Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2017-3636: Oracle Critical Patch Update Advisory - July 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

CVE
#sql#vulnerability#web#ios#android#mac#windows#apple#google#linux#cisco#dos#apache#memcached#java#oracle#kubernetes#intel#ldap#bios#alibaba#auth#docker#ssl
  • Click to view our Accessibility Policy

  • Skip to content

  • Security Alerts

Oracle Critical Patch Update Advisory - July 2017****Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to: Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 310 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at July 2017 Critical Patch Update: Executive Summary and Analysis.

Please note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available here.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Affected Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for patch availability information and installation instructions.

For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update July 2017 Documentation Map, My Oracle Support Note.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions

Patch Availability

Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1

Database

Oracle REST Data Services, versions prior to 3.0.10.25.02.36

Database

Oracle API Gateway, version 11.1.2.4.0

Fusion Middleware

Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0

Fusion Middleware

Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0

Fusion Middleware

Oracle Data Integrator, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0

Fusion Middleware

Oracle Endeca Server, versions 7.3.0.0, 7.4.0.0, 7.5.0.0, 7.5.1.0, 7.6.0.0, 7.6.1.0, 7.7.0.0

Fusion Middleware

Oracle Enterprise Data Quality, version 8.1.13.0.0

Fusion Middleware

Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0

Fusion Middleware

Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.1, 12.2.1.2

Fusion Middleware

Oracle OpenSSO, version 3.0.0.8

Fusion Middleware

Oracle Outside In Technology, version 8.5.3.0

Fusion Middleware

Oracle Secure Enterprise Search, version 11.2.2.2.0

Fusion Middleware

Oracle Service Bus, version 11.1.1.9.0

Fusion Middleware

Oracle Traffic Director, versions 11.1.1.7.0, 11.1.1.9.0

Fusion Middleware

Oracle Tuxedo, version 12.1.1

Fusion Middleware

Oracle Tuxedo System and Applications Monitor, versions 11.1.1.2.0, 11.1.1.2.1, 11.1.1.2.2, 12.1.1.1.0, 12.1.3.0.0, 12.2.2.0.0

Fusion Middleware

Oracle WebCenter Content, versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0

Fusion Middleware

Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2

Fusion Middleware

Hyperion Essbase, version 12.2.1.1

Fusion Middleware

Enterprise Manager Base Platform, versions 12.1.0, 13.1.0, 13.2.0

Enterprise Manager

Enterprise Manager Ops Center, versions 12.2.2, 12.3.2

Enterprise Manager

Oracle Application Testing Suite, versions 12.5.0.2, 12.5.0.3

Enterprise Manager

Oracle Business Transaction Management, versions 11.1.x, 12.1.x

Enterprise Manager

Oracle Configuration Manager, versions prior to 12.1.2.0.4

Enterprise Manager

Application Management Pack for Oracle E-Business Suite, versions AMP 12.1.0.4.0, AMP 13.1.1.1.0

E-Business Suite

Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

E-Business Suite

Oracle Agile PLM, versions 9.3.5, 9.3.6

Oracle Supply Chain Products

Oracle Transportation Management, versions 6.1, 6.2, 6.3.4.1, 6.3.5.1, 6.3.6.1, 6.3.7.1, 6.4.0, 6.4.1, 6.4.2

Oracle Supply Chain Products

PeopleSoft Enterprise FSCM, version 9.2

PeopleSoft

PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55

PeopleSoft

PeopleSoft Enterprise PRTL Interaction Hub, version 9.1.0

PeopleSoft

Siebel Applications, versions 16.0, 17.0

Siebel

Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 6.1.4, 11.0, 11.1, 11.2

Oracle Commerce

Oracle iLearning, version 6.2

iLearning

Oracle Fusion Applications, versions 11.1.2 through 11.1.9

Fusion Applications

Oracle Communications BRM, versions 11.2.0.0.0, 11.3.0.0.0

Oracle Communications BRM - Elastic Charging Engine

Oracle Communications Convergence, versions 3.0, 3.0.1

Oracle Communications Convergence

Oracle Communications EAGLE LNP Application Processor, version 10.0

Oracle Communications EAGLE LNP Application Processor

Oracle Communications Network Charging and Control, versions 4.4.1.5, 5.0.0.1, 5.0.0.2, 5.0.1.0, 5.0.2.0

Oracle Communications Network Charging and Control

Oracle Communications Policy Management, version 11.5

Oracle Communications Policy Management

Oracle Communications Session Router, versions ECZ730, SCZ730, SCZ740

Oracle Communications Session Router

Oracle Enterprise Communications Broker, version PCZ210

Oracle Enterprise Communications Broker

Oracle Enterprise Session Border Controller, version ECZ7.3.0

Oracle Enterprise Session Border Controller

Financial Services Behavior Detection Platform, versions 8.0.1, 8.0.2

Oracle Financial Services Applications

Oracle Banking Platform, versions 2.3, 2.4, 2.4.1, 2.5

Oracle Banking Platform

Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3

Oracle Financial Services Applications

Oracle FLEXCUBE Private Banking, versions 2.0.0, 2.0.1, 2.2.0, 12.0.1

Oracle Financial Services Applications

Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0

Oracle Financial Services Applications

Hospitality Hotel Mobile, versions 1.01, 1.05, 1.1

Hospitality Hotel Mobile

Hospitality Property Interfaces, version 8.10.x

Hospitality Property Interfaces

Hospitality Suite8, version 8.10.x

Hospitality Suite8

Hospitality WebSuite8 Cloud Service, versions 8.9.6, 8.10.x

Hospitality WebSuite8 Cloud Service

MICROS BellaVita, version 2.7.x

MICROS BellaVita

MICROS PC Workstation 2015, versions Prior to O1302h

MICROS PC Workstation

MICROS Workstation 650, versions Prior to E1500n

MICROS Workstation

Oracle Hospitality 9700, version 4.0

Oracle Hospitality 9700

Oracle Hospitality Cruise AffairWhere, version 2.2.05.062

Hospitality Cruise AffairWhere

Oracle Hospitality Cruise Dining Room Management, version 8.0.75

Oracle Hospitality Cruise Dining Room Management

Oracle Hospitality Cruise Fleet Management, version 9.0

Oracle Hospitality Cruise Fleet Management

Oracle Hospitality Cruise Materials Management, version 7.30.562

Oracle Hospitality Cruise Materials Management

Oracle Hospitality Cruise Shipboard Property Management System, version 8.0.0.0

Oracle Hospitality Cruise Shipboard Property Management System

Oracle Hospitality e7, version 4.2.1

Oracle Hospitality e7

Oracle Hospitality Guest Access, versions 4.2.0.0, 4.2.1.0

Oracle Hospitality Guest Access

Oracle Hospitality Inventory Management, versions 8.5.1, 9.0.0

Oracle Hospitality Inventory Management

Oracle Hospitality Materials Control, versions 8.31.4, 8.32.0

Oracle Hospitality Materials Control

Oracle Hospitality OPERA 5 Property Services, versions 5.4.0.x, 5.4.1.x, 5.4.3.x

Oracle Hospitality OPERA 5 Property Services

Oracle Hospitality Reporting and Analytics, versions 8.5.1, 9.0.0

Oracle Hospitality Reporting and Analytics

Oracle Hospitality RES 3700, version 5.5

Oracle Hospitality RES

Oracle Hospitality Simphony, versions 2.8, 2.9

Oracle Hospitality Simphony

Oracle Hospitality Simphony First Edition, version 1.7.1

Hospitality Simphony First Edition

Oracle Hospitality Simphony First Edition Venue Management, version 3.9

Hospitality Simphony First Edition Venue Management

Oracle Hospitality Suites Management, version 3.7

Hospitality Suites Management

Oracle Payment Interface, version 6.1.1

Oracle Payment Interface

Oracle Retail Allocation, versions 13.3.1, 14.0.4, 14.1.3, 15.0.1, 16.0.1

Retail Applications

Oracle Retail Customer Insights, versions 15.0, 16.0

Retail Applications

Oracle Retail Open Commerce Platform, versions 5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 15.0, 15.1

Retail Applications

Oracle Retail Warehouse Management System, versions 14.0.4, 14.1.3, 15.0.1

Retail Applications

Oracle Retail Workforce Management, versions 1.60.7, 1.64.0

Retail Applications

Oracle Retail Xstore Point of Service, versions 6.0.x, 6.5.x, 7.0.x, 7.1.x, 15.0.x, 16.0.0

Retail Applications

Oracle Policy Automation, versions 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3

Oracle Policy Automation

Primavera Gateway, versions 1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2

Oracle Primavera Products Suite

Primavera P6 Enterprise Project Portfolio Management, versions 8.3, 8.4, 15.1, 15.2, 16.1, 16.2

Oracle Primavera Products Suite

Primavera Unifier, versions 9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1, 16.2

Oracle Primavera Products Suite

Java Advanced Management Console, version 2.6

Oracle Java SE

Oracle Java SE, versions 6u151, 7u141, 8u131

Oracle Java SE

Oracle Java SE Embedded, version 8u131

Oracle Java SE

Oracle JRockit, version R28.3.14

Oracle Java SE

Solaris, versions 10, 11

Oracle and Sun Systems Products Suite

Solaris Cluster, version 4

Oracle and Sun Systems Products Suite

Sun ZFS Storage Appliance Kit (AK), version AK 2013

Oracle and Sun Systems Products Suite

Oracle VM VirtualBox, versions prior to 5.1.24

Oracle Linux and Virtualization

MySQL Cluster, versions 7.3.5 and prior

Oracle MySQL Product Suite

MySQL Connectors, versions 5.3.7 and prior, 6.1.10 and prior

Oracle MySQL Product Suite

MySQL Enterprise Monitor, versions 3.1.5.7958 and prior, 3.2.5.1141 and prior, 3.2.7.1204 and prior, 3.3.2.1162 and prior, 3.3.3.1199 and prior

Oracle MySQL Product Suite

MySQL Server, versions 5.5.56 and prior, 5.6.36 and prior, 5.7.18 and prior

Oracle MySQL Product Suite

Oracle Explorer, versions prior to 8.16

Oracle Support Tools

Note:

  • Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
  • Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates (CPUs) and Solaris Third Party bulletins.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here .

