Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE
#sql#vulnerability#web#mac#windows#apple#google#linux#apache#memcached#git#java#oracle#kubernetes#intel#ldap#huawei#auth#ssh#zero_day#docker#ssl
  • Click to view our Accessibility Policy

  • Skip to content

  • Security Alerts

Oracle Critical Patch Update Advisory - October 2016****Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 253 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.

Please note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available here.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Affected Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for patch availability information and installation instructions.

For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update October 2016 Documentation Map, My Oracle Support Note.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions

Patch Availability

Application Express, version(s) prior to 5.0.4.0.7

Database

Oracle Database Server, version(s) 11.2.0.4, 12.1.0.2

Database

Oracle Secure Backup, version(s) prior to 10.4.0.4.0, prior to 12.1.0.2.0

Oracle Secure Backup

Big Data Graph, version(s) prior to 1.2

Oracle Big Data Graph

NetBeans, version(s) 8.1

Fusion Middleware

Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0

Fusion Middleware

Oracle Big Data Discovery, version(s) 1.1.1, 1.1.3, 1.2.0

Fusion Middleware

Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.1.0.0, 12.2.1.1.0

Fusion Middleware

Oracle Data Integrator, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.2.0.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0

Fusion Middleware

Oracle Discoverer, version(s) 11.1.1.7.0

Fusion Middleware

Oracle Fusion Middleware, version(s) 11.1.1.7, 11.1.1.9, 11.1.2.3, 11.1.2.4, 12.1.3.0, 12.2.1.0, 12.2.1.1

Fusion Middleware

Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2

Fusion Middleware

Oracle Identity Manager, version(s) -

Fusion Middleware

Oracle iPlanet Web Proxy Server, version(s) 4.0

Fusion Middleware

Oracle iPlanet Web Server, version(s) 7.0

Fusion Middleware

Oracle Outside In Technology, version(s) 8.4.0, 8.5.1, 8.5.2, 8.5.3

Fusion Middleware

Oracle Platform Security for Java, version(s) 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0

Fusion Middleware

Oracle Web Services, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0

Fusion Middleware

Oracle WebCenter Sites, version(s) 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0

Fusion Middleware

Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1

Fusion Middleware

Enterprise Manager, version(s) 12.1.4, 12.2.2, 12.3.2

Enterprise Manager

Enterprise Manager Base Platform, version(s) 12.1.0.5

Enterprise Manager

Oracle Application Testing Suite, version(s) 12.5.0.1, 12.5.0.2, 12.5.0.3

Enterprise Manager

Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

E-Business Suite

Oracle Advanced Supply Chain Planning, version(s) 12.2.3, 12.2.4, 12.2.5

Oracle Supply Chain Products

Oracle Agile Engineering Data Management, version(s) 6.1.3.0, 6.2.0.0

Oracle Supply Chain Products

Oracle Agile PLM, version(s) 9.3.4, 9.3.5

Oracle Supply Chain Products

Oracle Agile Product Lifecycle Management for Process, version(s) 6.1.0.4, 6.1.1.6, 6.2.0.0

Oracle Supply Chain Products

Oracle Transportation Management, version(s) 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7

Oracle Supply Chain Products

PeopleSoft Enterprise HCM, version(s) 9.2

PeopleSoft

PeopleSoft Enterprise PeopleTools, version(s) 8.54, 8.55

PeopleSoft

PeopleSoft Enterprise SCM Services Procurement, version(s) 9.1, 9.2

PeopleSoft

JD Edwards EnterpriseOne Tools, version(s) 9.1

JD Edwards

JD Edwards World Security, version(s) A9.4

JD Edwards

Siebel Applications, version(s) 7.1, 16.1

Siebel

Oracle Commerce Guided Search, version(s) 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2

Oracle Commerce

Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 3.1.1, 3.1.2, 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2, 11.0, 11.1, 11.2

Oracle Commerce

Oracle Commerce Platform, version(s) 10.0.3.5, 10.2.0.5, 11.2.0.1

Oracle Commerce

Oracle Commerce Service Center, version(s) 10.0.3.5, 10.2.0.5

Oracle Commerce

Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9

Fusion Applications

Oracle Communications Policy Management, version(s) 9.7.3, 9.9.1, 10.4.1, 12.1.1 and prior

Oracle Communications Policy Management

Oracle Enterprise Communications Broker, version(s) Pcz2.0.0m4p5 and earlier

Oracle Enterprise Communications Broker

Oracle Enterprise Session Border Controller, version(s) Ecz7.3m1p4 and earlier

Oracle Enterprise Session Border Controller

Oracle Banking Digital Experience, version(s) 15.1

Oracle Financial Services Applications

Oracle Financial Services Analytical Applications Infrastructure, version(s) 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3

Oracle Financial Services Applications

Oracle Financial Services Lending and Leasing, version(s) 14.1.0, 14.2.0

Oracle Financial Services Applications

Oracle FLEXCUBE Core Banking, version(s) 11.5.0.0.0, 11.6.0.0.0

Oracle Financial Services Applications

Oracle FLEXCUBE Enterprise Limits and Collateral Management, version(s) 12.0.0, 12.1.0

Oracle Financial Services Applications

Oracle FLEXCUBE Investor Servicing, version(s) 12.0.1

Oracle Financial Services Applications

Oracle FLEXCUBE Private Banking, version(s) 2.0.0, 2.0.1, 2.2.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0

Oracle Financial Services Applications

Oracle FLEXCUBE Universal Banking, version(s) 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.87.1, 12.87.2

Oracle Financial Services Applications

Oracle Life Sciences Data Hub, version(s) 2.x

Health Sciences

Oracle Hospitality OPERA 5 Property Services, version(s) 5.4.0.0, 5.4.1.0, 5.4.2.0, 5.4.3.0, 5.5.0.0, 5.5.1.0

Oracle Hospitality OPERA 5 Property Services

Oracle Insurance IStream, version(s) 4.3.2

Oracle Insurance Applications

MICROS XBR, version(s) 7.0.2, 7.0.4

MICROS XBR

Oracle Retail Back Office, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1

Oracle Retail Back Office

Oracle Retail Central Office, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1

Oracle Retail Central Office

Oracle Retail Clearance Optimization Engine, version(s) 13.2, 13.3, 13.4, 14.0

Oracle Retail Clearance Optimization Engine

Oracle Retail Customer Insights, version(s) 15.0

Oracle Retail Customer Insights

Oracle Retail Merchandising Insights, version(s) 15.0

Oracle Retail Merchandising Insights

Oracle Retail Returns Management, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1

Oracle Retail Returns Management

Oracle Retail Xstore Payment, version(s) 1.x

Oracle Retail Xstore Payment

Oracle Retail Xstore Point of Service, version(s) 5.0, 5.5, 6.0, 6.5, 7.0, 7.1

Oracle Retail Xstore Point of Service

Primavera P6 Enterprise Project Portfolio Management, version(s) 8.4, 15.x, 16.x

Oracle Primavera Products Suite

Primavera P6 Professional Project Management, version(s) 8.3, 8.4, 15.x, 16.x

Oracle Primavera Products Suite

Oracle Java SE, version(s) 6u121, 7u111, 8u102

Oracle Java SE

Oracle Java SE Embedded, version(s) 8u101

Oracle Java SE

Solaris, version(s) 10, 11.3

Oracle and Sun Systems Products Suite

Solaris Cluster, version(s) 3.3, 4.3

Oracle and Sun Systems Products Suite

Sun ZFS Storage Appliance Kit (AK), version(s) AK 2013

Oracle and Sun Systems Products Suite

Oracle VM VirtualBox, version(s) prior to 5.0.28, prior to 5.1.8

Oracle Linux and Virtualization

Secure Global Desktop, version(s) 4.7, 5.2

Oracle Linux and Virtualization

Sun Ray Operating Software, version(s) prior to 11.1.7

Oracle Linux and Virtualization

Virtual Desktop Infrastructure, version(s) prior to 3.5.3

Oracle Linux and Virtualization

MySQL Connector, version(s) 2.0.4 and prior, 2.1.3 and prior

Oracle MySQL Product Suite

MySQL Server, version(s) 5.5.52 and prior, 5.6.33 and prior, 5.7.15 and prior

Oracle MySQL Product Suite

Note:

  • Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
  • Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates (CPUs) and Solaris Third Party bulletins.
  • Users can download the latest release of Netbeans from http://netbeans.org. Users running earlier versions of Netbeans can use automatic updates to get the latest patches.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update October 2016 Availability Document, My Oracle Support Note 2171485.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Abhishek Singh; Alejo Popovici; Alexander Kornbrust of Red Database Security; Amichai Shulman of Imperva, Inc.; Ariel Walter Garcia; Behzad Najjarpour Jabbari, Secunia Research at Flexera Software; bo13oy of Trend Micro’s Zero Day Initiative; Cezar Santos; David Litchfield of Google; Dawid Golunski; Denis Shpektorov; Devin Rosenbauer of Identity Works LLC; Emiliano J. Fausto of Onapsis; Felix Wilhelm; Hunter Liu of Huawei’s IT Infrastructure & Security Dept, BPIT&QM; Jackson Thuraisamy of Security Compass; Jacob Baines - Tenable Network Security working with Trend Micro’s Zero Day Initiative; Jakub Palaczynski of ING Services Polska; John Page (hyp3rlinx); Jordan Milne; Mateusz Guzik; Matias Mevied of Onapsis; Matthias Kaiser of Code White; Michael Miller of Integrigy; Okan Basegmez of DORASEC Consulting; Pete Finnigan; Peter Moody; Rahmat Nur Fauzi; Reno Robert; Rex Dale Stevens; Sahar Sabban of Intel; Suraj Khetani of Gulf Business Machines; Sven Blumenstein of Google; Tommy DeVoss of Evolution Security; Valentin Dornauer; and Vishnu Padmakumar.

