Headline
CVE-2016-5612: Oracle Critical Patch Update - October 2016
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
Click to view our Accessibility Policy
Skip to content
Security Alerts
Oracle Critical Patch Update Advisory - October 2016****Description
A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:
Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.
This Critical Patch Update contains 253 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.
Please note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).
This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available here.
Affected Products and Components
Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Affected Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for patch availability information and installation instructions.
For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update October 2016 Documentation Map, My Oracle Support Note.
The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:
Affected Products and Versions
Patch Availability
Application Express, version(s) prior to 5.0.4.0.7
Database
Oracle Database Server, version(s) 11.2.0.4, 12.1.0.2
Database
Oracle Secure Backup, version(s) prior to 10.4.0.4.0, prior to 12.1.0.2.0
Oracle Secure Backup
Big Data Graph, version(s) prior to 1.2
Oracle Big Data Graph
NetBeans, version(s) 8.1
Fusion Middleware
Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
Fusion Middleware
Oracle Big Data Discovery, version(s) 1.1.1, 1.1.3, 1.2.0
Fusion Middleware
Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.1.0.0, 12.2.1.1.0
Fusion Middleware
Oracle Data Integrator, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.2.0.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
Fusion Middleware
Oracle Discoverer, version(s) 11.1.1.7.0
Fusion Middleware
Oracle Fusion Middleware, version(s) 11.1.1.7, 11.1.1.9, 11.1.2.3, 11.1.2.4, 12.1.3.0, 12.2.1.0, 12.2.1.1
Fusion Middleware
Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2
Fusion Middleware
Oracle Identity Manager, version(s) -
Fusion Middleware
Oracle iPlanet Web Proxy Server, version(s) 4.0
Fusion Middleware
Oracle iPlanet Web Server, version(s) 7.0
Fusion Middleware
Oracle Outside In Technology, version(s) 8.4.0, 8.5.1, 8.5.2, 8.5.3
Fusion Middleware
Oracle Platform Security for Java, version(s) 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
Fusion Middleware
Oracle Web Services, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0
Fusion Middleware
Oracle WebCenter Sites, version(s) 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0
Fusion Middleware
Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1
Fusion Middleware
Enterprise Manager, version(s) 12.1.4, 12.2.2, 12.3.2
Enterprise Manager
Enterprise Manager Base Platform, version(s) 12.1.0.5
Enterprise Manager
Oracle Application Testing Suite, version(s) 12.5.0.1, 12.5.0.2, 12.5.0.3
Enterprise Manager
Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
E-Business Suite
Oracle Advanced Supply Chain Planning, version(s) 12.2.3, 12.2.4, 12.2.5
Oracle Supply Chain Products
Oracle Agile Engineering Data Management, version(s) 6.1.3.0, 6.2.0.0
Oracle Supply Chain Products
Oracle Agile PLM, version(s) 9.3.4, 9.3.5
Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, version(s) 6.1.0.4, 6.1.1.6, 6.2.0.0
Oracle Supply Chain Products
Oracle Transportation Management, version(s) 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
Oracle Supply Chain Products
PeopleSoft Enterprise HCM, version(s) 9.2
PeopleSoft
PeopleSoft Enterprise PeopleTools, version(s) 8.54, 8.55
PeopleSoft
PeopleSoft Enterprise SCM Services Procurement, version(s) 9.1, 9.2
PeopleSoft
JD Edwards EnterpriseOne Tools, version(s) 9.1
JD Edwards
JD Edwards World Security, version(s) A9.4
JD Edwards
Siebel Applications, version(s) 7.1, 16.1
Siebel
Oracle Commerce Guided Search, version(s) 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2
Oracle Commerce
Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 3.1.1, 3.1.2, 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2, 11.0, 11.1, 11.2
Oracle Commerce
Oracle Commerce Platform, version(s) 10.0.3.5, 10.2.0.5, 11.2.0.1
Oracle Commerce
Oracle Commerce Service Center, version(s) 10.0.3.5, 10.2.0.5
Oracle Commerce
Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
Fusion Applications
Oracle Communications Policy Management, version(s) 9.7.3, 9.9.1, 10.4.1, 12.1.1 and prior
Oracle Communications Policy Management
Oracle Enterprise Communications Broker, version(s) Pcz2.0.0m4p5 and earlier
Oracle Enterprise Communications Broker
Oracle Enterprise Session Border Controller, version(s) Ecz7.3m1p4 and earlier
Oracle Enterprise Session Border Controller
Oracle Banking Digital Experience, version(s) 15.1
Oracle Financial Services Applications
Oracle Financial Services Analytical Applications Infrastructure, version(s) 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3
Oracle Financial Services Applications
Oracle Financial Services Lending and Leasing, version(s) 14.1.0, 14.2.0
Oracle Financial Services Applications
Oracle FLEXCUBE Core Banking, version(s) 11.5.0.0.0, 11.6.0.0.0
Oracle Financial Services Applications
Oracle FLEXCUBE Enterprise Limits and Collateral Management, version(s) 12.0.0, 12.1.0
Oracle Financial Services Applications
Oracle FLEXCUBE Investor Servicing, version(s) 12.0.1
Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, version(s) 2.0.0, 2.0.1, 2.2.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0
Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, version(s) 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.87.1, 12.87.2
Oracle Financial Services Applications
Oracle Life Sciences Data Hub, version(s) 2.x
Health Sciences
Oracle Hospitality OPERA 5 Property Services, version(s) 5.4.0.0, 5.4.1.0, 5.4.2.0, 5.4.3.0, 5.5.0.0, 5.5.1.0
Oracle Hospitality OPERA 5 Property Services
Oracle Insurance IStream, version(s) 4.3.2
Oracle Insurance Applications
MICROS XBR, version(s) 7.0.2, 7.0.4
MICROS XBR
Oracle Retail Back Office, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
Oracle Retail Back Office
Oracle Retail Central Office, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
Oracle Retail Central Office
Oracle Retail Clearance Optimization Engine, version(s) 13.2, 13.3, 13.4, 14.0
Oracle Retail Clearance Optimization Engine
Oracle Retail Customer Insights, version(s) 15.0
Oracle Retail Customer Insights
Oracle Retail Merchandising Insights, version(s) 15.0
Oracle Retail Merchandising Insights
Oracle Retail Returns Management, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
Oracle Retail Returns Management
Oracle Retail Xstore Payment, version(s) 1.x
Oracle Retail Xstore Payment
Oracle Retail Xstore Point of Service, version(s) 5.0, 5.5, 6.0, 6.5, 7.0, 7.1
Oracle Retail Xstore Point of Service
Primavera P6 Enterprise Project Portfolio Management, version(s) 8.4, 15.x, 16.x
Oracle Primavera Products Suite
Primavera P6 Professional Project Management, version(s) 8.3, 8.4, 15.x, 16.x
Oracle Primavera Products Suite
Oracle Java SE, version(s) 6u121, 7u111, 8u102
Oracle Java SE
Oracle Java SE Embedded, version(s) 8u101
Oracle Java SE
Solaris, version(s) 10, 11.3
Oracle and Sun Systems Products Suite
Solaris Cluster, version(s) 3.3, 4.3
Oracle and Sun Systems Products Suite
Sun ZFS Storage Appliance Kit (AK), version(s) AK 2013
Oracle and Sun Systems Products Suite
Oracle VM VirtualBox, version(s) prior to 5.0.28, prior to 5.1.8
Oracle Linux and Virtualization
Secure Global Desktop, version(s) 4.7, 5.2
Oracle Linux and Virtualization
Sun Ray Operating Software, version(s) prior to 11.1.7
Oracle Linux and Virtualization
Virtual Desktop Infrastructure, version(s) prior to 3.5.3
Oracle Linux and Virtualization
MySQL Connector, version(s) 2.0.4 and prior, 2.1.3 and prior
Oracle MySQL Product Suite
MySQL Server, version(s) 5.5.52 and prior, 5.6.33 and prior, 5.7.15 and prior
Oracle MySQL Product Suite
Note:
- Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
- Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
- Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates (CPUs) and Solaris Third Party bulletins.
