CVE-2013-5807: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle MySQL Server 5.5.x through 5.5.32 and 5.6.x through 5.6.12 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Replication.


Oracle Critical Patch Update Advisory - October 2013

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Starting Oct 2013, the Java SE Critical Patch Update will be released quarterly every year as per the main Oracle Critical Patch Update Schedule. This Critical Patch Update contains 127 new security fixes (including 51 Java fixes) across the product families listed below.

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available at: http://www.oracle.com/security-alerts/cpufaq.html#CVRF.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.

The list of affected product releases and versions that are in Premier Support or Extended Support under the Oracle Lifetime Support Policy is as follows:

| Affected Products and Versions | Patch Availability |
|---|---|
| Oracle Database 11g Release 1, version 11.1.0.7 | Database |
| Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3 | Database |
| Oracle Database 12c Release 1, version 12.1.0.1 | Database |
| Oracle Fusion Middleware 11g Release 1, versions 11.1.1.6, 11.1.1.7 | Fusion Middleware |
| Oracle Access Manager, versions 11.1.1.5.0, 11.1.2.0.0 | Fusion Middleware |
| Oracle Forms and Reports 11g, Release 2, version 11.1.2.1 | Fusion Middleware |
| Oracle GlassFish Server, versions 2.1.1, 3.0.1, 3.1.2 | Fusion Middleware |
| Oracle HTTP Server 12c, version 12.1.2 | Fusion Middleware |
| Oracle Identity Analytics, version 11.1.1.5; Sun Role Manager, versions 4.1, 5.0 | Fusion Middleware |
| Oracle Identity Manager, versions 11.1.2.0.0, 11.1.2.1.0 | Fusion Middleware |
| Oracle JDeveloper, versions 11.1.2.3.0, 11.1.2.4.0, 12.1.2.0.0 | Fusion Middleware |
| Oracle Outside In Technology, versions 8.4.0, 8.4.1 | Fusion Middleware |
| Oracle Portal, version 11.1.1.6.0 | Fusion Middleware |
| Oracle Web Cache, versions 11.1.1.6, 11.1.1.7 | Fusion Middleware |
| Oracle WebCenter Content, versions 10.1.3.5.1, 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0 | Fusion Middleware |
| Oracle WebLogic Server, versions 10.3.6.0, 12.1.1.0 | Fusion Middleware |
| Oracle Web Services, versions 10.1.3.5, 11.1.1.6.0 | Fusion Middleware |
| Oracle Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5 | Enterprise Manager |
| Oracle Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1 | Enterprise Manager |
| Oracle Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.2, 12.1.0.3, 12.1.0.4 | Enterprise Manager |
| Oracle E-Business Suite Release R12, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2 | E-Business Suite |
| Oracle Agile PLM Framework, version 9.3.2 | Oracle Supply Chain |
| Oracle Transportation Management, versions 6.3, 6.3.1 | Oracle Supply Chain |
| Oracle PeopleSoft HRMS, version 9.1 | PeopleSoft |
| Oracle PeopleSoft HRMS eCompensation, versions 9.1, 9.2 | PeopleSoft |
| Oracle PeopleSoft PeopleTools, versions 8.51, 8.52, 8.53 | PeopleSoft |
| Oracle Siebel Core, versions 8.1.1, 8.2.2 | Siebel |
| Oracle Siebel Server Remote, versions 8.1.1, 8.2.2 | Siebel |
| Oracle Siebel UI Framework, versions 8.1.1, 8.2.2 | Siebel |
| Oracle iLearning, versions 5.2.1, 6.0 | iLearning |
| Oracle Health Sciences InForm, versions 4.5.x, 4.6.x, 5.0.x, 5.5.x and 6.0.0 | Oracle Health Sciences Products Suite |
| Oracle Siebel CTMS, version 8.1.1.x | Oracle Health Sciences Products Suite |
| Oracle Retail Invoice Matching, versions 10.2, 11.0, 12.0, 12.0IN, 12.1, 13.0, 13.1, 13.2 | Oracle Retail Products Suite |
| Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1 | Oracle FLEXCUBE |
| Oracle Instantis EnterpriseTrack, versions 8.0.6, 8.5 | Oracle Primavera Products Suite |
| Oracle Primavera P6 Enterprise Project Portfolio Management, versions 8.1, 8.2, 8.3 | Oracle Primavera Products Suite |
| Oracle JavaFX, versions 2.2.40 and earlier | Oracle Java SE |
| Oracle Java JDK and JRE, versions 5.0u51 and earlier, 6u60 and earlier, 7u40 and earlier | Oracle Java SE |
| Oracle Java SE Embedded, versions 7u40 and earlier | Oracle Java SE |
| Oracle JRockit, versions R27.7.6 and earlier, R28.2.8 and earlier | Oracle Java SE |
| Oracle Solaris versions 10, 11.1 | Oracle and Sun Systems Products Suite |
| Oracle SPARC Enterprise T series and M Series Servers Firmware versions prior to 6.7.13, 7.4.6.c, 8.3.0.b, 9.0.0.d, 9.0.1.e | Oracle and Sun Systems Products Suite |
| Oracle Sun Blade 6000 10GBE switched NEM 1.2, Sun Network 10GBE Switch 72P 1.2, Oracle Switch ES1-24 1.3 | Oracle and Sun Systems Products Suite |
| Oracle Secure Global Desktop, version 5 | Oracle Linux and Virtualization |
| Oracle VM VirtualBox, versions prior to 3.2.18, 4.0.20, 4.1.28, 4.2.18 | Oracle Linux and Virtualization |
| Oracle MySQL Server, versions 5.1, 5.5, 5.6 | Oracle MySQL Product Suite |
| Oracle MySQL Enterprise Monitor, version 2.3 | Oracle MySQL Product Suite |

Patch Availability Table and Risk Matrices

Products with Cumulative Patches

The Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Industry Applications, Primavera and Oracle VM patches in the Critical Patch Updates are cumulative. In other words, patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates. For more information about cumulative and non-cumulative patches, check the patch availability documents in the table below for the respective product groups.

Patch Availability Table

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update October 2013 Documentation Map, My Oracle Support Note 1569424.1.

| Product Group | Risk Matrix | Patch Availability and Installation Information |
|---|---|---|
| Oracle Database | Oracle Database Risk Matrix | Patch Set Update and Critical Patch Update October 2013 Availability Document, My Oracle Support Note 1571391.1 |
| Oracle Fusion Middleware | Oracle Fusion Middleware Risk Matrix | Patch Set Update and Critical Patch Update October 2013 Availability Document, My Oracle Support Note 1571391.1 |
| Oracle Enterprise Manager | Oracle Enterprise Manager Risk Matrix | Patch Set Update and Critical Patch Update October 2013 Availability Document, My Oracle Support Note 1571391.1 |
| Oracle Applications - E-Business Suite | Oracle Applications, E-Business Suite Risk Matrix | Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (October 2013), My Oracle Support Note 1585639.1 |
| Oracle Applications - Oracle Supply Chain, PeopleSoft Enterprise, Siebel and iLearning Products Suite | Oracle Supply Chain Risk Matrix; Oracle PeopleSoft Enterprise Risk Matrix; Oracle Siebel CRM Risk Matrix; Oracle iLearning Products Risk Matrix | Critical Patch Update Knowledge Document for Oracle Supply Chain, PeopleSoft Enterprise, Siebel and iLearning Products suite, My Oracle Support Note 1586836.1 |
| Oracle FLEXCUBE Products Suite | Oracle Financial Services Software Risk Matrix | Contact Oracle Customer Support for patches, https://support.oracle.com |
| Oracle Health Sciences Products Suite | Oracle Industry Applications Risk Matrix | Critical Patch Update October 2013 Patch Availability Document for Oracle Health Sciences, My Oracle Support Note 1586473.1 |
| Oracle Retail Products Suite | Oracle Industry Applications Risk Matrix | Critical Patch Update October 2013 Patch Availability Document for Oracle Retail, My Oracle Support Note 1585139.1 |
| Oracle Primavera Products Suite | Oracle Primavera Products Risk Matrix | Critical Patch Update October 2013 Patch Availability Document for Oracle Primavera, My Oracle Support Note 1586098.1 |
| Oracle Java | Oracle JDK and JRE Risk Matrix | Critical Patch Update October 2013 Patch Availability Document for Java, My Oracle Support Note 1585614.1; Users running Java SE with a browser can download the latest release from http://www.java.com/en/. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release; The latest JavaFX release is included with the latest update of JDK and JRE 7. |
| Oracle and Sun Systems Products Suite | Oracle and Sun Systems Products Suite Risk Matrix | Critical Patch Update October 2013 Patch Delivery Document for Oracle and Sun Systems Product Suite, My Oracle Support Note 1586053.1 |
| Oracle Linux and Virtualization Products | Oracle Linux and Virtualization Products Risk Matrix | Patch Set Update and Critical Patch Update October 2013 Availability Document, My Oracle Support Note 1586550.1 |
| Oracle MySQL | Oracle MySQL Risk Matrix | Critical Patch Update October 2013 Patch Availability Document for Oracle MySQL Products, My Oracle Support Note 1591383.1 |

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is available here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. Italics indicate vulnerabilities in code included from other product areas.

Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected.
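
An added example, not part of Oracle's advisory: a Python check that recomputes the CVSS 2.0 base score from the six metric columns of a risk-matrix row and flags any row whose published Base Score disagrees, which is useful when the matrices are transcribed into a tracking system for local risk analysis. The weights and equation come from the CVSS 2.0 specification; scoring Oracle's "Partial+" with the Partial weight is an assumption (it reproduces the published scores below), the function names are illustrative, and the sample rows are copied from this advisory's matrices.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS 2.0 specification, keyed by the labels
# that appear in the advisory's risk-matrix columns.
ACCESS_VECTOR = {"Local": Decimal("0.395"), "Adjacent Network": Decimal("0.646"),
                 "Network": Decimal("1.0")}
ACCESS_COMPLEXITY = {"High": Decimal("0.35"), "Medium": Decimal("0.61"),
                     "Low": Decimal("0.71")}
AUTHENTICATION = {"Multiple": Decimal("0.45"), "Single": Decimal("0.56"),
                  "None": Decimal("0.704")}
IMPACT = {"None": Decimal("0"), "Partial": Decimal("0.275"),
          "Complete": Decimal("0.660")}


def impact_weight(label):
    """Weight for a Confidentiality/Integrity/Availability cell.

    Assumption: the "+" in "Partial+" annotates breadth of impact and does
    not change the weight used for scoring.
    """
    return IMPACT[label.rstrip("+")]


def base_score(av, ac, au, conf, integ, avail):
    """CVSS 2.0 base score, rounded to one decimal place."""
    impact = Decimal("10.41") * (
        1 - (1 - impact_weight(conf))
          * (1 - impact_weight(integ))
          * (1 - impact_weight(avail)))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = Decimal("0") if impact == 0 else Decimal("1.176")
    raw = (Decimal("0.6") * impact + Decimal("0.4") * exploitability
           - Decimal("1.5")) * f_impact
    return raw.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


# Rows copied from this advisory's risk matrices:
# (CVE#, published Base Score, Access Vector, Access Complexity,
#  Authentication, Confidentiality, Integrity, Availability)
MATRIX_ROWS = [
    ("CVE-2013-5771", "6.4", "Network", "Low", "None", "Partial", "None", "Partial"),
    ("CVE-2013-3826", "5.0", "Network", "Low", "None", "Partial", "None", "None"),
    ("CVE-2013-0169", "2.6", "Network", "High", "None", "Partial", "None", "None"),
    ("CVE-2013-5815", "7.5", "Network", "Low", "None", "Partial", "Partial+", "Partial"),
    ("CVE-2013-3831", "5.5", "Network", "Low", "Single", "Partial+", "Partial+", "None"),
    ("CVE-2013-3836", "3.5", "Network", "Medium", "Single", "Partial+", "None", "None"),
    ("CVE-2013-5791", "1.5", "Local", "Medium", "Single", "None", "None", "Partial+"),
    ("CVE-2013-5827", "4.3", "Network", "Medium", "None", "None", "Partial+", "None"),
]


def find_mismatches(rows):
    """Return (CVE#, published, recomputed) for rows whose scores disagree."""
    mismatches = []
    for cve, published, *metrics in rows:
        computed = base_score(*metrics)
        if computed != Decimal(published):
            mismatches.append((cve, Decimal(published), computed))
    return mismatches


if __name__ == "__main__":
    for cve, published, *metrics in MATRIX_ROWS:
        print(f"{cve}: published {published}, recomputed {base_score(*metrics)}")
    print("mismatches:", find_mismatches(MATRIX_ROWS))
```

A mismatch usually means a cell was shifted or mistyped during transcription, so it is worth re-checking the row against the advisory before using the score for prioritization.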

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update October 2013 Availability Document, My Oracle Support Note 1571391.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, customers are recommended to upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Adam Gowdiak of Security Explorations; Adam Willard of Foreground Security; Adi Ludmer of McAfee Labs; Ajinkya Patil of AVsecurity.in; Alex Kouzemtchenko of Security Research Lab via CERT/CC; Alex Rajan of Network Intelligence; Alexander Polyakov of ERPScan; Alexander Tlyapov of Positive Technologies; Alexey Osipov of Positive Technologies; Alexey Tyurin of ERPScan (Digital Security Research Group); Anagha Devale-Vartak of AVsecurity.in; Andrea Micalizzi aka rgod, working with HP’s Zero Day Initiative; Andrew Davies formerly of NCC Group; Ben Murphy via HP’s Zero Day Initiative; CERT/CC; Chris Ries via the Exodus Intelligence Program; Dave Bryant of Orion Health; Dmitry Sklyarov of Positive Technologies; Esteban Martinez Fayo formerly of Application Security Inc.; HUAWEI PSIRT; James Forshaw of Context Information Security; Jeroen Frijters; Jon Passki of Security Research Lab via CERT/CC; Juraj Somorovsky of Ruhr-University Bochum; Manuel García Cárdenas of Internet Security Auditors; Positive Research Center (Positive Technologies Company); Qinglin Jiang formerly of Application Security Inc; Rohan Stelling of BAE Systems Detica; Sam Thomas of Pentest Limited; Timur Yunusov of Positive Technologies; Tom Parker of Orion Health; Travis Emmert via iDefense; Vinesh N. Redkar; Will Dormann of CERT/CC; and Yuki Chen of Trend Micro.

Security-In-Depth Contributors

Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Vitaliy Toropov via the Exodus Intelligence Program; and Yuki Chen of Trend Micro for contributions to Oracle’s Security-In-Depth program.

On-Line Presence Security Contributors

Oracle provides recognition to people that have contributed to our On-Line Presence Security program (see FAQ). People are recognized for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes Adam Willard of Foreground Security; Alok Saurabh; Danish Tariq; Ehraz Ahmed and Umraz Ahmed; Faisal ait hamou; Hamza Ghled; Harsha Vardhan Boppana; Jatinpreet Singh; Jigar Thakkar; Kamil Sevi; Kotros Nadara; Mahadev Subedi; Mahesh Darji of SRIMCA; Rishal Dwivedi & Manjot Singh; Muhammad Ahmed Siddiqui; Narendra Bhati; Osanda Malith Jayathissa; Ravi Chandroliya; Ravikumar R. Paghdal of SRIMCA; Riaz Ebrahim; Simone Memoli; SimranJeet Singh; Sunil Dadhich; Wong Chieh Yie(wcypierre); and Yasir Altaf Zargar for contributions to Oracle’s On-Line Presence Security program.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 14 January 2014
  • 15 April 2014
  • 15 July 2014
  • 14 October 2014

References

  • Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
  • Critical Patch Update - October 2013 Documentation Map [ My Oracle Support Note 1569424.1 ]
  • Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
  • Risk Matrix definitions [ Risk Matrix Definitions ]
  • Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
  • English text version of the risk matrices [ Oracle Technology Network ]
  • CVRF XML version of the risk matrices [ Oracle Technology Network ]
  • List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
  • Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]

Modification History

  • 2021-January-04, Rev 6: Updated credit statement.
  • 2015-February-24, Rev 5: Updated CVSS score for CVE-2013-5813.
  • 2013-November-22, Rev 4: Updated affected versions of Oracle Transportation Management.
  • 2013-November-08, Rev 3: Updated affected versions of EBS.
  • 2013-October-22, Rev 2: Changed CVE# for Outside In from CVE-2013-3624 to CVE-2013-5763. Updated Note 1 of Database Server risk matrix.
  • 2013-October-15, Rev 1: Initial Release.

Appendix - Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 2 new security fixes for the Oracle Database Server. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Oracle Database 10g and 11g include Enterprise Manager Database Control which can be exploited by the vulnerabilities listed in the Oracle Enterprise Manager section. These vulnerabilities are not listed in the Oracle Database risk matrix. Oracle customers should refer to the section, Oracle Enterprise Manager for affected versions of Enterprise Manager Database Control and apply the patches as per the instructions in the Database Section of the Critical Patch Update October 2013 Patch Availability Document for Oracle Products, My Oracle Support Note 1571391.1.

Oracle Database Server Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-5771 | XML Parser | Oracle Net | None | Yes | 6.4 | Network | Low | None | Partial | None | Partial | - | See Note 1 |
| CVE-2013-3826 | Core RDBMS | Oracle Net | None | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.1.0.7, 11.2.0.2, 11.2.0.3, 12.1.0.1 | See Note 2 |
| CVE-2011-3389 (Oracle Fusion Middleware) | Oracle Security Service | SSL/TLS | None | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.1.0.7, 11.2.0.2, 11.2.0.3 | |
| CVE-2013-0169 (Oracle Fusion Middleware) | Oracle Security Service | SSL/TLS | None | Yes | 2.6 | Network | High | None | Partial | None | None | 11.1.0.7, 11.2.0.2, 11.2.0.3, 12.1.0.1 | |

Notes:

  1. This vulnerability does not affect supported versions. Unsupported versions may be affected and should be upgraded to a supported release or patch set. Refer to the Critical Patch Update October 2013 Patch Availability Document for Oracle Products, My Oracle Support Note 1571391.1 for information on supported versions. Refer to Critical Patch Update Supported Products and Versions for links to support policies.
  2. Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database. To remediate this security vulnerability, customers should configure network encryption in their clients and servers to protect sensitive data sent over untrusted networks. Refer to http://docs.oracle.com/cd/E11882_01/license.112/e47877/options.htm#CIHFDJDG - “Oracle Advanced Security section” of “Oracle Database Licensing Information 11g Release 2 (11.2)” for details of this licensing change.

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 17 new security fixes for Oracle Fusion Middleware. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that can be exploited by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle customers should apply the October 2013 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2013 Patch Availability Document for Oracle Products, My Oracle Support Note 1571391.1.

Oracle Fusion Middleware Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-5815 | Oracle Identity Analytics | HTTP | Security | Yes | 7.5 | Network | Low | None | Partial | Partial+ | Partial | Oracle Identity Analytics 11.1.1.5, Sun Role Manager 4.1, 5.0 | |
| CVE-2013-3831 | Oracle Portal | HTTP | Demos | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 11.1.1.6.0 | |
| CVE-2013-5813 | Oracle WebCenter Content | HTTP | Content Server | No | 6.4 | Network | Low | None | Partial+ | Partial+ | None | 10.1.3.5.1, 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0 | |
| CVE-2013-3827 | Oracle GlassFish Server | HTTP | Java Server Faces | Yes | 5.0 | Network | Low | None | Partial | None | None | 2.1.1, 3.0.1, 3.1.2 | |
| CVE-2013-5816 | Oracle GlassFish Server | SOAP | Metro | Yes | 5.0 | Network | Low | None | None | None | Partial | 2.1.1, 3.0.1, 3.1.2 | |
| CVE-2013-3827 | Oracle JDeveloper | HTTP | Java Server Faces | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.1.2.3.0, 11.1.2.4.0, 12.1.2.0.0 | |
| CVE-2013-3828 | Oracle Web Services | HTTP | Test Page | Yes | 5.0 | Network | Low | None | Partial | None | None | 10.1.3.5.0, 11.1.1.6.0 | |
| CVE-2013-3827 | Oracle WebLogic Server | HTTP | Web Container | Yes | 5.0 | Network | Low | None | Partial | None | None | 10.3.6.0, 12.1.1.0 | |
| CVE-2013-3833 | Oracle Access Manager | HTTP | Authentication Engine | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.1.1.5.0, 11.1.2.0.0 | |
| CVE-2013-5773 | Oracle Containers for J2EE | HTTP | Servlet Runtime | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.1.3.5.0 | See Note 1 |
| CVE-2013-2172 | Oracle GlassFish Server | SOAP | Metro | Yes | 4.3 | Network | Medium | None | None | Partial | None | 2.1.1, 3.0.1, 3.1.2 | See Note 2 |
| CVE-2013-5798 | Oracle Identity Manager | HTTP | End User Self Service | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.1.2.0.0, 11.1.2.1.0 | |
| CVE-2011-3389 | Oracle Security Service | SSL/TLS | None | Yes | 4.3 | Network | Medium | None | Partial | None | None | FMW: 11.1.1.6, 11.1.1.7; Forms: 11.1.2.1 | |
| CVE-2013-3836 | Oracle Web Cache | HTTP | ESI/Partial Page Caching | No | 3.5 | Network | Medium | Single | Partial+ | None | None | 11.1.1.6, 11.1.1.7 | |
| CVE-2013-0169 | Oracle Security Service | SSL/TLS | None | Yes | 2.6 | Network | High | None | Partial | None | None | FMW: 11.1.1.6, 11.1.1.7; Forms: 11.1.2.1; OHS: 12.1.2 | |
| CVE-2013-5791 | Oracle Outside In Technology | None | Outside In Filters | No | 1.5 | Local | Medium | Single | None | None | Partial+ | 8.4.0, 8.4.1 | See Note 3 |
| CVE-2013-5763 | Oracle Outside In Technology | None | Outside In Maintenance | No | 1.5 | Local | Medium | Single | None | None | Partial | 8.4.0 | See Note 3 |

Notes:

  1. Please refer to MOS note https://support.oracle.com/epmos/faces/DocumentDisplay?id=1586861.1 for configuration.
  2. CVE-2013-2172 is equivalent to CVE-2013-2461.
  3. Outside In Technology is a suite of software development kits (SDKs). It does not have any particular associated protocol. If the hosting software passes data received over the network to Outside In Technology code, the CVSS Base Score would increase to 6.8.

Appendix - Oracle Enterprise Manager Grid Control

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Enterprise Manager Grid Control. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that can be exploited by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle customers should apply the October 2013 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2013 Patch Availability Document for Oracle Products, My Oracle Support Note 1571391.1.

Oracle Enterprise Manager Grid Control Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-5766 | Enterprise Manager Base Platform | HTTP | DB Performance Advisories/UIs | Yes | 4.3 | Network | Medium | None | None | Partial | None | EM Base Platform: 10.2.0.5, 11.1.0.1; EM DB Control: 11.1.0.7, 11.2.0.2, 11.2.0.3; EM Plugin for DB: 12.1.0.2, 12.1.0.3 | |
| CVE-2013-3762 | Enterprise Manager Base Platform | HTTP | Schema Management | Yes | 4.3 | Network | Medium | None | None | Partial | None | EM Base Platform: 10.2.0.5, 11.1.0.1; EM DB Control: 11.1.0.7, 11.2.0.2, 11.2.0.3; EM Plugin for DB: 12.1.0.2, 12.1.0.3, 12.1.0.4 | |
| CVE-2013-5827 | Enterprise Manager Base Platform | HTTP | Storage Management | Yes | 4.3 | Network | Medium | None | None | Partial+ | None | EM Base Platform: 10.2.0.5, 11.1.0.1; EM DB Control: 11.1.0.7, 11.2.0.2, 11.2.0.3; EM Plugin for DB: 12.1.0.2 | |
| CVE-2013-5828 | Enterprise Manager Base Platform | HTTP | Storage Management | Yes | 4.3 | Network | Medium | None | None | Partial+ | None | EM Base Platform: 10.2.0.5, 11.1.0.1; EM DB Control: 11.1.0.7, 11.2.0.2, 11.2.0.3; EM Plugin for DB: 12.1.0.2, 12.1.0.3 | |

Appendix - Oracle Applications

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 1 new security fix for the Oracle E-Business Suite. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that can be exploited by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle customers should apply the October 2013 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (October 2013), My Oracle Support Note 1585639.1.

Oracle E-Business Suite Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-5792 | Techstack | HTTP | Apache | Yes | 5.0 | Network | Low | None | Partial | None | None | 12.1 | |

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 2 new security fixes for the Oracle Supply Chain Products Suite. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-5826 | Oracle Transportation Management | HTTP | Install / Installation | Yes | 5.0 | Network | Low | None | None | None | Partial | 6.3, 6.3.1 | |
| CVE-2013-5799 | Oracle Agile PLM Framework | HTTP | Security | Yes | 4.3 | Network | Medium | None | None | Partial | None | 9.3.2 | |

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle PeopleSoft Products. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-5836 | PeopleSoft Enterprise PeopleTools | HTTP | Business Interlink | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.51, 8.52, 8.53 | |
| CVE-2013-3835 | PeopleSoft Enterprise PeopleTools | HTTP | Integration Broker | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.51, 8.52, 8.53 | |
| CVE-2013-5794 | PeopleSoft Enterprise PeopleTools | HTTP | Portal | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.51, 8.52, 8.53 | |
| CVE-2013-5841 | PeopleSoft Enterprise PeopleTools | HTTP | Portal | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.51, 8.52, 8.53 | |
| CVE-2013-5765 | PeopleSoft Enterprise PeopleTools | HTTP | XML Publisher | Yes | 5.0 | Network | Low | None | None | None | Partial | 8.51, 8.52, 8.53 | |
| CVE-2013-3785 | PeopleSoft Enterprise HRMS | HTTP | Career’s Home | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1 | |
| CVE-2013-5847 | PeopleSoft Enterprise HRMS eCompensation | HTTP | eCompensation | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1, 9.2 | |
| CVE-2013-5779 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | No | 4.0 | Network | Low | Single | Partial | None | None | 8.51, 8.52, 8.53 | |

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 9 new security fixes for Oracle Siebel CRM. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-5835 | Siebel UI Framework | HTTP | Open_UI | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 8.1.1, 8.2.2 | |
| CVE-2013-5761 | Siebel Core - Server BizLogic Script | HTTP | Integration - Scripting | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 8.1.1, 8.2.2 | |
| CVE-2013-3841 | Siebel Core - EAI | HTTP | Web Services | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.1.1, 8.2.2 | |
| CVE-2013-5867 | Siebel Core - Server Infrastructure | HTTP | SISNAPI & Network Infrastructu | Yes | 5.0 | Network | Low | None | None | None | Partial | 8.1.1, 8.2.2 | |
| CVE-2013-5796 | Siebel Core - EAI | HTTP | Web Services | Yes | 4.3 | Network | Medium | None | None | None | Partial | 8.1.1, 8.2.2 | |
| CVE-2013-5769 | Siebel Core - EAI | HTTP | Web Services | No | 4.0 | Network | Low | Single | None | None | Partial | 8.1.1 | |
| CVE-2013-3840 | Siebel Core - EAI | HTTP | Web Services | No | 4.0 | Network | Low | Single | Partial | None | None | 8.1.1, 8.2.2 | |
| CVE-2013-3832 | Siebel Server Remote | HTTP | File System Management | No | 4.0 | Network | Low | Single | None | Partial | None | 8.1.1, 8.2.2 | |
| CVE-2013-5768 | Siebel UI Framework | HTTP | ActiveX Controls | No | 4.0 | Network | Low | Single | None | Partial | None | 8.1.1, 8.2.2 | |

Oracle iLearning Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle iLearning. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle iLearning Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-5822 | Oracle iLearning | HTTP | Learner Administration | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 5.2.1, 6.0 | |
| CVE-2013-5845 | Oracle iLearning | HTTP | Learner Administration | Yes | 4.3 | Network | Medium | None | None | Partial | None | 5.2.1, 6.0 | |

Appendix - Oracle Industry Applications

Oracle Industry Applications Executive Summary

This Critical Patch Update contains 6 new security fixes for Oracle Industry Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Industry Applications Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-3814 | Oracle Retail Invoice Matching | HTTP | System Administration | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 10.2, 11.0, 12.0, 12.0IN, 12.1, 13.0, 13.1, 13.2 | |
| CVE-2013-5856 | Oracle Health Sciences InForm | HTTP | Web | No | 3.6 | Network | High | Single | Partial | Partial | None | 4.5 SP3, 4.5 SP3a-k, 4.6 SP0, 4.6 SP0a-c, 4.6 SP1, 4.6 SP1a-c, 4.6 SP2, 4.6 SP2a-c, 5.0 SP0, 5.0 SP0a, 5.0 SP1, 5.0 SP1a-b, 5.5 SP0, 5.5 SP0b, 5.5.1, 6.0.0 | |
| CVE-2013-5857 | Oracle Health Sciences InForm | HTTP | Web | No | 3.6 | Network | High | Single | Partial | Partial | None | 4.5 SP3, 4.5 SP3a-k, 4.6 SP0, 4.6 SP0a-c, 4.6 SP1, 4.6 SP1a-c, 4.6 SP2, 4.6 SP2a-c, 5.0 SP0, 5.0 SP0a, 5.0 SP1, 5.0 SP1a-b | |
| CVE-2013-5811 | Oracle Health Sciences InForm | HTTP | Web | No | 3.5 | Network | Medium | Single | Partial+ | None | None | 4.5 SP3, 4.5 SP3a-k, 4.6 SP0, 4.6 SP0a-c, 4.6 SP1, 4.6 SP1a-c, 4.6 SP2, 4.6 SP2a-c, 5.0 SP0, 5.0 SP0a, 5.0 SP1, 5.0 SP1a-b | |
| CVE-2013-5762 | Oracle Siebel CTMS | HTTP | SC-OC Integration | No | 2.4 | Local | High | Single | Partial | None | Partial+ | 8.1.1.x | |
| CVE-2013-5837 | Oracle Health Sciences InForm | None | Cognos | No | 2.1 | Network | High | Single | Partial+ | None | None | 4.6 SP0, 4.6 SP0a-c, 4.6 SP1, 4.6 SP1a-c, 4.6 SP2, 4.6 SP2a-c, 5.0 SP0, 5.0 SP0a, 5.0 SP1, 5.0 SP1a-b, 5.0.3, 5.0.4 | |

Appendix - Oracle Financial Services Software

Oracle Financial Services Software Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Financial Services Software. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Financial Services Software Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-2251 | Oracle FLEXCUBE Private Banking | HTTP | Core | No | 6.0 | Network | Medium | Single | Partial+ | Partial+ | Partial+ | 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1 | See Note 1 |

Notes:

  1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.1: CVE-2013-2251, CVE-2013-2248, CVE-2013-2135, and CVE-2013-2134.

Appendix - Oracle Primavera Products Suite

Oracle Primavera Products Suite Executive Summary

This Critical Patch Update contains 2 new security fixes for the Oracle Primavera Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Primavera Products Suite Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-5859 | Instantis EnterpriseTrack | HTTP | Instantis EnterpriseTrack | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.0.6, 8.5 | |
| CVE-2013-3766 | Primavera P6 Enterprise Project Portfolio Management | HTTP | Web Access | No | 4.0 | Network | Low | Single | None | Partial | None | 8.1, 8.2, 8.3 | |

Appendix - Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 51 new security fixes for Oracle Java SE. 50 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 release.

My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products that include an Oracle Java SE JDK or JRE.

Oracle Java SE Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-5782 | Java SE, JRockit, Java SE Embedded | Multiple | 2D | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier | See Note 1 |
| CVE-2013-5830 | Java SE, JRockit, Java SE Embedded | Multiple | Libraries | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier | See Note 1 |
| CVE-2013-5809 | Java SE, Java SE Embedded | Multiple | 2D | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5829 | Java SE, Java SE Embedded | Multiple | 2D | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5814 | Java SE, Java SE Embedded | Multiple | CORBA | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5824 | Java SE, Java SE Embedded | Multiple | Deployment | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5788 | Java SE, Java SE Embedded | Multiple | Deployment | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5787 | Java SE, Java SE Embedded | Multiple | Deployment | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5789 | Java SE, Java SE Embedded | Multiple | Deployment | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5817 | Java SE, Java SE Embedded | Multiple | JNDI | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5842 | Java SE, Java SE Embedded | Multiple | Libraries | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5843 | Java SE, JavaFX, Java SE Embedded | Multiple | 2D | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JavaFX 2.2.40 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5832 | Java SE, Java SE Embedded | Multiple | Deployment | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5850 | Java SE, Java SE Embedded | Multiple | Libraries | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5838 | Java SE, Java SE Embedded | Multiple | Libraries | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u25 and earlier, Java SE Embedded 7u25 and earlier | See Note 2 |
| CVE-2013-5805 | Java SE, Java SE Embedded | Multiple | Swing | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5806 | Java SE, Java SE Embedded | Multiple | Swing | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5846 | Java SE, JavaFX | Multiple | JavaFX | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u40 and earlier, JavaFX 2.2.40 and earlier | See Note 2 |
| CVE-2013-5810 | Java SE, JavaFX | Multiple | JavaFX | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u40 and earlier, JavaFX 2.2.40 and earlier | See Note 2 |
| CVE-2013-5844 | Java SE, JavaFX | Multiple | JavaFX | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u40 and earlier, JavaFX 2.2.40 and earlier | See Note 2 |
| CVE-2013-5777 | Java SE, JavaFX | Multiple | JavaFX | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u40 and earlier, JavaFX 2.2.40 and earlier | See Note 2 |
| CVE-2013-5852 | Java SE, Java SE Embedded | Multiple | Deployment | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier | See Note 3 |
| CVE-2013-5802 | Java SE, JRockit, Java SE Embedded | Multiple | JAXP | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier | See Note 1 |
| CVE-2013-5775 | Java SE, JavaFX | Multiple | JavaFX | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | Java SE 7u40 and earlier, JavaFX 2.2.40 and earlier | See Note 2 |
| CVE-2013-5804 | Java SE, JRockit | HTTP | Javadoc | Yes | 6.4 | Network | Low | None | Partial | Partial | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier | See Note 4 |
| CVE-2013-5812 | Java SE, Java SE Embedded | Multiple | Deployment | Yes | 6.4 | Network | Low | None | Partial | None | Partial | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-3829 | Java SE, Java SE Embedded | Multiple | Libraries | Yes | 6.4 | Network | Low | None | Partial | Partial | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5783 | Java SE, Java SE Embedded | Multiple | Swing | Yes | 6.4 | Network | Low | None | Partial | Partial | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5825 | Java SE, JRockit, Java SE Embedded | Multiple | JAXP | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier | See Note 1 |
| CVE-2013-4002 | Java SE, JRockit, Java SE Embedded | Multiple | JAXP | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier | See Note 1 |
| CVE-2013-5823 | Java SE, JRockit, Java SE Embedded | Multiple | Security | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE 7u40 and earlier, Java SE 6u60 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier | See Note 1 |
| CVE-2013-5778 | Java SE, Java SE Embedded | Multiple | 2D | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5801 | Java SE, Java SE Embedded | Multiple | 2D | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5776 | Java SE, Java SE Embedded | Multiple | Deployment | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5818 | Java SE, Java SE Embedded | Multiple | Deployment | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5819 | Java SE, Java SE Embedded | Multiple | Deployment | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5831 | Java SE, Java SE Embedded | Multiple | Deployment | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5820 | Java SE, Java SE Embedded | Multiple | JAX-WS | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5851 | Java SE, Java SE Embedded | Multiple | JAXP | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 7u40 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5840 | Java SE, Java SE Embedded | Multiple | Libraries | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5774 | Java SE, Java SE Embedded | Multiple | Libraries | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5848 | Java SE, JavaFX | Multiple | Deployment | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, JavaFX 2.2.40 and earlier | See Note 2 |
| CVE-2013-5780 | Java SE, JRockit, Java SE Embedded | Multiple | Libraries | Yes | 4.3 | Network | Medium | None | Partial | None | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier | See Note 1 |
| CVE-2013-5800 | Java SE, Java SE Embedded | Kerberos | JGSS | Yes | 4.3 | Network | Medium | None | Partial | None | None | Java SE 7u40 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5849 | Java SE, Java SE Embedded | Multiple | AWT | Yes | 4.3 | Network | Medium | None | Partial | None | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5790 | Java SE, Java SE Embedded | Multiple | BEANS | Yes | 4.3 | Network | Medium | None | Partial | None | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5784 | Java SE, Java SE Embedded | Multiple | SCRIPTING | Yes | 4.3 | Network | Medium | None | None | Partial | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE Embedded 7u40 and earlier | See Note 2 |
| CVE-2013-5797 | Java SE, JRockit, JavaFX | HTTP | Javadoc | No | 3.5 | Network | Medium | Single | None | Partial | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, JavaFX 2.2.40 and earlier | See Note 4 |
| CVE-2013-5772 | Java SE | HTTP | jhat | Yes | 2.6 | Network | High | None | None | Partial | None | Java SE 7u40 and earlier, Java SE 6u60 and earlier | See Note 5 |
| CVE-2013-5803 | Java SE, JRockit, Java SE Embedded | Kerberos | JGSS | Yes | 2.6 | Network | High | None | None | None | Partial | Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier | See Note 1 |
| CVE-2013-5854 | Java SE, JavaFX | Multiple | JavaFX | Yes | 2.6 | Network | High | None | Partial | None | None | Java SE 7u40 and earlier, JavaFX 2.2.40 and earlier | See Note 2 |

Notes:

  1. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
  2. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
  3. Applies to installation process on client deployment of Java.
  4. Applies to sites that run the Javadoc tool as a service and then host the resulting documentation. It is recommended that sites filter HTML where it is not explicitly allowed for javadocs.
  5. Applies to the jhat developer tool.

Appendix - Oracle and Sun Systems Products Suite

Oracle and Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 12 new security fixes for the Oracle and Sun Systems Products Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle and Sun Systems Products Suite Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-5781 | SPARC Enterprise T4 Servers | None | Sun System Firmware/Integrated Lights Out Manager (ILOM) | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | Sun System Firmware before 8.3.0.b | |
| CVE-2013-0149 | Sun Blade 6000 10GBE switched NEM, Sun Network 10GBE Switch 72P, Oracle Switch | OSPF | Switch Platform Software | Yes | 5.8 | Network | Medium | None | Partial | None | Partial | Sun Blade 6000 10GBE switched NEM 1.2 prior to Patch 13255101, Sun Network 10GBE Switch 72P 1.2 prior to Patch 13255111, Oracle Switch ES1-24 1.3 prior to Patch 17050841 | |
| CVE-2013-5866 | Solaris | None | Kernel | No | 5.2 | Local | High | None | Partial | Partial | Complete | 11.1 | |
| CVE-2013-5862 | Solaris | None | CPU performance counters (CPC) drivers | No | 4.9 | Local | Low | None | None | None | Complete | 10, 11.1 | |
| CVE-2013-5864 | Solaris | None | USB hub driver | No | 4.9 | Local | Low | None | None | None | Complete | 10, 11.1 | |
| CVE-2013-5863 | Solaris | HTTP | IPS repository daemon | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.1 | |
| CVE-2013-5839 | Solaris | HTTP | Oracle Java Web Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10 | |
| CVE-2013-3837 | Solaris | SNMP | Cacao | Yes | 4.3 | Network | Medium | None | None | None | Partial | 10, 11.1 | |
| CVE-2013-5861 | Solaris | SSL | Kernel/KSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.1 | |
| CVE-2013-3838 | SPARC Enterprise T & M Series Servers | None | Sun System Firmware/Hypervisor | No | 4.0 | Local | High | None | None | None | Complete | Sun System Firmware before 6.7.13, 7.4.6.c, 8.3.0.b, 9.0.0.d and 9.0.1.e | See Note 1 |
| CVE-2013-3842 | Solaris | None | Oracle Configuration Manager (OCM) | No | 2.1 | Local | Low | None | Partial | None | None | 10 | |
| CVE-2013-5865 | Solaris | None | Utility/User administration | No | 1.7 | Local | Low | Single | None | None | Partial | 11.1 | |

Notes:

  1. CVE-2013-3838 applies to Sun System Firmware before 6.7.13 for SPARC T1, 7.4.6.c for SPARC T2, 8.3.0.b for SPARC T3 & T4, 9.0.0.d for SPARC T5 and 9.0.1.e for SPARC M5.

Appendix - Oracle Linux and Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Virtualization. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-3834 | Oracle Secure Global Desktop | Multiple | ttaauxserv | Yes | 5.0 | Network | Low | None | None | None | Partial | 5 | |
| CVE-2013-3792 | Oracle VM VirtualBox | None | Core | No | 3.8 | Local | High | Single | None | None | Complete | VirtualBox prior to 3.2.18, 4.0.20, 4.1.28, 4.2.18 | |

Appendix - Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle MySQL. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-2251 | MySQL Enterprise Monitor | HTTP | Service Manager | No | 8.5 | Network | Medium | Single | Complete | Complete | Complete | 2.3.13 and earlier | See Note 1 |
| CVE-2013-5807 | MySQL Server | MySQL Protocol | Replication | No | 4.9 | Network | Medium | Single | Partial+ | Partial+ | None | 5.5.32 and earlier, 5.6.12 and earlier | |
| CVE-2013-5786 | MySQL Server | MySQL Protocol | InnoDB | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.12 and earlier | |
| CVE-2012-2750 | MySQL Server | MySQL Protocol | Optimizer | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1, 5.5.22 and earlier | |
| CVE-2013-3839 | MySQL Server | MySQL Protocol | Optimizer | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.70 and earlier, 5.5.32 and earlier, 5.6.12 and earlier | |
| CVE-2013-5767 | MySQL Server | MySQL Protocol | Optimizer | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.12 and earlier | |
| CVE-2013-5793 | MySQL Server | MySQL Protocol | InnoDB | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.12 and earlier | |
| CVE-2013-5770 | MySQL Server | MySQL Protocol | Locking | No | 2.1 | Network | High | Single | None | None | Partial+ | 5.6.11 and earlier | |

Notes:

  1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.1: CVE-2013-2251, CVE-2013-2248, CVE-2013-2135, and CVE-2013-2134. The CVSS score is 8.5 if MySQL Enterprise Monitor runs with admin or root privileges. The score would be 6.0 if MySQL Enterprise Monitor runs with non-admin privileges and the impact on Confidentiality, Integrity and Availability would be Partial.
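The Java SE summary (a Base Score of 10.0 becomes 7.5 without administrator privileges) and MySQL Note 1 (8.5 becomes 6.0) both follow from the CVSS version 2.0 base equation. The following is an added example, not part of Oracle's advisory: it recomputes published scores from the metric columns and re-scores a row with Complete impacts lowered to Partial. The metric weights come from the public CVSS v2 specification; scoring Oracle's "Partial+" with the Partial weight is an assumption, which reproduces the scores published for the sampled rows.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}

# Sample rows: CVE | published score | AV | AC | Au | C | I | A.
# Values are copied from this advisory's risk matrices (CVE-2013-2251 is the
# MySQL Enterprise Monitor row, not the FLEXCUBE one).
ROWS = """\
CVE-2013-5782 | 10.0 | Network | Low    | None   | Complete | Complete | Complete
CVE-2013-5852 | 7.6  | Network | High   | None   | Complete | Complete | Complete
CVE-2013-2251 | 8.5  | Network | Medium | Single | Complete | Complete | Complete
CVE-2013-5807 | 4.9  | Network | Medium | Single | Partial+ | Partial+ | None
CVE-2013-5781 | 6.9  | Local   | Medium | None   | Complete | Complete | Complete
CVE-2013-5865 | 1.7  | Local   | Low    | Single | None     | None     | Partial
"""


def impact_weight(label):
    """Weight for one of the C/I/A cells.

    Assumption: Oracle's "Partial+" rating is scored as Partial.
    """
    return IMPACT[label.rstrip("+")]


def base_score(av, ac, au, conf, integ, avail):
    """CVSS v2 base score, rounded to one decimal as the specification requires."""
    impact = 10.41 * (
        1 - (1 - impact_weight(conf)) * (1 - impact_weight(integ)) * (1 - impact_weight(avail))
    )
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    # Decimal avoids banker's rounding surprises from round() on floats.
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_rows(text):
    """Parse 'CVE | score | AV | AC | Au | C | I | A' lines into dicts."""
    rows = []
    for line in text.strip().splitlines():
        cve, score, *metrics = [cell.strip() for cell in line.split("|")]
        if len(metrics) != 6:
            raise ValueError(f"expected 6 CVSS metrics, got {len(metrics)}: {line!r}")
        rows.append({"cve": cve, "published": float(score), "metrics": tuple(metrics)})
    return rows


def mismatches(rows):
    """Rows whose published score differs from the recomputed one."""
    found = []
    for row in rows:
        computed = base_score(*row["metrics"])
        if computed != row["published"]:
            found.append((row["cve"], row["published"], computed))
    return found


def non_admin_score(row):
    """Re-score a row with every Complete impact lowered to Partial."""
    av, ac, au, *cia = row["metrics"]
    lowered = ["Partial" if value == "Complete" else value for value in cia]
    return base_score(av, ac, au, *lowered)


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    print("mismatches:", mismatches(rows))
    for row in rows:
        print(row["cve"], row["published"], "->", non_admin_score(row))
```

When triaging, re-score with the privileges your own deployment actually runs with before comparing rows across product families.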

Why Oracle

  • Analyst Reports
  • Gartner MQ for Cloud ERP
  • Cloud Economics
  • Corporate Responsibility
  • Diversity and Inclusion
  • Security Practices

Learn

  • What is cloud computing?
  • What is CRM?
  • What is Docker?
  • What is Kubernetes?
  • What is Python?
  • What is SaaS?

What’s New

  • News

  • Oracle CloudWorld

  • Oracle Supports Ukraine

  • Oracle Red Bull Racing

  • Oracle Sustainability

  • Employee Experience Platform

  • © 2022 Oracle

  • Site Map

  • Privacy/Do Not Sell My Info

  • Ad Choices

  • Careers

  • Facebook

  • Twitter

  • LinkedIn

  • YouTube

Related news

CVE-2023-28069: DSA-2022-258: Dell Streaming Data Platform Security Update for Multiple Third-Party Component Vulnerabilities

Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.

CVE-2022-34456: DSA-2022-267: Dell EMC Metronode VS5 Security Update for Multiple Third-Party Component Vulnerabilities

Dell EMC Metro node, Version(s) prior to 7.1, contain a Code Injection Vulnerability. An authenticated nonprivileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application.

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

CVE-2022-32294: Zimbra Security Advisories - Zimbra :: Tech Center

Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2021-34565: VDE-2021-027 | CERT@VDE

In PEPPERL+FUCHS WirelessHART-Gateway 3.0.7 to 3.0.9 the SSH and telnet services are active with hard-coded credentials.

CVE-2019-4136: Security Bulletin: IBM Cognos Controller 2019Q2 Security Updater: Multiple vulnerabilities have been identified in IBM Cognos Controller

IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158332.

CVE-2016-5771: PHP: PHP 5 ChangeLog

spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.

CVE-2016-2105

Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.

CVE-2015-2590: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.

CVE-2015-2582: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to GIS.

CVE-2015-0391: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2014-4260: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR.

CVE-2014-4265: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2014-3479: PHP: PHP 5 ChangeLog

The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.

CVE-2013-5891: Oracle Critical Patch Update - January 2014

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-2172

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

CVE-2013-3801: Oracle Critical Patch Update - July 2013

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Options.

CVE-2013-2447: Oracle Java Critical Patch Update - June 2013

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Networking. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to obtain a socket's local address via vectors involving inconsistencies between Socket.getLocalAddress and InetAddress.getLocalHost.

CVE-2013-0169

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

CVE-2012-2750: Invalid Bug ID

Unspecified vulnerability in MySQL 5.5.x before 5.5.23 has unknown impact and attack vectors related to a "Security Fix", aka Bug #59533. NOTE: this might be a duplicate of CVE-2012-1689, but as of 20120816, Oracle has not commented on this possibility.

CVE-2011-3389: Get to know Opera

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
