Yes
4.3
Network
Low
None
Required
Un- changed
None
Low
None
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131
See Note 1
CVE-2017-10193
Java SE, Java SE Embedded
Security
Multiple
Yes
3.1
Network
High
None
Required
Un- changed
Low
None
None
Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131
See Note 1
Notes:
- This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
- This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
- This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
- Applies to deployment of Java where the Java Auto Update is enabled.
Appendix - Oracle Sun Systems Products Suite****Oracle Sun Systems Products Suite Executive Summary
This Critical Patch Update contains 11 new security fixes for the Oracle Sun Systems Products Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Sun Systems Products Suite Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2017-3632
Solaris
CDE Calendar
TCP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
10, 11
See Note 1
CVE-2017-10013
Sun ZFS Storage Appliance Kit (AK)
User Interface
HTTP
Yes
8.3
Network
High
None
Required
Changed
High
High
High
AK 2013
CVE-2017-10042
Solaris
IKE
IKE
Yes
7.5
Network
Low
None
None
Un- changed
None
None
High
10, 11
CVE-2017-10036
Solaris
NFSv4
NFSv4
Yes
7.5
Network
Low
None
None
Un- changed
None
None
High
10, 11
CVE-2017-10016
Sun ZFS Storage Appliance Kit (AK)
User Interface
HTTP
Yes
7.5
Network
High
None
Required
Un- changed
High
High
High
AK 2013
CVE-2017-10234
Solaris Cluster
NAS device addition
None
No
7.3
Local
Low
Low
Required
Un- changed
High
High
High
4
CVE-2017-10004
Solaris
Kernel
None
No
6.7
Local
Low
High
None
Un- changed
High
High
High
10, 11
CVE-2017-10062
Solaris
Oracle Java Web Console
None
No
5.3
Local
Low
Low
None
Un- changed
Low
Low
Low
10
CVE-2017-10003
Solaris
Network Services Library
None
No
4.5
Local
High
Low
None
Un- changed
Low
Low
Low
10
CVE-2017-10095
Solaris
Kernel
None
No
3.3
Local
Low
None
Required
Un- changed
None
Low
None
11
CVE-2017-10122
Solaris
Kernel
None
No
1.8
Local
High
High
Required
Un- changed
None
Low
None
10, 11
Notes:
- CVE-2017-3632 is assigned to the “EASYSTREET” vulnerability.
Appendix - Oracle Linux and Virtualization****Oracle Virtualization Executive Summary
This Critical Patch Update contains 14 new security fixes for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Virtualization Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2017-10204
Oracle VM VirtualBox
Core
None
No
8.8
Local
Low
Low
None
Changed
High
High
High
Prior to 5.1.24
CVE-2017-10129
Oracle VM VirtualBox
Core
None
No
8.8
Local
Low
Low
None
Changed
High
High
High
Prior to 5.1.24
CVE-2017-10210
Oracle VM VirtualBox
Core
None
No
7.3
Local
Low
High
None
Changed
Low
Low
High
Prior to 5.1.24
CVE-2017-10233
Oracle VM VirtualBox
Core
None
No
7.3
Local
Low
Low
None
Changed
None
Low
High
Prior to 5.1.24
CVE-2017-10236
Oracle VM VirtualBox
Core
None
No
7.3
Local
Low
High
None
Changed
Low
Low
High
Prior to 5.1.24
CVE-2017-10237
Oracle VM VirtualBox
Core
None
No
7.3
Local
Low
High
None
Changed
Low
Low
High
Prior to 5.1.24
CVE-2017-10238
Oracle VM VirtualBox
Core
None
No
7.3
Local
Low
High
None
Changed
Low
Low
High
Prior to 5.1.24
CVE-2017-10239
Oracle VM VirtualBox
Core
None
No
7.3
Local
Low
High
None
Changed
Low
Low
High
Prior to 5.1.24
CVE-2017-10240
Oracle VM VirtualBox
Core
None
No
7.3
Local
Low
High
None
Changed
Low
Low
High
Prior to 5.1.24
CVE-2017-10241
Oracle VM VirtualBox
Core
None
No
7.3
Local
Low
High
None
Changed
Low
Low
High
Prior to 5.1.24
CVE-2017-10242
Oracle VM VirtualBox
Core
None
No
7.3
Local
Low
High
None
Changed
Low
Low
High
Prior to 5.1.24
CVE-2017-10235
Oracle VM VirtualBox
Core
None
No
6.7
Local
Low
High
None
Changed
None
Low
High
Prior to 5.1.24
CVE-2017-10209
Oracle VM VirtualBox
Core
None
No
5.2
Local
Low
Low
None
Changed
Low
None
Low
Prior to 5.1.24
CVE-2017-10187
Oracle VM VirtualBox
Core
None
No
4.6
Local
Low
High
None
Changed
None
Low
Low
Prior to 5.1.24
Appendix - Oracle MySQL****Oracle MySQL Executive Summary
This Critical Patch Update contains 30 new security fixes for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle MySQL Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-4436
MySQL Enterprise Monitor
Monitor: General (Apache Struts 2)
HTTP over TLS
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
3.1.5.7958 and earlier, 3.2.5.1141 and earlier, 3.3.2.1162 and earlier,
CVE-2017-5651
MySQL Enterprise Monitor
Monitoring: Server (Apache Tomcat)
HTTP over TLS