- Users can download the latest release of Netbeans from http://netbeans.org. Users running earlier versions of Netbeans can use automatic updates to get the latest patches.
Risk Matrix Content
Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.
Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.
Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).
Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.
Workarounds
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
Skipped Critical Patch Updates
Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.
Product Dependencies
Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update October 2016 Availability Document, My Oracle Support Note 2171485.1.
Critical Patch Update Supported Products and Versions
Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
Products in Extended Support
Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.
Credit Statement
The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Abhishek Singh; Alejo Popovici; Alexander Kornbrust of Red Database Security; Amichai Shulman of Imperva, Inc.; Ariel Walter Garcia; Behzad Najjarpour Jabbari, Secunia Research at Flexera Software; bo13oy of Trend Micro’s Zero Day Initiative; Cezar Santos; David Litchfield of Google; Dawid Golunski; Denis Shpektorov; Devin Rosenbauer of Identity Works LLC; Emiliano J. Fausto of Onapsis; Felix Wilhelm; Hunter Liu of Huawei’s IT Infrastructure & Security Dept, BPIT&QM; Jackson Thuraisamy of Security Compass; Jacob Baines - Tenable Network Security working with Trend Micro’s Zero Day Initiative; Jakub Palaczynski of ING Services Polska; John Page (hyp3rlinx); Jordan Milne; Mateusz Guzik; Matias Mevied of Onapsis; Matthias Kaiser of Code White; Michael Miller of Integrigy; Okan Basegmez of DORASEC Consulting; Pete Finnigan; Peter Moody; Rahmat Nur Fauzi; Reno Robert; Rex Dale Stevens; Sahar Sabban of Intel; Suraj Khetani of Gulf Business Machines; Sven Blumenstein of Google; Tommy DeVoss of Evolution Security; Valentin Dornauer; and Vishnu Padmakumar.
Security-In-Depth Contributors
Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.
In this Critical Patch Update Advisory, Oracle recognizes Adam Willard of Raytheon Foreground Security; Christopher Lamberson; Masato Kinugawa; Max Pilar of Blue Canopy; Michael Rasmussen of Zeroturnaround; Recx Ltd; Shanliang Jiang; Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.; and Talib Osmani for contributions to Oracle’s Security-In-Depth program.
On-Line Presence Security Contributors
Oracle provides acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.
For this quarter, Oracle recognizes Adam Willard of Raytheon Foreground Security; Adam Willard, reported through CMS; Ahmad Amjad Alfoqha’a; Amine HM; Arbin Godar; Ayoub Ait Elmokhtar; Ben Khilfa Fahmi - SIFARIS Tunisia; Cameron Dawe of Spam404.com; Dhiraj Mishra of TMT ITRA Cyber Security Team at EY; Filippos Mastrogiannis of Hellenic Telecommunications Organization S.A (OTE); Hamza Bachikh; Jatinpreet Singh; Jayvardhan Singh; Jiri Stary; Kamran Saifullah (ImpactX Technologies); Ketankumar B. Godhani of Ketankumar Godhani; Mandeep Jadon; Mudit Punia of Torrid Networks Pvt. Ltd; Muhammad Zeeshan; Nikhil Mittal; Pradeep Kumar; Pravin Nagare; Ravindra Singh Rathore; Shahmeer Baloch; Shawar Khan; Sree Visakh Jain; and wh0ami for contributions to Oracle’s On-Line Presence Security program.
Critical Patch Update Schedule
Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 17 January 2017
- 18 April 2017
- 18 July 2017
- 17 October 2017
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Critical Patch Update - October 2016 Documentation Map [ My Oracle Support Note ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
- English text version of the risk matrices [ Oracle Technology Network ]
- CVRF XML version of the risk matrices [ Oracle Technology Network ]
- The Oracle Software Security Assurance Blog [ The Oracle Software Security Assurance Blog ]
- List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
- Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]
Modification History
Date
Note
2019-May-16
Rev 5. Added note to Fusion Middleware risk matrix indicating that the fix of CVE-2016-5535 also addresses CVE-2016-1000031.
2016-November-21
Rev 4. Vulnerable component for CVE-2016-1181 changed to Portal SEC. Added note to MySQL risk matrix concerning equivalent CVEs.
2016-October-24
Rev 3. Version updated to Ecz7.3m1p4, sub-component changed for CVE-2013-2566, CVE-2014-2532.
2016-October-19
Rev 2. CVSS score updated for CVE-2016-5610.
2016-October-18
Rev 1. Initial Release.
Appendix - Oracle Database Server****Oracle Database Server Executive Summary
This Critical Patch Update contains 12 new security fixes for the Oracle Database Server divided as follows:
- 9 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 1 of these fixes is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
- 2 new security fixes for Oracle Secure Backup. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
- 1 new security fix for Oracle Big Data Graph. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Database Server Risk Matrix
CVE#
Component
Package and/or Privilege Required
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-5555
OJVM
Create Session, Create Procedure
Multiple
No
9.1
Network
Low
High
None
Changed
High
High
High
11.2.0.4, 12.1.0.2
CVE-2016-5572
Kernel PDB
Create Session
Oracle Net
No
6.4
Local
High
High
None
Un- changed
High
High
High
12.1.0.2
CVE-2016-5497
RDBMS Security
Create Session
Oracle Net
No
6.4
Local
High
High
None
Un- changed
High
High
High
12.1.0.2
CVE-2010-5312
Application Express
None
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
Prior to 5.0.4.00.07
CVE-2016-5516
Kernel PDB
Execute on DBMS_PDB_EXEC_SQL
Oracle Net
No
6.0
Local
Low
High
None
Changed
None
None
High
12.1.0.2
CVE-2016-5505
RDBMS Programmable Interface
Create Session
Oracle Net
No
5.5
Local
Low
Low
None
Un- changed
High
None
None
11.2.0.4, 12.1.0.2
CVE-2016-5498
RDBMS Security
Create Session
Oracle Net
No
3.3
Local
Low
Low
None
Un- changed
Low
None
None
11.2.0.4, 12.1.0.2
CVE-2016-5499
RDBMS Security
Create Session
Oracle Net
No
3.3
Local
Low
Low
None
Un- changed
Low
None
None
11.2.0.4, 12.1.0.2
CVE-2016-3562
RDBMS Security and SQL*Plus
DBA level privileged account
Oracle Net
No
2.4
Network
Low
High
Required
Un- changed
Low
None
None
11.2.0.4, 12.1.0.2
See Note 1
Notes:
- Fix applicable to both server and client side installations.
Oracle Database Server Client-Only Installations
The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2016-3562. .
Oracle Secure Backup Executive Summary
This Critical Patch Update contains 2 new security fixes for Oracle Secure Backup. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Secure Backup Risk Matrix
CVE#
Component
Package and/or Privilege Required
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-1351
Oracle Secure Backup
None
Multiple
Yes
5.8
Network
Low
None
None
Changed
None
None
Low
Prior to 12.1.0.2.0
CVE-2015-0286
Oracle Secure Backup
None
SSL
Yes
5.8
Network
Low
None
None
Changed
None
None
Low
Prior to 10.4.0.4.0
Oracle Big Data Graph Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle Big Data Graph. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Big Data Graph Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-7501
Big Data Graph
Apache Commons Collections
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
Prior to 1.2
Appendix - Oracle Fusion Middleware****Oracle Fusion Middleware Executive Summary
This Critical Patch Update contains 29 new security fixes for Oracle Fusion Middleware. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the October 2016 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2016 Patch Availability Document for Oracle Products, My Oracle Support Note 2171485.1.