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Adam Willard of Raytheon Foreground Security; Christopher Lamberson; Masato Kinugawa; Max Pilar of Blue Canopy; Michael Rasmussen of Zeroturnaround; Recx Ltd; Shanliang Jiang; Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.; and Talib Osmani for contributions to Oracle’s Security-In-Depth program.

On-Line Presence Security Contributors

Oracle provides acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes Adam Willard of Raytheon Foreground Security; Adam Willard, reported through CMS; Ahmad Amjad Alfoqha’a; Amine HM; Arbin Godar; Ayoub Ait Elmokhtar; Ben Khilfa Fahmi - SIFARIS Tunisia; Cameron Dawe of Spam404.com; Dhiraj Mishra of TMT ITRA Cyber Security Team at EY; Filippos Mastrogiannis of Hellenic Telecommunications Organization S.A (OTE); Hamza Bachikh; Jatinpreet Singh; Jayvardhan Singh; Jiri Stary; Kamran Saifullah (ImpactX Technologies); Ketankumar B. Godhani of Ketankumar Godhani; Mandeep Jadon; Mudit Punia of Torrid Networks Pvt. Ltd; Muhammad Zeeshan; Nikhil Mittal; Pradeep Kumar; Pravin Nagare; Ravindra Singh Rathore; Shahmeer Baloch; Shawar Khan; Sree Visakh Jain; and wh0ami for contributions to Oracle’s On-Line Presence Security program.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 17 January 2017
  • 18 April 2017
  • 18 July 2017
  • 17 October 2017

References

  • Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
  • Critical Patch Update - October 2016 Documentation Map [ My Oracle Support Note ]
  • Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
  • Risk Matrix definitions [ Risk Matrix Definitions ]
  • Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
  • English text version of the risk matrices [ Oracle Technology Network ]
  • CVRF XML version of the risk matrices [ Oracle Technology Network ]
  • The Oracle Software Security Assurance Blog [ The Oracle Software Security Assurance Blog ]
  • List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
  • Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]

Modification History

Date

Note

2019-May-16

Rev 5. Added note to Fusion Middleware risk matrix indicating that the fix of CVE-2016-5535 also addresses CVE-2016-1000031.

2016-November-21

Rev 4. Vulnerable component for CVE-2016-1181 changed to Portal SEC. Added note to MySQL risk matrix concerning equivalent CVEs.

2016-October-24

Rev 3. Version updated to Ecz7.3m1p4, sub-component changed for CVE-2013-2566, CVE-2014-2532.

2016-October-19

Rev 2. CVSS score updated for CVE-2016-5610.

2016-October-18

Rev 1. Initial Release.

Appendix - Oracle Database Server****Oracle Database Server Executive Summary

This Critical Patch Update contains 12 new security fixes for the Oracle Database Server divided as follows:

  • 9 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 1 of these fixes is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
  • 2 new security fixes for Oracle Secure Backup. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
  • 1 new security fix for Oracle Big Data Graph. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

CVE#

Component

Package and/or Privilege Required

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-5555

OJVM

Create Session, Create Procedure

Multiple

No

9.1

Network

Low

High

None

Changed

High

High

High

11.2.0.4, 12.1.0.2

CVE-2016-5572

Kernel PDB

Create Session

Oracle Net

No

6.4

Local

High

High

None

Un- changed

High

High

High

12.1.0.2

CVE-2016-5497

RDBMS Security

Create Session

Oracle Net

No

6.4

Local

High

High

None

Un- changed

High

High

High

12.1.0.2

CVE-2010-5312

Application Express

None

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

Prior to 5.0.4.00.07

CVE-2016-5516

Kernel PDB

Execute on DBMS_PDB_EXEC_SQL

Oracle Net

No

6.0

Local

Low

High

None

Changed

None

None

High

12.1.0.2

CVE-2016-5505

RDBMS Programmable Interface

Create Session

Oracle Net

No

5.5

Local

Low

Low

None

Un- changed

High

None

None

11.2.0.4, 12.1.0.2

CVE-2016-5498

RDBMS Security

Create Session

Oracle Net

No

3.3

Local

Low

Low

None

Un- changed

Low

None

None

11.2.0.4, 12.1.0.2

CVE-2016-5499

RDBMS Security

Create Session

Oracle Net

No

3.3

Local

Low

Low

None

Un- changed

Low

None

None

11.2.0.4, 12.1.0.2

CVE-2016-3562

RDBMS Security and SQL*Plus

DBA level privileged account

Oracle Net

No

2.4

Network

Low

High

Required

Un- changed

Low

None

None

11.2.0.4, 12.1.0.2

See Note 1

Notes:

  1. Fix applicable to both server and client side installations.

Oracle Database Server Client-Only Installations

The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2016-3562. .

Oracle Secure Backup Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Secure Backup. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Secure Backup Risk Matrix

CVE#

Component

Package and/or Privilege Required

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2015-1351

Oracle Secure Backup

None

Multiple

Yes

5.8

Network

Low

None

None

Changed

None

None

Low

Prior to 12.1.0.2.0

CVE-2015-0286

Oracle Secure Backup

None

SSL

Yes

5.8

Network

Low

None

None

Changed

None

None

Low

Prior to 10.4.0.4.0

Oracle Big Data Graph Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Big Data Graph. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Big Data Graph Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2015-7501

Big Data Graph

Apache Commons Collections

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

Prior to 1.2

Appendix - Oracle Fusion Middleware****Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 29 new security fixes for Oracle Fusion Middleware. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the October 2016 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2016 Patch Availability Document for Oracle Products, My Oracle Support Note 2171485.1.

Oracle Fusion Middleware Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2015-3253

Oracle Big Data Discovery

Data Processing

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

1.1.1, 1.1.3, 1.2.0

CVE-2016-3551

Oracle Web Services

JAXWS Web Services Stack

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0

CVE-2015-7501

Oracle WebLogic Server

None

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

10.3.6.0, 12.1.3.0, 12.2.1.0

CVE-2016-5535

Oracle WebLogic Server

None

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1

CVE-2016-5531

Oracle WebLogic Server

WLS-WebServices

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

10.3.6.0, 12.1.3.0, 12.2.1.0

CVE-2016-1950

Oracle GlassFish Server

Security

HTTPS

Yes

8.8

Network

Low

None

Required

Un- changed

High

High

High

2.1.1

CVE-2016-5519

Oracle GlassFish Server

Java Server Faces

Multiple

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

2.1.1, 3.0.1, 3.1.2

CVE-2016-3505

Oracle WebLogic Server

JavaServer Faces

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

10.3.6.0, 12.1.3.0, 12.2.1.0

CVE-2016-1950

Oracle iPlanet Web Proxy Server

Security

HTTPS

Yes

8.8

Network

Low

None

Required

Un- changed

High

High

High

4.0

CVE-2016-1950

Oracle iPlanet Web Server

Security

HTTPS

Yes

8.8

Network

Low

None

Required

Un- changed

High

High

High

7.0

CVE-2016-5558

Oracle Outside In Technology

Outside In Filters

HTTP

Yes

8.6

Network

Low

None

None

Un- changed

High

Low

Low

8.4.0, 8.5.1, 8.5.2, 8.5.3

See Note 1

CVE-2016-5574

Oracle Outside In Technology

Outside In Filters

HTTP

Yes

8.6

Network

Low

None

None

Un- changed

High

Low

Low

8.4.0, 8.5.1, 8.5.2, 8.5.3

See Note 1

CVE-2016-5577

Oracle Outside In Technology

Outside In Filters

HTTP

Yes

8.6

Network

Low

None

None

Un- changed

High

Low

Low

8.4.0, 8.5.1, 8.5.2, 8.5.3

See Note 1

CVE-2016-5578

Oracle Outside In Technology

Outside In Filters

HTTP

Yes

8.6

Network

Low

None

None

Un- changed

High

Low

Low

8.4.0, 8.5.1, 8.5.2, 8.5.3

See Note 1

CVE-2016-5579

Oracle Outside In Technology

Outside In Filters

HTTP

Yes

8.6

Network

Low

None

None

Un- changed

High

Low

Low

8.4.0, 8.5.1, 8.5.2, 8.5.3

See Note 1

CVE-2016-5588

Oracle Outside In Technology

Outside In Filters

HTTP

Yes

8.6

Network

Low

None

None

Un- changed

High

Low

Low

8.4.0, 8.5.1, 8.5.2, 8.5.3

See Note 1

CVE-2016-3473

BI Publisher (formerly XML Publisher)

