CVE-2020-14873: Oracle Critical Patch Update Advisory - October 2020

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Logging). Supported versions that are affected are 8.0.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Starting with the October 2020 Critical Patch Update, Oracle lists updates that address vulnerabilities in third-party components which are not exploitable in the context of their inclusion in their respective Oracle product beneath the product’s risk matrix. Oracle has published two versions of the October 2020 Critical Patch Update Advisory: this version of the advisory implemented the change in how non-exploitable vulnerabilities in third-party components are reported, and the “traditional” advisory follows the same format as the previous advisories. The “traditional” advisory is published at https://www.oracle.com/security-alerts/cpuoct2020traditional.html.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 403 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2020 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions | Patch Availability Document
Application Performance Management (APM), versions 13.3.0.0, 13.4.0.0 | Enterprise Manager
Big Data Spatial and Graph, versions prior to 3.0 | Database
Enterprise Manager Base Platform, versions 13.2.1.0, 13.3.0.0, 13.4.0.0 | Enterprise Manager
Enterprise Manager for Peoplesoft, version 13.4.1.1 | Enterprise Manager
Enterprise Manager for Storage Management, versions 13.3.0.0, 13.4.0.0 | Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0 | Enterprise Manager
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2362, prior to XCP3090 | Systems
Fujitsu M12-1, M12-2, M12-2S Servers, versions prior to XCP3090 | Systems
Hyperion Analytic Provider Services, version 11.1.2.4 | Fusion Middleware
Hyperion BI+, version 11.1.2.4 | Fusion Middleware
Hyperion Essbase, version 11.1.2.4 | Fusion Middleware
Hyperion Infrastructure Technology, version 11.1.2.4 | Fusion Middleware
Hyperion Lifecycle Management, version 11.1.2.4 | Fusion Middleware
Hyperion Planning, version 11.1.2.4 | Fusion Middleware
Identity Manager Connector, version 9.0 | Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 | Oracle Construction and Engineering Suite
Management Pack for Oracle GoldenGate, version 12.2.1.2.0 | Fusion Middleware
MySQL Cluster, versions 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior | MySQL
MySQL Enterprise Monitor, versions 8.0.21 and prior | MySQL
MySQL Server, versions 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | MySQL
MySQL Workbench, versions 8.0.21 and prior | MySQL
Oracle Access Manager, version 11.1.2.3.0 | Fusion Middleware
Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6 | Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0 | Oracle Supply Chain Products
Oracle Application Express, versions prior to 20.2 | Database
Oracle Application Testing Suite, version 13.3.0.1 | Enterprise Manager
Oracle Banking Corporate Lending, versions 12.3.0, 14.0.0-14.4.0 | Oracle Financial Services Applications
Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1, 19.2, 20.1 | Oracle Financial Services Applications
Oracle Banking Payments, versions 14.1.0-14.4.0 | Oracle Financial Services Applications
Oracle Banking Platform, versions 2.4.0-2.10.0 | Oracle Banking Platform
Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Communications Application Session Controller, versions 3.8m0, 3.9m0p1 | Oracle Communications Application Session Controller
Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.2.0, 12.0.0.3.0 | Oracle Communications Billing and Revenue Management
Oracle Communications BRM - Elastic Charging Engine, versions 11.3.0.9.0, 12.0.0.3.0 | Oracle Communications BRM - Elastic Charging Engine
Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0.0-8.4.0.5, [IDIH] 8.0.0-8.2.2 | Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE Software, versions 46.6.0-46.8.2 | Oracle Communications EAGLE
Oracle Communications Element Manager, versions 8.2.0-8.2.2 | Oracle Communications Element Manager
Oracle Communications Evolved Communications Application Server, version 7.1 | Oracle Communications Evolved Communications Application Server
Oracle Communications Messaging Server, version 8.1 | Oracle Communications Messaging Server
Oracle Communications Offline Mediation Controller, version 12.0.0.3.0 | Oracle Communications Offline Mediation Controller
Oracle Communications Services Gatekeeper, version 7 | Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions 8.2-8.4 | Oracle Communications Session Border Controller
Oracle Communications Session Report Manager, versions 8.2.0-8.2.2 | Oracle Communications Session Report Manager
Oracle Communications Session Route Manager, versions 8.2.0-8.2.2 | Oracle Communications Session Route Manager
Oracle Communications Unified Inventory Management, versions 7.3.0, 7.4.0 | Oracle Communications Unified Inventory Management
Oracle Communications WebRTC Session Controller, version 7.2 | Oracle Communications WebRTC Session Controller
Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0 | Fusion Middleware
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10 | E-Business Suite
Oracle Endeca Information Discovery Integrator, version 3.2.0 | Fusion Middleware
Oracle Endeca Information Discovery Studio, version 3.2.0 | Fusion Middleware
Oracle Enterprise Repository, version 11.1.1.7.0 | Fusion Middleware
Oracle Enterprise Session Border Controller, version 8.4 | Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0 | Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.6-8.0.8, 8.1.0 | Oracle Financial Services Analytical Applications Reconciliation Framework
Oracle Financial Services Asset Liability Management, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Asset Liability Management
Oracle Financial Services Balance Sheet Planning, version 8.0.8 | Oracle Financial Services Balance Sheet Planning
Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.6-8.0.8, 8.1.0 | Oracle Financial Services Basel Regulatory Capital Basic
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.6-8.0.8, 8.1.0 | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach
Oracle Financial Services Data Foundation, versions 8.0.6-8.1.0 | Oracle Financial Services Data Foundation
Oracle Financial Services Data Governance for US Regulatory Reporting, versions 8.0.6-8.0.9 | Oracle Financial Services Data Governance for US Regulatory Reporting
Oracle Financial Services Data Integration Hub, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Data Integration Hub
Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.6-8.0.8, 8.1.0 | Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Institutional Performance Analytics, versions 8.0.6, 8.0.7, 8.1.0, 8.7.0 | Oracle Financial Services Institutional Performance Analytics
Oracle Financial Services Liquidity Risk Management, version 8.0.6 | Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7, 8.0.8, 8.1.0 | Oracle Financial Services Liquidity Risk Measurement and Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8, 8.1.0 | Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8, 8.1.0 | Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Price Creation and Discovery, versions 8.0.6, 8.0.7 | Oracle Financial Services Price Creation And Discovery
Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Profitability Management
Oracle Financial Services Regulatory Reporting for European Banking Authority, versions 8.0.6-8.1.0 | Oracle Financial Services Regulatory Reporting for European Banking Authority
Oracle Financial Services Regulatory Reporting for US Federal Reserve, versions 8.0.6-8.0.9 | Oracle Financial Services Regulatory Reporting for US Federal Reserve
Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.0.9.2.0 | Oracle Financial Services Regulatory Reporting with AgileREPORTER
Oracle Financial Services Retail Customer Analytics, version 8.0.6 | Oracle Financial Services Retail Customer Analytics
Oracle FLEXCUBE Core Banking, versions 5.2.0, 11.5.0-11.7.0 | Oracle Financial Services Applications
Oracle FLEXCUBE Direct Banking, versions 12.0.1, 12.0.2, 12.0.3 | Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0 | Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 12.3.0, 14.0.0-14.4.0 | Oracle Financial Services Applications
Oracle GoldenGate Application Adapters, versions 12.3.2.1.0, 19.1.0.0.0 | Fusion Middleware
Oracle GraalVM Enterprise Edition, versions 19.3.3, 20.2.0 | Oracle GraalVM Enterprise Edition
Oracle Health Sciences Empirica Signal, version 9.0 | Health Sciences
Oracle Healthcare Data Repository, version 7.0.1 | Health Sciences
Oracle Healthcare Foundation, versions 7.1.1, 7.2.0, 7.2.1, 7.3.0 | Health Sciences
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 | Oracle Hospitality Guest Access
Oracle Hospitality Materials Control, version 18.1 | Oracle Hospitality Materials Control
Oracle Hospitality OPERA 5 Property Services, versions 5.5, 5.6 | Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Reporting and Analytics, version 9.1.0 | Oracle Hospitality Reporting and Analytics
Oracle Hospitality RES 3700, version 5.7 | Oracle Hospitality RES
Oracle Hospitality Simphony, versions 18.1, 18.2, 19.1.0-19.1.2 | Oracle Hospitality Simphony
Oracle Hospitality Suite8, versions 8.10.2, 8.11-8.14 | Oracle Hospitality Suite8
Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Insurance Accounting Analyzer, version 8.0.9 | Oracle Insurance Accounting Analyzer
Oracle Insurance Allocation Manager for Enterprise Profitability, versions 8.0.8, 8.1.0 | Oracle Insurance Allocation Manager for Enterprise Profitability
Oracle Insurance Data Foundation, versions 8.0.6-8.1.0 | Oracle Insurance Data Foundation
Oracle Insurance Insbridge Rating and Underwriting, versions 5.0.0.0-5.6.0.0, 5.6.1.0 | Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26, 11.2.2.0 | Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26 | Oracle Insurance Applications
Oracle Java SE, versions 7u271, 8u261, 11.0.8, 15 | Java SE
Oracle Java SE Embedded, version 8u261 | Java SE
Oracle JDeveloper, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Outside In Technology, versions 8.5.4, 8.5.5 | Fusion Middleware
Oracle Policy Automation, versions 12.2.0-12.2.20 | Oracle Policy Automation
Oracle Policy Automation Connector for Siebel, version 10.4.6 | Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.20 | Oracle Policy Automation
Oracle REST Data Services, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Standalone ORDS] prior to 20.2.1 | Database
Oracle Retail Advanced Inventory Planning, version 14.1 | Retail Applications
Oracle Retail Assortment Planning, versions 15.0.3.0, 16.0.3.0 | Retail Applications
Oracle Retail Back Office, versions 14.0, 14.1 | Retail Applications
Oracle Retail Bulk Data Integration, versions 15.0.3.0, 16.0.3.0 | Retail Applications
Oracle Retail Central Office, versions 14.0, 14.1 | Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 18.0, 19.0 | Retail Applications
Oracle Retail Integration Bus, versions 14.1, 15.0, 16.0 | Retail Applications
Oracle Retail Order Broker, versions 15.0, 16.0, 18.0, 19.0, 19.1, 19.2, 19.3 | Retail Applications
Oracle Retail Point-of-Service, versions 14.0, 14.1 | Retail Applications
Oracle Retail Predictive Application Server, versions 14.1.3.0, 15.0.3.0, 16.0.3.0 | Retail Applications
Oracle Retail Price Management, versions 14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0 | Retail Applications
Oracle Retail Returns Management, versions 14.0, 14.1 | Retail Applications
Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0 | Retail Applications
Oracle Retail Xstore Point of Service, versions 15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1 | Retail Applications
Oracle Solaris, versions 10, 11 | Systems
Oracle TimesTen In-Memory Database, versions prior to 11.2.2.8.49, prior to 18.1.3.1.0, prior to 18.1.4.1.0 | Database
Oracle Transportation Management, version 6.3.7 | Oracle Supply Chain Products
Oracle Utilities Framework, versions 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 6.1.16 | Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8 | Systems
PeopleSoft Enterprise HCM Global Payroll Core, version 9.2 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58 | PeopleSoft
PeopleSoft Enterprise SCM eSupplier Connection, version 9.2 | PeopleSoft
Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.8 | Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12 | Oracle Construction and Engineering Suite
Siebel Applications, versions 20.7, 20.8 | Siebel