Oracle Fusion Middleware Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-3253
Oracle Big Data Discovery
Data Processing
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
1.1.1, 1.1.3, 1.2.0
CVE-2016-3551
Oracle Web Services
JAXWS Web Services Stack
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0
CVE-2015-7501
Oracle WebLogic Server
None
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
10.3.6.0, 12.1.3.0, 12.2.1.0
CVE-2016-5535
Oracle WebLogic Server
None
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1
CVE-2016-5531
Oracle WebLogic Server
WLS-WebServices
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
10.3.6.0, 12.1.3.0, 12.2.1.0
CVE-2016-1950
Oracle GlassFish Server
Security
HTTPS
Yes
8.8
Network
Low
None
Required
Un- changed
High
High
High
2.1.1
CVE-2016-5519
Oracle GlassFish Server
Java Server Faces
Multiple
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
2.1.1, 3.0.1, 3.1.2
CVE-2016-3505
Oracle WebLogic Server
JavaServer Faces
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
10.3.6.0, 12.1.3.0, 12.2.1.0
CVE-2016-1950
Oracle iPlanet Web Proxy Server
Security
HTTPS
Yes
8.8
Network
Low
None
Required
Un- changed
High
High
High
4.0
CVE-2016-1950
Oracle iPlanet Web Server
Security
HTTPS
Yes
8.8
Network
Low
None
Required
Un- changed
High
High
High
7.0
CVE-2016-5558
Oracle Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un- changed
High
Low
Low
8.4.0, 8.5.1, 8.5.2, 8.5.3
See Note 1
CVE-2016-5574
Oracle Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un- changed
High
Low
Low
8.4.0, 8.5.1, 8.5.2, 8.5.3
See Note 1
CVE-2016-5577
Oracle Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un- changed
High
Low
Low
8.4.0, 8.5.1, 8.5.2, 8.5.3
See Note 1
CVE-2016-5578
Oracle Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un- changed
High
Low
Low
8.4.0, 8.5.1, 8.5.2, 8.5.3
See Note 1
CVE-2016-5579
Oracle Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un- changed
High
Low
Low
8.4.0, 8.5.1, 8.5.2, 8.5.3
See Note 1
CVE-2016-5588
Oracle Outside In Technology
Outside In Filters
HTTP
Yes
8.6
Network
Low
None
None
Un- changed
High
Low
Low
8.4.0, 8.5.1, 8.5.2, 8.5.3
See Note 1
CVE-2016-3473
BI Publisher (formerly XML Publisher)
Security
HTTP
No
7.7
Network
Low
Low
None
Changed
High
None
None
11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
CVE-2016-8281
Oracle Platform Security for Java
Audit Reports
HTTP
No
7.6
Network
Low
Low
None
Un- changed
High
Low
Low
12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
CVE-2016-5536
Oracle Platform Security for Java
Audit Schema
HTTP
No
7.6
Network
Low
Low
None
Un- changed
High
Low
Low
12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
CVE-2016-5495
Oracle Discoverer
EUL Code & Schema
HTTP
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
11.1.1.7.0
CVE-2016-5500
Oracle Discoverer
Viewer
HTTP
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
11.1.1.7.0
CVE-2016-5601
Oracle WebLogic Server
CIE Related Components
HTTP
No
6.3
Local
Low
High
Required
Changed
Low
High
None
12.1.3.0, 12.2.1.0, 12.2.1.1
CVE-2016-2107
Oracle Business Intelligence Enterprise Edition
Installation
HTTPS
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
11.1.1.7.0, 11.1.1.9.0, 12.1.1.0.0, 12.2.1.1.0
CVE-2016-5537
NetBeans
Project Import
HTTP
No
5.7
Local
Low
High
None
Changed
Low
Low
Low
8.1
CVE-2016-5602
Oracle Data Integrator
Code Generation Engine
HTTP
No
5.7
Network
Low
Low
Required
Un- changed
High
None
None
11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
See Note 2
CVE-2016-5488
Oracle WebLogic Server
Web Container
HTTP
Yes
5.3
Network
Low
None
None
Un- changed
None
None
Low
10.3.6.0, 12.1.3.0
CVE-2016-5511
Oracle WebCenter Sites
Security
HTTP
Yes
4.3
Network
Low
None
Required
Un- changed
None
Low
None
12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0
See Note 3
CVE-2016-5618
Oracle Data Integrator
Code Generation Engine
HTTP
No
3.1
Network
High
Low
None
Un- changed
Low
None
None
11.1.1.7.0, 11.1.1.9.0, 12.1.2.0.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
See Note 4
CVE-2016-5506
Oracle Identity Manager
App Server
XML
No
3.1
Local
Low
High
Required
Un- changed
Low
Low
None
-
See Note 5
Notes:
- Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
- Please refer to My Oracle Support Note 2188855.1 for instructions on how to address this issue.
- Please refer to My Oracle Support Note 2188873.1 for instructions on how to address this issue.
- Please refer to My Oracle Support Note 2188871.1 for instructions on how to address this issue.
- Fixed in all supported releases and patchsets.
Additional CVEs addressed:
- The fix for CVE-2016-2107 also addresses CVE-2015-3197.
- The fix for CVE-2016-5535 also addresses CVE-2016-1000031.
Appendix - Oracle Enterprise Manager Grid Control****Oracle Enterprise Manager Grid Control Executive Summary
This Critical Patch Update contains 5 new security fixes for Oracle Enterprise Manager Grid Control. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.
Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2016 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2016 Patch Availability Document for Oracle Products, My Oracle Support Note 2171485.1.
Oracle Enterprise Manager Grid Control Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-2107
Enterprise Manager
Ops Center
HTTPS
Yes
8.2
Network
Low
None
None
Un- changed
Low
None
High
12.1.4, 12.2.2, 12.3.2
CVE-2016-4979
Enterprise Manager
Ops Center
HTTP
Yes
7.5
Network
Low
None
None
Un- changed
None
High
None
12.1.4, 12.2.2, 12.3.2
CVE-2015-7940
Enterprise Manager
Ops Center
HTTPS
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
12.1.4, 12.2.2
CVE-2015-7940
Oracle Application Testing Suite
Load Testing for Web Apps
HTTPS
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
12.5.0.1, 12.5.0.2, 12.5.0.3
CVE-2016-5604
Enterprise Manager Base Platform
Security Framework
None
No
6.3
Local
Low
High
Required
Changed
Low
High
None
12.1.0.5
Additional CVEs addressed:
- The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2099-1234.
- The fix for CVE-2016-4979 also addresses CVE-2016-1546.
Appendix - Oracle Applications****Oracle E-Business Suite Executive Summary
This Critical Patch Update contains 21 new security fixes for the Oracle E-Business Suite. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2016 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 12 Critical Patch Update Knowledge Document (October 2016), My Oracle Support Note 2181748.1.
