CVE-2014-4265: Oracle Critical Patch Update - July 2014

• Click to view our Accessibility Policy

• Skip to content

• Security Alerts

Oracle Critical Patch Update Advisory - July 2014****Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are generally cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 113 new security fixes across the product families listed below.

Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available at: http://www.oracle.com/security-alerts/cpufaq.html#CVRF.

Please note that on April 18, 2014, Oracle released a Security Alert for CVE-2014-0160 OpenSSL "Heartbleed". This Critical Patch Update includes an update to MySQL Enterprise Server 5.6 and this update includes a fix for vulnerability CVE-2014-0160. Customers of other Oracle products are strongly advised to apply the fixes that were announced in the Security Alert for CVE-2014-0160.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions

Patch Availability

Oracle Database 11_g_ Release 1, version 11.1.0.7

Database

Oracle Database 11_g_ Release 2, versions 11.2.0.3, 11.2.0.4

Database

Oracle Database 12_c_ Release 1, version 12.1.0.1

Database

Oracle Fusion Middleware 11_g_ Release 1, version 11.1.1.7

Fusion Middleware

Oracle Fusion Middleware 12_c_ Release 1, version 12.1.2.0

Fusion Middleware

Oracle Fusion Applications, versions 11.1.2 through 11.1.8

Fusion Applications

Oracle Glassfish Server, versions 2.1.1, 3.0.1, 3.1.2

Fusion Middleware

Oracle Traffic Director, version 11.1.1.7.0

Fusion Middleware

Oracle iPlanet Web Proxy Server, version 4.0.24

Fusion Middleware

Oracle iPlanet Web Server, versions 6.1, 7.0

Fusion Middleware

Oracle WebCenter Portal, versions 11.1.1.7.0, 11.1.1.8.0

Fusion Middleware

Oracle WebLogic Server, versions 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0

Fusion Middleware

Oracle JDeveloper, versions 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0

Fusion Middleware

Oracle BI Publisher, version 11.1.1.7

Fusion Middleware

Oracle Glassfish Communications Server, version 2.0

Fusion Middleware

Oracle HTTP Server, versions 11.1.1.7.0, 12.1.2.0

Fusion Middleware

Oracle Hyperion Essbase, versions 11.1.2.2, 11.1.2.3

Fusion Middleware

Oracle Hyperion BI+, versions 11.1.2.2, 11.1.2.3

Fusion Middleware

Oracle Hyperion Enterprise Performance Management Architect, versions 11.1.2.2, 11.1.2.3

Fusion Middleware

Oracle Hyperion Common Admin, versions 11.1.2.2, 11.1.2.3

Fusion Middleware

Oracle Hyperion Analytic Provider Services, versions 11.1.2.2, 11.1.2.3

Fusion Middleware

Oracle E-Business Suite Release 11_i_, version 11.5.10.2

E-Business Suite

Oracle E-Business Suite Release 12_i_, versions 12.0.6, 12.1.3, 12.2.2, 12.2.3

E-Business Suite

Oracle Transportation Management, versions 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4

Oracle Supply Chain

Oracle Agile Product Collaboration, version 9.3.3

Oracle Supply Chain

Oracle PeopleSoft Enterprise ELS Enterprise Learning Management, versions 9.1, 9.2

PeopleSoft

Oracle PeopleSoft Enterprise PT PeopleTools, versions 8.52, 8.53

PeopleSoft

Oracle PeopleSoft Enterprise FIN Install, versions 9.1, 9.2

PeopleSoft

Oracle PeopleSoft Enterprise SCM Purchasing, versions 9.1, 9.2

PeopleSoft

Oracle Siebel Travel & Transportation, versions 8.1.1, 8.2.2

Siebel

Oracle Siebel UI Framework, versions 8.1.1, 8.2.2

Siebel

Oracle Siebel Core - Server OM Frwks, versions 8.1.1, 8.2.2

Siebel

Oracle Siebel Core - EAI, versions 8.1.1, 8.2.2

Siebel

Oracle Communications Messaging Server, version 7.0.5.30.0

Oracle Communications Applications

Oracle Retail Back Office, versions 8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0

Retail

Oracle Retail Central Office, versions 8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0

Retail

Oracle Retail Returns Management, versions 2.0, 13.1, 13.2, 13.3, 13.4, 14.0

Retail

Oracle Java SE, versions 5.0u65, 6u75, 7u60, 8u5

Oracle Java SE

Oracle JRockit, versions R27.8.2, R28.3.2

Oracle Java SE

Oracle Solaris, versions 8, 9, 10, 11.1

Oracle and Sun Systems Products Suite

Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1

Oracle Linux and Virtualization

Oracle VM VirtualBox, versions prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.14