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible . Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update July 2017 Availability Document, My Oracle Support Note 2261562.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • Adam Willard of Blue Canopy: CVE-2017-10040
  • Antonio Sanso: CVE-2017-10176
  • Ary Dobrovolskiy of Citadel: CVE-2017-10119
  • Behzad Najjarpour Jabbari, Secunia Research at Flexera Software: CVE-2017-10141, CVE-2017-10196
  • CERT/CC: CVE-2017-10042
  • Che-Chun Kuo of Divergent Security: CVE-2017-10137
  • Daniel Bleichenbacher of Google: CVE-2017-10115, CVE-2017-10118
  • David Litchfield of Apple: CVE-2017-10120
  • Deniz Cevik of Biznet Bilisim A.S: CVE-2017-10063
  • Dmitrii Iudin aka @ret5et of ERPScan: CVE-2017-10106, CVE-2017-10146
  • Emiliano J. Fausto of Onapsis: CVE-2017-10192
  • Federico Dobal of Onapsis: CVE-2017-10192
  • Gaston Traberg of Onapsis: CVE-2017-10108, CVE-2017-10109, CVE-2017-10180
  • Hassan El Hadary - Secure Misr: CVE-2017-10181
  • Ilya Maykov: CVE-2017-10135
  • Jakub Palaczynski of ING Services Polska: CVE-2017-10025, CVE-2017-10028, CVE-2017-10029, CVE-2017-10030, CVE-2017-10156, CVE-2017-10157
  • James Forshaw: CVE-2017-10129, CVE-2017-10204
  • Jayson Grace of Sandia National Laboratories: CVE-2017-10017
  • John Lightsey: CVE-2017-3636
  • Juan Pablo Perez Etchegoyen of Onapsis: CVE-2017-10244, CVE-2017-10245
  • Justin Ng of Spark: CVE-2017-10134
  • Li Qiang of the Qihoo 360 Gear Team: CVE-2017-10187, CVE-2017-10209, CVE-2017-10210, CVE-2017-10236, CVE-2017-10237, CVE-2017-10238, CVE-2017-10239, CVE-2017-10240, CVE-2017-10241, CVE-2017-10242
  • Luca Napolitano of Hewlett Packard Enterprise: CVE-2017-10058
  • Lucas Molas of Fundación Sadosky: CVE-2017-10235
  • Lukasz Mikula: CVE-2017-10059
  • Marcin Wołoszyn of ING Services Polska: CVE-2017-10024, CVE-2017-10030, CVE-2017-10035, CVE-2017-10043, CVE-2017-10091
  • Marcus Mengs: CVE-2017-10125
  • Marios Nicolaides of RUNESEC: CVE-2017-10046
  • Maris Elsins of Pythian: CVE-2017-3562
  • Matias Mevied of Onapsis: CVE-2017-10184, CVE-2017-10185, CVE-2017-10186, CVE-2017-10191
  • Mohit Rawat: CVE-2017-10041
  • Moritz Bechler: CVE-2017-10102, CVE-2017-10116
  • Or Hanuka of Motorola Solutions: CVE-2017-10038, CVE-2017-10131, CVE-2017-10149, CVE-2017-10150, CVE-2017-10160
  • Owais Mehtab of IS: CVE-2017-10075
  • Reno Robert: CVE-2017-10210, CVE-2017-10233, CVE-2017-10236, CVE-2017-10239, CVE-2017-10240
  • Roman Shalymov of ERPScan: CVE-2017-10061
  • Sarath Nair: CVE-2017-10246
  • Sean Gambles: CVE-2017-10025
  • Sergio Abraham of Onapsis: CVE-2017-10192
  • Shannon Hickey of Adobe: CVE-2017-10053
  • Sule Bekin of Turk Telekom: CVE-2017-10028
  • Takeshi Terada of Mitsui Bussan Secure Directions, Inc.: CVE-2017-10178
  • Tayeeb Rana of IS: CVE-2017-10075
  • Tzachy Horesh of Motorola Solutions: CVE-2017-10038, CVE-2017-10131, CVE-2017-10149, CVE-2017-10150, CVE-2017-10160
  • Tzachy Horesh of Palantir Security: CVE-2017-10092, CVE-2017-10093, CVE-2017-10094
  • Ubais PK of EY Global Delivery Services: CVE-2017-10073
  • Vahagn Vardanyan of ERPScan: CVE-2017-10147, CVE-2017-10148
  • Zuozhi Fan formerly of Alibaba: CVE-2017-3640, CVE-2017-3641

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:

  • Christopher Tarquini
  • Francis Alexander
  • Francisco Correa
  • George Argyros of Columbia University
  • Jesse Wilson of Square
  • Kexin Pei of Columbia University
  • Nick Bloor of NCC Group
  • Pham Van Khanh of Viettel Information Security Center
  • Prof. Angelos D. Keromytis of Columbia University
  • Prof. Suman Jana of Columbia University
  • Suphannee Sivakorn of Columbia University

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

  • Adam Willard of Blue Canopy
  • Adesh Nandkishor Kolte
  • Ahsan Khan
  • Amin Achour of Trading House
  • Ashish Gautam Kamble
  • Guifre Ruiz
  • Haider Kamal
  • Jolan Saluria
  • Muhammad Uwais
  • Nithin R
  • Pratik Luhana
  • Rodolfo Godalle Jr.
  • Sadik Shaikh of extremehacking.org
  • Willy Gaston Lindo

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 17 October 2017
  • 16 January 2018
  • 17 April 2018
  • 17 July 2018

References

  • Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network]
  • Critical Patch Update - July 2017 Documentation Map [ My Oracle Support Note]
  • Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ]
  • Risk Matrix definitions [ Risk Matrix Definitions]
  • Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring]
  • English text version of the risk matrices [ Oracle Technology Network]
  • CVRF XML version of the risk matrices [ Oracle Technology Network ]
  • The Oracle Software Security Assurance Blog [ The Oracle Software Security Assurance Blog]
  • List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network]
  • Software Error Correction Support Policy [ My Oracle Support Note 209768.1]

Modification History

Date

Note

2017-July-18

Rev 1. Initial Release.

2017-August-1

Rev 2. Credit Statement Update.

2017-August-9

Rev 3. Updated CVSS score for CVE-2017-10183.

2017-August-10

Rev 4. Added CVE-2017-10008 and CVE-2017-10064.

2018-January-29

Rev 5. Credit Statement Update.

2018-March-20

Rev 6. Credit Statement Update.

Appendix - Oracle Database Server****Oracle Database Server Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle Database Server divided as follows:

  • 4 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
  • 1 new security fix for Oracle REST Data Services. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

CVE#

Component

Package and/or Privilege Required

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2017-10202

OJVM

Create Session, Create Procedure

Multiple

No

9.9

Network

Low

Low

None

Changed

High

High

High

11.2.0.4, 12.1.0.2, 12.2.0.1

See Note 1

CVE-2014-3566

DBMS_LDAP

None

LDAP

Yes

6.8

Network

High

None

None

Changed

High

None

None

11.2.0.4, 12.1.0.2

CVE-2016-2183

Real Application Clusters

None

SSL/TLS

Yes

6.8

Network

High

None

Required

Un- changed

High

High

None

11.2.0.4, 12.1.0.2

CVE-2017-10120

RDBMS Security

Create Session, Select Any Dictionary

Oracle Net

No

1.9

Local

High

High

None

Un- changed

None

Low

None

12.1.0.2

Notes:

  1. This score is for Windows platforms. On non-Windows platforms Scope is Unchanged, giving a CVSS Base Score of 8.8.

Oracle REST Data Services Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle REST Data Services. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle REST Data Services Risk Matrix

CVE#

Component

Package and/or Privilege Required

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-3092

Oracle REST Data Services

None

Multiple

Yes

7.5

Network

Low

None

None

Un- changed

None

None

High

Prior to 3.0.10.25.02.36

Appendix - Oracle Fusion Middleware****Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 44 new security fixes for Oracle Fusion Middleware. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the July 2017 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2017 Patch Availability Document for Oracle Products, My Oracle Support Note 2261562.1.

Oracle Fusion Middleware Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2017-10137

Oracle WebLogic Server

JNDI

HTTP

Yes

10.0

Network

Low

None

None

Changed

High

High

High

10.3.6.0, 12.1.3.0

CVE-2015-3253

Oracle Enterprise Data Quality

General (Apache Groovy)

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

8.1.13.0.0

CVE-2015-5254

Oracle Enterprise Repository

Security Subsystem (Apache ActiveMQ)

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

11.1.1.7.0, 12.1.3.0.0

CVE-2017-5638

Oracle WebLogic Server

Sample apps (Struts 2)

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2

CVE-2015-7501

Oracle Data Integrator

Studio

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0

CVE-2015-7501

Oracle Endeca Server

Core (Apache Commons Collections)

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

7.6.0.0, 7.6.1.0

CVE-2015-7501

Oracle Enterprise Data Quality

General (Apache Commons Fileupload)

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

8.1.13.0.0

CVE-2015-7501

Oracle Enterprise Repository

Security

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

12.1.3.0.0

CVE-2016-0635

Oracle Enterprise Repository

Security Subsystem

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

12.1.3.0.0

CVE-2016-2834

Oracle OpenSSO

Web Agents (NSS)

HTTPS

Yes

8.8

Network

Low

None

Required

Un- changed

High

High

High

3.0.0.8

CVE-2016-2834

Oracle Traffic Director

Security (NSS)

HTTPS

Yes

8.8

Network

Low

None

Required

Un- changed

High

High

High

11.1.1.7.0, 11.1.1.9.0

CVE-2015-7501

Oracle Tuxedo System and Applications Monitor

General (Apache Commons Collections)

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

11.1.1.2.0, 11.1.1.2.1, 11.1.1.2.2, 12.1.1.1.0, 12.1.3.0.0

CVE-2016-0635

Oracle Tuxedo System and Applications Monitor

General (Spring)