Note:

  • Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
  • Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets, which contain critical security fixes and are detailed in the Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
  • Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • 0rich1 Ant Security FG Lab: CVE-2020-14841
  • Aaron Carreras of FireEye: CVE-2020-14871
  • Abdulrahman Nour of Redforce: CVE-2020-14823
  • Ahmed Elhady Mohamed of Ahmed Mohamed: CVE-2020-14768
  • Akshay Gaikwad: CVE-2020-14762
  • Alessandro Bosco of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
  • Alexander Kornbrust of Red Database Security: CVE-2020-14742, CVE-2020-14901
  • Alves Christopher of Telecom Nancy: CVE-2020-14867
  • Ammarit Thongthua of Secure D Center Cybersecurity Team: CVE-2020-14778
  • Amy Tran: CVE-2020-14822, CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857
  • Andrej Simko of Accenture: CVE-2020-14774, CVE-2020-14808
  • Anonymous researcher working with Trend Micro’s Zero Day Initiative: CVE-2020-14841, CVE-2020-14881, CVE-2020-14884, CVE-2020-14885, CVE-2020-14886
  • Bui Duong from Viettel Cyber Security: CVE-2020-14879, CVE-2020-14880
  • Chi Tran: CVE-2020-14822, CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857
  • codeplutos of AntGroup FG Security Lab: CVE-2020-14825
  • Damian Bury: CVE-2020-14767, CVE-2020-14770
  • Darragh Duffy: CVE-2020-14744
  • Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2020-14741
  • Edoardo Predieri of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
  • Fabio Minarelli of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
  • Filip Ceglik: CVE-2020-14772
  • Francesco Russo of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
  • François Goichon of Google: CVE-2020-14735
  • Gaoning Pan of Zhejiang University & Ant Security Light-Year Lab: CVE-2020-14872, CVE-2020-14892
  • Graham Rymer of University Information Services, University of Cambridge: CVE-2020-14840
  • Hangfan Zhang: CVE-2020-14828
  • Ioannis Charalambous of NCC Group: CVE-2020-14787, CVE-2020-14788
  • Ivo Palazzolo of Daimler TSS: CVE-2020-14864
  • Jacob Thompson of FireEye: CVE-2020-14871
  • Jakub Palaczynski: CVE-2020-14740, CVE-2020-14752
  • Jakub Plusczok: CVE-2020-14854
  • Jeffrey Martin of Rapid7: CVE-2020-14871
  • Joe Almeida of Globlue Technologies: CVE-2020-14815
  • Julien Zhan of Telecom Nancy: CVE-2020-14867
  • Khuyen Nguyen of secgit.com: CVE-2020-14816, CVE-2020-14817, CVE-2020-14819, CVE-2020-14835
  • Kritsada Sunthornwutthikrai of Secure D Center Cybersecurity Team: CVE-2020-14778
  • Kylinking of NSFocus Security Team: CVE-2020-14841
  • Larry W. Cashdollar: CVE-2020-14758, CVE-2020-14759
  • Le Xuan Tuyen - VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-14841, CVE-2020-14859
  • Long Nguyễn Hữu Vũ: CVE-2020-14863
  • Longofo of Knownsec 404 Team: CVE-2020-14841
  • Luca Di Giuseppe of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
  • Markus Loewe: CVE-2020-14796, CVE-2020-14797, CVE-2020-14798
  • Massimiliano Brolli of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
  • Mateusz Dabrowski: CVE-2020-14784
  • Philippe Antoine of Telecom Nancy: CVE-2020-14867
  • Piotr Madej of ING Tech Poland: CVE-2020-14740
  • Preeyakorn Keadsai of Secure D Center Cybersecurity Team: CVE-2020-14778
  • Quynh Le of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-14825
  • r0 from A-TEAM of Legendsec at Qi’anxin Group: CVE-2020-14841
  • Roger Meyer: CVE-2020-14745
  • Rui Zhong: CVE-2020-14828
  • Sergey Ostanin: CVE-2020-14781
  • Shiva Gupta of Shiva Hacker One: CVE-2020-14890, CVE-2020-14897
  • Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2020-14764
  • Thai Nguyen of ECQ: CVE-2020-14826
  • thiscodecc: CVE-2020-14825
  • Tomasz Stachowicz: CVE-2020-14780
  • Trung Le: CVE-2020-14822, CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857
  • Tuan Anh Nguyen of Viettel Cyber Security: CVE-2020-14855, CVE-2020-14862, CVE-2020-14875
  • Tuan Anh Nguyen of Viettel Cyber Security working with Trend Micro Zero Day Initiative: CVE-2020-14876
  • Ved Prabhu: CVE-2020-14762, CVE-2020-14763, CVE-2020-14898, CVE-2020-14899, CVE-2020-14900
  • Venustech ADLab: CVE-2020-14820
  • Viktor Gazdag of NCC Group: CVE-2020-14787, CVE-2020-14788
  • voidfyoo of Chaitin Security Research Lab: CVE-2020-14882, CVE-2020-14883
  • Walid Faour: CVE-2020-14783
  • Xingwei Lin of Ant Security Light-Year Lab: CVE-2020-14872, CVE-2020-14889, CVE-2020-14892
  • Xinlei Ying of Ant Security Light-Year Lab: CVE-2020-14892
  • Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2020-14841
  • Yaoguang Chen of Ant Security Light-Year Lab: CVE-2020-14828, CVE-2020-14861, CVE-2020-14893
  • Yi Ren of Alibaba: CVE-2020-14790, CVE-2020-14828
  • Yongheng Chen: CVE-2020-14828
  • Yu Wang of BMH Security Team: CVE-2020-14841
  • Yuyue Wang of Alibaba: CVE-2020-14828
  • Zhiqiang Zang of University of Texas at Austin: CVE-2020-14792
  • Zouhair Janatil-Idrissi of Telecom Nancy: CVE-2020-14867

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program:

  • Amy Tran [35 reports]
  • Chi Tran [35 reports]
  • David Wilkins
  • Markus Loewe [2 reports]
  • Mateusz Dabrowski
  • Trung Le [35 reports]

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:

  • Abdulrahman Ahmed [3 reports]
  • Abhishek Morla
  • Adam Willard [2 reports]
  • Adam Willard of Raytheon Foreground Security
  • Adarsh VS Mannarakkal
  • Ahmed Elmalky
  • Ahmed Omer Morve
  • Ai Ho (j3ssiejjj)
  • Alex Munene
  • Alisha Sheikh
  • Anil Bhatt
  • Anurag Kumar Rawat (A1C3VENOM)
  • Ayan Saha
  • Badal Sardhara
  • Bindiya Sardhara
  • Bui Dinh Bao aka 0xd0ff9 of Zalo Security Team (VNG Corp).
  • Danny
  • Dhiraj Mishra
  • Funny Tech
  • Gaurav Kumar
  • Gourab Sadhukhan
  • Harsh Mukeshbhai Joshi [2 reports]
  • Himanshu Phulwariya
  • Karthick Selvaraj
  • Kartik Sharma
  • Kaustubh Kale
  • Kirtan Patel
  • Kryptos Logic - Threat Intelligence Platform
  • Kunal Gambhir
  • Magrabur Alam Sofily
  • Mansouri Badis
  • Marwan Ali Albahar [2 reports]
  • Matthew Harlow of EthicalHacker 20
  • Mayank Kumar
  • Mayank Malik, Kartik Sharma
  • Micah Van Deusen
  • Omkar Ghaisas
  • Osman Ahmed Hassan
  • Pankaj Kumar Thakur from Nepal [3 reports]
  • Pratish Bhansali
  • Ria from iZOOlogic
  • Riccardo Donini
  • Rick Verdoes & Danny de Weille of HackDefense
  • Robert Lee Dick [2 reports]
  • Roger Meyer
  • Ronak Nahar
  • Rudi Andriano
  • Ryan awsmhacks Preston
  • Sai Prashanth Pulisetti
  • Sameer Goyal
  • Shahid Ahmed [2 reports]
  • Shivang Trivedi [2 reports]
  • Shubham Kalaria
  • Shubham Maheshwari
  • Sidney Omondi of Salaam Technology
  • Siva Pathela
  • Soumajit Mukherjee
  • Sparsh Gupta
  • Srikar V - exp1o1t9r
  • Sumit Sah
  • Supun Madubashana Halangoda
  • Suresh Nadar
  • Swapnil Maurya - “swapmaurya20”
  • Syed Muhammad Asim [2 reports]
  • Vaibhav Gaikwad of Knock Security Solutions
  • Venkata Sateesh Netti (str4n63r)
  • Walid Hossain
  • Yassine Triki
  • Yatin Sharma

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 19 January 2021
  • 20 April 2021
  • 20 July 2021
  • 19 October 2021

References

  • Oracle Critical Patch Updates, Security Alerts and Bulletins
  • Critical Patch Update - October 2020 Documentation Map
  • Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
  • Risk Matrix Definitions
  • Use of Common Vulnerability Scoring System (CVSS) by Oracle
  • English text version of the risk matrices
  • CVRF XML version of the risk matrices
  • Map of CVE to Advisory/Alert
  • Software Error Correction Support Policy
  • Oracle Lifetime support Policy
  • JEP 290 Reference Blocklist Filter

Modification History

Date | Note
2020-December-8 | Rev 6. Added a note for CVE-2020-14871.
2020-November-16 | Rev 5. Updated Oracle ZFS Storage Appliance Kit row to include CVE-2020-14871.
2020-October-29 | Rev 4. Added CVE-2018-2765.
2020-October-27 | Rev 3. Credit statement update.
2020-October-22 | Rev 2. Affected versions change for CVE-2020-14807, CVE-2020-14810 and credit statement update.
2020-October-20 | Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 29 new security patches for Oracle Database Products divided as follows:

  • 19 new security patches for Oracle Database Products
  • 1 new security patch for Oracle Big Data Graph
  • 5 new security patches for Oracle REST Data Services
  • 4 new security patches for Oracle TimesTen In-Memory Database

Oracle Database Server Risk Matrix

This Critical Patch Update contains 19 new security patches plus additional third party patches noted below for Oracle Database Products. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 1 of these patches is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK metrics are given as a vector string: AV = Attack Vector (N network, A adjacent network, L local), AC = Attack Complexity (L low, H high), PR = Privileges Required (N none, L low, H high), UI = User Interaction (N none, R required), S = Scope (U unchanged, C changed), C/I/A = Confidentiality/Integrity/Availability impact (H high, L low, N none); see Risk Matrix Definitions.