Oracle Linux and Virtualization

Oracle Virtual Desktop Infrastructure (VDI), versions prior to 3.5.1

Oracle Linux and Virtualization

Sun Ray Software, versions prior to 5.4.3

Oracle Linux and Virtualization

Oracle MySQL Server, versions 5.5, 5.6

Oracle MySQL Product Suite

Patch Availability Table and Risk Matrices****Products with Cumulative Patches

The Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Industry Applications, Primavera and Oracle VM patches in the Critical Patch Updates are cumulative. In other words, patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates. For more information about cumulative and non-cumulative patches, check the patch availability documents in the table below for the respective product groups.

Patch Availability Table

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update July 2014 Documentation Map, My Oracle Support Note 1662887.1.

Product Group

Risk Matrix

Patch Availability and Installation Information

Oracle Database

Oracle Database Risk Matrix

Patch Set Update and Critical Patch Update July 2014 Availability Document, My Oracle Support Note 1666884.1

Oracle Fusion Middleware

Oracle Fusion Middleware Risk Matrix

Patch Set Update and Critical Patch Update July 2014 Availability Document, My Oracle Support Note 1666884.1

Oracle Fusion Applications

Oracle Database Risk Matrix and Oracle Fusion Middleware Risk Matrix

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document (July 2014) My Oracle Support Note 1907352.1 for information on patches to be applied to Fusion Application environments.

Oracle Hyperion

Oracle Hyperion Risk Matrix

Patch Set Update and Critical Patch Update July 2014 Availability Document, My Oracle Support Note 1666884.1

Oracle E-Business Suite

Oracle E-Business Suite Risk Matrix

Critical Patch Update Knowledge Document for Oracle E-Business Suite My Oracle Support Note 1668237.1

Oracle Applications - PeopleSoft Enterprise, Siebel CRM, Oracle Supply Chain Product Suite

Oracle PeopleSoft Enterprise Risk Matrix
Oracle Siebel CRM Risk Matrix
Oracle Supply Chain Risk Matrix

Critical Patch Update Knowledge Document for PeopleSoft Enterprise, Siebel Core, and Oracle Supply Chain Products Suite My Oracle Support Note 1684873.1

Oracle Communications Applications

Oracle Communications Messaging Server Risk Matrix

Critical Patch Update Knowledge Document for Oracle Communications Messaging Server My Oracle Support Note 1906392.1

Oracle Retail Industry Suite

Oracle Retail Applications Risk Matrix

Critical Patch Update July 2014 Patch Delivery Document for Oracle Retail Products, My Oracle Support Note 1684864.1

Oracle Java SE

Oracle SE Risk Matrix

• Critical Patch Update July 2014 Patch Availability Document for Java SE, My Oracle Support Note 1900468.1
• Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
• The latest JavaFX release is included with the latest update of JDK and JRE 7 and 8.

Oracle and Sun Systems Products Suite

Oracle and Sun Systems Products Suite Risk Matrix

Critical Patch Update July 2014 Patch Delivery Document for Oracle and Sun Systems Product Suite, My Oracle Support Note 1900373.1

Oracle Linux and Virtualization Products

Oracle Linux and Virtualization Products Risk Matrix

Patch Set Update and Critical Patch Update July 2014 Availability Document, My Oracle Support Note 1684947.1

Oracle MySQL

Oracle MySQL Risk Matrix

Critical Patch Update July 2014 Patch Availability Document for Oracle MySQL Products, My Oracle Support Note 1684603.1

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. Italics indicate vulnerabilities in code included from other product areas.

Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected.The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update July 2014 Availability Document, My Oracle Support Note 1666884.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Alon Friedman; Andrea Micalizzi aka rgod, working with HP’s Zero Day Initiative; Borked of the Google Security Team; CERT/CC; Cihan Öncü of Biznet Bilişim A.Ş; David Litchfield of Datacom TSS; Florian Weimer of Red Hat; Ilja van Sprundel of ioactive.com; Jeroen Frijters; John Leitch working with HP’s Zero Day Initiative; Larry W. Cashdollar; Matt Bergin of KoreLogic Disclosures; Michael Miller of Integrigy; Peter Kamensky of ERPScan (Digital Security Research Group); Rafal Wojtczuk of Bromium; Rohan Stelling of BAE Systems Detica; Sayan Malakshinov of PSBank; Serguei Mourachov; Toby Clarke of Gotham Digital Science; and Yash Kadakia of Security Brigade.