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

11.1.1.2.0, 11.1.1.2.1, 11.1.1.2.2, 12.1.1.1.0, 12.1.3.0.0, 12.2.2.0.0

CVE-2017-10147

Oracle WebLogic Server

Core Components

T3

Yes

8.6

Network

Low

None

None

Changed

None

None

High

10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2

CVE-2017-10025

BI Publisher

BI Publisher Security

HTTP

Yes

8.2

Network

Low

None

None

Un- changed

High

Low

None

11.1.1.7.0

CVE-2017-10043

BI Publisher

BI Publisher Security

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

11.1.1.7.0, 11.1.1.9.0

CVE-2017-10156

BI Publisher

BI Publisher Security

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0

CVE-2017-10024

BI Publisher

Layout Tools

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

11.1.1.7.0

CVE-2017-10028

BI Publisher

Web Server

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

11.1.1.7.0

CVE-2017-10029

BI Publisher

Web Server

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

11.1.1.7.0

CVE-2017-10030

BI Publisher

Web Server

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

11.1.1.7.0

CVE-2017-10035

BI Publisher

Web Server

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

11.1.1.7.0, 11.1.1.9.0

CVE-2017-10048

Oracle Enterprise Repository

Web Interface

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

11.1.1.7.0, 12.1.3.0.0

CVE-2017-10141

Oracle Outside In Technology

Outside In Filters

HTTP

Yes

8.2

Network

Low

None

None

Un- changed

None

Low

High

8.5.3.0

CVE-2017-10196

Oracle Outside In Technology

Outside In Filters

HTTP

Yes

8.2

Network

Low

None

None

Un- changed

None

Low

High

8.5.3.0

CVE-2017-10040

Oracle WebCenter Content

Content Server

HTTP

Yes

8.2

Network

Low

None

Required

Changed

Low

High

None

11.1.1.9.0, 12.2.1.1.0

CVE-2017-10075

Oracle WebCenter Content

Content Server

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0

CVE-2017-10059

BI Publisher

Mobile Service

HTTP

No

7.6

Network

Low

Low

Required

Changed

High

Low

None

11.1.1.7.0

CVE-2017-10041

BI Publisher

Web Server

HTTP

No

7.6

Network

Low

Low

Required

Changed

High

Low

None

11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0

CVE-2017-10119

Oracle Service Bus

OSB Web Console Design, Admin

HTTP

No

7.6

Network

Low

Low

Required

Changed

High

Low

None

11.1.1.9.0

CVE-2016-3092

BI Publisher

Web Server (Apache Commons Fileupload)

HTTP

Yes

7.5

Network

Low

None

None

Un- changed

None

None

High

11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0

CVE-2015-7940

Oracle Enterprise Repository

Security Subsystem (Bouncy Castle)

HTTPS

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

12.1.3.0.0

CVE-2015-7940

Oracle Secure Enterprise Search

Generic (Bouncy Castle)

HTTPS

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

11.2.2.2.0

CVE-2017-10058

Oracle Business Intelligence Enterprise Edition

Analytics Web Administration

HTTP

No

6.9

Network

Low

High

Required

Changed

Low

High

None

11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0

CVE-2017-10157

BI Publisher

BI Publisher Security

HTTP

Yes

6.5

Network

Low

None

None

Un- changed

Low

Low

None

11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0

CVE-2017-10178

Oracle WebLogic Server

Web Container

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2

CVE-2017-3732

Oracle API Gateway

OAG (OpenSSL)

HTTPS

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

11.1.2.4.0

CVE-2017-3732

Oracle Endeca Server

Core (OpenSSL)

HTTPS

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

7.3.0.0, 7.4.0.0, 7.5.0.0, 7.5.1.0, 7.6.0.0, 7.6.1.0, 7.7.0.0

CVE-2017-3732

Oracle Tuxedo

SSL Module (OpenSSL)

HTTPS

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

12.1.1

CVE-2013-2027

Oracle WebLogic Server

WLST

None

No

5.9

Local

Low

None

None

Un- changed

Low

Low

Low

10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2

CVE-2017-10148

Oracle WebLogic Server

Core Components

T3

Yes

5.8

Network

Low

None

None

Changed

None

Low

None

10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2

CVE-2017-10063

Oracle WebLogic Server

Web Services

HTTP

Yes

4.8

Network

High

None

None

Un- changed

None

Low

Low

10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2

CVE-2017-10123

Oracle WebLogic Server

Web Container

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

12.1.3.0

CVE-2014-3566

Oracle Endeca Server

Core (OpenSSL)

HTTPS

Yes

3.4

Network

High

None

Required

Changed

Low

None

None

7.4.0.0, 7.5.0.0, 7.5.1.0, 7.6.0.0, 7.6.1.0

Additional CVEs addressed are below:

  • The fix for CVE-2015-7501 also addresses CVE-2011-2730.
  • The fix for CVE-2015-7940 also addresses CVE-2015-7501, and CVE-2016-5019.
  • The fix for CVE-2016-2834 also addresses CVE-2016-1950, and CVE-2016-1979.
  • The fix for CVE-2017-3732 also addresses CVE-2016-7055, and CVE-2017-3731.

Appendix - Oracle Hyperion****Oracle Hyperion Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Hyperion. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Hyperion Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-0635

Hyperion Essbase

Java Based Agent (Spring)

Multiple

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

See Note 1

Notes:

  1. Fixed in all versions from 12.2.1.1 onward.

Appendix - Oracle Enterprise Manager Grid Control****Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle Enterprise Manager Grid Control. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2017 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2017 Patch Availability Document for Oracle Products, My Oracle Support Note 2261562.1.

Oracle Enterprise Manager Grid Control Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-5387

Enterprise Manager Ops Center

Satellite Framework

HTTP

Yes

8.1

Network

High

None

None

Un- changed

High

High

High

12.2.2, 12.3.2

CVE-2016-1181

Oracle Application Testing Suite

Installation

HTTP

Yes

8.1

Network

High

None

None

Un- changed

High

High

High

12.5.0.2, 12.5.0.3

CVE-2017-10091

Enterprise Manager Base Platform

UI Framework

HTTP

No

7.7

Network

Low

Low

None

Changed

None

High

None

12.1.0, 13.1.0, 13.2.0

CVE-2015-7940

Oracle Business Transaction Management

Security

HTTP

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

11.1.x, 12.1.x

CVE-2016-2381

Oracle Configuration Manager

Installation

Multiple

No

6.5

Network

Low

Low

None

Un- changed

None

High

None

Prior to 12.1.2.0.4

CVE-2017-3732

Enterprise Manager Base Platform

Discovery Framework

HTTPS

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

12.1.0, 13.1.0, 13.2.0

CVE-2017-3732

Enterprise Manager Ops Center

Networking

HTTPS

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

12.2.2, 12.3.2

CVE-2016-3092

Enterprise Manager Ops Center

Hosted Framework

HTTP

Yes

5.3

Network

Low

None

None

Un- changed

None

None

Low

12.2.2, 12.3.2

Additional CVEs addressed are below:

  • The fix for CVE-2016-2381 also addresses CVE-2015-8607, and CVE-2015-8608.
  • The fix for CVE-2016-5387 also addresses CVE-2016-5385, CVE-2016-5386, and CVE-2016-5388.

Appendix - Oracle Applications****Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 22 new security fixes for the Oracle E-Business Suite. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2017 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2017), My Oracle Support Note 2270270.1. Some of the risk matrix rows in this section are assigned multiple CVE#s. In these cases, additional CVEs are listed below the risk matrix to improve readability. Each group of CVE identifiers share the same description, vulnerability type, Component, Sub-Component and affected versions listed in the risk matrix entry, but occur in different code sections within a Sub-Component.

Oracle E-Business Suite Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2017-10246

Oracle Application Object Library

iHelp

HTTP

Yes

8.2

Network

Low

None

None

Un- changed

High

Low

None

12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2017-10180

Oracle CRM Technical Foundation

CMRO

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2017-10143

Oracle CRM Technical Foundation

Preferences

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2017-10185

Oracle CRM Technical Foundation

User Management

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2017-10113

Oracle Common Applications

CRM User Management Framework

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2017-10170

Oracle Field Service

Wireless/WAP

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

12.1.1, 12.1.2, 12.1.3

CVE-2017-10171

Oracle Marketing

Home Page

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2017-10191

Oracle Web Analytics

Common Libraries

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2017-10112

Oracle iStore

User Registration

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2017-10174

Oracle iSupport

Service Request

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2017-10177

Oracle Application Object Library

Flexfields

HTTP

No

8.1

Network

Low

Low

None

Un- changed

High

High

None

12.2.6

CVE-2017-10130

Oracle iStore

User Management

HTTP

No

7.6

Network

Low

Low

Required

Changed

High

Low

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2016-6304

Application Server

OpenSSL

HTTPS

Yes

7.5

Network

Low

None

None

Un- changed

None

None

High

12.1.3

CVE-2017-10144

Oracle Applications Manager

Oracle Diagnostics Interfaces

HTTP

Yes

7.5

Network

Low

None

None

Un- changed

None

None

High

12.1.3

CVE-2017-10245

Oracle General Ledger

Account Hierarchy Manager

HTTP

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2017-10179

Application Management Pack for Oracle E-Business Suite

User Monitoring

HTTP

Yes

6.5

Network

Low

None

None

Un- changed

Low

Low

None

AMP 12.1.0.4.0, AMP 13.1.1.1.0

CVE-2017-3562

Oracle Applications DBA

AD Utilities

HTTP

No

6.5

Network

Low

High

None

Un- changed

High

High

None

12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2017-10244

Oracle Application Object Library

Attachments

HTTP

Yes

5.3

Network

Low

None

None

Un- changed

Low

None

None

12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2017-10184

Oracle Field Service

Wireless/WAP

HTTP

Yes

5.3

Network

Low

None

None

Un- changed

Low

None

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2017-10192

Oracle iStore

Shopping Cart

HTTP

Yes

5.3

Network

Low

None

None

Un- changed

Low

None

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2017-10186

Oracle iStore

User and Company Profile

HTTP

Yes

5.3

Network

Low

None

None

Un- changed

Low

None

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2017-10175

Oracle iSupport

Profiles

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

Additional CVEs addressed are below:

  • The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, and CVE-2016-7052.