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | CVSS 3.1 Vector | Supported Versions Affected | Notes
CVE-2019-12900 | Core RDBMS (bzip2) | DBA Level Account | Oracle Net | No | 8.8 | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2020-14735 | Scheduler | Local Logon | None | No | 8.8 | AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2020-14734 | Oracle Text | None | Oracle Net | Yes | 8.1 | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2018-2765 | Oracle SSL API | None | HTTPS | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 11.2.0.4, 12.1.0.2, 12.2.0.1 |
CVE-2020-13935 | Workload Manager (Apache Tomcat) | None | HTTP | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 12.2.0.1, 18c, 19c |
CVE-2020-11023 | Oracle Application Express (jQuery) | None | HTTP | Yes | 6.1 | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Prior to 20.2 |
CVE-2020-11023 | ORDS (jQuery) | None | HTTP | Yes | 6.1 | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | See Note 1
CVE-2020-14762 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Prior to 20.2 |
CVE-2020-9281 | Oracle Application Express | Valid User Account | HTTP | No | 5.4 | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Prior to 20.2 |
CVE-2020-14899 | Oracle Application Express Data Reporter | Valid User Account | HTTP | No | 5.4 | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Prior to 20.2 |
CVE-2020-14900 | Oracle Application Express Group Calendar | Valid User Account | HTTP | No | 5.4 | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Prior to 20.2 |
CVE-2020-14898 | Oracle Application Express Packaged Apps | Valid User Account | HTTP | No | 5.4 | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Prior to 20.2 |
CVE-2020-14763 | Oracle Application Express Quick Poll | Valid User Account | HTTP | No | 5.4 | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Prior to 20.2 |
CVE-2020-14741 | Database Filesystem | Resource, Create Table, Create View, Create Procedure, Dbfs_role | Oracle Net | No | 4.9 | AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H | 11.2.0.4, 12.1.0.2, 12.2.0.1 |
CVE-2020-14901 | RDBMS Security | Analyze Any | Oracle Net | No | 4.9 | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 19c |
CVE-2020-14736 | Database Vault | Create Public Synonym | Oracle Net | No | 3.8 | AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N | 11.2.0.4, 12.1.0.2, 12.2.0.1 |
CVE-2020-14743 | Java VM | Create Procedure | Multiple | No | 3.1 | AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2020-14740 | SQL Developer Install | Client Computer User Account | Local Logon | No | 2.8 | AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c |
CVE-2020-14742 | Core RDBMS | SYSDBA level account | Oracle Net | No | 2.7 | AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |

Notes:

  1. Additional ORDS bugs are documented in the risk matrix “Oracle REST Data Services Risk Matrix”

Additional CVEs addressed are:

  • The patch for CVE-2019-12900 also addresses CVE-2016-3189
  • The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022
  • The patch for CVE-2020-13935 also addresses CVE-2020-11996, CVE-2020-13934 and CVE-2020-9484
  • The patch for CVE-2020-14734 also addresses CVE-2016-10244, CVE-2016-10328, CVE-2016-5300, CVE-2016-6153, CVE-2017-10989, CVE-2017-13685, CVE-2017-13745, CVE-2017-14232, CVE-2017-15286, CVE-2017-7857, CVE-2017-7858, CVE-2017-7864, CVE-2017-8105, CVE-2017-8287, CVE-2018-18873, CVE-2018-19139, CVE-2018-19539, CVE-2018-19540, CVE-2018-19541, CVE-2018-19542, CVE-2018-19543, CVE-2018-20346, CVE-2018-20505, CVE-2018-20506, CVE-2018-20570, CVE-2018-20584, CVE-2018-20622, CVE-2018-20843, CVE-2018-6942, CVE-2018-8740, CVE-2018-9055, CVE-2018-9154, CVE-2018-9252, CVE-2019-15903, CVE-2019-16168, CVE-2019-5018, CVE-2019-8457, CVE-2019-9936 and CVE-2019-9937

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Core RDBMS (LZ4): CVE-2019-17543
  • Core RDBMS (Zstandard): CVE-2019-11922
  • Oracle Database (Perl Expat): CVE-2018-20843 and CVE-2019-15903
  • Oracle Spatial and Graph (Apache Log4j): CVE-2020-9488
  • Oracle Spatial and Graph (jackson-databind): CVE-2019-16943, CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-5968, CVE-2018-7489, CVE-2019-16942 and CVE-2019-17531
  • Oracle Spatial and Graph MapViewer (jQuery): CVE-2020-11023, CVE-2019-11358 and CVE-2020-11022
  • SQL Developer (Apache Batik): CVE-2018-8013 and CVE-2017-5662
  • SQL Developer (Apache Log4j): CVE-2017-5645
  • SQL Developer (Apache POI): CVE-2017-12626, CVE-2016-5000, CVE-2017-5644 and CVE-2019-12415
  • SQL Developer (jackson-databind): CVE-2018-7489, CVE-2017-15095, CVE-2017-17485, CVE-2018-1000873, CVE-2018-11307, CVE-2018-12022, CVE-2018-5968, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-16335, CVE-2019-20330 and CVE-2020-8840
  • SQL Developer (JCraft JSch): CVE-2016-5725
  • SQL Developer Install (Bouncy Castle): CVE-2019-17359, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000180, CVE-2018-1000613 and CVE-2018-5382

Oracle Database Server Client-Only Installations

  • The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2020-14740.

Oracle Big Data Graph Risk Matrix

This Critical Patch Update contains 1 new security patch plus additional third party patches noted below for Oracle Big Data Graph. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK metrics are given as a vector string: AV = Attack Vector (N network, A adjacent network, L local), AC = Attack Complexity (L low, H high), PR = Privileges Required (N none, L low, H high), UI = User Interaction (N none, R required), S = Scope (U unchanged, C changed), C/I/A = Confidentiality/Integrity/Availability impact (H high, L low, N none); see Risk Matrix Definitions.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | CVSS 3.1 Vector | Supported Versions Affected | Notes
CVE-2019-0192 | Big Data Spatial and Graph | Property Graph Analytics (Apache Solr) | HTTP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Prior to 3.0 |

Additional CVEs addressed are:

  • The patch for CVE-2019-0192 also addresses CVE-2017-3164

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Big Data Spatial and Graph
    • Property Graph Analytics (jQuery): CVE-2015-9251
    • Property Graph Analytics (jackson-databind): CVE-2020-9546, CVE-2015-9251, CVE-2017-5645, CVE-2018-12023, CVE-2018-14718, CVE-2018-7489, CVE-2019-10744, CVE-2019-12086, CVE-2019-14379, CVE-2019-16943, CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-14195, CVE-2020-9547 and CVE-2020-9548
    • Property Graph Analytics (lodash): CVE-2019-10744
    • Property Graph Analytics (Apache Log4j): CVE-2017-5645

Oracle REST Data Services Risk Matrix

This Critical Patch Update contains 5 new security patches plus additional third party patches noted below for Oracle REST Data Services. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK metrics are given as a vector string: AV = Attack Vector (N network, A adjacent network, L local), AC = Attack Complexity (L low, H high), PR = Privileges Required (N none, L low, H high), UI = User Interaction (N none, R required), S = Scope (U unchanged, C changed), C/I/A = Confidentiality/Integrity/Availability impact (H high, L low, N none); see Risk Matrix Definitions.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | CVSS 3.1 Vector | Supported Versions Affected | Notes
CVE-2017-7658 | Oracle REST Data Services | General (Eclipse Jetty) | HTTP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c |
CVE-2016-1000031 | Oracle REST Data Services | General (Apache Commons FileUpload) | HTTP | No | 8.0 | AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c |
CVE-2020-14744 | Oracle REST Data Services | General | HTTP | No | 6.5 | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1 |
CVE-2020-11023 | Oracle REST Data Services | General (jQuery) | HTTP | Yes | 6.1 | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1 |
CVE-2020-14745 | Oracle REST Data Services | General | HTTP | No | 4.3 | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1 |

Additional CVEs addressed are:

  • The patch for CVE-2017-7658 also addresses CVE-2016-4800, CVE-2017-7656, CVE-2017-7657, CVE-2017-9735, CVE-2018-12536, CVE-2018-12538, CVE-2018-12545, CVE-2019-10241, CVE-2019-10246, CVE-2019-10247 and CVE-2019-17632
  • The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle REST Data Services
    • General (Apache Batik): CVE-2018-8013 and CVE-2017-5662
    • General (jackson-databind): CVE-2019-16335, CVE-2019-12814, CVE-2019-14540, CVE-2019-14893, CVE-2019-17531, CVE-2019-20330, CVE-2020-11113, CVE-2020-11620 and CVE-2020-8840