Security-In-Depth Contributors

Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Alexander Kornbrust of Red Database Security; Bartlomiej Balcerek of Wroclaw University of Technology; David Litchfield of Datacom TSS; Lutz Wolf of RedTeam Pentesting GmbH and Paul M. Wright for contributions to Oracle’s Security-In-Depth program.

On-Line Presence Security Contributors

Oracle provides recognition to people that have contributed to our On-Line Presence Security program (see FAQ). People are recognized for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes Adam Willard of Foreground Security; Ateeq Khan; Bikash Dash; Cameron Crowley; Inti de Ceukalaire; Jayson Zabate; Provensec Labs; Koutrouss Naddara; Manoj Kumar; Monendra Sahu; Osanda Malith Jayathissa; Rodolfo Godalle; S. Venkatesh; Satheesh Raj; Suraj Radhakrishnan; and Yasser Gamal Ahmed for contributions to Oracle’s On-Line Presence Security program.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

• 14 October 2014
• 20 January 2015
• 14 April 2015
• 14 July 2015

References

• Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
• Critical Patch Update - July 2014 Documentation Map [ My Oracle Support Note 1662887.1 ]
• Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
• Risk Matrix definitions [ Risk Matrix Definitions ]
• Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
• English text version of the risk matrices [ Oracle Technology Network ]
• CVRF XML version of the risk matrices [ Oracle Technology Network ]
• The Oracle Software Security Assurance Blog [ The Oracle Software Security Assurance Blog ]
• List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
• Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]

Modification History

2014-July-24

Rev 2. Updated Package and/or Privilege Required for CVE-2014-4236

2014-July-15

Rev 1. Initial Release

Appendix - Oracle Database Server****Oracle Database Server Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

CVE#

Component

Protocol

Package and/or Privilege Required

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2013-3751

XML Parser

HTTP

Create Session

No

9.0

Network

Low

Single

Complete

Complete

Complete

12.1.0.1

CVE-2013-3774

Network Layer

Oracle Net

None

Yes

7.6

Network

High

None

Complete

Complete

Complete

12.1.0.1

CVE-2014-4236

RDBMS Core

Oracle Net

Create Session, Grant on DBMS_REDACT

No

6.5

Network

Low

Single

Partial+

Partial+

Partial+

11.2.0.4, 12.1.0.1

CVE-2014-4237

RDBMS Core

Oracle Net

Create Session

No

4.0

Network

Low

Single

Partial

None

None

11.2.0.4, 12.1.0.1

CVE-2014-4245

RDBMS Core

Oracle Net

Create Session

No

3.5

Network

Medium

Single

Partial+

None

None

11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1

Appendix - Oracle Fusion Middleware****Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 29 new security fixes for Oracle Fusion Middleware. 27 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware Risk Matrix