Security

HTTP

No

7.7

Network

Low

Low

None

Changed

High

None

None

11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0

CVE-2016-8281

Oracle Platform Security for Java

Audit Reports

HTTP

No

7.6

Network

Low

Low

None

Un- changed

High

Low

Low

12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0

CVE-2016-5536

Oracle Platform Security for Java

Audit Schema

HTTP

No

7.6

Network

Low

Low

None

Un- changed

High

Low

Low

12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0

CVE-2016-5495

Oracle Discoverer

EUL Code & Schema

HTTP

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

11.1.1.7.0

CVE-2016-5500

Oracle Discoverer

Viewer

HTTP

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

11.1.1.7.0

CVE-2016-5601

Oracle WebLogic Server

CIE Related Components

HTTP

No

6.3

Local

Low

High

Required

Changed

Low

High

None

12.1.3.0, 12.2.1.0, 12.2.1.1

CVE-2016-2107

Oracle Business Intelligence Enterprise Edition

Installation

HTTPS

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

11.1.1.7.0, 11.1.1.9.0, 12.1.1.0.0, 12.2.1.1.0

CVE-2016-5537

NetBeans

Project Import

HTTP

No

5.7

Local

Low

High

None

Changed

Low

Low

Low

8.1

CVE-2016-5602

Oracle Data Integrator

Code Generation Engine

HTTP

No

5.7

Network

Low

Low

Required

Un- changed

High

None

None

11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0

See Note 2

CVE-2016-5488

Oracle WebLogic Server

Web Container

HTTP

Yes

5.3

Network

Low

None

None

Un- changed

None

None

Low

10.3.6.0, 12.1.3.0

CVE-2016-5511

Oracle WebCenter Sites

Security

HTTP

Yes

4.3

Network

Low

None

Required

Un- changed

None

Low

None

12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0

See Note 3

CVE-2016-5618

Oracle Data Integrator

Code Generation Engine

HTTP

No

3.1

Network

High

Low

None

Un- changed

Low

None

None

11.1.1.7.0, 11.1.1.9.0, 12.1.2.0.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0

See Note 4

CVE-2016-5506

Oracle Identity Manager

App Server

XML

No

3.1

Local

Low

High

Required

Un- changed

Low

Low

None

-

See Note 5

Notes:

  1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
  2. Please refer to My Oracle Support Note 2188855.1 for instructions on how to address this issue.
  3. Please refer to My Oracle Support Note 2188873.1 for instructions on how to address this issue.
  4. Please refer to My Oracle Support Note 2188871.1 for instructions on how to address this issue.
  5. Fixed in all supported releases and patchsets.

Additional CVEs addressed:

  • The fix for CVE-2016-2107 also addresses CVE-2015-3197.
  • The fix for CVE-2016-5535 also addresses CVE-2016-1000031.

Appendix - Oracle Enterprise Manager Grid Control****Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 5 new security fixes for Oracle Enterprise Manager Grid Control. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2016 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2016 Patch Availability Document for Oracle Products, My Oracle Support Note 2171485.1.

Oracle Enterprise Manager Grid Control Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-2107

Enterprise Manager

Ops Center

HTTPS

Yes

8.2

Network

Low

None

None

Un- changed

Low

None

High

12.1.4, 12.2.2, 12.3.2

CVE-2016-4979

Enterprise Manager

Ops Center

HTTP

Yes

7.5

Network

Low

None

None

Un- changed

None

High

None

12.1.4, 12.2.2, 12.3.2

CVE-2015-7940

Enterprise Manager

Ops Center

HTTPS

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

12.1.4, 12.2.2

CVE-2015-7940

Oracle Application Testing Suite

Load Testing for Web Apps

HTTPS

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

12.5.0.1, 12.5.0.2, 12.5.0.3

CVE-2016-5604

Enterprise Manager Base Platform

Security Framework

None

No

6.3

Local

Low

High

Required

Changed

Low

High

None

12.1.0.5

Additional CVEs addressed:

  • The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2099-1234.
  • The fix for CVE-2016-4979 also addresses CVE-2016-1546.

Appendix - Oracle Applications****Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 21 new security fixes for the Oracle E-Business Suite. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2016 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 12 Critical Patch Update Knowledge Document (October 2016), My Oracle Support Note 2181748.1.

Oracle E-Business Suite Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-5557

Oracle Advanced Pricing

Price Book

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2016-5589

Oracle CRM Technical Foundation

Responsibility Management

HTTP

Yes

8.2

Network

Low

None

None

Un- changed

Low

High

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2016-5587

Oracle Customer Interaction History

Outcome-Result

HTTP

Yes

8.2

Network

Low

None

None

Un- changed

Low

High

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4

CVE-2016-5591

Oracle Customer Interaction History

Outcome-Result

HTTP

Yes

8.2

Network

Low

None

None

Un- changed

Low

High

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4

CVE-2016-5593

Oracle Customer Interaction History

Outcome-Result

HTTP

Yes

8.2

Network

Low

None

None

Un- changed

Low

High

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4

CVE-2016-5592

Oracle Customer Interaction History

Result-Reason

HTTP

Yes

8.2

Network

Low

None

None

Un- changed

Low

High

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4

CVE-2016-5595

Oracle Customer Interaction History

Result-Reason

HTTP

Yes

8.2

Network

Low

None

None

Un- changed

Low

High

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4

CVE-2016-5586

Oracle Email Center

Dispatch/Service Call Requests

HTTP

Yes

8.2

Network

Low

None

None

Un- changed

Low

High

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2016-2176

Oracle HTTP Server

OpenSSL

HTTP

Yes

8.2

Network

Low

None

None

Un- changed

Low

None

High

12.1.3

CVE-2016-5489

Oracle iStore

Runtime Catalog

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4

CVE-2016-5562

Oracle iProcurement

Requisition Management

HTTP

No

7.6

Network

Low

Low

Required

Changed

High

Low

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2016-5581

Oracle iRecruitment

Candidate Self Service

None

No

6.6

Physical

Low

Low

None

Un- changed

High

High

High

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2016-5567

Oracle Applications DBA

AD Utilities

HTTP

No

6.5

Network

Low

High

None

Un- changed

High

High

None

12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2016-5570

Oracle Applications DBA

AD Utilities

HTTP

No

6.5

Network

Low

High

None

Un- changed

High

High

None

12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2016-5571

Oracle Applications DBA

AD Utilities

HTTP

No

6.5

Network

Low

High

None

Un- changed

High

High

None

12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2016-5585

Oracle Interaction Center Intelligence

Select Application Dependencies

HTTP

Yes

6.5

Network

Low

None

None

Un- changed

Low

Low

None

12.1.1, 12.1.2, 12.1.3

CVE-2016-5517

Oracle Applications DBA

AD Utilities

None

No

5.5

Local

Low

Low

None

Un- changed

High

None

None

12.1.3

CVE-2016-5575

Oracle Common Applications Calendar

Resources Module

HTTP

Yes

5.3

Network

Low

None

None

Un- changed

Low

None

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2016-5583

Oracle One-to-One Fulfillment

File Upload

HTTP

Yes

5.3

Network

Low

None

None

Un- changed

None

Low

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2016-5532

Oracle Shipping Execution

Workflow Events

HTTP

Yes

5.3

Network

Low

None

None

Un- changed

Low

None

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

CVE-2016-5596

Oracle CRM Technical Foundation

Default Responsibility

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

Additional CVEs addressed:

  • The fix for CVE-2016-2176 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, and CVE-2016-2109.