Oracle E-Business Suite Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-5557
Oracle Advanced Pricing
Price Book
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2016-5589
Oracle CRM Technical Foundation
Responsibility Management
HTTP
Yes
8.2
Network
Low
None
None
Un- changed
Low
High
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2016-5587
Oracle Customer Interaction History
Outcome-Result
HTTP
Yes
8.2
Network
Low
None
None
Un- changed
Low
High
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4
CVE-2016-5591
Oracle Customer Interaction History
Outcome-Result
HTTP
Yes
8.2
Network
Low
None
None
Un- changed
Low
High
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4
CVE-2016-5593
Oracle Customer Interaction History
Outcome-Result
HTTP
Yes
8.2
Network
Low
None
None
Un- changed
Low
High
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4
CVE-2016-5592
Oracle Customer Interaction History
Result-Reason
HTTP
Yes
8.2
Network
Low
None
None
Un- changed
Low
High
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4
CVE-2016-5595
Oracle Customer Interaction History
Result-Reason
HTTP
Yes
8.2
Network
Low
None
None
Un- changed
Low
High
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4
CVE-2016-5586
Oracle Email Center
Dispatch/Service Call Requests
HTTP
Yes
8.2
Network
Low
None
None
Un- changed
Low
High
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2016-2176
Oracle HTTP Server
OpenSSL
HTTP
Yes
8.2
Network
Low
None
None
Un- changed
Low
None
High
12.1.3
CVE-2016-5489
Oracle iStore
Runtime Catalog
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4
CVE-2016-5562
Oracle iProcurement
Requisition Management
HTTP
No
7.6
Network
Low
Low
Required
Changed
High
Low
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2016-5581
Oracle iRecruitment
Candidate Self Service
None
No
6.6
Physical
Low
Low
None
Un- changed
High
High
High
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2016-5567
Oracle Applications DBA
AD Utilities
HTTP
No
6.5
Network
Low
High
None
Un- changed
High
High
None
12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2016-5570
Oracle Applications DBA
AD Utilities
HTTP
No
6.5
Network
Low
High
None
Un- changed
High
High
None
12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2016-5571
Oracle Applications DBA
AD Utilities
HTTP
No
6.5
Network
Low
High
None
Un- changed
High
High
None
12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2016-5585
Oracle Interaction Center Intelligence
Select Application Dependencies
HTTP
Yes
6.5
Network
Low
None
None
Un- changed
Low
Low
None
12.1.1, 12.1.2, 12.1.3
CVE-2016-5517
Oracle Applications DBA
AD Utilities
None
No
5.5
Local
Low
Low
None
Un- changed
High
None
None
12.1.3
CVE-2016-5575
Oracle Common Applications Calendar
Resources Module
HTTP
Yes
5.3
Network
Low
None
None
Un- changed
Low
None
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2016-5583
Oracle One-to-One Fulfillment
File Upload
HTTP
Yes
5.3
Network
Low
None
None
Un- changed
None
Low
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2016-5532
Oracle Shipping Execution
Workflow Events
HTTP
Yes
5.3
Network
Low
None
None
Un- changed
Low
None
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2016-5596
Oracle CRM Technical Foundation
Default Responsibility
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
Additional CVEs addressed:
- The fix for CVE-2016-2176 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, and CVE-2016-2109.
Oracle Supply Chain Products Suite Executive Summary
This Critical Patch Update contains 19 new security fixes for the Oracle Supply Chain Products Suite. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Supply Chain Products Suite Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-5599
Oracle Advanced Supply Chain Planning
MscObieeSrvlt
HTTP
Yes
9.1
Network
Low
None
None
Un- changed
High
High
None
12.2.3, 12.2.4, 12.2.5
CVE-2015-7501
Oracle Agile PLM
Apache Commons Collections
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
9.3.4, 9.3.5
CVE-2016-5523
Oracle Agile PLM
AutoVue Java Applet
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
9.3.4, 9.3.5
CVE-2015-3253
Oracle Agile PLM
Event Java PX
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
9.3.4, 9.3.5
CVE-2016-5514
Oracle Agile PLM
ExportServlet
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
9.3.4, 9.3.5
CVE-2016-5515
Oracle Agile PLM
RMIServlet
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
9.3.4, 9.3.5
CVE-2016-0635
Oracle Agile PLM
Spring
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
9.3.4, 9.3.5
CVE-2016-0714
Oracle Transportation Management
Install
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
CVE-2016-2107
Oracle Transportation Management
Install
HTTP
Yes
8.2
Network
Low
None
None
Un- changed
Low
None
High
6.1, 6.2
CVE-2016-5518
Oracle Agile Engineering Data Management
webfileservices
HTTP
Yes
8.1
Network
High
None
None
Un- changed
High
High
High
6.1.3.0, 6.2.0.0
CVE-2016-5526
Oracle Agile PLM
Apache Tomcat
HTTP
Yes
7.3
Network
Low
None
None
Un- changed
Low
Low
Low
9.3.4, 9.3.5
CVE-2016-5521
Oracle Agile PLM
Security
HTTP
Yes
6.5
Network
Low
None
None
Un- changed
Low
Low
None
9.3.4, 9.3.5
CVE-2016-5512
Oracle Agile PLM
Security
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.3.4, 9.3.5
CVE-2016-5527
Oracle Agile PLM
Security
HTTP
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
9.3.4, 9.3.5
CVE-2016-5510
Oracle Agile PLM
Folders, Files & Attachments
HTTP
Yes
5.3
Network
Low
None
None
Un- changed
Low
None
None
9.3.4, 9.3.5
CVE-2016-5524
Oracle Agile PLM
Security
HTTP
Yes
5.3
Network
Low
None
None
Un- changed
Low
None
None
9.3.4, 9.3.5
CVE-2016-5513
Oracle Agile PLM
File Manager
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
9.3.4, 9.3.5
CVE-2016-5522
Oracle Agile PLM
Security
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
9.3.4, 9.3.5
CVE-2016-5504
Oracle Agile Product Lifecycle Management for Process
Supplier Portal
HTTP
No
4.1
Local
High
High
None
Un- changed
High
None
None
6.1.0.4, 6.1.1.6, 6.2.0.0
Additional CVEs addressed:
- The fix for CVE-2016-0714 also addresses CVE-2015-5351, CVE-2016-0706, and CVE-2016-0763.
- The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176.
Oracle PeopleSoft Products Executive Summary
This Critical Patch Update contains 11 new security fixes for Oracle PeopleSoft Products. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle PeopleSoft Products Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-8293
PeopleSoft Enterprise PeopleTools
Integration Broker
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
8.54, 8.55
CVE-2016-8291
PeopleSoft Enterprise PeopleTools
Mobile Application Platform
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
8.54, 8.55
CVE-2016-8296
PeopleSoft Enterprise PeopleTools
LDAP
HTTP
No
7.6
Network
Low
Low
Required
Changed
High
Low
None
8.54, 8.55
CVE-2015-7940
PeopleSoft Enterprise PeopleTools
Bouncy Castle Java
HTTP
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
8.54, 8.55
CVE-2016-5529
PeopleSoft Enterprise PeopleTools
Integration Broker
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.54, 8.55
CVE-2016-5530
PeopleSoft Enterprise PeopleTools
Integration Broker
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.54, 8.55
CVE-2016-5600
PeopleSoft Enterprise SCM Services Procurement
Security
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
9.1, 9.2
CVE-2016-8285
PeopleSoft Enterprise HCM
Candidate Gateway
HTTP
No
4.8
Network
High
High
Required
Un- changed
High
Low
None
9.2
CVE-2016-8295
PeopleSoft Enterprise HCM
Schedule
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
9.2
CVE-2016-8294
PeopleSoft Enterprise PeopleTools
Query
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
8.54, 8.55
CVE-2016-8292
PeopleSoft Enterprise HCM
Talent Acquisition Manager
HTTP
No
4.2
Network
High
Low
None
Un- changed
Low
Low
None
9.2
Oracle JD Edwards Products Executive Summary
This Critical Patch Update contains 2 new security fixes for Oracle JD Edwards Products. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle JD Edwards Products Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-1181
JD Edwards EnterpriseOne Tools
Portal SEC
HTTP
Yes
8.1
Network
High
None
None
Un- changed
High
High
High
9.1
CVE-2015-1793
JD Edwards World Security
GUI / World Vision
HTTPS
Yes
6.5
Network
Low
None
None
Un- changed
Low
Low
None
A9.4
Additional CVEs addressed:
- The fix for CVE-2016-1181 also addresses CVE-2016-1182.