CVE#

Component

Protocol

Sub-component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2013-1741

Oracle GlassFish Server

HTTPS

Security

Yes

7.5

Network

Low

None

Partial+

Partial+

Partial+

2.1.1

See Note 1

CVE-2013-1741

Oracle Traffic Director

HTTPS

Security

Yes

7.5

Network

Low

None

Partial+

Partial+

Partial+

11.1.1.7.0

See Note 1

CVE-2013-1741

Oracle iPlanet Web Proxy Server

HTTPS

Security

Yes

7.5

Network

Low

None

Partial+

Partial+

Partial+

4.0.24

See Note 1

CVE-2013-1741

Oracle iPlanet Web Server

HTTPS

Security

Yes

7.5

Network

Low

None

Partial+

Partial+

Partial+

6.1, 7.0

See Note 1

CVE-2014-4257

Oracle WebCenter Portal

HTTP

Portlet Services

Yes

7.1

Network

Medium

None

Complete

None

None

11.1.1.7.0, 11.1.1.8.0

CVE-2014-2481

Oracle WebLogic Server

HTTP

-

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0

CVE-2014-2480

Oracle WebLogic Server

HTTP

-

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0

CVE-2014-4255

Oracle WebLogic Server

HTTP

WLS - Security and Policy

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

10.3.6.0, 12.1.1.0, 12.1.2.0

CVE-2014-4254

Oracle WebLogic Server

HTTP

WLS - Web Services

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

10.3.6.0, 12.1.1.0, 12.1.2.0

CVE-2014-2479

Oracle WebLogic Server

HTTP

WLS - Web Services

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0

CVE-2014-4267

Oracle WebLogic Server

HTTP

WLS Core Components

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0

CVE-2014-2493

Oracle JDeveloper

HTTP

ADF Faces

Yes

6.4

Network

Low

None

Partial

None

Partial

11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0

CVE-2014-4256

Oracle WebLogic Server

HTTP

WLS - Deployment

Yes

5.8

Network

Medium

None

Partial

Partial

None

10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0

CVE-2014-4249

BI Publisher

HTTP

Mobile Service

Yes

5.0

Network

Low

None

Partial

None

None

11.1.1.7

CVE-2014-4211

Oracle WebCenter Portal

HTTP

Portlet Services

Yes

5.0

Network

Low

None

None

Partial

None

11.1.1.7, 11.1.1.8

CVE-2014-4201

Oracle WebLogic Server

HTTP

WLS - Web Services

Yes

5.0

Network

Low

None

None

None

Partial

10.3.6.0, 12.1.1.0, 12.1.2.0

CVE-2014-4202

Oracle WebLogic Server

HTTP

WLS - Web Services

Yes

5.0

Network

Low

None

None

None

Partial

10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0

CVE-2014-4210

Oracle WebLogic Server

HTTP

WLS - Web Services

Yes

5.0

Network

Low

None

Partial

None

None

10.0.2.0, 10.3.6.0

CVE-2014-4253

Oracle WebLogic Server

T3

WebLogic Server JVM

Yes

5.0

Network

Low

None

None

None

Partial+

10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0

CVE-2013-1620

GlassFish Communications Server

Multiple

Security

Yes

4.3

Network

Medium

None

Partial

None

None

2.0

See Note 2

CVE-2014-4212

Oracle Fusion Middleware

HTTPS

Process Mgmt & Notification

Yes

4.3

Network

Medium

None

Partial

None

None

11.1.1.7

See Note 3

CVE-2013-5855

Oracle GlassFish Server

HTTP

JavaServer Faces

Yes

4.3

Network

Medium

None

None

Partial

None

3.0.1, 3.1.2

CVE-2013-5855

Oracle JDeveloper

HTTP

JavaServer Faces

Yes

4.3

Network

Medium

None

None

Partial

None

11.1.2.4.0, 12.1.2.0.0

CVE-2014-4242

Oracle WebLogic Server

HTTP

Console

Yes

4.3

Network

Medium

None

None

Partial

None

10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0

CVE-2014-4217

Oracle WebLogic Server

HTTP

WLS - Web Services

Yes

4.3

Network

Medium

None

None

Partial

None

10.0.2.0, 10.3.6.0, 12.1.1.0

CVE-2014-4241

Oracle WebLogic Server

HTTP

WLS - Web Services

Yes

4.3

Network

Medium

None

None

Partial

None

10.0.2.0, 10.3.6.0

CVE-2013-5855

Oracle WebLogic Server

HTTP

Web Container

Yes

4.3

Network

Medium

None

None

Partial

None

12.1.1.0, 12.1.2.0

CVE-2014-4251

Oracle HTTP Server

HTTP

plugin 1.1

No

3.5

Network

Medium

Single

None

Partial

None

11.1.1.7.0, 12.1.2.0

CVE-2014-4222

Oracle HTTP Server

HTTPS

plugin 1.1

No

2.1

Network

High

Single

Partial

None

None

11.1.1.7.0, 12.1.2.0

Notes:

1. This fix also addresses CVE-2013-1739,CVE-2013-1740, CVE-2013-5605, CVE-2013-5606,CVE-2014-1490, CVE-2014-1491, CVE-2014-1492.
2. This fix also addresses CVE-2013-2172. CVE-2013-2172 is equivalent to CVE-2013-2461
3. Please refer to My Oracle Support Note 1905314.1 for instructions on optional configuration steps.