Oracle TimesTen In-Memory Database Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle TimesTen In-Memory Database. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK metrics are given as a vector string: AV = Attack Vector (N network, A adjacent network, L local), AC = Attack Complexity (L low, H high), PR = Privileges Required (N none, L low, H high), UI = User Interaction (N none, R required), S = Scope (U unchanged, C changed), C/I/A = Confidentiality/Integrity/Availability impact (H high, L low, N none); see Risk Matrix Definitions.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | CVSS 3.1 Vector | Supported Versions Affected | Notes
CVE-2018-11058 | Oracle TimesTen In-Memory Database | EM TimesTen plugin (RSA BSAFE Crypto-C) | Multiple | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Prior to 18.1.4.1.0 |
CVE-2017-5645 | Oracle TimesTen In-Memory Database | Install (Apache Log4j) | Multiple | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Prior to 11.2.2.8.49 |
CVE-2019-1010239 | Oracle TimesTen In-Memory Database | Install (Dave Gamble/cJSON) | HTTP | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | Prior to 18.1.3.1.0 |
CVE-2019-0201 | Oracle TimesTen In-Memory Database | Install (Apache ZooKeeper) | ZAB | Yes | 5.9 | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | Prior to 18.1.3.1.0 |

Additional CVEs addressed are:

  • The patch for CVE-2017-5645 also addresses CVE-2020-1945
  • The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769
  • The patch for CVE-2019-1010239 also addresses CVE-2019-11834 and CVE-2019-11835

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Communications Applications. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK metrics are given as a vector string: AV = Attack Vector (N network, A adjacent network, L local), AC = Attack Complexity (L low, H high), PR = Privileges Required (N none, L low, H high), UI = User Interaction (N none, R required), S = Scope (U unchanged, C changed), C/I/A = Confidentiality/Integrity/Availability impact (H high, L low, N none); see Risk Matrix Definitions.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | CVSS 3.1 Vector | Supported Versions Affected | Notes
CVE-2019-10173 | Oracle Communications BRM - Elastic Charging Engine | Diameter Gateway and SDK (xstream) | HTTP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 11.3.0.9.0, 12.0.0.3.0 |
CVE-2020-10683 | Oracle Communications Unified Inventory Management | Core (dom4j) | HTTP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 7.3.0, 7.4.0 |
CVE-2019-10173 | Oracle Communications Unified Inventory Management | Core (xstream) | HTTP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 7.3.0, 7.4.0 |
CVE-2020-10878 | Oracle Communications Billing and Revenue Management | Core (Perl) | TCP | Yes | 8.6 | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H | 12.0.0.2.0, 12.0.0.3.0 |
CVE-2020-11022 | Oracle Communications Billing and Revenue Management | Billing Operation Center and Oracle Communication Billing Care (jQuery) | HTTP | Yes | 6.1 | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 7.5.0.23.0, 12.0.0.3.0 |
CVE-2020-9489 | Oracle Communications Messaging Server | Core (Apache Tika) | None | No | 5.5 | AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 8.1 |
CVE-2020-9488 | Oracle Communications Billing and Revenue Management | Billing Operation Center and Oracle Communication Billing Care (Apache Log4j) | SMTPS | Yes | 3.7 | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | 7.5.0.23.0, 12.0.0.3.0 |
CVE-2020-9488 | Oracle Communications Offline Mediation Controller | Core (Apache Log4j) | SMTPS | Yes | 3.7 | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | 12.0.0.3.0 |
CVE-2020-9488 | Oracle Communications Unified Inventory Management | Core (Apache Log4j) | SMTPS | Yes | 3.7 | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | 7.3.0, 7.4.0 |

Additional CVEs addressed are:

  • The patch for CVE-2020-10878 also addresses CVE-2020-10543 and CVE-2020-12723
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Communications Risk Matrix

This Critical Patch Update contains 52 new security patches for Oracle Communications. 41 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK metrics are given as a vector string: AV = Attack Vector (N network, A adjacent network, L local), AC = Attack Complexity (L low, H high), PR = Privileges Required (N none, L low, H high), UI = User Interaction (N none, R required), S = Scope (U unchanged, C changed), C/I/A = Confidentiality/Integrity/Availability impact (H high, L low, N none); see Risk Matrix Definitions.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | CVSS 3.1 Vector | Supported Versions Affected | Notes
CVE-2020-10683 | Oracle Communications Application Session Controller | WS and WEB (dom4j) | Multiple | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9m0p1 |
CVE-2020-11973 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache Camel) | HTTP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | IDIH: 8.0.0-8.2.2 |
CVE-2020-2555 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Oracle Coherence) | HTTP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | IDIH: 8.0.0-8.2.2 |
CVE-2020-10683 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (dom4j) | HTTP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | IDIH: 8.0.0-8.2.2 |
CVE-2019-2904 | Oracle Communications Diameter Signaling Router (DSR) | Platform (Application Development Framework) | HTTP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.0.0.0-8.4.0.5 |
CVE-2019-12260 | Oracle Communications EAGLE Software | Network Stack (Wind River VxWorks) | TCP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 46.6.0-46.8.2 |
CVE-2020-11984 | Oracle Communications Element Manager | Core (Apache HTTP Server) | HTTP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.2.0-8.2.2 |
CVE-2020-11984 | Oracle Communications Session Report Manager | Core (Apache HTTP Server) | HTTP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.2.0-8.2.2 |
CVE-2020-11984 | Oracle Communications Session Route Manager | Core (Apache HTTP Server) | HTTP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.2.0-8.2.2 |
CVE-2019-13990 | Oracle Communications Session Route Manager | Core (Quartz Scheduler) | HTTP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.2.0-8.2.2 |
CVE-2019-17638 | Oracle Communications Application Session Controller | WS and WEB (Eclipse Jetty) | HTTP | Yes | 9.4 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | 3.9m0p1 |
CVE-2019-17638 | Oracle Communications Element Manager | Core (Eclipse Jetty) | HTTP | Yes | 9.4 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | 8.2.0-8.2.2 |
CVE-2019-17638 | Oracle Communications Session Report Manager | Core (Eclipse Jetty) | HTTP | Yes | 9.4 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | 8.2.0-8.2.2 |
CVE-2019-17638 | Oracle Communications Session Route Manager | Core (Eclipse Jetty) | HTTP | Yes | 9.4 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | 8.2.0-8.2.2 |
CVE-2020-14195 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (jackson-databind) | HTTP | Yes | 8.1 | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | IDIH: 8.0.0-8.2.2 |
CVE-2020-14195 | Oracle Communications Element Manager | Core (jackson-databind) | HTTP | Yes | 8.1 | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.2.0-8.2.2 |
CVE-2020-14195 | Oracle Communications Evolved Communications Application Server | Universal Data Record (jackson-databind) | XCAP | Yes | 8.1 | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 7.1 |
CVE-2020-14195 | Oracle Communications Session Report Manager | Core (jackson-databind) | HTTP | Yes | 8.1 | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.2.0-8.2.2 |
CVE-2020-14195 | Oracle Communications Session Route Manager | Core (jackson-databind) | HTTP | Yes | 8.1 | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.2.0-8.2.2 |
CVE-2020-5398 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Spring Framework) | HTTP | Yes | 7.5 | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | IDIH: 8.0.0-8.2.2 |
CVE-2019-17359 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Bouncy Castle Java Library) | HTTPS | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | IDIH: 8.0.0-8.2.2 |
CVE-2019-12402 | Oracle Communications Element Manager | Core (Apache Commons Compress) | HTTP | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 8.2.0-8.2.2 |
CVE-2020-11080 | Oracle Communications Session Border Controller | System (http2) | HTTP | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 8.3, 8.4 |
CVE-2019-12402 | Oracle Communications Session Report Manager | Core (Apache Commons Compress) | HTTP | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 8.2.0-8.2.2 |
CVE-2019-12402 | Oracle Communications Session Route Manager | Core (Apache Commons Compress) | HTTP | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 8.2.0-8.2.2 |
CVE-2019-17359 | Oracle Communications Session Route Manager | Core (Bouncy Castle Java Library) | HTTPS | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 8.2.0-8.2.2 |
CVE-2019-10173 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (xstream) | HTTP | Yes | 7.3 | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | IDIH: 8.0.0-8.2.2 |
CVE-2020-9484 | Oracle Communications Diameter Signaling Router (DSR) | Core (Apache Tomcat) | None | No | 7.0 | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.0.0.0-8.4.0.5 |
CVE-2020-9484 | Oracle Communications Element Manager | Core (Apache Tomcat) | None | No | 7.0 | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.2.0-8.2.2 |
CVE-2020-9484 | Oracle Communications Session Report Manager | Core (Apache Tomcat) | None | No | 7.0 | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.2.0-8.2.2 |
CVE-2020-9484 | Oracle Communications Session Route Manager | Core (Apache Tomcat) | None | No | 7.0 | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.2.0-8.2.2 |
CVE-2020-1945 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache Ant) | None | No | 6.7 | AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | IDIH: 8.0.0-8.2.2 |
CVE-2020-10722 | Oracle Communications Session Border Controller | Platform (DPDK) | None | No | 6.7 | AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 8.2-8.4 |
CVE-2020-5408 | Oracle Communications Element Manager | Core (Spring Security) | HTTP | No | 6.5 | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 8.2.0-8.2.2 |
CVE-2020-5408 | Oracle Communications Session Report Manager | Core (Spring Security) | HTTP | No | 6.5 | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 8.2.0-8.2.2 |
CVE-2020-5408 | Oracle Communications Session Route Manager | Core (Spring Security) | HTTP | No | 6.5 | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 8.2.0-8.2.2 |
CVE-2020-11022 | Oracle Communications Application Session Controller | Core (jQuery) | HTTP | Yes | 6.1 | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 3.8m0 |
CVE-2020-1941 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache ActiveMQ) | HTTP | Yes | 6.1 | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | IDIH: 8.0.0-8.2.2 |
CVE-2020-11022 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (jQuery) | HTTP | Yes | 6.1 | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | IDIH: 8.0.0-8.2.2 |
CVE-2019-17091 | Oracle Communications Diameter Signaling Router (DSR) | Platform (Eclipse Mojarra) | HTTP | Yes | 6.1 | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 8.0.0.0-8.4.0.5 |
CVE-2020-14788 | Oracle Communications Diameter Signaling Router (DSR) | User Interface | HTTP | Yes | 6.1 | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 8.0.0.0-8.4.0.5 |
CVE-2020-11022 | Oracle Communications WebRTC Session Controller | ME (jQuery) | HTTP | Yes | 6.1 | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 7.2 |
CVE-2020-11022 | Oracle Enterprise Session Border Controller | Core (jQuery) | HTTP | Yes | 6.1 | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 8.4 |
CVE-2019-12415 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache POI) | None | No | 5.5 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | IDIH: 8.0.0-8.2.2 |
CVE-2020-14787 | Oracle Communications Diameter Signaling Router (DSR) | User Interface | HTTP | No | 5.4 | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 8.0.0.0-8.4.0.5 |
CVE-2019-11048 | Oracle Communications Diameter Signaling Router (DSR) | Core (PHP) | HTTP | Yes | 5.3 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 8.0.0.0-8.4.0.5 |
CVE-2020-1954 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache CXF) | HTTP | Yes | 5.3 | AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | IDIH: 8.0.0-8.2.2 |
CVE-2020-1954 | Oracle Communications Element Manager | Core (Apache CXF) | HTTP | Yes | 5.3 | AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 8.2.0-8.2.2 |
CVE-2020-1954 | Oracle Communications Session Report Manager | Core (Apache CXF) | HTTP | Yes | 5.3 | AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 8.2.0-8.2.2 |
CVE-2020-1954 | Oracle Communications Session Route Manager | Core (Apache CXF) | HTTP | Yes | 5.3 | AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 8.2.0-8.2.2 |
CVE-2020-9488 | Oracle Communications Application Session Controller | WS and WEB (Apache Log4j) | SMTPS | Yes | 3.7 | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9m0p1 |
CVE-2020-9488 | Oracle Communications Services Gatekeeper | Media Control UI (Apache Log4j) | SMTPS | Yes | 3.7 | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | 7 |