Oracle Siebel CRM Executive Summary
This Critical Patch Update contains 3 new security fixes for Oracle Siebel CRM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Siebel CRM Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-3081
Siebel Apps - E-Billing
Security
HTTP
Yes
8.1
Network
High
None
None
Un- changed
High
High
High
7.1
CVE-2016-5534
Siebel Apps - Customer Order Management
Customizable Prod/Configurator
HTTP
No
6.5
Network
Low
Low
None
Un- changed
High
None
None
16.1
CVE-2016-5560
Siebel UI Framework
OpenUI
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
16.1
Oracle Commerce Executive Summary
This Critical Patch Update contains 7 new security fixes for Oracle Commerce. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Commerce Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-3253
Oracle Commerce Platform
Dynamo Application Framework
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
10.0.3.5, 10.2.0.5, 11.2.0.1
CVE-2015-7501
Oracle Commerce Guided Search / Oracle Commerce Experience Manager
Content Acquisition System
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
3.1.1, 3.1.2, 11.0, 11.1, 11.2
CVE-2016-0635
Oracle Commerce Guided Search / Oracle Commerce Experience Manager
Content Acquisition System
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
3.1.1, 3.1.2, 11.0, 11.1, 11.2
CVE-2016-0635
Oracle Commerce Guided Search / Oracle Commerce Experience Manager
Tools and Frameworks
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
3.1.1, 3.1.2, 11.0, 11.1, 11.2
CVE-2016-5482
Oracle Commerce Guided Search
Oracle Commerce Guided Search
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2
CVE-2016-2107
Oracle Commerce Guided Search / Oracle Commerce Experience Manager
MDEX
HTTPS
Yes
8.2
Network
Low
None
None
Un- changed
Low
None
High
6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2
CVE-2016-5491
Oracle Commerce Service Center
Commerce Service Center
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
10.0.3.5, 10.2.0.5
Additional CVEs addressed:
- The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176.
Appendix - Oracle Communications Applications****Oracle Communications Applications Executive Summary
This Critical Patch Update contains 16 new security fixes for Oracle Communications Applications. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Communications Applications Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-2107
Oracle Enterprise Session Border Controller
OpenSSL
SSL
Yes
8.2
Network
Low
None
None
Un- changed
Low
None
High
Ecz7.3m1p4 and earlier
CVE-2015-0235
Oracle Communications Policy Management
Glibc
Multiple
Yes
7.3
Network
Low
None
None
Un- changed
Low
Low
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2015-0411
Oracle Communications Policy Management
MySQL
Multiple
Yes
7.3
Network
Low
None
None
Un- changed
Low
Low
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2014-0050
Oracle Communications Policy Management
Tomcat
Multiple
Yes
7.3
Network
Low
None
None
Un- changed
Low
Low
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2014-0224
Oracle Communications Policy Management
OpenSSL
SSL
Yes
7.3
Network
Low
None
None
Un- changed
Low
Low
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2015-0286
Oracle Communications Policy Management
OpenSSL
SSL
Yes
7.3
Network
Low
None
None
Un- changed
Low
Low
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2013-2067
Oracle Communications Policy Management
Tomcat
Multiple
Yes
6.5
Network
Low
None
None
Un- changed
None
Low
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2014-0227
Oracle Communications Policy Management
Tomcat
Multiple
Yes
6.5
Network
Low
None
None
Un- changed
None
Low
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2013-2566
Oracle Enterprise Session Border Controller
Security
SSH
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
Ecz7.3m1p4 and earlier
CVE-2015-3197
Oracle Enterprise Session Border Controller
OpenSSL
SSL
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
Ecz7.3m1p4 and earlier
CVE-2013-4444
Oracle Communications Policy Management
Tomcat
Multiple
Yes
5.6
Network
High
None
None
Un- changed
Low
Low
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2013-2067
Oracle Communications Policy Management
Tomcat
Multiple
Yes
5.6
Network
High
None
None
Un- changed
Low
Low
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2014-0224
Oracle Enterprise Communications Broker
OpenSSL
SSL
Yes
5.6
Network
High
None
None
Un- changed
Low
Low
Low
Pcz2.0.0m4p5 and earlier
CVE-2014-0224
Oracle Enterprise Session Border Controller
OpenSSL
SSL
Yes
5.6
Network
High
None
None
Un- changed
Low
Low
Low
Ecz7.3m1p4 and earlier
CVE-2015-1791
Oracle Enterprise Session Border Controller
OpenSSL
SSL
Yes
5.6
Network
High
None
None
Un- changed
Low
Low
Low
Ecz7.3m1p4 and earlier
CVE-2015-2568
Oracle Communications Policy Management
MySQL
Multiple
Yes
5.3
Network
Low
None
None
Un- changed
None
None
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2014-0096
Oracle Communications Policy Management
Tomcat
Multiple
Yes
5.3
Network
Low
None
None
Un- changed
Low
None
None
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2013-4590
Oracle Communications Policy Management
Tomcat
Multiple
Yes
5.3
Network
Low
None
None
Un- changed
Low
None
None
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2014-0099
Oracle Communications Policy Management
Tomcat
Multiple
Yes
5.3
Network
Low
None
None
Un- changed
None
Low
None
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2014-0075
Oracle Communications Policy Management
Tomcat
Multiple
Yes
5.3
Network
Low
None
None
Un- changed
None
None
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2014-0119
Oracle Communications Policy Management
Tomcat
Multiple
Yes
5.3
Network
Low
None
None
Un- changed
Low
None
None
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2013-4322
Oracle Communications Policy Management
Tomcat
Multiple
Yes
5.3
Network
Low
None
None
Un- changed
None
None
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2014-9296
Oracle Communications Policy Management
NTP
NTP
Yes
5.3
Network
Low
None
None
Un- changed
None
None
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2014-3571
Oracle Communications Policy Management
OpenSSL
SSL
Yes
5.3
Network
Low
None
None
Un- changed
None
Low
None
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2014-3571
Oracle Enterprise Communications Broker
OpenSSL
SSL
Yes
5.3
Network
Low
None
None
Un- changed
None
None
Low
Pcz2.0.0m4p5 and earlier
CVE-2014-3571
Oracle Enterprise Session Border Controller
OpenSSL
SSL
Yes
5.3
Network
Low
None
None
Un- changed
None
None
Low
Ecz7.3m1p4 and earlier
CVE-2015-0286
Oracle Enterprise Session Border Controller
OpenSSL
SSL
Yes
5.3
Network
Low
None
None
Un- changed
None
None
Low
Ecz7.3m1p4 and earlier
CVE-2015-3195
Oracle Enterprise Session Border Controller
OpenSSL
SSL
Yes
5.3
Network
Low
None
None
Un- changed
None
None
Low
Ecz7.3m1p4 and earlier
CVE-2014-2532
Oracle Communications Policy Management
Security
SSH
No
4.9
Network
High
Low
None
Changed
Low
Low
None
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2013-4286
Oracle Communications Policy Management
Tomcat
Multiple
Yes
4.8
Network
High
None
None
Un- changed
Low
Low
None
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2015-0433
Oracle Communications Policy Management
MySQL
Multiple
No
4.4
Network
High
High
None
Un- changed
None
None
High
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2015-0423
Oracle Communications Policy Management
MySQL
Multiple
No
4.3
Network
Low
Low
None
Un- changed
None
None
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2015-0500
Oracle Communications Policy Management
MySQL
Multiple
No
4.3
Network
Low
Low
None
Un- changed
None
None
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2015-0409
Oracle Communications Policy Management
MySQL
Multiple
No
4.3
Network
Low
Low
None
Un- changed
None
None
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2015-0381
Oracle Communications Policy Management
MySQL
Multiple
Yes
3.7
Network
High
None
None
Un- changed
None
None
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
CVE-2015-0382
Oracle Communications Policy Management
MySQL
Multiple
Yes
3.7
Network
High
None
None
Un- changed
None
None
Low
9.7.3, 9.9.1, 10.4.1, 12.1.1 and earlier
Additional CVEs addressed:
- The fix for CVE-2014-9296 also addresses CVE-2014-9293, CVE-2014-9294, and CVE-2014-9295.
- The fix for CVE-2015-1791 also addresses CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, and CVE-2015-1792.