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 10 new security fixes for the Oracle Supply Chain Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2017-10039

Oracle Agile PLM

Web Client

HTTP

No

6.8

Network

Low

Low

Required

Changed

High

None

None

9.3.5, 9.3.6

CVE-2017-10052

Oracle Agile PLM

PCMServlet

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

9.3.5, 9.3.6

CVE-2017-10080

Oracle Agile PLM

Security

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

9.3.5, 9.3.6

CVE-2017-10082

Oracle Agile PLM

Security

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

9.3.5, 9.3.6

CVE-2017-10092

Oracle Agile PLM

Security

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

9.3.5, 9.3.6

CVE-2017-3732

Oracle Transportation Management

Apache Webserver

HTTP

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

6.1, 6.2

CVE-2017-10094

Oracle Agile PLM

Security

HTTP

No

5.4

Network

Low

Low

Required

Changed

Low

Low

None

9.3.5, 9.3.6

CVE-2017-10032

Oracle Transportation Management

Access Control List

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

6.3.4.1, 6.3.5.1, 6.3.6.1, 6.3.7.1, 6.4.0, 6.4.1, 6.4.2

CVE-2017-10093

Oracle Agile PLM

Security

HTTP

Yes

5.3

Network

Low

None

None

Un- changed

Low

None

None

9.3.5, 9.3.6

CVE-2017-10088

Oracle Agile PLM

Security

None

No

3.4

Local

Low

High

None

Un- changed

Low

Low

None

9.3.5, 9.3.6

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 30 new security fixes for Oracle PeopleSoft Products. 20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2017-10061

PeopleSoft Enterprise PeopleTools

Integration Broker

HTTP

Yes

8.3

Network

Low

None

None

Changed

Low

Low

Low

8.54, 8.55

CVE-2017-10146

PeopleSoft Enterprise PeopleTools

Portal

HTTP

Yes

8.3

Network

Low

None

None

Changed

Low

Low

Low

8.54, 8.55

CVE-2017-10019

PeopleSoft Enterprise PeopleTools

Integration Broker

HTTP

Yes

7.4

Network

Low

None

Required

Changed

High

None

None

8.54, 8.55

CVE-2017-10258

PeopleSoft Enterprise PRTL Interaction Hub

Add New Image

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

9.1.0

CVE-2017-10257

PeopleSoft Enterprise PRTL Interaction Hub

Browse Folder Hierarchy

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

9.1.0

CVE-2017-10215

PeopleSoft Enterprise PRTL Interaction Hub

EPPCM_DEFN_CATG

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

9.1.0

CVE-2017-10248

PeopleSoft Enterprise PRTL Interaction Hub

EPPCM_HIER_TOP

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

9.1.0

CVE-2017-10255

PeopleSoft Enterprise PRTL Interaction Hub

EPPCM_HIER_TOP

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

9.1.0

CVE-2017-10256

PeopleSoft Enterprise PRTL Interaction Hub

EPPCM_HIER_TOP

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

9.1.0

CVE-2017-10100

PeopleSoft Enterprise PRTL Interaction Hub

HTML Area

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

9.1.0

CVE-2017-10126

PeopleSoft Enterprise PRTL Interaction Hub

HTML Area

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

9.1.0

CVE-2017-10247

PeopleSoft Enterprise PRTL Interaction Hub

HTML Area

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

9.1.0

CVE-2017-10070

PeopleSoft Enterprise PRTL Interaction Hub

Maintenance Folders

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

9.1.0

CVE-2017-10249

PeopleSoft Enterprise PeopleTools

Integration Broker

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

8.54, 8.55

CVE-2017-10021

PeopleSoft Enterprise PeopleTools

PIA Search

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

8.54, 8.55

CVE-2017-10253

PeopleSoft Enterprise PeopleTools

Pivot Grid

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

8.54, 8.55

CVE-2017-10106

PeopleSoft Enterprise PeopleTools

Portal

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

8.54, 8.55

CVE-2017-10017

PeopleSoft Enterprise PeopleTools

Workcenter

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

8.54, 8.55

CVE-2017-3731

PeopleSoft Enterprise PeopleTools

Security

HTTP

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

8.54, 8.55

CVE-2017-10134

PeopleSoft Enterprise FSCM

eProcurement

HTTP

No

5.4

Network

Low

Low

Required

Changed

Low

Low

None

9.2

CVE-2017-10057

PeopleSoft Enterprise PRTL Interaction Hub

Discussion Forum

HTTP

No

5.4

Network

Low

Low

Required

Changed

Low

Low

None

9.1.0

CVE-2017-10027

PeopleSoft Enterprise PeopleTools

Fluid Homepage & Navigation

HTTP

No

5.4

Network

Low

Low

Required

Changed

Low

Low

None

8.54, 8.55

CVE-2017-10045

PeopleSoft Enterprise PeopleTools

Integration Broker

HTTP

Yes

5.3

Network

High

None

Required

Un- changed

High

None

None

8.54, 8.55

CVE-2017-10015

PeopleSoft Enterprise PeopleTools

Application Designer

None

No

4.7

Local

High

Low

None

Un- changed

High

None

None

8.54, 8.55

CVE-2017-10251

PeopleSoft Enterprise PeopleTools

Test Framework

None

No

4.7

Local

High

Low

None

Un- changed

High

None

None

8.54, 8.55

CVE-2017-10250

PeopleSoft Enterprise PeopleTools

Tuxedo

None

No

4.7

Local

High

Low

None

Un- changed

High

None

None

8.54, 8.55

CVE-2017-10020

PeopleSoft Enterprise PeopleTools

Updates Change Assistant

None

No

4.7

Local

High

Low

None

Un- changed

High

None

None

8.54, 8.55

CVE-2017-10252

PeopleSoft Enterprise PeopleTools

Updates Change Assistant

None

No

4.7

Local

High

Low

None

Un- changed

High

None

None

8.54, 8.55

CVE-2017-10018

PeopleSoft Enterprise FSCM

Strategic Sourcing

HTTP

No

4.3

Network

Low

Low

None

Un- changed

None

Low

None

9.2

CVE-2017-10254

PeopleSoft Enterprise FSCM

Staffing Front Office

HTTP

No

2.7

Network

Low

High

None

Un- changed

Low

None

None

9.2

Additional CVEs addressed are below:

  • The fix for CVE-2017-3731 also addresses CVE-2016-7055.

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Siebel CRM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2017-10049

Siebel Core CRM

Search

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

16.0, 17.0

Oracle Commerce Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Commerce. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Commerce Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2017-3732

Oracle Commerce Guided Search / Oracle Commerce Experience Manager

Platform Services

HTTPS

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

6.1.4, 11.0, 11.1, 11.2

Oracle iLearning Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle iLearning Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2017-10199

Oracle iLearning

Learner Pages

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

6.2

Appendix - Oracle Communications Applications****Oracle Communications Applications Executive Summary

This Critical Patch Update contains 11 new security fixes for Oracle Communications Applications. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2015-3253

Oracle Communications BRM

Elastic Charging Engine (Apache Groovy)

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

11.2.0.0.0, 11.3.0.0.0

CVE-2015-0235

Oracle Communications Policy Management

Platform (GlibC)

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

11.5

CVE-2015-7501

Oracle Communications BRM

Elastic Charging Engine (Apache Commons Collections)

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

11.2.0.0.0

CVE-2016-0635

Oracle Communications BRM

Elastic Charging Engine (Spring)

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

11.2.0.0.0, 11.3.0.0.0

CVE-2016-2107

Oracle Communications Session Router

Routing (OpenSSL)

TLS

Yes

8.2

Network

Low

None

None

Un- changed

Low

None

High

SCZ730, SCZ740, ECZ730

CVE-2016-2107

Oracle Enterprise Communications Broker

Routing (OpenSSL)

TLS

Yes

8.2

Network

Low

None

None

Un- changed

Low

None

High

PCZ210

CVE-2015-7940

Oracle Communications Convergence

Mail Proxy (Bouncy Castle)

HTTP

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

3.0, 3.0.1

CVE-2016-6304

Oracle Enterprise Session Border Controller

Routing (OpenSSL)

TLS

Yes

7.5

Network

Low

None

None

Un- changed

None

None

High

ECZ7.3.0

CVE-2017-10031

Oracle Communications Convergence

Mail Proxy (dojo)

HTTP

Yes

7.2

Network

Low

None

None

Changed

Low

Low

None

3.0, 3.0.1

CVE-2016-2107

Oracle Communications EAGLE LNP Application Processor

Platform (OpenSSL)

TLS

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

10.0

CVE-2017-3732

Oracle Communications Network Charging and Control

Common fns (OpenSSL)

TLS

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

4.4.1.5, 5.0.0.1, 5.0.0.2, 5.0.1.0, 5.0.2.0

Additional CVEs addressed are below:

  • The fix for CVE-2016-2107 also addresses CVE-2014-0224, CVE-2014-3571, CVE-2015-0286, CVE-2015-0286, CVE-2015-1788, CVE-2015-1788, CVE-2015-1789, CVE-2015-1789, CVE-2015-1790, CVE-2015-1790, CVE-2015-1791, CVE-2015-1791, CVE-2015-1792, CVE-2015-1792, CVE-2015-3195, CVE-2015-3195, CVE-2015-3197, CVE-2015-3197, CVE-2016-2105, CVE-2016-2105, CVE-2016-2106, CVE-2016-2106, CVE-2016-2108, CVE-2016-2108, CVE-2016-2109, and CVE-2016-2109.
  • The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, and CVE-2016-7052.