Additional CVEs addressed are:

  • The patch for CVE-2019-11048 also addresses CVE-2020-7067
  • The patch for CVE-2019-12260 also addresses CVE-2019-12261
  • The patch for CVE-2019-13990 also addresses CVE-2019-5427
  • The patch for CVE-2019-17638 also addresses CVE-2019-17632
  • The patch for CVE-2020-10722 also addresses CVE-2020-10723 and CVE-2020-10724
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023
  • The patch for CVE-2020-11080 also addresses CVE-2019-5436, CVE-2019-5481, CVE-2019-5482, CVE-2019-9511 and CVE-2019-9513
  • The patch for CVE-2020-11973 also addresses CVE-2020-11971 and CVE-2020-11972
  • The patch for CVE-2020-11984 also addresses CVE-2020-11993 and CVE-2020-9490
  • The patch for CVE-2020-14195 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-9546, CVE-2020-9547 and CVE-2020-9548
  • The patch for CVE-2020-1941 also addresses CVE-2020-13920
  • The patch for CVE-2020-1945 also addresses CVE-2017-5645
  • The patch for CVE-2020-1954 also addresses CVE-2019-12423
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397
  • The patch for CVE-2020-5408 also addresses CVE-2020-5407

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Construction and Engineering. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK metrics are given as a vector string: AV = Attack Vector (N network, A adjacent network, L local), AC = Attack Complexity (L low, H high), PR = Privileges Required (N none, L low, H high), UI = User Interaction (N none, R required), S = Scope (U unchanged, C changed), C/I/A = Confidentiality/Integrity/Availability impact (H high, L low, N none); see Risk Matrix Definitions.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | CVSS 3.1 Vector | Supported Versions Affected | Notes
CVE-2020-11984 | Instantis EnterpriseTrack | Core (Apache HTTP Server) | HTTP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 17.1, 17.2, 17.3 |
CVE-2019-17495 | Primavera Gateway | Admin (Swagger UI) | HTTP | Yes | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 16.2.0-16.2.11, 17.12.0-17.12.8 |
CVE-2015-1832 | Primavera Unifier | Platform (Apache Derby) | HTTP | Yes | 9.1 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 16.1, 16.2, 17.7-17.12, 18.8, 19.12 |
CVE-2017-9096 | Primavera Unifier | Platform (iText) | HTTP | Yes | 8.8 | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 16.1, 16.2, 17.7-17.12, 18.8, 19.12 |
CVE-2020-13935 | Instantis EnterpriseTrack | Core (Apache Tomcat) | HTTP | Yes | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 17.1, 17.2, 17.3 |
CVE-2019-17558 | Primavera Unifier | Platform (Apache Solr) | HTTP | No | 7.5 | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 16.1, 16.2, 17.7-17.12, 18.8, 19.12 |
CVE-2018-17196 | Primavera Unifier | Core (Apache Kafka) | HTTP | Yes | 7.0 | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L | 18.8, 19.12 |
CVE-2020-9489 | Primavera Unifier | Platform (Apache Tika) | None | No | 5.5 | AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 16.1, 16.2, 17.7-17.12, 18.8, 19.12 |
CVE-2020-9488 | Primavera Unifier | Core (Apache Log4j) | SMTPS | Yes | 3.7 | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | 18.8, 19.12 |

Additional CVEs addressed are:

  • The patch for CVE-2020-11984 also addresses CVE-2020-11993 and CVE-2020-9490
  • The patch for CVE-2020-13935 also addresses CVE-2020-13934

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 27 new security patches for Oracle E-Business Suite. 25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2020), My Oracle Support Note 2707309.1.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14855 | Oracle Universal Work Queue | Work Provider Administration | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1.3 | |
| CVE-2020-14805 | Oracle E-Business Suite Secure Enterprise Search | Search Integration Engine | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14875 | Oracle Marketing | Marketing Administration | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14876 | Oracle Trade Management | User Interface | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14862 | Oracle Universal Work Queue | Internal Operations | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.3 - 12.2.9 | |
| CVE-2020-14850 | Oracle CRM Technical Foundation | Flex Fields | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14816 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14817 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14831 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14835 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3 | |
| CVE-2020-14849 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14819 | Oracle One-to-One Fulfillment | Print Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3 | |
| CVE-2020-14863 | Oracle One-to-One Fulfillment | Print Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3 | |
| CVE-2020-14808 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14833 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14834 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14851 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14856 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14857 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14774 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14761 | Oracle Applications Manager | Oracle Diagnostics Interfaces | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 12.1.3, 12.2.3 - 12.2.7 | |
| CVE-2020-14823 | Oracle CRM Technical Foundation | Preferences | HTTP | No | 6.5 | Network | Low | High | None | Unchanged | High | High | None | 12.2.3 - 12.2.10 | |
| CVE-2020-14811 | Oracle Applications Manager | AMP EBS Integration | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14826 | Oracle Applications Manager | SQL Extensions | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14840 | Oracle Application Object Library | Diagnostics | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14746 | Oracle Applications Framework | Popup windows | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 12.1.3, 12.2.3 - 12.2.10 | |
| CVE-2020-14822 | Oracle Installed Base | APIs | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 | |

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Enterprise Manager. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2694898.1.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-13990 | Enterprise Manager Ops Center | Agent Provisioning (Quartz Scheduler) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.4.0.0 | |
| CVE-2018-11058 | Oracle Application Testing Suite | Load Testing for Web Apps (RSA BSAFE Crypto-C) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.3.0.1 | |
| CVE-2019-17638 | Oracle Application Testing Suite | Load Testing for Web Apps (Eclipse Jetty) | HTTP | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | 13.3.0.1 | |
| CVE-2020-5398 | Enterprise Manager Base Platform | Connector Framework (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 13.2.1.0 | |
| CVE-2020-1967 | Enterprise Manager for Storage Management | Privilege Management (OpenSSL) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 13.3.0.0, 13.4.0.0 | |
| CVE-2020-5398 | Oracle Application Testing Suite | Load Testing for Web Apps (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 13.3.0.1 | |
| CVE-2019-3740 | Application Performance Management (APM) | Comp Management and Life Cycle Management (RSA BSAFE Crypto-J) | HTTPS | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 13.3.0.0, 13.4.0.0 | |
| CVE-2019-2897 | Enterprise Manager Base Platform | Event Management | HTTP | No | 6.4 | Network | Low | Low | None | Changed | Low | Low | None | 13.3.0.0, 13.4.0.0 | |
| CVE-2020-11022 | Enterprise Manager Ops Center | Reports in Ops Center (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.4.0.0 | |
| CVE-2020-1954 | Enterprise Manager Base Platform | Connector Framework (Apache CXF) | HTTP | Yes | 5.3 | Adjacent Network | High | None | None | Unchanged | High | None | None | 13.2.1.0 | |
| CVE-2020-9488 | Enterprise Manager for Peoplesoft | PSEM Plugin (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 13.4.1.1 | |

Additional CVEs addressed are:

  • The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769
  • The patch for CVE-2019-13990 also addresses CVE-2019-5427
  • The patch for CVE-2019-17638 also addresses CVE-2019-17632
  • The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739
  • The patch for CVE-2020-1954 also addresses CVE-2019-12419
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 53 new security patches for Oracle Financial Services Applications. 49 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-17495 | Oracle Banking Platform | Collections (Swagger UI) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.4.0-2.10.0 | |
| CVE-2020-10683 | Oracle Banking Platform | Collections (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.4.0-2.10.0 | |
| CVE-2019-10173 | Oracle Banking Platform | Collections (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.4.0-2.10.0 | |
| CVE-2020-10683 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.6-8.1.0 | |
| CVE-2020-9546 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.6-8.1.0 | |
| CVE-2020-9546 | Oracle Financial Services Institutional Performance Analytics | User Interface (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.6, 8.7.0, 8.1.0 | |
| CVE-2020-9546 | Oracle Financial Services Price Creation and Discovery | User Interface (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.6, 8.0.7 | |
| CVE-2017-5645 | Oracle Financial Services Regulatory Reporting with AgileREPORTER | Core (Apache Ant) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.9.2.0 | |
| CVE-2020-9546 | Oracle Financial Services Retail Customer Analytics | User Interface (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.6 | |
| CVE-2020-11973 | Oracle FLEXCUBE Private Banking | Core (Apache Camel) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.0.0, 12.1.0 | |
| CVE-2020-14824 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure | HTTP | Yes | 8.6 | Network | Low | None | None | Changed | None | None | High | 8.0.6-8.1.0 | |
| CVE-2020-14195 | Oracle Banking Digital Experience | Framework (jackson-databind) | HTTPS | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 18.1, 18.2, 18.3, 19.1, 19.2, 20.1 | |
| CVE-2020-5398 | Oracle Financial Services Regulatory Reporting with AgileREPORTER | Core (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 8.0.9.2.0 | |
| CVE-2020-5398 | Oracle FLEXCUBE Private Banking | Core (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 12.0.0, 12.1.0 | |
| CVE-2020-14894 | Oracle Banking Corporate Lending | Core | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 12.3.0, 14.0.0-14.4.0 | |
| CVE-2020-14896 | Oracle Banking Payments | Core | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 14.1.0-14.4.0 | |
| CVE-2020-14890 | Oracle FLEXCUBE Direct Banking | Pre Login | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 12.0.1, 12.0.2, 12.0.3 | |
| CVE-2020-14897 | Oracle FLEXCUBE Direct Banking | Pre Login | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 12.0.1, 12.0.2, 12.0.3 | |
| CVE-2020-14887 | Oracle FLEXCUBE Universal Banking | Infrastructure | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 12.3.0, 14.0.0-14.4.0 | |
| CVE-2020-11022 | Oracle Banking Digital Experience | Framework (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 18.1, 18.2, 18.3, 19.1, 19.2, 20.1 | |
| CVE-2020-11022 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.1.0 | |
| CVE-2020-11022 | Oracle Financial Services Analytical Applications Reconciliation Framework | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.8, 8.1.0 | |
| CVE-2020-11022 | Oracle Financial Services Asset Liability Management | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7, 8.1.0 | |
| CVE-2020-11022 | Oracle Financial Services Balance Sheet Planning | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.8 | |
| CVE-2020-11022 | Oracle Financial Services Basel Regulatory Capital Basic | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.8, 8.1.0 | |
| CVE-2020-11022 | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.8, 8.1.0 | |
| CVE-2020-11022 | Oracle Financial Services Data Foundation | Infrastructure (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.1.0 | |
| CVE-2020-11022 | Oracle Financial Services Data Governance for US Regulatory Reporting | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.9 | |
| CVE-2020-11022 | Oracle Financial Services Data Integration Hub | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7, 8.1.0 | |
| CVE-2020-11022 | Oracle Financial Services Funds Transfer Pricing | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7, 8.1.0 | |
| CVE-2020-11022 | Oracle Financial Services Hedge Management and IFRS Valuations | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.8, 8.1.0 | |
| CVE-2020-11022 | Oracle Financial Services Institutional Performance Analytics | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7, 8.1.0 | |
| CVE-2020-11022 | Oracle Financial Services Liquidity Risk Management | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6 | |
| CVE-2020-11022 | Oracle Financial Services Liquidity Risk Measurement and Management | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.7, 8.0.8, 8.1.0 | |
| CVE-2020-11022 | Oracle Financial Services Loan Loss Forecasting and Provisioning | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.8, 8.1.0 | |
| CVE-2020-11022 | Oracle Financial Services Market Risk Measurement and Management | Infrastructure (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.8 | |
| CVE-2020-11022 | Oracle Financial Services Price Creation and Discovery | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7 | |
| CVE-2020-11022 | Oracle Financial Services Profitability Management | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7, 8.1.0 | |
| CVE-2020-11022 | Oracle Financial Services Regulatory Reporting for European Banking Authority | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.1.0 | |
| CVE-2020-11022 | Oracle Financial Services Regulatory Reporting for US Federal Reserve | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.9 | |
| CVE-2020-1941 | Oracle FLEXCUBE Private Banking | Core (Apache ActiveMQ) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.0.0, 12.1.0 | |
| CVE-2020-11022 | Oracle Insurance Accounting Analyzer | IFRS17 (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.9 | |
| CVE-2020-11022 | Oracle Insurance Allocation Manager for Enterprise Profitability | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.8, 8.1.0 | |
| CVE-2020-11022 | Oracle Insurance Data Foundation | Infrastructure (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.1.0 | |
| CVE-2020-1951 | Oracle FLEXCUBE Private Banking | Core (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.0.0, 12.1.0 | |
| CVE-2019-10247 | Oracle FLEXCUBE Core Banking | Core (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 5.2.0, 11.5.0-11.7.0 | |
| CVE-2020-9488 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.0.6-8.1.0 | |
| CVE-2020-9488 | Oracle Financial Services Institutional Performance Analytics | User Interface (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.0.6, 8.7.0, 8.1.0 | |
| CVE-2020-9488 | Oracle Financial Services Market Risk Measurement and Management | Infrastructure (Apache log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.0.6, 8.0.8, 8.1.0 | |
| CVE-2020-9488 | Oracle Financial Services Price Creation and Discovery | User Interface (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.0.6, 8.0.7 | |
| CVE-2020-9488 | Oracle Financial Services Retail Customer Analytics | User Interface (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.0.6 | |
| CVE-2020-9488 | Oracle FLEXCUBE Core Banking | Core (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 5.2.0, 11.5.0-11.7.0 | |
| CVE-2020-9488 | Oracle FLEXCUBE Private Banking | Core (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 12.0.0, 12.1.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2019-10173 also addresses CVE-2013-7285
  • The patch for CVE-2019-10247 also addresses CVE-2019-10246
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023
  • The patch for CVE-2020-11973 also addresses CVE-2020-11971 and CVE-2020-11972
  • The patch for CVE-2020-14195 also addresses CVE-2020-14060, CVE-2020-14061 and CVE-2020-14062
  • The patch for CVE-2020-1941 also addresses CVE-2020-13920
  • The patch for CVE-2020-1951 also addresses CVE-2020-1950
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-9547 and CVE-2020-9548

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Food and Beverage Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-11022 | Oracle Hospitality Materials Control | Mobile Authorization (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 18.1 | |
| CVE-2020-11022 | Oracle Hospitality Simphony | Simphony Apps (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 18.1, 18.2, 19.1.0-19.1.2 | |
| CVE-2020-14753 | Oracle Hospitality Reporting and Analytics | Installation | None | No | 5.9 | Local | Low | Low | Required | Changed | High | None | None | 9.1.0 | |
| CVE-2020-14783 | Oracle Hospitality RES 3700 | CAL | TCP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 5.7 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 46 new security patches for Oracle Fusion Middleware. 36 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update October 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2694898.1.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-5645 | Identity Manager Connector | General and Misc (Apache Log4j) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0 | |
| CVE-2018-11058 | Oracle Access Manager | Web Server Plugin (RSA BSafe) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.2.3.0 | |
| CVE-2017-9800 | Oracle Data Integrator | Install, config, upgrade (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0 | |
| CVE-2020-10683 | Oracle Endeca Information Discovery Integrator | Integrator ETL (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.2.0 | |
| CVE-2019-10173 | Oracle Endeca Information Discovery Studio | Endeca Server (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.2.0 | |
| CVE-2019-2904 | Oracle Enterprise Repository | Security Subsystem - 12c (Application Development Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.7.0 | |
| CVE-2018-8088 | Oracle GoldenGate Application Adapters | Application Adapters (SLF4J) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.3.2.1.0 | |
| CVE-2019-17531 | Oracle GoldenGate Application Adapters | Build Request (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 19.1.0.0.0 | |
| CVE-2018-11058 | Oracle GoldenGate Application Adapters | Security Service (RSA BSAFE) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.3.2.1.0 | |
| CVE-2019-5482 | Oracle HTTP Server | Web Listener (cURL) | TFTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-10683 | Oracle WebCenter Portal | Portlet Services (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-2555 | Oracle WebCenter Portal | Security Framework (Oracle Coherence) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2019-10173 | Oracle WebCenter Portal | Security Framework (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.9.0, 12.2.1.3.0 | |
| CVE-2019-17267 | Oracle WebLogic Server | Centralized Thirdparty Jars (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0 | |
| CVE-2020-14882 | Oracle WebLogic Server | Console | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2020-14841 | Oracle WebLogic Server | Core | IIOP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2020-14825 | Oracle WebLogic Server | Core | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2020-14859 | Oracle WebLogic Server | Core | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2020-14879 | BI Publisher | E-Business Suite - XDO | HTTP | No | 8.5 | Network | Low | Low | None | Changed | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-14880 | BI Publisher | E-Business Suite - XDO | HTTP | No | 8.5 | Network | Low | Low | None | Changed | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-14842 | BI Publisher | BI Publisher Security | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-14784 | Oracle BI Publisher | Mobile Service | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-14815 | Oracle Business Intelligence Enterprise Edition | Analytics Actions | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2016-2510 | Oracle Data Integrator | Java APIs (BeanShell) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.1.1.9.0, 12.2.1.3.0 | |
| CVE-2020-3235 | Management Pack for Oracle GoldenGate | Monitor (SNMP) | SNMP | No | 7.7 | Network | Low | Low | None | Changed | None | None | High | 12.2.1.2.0 | |
| CVE-2020-14864 | Oracle Business Intelligence Enterprise Edition | Installation | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-1967 | Oracle HTTP Server | SSL Module (OpenSSL) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 | |
| CVE-2020-14820 | Oracle WebLogic Server | Core | IIOP, T3 | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2019-10097 | Oracle HTTP Server | Core (Apache HTTP Server) | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 12.2.1.4.0 | |
| CVE-2020-14883 | Oracle WebLogic Server | Console | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2020-14780 | BI Publisher | BI Publisher Security | HTTP | Yes | 7.1 | Network | Low | None | Required | Unchanged | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-14843 | Oracle Business Intelligence Enterprise Edition | Analytics Actions | HTTP | Yes | 7.1 | Network | Low | None | Required | Changed | Low | Low | Low | 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-14766 | Oracle Business Intelligence Enterprise Edition | Analytics Web Administration | HTTP | No | 7.1 | Network | Low | Low | None | Unchanged | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-9484 | Oracle Managed File Transfer | MFT Runtime Server (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-14757 | Oracle WebLogic Server | Web Services | HTTP | Yes | 6.8 | Network | High | None | Required | Unchanged | High | High | None | 12.2.1.3.0 | |
| CVE-2020-15389 | Oracle Outside In Technology | Installation (OpenJPEG) | HTTP | Yes | 6.5 | Network | High | None | None | Unchanged | Low | None | High | 8.5.5, 8.5.4 | See Note 1 |
| CVE-2020-1945 | Oracle Business Process Management Suite | Runtime Engine (Apache Ant) | None | No | 6.3 | Local | High | Low | None | Unchanged | High | High | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2019-11358 | BI Publisher | BI Publisher Security (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2019-11358 | Oracle Business Process Management Suite | Runtime Engine (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2019-2904 | Oracle Business Process Management Suite | Runtime Engine (Application Development Framework) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-11022 | Oracle JDeveloper | ADF Faces (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-9281 | Oracle WebCenter Portal | Blogs and Wikis (CKEditor) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-11022 | Oracle WebLogic Server | Console (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2020-1951 | Oracle Business Process Management Suite | Document Service (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-13631 | Oracle Outside In Technology | Installation (SQLite) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | High | None | 8.5.5, 8.5.4 | See Note 1 |
| CVE-2020-9488 | Oracle WebLogic Server | Core (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 10.3.6.0.0 | |