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 19 new security fixes for the Oracle Supply Chain Products Suite. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-5599

Oracle Advanced Supply Chain Planning

MscObieeSrvlt

HTTP

Yes

9.1

Network

Low

None

None

Un- changed

High

High

None

12.2.3, 12.2.4, 12.2.5

CVE-2015-7501

Oracle Agile PLM

Apache Commons Collections

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

9.3.4, 9.3.5

CVE-2016-5523

Oracle Agile PLM

AutoVue Java Applet

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

9.3.4, 9.3.5

CVE-2015-3253

Oracle Agile PLM

Event Java PX

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

9.3.4, 9.3.5

CVE-2016-5514

Oracle Agile PLM

ExportServlet

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

9.3.4, 9.3.5

CVE-2016-5515

Oracle Agile PLM

RMIServlet

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

9.3.4, 9.3.5

CVE-2016-0635

Oracle Agile PLM

Spring

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

9.3.4, 9.3.5

CVE-2016-0714

Oracle Transportation Management

Install

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7

CVE-2016-2107

Oracle Transportation Management

Install

HTTP

Yes

8.2

Network

Low

None

None

Un- changed

Low

None

High

6.1, 6.2

CVE-2016-5518

Oracle Agile Engineering Data Management

webfileservices

HTTP

Yes

8.1

Network

High

None

None

Un- changed

High

High

High

6.1.3.0, 6.2.0.0

CVE-2016-5526

Oracle Agile PLM

Apache Tomcat

HTTP

Yes

7.3

Network

Low

None

None

Un- changed

Low

Low

Low

9.3.4, 9.3.5

CVE-2016-5521

Oracle Agile PLM

Security

HTTP

Yes

6.5

Network

Low

None

None

Un- changed

Low

Low

None

9.3.4, 9.3.5

CVE-2016-5512

Oracle Agile PLM

Security

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

9.3.4, 9.3.5

CVE-2016-5527

Oracle Agile PLM

Security

HTTP

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

9.3.4, 9.3.5

CVE-2016-5510

Oracle Agile PLM

Folders, Files & Attachments

HTTP

Yes

5.3

Network

Low

None

None

Un- changed

Low

None

None

9.3.4, 9.3.5

CVE-2016-5524

Oracle Agile PLM

Security

HTTP

Yes

5.3

Network

Low

None

None

Un- changed

Low

None

None

9.3.4, 9.3.5

CVE-2016-5513

Oracle Agile PLM

File Manager

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

9.3.4, 9.3.5

CVE-2016-5522

Oracle Agile PLM

Security

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

9.3.4, 9.3.5

CVE-2016-5504

Oracle Agile Product Lifecycle Management for Process

Supplier Portal

HTTP

No

4.1

Local

High

High

None

Un- changed

High

None

None

6.1.0.4, 6.1.1.6, 6.2.0.0

Additional CVEs addressed:

  • The fix for CVE-2016-0714 also addresses CVE-2015-5351, CVE-2016-0706, and CVE-2016-0763.
  • The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176.

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 11 new security fixes for Oracle PeopleSoft Products. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-8293

PeopleSoft Enterprise PeopleTools

Integration Broker

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

8.54, 8.55

CVE-2016-8291

PeopleSoft Enterprise PeopleTools

Mobile Application Platform

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

8.54, 8.55

CVE-2016-8296

PeopleSoft Enterprise PeopleTools

LDAP

HTTP

No

7.6

Network

Low

Low

Required

Changed

High

Low

None

8.54, 8.55

CVE-2015-7940

PeopleSoft Enterprise PeopleTools

Bouncy Castle Java

HTTP

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

8.54, 8.55

CVE-2016-5529

PeopleSoft Enterprise PeopleTools

Integration Broker

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

8.54, 8.55

CVE-2016-5530

PeopleSoft Enterprise PeopleTools

Integration Broker

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

8.54, 8.55

CVE-2016-5600

PeopleSoft Enterprise SCM Services Procurement

Security

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

9.1, 9.2

CVE-2016-8285

PeopleSoft Enterprise HCM

Candidate Gateway

HTTP

No

4.8

Network

High

High

Required

Un- changed

High

Low

None

9.2

CVE-2016-8295

PeopleSoft Enterprise HCM

Schedule

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

9.2

CVE-2016-8294

PeopleSoft Enterprise PeopleTools

Query

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

8.54, 8.55

CVE-2016-8292

PeopleSoft Enterprise HCM

Talent Acquisition Manager

HTTP

No

4.2

Network

High

Low

None

Un- changed

Low

Low

None

9.2

Oracle JD Edwards Products Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle JD Edwards Products. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle JD Edwards Products Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-1181

JD Edwards EnterpriseOne Tools

Portal SEC

HTTP

Yes

8.1

Network

High

None

None

Un- changed

High

High

High

9.1

CVE-2015-1793

JD Edwards World Security

GUI / World Vision

HTTPS

Yes

6.5

Network

Low

None

None

Un- changed

Low

Low

None

A9.4

Additional CVEs addressed:

  • The fix for CVE-2016-1181 also addresses CVE-2016-1182.

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle Siebel CRM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-3081

Siebel Apps - E-Billing

Security

HTTP

Yes

8.1

Network

High

None

None

Un- changed

High

High

High

7.1

CVE-2016-5534

Siebel Apps - Customer Order Management

Customizable Prod/Configurator

HTTP

No

6.5

Network

Low

Low

None

Un- changed

High

None

None

16.1

CVE-2016-5560

Siebel UI Framework

OpenUI

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

16.1

Oracle Commerce Executive Summary

This Critical Patch Update contains 7 new security fixes for Oracle Commerce. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Commerce Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2015-3253

Oracle Commerce Platform

Dynamo Application Framework

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

10.0.3.5, 10.2.0.5, 11.2.0.1

CVE-2015-7501

Oracle Commerce Guided Search / Oracle Commerce Experience Manager

Content Acquisition System

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

3.1.1, 3.1.2, 11.0, 11.1, 11.2

CVE-2016-0635

Oracle Commerce Guided Search / Oracle Commerce Experience Manager

Content Acquisition System

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

3.1.1, 3.1.2, 11.0, 11.1, 11.2

CVE-2016-0635

Oracle Commerce Guided Search / Oracle Commerce Experience Manager

Tools and Frameworks

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

3.1.1, 3.1.2, 11.0, 11.1, 11.2

CVE-2016-5482

Oracle Commerce Guided Search

Oracle Commerce Guided Search

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2

CVE-2016-2107

Oracle Commerce Guided Search / Oracle Commerce Experience Manager

MDEX

HTTPS

Yes

8.2

Network

Low

None

None

Un- changed

Low

None

High

6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2

CVE-2016-5491

Oracle Commerce Service Center

Commerce Service Center

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

10.0.3.5, 10.2.0.5

Additional CVEs addressed:

  • The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176.

Appendix - Oracle Communications Applications****Oracle Communications Applications Executive Summary

This Critical Patch Update contains 16 new security fixes for Oracle Communications Applications. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-2107