Appendix - Oracle Hyperion****Oracle Hyperion Executive Summary

This Critical Patch Update contains 7 new security fixes for Oracle Hyperion. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Hyperion Risk Matrix

CVE#

Component

Protocol

Sub-component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2014-4271

Hyperion Essbase

TCP

Agent

Yes

5.0

Network

Low

None

None

None

Partial+

11.1.2.2, 11.1.2.3

CVE-2014-0436

Hyperion BI+

HTTP

Web Analysis

Yes

4.3

Network

Medium

None

None

Partial

None

11.1.2.2, 11.1.2.3

CVE-2014-4203

Hyperion Enterprise Performance Management Architect

HTTP

Property Editing

No

4.1

Local

Medium

Single

Partial

Partial

Partial

11.1.2.2, 11.1.2.3

CVE-2014-4270

Hyperion Common Admin

HTTP

User Interface

No

4.0

Network

Low

Single

Partial

None

None

11.1.2.2, 11.1.2.3

CVE-2014-4269

Hyperion Common Admin

HTTP

User Interface

No

4.0

Network

Low

Single

Partial

None

None

11.1.2.2, 11.1.2.3

CVE-2014-4246

Hyperion Analytic Provider Services

XML

SVP

No

3.5

Network

Medium

Single

Partial

None

None

11.1.2.2, 11.1.2.3

CVE-2014-4206

Hyperion Enterprise Performance Management Architect

HTTP

Data Synchronizer

No

3.3

Local

Medium

None

None

Partial

Partial

11.1.2.2, 11.1.2.3

Appendix - Oracle Enterprise Manager Grid Control****Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Enterprise Manager Grid Control. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. This fix is not applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager Grid Control Risk Matrix

CVE#

Component

Protocol

Sub-component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2014-4239

Solaris

SSL/TLS

Common Agent Container (Cacao)

No

4.0

Network

Low

Single

Partial

None

None

2.3.1.0, 2.3.1.1, 2.3.1.2, 2.4.0.0, 2.4.1.0, 2.4.2.0

See Note 1

Notes:

1. Applies only when Cacao is running on Solaris platform.

Appendix - Oracle Applications****Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle E-Business Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite Risk Matrix

CVE#

Component

Protocol

Sub-component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2014-0224

Oracle Applications Technology Stack

HTTPS

IAS For App Technology

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

11.5.10.2

CVE-2014-2482

Oracle Concurrent Processing

HTTP

-

No

5.5

Network

Low

Single

Partial

Partial

None

12.1.3, 12.2.2, 12.2.3

CVE-2014-4213

Oracle Applications Manager

HTTP

-

Yes

4.3

Network

Medium

None

None

Partial

None

12.0.6, 12.1.3, 12.2.2, 12.2.3

CVE-2014-4235

Oracle iStore

HTTP

-

No

3.5

Network

Medium

Single

None

Partial

None

11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3

CVE-2014-4248

Oracle Application Object Library

HTTP

Logging

No

1.0

Local

High

Single

Partial

None

None

11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 3 new security fixes for the Oracle Supply Chain Products Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

CVE#

Component

Protocol

Sub-component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2014-4229

Oracle Transportation Management

HTTP

Data, Domain & Function Security

No

5.5

Network

Low

Single

Partial

Partial

None

6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4

CVE-2014-4234

Oracle Transportation Management

HTTP

Data, Domain & Function Security

Yes

5.0

Network

Low

None

Partial

None

None

6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4

CVE-2014-2492

Oracle Agile Product Collaboration

HTTP

Web client (PC)

Yes

4.3

Network

Medium

None

None

Partial

None

9.3.3

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 5 new security fixes for Oracle PeopleSoft Products. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

CVE#

Component

Protocol

Sub-component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2014-2456

PeopleSoft Enterprise ELS Enterprise Learning Management

HTTP

Enterprise Learning Mgmt

No

5.5

Network

Low

Single

Partial

Partial

None

9.1, 9.2

CVE-2014-2496

PeopleSoft Enterprise PT PeopleTools

HTTPS

Test Framework

No

5.5

Network

Low

Single

Partial

Partial

None

8.52, 8.53

CVE-2014-4226

PeopleSoft Enterprise FIN Install

HTTPS

Install

Yes

5.1

Network

High

None

Partial+

Partial+

Partial+

9.1, 9.2

CVE-2014-4204

PeopleSoft Enterprise PT PeopleTools

HTTP

PIA Core Technology

No

3.5

Network

Medium

Single

None

Partial

None

8.53

CVE-2014-2495

PeopleSoft Enterprise SCM Purchasing

HTTP

Purchasing

No

2.3

Adjacent Network

Medium

Single

Partial+

None

None

9.1, 9.2

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 6 new security fixes for Oracle Siebel CRM. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