Appendix - Oracle Financial Services Applications****Oracle Financial Services Applications Executive Summary
This Critical Patch Update contains 24 new security fixes for Oracle Financial Services Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Financial Services Applications Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-7501
Oracle FLEXCUBE Core Banking
Apache Commons Collections
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
11.5.0.0.0, 11.6.0.0.0
CVE-2015-7501
Oracle FLEXCUBE Enterprise Limits and Collateral Management
Apache Commons Collections
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
12.0.0, 12.1.0
CVE-2015-7501
Oracle FLEXCUBE Investor Servicing
Apache Commons Collections
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
12.0.1
CVE-2015-7501
Oracle FLEXCUBE Private Banking
Apache Commons Collections
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
2.0.0, 2.0.1, 2.2.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0
CVE-2015-7501
Oracle FLEXCUBE Universal Banking
Apache Commons Collections
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
12.87.1, 12.87.2
CVE-2015-7501
Oracle FLEXCUBE Universal Banking
Apache Commons Collections
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0
CVE-2016-5607
Oracle FLEXCUBE Universal Banking
INFRA
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0
CVE-2015-7501
Oracle Financial Services Analytical Applications Infrastructure
Apache Commons Collections
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3
CVE-2016-0635
Oracle Financial Services Analytical Applications Infrastructure
Inline Processing
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
8.0.0, 8.0.1, 8.0.2, 8.0.3
CVE-2015-7501
Oracle Financial Services Lending and Leasing
Apache Commons Collections
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
14.1.0, 14.2.0
CVE-2016-5622
Oracle FLEXCUBE Universal Banking
INFRA
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0
CVE-2016-3081
Oracle FLEXCUBE Private Banking
Struts
HTTP
Yes
8.1
Network
High
None
None
Un- changed
High
High
High
2.0.0, 2.0.1, 2.2.0, 12.0.1, 12.0.3, 12.1.0
CVE-2016-5619
Oracle FLEXCUBE Universal Banking
INFRA
HTTP
No
8.1
Network
Low
Low
None
Un- changed
High
High
None
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0
CVE-2016-5543
Oracle FLEXCUBE Enterprise Limits and Collateral Management
INFRA
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.0.0, 12.1.0
CVE-2016-5569
Oracle FLEXCUBE Enterprise Limits and Collateral Management
Limits and Collateral
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
12.0.0, 12.1.0
CVE-2016-5502
Oracle FLEXCUBE Universal Banking
INFRA
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3
CVE-2016-5620
Oracle FLEXCUBE Universal Banking
INFRA
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0
CVE-2016-5594
Oracle FLEXCUBE Universal Banking
INFRA
HTTP
No
5.0
Network
Low
Low
None
Changed
Low
None
None
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3
CVE-2016-5479
Oracle FLEXCUBE Universal Banking
INFRA
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
11.3.0, 11.4.0, 12.0.1
CVE-2016-5603
Oracle FLEXCUBE Universal Banking
INFRA
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0
CVE-2016-5621
Oracle FLEXCUBE Universal Banking
INFRA
HTTP
No
4.3
Network
Low
Low
None
Un- changed
Low
None
None
11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0
CVE-2016-5493
Oracle FLEXCUBE Private Banking
Admin
HTTP
No
4.2
Network
High
Low
None
Un- changed
Low
Low
None
12.0.1, 12.0.2, 12.0.3
CVE-2016-5490
Oracle FLEXCUBE Universal Banking
INFRA
NONE
No
3.3
Local
Low
Low
None
Un- changed
Low
None
None
11.4.0
CVE-2015-7501
Oracle Banking Digital Experience
Apache Commons Collections
HTTP
No
2.0
Network
High
High
Required
Un- changed
Low
None
None
15.1
Additional CVEs addressed:
- The fix for CVE-2016-3081 also addresses CVE-2014-7809.
Appendix - Oracle Health Sciences Applications****Oracle Health Sciences Applications Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle Health Sciences Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Health Sciences Applications Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-2107
Oracle Life Sciences Data Hub
OpenSSL
SSL
Yes
8.2
Network
Low
None
None
Un- changed
Low
None
High
2.x
Additional CVEs addressed:
- The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2099-1234.
Appendix - Oracle Hospitality Applications****Oracle Hospitality Applications Executive Summary
This Critical Patch Update contains 3 new security fixes for Oracle Hospitality Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Hospitality Applications Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-5563
Oracle Hospitality OPERA 5 Property Services
OPERA File Upload Download
HTTP
No
7.9
Network
High
High
None
Changed
High
High
Low
5.4.0.0, 5.4.1.0, 5.4.2.0, 5.4.3.0, 5.5.0.0, 5.5.1.0
CVE-2016-5565
Oracle Hospitality OPERA 5 Property Services
OPERA Xchange Interface (OXI)
HTTP
No
7.7
Network
Low
Low
None
Changed
High
None
None
5.4.0.0, 5.4.1.0, 5.4.2.0, 5.4.3.0, 5.5.0.0, 5.5.1.0
CVE-2016-5564
Oracle Hospitality OPERA 5 Property Services
OPERA Application Login
HTTP
No
7.4
Network
Low
Low
None
Changed
Low
Low
Low
5.4.0.0, 5.4.1.0, 5.4.2.0, 5.4.3.0, 5.5.0.0, 5.5.1.0
Appendix - Oracle Insurance Applications****Oracle Insurance Applications Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle Insurance Applications. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Insurance Applications Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-7501
Oracle Insurance IStream
Apache Commons Collections
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
4.3.2
Appendix - Oracle Retail Applications****Oracle Retail Applications Executive Summary
This Critical Patch Update contains 10 new security fixes for Oracle Retail Applications. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Retail Applications Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2015-3253
Oracle Retail Customer Insights
Security
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
15.0
CVE-2015-3253
Oracle Retail Merchandising Insights
Security
HTTP
Yes
9.8
Network
Low
None
None
Un- changed
High
High
High
15.0
CVE-2015-7501
MICROS XBR
Liferay
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
7.0.2, 7.0.4
CVE-2015-7501
Oracle Retail Clearance Optimization Engine
General Application
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
13.2, 13.3, 13.4, 14.0
CVE-2015-7501
Oracle Retail Xstore Point of Service
Xenvironment
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
5.0, 5.5, 6.0, 6.5, 7.0, 7.1
CVE-2016-1881
Oracle Retail Back Office
Security
HTTP
Yes
8.3
Network
Low
None
None
Changed
Low
Low
Low
13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
CVE-2016-1881
Oracle Retail Central Office
Security
HTTP
Yes
8.3
Network
Low
None
None
Changed
Low
Low
Low
13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
CVE-2016-1881
Oracle Retail Returns Management
Security
HTTP
Yes
8.3
Network
Low
None
None
Changed
Low
Low
Low
13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
CVE-2016-5539
Oracle Retail Xstore Payment
Security
HTTP
No
7.3
Physical
Low
Low
None
Changed
High
High
Low
1.x
CVE-2016-5540
Oracle Retail Xstore Payment
Security
HTTP
No
6.7
Physical
High
Low
None
Changed
High
High
None
1.x
Additional CVEs addressed:
- The fix for CVE-2015-7501 also addresses CVE-2015-4852.
- The fix for CVE-2016-1881 also addresses CVE-2012-1007, CVE-2014-0114, CVE-2016-1181, and CVE-2016-1182.
Appendix - Oracle Primavera Products Suite****Oracle Primavera Products Suite Executive Summary
This Critical Patch Update contains 2 new security fixes for the Oracle Primavera Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Primavera Products Suite Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-2107
Primavera P6 Professional Project Management
OpenSSL
HTTP
Yes
8.2
Network
Low
None
None
Un- changed
Low
None
High
8.3, 8.4, 15.x, 16.x
CVE-2016-5533
Primavera P6 Enterprise Project Portfolio Management
Team Member
HTTP
No
5.4
Network
Low
Low
None
Un- changed
Low
Low
None
8.4, 15.x, 16.x
Additional CVEs addressed:
- The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176.
Appendix - Oracle Java SE****Oracle Java SE Executive Summary
This Critical Patch Update contains 7 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Low” instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.
Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases.