Oracle Enterprise Session Border Controller

OpenSSL

SSL

Yes

8.2

Network

Low

None

None

Un- changed

Low

None

High

Ecz7.3m1p4 and earlier

CVE-2015-0235

Oracle Communications Policy Management

Glibc

Multiple

Yes

7.3

Network

Low

None

None

Un- changed

Low

Low

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2015-0411

Oracle Communications Policy Management

MySQL

Multiple

Yes

7.3

Network

Low

None

None

Un- changed

Low

Low

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2014-0050

Oracle Communications Policy Management

Tomcat

Multiple

Yes

7.3

Network

Low

None

None

Un- changed

Low

Low

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2014-0224

Oracle Communications Policy Management

OpenSSL

SSL

Yes

7.3

Network

Low

None

None

Un- changed

Low

Low

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2015-0286

Oracle Communications Policy Management

OpenSSL

SSL

Yes

7.3

Network

Low

None

None

Un- changed

Low

Low

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2013-2067

Oracle Communications Policy Management

Tomcat

Multiple

Yes

6.5

Network

Low

None

None

Un- changed

None

Low

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2014-0227

Oracle Communications Policy Management

Tomcat

Multiple

Yes

6.5

Network

Low

None

None

Un- changed

None

Low

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2013-2566

Oracle Enterprise Session Border Controller

Security

SSH

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

Ecz7.3m1p4 and earlier

CVE-2015-3197

Oracle Enterprise Session Border Controller

OpenSSL

SSL

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

Ecz7.3m1p4 and earlier

CVE-2013-4444

Oracle Communications Policy Management

Tomcat

Multiple

Yes

5.6

Network

High

None

None

Un- changed

Low

Low

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2013-2067

Oracle Communications Policy Management

Tomcat

Multiple

Yes

5.6

Network

High

None

None

Un- changed

Low

Low

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2014-0224

Oracle Enterprise Communications Broker

OpenSSL

SSL

Yes

5.6

Network

High

None

None

Un- changed

Low

Low

Low

Pcz2.0.0m4p5 and earlier

CVE-2014-0224

Oracle Enterprise Session Border Controller

OpenSSL

SSL

Yes

5.6

Network

High

None

None

Un- changed

Low

Low

Low

Ecz7.3m1p4 and earlier

CVE-2015-1791

Oracle Enterprise Session Border Controller

OpenSSL

SSL

Yes

5.6

Network

High

None

None

Un- changed

Low

Low

Low

Ecz7.3m1p4 and earlier

CVE-2015-2568

Oracle Communications Policy Management

MySQL

Multiple

Yes

5.3

Network

Low

None

None

Un- changed

None

None

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2014-0096

Oracle Communications Policy Management

Tomcat

Multiple

Yes

5.3

Network

Low

None

None

Un- changed

Low

None

None

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2013-4590

Oracle Communications Policy Management

Tomcat

Multiple

Yes

5.3

Network

Low

None

None

Un- changed

Low

None

None

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2014-0099

Oracle Communications Policy Management

Tomcat

Multiple

Yes

5.3

Network

Low

None

None

Un- changed

None

Low

None

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2014-0075

Oracle Communications Policy Management

Tomcat

Multiple

Yes

5.3

Network

Low

None

None

Un- changed

None

None

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2014-0119

Oracle Communications Policy Management

Tomcat

Multiple

Yes

5.3

Network

Low

None

None

Un- changed

Low

None

None

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2013-4322

Oracle Communications Policy Management

Tomcat

Multiple

Yes

5.3

Network

Low

None

None

Un- changed

None

None

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2014-9296

Oracle Communications Policy Management

NTP

NTP

Yes

5.3

Network

Low

None

None

Un- changed

None

None

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2014-3571

Oracle Communications Policy Management

OpenSSL

SSL

Yes

5.3

Network

Low

None

None

Un- changed

None

Low

None

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2014-3571

Oracle Enterprise Communications Broker

OpenSSL

SSL

Yes

5.3

Network

Low

None

None

Un- changed

None

None

Low

Pcz2.0.0m4p5 and earlier

CVE-2014-3571

Oracle Enterprise Session Border Controller

OpenSSL

SSL

Yes

5.3

Network

Low

None

None

Un- changed

None

None

Low

Ecz7.3m1p4 and earlier

CVE-2015-0286

Oracle Enterprise Session Border Controller

OpenSSL

SSL

Yes

5.3

Network

Low

None

None

Un- changed

None

None

Low

Ecz7.3m1p4 and earlier

CVE-2015-3195

Oracle Enterprise Session Border Controller

OpenSSL

SSL

Yes

5.3

Network

Low

None

None

Un- changed

None

None

Low

Ecz7.3m1p4 and earlier

CVE-2014-2532

Oracle Communications Policy Management

Security

SSH

No

4.9

Network

High

Low

None

Changed

Low

Low

None

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2013-4286

Oracle Communications Policy Management

Tomcat

Multiple

Yes

4.8

Network

High

None

None

Un- changed

Low

Low

None

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2015-0433

Oracle Communications Policy Management

MySQL

Multiple

No

4.4

Network

High

High

None

Un- changed

None

None

High

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2015-0423

Oracle Communications Policy Management

MySQL

Multiple

No

4.3

Network

Low

Low

None

Un- changed

None

None

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2015-0500

Oracle Communications Policy Management

MySQL

Multiple

No

4.3

Network

Low

Low

None

Un- changed

None

None

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2015-0409

Oracle Communications Policy Management

MySQL

Multiple

No

4.3

Network

Low

Low

None

Un- changed

None

None

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2015-0381

Oracle Communications Policy Management

MySQL

Multiple

Yes

3.7

Network

High

None

None

Un- changed

None

None

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

CVE-2015-0382

Oracle Communications Policy Management

MySQL

Multiple

Yes

3.7

Network

High

None

None

Un- changed

None

None

Low

9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier

Additional CVEs addressed:

  • The fix for CVE-2014-9296 also addresses CVE-2014-9293, CVE-2014-9294, and CVE-2014-9295.
  • The fix for CVE-2015-1791 also addresses CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, and CVE-2015-1792.

Appendix - Oracle Financial Services Applications****Oracle Financial Services Applications Executive Summary

This Critical Patch Update contains 24 new security fixes for Oracle Financial Services Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Financial Services Applications Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2015-7501

Oracle FLEXCUBE Core Banking

Apache Commons Collections

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

11.5.0.0.0, 11.6.0.0.0

CVE-2015-7501

Oracle FLEXCUBE Enterprise Limits and Collateral Management

Apache Commons Collections

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

12.0.0, 12.1.0

CVE-2015-7501

Oracle FLEXCUBE Investor Servicing

Apache Commons Collections

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

12.0.1

CVE-2015-7501

Oracle FLEXCUBE Private Banking

Apache Commons Collections

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

2.0.0, 2.0.1, 2.2.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0

CVE-2015-7501

Oracle FLEXCUBE Universal Banking

Apache Commons Collections

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

12.87.1, 12.87.2

CVE-2015-7501

Oracle FLEXCUBE Universal Banking

Apache Commons Collections

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0

CVE-2016-5607

Oracle FLEXCUBE Universal Banking

INFRA

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0

CVE-2015-7501

Oracle Financial Services Analytical Applications Infrastructure

Apache Commons Collections

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3

CVE-2016-0635

Oracle Financial Services Analytical Applications Infrastructure

Inline Processing

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

8.0.0, 8.0.1, 8.0.2, 8.0.3

CVE-2015-7501

Oracle Financial Services Lending and Leasing

Apache Commons Collections

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

14.1.0, 14.2.0

CVE-2016-5622

Oracle FLEXCUBE Universal Banking

INFRA

HTTP

Yes

8.2

Network

Low

None

Required

Changed

High

Low

None

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0

CVE-2016-3081

Oracle FLEXCUBE Private Banking

Struts

HTTP

Yes

8.1

Network

High

None

None

Un- changed

High

High

High

2.0.0, 2.0.1, 2.2.0, 12.0.1, 12.0.3, 12.1.0

CVE-2016-5619

Oracle FLEXCUBE Universal Banking

INFRA

HTTP

No

8.1

Network

Low

Low

None

Un- changed

High

High

None

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0

CVE-2016-5543

Oracle FLEXCUBE Enterprise Limits and Collateral Management

INFRA

HTTP

Yes

6.1

Network

Low

None

Required

Changed

Low

Low

None

12.0.0, 12.1.0

CVE-2016-5569

Oracle FLEXCUBE Enterprise Limits and Collateral Management

Limits and Collateral

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

12.0.0, 12.1.0

CVE-2016-5502

Oracle FLEXCUBE Universal Banking

INFRA

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3

CVE-2016-5620

Oracle FLEXCUBE Universal Banking

INFRA

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0

CVE-2016-5594

Oracle FLEXCUBE Universal Banking

INFRA

HTTP

No

5.0

Network

Low

Low

None

Changed

Low

None

None

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3

CVE-2016-5479

Oracle FLEXCUBE Universal Banking

INFRA

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

11.3.0, 11.4.0, 12.0.1

CVE-2016-5603

Oracle FLEXCUBE Universal Banking

INFRA

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0

CVE-2016-5621

Oracle FLEXCUBE Universal Banking

INFRA

HTTP

No

4.3

Network

Low

Low

None

Un- changed

Low

None

None

11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0

CVE-2016-5493

Oracle FLEXCUBE Private Banking

Admin

HTTP

No

4.2

Network

High

Low

None

Un- changed

Low

Low

None

12.0.1, 12.0.2, 12.0.3

CVE-2016-5490

Oracle FLEXCUBE Universal Banking

INFRA

NONE

No

3.3

Local

Low

Low

None

Un- changed

Low

None

None

11.4.0

CVE-2015-7501

Oracle Banking Digital Experience

Apache Commons Collections

HTTP

No

2.0

Network

High

High

Required

Un- changed

Low

None

None

15.1

Additional CVEs addressed:

  • The fix for CVE-2016-3081 also addresses CVE-2014-7809.

Appendix - Oracle Health Sciences Applications****Oracle Health Sciences Applications Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Health Sciences Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Health Sciences Applications Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-2107

Oracle Life Sciences Data Hub

OpenSSL

SSL

Yes

8.2

Network

Low

None

None

Un- changed

Low

None

High

2.x

Additional CVEs addressed:

  • The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2099-1234.