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
3.2.7.1204 and earlier, 3.3.3.1199 and earlier
CVE-2017-5647
MySQL Enterprise Monitor
Monitoring: Server (Apache Tomcat)
HTTP over TLS
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
3.3.3.1199 and earlier
CVE-2017-3633
MySQL Server
Server: Memcached
Memcached
Yes
6.5
Network
High
None
None
Un- changed
None
Low
High
5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3634
MySQL Server
Server: DML
MySQL Protocol
No
6.5
Network
Low
Low
None
Un- changed
None
None
High
5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3732
MySQL Connectors
Connector/C (OpenSSL)
MySQL Protocol
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
6.1.9 and earlier
CVE-2017-3732
MySQL Connectors
Connector/ODBC (OpenSSL)
MySQL Protocol
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
5.3.7 and earlier
CVE-2017-3732
MySQL Server
Server: Security: Encryption (OpenSSL)
MySQL Protocol
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
5.6.35 and earlier, 5.7.17 and earlier
CVE-2017-3635
MySQL Connectors
Connector/C
MySQL Protocol
No
5.3
Network
High
Low
None
Un- changed
None
None
High
6.1.10 and earlier
See Note 1
CVE-2017-3635
MySQL Server
C API
MySQL Protocol
No
5.3
Network
High
Low
None
Un- changed
None
None
High
5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier
See Note 1
CVE-2017-3636
MySQL Server
Client programs
MySQL Protocol
No
5.3
Local
Low
Low
None
Un- changed
Low
Low
Low
5.5.56 and earlier, 5.6.36 and earlier
CVE-2017-3529
MySQL Server
Server: UDF
MySQL Protocol
No
5.3
Network
High
Low
None
Un- changed
None
None
High
5.7.18 and earlier
CVE-2017-3637
MySQL Server
X Plugin
X Protocol
No
5.3
Network
High
Low
None
Un- changed
None
None
High
5.7.18 and earlier
CVE-2017-3639
MySQL Server
Server: DML
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.7.18 and earlier
CVE-2017-3640
MySQL Server
Server: DML
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.7.18 and earlier
CVE-2017-3641
MySQL Server
Server: DML
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3643
MySQL Server
Server: DML
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.7.18 and earlier
CVE-2017-3644
MySQL Server
Server: DML
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.7.18 and earlier
CVE-2017-3638
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.7.18 and earlier
CVE-2017-3642
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.7.18 and earlier
CVE-2017-3645
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.7.18 and earlier
CVE-2017-3646
MySQL Server
X Plugin
X Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.7.16 and earlier
CVE-2014-1912
MySQL Cluster
CLSTCONF (Python)
MySQL Protocol
Yes
4.8
Network
High
None
None
Un- changed
None
Low
Low
7.3.5 and earlier
CVE-2017-3648
MySQL Server
Server: Charsets
MySQL Protocol
No
4.4
Network
High
High
None
Un- changed
None
None
High
5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3647
MySQL Server
Server: Replication
MySQL Protocol
No
4.4
Network
High
High
None
Un- changed
None
None
High
5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3649
MySQL Server
Server: Replication
MySQL Protocol
No
4.4
Network
High
High
None
Un- changed
None
None
High
5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3651
MySQL Server
Client mysqldump
MySQL Protocol
No
4.3
Network
Low
Low
None
Un- changed
None
Low
None
5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3652
MySQL Server
Server: DDL
MySQL Protocol
No
4.2
Network
High
Low
None
Un- changed
Low
Low
None
5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier
CVE-2017-3650
MySQL Server
C API
MySQL Protocol
Yes
3.7
Network
High
None
None
Un- changed
Low
None
None
5.7.18 and earlier
CVE-2017-3653
MySQL Server
Server: DDL
MySQL Protocol
No
3.1
Network
High
Low
None
Un- changed
None
Low
None
5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier
Notes:
The documentation has also been updated for the correct way to use mysql_stmt_close(). Please see:
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-execute.html,
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-fetch.html,
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html,
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-error.html,
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-errno.html, and
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-sqlstate.html
Additional CVEs addressed are below:
- The fix for CVE-2016-4436 also addresses CVE-2016-4430, CVE-2016-4431, CVE-2016-4433, CVE-2016-4438, and CVE-2016-4465.