Notes:

  1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are:

  • The patch for CVE-2017-9800 also addresses CVE-2016-2167, CVE-2016-2168 and CVE-2016-8734
  • The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769
  • The patch for CVE-2019-17267 also addresses CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943
  • The patch for CVE-2019-17531 also addresses CVE-2019-16943, CVE-2019-17267 and CVE-2019-20330
  • The patch for CVE-2019-5482 also addresses CVE-2019-5435, CVE-2019-5436, CVE-2019-5443 and CVE-2019-5481
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023
  • The patch for CVE-2020-13631 also addresses CVE-2020-11655, CVE-2020-11656, CVE-2020-13630, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
  • The patch for CVE-2020-1951 also addresses CVE-2020-1950

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle GraalVM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14803 | Oracle GraalVM Enterprise Edition | Java | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 19.3.3, 20.2.0 | |

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Health Sciences Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-1953 | Oracle Healthcare Foundation | Self Service Analytics (Apache Commons Configuration) | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 7.1.1, 7.2.0, 7.2.1, 7.3.0 | |
| CVE-2020-10683 | Oracle Health Sciences Empirica Signal | User Interface (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0 | |
| CVE-2020-2555 | Oracle Healthcare Data Repository | Database Module (Oracle Coherence) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.0.1 | |
| CVE-2020-11022 | Oracle Healthcare Foundation | Admin Console (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 7.1.1, 7.2.0, 7.2.1, 7.3.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Hospitality Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-17638 | Oracle Hospitality Guest Access | Base (Eclipse Jetty) | HTTP | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | 4.2.0, 4.2.1 | |
| CVE-2020-14807 | Oracle Hospitality Suite8 | WebConnect | HTTP | Yes | 7.1 | Network | Low | None | Required | Unchanged | High | Low | None | 8.10.2, 8.11-8.14 | |
| CVE-2020-9484 | Oracle Hospitality Guest Access | Base (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 4.2.0, 4.2.1 | |
| CVE-2020-14858 | Oracle Hospitality OPERA 5 Property Services | Logging | HTTP | No | 6.8 | Network | Low | High | Required | Unchanged | High | High | High | 5.5, 5.6 | |
| CVE-2020-14877 | Oracle Hospitality OPERA 5 Property Services | Logging | HTTP | No | 6.5 | Network | Low | High | None | Unchanged | High | High | None | 5.5, 5.6 | |
| CVE-2020-14810 | Oracle Hospitality Suite8 | WebConnect | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 8.10.2, 8.11-8.14 | |

Additional CVEs addressed are:

  • The patch for CVE-2019-17638 also addresses CVE-2019-17632

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Hyperion. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-5482 | Hyperion Essbase | Security and Provisioning (cURL) | TFTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.2.4 | |
| CVE-2020-14854 | Hyperion Infrastructure Technology | UI and Visualization | HTTP | No | 6.1 | Network | Low | High | Required | Unchanged | High | High | None | 11.1.2.4 | |
| CVE-2019-1547 | Hyperion Essbase | Security and Provisioning (OpenSSL) | None | No | 4.7 | Local | High | Low | None | Unchanged | High | None | None | 11.1.2.4 | |
| CVE-2020-14768 | Hyperion Analytic Provider Services | Smart View Provider | HTTP | No | 4.3 | Adjacent Network | High | Low | Required | Unchanged | Low | Low | Low | 11.1.2.4 | |
| CVE-2020-14767 | Hyperion BI+ | IQR-Foundation service | Multiple | No | 4.2 | Network | High | High | Required | Unchanged | High | None | None | 11.1.2.4 | |
| CVE-2020-14752 | Hyperion Lifecycle Management | Shared Services | HTTP | No | 4.2 | Network | High | High | Required | Unchanged | None | High | None | 11.1.2.4 | |
| CVE-2020-14772 | Hyperion Lifecycle Management | Shared Services | HTTP | No | 4.2 | Network | High | High | Required | Unchanged | None | High | None | 11.1.2.4 | |
| CVE-2020-14764 | Hyperion Planning | Application Development Framework | HTTP | No | 4.2 | Network | High | High | Required | Unchanged | None | High | None | 11.1.2.4 | |
| CVE-2020-14770 | Hyperion BI+ | IQR-Foundation service | Multiple | No | 2.0 | Network | High | High | Required | Unchanged | Low | None | None | 11.1.2.4 | |

Additional CVEs addressed are:

  • The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563
  • The patch for CVE-2019-5482 also addresses CVE-2019-5481

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Insurance Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-9546 | Oracle Insurance Policy Administration J2EE | Architecture (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.0.2.25, 11.1.0.15 | |
| CVE-2020-5398 | Oracle Insurance Policy Administration J2EE | Admin Console (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.2.2.0 | |
| CVE-2020-11022 | Oracle Insurance Insbridge Rating and Underwriting | Framework Administrator IBFA (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.0.0.0 - 5.6.0.0, 5.6.1.0 | |
| CVE-2020-9488 | Oracle Insurance Insbridge Rating and Underwriting | Framework Administrator IBFA (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 5.0.0.0 - 5.6.0.0, 5.6.1.0 | |
| CVE-2020-9488 | Oracle Insurance Policy Administration J2EE | Architecture (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26 | |
| CVE-2020-9488 | Oracle Insurance Rules Palette | Architecture (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2019-11358 and CVE-2020-11023
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-9547 and CVE-2020-9548

Oracle Java SE Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14803 | Java SE | Libraries | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | Java SE: 11.0.8, 15 | See Note 1 |
| CVE-2020-14792 | Java SE, Java SE Embedded | Hotspot | Multiple | Yes | 4.2 | Network | High | None | Required | Unchanged | Low | Low | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 2 |
| CVE-2020-14781 | Java SE, Java SE Embedded | JNDI | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 2 |
| CVE-2020-14782 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 2 |
| CVE-2020-14797 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 2 |
| CVE-2020-14779 | Java SE, Java SE Embedded | Serialization | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 2 |
| CVE-2020-14796 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 3.1 | Network | High | None | Required | Unchanged | Low | None | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 1 |
| CVE-2020-14798 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 3.1 | Network | High | None | Required | Unchanged | None | Low | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 1 |

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 53 new security patches plus additional third party patches noted below for Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-8174 | MySQL Cluster | Cluster: JS module (Node.js) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior | |
| CVE-2020-14878 | MySQL Server | Server: Security: LDAP Auth | MySQL Protocol | No | 8.0 | Adjacent Network | Low | Low | None | Unchanged | High | High | High | 8.0.21 and prior | |
| CVE-2020-13935 | MySQL Enterprise Monitor | Monitoring: General (Apache Tomcat) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-1967 | MySQL Workbench | Workbench: Security: Encryption (OpenSSL) | MySQL Workbench | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14828 | MySQL Server | Server: DML | MySQL Protocol | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 8.0.21 and prior | |
| CVE-2020-14775 | MySQL Server | InnoDB | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14765 | MySQL Server | Server: FTS | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14769 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14830 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14836 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14846 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14800 | MySQL Server | Server: Security: Encryption | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14827 | MySQL Server | Server: Security: LDAP Auth | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14760 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 5.7.31 and prior | |
| CVE-2020-1730 | MySQL Workbench | MySQL Workbench (libssh) | MySQL Workbench | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 8.0.21 and prior | |
| CVE-2020-14776 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14821 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14829 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14848 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14852 | MySQL Server | Server: Charsets | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14814 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14789 | MySQL Server | Server: FTS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14804 | MySQL Server | Server: FTS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14812 | MySQL Server | Server: Locking | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14773 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14777 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14785 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14793 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14794 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14809 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14837 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14839 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14845 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14861 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14866 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14868 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14888 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14891 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14893 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14786 | MySQL Server | Server: PS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14790 | MySQL Server | Server: PS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14844 | MySQL Server | Server: PS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14799 | MySQL Server | Server: Security: Encryption | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior | |
| CVE-2020-14869 | MySQL Server | Server: Security: LDAP Auth | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14672 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14870 | MySQL Server | Server: X Plugin | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14853 | MySQL Cluster | Cluster: NDBCluster Plugin | Multiple | No | 4.6 | Network | Low | Low | Required | Unchanged | None | Low | Low | 8.0.21 and prior | |
| CVE-2020-14867 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14873 | MySQL Server | Server: Logging | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14838 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 8.0.21 and prior | |
| CVE-2020-14860 | MySQL Server | Server: Security: Roles | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | None | Low | None | 8.0.21 and prior | |
| CVE-2020-14791 | MySQL Server | InnoDB | MySQL Protocol | No | 2.2 | Network | High | High | None | Unchanged | None | None | Low | 8.0.21 and prior | |
| CVE-2020-14771 | MySQL Server | Server: Security: LDAP Auth | MySQL Protocol | No | 2.2 | Network | High | High | None | Unchanged | None | None | Low | 5.7.31 and prior, 8.0.21 and prior | |

Additional CVEs addressed are:

  • The patch for CVE-2020-13935 also addresses CVE-2020-11996, CVE-2020-13934 and CVE-2020-9484
  • The patch for CVE-2020-8174 also addresses CVE-2020-11080 and CVE-2020-8172

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • MySQL Cluster
    • Cluster: Configuration (dojo): CVE-2020-4051