Appendix - Oracle Hospitality Applications****Oracle Hospitality Applications Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle Hospitality Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Hospitality Applications Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-5563

Oracle Hospitality OPERA 5 Property Services

OPERA File Upload Download

HTTP

No

7.9

Network

High

High

None

Changed

High

High

Low

5.4.0.0, 5.4.1.0, 5.4.2.0, 5.4.3.0, 5.5.0.0, 5.5.1.0

CVE-2016-5565

Oracle Hospitality OPERA 5 Property Services

OPERA Xchange Interface (OXI)

HTTP

No

7.7

Network

Low

Low

None

Changed

High

None

None

5.4.0.0, 5.4.1.0, 5.4.2.0, 5.4.3.0, 5.5.0.0, 5.5.1.0

CVE-2016-5564

Oracle Hospitality OPERA 5 Property Services

OPERA Application Login

HTTP

No

7.4

Network

Low

Low

None

Changed

Low

Low

Low

5.4.0.0, 5.4.1.0, 5.4.2.0, 5.4.3.0, 5.5.0.0, 5.5.1.0

Appendix - Oracle Insurance Applications****Oracle Insurance Applications Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Insurance Applications. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Insurance Applications Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2015-7501

Oracle Insurance IStream

Apache Commons Collections

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

4.3.2

Appendix - Oracle Retail Applications****Oracle Retail Applications Executive Summary

This Critical Patch Update contains 10 new security fixes for Oracle Retail Applications. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Retail Applications Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2015-3253

Oracle Retail Customer Insights

Security

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

15.0

CVE-2015-3253

Oracle Retail Merchandising Insights

Security

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

15.0

CVE-2015-7501

MICROS XBR

Liferay

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

7.0.2, 7.0.4

CVE-2015-7501

Oracle Retail Clearance Optimization Engine

General Application

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

13.2, 13.3, 13.4, 14.0

CVE-2015-7501

Oracle Retail Xstore Point of Service

Xenvironment

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

5.0, 5.5, 6.0, 6.5, 7.0, 7.1

CVE-2016-1881

Oracle Retail Back Office

Security

HTTP

Yes

8.3

Network

Low

None

None

Changed

Low

Low

Low

13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1

CVE-2016-1881

Oracle Retail Central Office

Security

HTTP

Yes

8.3

Network

Low

None

None

Changed

Low

Low

Low

13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1

CVE-2016-1881

Oracle Retail Returns Management

Security

HTTP

Yes

8.3

Network

Low

None

None

Changed

Low

Low

Low

13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1

CVE-2016-5539

Oracle Retail Xstore Payment

Security

HTTP

No

7.3

Physical

Low

Low

None

Changed

High

High

Low

1.x

CVE-2016-5540

Oracle Retail Xstore Payment

Security

HTTP

No

6.7

Physical

High

Low

None

Changed

High

High

None

1.x

Additional CVEs addressed:

  • The fix for CVE-2015-7501 also addresses CVE-2015-4852.
  • The fix for CVE-2016-1881 also addresses CVE-2012-1007, CVE-2014-0114, CVE-2016-1181, and CVE-2016-1182.

Appendix - Oracle Primavera Products Suite****Oracle Primavera Products Suite Executive Summary

This Critical Patch Update contains 2 new security fixes for the Oracle Primavera Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Primavera Products Suite Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-2107

Primavera P6 Professional Project Management

OpenSSL

HTTP

Yes

8.2

Network

Low

None

None

Un- changed

Low

None

High

8.3, 8.4, 15.x, 16.x

CVE-2016-5533

Primavera P6 Enterprise Project Portfolio Management

Team Member

HTTP

No

5.4

Network

Low

Low

None

Un- changed

Low

Low

None

8.4, 15.x, 16.x

Additional CVEs addressed:

  • The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176.

Appendix - Oracle Java SE****Oracle Java SE Executive Summary

This Critical Patch Update contains 7 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases.

Oracle Java SE Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-5556

Java SE

2D

Multiple

Yes

9.6

Network

Low

None

Required

Changed

High

High

High

Java SE: 6u121, 7u111, 8u102

See Note 1

CVE-2016-5568

Java SE

AWT

Multiple

Yes

9.6

Network

Low

None

Required

Changed

High

High

High

Java SE: 6u121, 7u111, 8u102

See Note 1

CVE-2016-5582

Java SE, Java SE Embedded

Hotspot

Multiple

Yes

9.6

Network

Low

None

Required

Changed

High

High

High

Java SE: 6u121, 7u111, 8u102; Java SE Embedded: 8u101

See Note 1

CVE-2016-5573

Java SE, Java SE Embedded

Hotspot

Multiple

Yes

8.3

Network

High

None

Required

Changed

High

High

High

Java SE: 6u121, 7u111, 8u102; Java SE Embedded: 8u101

See Note 1

CVE-2016-5597

Java SE, Java SE Embedded

Networking

Multiple

Yes

5.9

Network

High

None

None

Un- changed

High

None

None

Java SE: 6u121, 7u111, 8u102; Java SE Embedded: 8u101

See Note 1

CVE-2016-5554

Java SE, Java SE Embedded

JMX

Multiple

Yes

4.3

Network

Low

None

Required

Un- changed

None

Low

None

Java SE: 6u121, 7u111, 8u102; Java SE Embedded: 8u101

See Note 1

CVE-2016-5542

Java SE, Java SE Embedded

Libraries

Multiple

Yes

3.1

Network

High

None

Required

Un- changed

None

Low

None

Java SE: 6u121, 7u111, 8u102; Java SE Embedded: 8u101

See Note 1

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Appendix - Oracle Sun Systems Products Suite****Oracle Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 16 new security fixes for the Oracle Sun Systems Products Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Sun Systems Products Suite Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-5503

Sun ZFS Storage Appliance Kit (AK)

Core Services

None

No

8.2

Local

Low

High

None

Changed

High

High

High

AK 2013

CVE-2016-5544

Solaris

Kernel/X86

None

No

7.8

Local

Low

Low

None

Un- changed

High

High

High

10, 11.3

CVE-2016-5492

Sun ZFS Storage Appliance Kit (AK)

SMB Users

None

No

7.1

Local

Low

Low

None

Un- changed

High

High

None

AK 2013

See Note 1

CVE-2016-5606

Solaris

Kernel Zones

None

No

6.1

Local

Low

Low

None

Un- changed

None

Low

High

11.3

CVE-2016-5576

Solaris

Kernel Zones

None

No

5.5

Local

Low

Low

None

Un- changed

None

None

High

11.3

CVE-2016-5486

Sun ZFS Storage Appliance Kit (AK)

Core Services

None

No

5.5

Local

Low

Low

None

Un- changed

High

None

None

AK 2013

CVE-2016-5566

Solaris

Installation

HTTP

Yes

5.3

Network

Low

None

None

Un- changed

Low

None

None

11.3

CVE-2016-5487

Solaris

Files

None

No

5.3

Local

Low

Low

None

Un- changed

Low

Low

Low

11.3

CVE-2016-5553

Solaris

Filesystem

None

No

5.0

Local

Low

Low

Required

Un- changed

None

None

High

10, 11.3

CVE-2016-5559

Solaris

Kernel

None

No

4.1

Local

High

High

None

Un- changed

None

High

None

10, 11.3

CVE-2016-5481

Sun ZFS Storage Appliance Kit (AK)

Core Services

DNS

Yes

3.7

Network

High

None

None

Un- changed

Low

None

None

AK 2013

CVE-2016-5615

Solaris

Lynx

None

No

3.3

Local

Low

Low

None

Un- changed

None

None

Low

11.3

CVE-2016-5508

Solaris Cluster

Cluster Geo

None

No

3.3

Local

Low

Low

None

Un- changed

Low

None

None

4.3

CVE-2016-5525

Solaris Cluster

Cluster check files

None

No

3.3

Local

Low

Low

None

Un- changed

None

Low

None

3.3, 4.3

CVE-2016-5561

Solaris

IKE

IKEv2

Yes

3.1

Network

High

None

Required

Un- changed

None

None

Low

11.3

CVE-2016-5480

Solaris

Bash

None

No

2.8

Local

Low

Low

Required

Un- changed

None

Low

None

10

Notes:

  1. This vulnerability applies to local users (i.e. users in /etc/passwd) and not applicable to other (e.g. LDAP) users.

Appendix - Oracle Linux and Virtualization****Oracle Virtualization Executive Summary

This Critical Patch Update contains 13 new security fixes for Oracle Virtualization. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-5580

Secure Global Desktop

Web Services

Multiple

No

9.6

Network

Low

Low

None

Changed

High

None

High

4.7, 5.2

CVE-2016-5605

Oracle VM VirtualBox

VirtualBox Remote Desktop Extension (VRDE)