Appendix - Oracle Financial Services Applications****Oracle Financial Services Applications Executive Summary

This Critical Patch Update contains 20 new security fixes for Oracle Financial Services Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Financial Services Applications Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-0635

Financial Services Behavior Detection Platform

Admin Tool (Spring)

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

8.0.1, 8.0.2

CVE-2016-3092

Oracle Banking Platform

Collections (Apache Commons FileUpload)

HTTP

Yes

7.5

Network

Low

None

None

Un- changed

None

None

High

2.3, 2.4, 2.4.1, 2.5

CVE-2017-10085

Oracle FLEXCUBE Universal Banking

Infrastructure

HTTP

No

7.1

Network

Low

Low

None

Un- changed

High

Low

None

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0

CVE-2017-10181

Oracle FLEXCUBE Direct Banking

Forgot Password

HTTP

No

6.8

Network

Low

Low

Required

Un- changed

Low

Low

High

12.0.2, 12.0.3

CVE-2017-10006

Oracle FLEXCUBE Private Banking

Miscellaneous

HTTP

No

6.5

Network

Low

Low

None

Un- changed

None

High

None

2.0.0, 2.0.1, 2.2.0, 12.0.1

CVE-2017-10103

Oracle FLEXCUBE Private Banking

Miscellaneous

HTTP

No

6.5

Network

Low

Low

None

Un- changed

High

None

None

2.0.0, 2.0.1, 2.2.0, 12.0.1

CVE-2017-10023

Oracle FLEXCUBE Private Banking

Operations

HTTP

No

6.5

Network

Low

Low

None

Un- changed

High

None

None

2.0.0, 2.0.1, 2.2.0, 12.0.1

CVE-2017-10084

Oracle FLEXCUBE Universal Banking

Report Generator

HTTP

No

6.5

Network

Low

Low

None

Un- changed

High

None

None

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0

CVE-2017-10005

Oracle FLEXCUBE Private Banking

Miscellaneous

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

2.0.0, 2.0.1, 2.2.0, 12.0.1

CVE-2017-10083

Oracle FLEXCUBE Universal Banking

Infrastructure

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0

CVE-2017-10011

Oracle FLEXCUBE Private Banking

Miscellaneous

None

No

5.5

Local

Low

Low

None

Un- changed

High

None

None

2.0.0, 2.0.1, 2.2.0, 12.0.1

CVE-2017-10012

Oracle FLEXCUBE Private Banking

Operations

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

2.0.0, 2.0.1, 2.2.0, 12.0.1

CVE-2017-10072

Oracle FLEXCUBE Universal Banking

All Modules

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0

CVE-2017-10073

Oracle FLEXCUBE Universal Banking

Infrastructure

HTTP

No

5.4

Network

Low

Low

Required

Changed

Low

Low

None

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0

CVE-2017-10098

Oracle FLEXCUBE Universal Banking

Infrastructure

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0

CVE-2017-10010

Oracle FLEXCUBE Private Banking

FileUploads

HTTP

No

4.6

Network

Low

Low

Required

Un- changed

Low

Low

None

2.0.0, 2.0.1, 2.2.0, 12.0.1

CVE-2017-10009

Oracle FLEXCUBE Private Banking

Miscellaneous

HTTP

No

4.3

Network

Low

Low

None

Un- changed

None

Low

None

2.0.0, 2.0.1, 2.2.0, 12.0.1

CVE-2017-10007

Oracle FLEXCUBE Private Banking

Miscellaneous

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

2.0.0, 2.0.1, 2.2.0, 12.0.1

CVE-2017-10008

Oracle FLEXCUBE Private Banking

Miscellaneous

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

2.0.0, 2.0.1, 2.2.0, 12.0.1

CVE-2017-10022

Oracle FLEXCUBE Private Banking

Operations

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

2.0.0, 2.0.1, 2.2.0, 12.0.1

CVE-2017-10071

Oracle FLEXCUBE Universal Banking

All Modules

HTTP

Yes

4.3

Network

Low

None

Required

Un- changed

None

Low

None

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0

Appendix - Oracle Hospitality Applications****Oracle Hospitality Applications Executive Summary

This Critical Patch Update contains 48 new security fixes for Oracle Hospitality Applications. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Hospitality Applications Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2017-5689

MICROS PC Workstation 2015

BIOS (Intel AMT)

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

Prior to O1302h

See Note 1

CVE-2017-5689

MICROS Workstation 650

BIOS (Intel AMT)

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

Prior to E1500n

See Note 2

CVE-2017-10000

Oracle Hospitality Reporting and Analytics

Reporting

HTTP

No

7.7

Network

Low

Low

None

Changed

None

None

High

8.5.1, 9.0.0

CVE-2017-10232

Hospitality WebSuite8 Cloud Service

General

HTTP

No

7.6

Network

Low

Low

None

Un- changed

High

Low

Low

8.9.6, 8.10.x

CVE-2017-10001

Oracle Hospitality Simphony First Edition

Core

HTTP

No

7.6

Network

Low

Low

Required

Un- changed

High

Low

High

1.7.1

CVE-2017-10136

Oracle Hospitality Simphony

Import/Export

HTTP

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

2.9

CVE-2017-10206

Oracle Hospitality Simphony

Engagement

HTTP

Yes

7.3

Network

Low

None

None

Un- changed

Low

Low

Low

2.9

CVE-2017-10226

Oracle Hospitality Cruise Fleet Management

Fleet Management System Suite

HTTP

No

7.1

Network

Low

Low

None

Un- changed

High

Low

None

9.0

CVE-2017-10225

Oracle Hospitality RES 3700

OPS Operations

NA

No

7.0

Physical

High

Low

None

Changed

High

High

Low

5.5

CVE-2017-10216

Hospitality Property Interfaces

Parser

HTTP

No

6.5

Network

Low

Low

None

Un- changed

High

None

None

8.10.x

CVE-2017-10212

Hospitality Suite8

WebConnect

HTTP

No

6.5

Network

Low

Low

None

Un- changed

High

None

None

8.10.x

CVE-2017-10047

MICROS BellaVita

Interface

HTTP

Yes

6.5

Network

Low

None

None

Un- changed

Low

Low

None

2.7.x

CVE-2017-10224

Oracle Hospitality Inventory Management

Inventory and Count Cycle

HTTP

No

6.4

Network

Low

Low

None

Changed

Low

Low

None

8.5.1, 9.0.0

CVE-2017-10076

Oracle Hospitality Simphony First Edition Venue Management

Core

HTTP

No

6.4

Network

Low

Low

None

Changed

Low

Low

None

3.9

CVE-2017-10211

Hospitality Suite8

WebConnect

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

8.10.x

CVE-2017-10128

Hospitality WebSuite8 Cloud Service

General

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

8.9.6, 8.10.x

CVE-2017-10064

Hospitality WebSuite8 Cloud Service

General

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

8.9.6, 8.10.x

CVE-2017-10097

Oracle Hospitality Reporting and Analytics

Reporting

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

8.5.1, 9.0.0

CVE-2017-10079

Oracle Hospitality Suites Management

Core

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

3.7

CVE-2017-10188

Hospitality Hotel Mobile

Suite 8/Android

None

No

5.5

Local

Low

Low

None

Un- changed

High

None

None

1.01

CVE-2017-10189

Hospitality Suite8

Leisure

None

No

5.5

Local

Low

Low

None

Un- changed

High

None

None

8.10.x

CVE-2017-10169

Oracle Hospitality 9700

Operation Security

None

No

5.5

Local

Low

Low

None

Un- changed

High

None

None

4.0

CVE-2017-10056

Oracle Hospitality 9700

Property Management Systems

None

No

5.5

Local

Low

Low

None

Un- changed

High

None

None

4.0

CVE-2017-10231

Oracle Hospitality Cruise AffairWhere

AWExport

None

No

5.5

Local

Low

Low

None

Un- changed

High

None

None

2.2.05.062

CVE-2017-10219

Oracle Hospitality Guest Access

Base

None

No

5.5

Local

Low

Low

None

Un- changed

High

None

None

4.2.0.0, 4.2.1.0

CVE-2017-10201

Oracle Hospitality e7

Other

None

No

5.5

Local

Low

Low

None

Un- changed

High

None

None

4.2.1

CVE-2017-10230

Oracle Hospitality Cruise Dining Room Management

SilverWhere

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

8.0.75

CVE-2017-10229

Oracle Hospitality Cruise Materials Management

Event Viewer

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

7.30.562

CVE-2017-10228

Oracle Hospitality Cruise Shipboard Property Management System

Module

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

8.0.0.0

CVE-2017-10002

Oracle Hospitality Inventory Management

Settings and Config

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

8.5.1, 9.0.0

CVE-2017-10222

Oracle Hospitality Materials Control

Production Tool

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

8.31.4, 8.32.0

CVE-2017-10223

Oracle Hospitality Materials Control

Purchasing

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

8.31.4, 8.32.0

CVE-2017-10142

Oracle Hospitality Reporting and Analytics

Mobile Apps

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

8.5.1, 9.0.0

CVE-2017-10044

Oracle Hospitality Reporting and Analytics

Reporting

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

8.5.1, 9.0.0

CVE-2017-10207

Oracle Hospitality Simphony

Utilities

HTTP

Yes

5.3

Network

Low

None

None

Un- changed

None

None

Low

2.9

CVE-2017-10069

Oracle Payment Interface

Core

HTTP

No

5.3

Network

High

Low

None

Un- changed

High

None

None

6.1.1

CVE-2017-10221

Oracle Hospitality RES 3700

OPS Operations

None

No

5.0

Local

High

Low

Required

Changed

Low

Low

Low

5.5

CVE-2017-10168

Hospitality Hotel Mobile

Suite 8/Windows

NA

No

4.6

Physical

High

Low

None

Un- changed

High

None

Low

1.1

CVE-2017-10182

Oracle Hospitality OPERA 5 Property Services

OPERA Export Functionality

HTTP

No

4.4

Network

High

High

None

Un- changed

High

None

None

5.4.0.x, 5.4.1.x, 5.4.3.x

CVE-2017-10200

Oracle Hospitality e7

Other

None

No

4.4

Local

Low

Low

None

Un- changed

Low

Low

None

4.2.1

CVE-2017-10133

Hospitality Hotel Mobile

Suite8/RestAPI

HTTP

No

4.3

Network

Low

Low

None

Un- changed

None

Low

None

1.1

CVE-2017-10132

Hospitality Hotel Mobile

Suite8/iOS

HTTP

No

4.3

Network

Low

Low

None

Un- changed

None

Low

None

1.05

CVE-2017-10217

Oracle Hospitality Guest Access

Base

HTTP

No

4.3

Network

Low

Low

None

Un- changed

None

Low

None

4.2.0.0, 4.2.1.0

CVE-2017-10218

Oracle Hospitality Guest Access

Base

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

4.2.0.0, 4.2.1.0

CVE-2017-10205

Oracle Hospitality Simphony

Enterprise Management Console

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

2.9

CVE-2017-10195

Oracle Hospitality Simphony

Import/Export

HTTP

Yes

4.3

Network

Low

None

Required

Un- changed

None

Low

None

2.8

CVE-2017-10208

Oracle Hospitality e7

Other

SMTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

4.2.1

CVE-2017-10220

Hospitality Property Interfaces

Parser

None

No

4.0

Local

Low

None

None

Un- changed

Low

None

None

8.10.x

CVE-2017-10213

Hospitality Suite8

WebConnect

None

No

4.0

Local

Low

None

None

Un- changed

Low

None

None

8.10.x

Notes:

  1. MICROS PC Workstation 2015 systems with Intel ME firmware 6.2.61.3535 or later are not affected by this issue. See Patch Availability document for MICROS PC Workstation 2015 for identifying the Intel ME firmware version on this device.
  2. MICROS Workstation 650 systems running Intel ME firmware 10.0.55.3000 or later are not affected by this issue. See Patch Availability document for MICROS Workstation 650 for identifying the Intel ME firmware version on this device.

Appendix - Oracle Retail Applications****Oracle Retail Applications Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle Retail Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Retail Applications Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2017-5689

MICROS PC Workstation 2015

BIOS (Intel AMT)

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

Prior to O1302h

See Note 1

CVE-2017-5689

MICROS Workstation 650

BIOS (Intel AMT)

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

Prior to E1500n

See Note 2

CVE-2016-6814

Oracle Retail Allocation

Manage Allocation

HTTP

Yes

9.6

Network

Low

None

Required

Changed

High

High

High

13.3.1, 14.0.4, 14.1.3, 15.0.1, 16.0.1

CVE-2016-6814

Oracle Retail Customer Insights

ODI Configuration

HTTP

Yes

9.6

Network

Low

None

Required

Changed

High

High

High

15.0, 16.0

CVE-2017-10214

Oracle Retail Xstore Point of Service

Xstore Office

HTTP

Yes

8.2

Network

Low

None

None

Un- changed

High

Low

None

6.0.x, 6.5.x, 7.0.x, 7.1.x, 15.0.x, 16.0.0

CVE-2016-3506

Oracle Retail Warehouse Management System

Installers

Oracle Net

Yes

8.1

Network

High

None

None

Un- changed

High

High

High

14.0.4, 14.1.3, 15.0.1

CVE-2016-3506

Oracle Retail Workforce Management

Installation

Oracle Net

Yes

8.1

Network

High

None

None

Un- changed

High

High

High

1.60.7, 1.64.0

CVE-2017-10183

Oracle Retail Xstore Point of Service

Point of Sale

HTTP

Yes

6.5

Network

High

None

None

Changed

Low

Low

Low

6.0.x, 6.5.x, 7.0.x, 7.1.x, 15.0.x, 16.0.0

CVE-2017-10172

Oracle Retail Open Commerce Platform

Framework

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 15.0, 15.1

CVE-2017-10173

Oracle Retail Open Commerce Platform

Website

HTTP

Yes

5.8

Network

Low

None

None

Changed

None

Low

None

5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 15.0, 15.1

Notes:

  1. MICROS PC Workstation 2015 systems with Intel ME firmware 6.2.61.3535 or later are not affected by this issue. See Patch Availability document for MICROS PC Workstation 2015 for identifying the Intel ME firmware version on this device.
  2. MICROS Workstation 650 systems running Intel ME firmware 10.0.55.3000 or later are not affected by this issue. See Patch Availability document for MICROS Workstation 650 for identifying the Intel ME firmware version on this device.

Appendix - Oracle Policy Automation****Oracle Policy Automation Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Policy Automation. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Policy Automation Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-3092

Oracle Policy Automation

Determinations Engine (Apache Commons FileUplaod)

HTTP

Yes

7.5

Network

Low

None

None

Un- changed

None

None

High

12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3

Appendix - Oracle Primavera Products Suite****Oracle Primavera Products Suite Executive Summary

This Critical Patch Update contains 9 new security fixes for the Oracle Primavera Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Primavera Products Suite Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-6814

Primavera Gateway

Primavera Integration (Groovy)

HTTP

Yes

9.6

Network

Low

None

Required

Changed

High

High

High

1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2

CVE-2016-5019

Primavera P6 Enterprise Project Portfolio Management

Web Access (Apache Trinidad)

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

8.3, 8.4, 15.1, 15.2

CVE-2015-0254

Primavera Gateway

Primavera Integration (Standard)

HTTP

No

6.5

Network

Low

Low

Required

Changed

Low

Low

Low

1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2

CVE-2017-10038

Primavera P6 Enterprise Project Portfolio Management

Web Access

HTTP

No

6.5

Network

Low

Low

None

Un- changed

High

None

None

15.1, 15.2, 16.1, 16.2

CVE-2017-10131

Primavera P6 Enterprise Project Portfolio Management

Web Access

HTTP

No

6.5

Network

Low

Low

Required

Changed

Low

Low

Low

8.3, 8.4, 15.1, 15.2, 16.1, 16.2

CVE-2017-10046

Primavera P6 Enterprise Project Portfolio Management

Web Access

HTTP

No

5.4

Network

Low

Low

Required

Changed

Low

Low

None

8.3, 8.4, 15.1, 15.2, 16.1

CVE-2017-10149

Primavera Unifier

Platform

HTTP

No

4.8

Network

Low

High

Required

Changed

Low

Low

None

9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1, 16.2

CVE-2017-10160

Primavera P6 Enterprise Project Portfolio Management

Web Access

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

8.3, 8.4, 15.1, 15.2, 16.1, 16.2

CVE-2017-10150

Primavera Unifier

Platform

HTTP

No

4.3

Network

Low

Low

None

Un- changed

None

Low

None

9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1, 16.2

Appendix - Oracle Java SE****Oracle Java SE Executive Summary

This Critical Patch Update contains 32 new security fixes for Oracle Java SE. 28 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases.