CVE#

Component

Protocol

Sub-component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2014-4231

Siebel Travel & Transportation

HTTP

Diary

Yes

4.3

Network

Medium

None

None

Partial

None

8.1.1, 8.2.2

CVE-2014-4230

Siebel UI Framework

HTTP

Open_UI

Yes

4.3

Network

Medium

None

None

Partial

None

8.1.1, 8.2.2

CVE-2014-2491

Siebel UI Framework

HTTP

Portal Framework

Yes

4.3

Network

Medium

None

None

Partial

None

8.1.1, 8.2.2

CVE-2014-4205

Siebel UI Framework

HTTP

Portal Framework

Yes

4.3

Network

Medium

None

None

Partial

None

8.1.1, 8.2.2

CVE-2014-4250

Siebel Core - Server OM Frwks

HTTP

Object Manager

No

3.5

Network

Medium

Single

Partial

None

None

8.1.1, 8.2.2

CVE-2014-2485

Siebel Core - EAI

HTTP

Integration Business Services

No

1.4

Local

Low

Multiple

Partial

None

None

8.1.1, 8.2.2

Appendix - Oracle Industry Applications****Oracle Communications Applications Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Communications Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

CVE#

Component

Protocol

Sub-component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2013-1741

Oracle Communications Messaging Server

SSL/TLS

Security

Yes

7.5

Network

Low

None

Partial

Partial

Partial

7.0.5.30.0 and earlier

See Note 1

Notes:

1. This fix also addresses CVE-2013-1620, CVE-2013-1739, CVE-2013-1740, CVE-2013-5605, CVE-2013-5606, CVE-2014-1490, CVE-2014-1491 and CVE-2014-1492.

Oracle Retail Applications Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle Retail Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Retail Applications Risk Matrix

CVE#

Component

Protocol

Sub-component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2014-0114

Oracle Retail Back Office

HTTP

Security

Yes

7.5

Network

Low

None

Partial

Partial

Partial

8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0

CVE-2014-0114

Oracle Retail Central Office

HTTP

Security

Yes

7.5

Network

Low

None

Partial

Partial

Partial

8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0

CVE-2014-0114

Oracle Retail Returns Management

HTTP

Security

Yes

7.5

Network

Low

None

Partial

Partial

Partial

2.0, 13.1, 13.2, 13.3, 13.4, 14.0

Appendix - Oracle Java SE****Oracle Java SE Executive Summary

This Critical Patch Update contains 20 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Partial” instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.

My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products that include an Oracle Java SE JDK or JRE.

Oracle Java SE Risk Matrix

CVE#

Component

Protocol

Sub-component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2014-4227

Java SE

Multiple

Deployment

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Java SE 6u75, Java SE 7u60, Java SE 8u5