VRDP

Yes

9.1

Network

Low

None

None

Un- changed

High

High

None

VirtualBox prior to 5.1.4

CVE-2016-0714

Virtual Desktop Infrastructure

Apache Tomcat

HTTP

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

VDI prior to 3.5.3

CVE-2015-7501

Virtual Desktop Infrastructure

Apache Commons Collection

Multiple

No

8.8

Network

Low

Low

None

Un- changed

High

High

High

VDI prior to 3.5.3

CVE-2016-2107

Sun Ray Operating Software

OpenSSL

SSL/TLS

Yes

8.2

Network

Low

None

None

Un- changed

Low

None

High

SROS prior to 11.1.7

CVE-2016-5501

Oracle VM VirtualBox

Core

None

No

7.8

Local

High

Low

None

Changed

High

High

High

VirtualBox prior to 5.0.28, prior to 5.1.8

CVE-2016-6304

Oracle VM VirtualBox

OpenSSL

SSL/TLS

Yes

7.5

Network

Low

None

None

Un- changed

None

None

High

VirtualBox prior to 5.0.28, prior to 5.1.8

CVE-2015-7940

Virtual Desktop Infrastructure

Bouncy Castle Java

Multiple

Yes

7.5

Network

Low

None

None

Un- changed

High

None

None

VDI prior to 3.5.3

CVE-2016-5610

Oracle VM VirtualBox

Core

None

No

6.8

Local

Low

None

None

Changed

Low

Low

Low

VirtualBox prior to 5.0.28, prior to 5.1.8

CVE-2016-5538

Oracle VM VirtualBox

Core

None

No

6.7

Local

Low

High

None

Un-changed

High

High

High

VirtualBox prior to 5.0.28, prior to 5.1.8

CVE-2016-5608

Oracle VM VirtualBox

Core

None

No

5.5

Local

Low

Low

None

Un- changed

None

None

High

VirtualBox prior to 5.0.28, prior to 5.1.8

CVE-2016-5611

Oracle VM VirtualBox

Core

None

No

4.3

Local

Low

None

None

Changed

Low

None

None

VirtualBox prior to 5.0.28, prior to 5.1.8

CVE-2016-5613

Oracle VM VirtualBox

Core

None

No

4.3

Local

Low

None

None

Changed

None

None

Low

VirtualBox prior to 5.0.28, prior to 5.1.8

Additional CVEs addressed:

  • The fix for CVE-2016-0714 also addresses CVE-2015-5351, CVE-2016-0706, and CVE-2016-0763.
  • The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, and CVE-2016-2109.
  • The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, and CVE-2016-7052.

Appendix - Oracle MySQL****Oracle MySQL Executive Summary

This Critical Patch Update contains 31 new security fixes for Oracle MySQL. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVE#

Component

Sub­component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2016-6304

MySQL Server

Server: Security: Encryption

MySQL Protocol

Yes

7.5

Network

Low

None

None

Un- changed

None

None

High

5.6.33 and earlier, 5.7.15 and earlier

CVE-2016-6662

MySQL Server

Server: Logging

None

No

7.2

Local

High

High

Required

Changed

High

High

High

5.5.52 and earlier, 5.6.33 and earlier, 5.7.15 and earlier

CVE-2016-5617

MySQL Server

Server: Error Handling

None

No

7.0

Local

High

Low

None

Un- changed

High

High

High

5.5.51 and earlier, 5.6.32 and earlier, 5.7.14 and earlier

CVE-2016-5616

MySQL Server

Server: MyISAM

None

No

7.0

Local

High

Low

None

Un- changed

High

High

High

5.5.51 and earlier, 5.6.32 and earlier, 5.7.14 and earlier

CVE-2016-5625

MySQL Server

Server: Packaging

None

No

7.0

Local

High

Low

None

Un- changed

High

High

High

5.7.14 and earlier

CVE-2016-5609

MySQL Server

Server: DML

MySQL Protocol

No

6.5

Network

Low

Low

None

Un- changed

None

None

High

5.6.31 and earlier 5.7.13 and earlier

CVE-2016-5612

MySQL Server

Server: DML

MySQL Protocol

No

6.5

Network

Low

Low

None

Un- changed

None

None

High

5.5.50 and earlier, 5.6.31 and earlier, 5.7.13 and earlier

CVE-2016-5624

MySQL Server

Server: DML

MySQL Protocol

No

6.5

Network

Low

Low

None

Un- changed

None

None

High

5.5.51 and earlier

CVE-2016-5626

MySQL Server

Server: GIS

MySQL Protocol

No

6.5

Network

Low

Low

None

Un- changed

None

None

High

5.5.51 and earlier, 5.6.32 and earlier, 5.7.14 and earlier

CVE-2016-5627

MySQL Server

Server: InnoDB

MySQL Protocol

No

6.5

Network

Low

Low

None

Un- changed

None

None

High

5.6.31 and earlier, 5.7.13 and earlier

CVE-2016-3492

MySQL Server

Server: Optimizer

MySQL Protocol

No

6.5

Network

Low

Low

None

Un- changed

None

None

High

5.5.51 and earlier, 5.6.32 and earlier, 5.7.14 and earlier

CVE-2016-5598

MySQL Connector

Connector/Python

MySQL Protocol

Yes

5.6

Network

High

None

None

Un- changed

Low

Low

Low

2.1.3 and earlier, 2.0.4 and earlier

CVE-2016-7440

MySQL Server

Server: Security: Encryption

None

No

5.1

Local

High

None

None

Un- changed

High

None

None

5.5.52 and earlier, 5.6.33 and earlier, 5.7.15 and earlier

CVE-2016-5628

MySQL Server

Server: DML

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.7.13 and earlier

CVE-2016-5629

MySQL Server

Server: Federated

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.5.51 and earlier, 5.6.32 and earlier, 5.7.14 and earlier

CVE-2016-3495

MySQL Server

Server: InnoDB

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.7.13 and earlier

CVE-2016-5630

MySQL Server

Server: InnoDB

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.6.31 and earlier 5.7.13 and earlier

CVE-2016-5507

MySQL Server

Server: InnoDB

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.6.32 and earlier, 5.7.14 and earlier

CVE-2016-5631

MySQL Server

Server: Memcached

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.7.13 and earlier

CVE-2016-5632

MySQL Server

Server: Optimizer

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.7.14 and earlier

CVE-2016-5633

MySQL Server

Server: Performance Schema

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.7.13 and earlier

CVE-2016-5634

MySQL Server

Server: RBR

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.7.13 and earlier

CVE-2016-5635

MySQL Server

Server: Security: Audit

MySQL Protocol

No

4.9

Network

Low

High

None

Un- changed

None

None

High

5.7.13 and earlier

CVE-2016-8289

MySQL Server

Server: InnoDB

None

No

4.7

Local

High

High

None

Un- changed

None

Low

High

5.7.13 and earlier

CVE-2016-8287

MySQL Server

Server: Replication

MySQL Protocol

No

4.5

Network

Low

High

Required

Un- changed

None

None

High

5.7.13 and earlier

CVE-2016-8290

MySQL Server

Server: Performance Schema

MySQL Protocol

No

4.4

Network

High

High

None

Un- changed

None

None

High

5.7.13 and earlier

CVE-2016-5584

MySQL Server

Server: Security: Encryption

MySQL Protocol

No

4.4

Network

High

High

None

Un- changed

High

None

None

5.5.52 and earlier, 5.6.33 and earlier, 5.7.15 and earlier

CVE-2016-8283

MySQL Server

Server: Types

MySQL Protocol

No

4.3

Network

Low

Low

None

Un- changed

None

None

Low

5.5.51 and earlier, 5.6.32 and earlier, 5.7.14 and earlier

CVE-2016-8288

MySQL Server

Server: InnoDB Plugin

MySQL Protocol

No

3.1

Network

High

Low

None

Un- changed

None

Low

None

5.6.30 and earlier, 5.7.12 and earlier

CVE-2016-8286

MySQL Server

Server: Security: Privileges

MySQL Protocol

No

3.1

Network

High

Low

None

Un- changed

Low

None

None

5.7.14 and earlier

CVE-2016-8284

MySQL Server

Server: Replication

None

No

1.8

Local

High

High

Required

Un- changed

None

None

Low

5.6.31 and earlier, 5.7.13 and earlier

Notes:

  1. CVE-2016-5616 is equivalent to CVE-2016-6663, and CVE-2016-5617 is equivalent to CVE-2016-6664.

Additional CVEs addressed:

  • The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, and CVE-2016-6306.

Why Oracle

  • Analyst Reports
  • Gartner MQ for Cloud ERP
  • Cloud Economics
  • Corporate Responsibility
  • Diversity and Inclusion
  • Security Practices

Learn

  • What is cloud computing?
  • What is CRM?
  • What is Docker?
  • What is Kubernetes?
  • What is Python?
  • What is SaaS?