Oracle Java SE Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-5556
Java SE
2D
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 6u121, 7u111, 8u102
See Note 1
CVE-2016-5568
Java SE
AWT
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 6u121, 7u111, 8u102
See Note 1
CVE-2016-5582
Java SE, Java SE Embedded
Hotspot
Multiple
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
Java SE: 6u121, 7u111, 8u102; Java SE Embedded: 8u101
See Note 1
CVE-2016-5573
Java SE, Java SE Embedded
Hotspot
Multiple
Yes
8.3
Network
High
None
Required
Changed
High
High
High
Java SE: 6u121, 7u111, 8u102; Java SE Embedded: 8u101
See Note 1
CVE-2016-5597
Java SE, Java SE Embedded
Networking
Multiple
Yes
5.9
Network
High
None
None
Un- changed
High
None
None
Java SE: 6u121, 7u111, 8u102; Java SE Embedded: 8u101
See Note 1
CVE-2016-5554
Java SE, Java SE Embedded
JMX
Multiple
Yes
4.3
Network
Low
None
Required
Un- changed
None
Low
None
Java SE: 6u121, 7u111, 8u102; Java SE Embedded: 8u101
See Note 1
CVE-2016-5542
Java SE, Java SE Embedded
Libraries
Multiple
Yes
3.1
Network
High
None
Required
Un- changed
None
Low
None
Java SE: 6u121, 7u111, 8u102; Java SE Embedded: 8u101
See Note 1
Notes:
- This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
Appendix - Oracle Sun Systems Products Suite****Oracle Sun Systems Products Suite Executive Summary
This Critical Patch Update contains 16 new security fixes for the Oracle Sun Systems Products Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Sun Systems Products Suite Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-5503
Sun ZFS Storage Appliance Kit (AK)
Core Services
None
No
8.2
Local
Low
High
None
Changed
High
High
High
AK 2013
CVE-2016-5544
Solaris
Kernel/X86
None
No
7.8
Local
Low
Low
None
Un- changed
High
High
High
10, 11.3
CVE-2016-5492
Sun ZFS Storage Appliance Kit (AK)
SMB Users
None
No
7.1
Local
Low
Low
None
Un- changed
High
High
None
AK 2013
See Note 1
CVE-2016-5606
Solaris
Kernel Zones
None
No
6.1
Local
Low
Low
None
Un- changed
None
Low
High
11.3
CVE-2016-5576
Solaris
Kernel Zones
None
No
5.5
Local
Low
Low
None
Un- changed
None
None
High
11.3
CVE-2016-5486
Sun ZFS Storage Appliance Kit (AK)
Core Services
None
No
5.5
Local
Low
Low
None
Un- changed
High
None
None
AK 2013
CVE-2016-5566
Solaris
Installation
HTTP
Yes
5.3
Network
Low
None
None
Un- changed
Low
None
None
11.3
CVE-2016-5487
Solaris
Files
None
No
5.3
Local
Low
Low
None
Un- changed
Low
Low
Low
11.3
CVE-2016-5553
Solaris
Filesystem
None
No
5.0
Local
Low
Low
Required
Un- changed
None
None
High
10, 11.3
CVE-2016-5559
Solaris
Kernel
None
No
4.1
Local
High
High
None
Un- changed
None
High
None
10, 11.3
CVE-2016-5481
Sun ZFS Storage Appliance Kit (AK)
Core Services
DNS
Yes
3.7
Network
High
None
None
Un- changed
Low
None
None
AK 2013
CVE-2016-5615
Solaris
Lynx
None
No
3.3
Local
Low
Low
None
Un- changed
None
None
Low
11.3
CVE-2016-5508
Solaris Cluster
Cluster Geo
None
No
3.3
Local
Low
Low
None
Un- changed
Low
None
None
4.3
CVE-2016-5525
Solaris Cluster
Cluster check files
None
No
3.3
Local
Low
Low
None
Un- changed
None
Low
None
3.3, 4.3
CVE-2016-5561
Solaris
IKE
IKEv2
Yes
3.1
Network
High
None
Required
Un- changed
None
None
Low
11.3
CVE-2016-5480
Solaris
Bash
None
No
2.8
Local
Low
Low
Required
Un- changed
None
Low
None
10
Notes:
- This vulnerability applies to local users (i.e. users in /etc/passwd) and not applicable to other (e.g. LDAP) users.
Appendix - Oracle Linux and Virtualization****Oracle Virtualization Executive Summary
This Critical Patch Update contains 13 new security fixes for Oracle Virtualization. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Virtualization Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-5580
Secure Global Desktop
Web Services
Multiple
No
9.6
Network
Low
Low
None
Changed
High
None
High
4.7, 5.2
CVE-2016-5605
Oracle VM VirtualBox
VirtualBox Remote Desktop Extension (VRDE)
VRDP
Yes
9.1
Network
Low
None
None
Un- changed
High
High
None
VirtualBox prior to 5.1.4
CVE-2016-0714
Virtual Desktop Infrastructure
Apache Tomcat
HTTP
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
VDI prior to 3.5.3
CVE-2015-7501
Virtual Desktop Infrastructure
Apache Commons Collection
Multiple
No
8.8
Network
Low
Low
None
Un- changed
High
High
High
VDI prior to 3.5.3
CVE-2016-2107
Sun Ray Operating Software
OpenSSL
SSL/TLS
Yes
8.2
Network
Low
None
None
Un- changed
Low
None
High
SROS prior to 11.1.7
CVE-2016-5501
Oracle VM VirtualBox
Core
None
No
7.8
Local
High
Low
None
Changed
High
High
High
VirtualBox prior to 5.0.28, prior to 5.1.8
CVE-2016-6304
Oracle VM VirtualBox
OpenSSL
SSL/TLS
Yes
7.5
Network
Low
None
None
Un- changed
None
None
High
VirtualBox prior to 5.0.28, prior to 5.1.8
CVE-2015-7940
Virtual Desktop Infrastructure
Bouncy Castle Java
Multiple
Yes
7.5
Network
Low
None
None
Un- changed
High
None
None
VDI prior to 3.5.3
CVE-2016-5610
Oracle VM VirtualBox
Core
None
No
6.8
Local
Low
None
None
Changed
Low
Low
Low
VirtualBox prior to 5.0.28, prior to 5.1.8
CVE-2016-5538
Oracle VM VirtualBox
Core
None
No
6.7
Local
Low
High
None
Un-changed
High
High
High
VirtualBox prior to 5.0.28, prior to 5.1.8
CVE-2016-5608
Oracle VM VirtualBox
Core
None
No
5.5
Local
Low
Low
None
Un- changed
None
None
High
VirtualBox prior to 5.0.28, prior to 5.1.8
CVE-2016-5611
Oracle VM VirtualBox
Core
None
No
4.3
Local
Low
None
None
Changed
Low
None
None
VirtualBox prior to 5.0.28, prior to 5.1.8
CVE-2016-5613
Oracle VM VirtualBox
Core
None
No
4.3
Local
Low
None
None
Changed
None
None
Low
VirtualBox prior to 5.0.28, prior to 5.1.8
Additional CVEs addressed:
- The fix for CVE-2016-0714 also addresses CVE-2015-5351, CVE-2016-0706, and CVE-2016-0763.
- The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, and CVE-2016-2109.
- The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, and CVE-2016-7052.
Appendix - Oracle MySQL****Oracle MySQL Executive Summary
This Critical Patch Update contains 31 new security fixes for Oracle MySQL. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle MySQL Risk Matrix
CVE#
Component
Subcomponent
Protocol
Remote Exploit without Auth.?