See Note 1

CVE-2014-4219

Java SE

Multiple

Hotspot

Yes

9.3

Network

Medium

None

Complete

Complete

Complete

Java SE 6u75, Java SE 7u60, Java SE 8u5

See Note 1

CVE-2014-2490

Java SE

Multiple

Hotspot

Yes

9.3

Network

Medium

None

Complete

Complete

Complete

Java SE 7u60, Java SE 8u5

See Note 1

CVE-2014-4216

Java SE

Multiple

Hotspot

Yes

9.3

Network

Medium

None

Complete

Complete

Complete

Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5

See Note 1

CVE-2014-4247

Java SE

Multiple

JavaFX

Yes

9.3

Network

Medium

None

Complete

Complete

Complete

Java SE 8u5

See Note 1

CVE-2014-2483

Java SE

Multiple

Libraries

Yes

9.3

Network

Medium

None

Complete

Complete

Complete

Java SE 7u60

See Note 1

CVE-2014-4223

Java SE

Multiple

Libraries

Yes

9.3

Network

Medium

None

Complete

Complete

Complete

Java SE 7u60

See Note 1

CVE-2014-4262

Java SE

Multiple

Libraries

Yes

9.3

Network

Medium

None

Complete

Complete

Complete

Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5

See Note 1

CVE-2014-4209

Java SE

Multiple

JMX

Yes

6.4

Network

Low

None

Partial

Partial

None

Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5

See Note 1

CVE-2014-4265

Java SE

Multiple

Deployment

Yes

5.0

Network

Low

None

None

Partial

None

Java SE 6u75, Java SE 7u60, Java SE 8u5

See Note 1

CVE-2014-4220

Java SE

Multiple

Deployment

Yes

5.0

Network

Low

None

None

Partial

None

Java SE 7u60, Java SE 8u5

See Note 1

CVE-2014-4218

Java SE

Multiple

Libraries

Yes

5.0

Network

Low

None

None

Partial

None

Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5

See Note 1

CVE-2014-4252

Java SE

Multiple

Security

Yes

5.0

Network

Low

None

Partial

None

None

Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5

See Note 1

CVE-2014-4266

Java SE

Multiple

Serviceability

Yes

5.0

Network

Low

None

None

Partial

None

Java SE 7u60, Java SE 8u5

See Note 1

CVE-2014-4268

Java SE

Multiple

Swing

Yes

5.0

Network

Low

None

Partial

None

None

Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5

See Note 1

CVE-2014-4264

Java SE

SSL/TLS

Security

Yes

5.0

Network

Low

None

None

None

Partial

Java SE 7u60, Java SE 8u5

See Note 2

CVE-2014-4221

Java SE

Multiple

Libraries

Yes

4.3

Network

Medium

None

Partial

None

None

Java SE 7u60, Java SE 8u5

See Note 1

CVE-2014-4244

Java SE, JRockit

Multiple

Security

Yes

4.0

Network

High

None

Partial

Partial

None

Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5, JRockit R27.8.2, JRockit R28.3.2

See Note 3

CVE-2014-4263

Java SE, JRockit

Multiple

Security

Yes

4.0

Network

High

None

Partial

Partial

None

Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5, JRockit R27.8.2, JRockit R28.3.2

See Note 4

CVE-2014-4208

Java SE

Multiple

Deployment

Yes

2.6

Network

High

None

None

Partial

None

Java SE 7u60, Java SE 8u5

See Note 1

Notes:

1. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
2. Applies to client and server deployment of JSSE.
3. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
4. Applies to Diffie-Hellman key agreement in client and server deployment of Java.

Appendix - Oracle and Sun Systems Products Suite****Oracle and Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 3 new security fixes for the Oracle and Sun Systems Products Suite. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle and Sun Systems Products Suite Risk Matrix

CVE#

Component

Protocol

Sub-component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2014-4225

Solaris

None

Patch installation scripts

No

6.9

Local

Medium

None

Complete

Complete

Complete

10

CVE-2014-4215

Solaris

None

CPU performance counters (CPC) drivers

No

4.9

Local

Low

None

None

None

Complete

10, 11.1

CVE-2014-4224

Solaris

None

sockfs

No

4.9

Local

Low

None

None

None

Complete

8, 9, 10, 11.1

CVE-2014-4239 (Oracle Enterprise Manager Grid Control)

Solaris

SSL/TLS

Common Agent Container (Cacao)

No

4.0

Network

Low

Single

Partial

None

None

8, 9, 10, 11.1

Appendix - Oracle Linux and Virtualization****Oracle Virtualization Executive Summary

This Critical Patch Update contains 15 new security fixes for Oracle Virtualization. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

CVE#

Component

Protocol

Sub-component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2014-0211

Oracle Secure Global Desktop (SGD)

TCP

LibXfont

Yes

7.5

Network

Low

None

Partial

Partial

Partial

4.63, 4.71, 5.0, 5.1

See Note 1

CVE-2014-2487

Oracle VM VirtualBox

None

Core

No

6.9

Local

Medium

None

Complete

Complete

Complete

VirtualBox prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.14

See Note 2

CVE-2014-4261

Oracle VM VirtualBox

None

Core

No

6.9

Local

Medium

None

Complete

Complete

Complete

VirtualBox prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.14

See Note 2

CVE-2014-0224

Oracle Secure Global Desktop (SGD)

SSL/TLS

OpenSSL

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

4.63, 4.71, 5.0, 5.1

See Note 3

CVE-2013-4286

Oracle Secure Global Desktop (SGD)

HTTP

Apache Tomcat

Yes

5.8

Network

Medium

None

Partial

Partial

None

4.63, 4.71, 5.0, 5.1

See Note 4

CVE-2014-0098

Oracle Secure Global Desktop (SGD)

HTTP

Apache HTTP Server

Yes

5.0

Network

Low

None

None

None

Partial

4.63, 4.71, 5.0, 5.1

See Note 5

CVE-2012-3544

Oracle Virtual Desktop Infrastructure (VDI)

HTTP

Apache Tomcat

Yes

5.0

Network

Low

None

None

None

Partial

VDI prior to 3.5.1

CVE-2012-3544

Sun Ray Software

HTTP

Apache Tomcat

Yes

5.0

Network

Low

None

None

None

Partial

Sun Ray Software prior to 5.4.3

CVE-2014-4228

Oracle VM VirtualBox

None

Graphics driver (WDDM) for Windows guests

No

4.4

Local

Medium

None

Partial

Partial

Partial+

VirtualBox prior to 4.1.34, 4.2.26, 4.3.12

CVE-2014-0033

Oracle Secure Global Desktop (SGD)