What’s New

  • News

  • Oracle CloudWorld

  • Oracle Supports Ukraine

  • Oracle Red Bull Racing

  • Oracle Sustainability

  • Employee Experience Platform

  • © 2022 Oracle

  • Site Map

  • Privacy/Do Not Sell My Info

  • Ad Choices

  • Careers

  • Facebook

  • Twitter

  • LinkedIn

  • YouTube

Related news

Ubuntu Security Notice USN-6936-1

Ubuntu Security Notice 6936-1 - It was discovered that Apache Commons Collections allowed serialization support for unsafe classes by default. A remote attacker could possibly use this issue to execute arbitrary code.

CVE-2023-49145: Apache NiFi Security Reports

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.

CVE-2023-40037: Apache NiFi Security Reports

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.

CVE-2023-28864: Chef Infra Server Release Notes

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.

CVE-2023-34468: Apache NiFi Security Reports

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

CVE-2023-25409: Multiple vulnerabilities in Aten PE8108 power distribution unit

Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. Restricted users have access to other users outlets.

CVE-2023-25413: Multiple vulnerabilities in Aten PE8108 power distribution unit

Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. The device allows unauthenticated access to Telnet and SNMP credentials.

CVE-2023-28069: DSA-2022-258: Dell Streaming Data Platform Security Update for Multiple Third-Party Component Vulnerabilities

Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.

OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities

The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service (DoS) and remote code execution. The issues, tracked as CVE-2022-3602 and CVE-2022-3786, have been described as buffer overrun vulnerabilities that can be triggered during X.509 certificate verification by supplying a specially-crafted email

Critical OpenSSL fix due Nov 1—what you need to know

Categories: News Tags: fix Tags: bug Tags: vulnerability Tags: exploit Tags: attack Tags: patch Tags: update Tags: OpenSSL Tags: v3 Tags: v1 Tags: 3.0.5. Version 3.0.7 of OpenSSL will fix the software's first critical issue for six years. (Read more...) The post Critical OpenSSL fix due Nov 1—what you need to know appeared first on Malwarebytes Labs.

CVE-2012-2160: Fix List for Rational Change

IBM Rational Change 5.3 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the SUPP_TEMPLATE_FLAG parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2021-44718: wolfSSL Security Vulnerabilities | wolfSSL Embedded SSL/TLS Library

wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic from a Machine-in-the-Middle (MITM) position. The root cause is that the client module accepts TLS messages that normally are only sent to TLS servers.

CVE-2022-32985: Hardcoded Backdoor User and Outdated Software Components in Nexans FTTO GigaSwitch series

libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201.

CVE-2022-32294: Zimbra Security Advisories - Zimbra :: Tech Center

Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).

CVE-2022-32294: Zimbra Security Advisories - Zimbra :: Tech Center

Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

Nexans FTTO GigaSwitch Outdated Components / Hardcoded Backdoor

Nexans FTTO GigaSwitch industrial/office switches HW version 5 suffer from having a hardcoded backdoor user and multiple outdated vulnerable software components.

CVE-2022-33140: Apache NiFi Security Reports

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-22721: Apache HTTP Server 2.4 vulnerabilities

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

CVE-2022-22721: Apache HTTP Server 2.4 vulnerabilities

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2021-44790: Apache HTTP Server 2.4 vulnerabilities

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

CVE-2021-44790: Apache HTTP Server 2.4 vulnerabilities

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

CVE-2021-35576: Oracle Critical Patch Update Advisory - October 2021

Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Local Logon privilege with network access via Oracle Net to compromise Oracle Database Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Enterprise Edition Unified Audit accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

CVE-2021-35576: Oracle Critical Patch Update Advisory - October 2021

Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Local Logon privilege with network access via Oracle Net to compromise Oracle Database Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Enterprise Edition Unified Audit accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

CVE-2021-2119: Oracle Critical Patch Update Advisory - January 2021

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

CVE-2020-17521: The Apache Groovy programming language

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

CVE-2020-14829: Oracle Critical Patch Update Advisory - October 2020

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2020-14829: Oracle Critical Patch Update Advisory - October 2020

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2020-14829: Oracle Critical Patch Update Advisory - October 2020

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2020-9490: Apache HTTP Server 2.4 vulnerabilities

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2956: Oracle Critical Patch Update Advisory - April 2020

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVE-2020-2956: Oracle Critical Patch Update Advisory - April 2020

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVE-2020-2956: Oracle Critical Patch Update Advisory - April 2020

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVE-2020-2956: Oracle Critical Patch Update Advisory - April 2020

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVE-2020-2956: Oracle Critical Patch Update Advisory - April 2020

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVE-2020-2548: Oracle Critical Patch Update Advisory - January 2020

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).

CVE-2020-2548: Oracle Critical Patch Update Advisory - January 2020

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).

CVE-2020-2548: Oracle Critical Patch Update Advisory - January 2020

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).

CVE-2020-2548: Oracle Critical Patch Update Advisory - January 2020

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).

CVE-2020-2548: Oracle Critical Patch Update Advisory - January 2020

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).

CVE-2019-2999: Oracle Critical Patch Update Advisory - October 2019

Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Ja...

CVE-2019-2808: Oracle Critical Patch Update Advisory - July 2019

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2019-2628: Oracle Critical Patch Update Advisory - April 2019

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2019-2455: Oracle Critical Patch Update Advisory - January 2019

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3133: Oracle Critical Patch Update - October 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-2755: Oracle Critical Patch Update - April 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2637: Oracle Critical Patch Update - January 2018

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/A...

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-3636: Oracle Critical Patch Update Advisory - July 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2016-8735: Apache Tomcat® - Apache Tomcat 9 vulnerabilities

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CVE-2016-6816: Apache Tomcat® - Apache Tomcat 9 vulnerabilities

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

CVE-2017-3238: Oracle Critical Patch Update Advisory - January 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).

CVE-2016-6664: Full Disclosure: MySQL / MariaDB / PerconaDB - Privilege Escalation / Race Condition Exploit [CVE-2016-6663

mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.

CVE-2016-7440: Bugtraq

The C software implementation of AES Encryption and Decryption in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover AES keys by leveraging cache-bank timing differences.

CVE-2016-6308

statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages.

CVE-2016-7052

crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.

CVE-2016-6304

Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.

CVE-2016-6303: Invalid Bug ID

Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.

CVE-2016-2183: Invalid Bug ID

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

CVE-2016-5771: PHP: PHP 5 ChangeLog

spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-2178

The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.

CVE-2016-2107

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.

CVE-2016-2105

Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.

CVE-2016-0642: Oracle Critical Patch Update Advisory - April 2016

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated.

CVE-2016-0706

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

CVE-2016-0763

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

CVE-2016-0714

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

CVE-2015-5351

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

CVE-2016-0502: Oracle Critical Patch Update - January 2016

Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2015-4879: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-2590: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.

CVE-2015-2590: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.

CVE-2015-2590: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.

CVE-2015-2590: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.

CVE-2015-2582: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to GIS.

CVE-2015-2590: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.

CVE-2015-0501: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-1352: security - Re: CVE Request: PHP

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate token extraction for table names, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted name.

CVE-2015-1351: : Bug #68677 :: use-after-free

Use-after-free vulnerability in the _zend_shared_memdup function in zend_shared_alloc.c in the OPcache extension in PHP through 5.6.7 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

CVE-2015-0235: oss-sec: Qualys Security Advisory CVE-2015-0235

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0391: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2010-5312: Dialog: Extract setting the title into a _title method, use .text() t… · jquery/jquery-ui@7e9060c

Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

CVE-2014-6469: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.

CVE-2014-4288: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.

CVE-2014-6469: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.

CVE-2014-4288: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.

CVE-2014-4288: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.

CVE-2014-6469: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.

CVE-2014-4288: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.

CVE-2014-6469: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.

CVE-2014-6469: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.

CVE-2014-4288: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.

CVE-2014-6469: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.

CVE-2014-6469: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.

CVE-2014-4288: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.

CVE-2014-4288: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.

CVE-2014-4288: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.

CVE-2014-6469: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.

CVE-2014-4288: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.

CVE-2014-6469: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.

CVE-2014-4265: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2014-4265: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2014-4265: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2014-4265: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2014-4265: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2014-4265: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2014-4260: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR.

CVE-2014-4265: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2014-4265: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2014-4265: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2014-3479: PHP: PHP 5 ChangeLog

The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.

CVE-2014-0224

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

CVE-2013-5891: Oracle Critical Patch Update - January 2014

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.

CVE-2011-2729: Apache Tomcat® - Apache Tomcat 7 vulnerabilities

native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907