Oracle Java SE Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2017-10110

Java SE

AWT

Multiple

Yes

9.6

Network

Low

None

Required

Changed

High

High

High

Java SE: 6u151, 7u141, 8u131

See Note 1

CVE-2017-10089

Java SE

ImageIO

Multiple

Yes

9.6

Network

Low

None

Required

Changed

High

High

High

Java SE: 6u151, 7u141, 8u131

See Note 1

CVE-2017-10086

Java SE

JavaFX

Multiple

Yes

9.6

Network

Low

None

Required

Changed

High

High

High

Java SE: 7u141, 8u131

See Note 1

CVE-2017-10096

Java SE, Java SE Embedded

JAXP

Multiple

Yes

9.6

Network

Low

None

Required

Changed

High

High

High

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131

See Note 1

CVE-2017-10101

Java SE, Java SE Embedded

JAXP

Multiple

Yes

9.6

Network

Low

None

Required

Changed

High

High

High

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131

See Note 1

CVE-2017-10087

Java SE, Java SE Embedded

Libraries

Multiple

Yes

9.6

Network

Low

None

Required

Changed

High

High

High

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131

See Note 1

CVE-2017-10090

Java SE, Java SE Embedded

Libraries

Multiple

Yes

9.6

Network

Low

None

Required

Changed

High

High

High

Java SE: 7u141, 8u131; Java SE Embedded: 8u131

See Note 1

CVE-2017-10111

Java SE, Java SE Embedded

Libraries

Multiple

Yes

9.6

Network

Low

None

Required

Changed

High

High

High

Java SE: 8u131; Java SE Embedded: 8u131

See Note 1

CVE-2017-10107

Java SE, Java SE Embedded

RMI

Multiple

Yes

9.6

Network

Low

None

Required

Changed

High

High

High

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131

See Note 1

CVE-2017-10102

Java SE, Java SE Embedded

RMI

Multiple

Yes

9.0

Network

High

None

None

Changed

High

High

High

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131

See Note 2

CVE-2017-10114

Java SE

JavaFX

Multiple

Yes

8.3

Network

High

None

Required

Changed

High

High

High

Java SE: 7u141, 8u131

See Note 1

CVE-2017-10074

Java SE, Java SE Embedded

Hotspot

Multiple

Yes

8.3

Network

High

None

Required

Changed

High

High

High

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131

See Note 1

CVE-2017-10116

Java SE, Java SE Embedded, JRockit

Security

Multiple

Yes

8.3

Network

High

None

Required

Changed

High

High

High

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14

See Note 3

CVE-2017-10078

Java SE

Scripting

Multiple

No

8.1

Network

Low

Low

None

Un- changed

High

High

None

Java SE: 8u131

See Note 3

CVE-2017-10067

Java SE

Security

Multiple

Yes

7.5

Network

High

None

Required

Un- changed

High

High

High

Java SE: 6u151, 7u141, 8u131

See Note 1

CVE-2017-10115

Java SE, Java SE Embedded, JRockit

JCE

Multiple

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14

See Note 3

CVE-2017-10118

Java SE, Java SE Embedded, JRockit

JCE

Multiple

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

Java SE: 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14

See Note 3

CVE-2017-10176

Java SE, Java SE Embedded, JRockit

Security

Multiple

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

Java SE: 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14

See Note 3

CVE-2017-10104

Java Advanced Management Console

Server

HTTP

No

7.4

Network

Low

Low

None

Changed

Low

Low

Low

Java Advanced Management Console: 2.6

CVE-2017-10145

Java Advanced Management Console

Server

Multiple

No

7.4

Network

Low

Low

None

Changed

Low

Low

Low

Java Advanced Management Console: 2.6

CVE-2017-10125

Java SE

Deployment

None

No

7.1

Physical

High

None

None

Changed

High

High

High

Java SE: 7u141, 8u131

See Note 4

CVE-2017-10198

Java SE, Java SE Embedded, JRockit

Security

Multiple

Yes

6.8

Network

High

None

None

Changed

High

None

None

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14

See Note 3

CVE-2017-10243

Java SE, Java SE Embedded, JRockit

JAX-WS

Multiple

Yes

6.5

Network

Low

None

None

Un- changed

Low

None

Low

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14

See Note 3

CVE-2017-10121

Java Advanced Management Console

Server

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

Java Advanced Management Console: 2.6

CVE-2017-10135

Java SE, Java SE Embedded, JRockit

JCE

Multiple

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14

See Note 3

CVE-2017-10117

Java Advanced Management Console

Server

HTTP

Yes

5.3

Network

Low

None

None

Un- changed

Low

None

None

Java Advanced Management Console: 2.6

CVE-2017-10053

Java SE, Java SE Embedded, JRockit

2D

Multiple

Yes

5.3

Network

Low

None

None

Un- changed

None

None

Low

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14

See Note 3

CVE-2017-10108

Java SE, Java SE Embedded, JRockit

Serialization

Multiple

Yes

5.3

Network

Low

None

None

Un- changed

None

None

Low

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14

See Note 3

CVE-2017-10109

Java SE, Java SE Embedded, JRockit

Serialization

Multiple

Yes

5.3

Network

Low

None

None

Un- changed

None

None

Low

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14

See Note 1

CVE-2017-10105

Java SE

Deployment

Multiple

Yes

4.3

Network

Low

None

Required

Un- changed

None

Low

None

Java SE: 6u151, 7u141, 8u131

See Note 1

CVE-2017-10081

Java SE, Java SE Embedded

Hotspot

Multiple

Yes

4.3

Network

Low

None

Required

Un- changed

None

Low

None

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131

See Note 1

CVE-2017-10193

Java SE, Java SE Embedded

Security

Multiple

Yes

3.1

Network

High

None

Required

Un- changed

Low

None

None

Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131

See Note 1

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
  3. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
  4. Applies to deployment of Java where the Java Auto Update is enabled.

Appendix - Oracle Sun Systems Products Suite****Oracle Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 11 new security fixes for the Oracle Sun Systems Products Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Sun Systems Products Suite Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2017-3632

Solaris

CDE Calendar

TCP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

10, 11

See Note 1

CVE-2017-10013

Sun ZFS Storage Appliance Kit (AK)

User Interface

HTTP

Yes

8.3

Network

High

None

Required

Changed

High

High

High

AK 2013

CVE-2017-10042

Solaris

IKE

IKE

Yes

7.5

Network

Low

None

None

Un- changed

None

None

High

10, 11

CVE-2017-10036

Solaris

NFSv4

NFSv4

Yes

7.5

Network

Low

None

None

Un- changed

None

None

High

10, 11

CVE-2017-10016

Sun ZFS Storage Appliance Kit (AK)

User Interface

HTTP

Yes

7.5

Network

High

None

Required

Un- changed

High

High

High

AK 2013

CVE-2017-10234

Solaris Cluster

NAS device addition

None

No

7.3

Local

Low

Low

Required

Un- changed

High

High

High

4

CVE-2017-10004

Solaris

Kernel

None

No

6.7

Local

Low

High

None

Un- changed

High

High

High

10, 11

CVE-2017-10062

Solaris

Oracle Java Web Console

None

No

5.3

Local

Low

Low

None

Un- changed

Low

Low

Low

10

CVE-2017-10003

Solaris

Network Services Library

None

No

4.5

Local

High

Low

None

Un- changed

Low

Low

Low

10

CVE-2017-10095

Solaris

Kernel

None

No

3.3

Local

Low

None

Required

Un- changed

None

Low

None

11

CVE-2017-10122

Solaris

Kernel

None

No

1.8

Local

High

High

Required

Un- changed

None

Low

None

10, 11

Notes:

  1. CVE-2017-3632 is assigned to the “EASYSTREET” vulnerability.

Appendix - Oracle Linux and Virtualization****Oracle Virtualization Executive Summary

This Critical Patch Update contains 14 new security fixes for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2017-10204

Oracle VM VirtualBox

Core

None

No

8.8

Local

Low

Low

None

Changed

High

High

High

Prior to 5.1.24

CVE-2017-10129

Oracle VM VirtualBox

Core

None

No

8.8

Local

Low

Low

None

Changed

High

High

High

Prior to 5.1.24

CVE-2017-10210

Oracle VM VirtualBox

Core

None

No

7.3

Local

Low

High

None

Changed

Low

Low

High

Prior to 5.1.24

CVE-2017-10233

Oracle VM VirtualBox

Core

None

No

7.3

Local

Low

Low

None

Changed

None

Low

High

Prior to 5.1.24

CVE-2017-10236

Oracle VM VirtualBox

Core

None

No

7.3

Local

Low

High

None

Changed

Low

Low

High

Prior to 5.1.24

CVE-2017-10237

Oracle VM VirtualBox

Core

None

No

7.3

Local

Low

High

None

Changed

Low

Low

High

Prior to 5.1.24

CVE-2017-10238

Oracle VM VirtualBox

Core

None

No

7.3

Local

Low

High

None

Changed

Low

Low

High

Prior to 5.1.24

CVE-2017-10239

Oracle VM VirtualBox

Core

None

No

7.3

Local

Low

High

None

Changed

Low

Low

High

Prior to 5.1.24

CVE-2017-10240

Oracle VM VirtualBox

Core

None

No

7.3

Local

Low

High

None

Changed

Low

Low

High

Prior to 5.1.24

CVE-2017-10241

Oracle VM VirtualBox

Core

None

No

7.3

Local

Low

High

None

Changed

Low

Low

High

Prior to 5.1.24

CVE-2017-10242

Oracle VM VirtualBox

Core

None

No

7.3

Local

Low

High

None

Changed

Low

Low

High

Prior to 5.1.24

CVE-2017-10235

Oracle VM VirtualBox

Core

None

No

6.7

Local

Low

High

None

Changed

None

Low

High

Prior to 5.1.24

CVE-2017-10209

Oracle VM VirtualBox

Core

None

No

5.2

Local

Low

Low

None

Changed

Low

None

Low

Prior to 5.1.24

CVE-2017-10187

Oracle VM VirtualBox

Core

None

No

4.6

Local

Low

High

None

Changed

None

Low

Low

Prior to 5.1.24

Appendix - Oracle MySQL****Oracle MySQL Executive Summary

This Critical Patch Update contains 30 new security fixes for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-4436

MySQL Enterprise Monitor

Monitor: General (Apache Struts 2)

HTTP over TLS

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

3.1.5.7958 and earlier, 3.2.5.1141 and earlier, 3.3.2.1162 and earlier,

CVE-2017-5651

MySQL Enterprise Monitor

Monitoring: Server (Apache Tomcat)

HTTP over TLS

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

3.2.7.1204 and earlier, 3.3.3.1199 and earlier

CVE-2017-5647

MySQL Enterprise Monitor

Monitoring: Server (Apache Tomcat)

HTTP over TLS

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

3.3.3.1199 and earlier

CVE-2017-3633

MySQL Server

Server: Memcached

Memcached

Yes

6.5

Network

High

None

None

Un- changed

None

Low

High

5.6.36 and earlier, 5.7.18 and earlier

CVE-2017-3634

MySQL Server

Server: DML

MySQL Protocol

No

6.5

Network

Low

Low

None

Un- changed

None

None

High

5.6.36 and earlier, 5.7.18 and earlier

CVE-2017-3732

MySQL Connectors

Connector/C (OpenSSL)

MySQL Protocol

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

6.1.9 and earlier

CVE-2017-3732

MySQL Connectors

Connector/ODBC (OpenSSL)

MySQL Protocol

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

5.3.7 and earlier

CVE-2017-3732

MySQL Server

Server: Security: Encryption (OpenSSL)

MySQL Protocol

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

5.6.35 and earlier, 5.7.17 and earlier

CVE-2017-3635

MySQL Connectors

Connector/C

MySQL Protocol

No

5.3

Network

High

Low

None

Un- changed

None

None

High

6.1.10 and earlier

See Note 1

CVE-2017-3635

MySQL Server

C API

MySQL Protocol

No

5.3

Network

High

Low

None

Un- changed

None

None

High

5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier

See Note 1

CVE-2017-3636

MySQL Server

Client programs

MySQL Protocol

No

5.3

Local

Low

Low

None

Un- changed

Low

Low

Low

5.5.56 and earlier, 5.6.36 and earlier

CVE-2017-3529

MySQL Server

Server: UDF

MySQL Protocol

No

5.3

Network

High

Low

None

Un- changed

None

None

High

5.7.18 and earlier

CVE-2017-3637

MySQL Server

X Plugin

X Protocol

No

5.3

Network

High

Low

None

Un- changed

None

None

High

5.7.18 and earlier

CVE-2017-3639

MySQL Server

Server: DML

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.7.18 and earlier

CVE-2017-3640

MySQL Server

Server: DML

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.7.18 and earlier

CVE-2017-3641

MySQL Server

Server: DML

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier

CVE-2017-3643

MySQL Server

Server: DML

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.7.18 and earlier

CVE-2017-3644

MySQL Server

Server: DML

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.7.18 and earlier

CVE-2017-3638

MySQL Server

Server: Optimizer

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.7.18 and earlier

CVE-2017-3642

MySQL Server

Server: Optimizer

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.7.18 and earlier

CVE-2017-3645

MySQL Server

Server: Optimizer

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.7.18 and earlier

CVE-2017-3646

MySQL Server

X Plugin

X Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.7.16 and earlier

CVE-2014-1912

MySQL Cluster

CLSTCONF (Python)