- The fix for CVE-2017-3732 also addresses CVE-2016-7055, and CVE-2017-3731.
- The fix for CVE-2017-5651 also addresses CVE-2017-5650.
Appendix - Oracle Support Tools****Oracle Support Tools Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle Support Tools. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here .
Oracle Support Tools Risk Matrix
CVE#
Product
Component
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2017-3732
Oracle Explorer
Tools (OpenSSL)
HTTP
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
Prior to 8.16
Why Oracle
- Analyst Reports
- Gartner MQ for Cloud ERP
- Cloud Economics
- Corporate Responsibility
- Diversity and Inclusion
- Security Practices
Learn
- What is cloud computing?
- What is CRM?
- What is Docker?
- What is Kubernetes?
- What is Python?
- What is SaaS?
What’s New
News
Oracle CloudWorld
Oracle Supports Ukraine
Oracle Red Bull Racing
Oracle Sustainability
Employee Experience Platform
© 2022 Oracle
Site Map
Privacy/Do Not Sell My Info
Ad Choices
Careers
Facebook
Twitter
LinkedIn
YouTube
Related news
By Deeba Ahmed The malware, dubbed NKAbuse, uses New Kind of Network (NKN) technology, a blockchain-powered peer-to-peer network protocol to spread its infection. This is a post from HackRead.com Read the original post: New ‘NKAbuse’ Linux Malware Uses Blockchain Technology to Spread
A novel multi-platform threat called NKAbuse has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel. "The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities," Russian
Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file
Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.
A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated
Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.
Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.
An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.
IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 228567.
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.
The total number of 61,000 open vulnerabilities, including 1,700 critical ones that have been open for 180+ days, exposes businesses to potential attacks.
The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service (DoS) and remote code execution. The issues, tracked as CVE-2022-3602 and CVE-2022-3786, have been described as buffer overrun vulnerabilities that can be triggered during X.509 certificate verification by supplying a specially-crafted email
Categories: News Tags: fix Tags: bug Tags: vulnerability Tags: exploit Tags: attack Tags: patch Tags: update Tags: OpenSSL Tags: v3 Tags: v1 Tags: 3.0.5. Version 3.0.7 of OpenSSL will fix the software's first critical issue for six years. (Read more...) The post Critical OpenSSL fix due Nov 1—what you need to know appeared first on Malwarebytes Labs.
Fossil 2.18 on Windows allows attackers to cause a denial of service (daemon crash) via an XSS payload in a ticket. This occurs because the ticket data is stored in a temporary file, and the product does not properly handle the absence of this file after Windows Defender has flagged it as malware.
An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin.
libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
Nexans FTTO GigaSwitch industrial/office switches HW version 5 suffer from having a hardcoded backdoor user and multiple outdated vulnerable software components.
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically i...
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Ja...
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158332.
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/A...
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the l...
Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege.
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients ...
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.
statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages.
Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated.
Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to GIS.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling.
Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling.
Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR.
The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.
native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.