CVE-2014-4265: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.


Oracle Critical Patch Update Advisory - July 2014

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are generally cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 113 new security fixes across the product families listed below.

Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available at: http://www.oracle.com/security-alerts/cpufaq.html#CVRF.

Please note that on April 18, 2014, Oracle released a Security Alert for CVE-2014-0160 OpenSSL "Heartbleed". This Critical Patch Update includes an update to MySQL Enterprise Server 5.6 and this update includes a fix for vulnerability CVE-2014-0160. Customers of other Oracle products are strongly advised to apply the fixes that were announced in the Security Alert for CVE-2014-0160.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

| Affected Products and Versions | Patch Availability |
|---|---|
| Oracle Database 11g Release 1, version 11.1.0.7 | Database |
| Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4 | Database |
| Oracle Database 12c Release 1, version 12.1.0.1 | Database |
| Oracle Fusion Middleware 11g Release 1, version 11.1.1.7 | Fusion Middleware |
| Oracle Fusion Middleware 12c Release 1, version 12.1.2.0 | Fusion Middleware |
| Oracle Fusion Applications, versions 11.1.2 through 11.1.8 | Fusion Applications |
| Oracle Glassfish Server, versions 2.1.1, 3.0.1, 3.1.2 | Fusion Middleware |
| Oracle Traffic Director, version 11.1.1.7.0 | Fusion Middleware |
| Oracle iPlanet Web Proxy Server, version 4.0.24 | Fusion Middleware |
| Oracle iPlanet Web Server, versions 6.1, 7.0 | Fusion Middleware |
| Oracle WebCenter Portal, versions 11.1.1.7.0, 11.1.1.8.0 | Fusion Middleware |
| Oracle WebLogic Server, versions 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0 | Fusion Middleware |
| Oracle JDeveloper, versions 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0 | Fusion Middleware |
| Oracle BI Publisher, version 11.1.1.7 | Fusion Middleware |
| Oracle Glassfish Communications Server, version 2.0 | Fusion Middleware |
| Oracle HTTP Server, versions 11.1.1.7.0, 12.1.2.0 | Fusion Middleware |
| Oracle Hyperion Essbase, versions 11.1.2.2, 11.1.2.3 | Fusion Middleware |
| Oracle Hyperion BI+, versions 11.1.2.2, 11.1.2.3 | Fusion Middleware |
| Oracle Hyperion Enterprise Performance Management Architect, versions 11.1.2.2, 11.1.2.3 | Fusion Middleware |
| Oracle Hyperion Common Admin, versions 11.1.2.2, 11.1.2.3 | Fusion Middleware |
| Oracle Hyperion Analytic Provider Services, versions 11.1.2.2, 11.1.2.3 | Fusion Middleware |
| Oracle E-Business Suite Release 11i, version 11.5.10.2 | E-Business Suite |
| Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.3, 12.2.2, 12.2.3 | E-Business Suite |
| Oracle Transportation Management, versions 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4 | Oracle Supply Chain |
| Oracle Agile Product Collaboration, version 9.3.3 | Oracle Supply Chain |
| Oracle PeopleSoft Enterprise ELS Enterprise Learning Management, versions 9.1, 9.2 | PeopleSoft |
| Oracle PeopleSoft Enterprise PT PeopleTools, versions 8.52, 8.53 | PeopleSoft |
| Oracle PeopleSoft Enterprise FIN Install, versions 9.1, 9.2 | PeopleSoft |
| Oracle PeopleSoft Enterprise SCM Purchasing, versions 9.1, 9.2 | PeopleSoft |
| Oracle Siebel Travel & Transportation, versions 8.1.1, 8.2.2 | Siebel |
| Oracle Siebel UI Framework, versions 8.1.1, 8.2.2 | Siebel |
| Oracle Siebel Core - Server OM Frwks, versions 8.1.1, 8.2.2 | Siebel |
| Oracle Siebel Core - EAI, versions 8.1.1, 8.2.2 | Siebel |
| Oracle Communications Messaging Server, version 7.0.5.30.0 | Oracle Communications Applications |
| Oracle Retail Back Office, versions 8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0 | Retail |
| Oracle Retail Central Office, versions 8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0 | Retail |
| Oracle Retail Returns Management, versions 2.0, 13.1, 13.2, 13.3, 13.4, 14.0 | Retail |
| Oracle Java SE, versions 5.0u65, 6u75, 7u60, 8u5 | Oracle Java SE |
| Oracle JRockit, versions R27.8.2, R28.3.2 | Oracle Java SE |
| Oracle Solaris, versions 8, 9, 10, 11.1 | Oracle and Sun Systems Products Suite |
| Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1 | Oracle Linux and Virtualization |
| Oracle VM VirtualBox, versions prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.14 | Oracle Linux and Virtualization |
| Oracle Virtual Desktop Infrastructure (VDI), versions prior to 3.5.1 | Oracle Linux and Virtualization |
| Sun Ray Software, versions prior to 5.4.3 | Oracle Linux and Virtualization |
| Oracle MySQL Server, versions 5.5, 5.6 | Oracle MySQL Product Suite |

Patch Availability Table and Risk Matrices

Products with Cumulative Patches

The Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Industry Applications, Primavera and Oracle VM patches in the Critical Patch Updates are cumulative. In other words, patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates. For more information about cumulative and non-cumulative patches, check the patch availability documents in the table below for the respective product groups.

Patch Availability Table

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update July 2014 Documentation Map, My Oracle Support Note 1662887.1.

| Product Group | Risk Matrix | Patch Availability and Installation Information |
|---|---|---|
| Oracle Database | Oracle Database Risk Matrix | Patch Set Update and Critical Patch Update July 2014 Availability Document, My Oracle Support Note 1666884.1 |
| Oracle Fusion Middleware | Oracle Fusion Middleware Risk Matrix | Patch Set Update and Critical Patch Update July 2014 Availability Document, My Oracle Support Note 1666884.1 |
| Oracle Fusion Applications | Oracle Database Risk Matrix and Oracle Fusion Middleware Risk Matrix | Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to the Oracle Fusion Applications Critical Patch Update Knowledge Document (July 2014), My Oracle Support Note 1907352.1, for information on patches to be applied to Fusion Applications environments. |
| Oracle Hyperion | Oracle Hyperion Risk Matrix | Patch Set Update and Critical Patch Update July 2014 Availability Document, My Oracle Support Note 1666884.1 |
| Oracle E-Business Suite | Oracle E-Business Suite Risk Matrix | Critical Patch Update Knowledge Document for Oracle E-Business Suite, My Oracle Support Note 1668237.1 |
| Oracle Applications - PeopleSoft Enterprise, Siebel CRM, Oracle Supply Chain Product Suite | Oracle PeopleSoft Enterprise Risk Matrix; Oracle Siebel CRM Risk Matrix; Oracle Supply Chain Risk Matrix | Critical Patch Update Knowledge Document for PeopleSoft Enterprise, Siebel Core, and Oracle Supply Chain Products Suite, My Oracle Support Note 1684873.1 |
| Oracle Communications Applications | Oracle Communications Messaging Server Risk Matrix | Critical Patch Update Knowledge Document for Oracle Communications Messaging Server, My Oracle Support Note 1906392.1 |
| Oracle Retail Industry Suite | Oracle Retail Applications Risk Matrix | Critical Patch Update July 2014 Patch Delivery Document for Oracle Retail Products, My Oracle Support Note 1684864.1 |
| Oracle Java SE | Oracle Java SE Risk Matrix | Critical Patch Update July 2014 Patch Availability Document for Java SE, My Oracle Support Note 1900468.1. Users running Java SE with a browser can download the latest release from http://java.com; users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release. The latest JavaFX release is included with the latest update of JDK and JRE 7 and 8. |
| Oracle and Sun Systems Products Suite | Oracle and Sun Systems Products Suite Risk Matrix | Critical Patch Update July 2014 Patch Delivery Document for Oracle and Sun Systems Product Suite, My Oracle Support Note 1900373.1 |
| Oracle Linux and Virtualization Products | Oracle Linux and Virtualization Products Risk Matrix | Patch Set Update and Critical Patch Update July 2014 Availability Document, My Oracle Support Note 1684947.1 |
| Oracle MySQL | Oracle MySQL Risk Matrix | Critical Patch Update July 2014 Patch Availability Document for Oracle MySQL Products, My Oracle Support Note 1684603.1 |

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. Italics indicate vulnerabilities in code included from other product areas.

Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol listed in a risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected; for example, HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
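The scoring paragraph under Risk Matrix Content and the interim workaround above can be turned into a small triage script. The following is an added example, not Oracle tooling: it recomputes CVSS v2.0 base scores from the label columns used in the risk matrices below, checks them against the published Base Score, orders fixes for patching, and lists the protocols an interim network block would need to cover (applying the rule that listing HTTP implies HTTPS). The sample rows are copied from this advisory's matrices; the function names and the `SAMPLE_ROWS` constant are this example's own.

```python
"""Recompute CVSS v2.0 base scores from Oracle risk-matrix labels and plan an
interim network workaround.  Added example: the functions and SAMPLE_ROWS are
this example's own, not Oracle tooling; the row values are copied from the
July 2014 risk matrices in this advisory."""
import math

# CVSS v2.0 base-metric weights (CVSS v2 specification), keyed by the labels
# Oracle prints in its risk matrices.  "Partial+" is Oracle's marker for a
# Partial impact that may escalate; it is scored exactly like Partial.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Partial+": 0.275, "Complete": 0.660}

# Per this advisory, listing a protocol implies its secure variant is affected too.
SECURE_VARIANTS = {"HTTP": "HTTPS"}


def round1(x):
    """Round half up to one decimal place, the CVSS v2 convention, rather than
    relying on Python's round(), which rounds ties to even."""
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base_score(av, ac, au, c, i, a):
    """CVSS v2.0 base score from the six label columns of an Oracle risk matrix."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


# Constructed sample: rows copied from the risk matrices in this advisory.
# Fields: CVE, component, protocol, remote exploit without auth?, published
# base score, then Access Vector, Access Complexity, Authentication,
# Confidentiality, Integrity, Availability.
SAMPLE_ROWS = [
    ("CVE-2013-3751", "XML Parser", "HTTP", "No", 9.0,
     "Network", "Low", "Single", "Complete", "Complete", "Complete"),
    ("CVE-2013-3774", "Network Layer", "Oracle Net", "Yes", 7.6,
     "Network", "High", "None", "Complete", "Complete", "Complete"),
    ("CVE-2013-1741", "Oracle GlassFish Server", "HTTPS", "Yes", 7.5,
     "Network", "Low", "None", "Partial+", "Partial+", "Partial+"),
    ("CVE-2014-4257", "Oracle WebCenter Portal", "HTTP", "Yes", 7.1,
     "Network", "Medium", "None", "Complete", "None", "None"),
    ("CVE-2014-4236", "RDBMS Core", "Oracle Net", "No", 6.5,
     "Network", "Low", "Single", "Partial+", "Partial+", "Partial+"),
    ("CVE-2014-4253", "Oracle WebLogic Server", "T3", "Yes", 5.0,
     "Network", "Low", "None", "None", "None", "Partial+"),
    ("CVE-2014-2495", "PeopleSoft Enterprise SCM Purchasing", "HTTP", "No", 2.3,
     "Adjacent Network", "Medium", "Single", "Partial+", "None", "None"),
    ("CVE-2014-2485", "Siebel Core - EAI", "HTTP", "No", 1.4,
     "Local", "Low", "Multiple", "Partial", "None", "None"),
]


def score_mismatches(rows):
    """CVEs whose recomputed base score differs from the published one; an
    empty list means the matrix labels and scores are mutually consistent."""
    return [row[0] for row in rows if cvss2_base_score(*row[5:]) != row[4]]


def patch_order(rows):
    """CVE ids ordered for patching: highest base score first, and among equal
    scores the ones exploitable over the network without credentials first."""
    ranked = sorted(rows, key=lambda r: (r[4], r[3] == "Yes"), reverse=True)
    return [r[0] for r in ranked]


def protocols_to_block(rows):
    """Protocols an interim perimeter block would have to cover to shield the
    rows that need no credentials, expanding HTTP to HTTPS as the advisory says."""
    protocols = set()
    for row in rows:
        if row[3] == "Yes":
            protocols.add(row[2])
            if row[2] in SECURE_VARIANTS:
                protocols.add(SECURE_VARIANTS[row[2]])
    return protocols


if __name__ == "__main__":
    print("score mismatches:", score_mismatches(SAMPLE_ROWS))
    print("patch order:", patch_order(SAMPLE_ROWS))
    print("protocols to block pending patches:", sorted(protocols_to_block(SAMPLE_ROWS)))
```

Extending `SAMPLE_ROWS` with the remaining matrix rows gives a per-estate patch plan; a non-empty mismatch list usually means a label was transcribed wrongly rather than that Oracle's score is off.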

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update July 2014 Availability Document, My Oracle Support Note 1666884.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Alon Friedman; Andrea Micalizzi aka rgod, working with HP’s Zero Day Initiative; Borked of the Google Security Team; CERT/CC; Cihan Öncü of Biznet Bilişim A.Ş; David Litchfield of Datacom TSS; Florian Weimer of Red Hat; Ilja van Sprundel of ioactive.com; Jeroen Frijters; John Leitch working with HP’s Zero Day Initiative; Larry W. Cashdollar; Matt Bergin of KoreLogic Disclosures; Michael Miller of Integrigy; Peter Kamensky of ERPScan (Digital Security Research Group); Rafal Wojtczuk of Bromium; Rohan Stelling of BAE Systems Detica; Sayan Malakshinov of PSBank; Serguei Mourachov; Toby Clarke of Gotham Digital Science; and Yash Kadakia of Security Brigade.

Security-In-Depth Contributors

Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Alexander Kornbrust of Red Database Security; Bartlomiej Balcerek of Wroclaw University of Technology; David Litchfield of Datacom TSS; Lutz Wolf of RedTeam Pentesting GmbH and Paul M. Wright for contributions to Oracle’s Security-In-Depth program.

On-Line Presence Security Contributors

Oracle provides recognition to people that have contributed to our On-Line Presence Security program (see FAQ). People are recognized for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes Adam Willard of Foreground Security; Ateeq Khan; Bikash Dash; Cameron Crowley; Inti de Ceukalaire; Jayson Zabate; Provensec Labs; Koutrouss Naddara; Manoj Kumar; Monendra Sahu; Osanda Malith Jayathissa; Rodolfo Godalle; S. Venkatesh; Satheesh Raj; Suraj Radhakrishnan; and Yasser Gamal Ahmed for contributions to Oracle’s On-Line Presence Security program.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 14 October 2014
  • 20 January 2015
  • 14 April 2015
  • 14 July 2015

References

  • Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
  • Critical Patch Update - July 2014 Documentation Map [ My Oracle Support Note 1662887.1 ]
  • Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
  • Risk Matrix definitions [ Risk Matrix Definitions ]
  • Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
  • English text version of the risk matrices [ Oracle Technology Network ]
  • CVRF XML version of the risk matrices [ Oracle Technology Network ]
  • The Oracle Software Security Assurance Blog [ The Oracle Software Security Assurance Blog ]
  • List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
  • Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]

Modification History

2014-July-24

Rev 2. Updated Package and/or Privilege Required for CVE-2014-4236

2014-July-15

Rev 1. Initial Release

Appendix - Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

Columns from Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-3751 | XML Parser | HTTP | Create Session | No | 9.0 | Network | Low | Single | Complete | Complete | Complete | 12.1.0.1 | |
| CVE-2013-3774 | Network Layer | Oracle Net | None | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | 12.1.0.1 | |
| CVE-2014-4236 | RDBMS Core | Oracle Net | Create Session, Grant on DBMS_REDACT | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 11.2.0.4, 12.1.0.1 | |
| CVE-2014-4237 | RDBMS Core | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | Partial | None | None | 11.2.0.4, 12.1.0.1 | |
| CVE-2014-4245 | RDBMS Core | Oracle Net | Create Session | No | 3.5 | Network | Medium | Single | Partial+ | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 | |

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 29 new security fixes for Oracle Fusion Middleware. 27 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware Risk Matrix

Columns from Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-1741 | Oracle GlassFish Server | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 2.1.1 | See Note 1 |
| CVE-2013-1741 | Oracle Traffic Director | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 11.1.1.7.0 | See Note 1 |
| CVE-2013-1741 | Oracle iPlanet Web Proxy Server | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 4.0.24 | See Note 1 |
| CVE-2013-1741 | Oracle iPlanet Web Server | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 6.1, 7.0 | See Note 1 |
| CVE-2014-4257 | Oracle WebCenter Portal | HTTP | Portlet Services | Yes | 7.1 | Network | Medium | None | Complete | None | None | 11.1.1.7.0, 11.1.1.8.0 | |
| CVE-2014-2481 | Oracle WebLogic Server | HTTP | - | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0 | |
| CVE-2014-2480 | Oracle WebLogic Server | HTTP | - | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0 | |
| CVE-2014-4255 | Oracle WebLogic Server | HTTP | WLS - Security and Policy | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 10.3.6.0, 12.1.1.0, 12.1.2.0 | |
| CVE-2014-4254 | Oracle WebLogic Server | HTTP | WLS - Web Services | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 10.3.6.0, 12.1.1.0, 12.1.2.0 | |
| CVE-2014-2479 | Oracle WebLogic Server | HTTP | WLS - Web Services | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0 | |
| CVE-2014-4267 | Oracle WebLogic Server | HTTP | WLS Core Components | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0 | |
| CVE-2014-2493 | Oracle JDeveloper | HTTP | ADF Faces | Yes | 6.4 | Network | Low | None | Partial | None | Partial | 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0 | |
| CVE-2014-4256 | Oracle WebLogic Server | HTTP | WLS - Deployment | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0 | |
| CVE-2014-4249 | BI Publisher | HTTP | Mobile Service | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.1.1.7 | |
| CVE-2014-4211 | Oracle WebCenter Portal | HTTP | Portlet Services | Yes | 5.0 | Network | Low | None | None | Partial | None | 11.1.1.7, 11.1.1.8 | |
| CVE-2014-4201 | Oracle WebLogic Server | HTTP | WLS - Web Services | Yes | 5.0 | Network | Low | None | None | None | Partial | 10.3.6.0, 12.1.1.0, 12.1.2.0 | |
| CVE-2014-4202 | Oracle WebLogic Server | HTTP | WLS - Web Services | Yes | 5.0 | Network | Low | None | None | None | Partial | 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0 | |
| CVE-2014-4210 | Oracle WebLogic Server | HTTP | WLS - Web Services | Yes | 5.0 | Network | Low | None | Partial | None | None | 10.0.2.0, 10.3.6.0 | |
| CVE-2014-4253 | Oracle WebLogic Server | T3 | WebLogic Server JVM | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0 | |
| CVE-2013-1620 | GlassFish Communications Server | Multiple | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | 2.0 | See Note 2 |
| CVE-2014-4212 | Oracle Fusion Middleware | HTTPS | Process Mgmt & Notification | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.1.1.7 | See Note 3 |
| CVE-2013-5855 | Oracle GlassFish Server | HTTP | JavaServer Faces | Yes | 4.3 | Network | Medium | None | None | Partial | None | 3.0.1, 3.1.2 | |
| CVE-2013-5855 | Oracle JDeveloper | HTTP | JavaServer Faces | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.1.2.4.0, 12.1.2.0.0 | |
| CVE-2014-4242 | Oracle WebLogic Server | HTTP | Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0 | |
| CVE-2014-4217 | Oracle WebLogic Server | HTTP | WLS - Web Services | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.0.2.0, 10.3.6.0, 12.1.1.0 | |
| CVE-2014-4241 | Oracle WebLogic Server | HTTP | WLS - Web Services | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.0.2.0, 10.3.6.0 | |
| CVE-2013-5855 | Oracle WebLogic Server | HTTP | Web Container | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.1.0, 12.1.2.0 | |
| CVE-2014-4251 | Oracle HTTP Server | HTTP | plugin 1.1 | No | 3.5 | Network | Medium | Single | None | Partial | None | 11.1.1.7.0, 12.1.2.0 | |
| CVE-2014-4222 | Oracle HTTP Server | HTTPS | plugin 1.1 | No | 2.1 | Network | High | Single | Partial | None | None | 11.1.1.7.0, 12.1.2.0 | |

Notes:

  1. This fix also addresses CVE-2013-1739, CVE-2013-1740, CVE-2013-5605, CVE-2013-5606, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492.
  2. This fix also addresses CVE-2013-2172. CVE-2013-2172 is equivalent to CVE-2013-2461.
  3. Please refer to My Oracle Support Note 1905314.1 for instructions on optional configuration steps.

Appendix - Oracle Hyperion

Oracle Hyperion Executive Summary

This Critical Patch Update contains 7 new security fixes for Oracle Hyperion. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Hyperion Risk Matrix

Columns from Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-4271 | Hyperion Essbase | TCP | Agent | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 11.1.2.2, 11.1.2.3 | |
| CVE-2014-0436 | Hyperion BI+ | HTTP | Web Analysis | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.1.2.2, 11.1.2.3 | |
| CVE-2014-4203 | Hyperion Enterprise Performance Management Architect | HTTP | Property Editing | No | 4.1 | Local | Medium | Single | Partial | Partial | Partial | 11.1.2.2, 11.1.2.3 | |
| CVE-2014-4270 | Hyperion Common Admin | HTTP | User Interface | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.2.2, 11.1.2.3 | |
| CVE-2014-4269 | Hyperion Common Admin | HTTP | User Interface | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.2.2, 11.1.2.3 | |
| CVE-2014-4246 | Hyperion Analytic Provider Services | XML | SVP | No | 3.5 | Network | Medium | Single | Partial | None | None | 11.1.2.2, 11.1.2.3 | |
| CVE-2014-4206 | Hyperion Enterprise Performance Management Architect | HTTP | Data Synchronizer | No | 3.3 | Local | Medium | None | None | Partial | Partial | 11.1.2.2, 11.1.2.3 | |

Appendix - Oracle Enterprise Manager Grid Control

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Enterprise Manager Grid Control. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without a username and password. This fix is not applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager Grid Control Risk Matrix

Columns from Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-4239 | Solaris | SSL/TLS | Common Agent Container (Cacao) | No | 4.0 | Network | Low | Single | Partial | None | None | 2.3.1.0, 2.3.1.1, 2.3.1.2, 2.4.0.0, 2.4.1.0, 2.4.2.0 | See Note 1 |

Notes:

  1. Applies only when Cacao is running on Solaris platform.

Appendix - Oracle Applications

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle E-Business Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite Risk Matrix

Columns from Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-0224 | Oracle Applications Technology Stack | HTTPS | IAS For App Technology | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.5.10.2 | |
| CVE-2014-2482 | Oracle Concurrent Processing | HTTP | - | No | 5.5 | Network | Low | Single | Partial | Partial | None | 12.1.3, 12.2.2, 12.2.3 | |
| CVE-2014-4213 | Oracle Applications Manager | HTTP | - | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.0.6, 12.1.3, 12.2.2, 12.2.3 | |
| CVE-2014-4235 | Oracle iStore | HTTP | - | No | 3.5 | Network | Medium | Single | None | Partial | None | 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3 | |
| CVE-2014-4248 | Oracle Application Object Library | HTTP | Logging | No | 1.0 | Local | High | Single | Partial | None | None | 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3 | |

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 3 new security fixes for the Oracle Supply Chain Products Suite. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

Columns from Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-4229 | Oracle Transportation Management | HTTP | Data, Domain & Function Security | No | 5.5 | Network | Low | Single | Partial | Partial | None | 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4 | |
| CVE-2014-4234 | Oracle Transportation Management | HTTP | Data, Domain & Function Security | Yes | 5.0 | Network | Low | None | Partial | None | None | 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4 | |
| CVE-2014-2492 | Oracle Agile Product Collaboration | HTTP | Web client (PC) | Yes | 4.3 | Network | Medium | None | None | Partial | None | 9.3.3 | |

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 5 new security fixes for Oracle PeopleSoft Products. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

Columns from Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-2456 | PeopleSoft Enterprise ELS Enterprise Learning Management | HTTP | Enterprise Learning Mgmt | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.1, 9.2 | |
| CVE-2014-2496 | PeopleSoft Enterprise PT PeopleTools | HTTPS | Test Framework | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.52, 8.53 | |
| CVE-2014-4226 | PeopleSoft Enterprise FIN Install | HTTPS | Install | Yes | 5.1 | Network | High | None | Partial+ | Partial+ | Partial+ | 9.1, 9.2 | |
| CVE-2014-4204 | PeopleSoft Enterprise PT PeopleTools | HTTP | PIA Core Technology | No | 3.5 | Network | Medium | Single | None | Partial | None | 8.53 | |
| CVE-2014-2495 | PeopleSoft Enterprise SCM Purchasing | HTTP | Purchasing | No | 2.3 | Adjacent Network | Medium | Single | Partial+ | None | None | 9.1, 9.2 | |

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 6 new security fixes for Oracle Siebel CRM. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-4231 | Siebel Travel & Transportation | HTTP | Diary | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.1.1, 8.2.2 | |
| CVE-2014-4230 | Siebel UI Framework | HTTP | Open_UI | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.1.1, 8.2.2 | |
| CVE-2014-2491 | Siebel UI Framework | HTTP | Portal Framework | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.1.1, 8.2.2 | |
| CVE-2014-4205 | Siebel UI Framework | HTTP | Portal Framework | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.1.1, 8.2.2 | |
| CVE-2014-4250 | Siebel Core - Server OM Frwks | HTTP | Object Manager | No | 3.5 | Network | Medium | Single | Partial | None | None | 8.1.1, 8.2.2 | |
| CVE-2014-2485 | Siebel Core - EAI | HTTP | Integration Business Services | No | 1.4 | Local | Low | Multiple | Partial | None | None | 8.1.1, 8.2.2 | |

Appendix - Oracle Industry Applications

Oracle Communications Applications Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Communications Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-1741 | Oracle Communications Messaging Server | SSL/TLS | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 7.0.5.30.0 and earlier | See Note 1 |

Notes:

  1. This fix also addresses CVE-2013-1620, CVE-2013-1739, CVE-2013-1740, CVE-2013-5605, CVE-2013-5606, CVE-2014-1490, CVE-2014-1491 and CVE-2014-1492.

Oracle Retail Applications Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle Retail Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Retail Applications Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-0114 | Oracle Retail Back Office | HTTP | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0 | |
| CVE-2014-0114 | Oracle Retail Central Office | HTTP | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0 | |
| CVE-2014-0114 | Oracle Retail Returns Management | HTTP | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 2.0, 13.1, 13.2, 13.3, 13.4, 14.0 | |

Appendix - Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 20 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.
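The 10.0-to-7.5 drop follows directly from the CVSS v2.0 base equation. The calculator below is an added example, not part of Oracle's advisory; it uses the metric weights published in the CVSS v2.0 specification, recomputes Base Scores for rows copied from the matrices on this page, and rescores a row for a non-administrator user by downgrading every "Complete" impact to "Partial" as the text describes.

```python
"""CVSS v2.0 Base Score calculator, used here to check rows of the Risk Matrices."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 specification.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def _impact_weight(label):
    # Oracle marks some impacts "Partial+" (see Risk Matrix Definitions);
    # the CVSS weight used is the same as for "Partial".
    return IMPACT[label.rstrip("+")]


def cvss2_base_score(av, ac, au, c, i, a):
    """Return the CVSS v2.0 Base Score, rounded to one decimal, for six base metrics."""
    impact = 10.41 * (1 - (1 - _impact_weight(c))
                      * (1 - _impact_weight(i))
                      * (1 - _impact_weight(a)))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    # The spec rounds to one decimal; use half-up rather than Python's banker's rounding.
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def non_admin_score(av, ac, au, c, i, a):
    """Rescore a row for a user without administrator privileges, as the advisory
    describes: each 'Complete' impact becomes 'Partial'."""
    def downgrade(label):
        return "Partial" if label == "Complete" else label
    return cvss2_base_score(av, ac, au, downgrade(c), downgrade(i), downgrade(a))


# Rows copied from the matrices in this advisory:
# (CVE, Access Vector, Access Complexity, Authentication, C, I, A, published Base Score)
ADVISORY_ROWS = [
    ("CVE-2014-4227", "Network", "Low", "None", "Complete", "Complete", "Complete", 10.0),
    ("CVE-2014-4219", "Network", "Medium", "None", "Complete", "Complete", "Complete", 9.3),
    ("CVE-2014-4209", "Network", "Low", "None", "Partial", "Partial", "None", 6.4),
    ("CVE-2014-4225", "Local", "Medium", "None", "Complete", "Complete", "Complete", 6.9),
    ("CVE-2014-4229", "Network", "Low", "Single", "Partial", "Partial", "None", 5.5),
    ("CVE-2014-4226", "Network", "High", "None", "Partial+", "Partial+", "Partial+", 5.1),
    ("CVE-2014-4208", "Network", "High", "None", "None", "Partial", "None", 2.6),
    ("CVE-2014-2495", "Adjacent Network", "Medium", "Single", "Partial+", "None", "None", 2.3),
    ("CVE-2014-2485", "Local", "Low", "Multiple", "Partial", "None", "None", 1.4),
]


def verify_matrix(rows):
    """Return the CVEs whose published Base Score differs from the recomputed one."""
    return [cve for (cve, av, ac, au, c, i, a, published) in rows
            if cvss2_base_score(av, ac, au, c, i, a) != published]


if __name__ == "__main__":
    admin = cvss2_base_score("Network", "Low", "None", "Complete", "Complete", "Complete")
    non_admin = non_admin_score("Network", "Low", "None", "Complete", "Complete", "Complete")
    print(f"CVE-2014-4227 as administrator: {admin}, as ordinary user: {non_admin}")
    print("Rows with a mismatched Base Score:", verify_matrix(ADVISORY_ROWS) or "none")
```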

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.

My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products that include an Oracle Java SE JDK or JRE.

Oracle Java SE Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-4227 | Java SE | Multiple | Deployment | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 6u75, Java SE 7u60, Java SE 8u5 | See Note 1 |
| CVE-2014-4219 | Java SE | Multiple | Hotspot | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 6u75, Java SE 7u60, Java SE 8u5 | See Note 1 |
| CVE-2014-2490 | Java SE | Multiple | Hotspot | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u60, Java SE 8u5 | See Note 1 |
| CVE-2014-4216 | Java SE | Multiple | Hotspot | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5 | See Note 1 |
| CVE-2014-4247 | Java SE | Multiple | JavaFX | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 8u5 | See Note 1 |
| CVE-2014-2483 | Java SE | Multiple | Libraries | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u60 | See Note 1 |
| CVE-2014-4223 | Java SE | Multiple | Libraries | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u60 | See Note 1 |
| CVE-2014-4262 | Java SE | Multiple | Libraries | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5 | See Note 1 |
| CVE-2014-4209 | Java SE | Multiple | JMX | Yes | 6.4 | Network | Low | None | Partial | Partial | None | Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5 | See Note 1 |
| CVE-2014-4265 | Java SE | Multiple | Deployment | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 6u75, Java SE 7u60, Java SE 8u5 | See Note 1 |
| CVE-2014-4220 | Java SE | Multiple | Deployment | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 7u60, Java SE 8u5 | See Note 1 |
| CVE-2014-4218 | Java SE | Multiple | Libraries | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5 | See Note 1 |
| CVE-2014-4252 | Java SE | Multiple | Security | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5 | See Note 1 |
| CVE-2014-4266 | Java SE | Multiple | Serviceability | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 7u60, Java SE 8u5 | See Note 1 |
| CVE-2014-4268 | Java SE | Multiple | Swing | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5 | See Note 1 |
| CVE-2014-4264 | Java SE | SSL/TLS | Security | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE 7u60, Java SE 8u5 | See Note 2 |
| CVE-2014-4221 | Java SE | Multiple | Libraries | Yes | 4.3 | Network | Medium | None | Partial | None | None | Java SE 7u60, Java SE 8u5 | See Note 1 |
| CVE-2014-4244 | Java SE, JRockit | Multiple | Security | Yes | 4.0 | Network | High | None | Partial | Partial | None | Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5, JRockit R27.8.2, JRockit R28.3.2 | See Note 3 |
| CVE-2014-4263 | Java SE, JRockit | Multiple | Security | Yes | 4.0 | Network | High | None | Partial | Partial | None | Java SE 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5, JRockit R27.8.2, JRockit R28.3.2 | See Note 4 |
| CVE-2014-4208 | Java SE | Multiple | Deployment | Yes | 2.6 | Network | High | None | None | Partial | None | Java SE 7u60, Java SE 8u5 | See Note 1 |

Notes:

  1. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
  2. Applies to client and server deployment of JSSE.
  3. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
  4. Applies to Diffie-Hellman key agreement in client and server deployment of Java.

Appendix - Oracle and Sun Systems Products Suite

Oracle and Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 3 new security fixes for the Oracle and Sun Systems Products Suite. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle and Sun Systems Products Suite Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-4225 | Solaris | None | Patch installation scripts | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 10 | |
| CVE-2014-4215 | Solaris | None | CPU performance counters (CPC) drivers | No | 4.9 | Local | Low | None | None | None | Complete | 10, 11.1 | |
| CVE-2014-4224 | Solaris | None | sockfs | No | 4.9 | Local | Low | None | None | None | Complete | 8, 9, 10, 11.1 | |
| CVE-2014-4239 (Oracle Enterprise Manager Grid Control) | Solaris | SSL/TLS | Common Agent Container (Cacao) | No | 4.0 | Network | Low | Single | Partial | None | None | 8, 9, 10, 11.1 | |

Appendix - Oracle Linux and Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 15 new security fixes for Oracle Virtualization. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-0211 | Oracle Secure Global Desktop (SGD) | TCP | LibXfont | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 4.63, 4.71, 5.0, 5.1 | See Note 1 |
| CVE-2014-2487 | Oracle VM VirtualBox | None | Core | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | VirtualBox prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.14 | See Note 2 |
| CVE-2014-4261 | Oracle VM VirtualBox | None | Core | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | VirtualBox prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.14 | See Note 2 |
| CVE-2014-0224 | Oracle Secure Global Desktop (SGD) | SSL/TLS | OpenSSL | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 4.63, 4.71, 5.0, 5.1 | See Note 3 |
| CVE-2013-4286 | Oracle Secure Global Desktop (SGD) | HTTP | Apache Tomcat | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 4.63, 4.71, 5.0, 5.1 | See Note 4 |
| CVE-2014-0098 | Oracle Secure Global Desktop (SGD) | HTTP | Apache HTTP Server | Yes | 5.0 | Network | Low | None | None | None | Partial | 4.63, 4.71, 5.0, 5.1 | See Note 5 |
| CVE-2012-3544 | Oracle Virtual Desktop Infrastructure (VDI) | HTTP | Apache Tomcat | Yes | 5.0 | Network | Low | None | None | None | Partial | VDI prior to 3.5.1 | |
| CVE-2012-3544 | Sun Ray Software | HTTP | Apache Tomcat | Yes | 5.0 | Network | Low | None | None | None | Partial | Sun Ray Software prior to 5.4.3 | |
| CVE-2014-4228 | Oracle VM VirtualBox | None | Graphics driver (WDDM) for Windows guests | No | 4.4 | Local | Medium | None | Partial | Partial | Partial+ | VirtualBox prior to 4.1.34, 4.2.26, 4.3.12 | |
| CVE-2014-0033 | Oracle Secure Global Desktop (SGD) | HTTP | Apache Tomcat | Yes | 4.3 | Network | Medium | None | Partial | None | None | 4.63 | |
| CVE-2014-4232 | Oracle Secure Global Desktop (SGD) | HTTP | Workspace Web Application | Yes | 4.3 | Network | Medium | None | None | Partial | None | 4.63, 4.71, 5.0, 5.1 | |
| CVE-2014-2489 | Oracle VM VirtualBox | None | Core | No | 4.1 | Local | Medium | Single | Partial+ | Partial+ | Partial+ | VirtualBox prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.12 | |
| CVE-2014-2477 | Oracle VM VirtualBox | None | Core | No | 3.6 | Local | Low | None | None | Partial | Partial | VirtualBox prior to 4.0.26, 4.1.34, 4.2.26, 4.3.12 | |
| CVE-2014-2486 | Oracle VM VirtualBox | None | Core | No | 3.0 | Local | Medium | Single | None | Partial+ | Partial+ | VirtualBox prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.12 | |
| CVE-2014-2488 | Oracle VM VirtualBox | None | Core | No | 1.0 | Local | High | Single | Partial+ | None | None | VirtualBox prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.12 | |

Notes:

  1. This fix also addresses CVE-2014-0209 and CVE-2014-0210.
  2. Applies only when VirtualBox is running on a Windows host operating system.
  3. This fix also addresses CVE-2010-5298, CVE-2013-6449 and CVE-2013-6450, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221 and CVE-2014-3470.
  4. This fix also addresses CVE-2013-4322, CVE-2014-0050, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099 and CVE-2014-0119.
  5. This fix also addresses CVE-2013-6438.

Appendix - Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 10 new security fixes for Oracle MySQL. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-2484 | MySQL Server | MySQL Protocol | SRFTS | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 5.6.17 and earlier | |
| CVE-2014-4258 | MySQL Server | MySQL Protocol | SRINFOSC | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 5.5.37 and earlier, 5.6.17 and earlier | |
| CVE-2014-4260 | MySQL Server | MySQL Protocol | SRCHAR | No | 5.5 | Network | Low | Single | None | Partial | Partial+ | 5.5.37 and earlier, 5.6.17 and earlier | |
| CVE-2014-2494 | MySQL Server | MySQL Protocol | ENARC | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.37 and earlier | |
| CVE-2014-4238 | MySQL Server | MySQL Protocol | SROPTZR | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.17 and earlier | |
| CVE-2014-4207 | MySQL Server | MySQL Protocol | SROPTZR | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.37 and earlier | |
| CVE-2014-4233 | MySQL Server | MySQL Protocol | SRREP | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.17 and earlier | |
| CVE-2014-4240 | MySQL Server | MySQL Protocol | SRREP | No | 3.6 | Local | Low | None | Partial | Partial | None | 5.6.17 and earlier | |
| CVE-2014-4214 | MySQL Server | MySQL Protocol | SRSP | No | 3.3 | Network | Low | Multiple | None | None | Partial+ | 5.6.17 and earlier | |
| CVE-2014-4243 | MySQL Server | MySQL Protocol | ENFED | No | 2.8 | Network | Medium | Multiple | None | None | Partial+ | 5.5.35 and earlier, 5.6.15 and earlier | |

Why Oracle

  • Analyst Reports
  • Gartner MQ for Cloud ERP
  • Cloud Economics
  • Corporate Responsibility
  • Diversity and Inclusion
  • Security Practices

Learn

  • What is cloud computing?
  • What is CRM?
  • What is Docker?
  • What is Kubernetes?
  • What is Python?
  • What is SaaS?

What’s New

  • Oracle Supports Ukraine

  • Oracle CloudWorld

  • Oracle and Premier League

  • Oracle Red Bull Racing

  • Employee Experience Platform

  • Oracle Support Rewards

  • © 2022 Oracle

  • Site Map

  • Privacy/Do Not Sell My Info

  • Ad Choices

  • Careers

  • Facebook

  • Twitter

  • LinkedIn

  • YouTube

Related news

Weakness risk-patterns: A Red Hat way to identify poor software practices in the secure development lifecycle

Red Hat strives to get better at what we do, faster at how we do it, while maintaining high quality results. In modern software development, that means focusing on security as early as possible into our software development process, and continuously driving improvements by listening and acting upon early feedback in the Secure Development Lifecycle (SDL). One important tool toward that goal is the Common Weakness Enumeration (CWE), a community-developed taxonomy of flaws. We use CWE classifications to gather intelligence and data to visualize clustering common weaknesses. We can then better

CVE-2023-28069: DSA-2022-258: Dell Streaming Data Platform Security Update for Multiple Third-Party Component Vulnerabilities

Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.

The Sky Is Not Falling: Disclosed OpenSSL Bugs Are Serious but Not Critical

Organizations should update to the latest encryption (version 3.0.7) as soon as possible, but there's no need for Heartbleed-like panic, security experts say.

OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities

The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service (DoS) and remote code execution. The issues, tracked as CVE-2022-3602 and CVE-2022-3786, have been described as buffer overrun vulnerabilities that can be triggered during X.509 certificate verification by supplying a specially-crafted email

Prepare Now for Critical Flaw in OpenSSL, Security Experts Warn

Even if the security bug is not another Heartbleed, prepare like it might be, they note — it has potentially sprawling ramifications.

CVE-2022-32294: Zimbra Security Advisories - Zimbra :: Tech Center

Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).

CVE-2021-4234: Access Server Release Notes | OpenVPN

OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent from the client which the client again does not respond to, resulting in a limited amplification attack.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-21938: Product Security Advisories

Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-22721: Apache HTTP Server 2.4 vulnerabilities

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2021-44790: Apache HTTP Server 2.4 vulnerabilities

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

CVE-2020-9490: Apache HTTP Server 2.4 vulnerabilities

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

CVE-2019-2808: Oracle Critical Patch Update Advisory - July 2019

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2019-2628: Oracle Critical Patch Update Advisory - April 2019

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2019-2455: Oracle Critical Patch Update Advisory - January 2019

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3133: Oracle Critical Patch Update - October 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-2637: Oracle Critical Patch Update - January 2018

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/A...

CVE-2017-5711: Security Center

Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege.

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-3636: Oracle Critical Patch Update Advisory - July 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-0502: Oracle Critical Patch Update - January 2016

Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2015-4879: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0501: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0391: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL.

CVE-2014-4288: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.

CVE-2014-6469: Oracle Critical Patch Update - October 2014

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER.

CVE-2014-4260: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR.

CVE-2014-0224

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

CVE-2014-0195

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.

CVE-2014-2421: Oracle Critical Patch Update - April 2014

Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVE-2014-2436: Oracle Critical Patch Update - April 2014

Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RBR.

CVE-2014-0160

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0098

The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.

CVE-2013-6438

The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.

CVE-2013-5891: Oracle Critical Patch Update - January 2014

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.

CVE-2013-5807: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle MySQL Server 5.5.x through 5.5.32 and 5.6.x through 5.6.12 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Replication.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-2172

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

CVE-2013-3801: Oracle Critical Patch Update - July 2013

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Options.

CVE-2013-2447: Oracle Java Critical Patch Update - June 2013

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Networking. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to obtain a socket's local address via vectors involving inconsistencies between Socket.getLocalAddress and InetAddress.getLocalHost.

CVE-2013-1620

The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2012-0053: Apache HTTP Server 2.2 vulnerabilities

protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.

CVE-2011-2729: Apache Tomcat® - Apache Tomcat 7 vulnerabilities

native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.