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Attack Vector
Attack Complex
Privs Req’d
User Interact
Scope
Confidentiality
Integrity
Availability
CVE-2016-6304
MySQL Server
Server: Security: Encryption
MySQL Protocol
Yes
7.5
Network
Low
None
None
Un- changed
None
None
High
5.6.33 and earlier, 5.7.15 and earlier
CVE-2016-6662
MySQL Server
Server: Logging
None
No
7.2
Local
High
High
Required
Changed
High
High
High
5.5.52 and earlier, 5.6.33 and earlier, 5.7.15 and earlier
CVE-2016-5617
MySQL Server
Server: Error Handling
None
No
7.0
Local
High
Low
None
Un- changed
High
High
High
5.5.51 and earlier, 5.6.32 and earlier, 5.7.14 and earlier
CVE-2016-5616
MySQL Server
Server: MyISAM
None
No
7.0
Local
High
Low
None
Un- changed
High
High
High
5.5.51 and earlier, 5.6.32 and earlier, 5.7.14 and earlier
CVE-2016-5625
MySQL Server
Server: Packaging
None
No
7.0
Local
High
Low
None
Un- changed
High
High
High
5.7.14 and earlier
CVE-2016-5609
MySQL Server
Server: DML
MySQL Protocol
No
6.5
Network
Low
Low
None
Un- changed
None
None
High
5.6.31 and earlier 5.7.13 and earlier
CVE-2016-5612
MySQL Server
Server: DML
MySQL Protocol
No
6.5
Network
Low
Low
None
Un- changed
None
None
High
5.5.50 and earlier, 5.6.31 and earlier, 5.7.13 and earlier
CVE-2016-5624
MySQL Server
Server: DML
MySQL Protocol
No
6.5
Network
Low
Low
None
Un- changed
None
None
High
5.5.51 and earlier
CVE-2016-5626
MySQL Server
Server: GIS
MySQL Protocol
No
6.5
Network
Low
Low
None
Un- changed
None
None
High
5.5.51 and earlier, 5.6.32 and earlier, 5.7.14 and earlier
CVE-2016-5627
MySQL Server
Server: InnoDB
MySQL Protocol
No
6.5
Network
Low
Low
None
Un- changed
None
None
High
5.6.31 and earlier, 5.7.13 and earlier
CVE-2016-3492
MySQL Server
Server: Optimizer
MySQL Protocol
No
6.5
Network
Low
Low
None
Un- changed
None
None
High
5.5.51 and earlier, 5.6.32 and earlier, 5.7.14 and earlier
CVE-2016-5598
MySQL Connector
Connector/Python
MySQL Protocol
Yes
5.6
Network
High
None
None
Un- changed
Low
Low
Low
2.1.3 and earlier, 2.0.4 and earlier
CVE-2016-7440
MySQL Server
Server: Security: Encryption
None
No
5.1
Local
High
None
None
Un- changed
High
None
None
5.5.52 and earlier, 5.6.33 and earlier, 5.7.15 and earlier
CVE-2016-5628
MySQL Server
Server: DML
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.7.13 and earlier
CVE-2016-5629
MySQL Server
Server: Federated
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.5.51 and earlier, 5.6.32 and earlier, 5.7.14 and earlier
CVE-2016-3495
MySQL Server
Server: InnoDB
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.7.13 and earlier
CVE-2016-5630
MySQL Server
Server: InnoDB
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.6.31 and earlier 5.7.13 and earlier
CVE-2016-5507
MySQL Server
Server: InnoDB
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.6.32 and earlier, 5.7.14 and earlier
CVE-2016-5631
MySQL Server
Server: Memcached
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.7.13 and earlier
CVE-2016-5632
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.7.14 and earlier
CVE-2016-5633
MySQL Server
Server: Performance Schema
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.7.13 and earlier
CVE-2016-5634
MySQL Server
Server: RBR
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.7.13 and earlier
CVE-2016-5635
MySQL Server
Server: Security: Audit
MySQL Protocol
No
4.9
Network
Low
High
None
Un- changed
None
None
High
5.7.13 and earlier
CVE-2016-8289
MySQL Server
Server: InnoDB
None
No
4.7
Local
High
High
None
Un- changed
None
Low
High
5.7.13 and earlier
CVE-2016-8287
MySQL Server
Server: Replication
MySQL Protocol
No
4.5
Network
Low
High
Required
Un- changed
None
None
High
5.7.13 and earlier
CVE-2016-8290
MySQL Server
Server: Performance Schema
MySQL Protocol
No
4.4
Network
High
High
None
Un- changed
None
None
High
5.7.13 and earlier
CVE-2016-5584
MySQL Server
Server: Security: Encryption
MySQL Protocol
No
4.4
Network
High
High
None
Un- changed
High
None
None
5.5.52 and earlier, 5.6.33 and earlier, 5.7.15 and earlier
CVE-2016-8283
MySQL Server
Server: Types
MySQL Protocol
No
4.3
Network
Low
Low
None
Un- changed
None
None
Low
5.5.51 and earlier, 5.6.32 and earlier, 5.7.14 and earlier
CVE-2016-8288
MySQL Server
Server: InnoDB Plugin
MySQL Protocol
No
3.1
Network
High
Low
None
Un- changed
None
Low
None
5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-8286
MySQL Server
Server: Security: Privileges
MySQL Protocol
No
3.1
Network
High
Low
None
Un- changed
Low
None
None
5.7.14 and earlier
CVE-2016-8284
MySQL Server
Server: Replication
None
No
1.8
Local
High
High
Required
Un- changed
None
None
Low
5.6.31 and earlier, 5.7.13 and earlier
Notes:
- CVE-2016-5616 is equivalent to CVE-2016-6663, and CVE-2016-5617 is equivalent to CVE-2016-6664.
Additional CVEs addressed:
- The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, and CVE-2016-6306.
Why Oracle
- Analyst Reports
- Gartner MQ for Cloud ERP
- Cloud Economics
- Corporate Responsibility
- Diversity and Inclusion
- Security Practices
Learn
- What is cloud computing?
- What is CRM?
- What is Docker?
- What is Kubernetes?
- What is Python?
- What is SaaS?
What’s New
News
Oracle CloudWorld
Oracle Supports Ukraine
Oracle Red Bull Racing
Oracle Sustainability
Employee Experience Platform
© 2022 Oracle
Site Map
Privacy/Do Not Sell My Info
Ad Choices
Careers
Facebook
Twitter
LinkedIn
YouTube
Related news
Ubuntu Security Notice 6936-1 - It was discovered that Apache Commons Collections allowed serialization support for unsafe classes by default. A remote attacker could possibly use this issue to execute arbitrary code.
Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.
Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.
Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.
An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. Restricted users have access to other users outlets.
Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. The device allows unauthenticated access to Telnet and SNMP credentials.
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.
The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service (DoS) and remote code execution. The issues, tracked as CVE-2022-3602 and CVE-2022-3786, have been described as buffer overrun vulnerabilities that can be triggered during X.509 certificate verification by supplying a specially-crafted email
Categories: News Tags: fix Tags: bug Tags: vulnerability Tags: exploit Tags: attack Tags: patch Tags: update Tags: OpenSSL Tags: v3 Tags: v1 Tags: 3.0.5. Version 3.0.7 of OpenSSL will fix the software's first critical issue for six years. (Read more...) The post Critical OpenSSL fix due Nov 1—what you need to know appeared first on Malwarebytes Labs.
IBM Rational Change 5.3 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the SUPP_TEMPLATE_FLAG parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic from a Machine-in-the-Middle (MITM) position. The root cause is that the client module accepts TLS messages that normally are only sent to TLS servers.
libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201.
Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).
Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
Nexans FTTO GigaSwitch industrial/office switches HW version 5 suffer from having a hardcoded backdoor user and multiple outdated vulnerable software components.
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Local Logon privilege with network access via Oracle Net to compromise Oracle Database Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Enterprise Edition Unified Audit accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).
Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Local Logon privilege with network access via Oracle Net to compromise Oracle Database Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Enterprise Edition Unified Audit accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Ja...
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/A...
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.
The C software implementation of AES Encryption and Decryption in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover AES keys by leveraging cache-bank timing differences.
statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages.
crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.
Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated.
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to GIS.
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate token extraction for table names, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted name.
Use-after-free vulnerability in the _zend_shared_memdup function in zend_shared_alloc.c in the OPcache extension in PHP through 5.6.7 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.
native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.