MySQL Protocol

Yes

4.8

Network

High

None

None

Un- changed

None

Low

Low

7.3.5 and earlier

CVE-2017-3648

MySQL Server

Server: Charsets

MySQL Protocol

No

4.4

Network

High

High

None

Un- changed

None

None

High

5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier

CVE-2017-3647

MySQL Server

Server: Replication

MySQL Protocol

No

4.4

Network

High

High

None

Un- changed

None

None

High

5.6.36 and earlier, 5.7.18 and earlier

CVE-2017-3649

MySQL Server

Server: Replication

MySQL Protocol

No

4.4

Network

High

High

None

Un- changed

None

None

High

5.6.36 and earlier, 5.7.18 and earlier

CVE-2017-3651

MySQL Server

Client mysqldump

MySQL Protocol

No

4.3

Network

Low

Low

None

Un- changed

None

Low

None

5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier

CVE-2017-3652

MySQL Server

Server: DDL

MySQL Protocol

No

4.2

Network

High

Low

None

Un- changed

Low

Low

None

5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier

CVE-2017-3650

MySQL Server

C API

MySQL Protocol

Yes

3.7

Network

High

None

None

Un- changed

Low

None

None

5.7.18 and earlier

CVE-2017-3653

MySQL Server

Server: DDL

MySQL Protocol

No

3.1

Network

High

Low

None

Un- changed

None

Low

None

5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier

Notes:

  1. The documentation has also been updated for the correct way to use mysql_stmt_close(). Please see:

  2. https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-execute.html,

  3. https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-fetch.html,

  4. https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html,

  5. https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-error.html,

  6. https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-errno.html, and

  7. https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-sqlstate.html

Additional CVEs addressed are below:

  • The fix for CVE-2016-4436 also addresses CVE-2016-4430, CVE-2016-4431, CVE-2016-4433, CVE-2016-4438, and CVE-2016-4465.
  • The fix for CVE-2017-3732 also addresses CVE-2016-7055, and CVE-2017-3731.
  • The fix for CVE-2017-5651 also addresses CVE-2017-5650.

Appendix - Oracle Support Tools****Oracle Support Tools Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Support Tools. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here .

Oracle Support Tools Risk Matrix

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2017-3732

Oracle Explorer

Tools (OpenSSL)

HTTP

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

Prior to 8.16

Why Oracle

  • Analyst Reports
  • Gartner MQ for Cloud ERP
  • Cloud Economics
  • Corporate Responsibility
  • Diversity and Inclusion
  • Security Practices

Learn

  • What is cloud computing?
  • What is CRM?
  • What is Docker?
  • What is Kubernetes?
  • What is Python?
  • What is SaaS?

What’s New

  • News

  • Oracle CloudWorld

  • Oracle Supports Ukraine

  • Oracle Red Bull Racing

  • Oracle Sustainability

  • Employee Experience Platform

  • © 2022 Oracle

  • Site Map

  • Privacy/Do Not Sell My Info

  • Ad Choices

  • Careers

  • Facebook

  • Twitter

  • LinkedIn

  • YouTube

Related news

New ‘NKAbuse’ Linux Malware Uses Blockchain Technology to Spread

By Deeba Ahmed The malware, dubbed NKAbuse, uses New Kind of Network (NKN) technology, a blockchain-powered peer-to-peer network protocol to spread its infection. This is a post from HackRead.com Read the original post: New ‘NKAbuse’ Linux Malware Uses Blockchain Technology to Spread

New NKAbuse Malware Exploits NKN Blockchain Tech for DDoS Attacks

A novel multi-platform threat called NKAbuse has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel. "The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities," Russian

New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now

Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file

CVE-2023-49145: Apache NiFi Security Reports

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.

Cyber Group 'Gold Melody' Selling Compromised Access to Ransomware Attackers

A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated

CVE-2023-40037: Apache NiFi Security Reports

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.

CVE-2023-28864: Chef Infra Server Release Notes

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.

CVE-2022-33159: Security Bulletin: IBM Security Directory Suite is vulnerable to multiple issues

IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 228567.

CVE-2023-34468: Apache NiFi Security Reports

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

CVE-2023-28069: DSA-2022-258: Dell Streaming Data Platform Security Update for Multiple Third-Party Component Vulnerabilities

Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.

AppSec Playbook 2023: Study of 829M Attacks on 1,400 Websites

The total number of 61,000 open vulnerabilities, including 1,700 critical ones that have been open for 180+ days, exposes businesses to potential attacks.

OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities

The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service (DoS) and remote code execution. The issues, tracked as CVE-2022-3602 and CVE-2022-3786, have been described as buffer overrun vulnerabilities that can be triggered during X.509 certificate verification by supplying a specially-crafted email

Critical OpenSSL fix due Nov 1—what you need to know

Categories: News Tags: fix Tags: bug Tags: vulnerability Tags: exploit Tags: attack Tags: patch Tags: update Tags: OpenSSL Tags: v3 Tags: v1 Tags: 3.0.5. Version 3.0.7 of OpenSSL will fix the software's first critical issue for six years. (Read more...) The post Critical OpenSSL fix due Nov 1—what you need to know appeared first on Malwarebytes Labs.

CVE-2022-34009: Fossil: Change Log

Fossil 2.18 on Windows allows attackers to cause a denial of service (daemon crash) via an XSS payload in a ticket. This occurs because the ticket data is stored in a temporary file, and the product does not properly handle the absence of this file after Windows Defender has flagged it as malware.

CVE-2022-26482: Security Center

An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin.

CVE-2022-32985: Hardcoded Backdoor User and Outdated Software Components in Nexans FTTO GigaSwitch series

libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

Nexans FTTO GigaSwitch Outdated Components / Hardcoded Backdoor

Nexans FTTO GigaSwitch industrial/office switches HW version 5 suffer from having a hardcoded backdoor user and multiple outdated vulnerable software components.

CVE-2022-21938: Product Security Advisories

Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.

CVE-2022-33140: Apache NiFi Security Reports

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-22721: Apache HTTP Server 2.4 vulnerabilities

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2021-44790: Apache HTTP Server 2.4 vulnerabilities

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

CVE-2021-2369: Oracle Critical Patch Update Advisory - July 2021

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically i...

CVE-2020-17521: The Apache Groovy programming language

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

CVE-2020-14829: Oracle Critical Patch Update Advisory - October 2020

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2020-14829: Oracle Critical Patch Update Advisory - October 2020

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2020-9490: Apache HTTP Server 2.4 vulnerabilities

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2956: Oracle Critical Patch Update Advisory - April 2020

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVE-2020-2956: Oracle Critical Patch Update Advisory - April 2020

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVE-2020-2956: Oracle Critical Patch Update Advisory - April 2020

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVE-2020-2956: Oracle Critical Patch Update Advisory - April 2020

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVE-2020-2956: Oracle Critical Patch Update Advisory - April 2020

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVE-2020-2956: Oracle Critical Patch Update Advisory - April 2020

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVE-2020-2956: Oracle Critical Patch Update Advisory - April 2020

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVE-2020-2548: Oracle Critical Patch Update Advisory - January 2020

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).

CVE-2020-2548: Oracle Critical Patch Update Advisory - January 2020

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).

CVE-2020-2548: Oracle Critical Patch Update Advisory - January 2020

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).

CVE-2020-2548: Oracle Critical Patch Update Advisory - January 2020

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).

CVE-2020-2548: Oracle Critical Patch Update Advisory - January 2020

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).

CVE-2019-2999: Oracle Critical Patch Update Advisory - October 2019

Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Ja...

CVE-2019-2808: Oracle Critical Patch Update Advisory - July 2019

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2019-4136: Security Bulletin: IBM Cognos Controller 2019Q2 Security Updater: Multiple vulnerabilities have been identified in IBM Cognos Controller

IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158332.

CVE-2019-2628: Oracle Critical Patch Update Advisory - April 2019

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2019-2455: Oracle Critical Patch Update Advisory - January 2019

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3133: Oracle Critical Patch Update - October 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3133: Oracle Critical Patch Update - October 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3133: Oracle Critical Patch Update - October 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3133: Oracle Critical Patch Update - October 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3133: Oracle Critical Patch Update - October 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3133: Oracle Critical Patch Update - October 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3133: Oracle Critical Patch Update - October 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2637: Oracle Critical Patch Update - January 2018

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/A...

CVE-2017-3738

There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the l...

CVE-2017-5711: Security Center

Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege.

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2016-7055

There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients ...

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2016-8735: Apache Tomcat® - Apache Tomcat 9 vulnerabilities

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CVE-2016-6816: Apache Tomcat® - Apache Tomcat 9 vulnerabilities

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-7052

crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.

CVE-2016-6308

statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages.

CVE-2016-6304

Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.

CVE-2016-6303: Invalid Bug ID

Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.

CVE-2016-2183: Invalid Bug ID

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

CVE-2016-5771: PHP: PHP 5 ChangeLog

spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-5386: CERT/CC Vulnerability Note VU#797896

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

CVE-2016-3092: Invalid Bug ID

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

CVE-2016-2178

The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.

CVE-2016-4343: PHP: PHP 7 ChangeLog

The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.

CVE-2016-2105

Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.

CVE-2016-0642: Oracle Critical Patch Update Advisory - April 2016

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated.

CVE-2016-0502: Oracle Critical Patch Update - January 2016

Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2015-4879: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-2582: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to GIS.

CVE-2015-2590: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.

CVE-2015-2590: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.

CVE-2015-2590: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0501: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling.

CVE-2015-0501: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling.

CVE-2015-0501: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0235: oss-sec: Qualys Security Advisory CVE-2015-0235

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

CVE-2015-0391: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2014-4288: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.

CVE-2014-6469: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.

CVE-2014-3566

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

CVE-2014-4265: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2014-4260: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR.

CVE-2014-3479: PHP: PHP 5 ChangeLog

The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.

CVE-2014-0224

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

CVE-2012-0053: Apache HTTP Server 2.2 vulnerabilities

protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.

CVE-2011-2729: Apache Tomcat® - Apache Tomcat 7 vulnerabilities

native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907