HTTP

Apache Tomcat

Yes

4.3

Network

Medium

None

Partial

None

None

4.63

CVE-2014-4232

Oracle Secure Global Desktop (SGD)

HTTP

Workspace Web Application

Yes

4.3

Network

Medium

None

None

Partial

None

4.63, 4.71, 5.0, 5.1

CVE-2014-2489

Oracle VM VirtualBox

None

Core

No

4.1

Local

Medium

Single

Partial+

Partial+

Partial+

VirtualBox prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.12

CVE-2014-2477

Oracle VM VirtualBox

None

Core

No

3.6

Local

Low

None

None

Partial

Partial

VirtualBox prior to 4.0.26, 4.1.34, 4.2.26, 4.3.12

CVE-2014-2486

Oracle VM VirtualBox

None

Core

No

3.0

Local

Medium

Single

None

Partial+

Partial+

VirtualBox prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.12

CVE-2014-2488

Oracle VM VirtualBox

None

Core

No

1.0

Local

High

Single

Partial+

None

None

VirtualBox prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.12

Notes:

1. This fix also addresses CVE-2014-0209 and CVE-2014-0210.
2. Applies only when VirtualBox is running on a Windows host operating system.
3. This fix also addresses CVE-2010-5298, CVE-2013-6449 and CVE-2013-6450, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221 and CVE-2014-3470.
4. This fix also addresses CVE-2013-4322, CVE-2014-0050, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099 and CVE-2014-0119.
5. This fix also addresses CVE-2013-6438.

Appendix - Oracle MySQL****Oracle MySQL Executive Summary

This Critical Patch Update contains 10 new security fixes for Oracle MySQL. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVE#

Component

Protocol

Sub-component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2014-2484

MySQL Server

MySQL Protocol

SRFTS

No

6.5

Network

Low

Single

Partial+

Partial+

Partial+

5.6.17 and earlier

CVE-2014-4258

MySQL Server

MySQL Protocol

SRINFOSC

No

6.5

Network

Low

Single

Partial+

Partial+

Partial+

5.5.37 and earlier, 5.6.17 and earlier

CVE-2014-4260

MySQL Server

MySQL Protocol

SRCHAR

No

5.5

Network

Low

Single

None

Partial

Partial+

5.5.37 and earlier, 5.6.17 and earlier

CVE-2014-2494

MySQL Server

MySQL Protocol

ENARC

No

4.0

Network

Low

Single

None

None

Partial+

5.5.37 and earlier

CVE-2014-4238

MySQL Server

MySQL Protocol

SROPTZR

No

4.0

Network

Low

Single

None

None

Partial+

5.6.17 and earlier

CVE-2014-4207

MySQL Server

MySQL Protocol

SROPTZR

No

4.0

Network

Low

Single

None

None

Partial+

5.5.37 and earlier

CVE-2014-4233

MySQL Server

MySQL Protocol

SRREP

No

4.0

Network

Low

Single

None

None

Partial+

5.6.17 and earlier

CVE-2014-4240

MySQL Server

MySQL Protocol

SRREP

No

3.6

Local

Low

None

Partial

Partial

None

5.6.17 and earlier

CVE-2014-4214

MySQL Server

MySQL Protocol

SRSP

No

3.3

Network

Low

Multiple

None

None

Partial+

5.6.17 and earlier

CVE-2014-4243

MySQL Server

MySQL Protocol

ENFED

No

2.8

Network

Medium

Multiple

None

None

Partial+

5.5.35 and earlier, 5.6.15 and earlier

Why Oracle

• Analyst Reports
• Gartner MQ for Cloud ERP
• Cloud Economics
• Corporate Responsibility
• Diversity and Inclusion
• Security Practices

Learn

• What is cloud computing?
• What is CRM?
• What is Docker?
• What is Kubernetes?
• What is Python?
• What is SaaS?

What’s New

• Oracle Supports Ukraine

• Oracle CloudWorld

• Oracle and Premier League

• Oracle Red Bull Racing

• Employee Experience Platform

• Oracle Support Rewards

• © 2022 Oracle

• Site Map

• Privacy/Do Not Sell My Info

• Ad Choices

• Careers

• Facebook

• Twitter

• LinkedIn

• YouTube