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 15 new security patches for Oracle PeopleSoft. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-11058 | PeopleSoft Enterprise PeopleTools | Weblogic (RSA BSafe) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.56, 8.57, 8.58 | |
| CVE-2020-14865 | PeopleSoft Enterprise SCM eSupplier Connection | eSupplier Connection | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 9.2 | |
| CVE-2020-14795 | PeopleSoft Enterprise PeopleTools | PIA Core Technology | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 8.57, 8.58 | |
| CVE-2020-14778 | PeopleSoft Enterprise HCM Global Payroll Core | Security | HTTP | No | 6.3 | Network | Low | Low | None | Unchanged | Low | Low | Low | 9.2 | |
| CVE-2020-14832 | PeopleSoft Enterprise PeopleTools | Integration Broker | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-14801 | PeopleSoft Enterprise PeopleTools | PIA Core Technology | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-14802 | PeopleSoft Enterprise PeopleTools | PIA Core Technology | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-11022 | PeopleSoft Enterprise PeopleTools | PIA Core Technology (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-14813 | PeopleSoft Enterprise PeopleTools | PIA Grids | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-11022 | PeopleSoft Enterprise PeopleTools | Portal, Charting (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-1954 | PeopleSoft Enterprise PeopleTools | Elastic Search (Apache CXF) | HTTP | Yes | 5.3 | Adjacent Network | High | None | None | Unchanged | High | None | None | 8.56 | |
| CVE-2020-14806 | PeopleSoft Enterprise PeopleTools | Query | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.56, 8.57, 8.58 | |
| CVE-2020-9488 | PeopleSoft Enterprise PeopleTools | Tools Admin API (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.56, 8.57, 8.58 | |
| CVE-2020-9488 | PeopleSoft Enterprise PeopleTools | Updates Environment Mgmt (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.56, 8.57, 8.58 | |
| CVE-2020-14847 | PeopleSoft Enterprise PeopleTools | Query | HTTP | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 8.56, 8.57, 8.58 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Policy Automation Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Policy Automation. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-11022 | Oracle Policy Automation | Core (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.0 - 12.2.20 | |
| CVE-2020-11022 | Oracle Policy Automation Connector for Siebel | Core (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 10.4.6 | |
| CVE-2020-11022 | Oracle Policy Automation for Mobile Devices | Core (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.0 - 12.2.20 | |
| CVE-2020-9488 | Oracle Policy Automation | Core (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 12.2.0 - 12.2.20 | |
| CVE-2020-9488 | Oracle Policy Automation Connector for Siebel | Core (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 10.4.6 | |
| CVE-2020-9488 | Oracle Policy Automation for Mobile Devices | Core (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 12.2.0 - 12.2.20 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 28 new security patches for Oracle Retail Applications. 25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-10683 | Oracle Retail Order Broker | System Administration (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 15.0, 16.0, 18.0, 19.0, 19.1 | |
| CVE-2020-10683 | Oracle Retail Price Management | Security (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0 | |
| CVE-2020-9546 | Oracle Retail Service Backbone | RSB kernel (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1, 15.0, 16.0 | |
| CVE-2020-1945 | Oracle Retail Back Office | Security (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 14.0, 14.1 | |
| CVE-2020-1945 | Oracle Retail Central Office | Security (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 14.0, 14.1 | |
| CVE-2020-1945 | Oracle Retail Integration Bus | RIB Kernal (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 14.1, 15.0, 16.0 | |
| CVE-2020-1945 | Oracle Retail Point-of-Service | Security (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 14.0, 14.1 | |
| CVE-2020-1945 | Oracle Retail Returns Management | Security (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 14.0, 14.1 | |
| CVE-2020-9410 | Oracle Retail Order Broker | Order Broker Foundation (jasperreports_server) | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 15.0, 16.0 | |
| CVE-2019-3740 | Oracle Retail Assortment Planning | Application Core (RSA BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 15.0.3.0, 16.0.3.0 | |
| CVE-2019-3740 | Oracle Retail Integration Bus | RIB Kernal (RSA BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 14.1, 15.0, 16.0 | |
| CVE-2019-3740 | Oracle Retail Predictive Application Server | RPAS Server (RSA BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 14.1.3.0, 15.0.3.0, 16.0.3.0 | |
| CVE-2019-3740 | Oracle Retail Service Backbone | RSB kernel (RSA BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 14.1, 15.0, 16.0 | |
| CVE-2019-3740 | Oracle Retail Xstore Point of Service | Xenvironment (RSA BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1 | |
| CVE-2020-11022 | Oracle Retail Back Office | Security (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0, 14.1 | |
| CVE-2020-11022 | Oracle Retail Central Office | Security (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0, 14.1 | |
| CVE-2020-11022 | Oracle Retail Customer Management and Segmentation Foundation | Segments (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 19.0 | |
| CVE-2019-11358 | Oracle Retail Point-of-Service | Mobile POS (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0, 14.1 | |
| CVE-2020-11022 | Oracle Retail Returns Management | Security (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0, 14.1 | |
| CVE-2019-12415 | Oracle Retail Order Broker | Store Connect (Apache POI) | none | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 15.0, 16.0 | |
| CVE-2020-9488 | Oracle Retail Advanced Inventory Planning | AIP Dashboard (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 14.1 | |
| CVE-2020-9488 | Oracle Retail Assortment Planning | Application Core (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 15.0.3.0, 16.0.3.0 | |
| CVE-2020-9488 | Oracle Retail Bulk Data Integration | BDI Job Scheduler (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 15.0.3.0, 16.0.3.0 | |
| CVE-2020-9488 | Oracle Retail Integration Bus | RIB Kernal (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 14.1, 15.0, 16.0 | |
| CVE-2020-9488 | Oracle Retail Order Broker | Store Connect (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 16.0, 18.0, 19.0, 19.1, 19.2, 19.3 | |
| CVE-2020-9488 | Oracle Retail Predictive Application Server | RPAS Fusion Client (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 14.1.3.0, 15.0.3.0, 16.0.3.0 | |
| CVE-2020-14732 | Oracle Retail Customer Management and Segmentation Foundation | Promotions | HTTP | No | 3.1 | Network | High | Low | None | Unchanged | Low | None | None | 19.0 | |
| CVE-2020-14731 | Oracle Retail Customer Management and Segmentation Foundation | Segment | HTTP | No | 3.1 | Network | High | Low | None | Unchanged | Low | None | None | 18.0, 19.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023
  • The patch for CVE-2020-1945 also addresses CVE-2017-5645
  • The patch for CVE-2020-9410 also addresses CVE-2020-9409
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-9547 and CVE-2020-9548

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Siebel CRM. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-1000031 | Siebel Apps - Marketing | Mktg/Email Mktg Stand-Alone (Apache Commons File Upload) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 20.7 | |
| CVE-2019-10072 | Siebel Apps - Marketing | Mktg/Campaign Mgmt (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 20.7 | |
| CVE-2020-11022 | Siebel UI Framework | UIF Open UI (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 20.8 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Supply Chain. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-1938 | Oracle Agile PLM | Folders, Files & Attachments (Apache Tomcat) | AJP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.3.3, 9.3.5, 9.3.6 | |
| CVE-2020-10683 | Oracle Agile PLM | Security (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.3.3, 9.3.5 | |
| CVE-2020-9484 | Oracle Transportation Management | Install (Apache Tomcat) | AJP | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 6.3.7 | |
| CVE-2020-11022 | Oracle Agile Product Lifecycle Management for Process | Supplier Portal (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 6.2.0.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023
  • The patch for CVE-2020-1938 also addresses CVE-2019-17569, CVE-2020-13934, CVE-2020-13935, CVE-2020-1935 and CVE-2020-9484

Oracle Systems Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Systems. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK columns (Base Score through Availability) are defined in the Risk Matrix Definitions.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14871 | Oracle Solaris | Pluggable authentication module | Multiple | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 10, 11 | See Note 1 |
| CVE-2020-14871 | Oracle ZFS Storage Appliance Kit | Operating System Image | Multiple | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 8.8 | See Note 1 |
| CVE-2019-11477 | Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers | XCP Firmware (Linux Kernel) | TCP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to XCP2362, prior to XCP3090 | |
| CVE-2018-3693 | Fujitsu M12-1, M12-2, M12-2S Servers | XCP Firmware (Kernel) | None | No | 5.6 | Local | High | Low | None | Changed | High | None | None | Prior to XCP3090 | |
| CVE-2020-14758 | Oracle Solaris | Kernel | None | No | 5.6 | Local | Low | Low | Required | Unchanged | High | None | Low | 11 | |
| CVE-2020-14754 | Oracle Solaris | Filesystem | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 11 | |
| CVE-2020-14818 | Oracle Solaris | Utility | SSH | No | 3.0 | Network | High | Low | Required | Changed | None | Low | None | 11 | |
| CVE-2020-14759 | Oracle Solaris | Kernel | None | No | 2.5 | Local | High | Low | Required | Changed | None | Low | None | 11 | |

Notes:

  1. This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases, thus the CVSS Base Score is 0.0.

Additional CVEs addressed are:

  • The patch for CVE-2019-11477 also addresses CVE-2019-11478 and CVE-2019-11479
  • The patch for CVE-2020-14871 for Oracle ZFS Storage Appliance Kit also addresses CVE-2019-18348, CVE-2020-3909, CVE-2020-10108, CVE-2020-12243, CVE-2020-13630, CVE-2020-14758 and CVE-2020-14759

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Utilities Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK columns (Base Score through Availability) are defined in the Risk Matrix Definitions.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-10173 | Oracle Utilities Framework | Common (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0 | |
| CVE-2020-10683 | Oracle Utilities Framework | General (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | |
| CVE-2020-1945 | Oracle Utilities Framework | General (Apache Ant) | None | No | 6.3 | Local | High | Low | None | Unchanged | High | High | None | 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | |
| CVE-2020-14895 | Oracle Utilities Framework | System Wide | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | |
| CVE-2020-9488 | Oracle Utilities Framework | Common (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-1945 also addresses CVE-2017-5645

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK columns (Base Score through Availability) are defined in the Risk Matrix Definitions.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14872 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | Prior to 6.1.16 | |
| CVE-2020-14881 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.16 | |
| CVE-2020-14884 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.16 | |
| CVE-2020-14885 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.16 | |
| CVE-2020-14886 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.16 | |
| CVE-2020-14889 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.16 | |
| CVE-2020-14892 | Oracle VM VirtualBox | Core | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | Prior to 6.1.16 | |

© 2022 Oracle