Headline
CVE-2015-2590: Oracle Critical Patch Update Advisory - July 2015
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Click to view our Accessibility Policy
Skip to content
Security Alerts
Oracle Critical Patch Update Advisory - July 2015****Description
A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to: Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.
This Critical Patch Update contains 193 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.
Please note that on May 15, 2015, Oracle released Security Alert for CVE-2015-3456 (QEMU “Venom”) .Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2015-3456.
This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available at: https://www.oracle.com/security-alerts/cpufaq.html#CVRF.
Affected Products and Components
Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.
The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:
Affected Products and Versions
Patch Availability
Application Express, version(s) prior to 5.0
Database
Oracle Database Server, version(s) 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
Database
Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
Fusion Applications
Oracle Fusion Middleware, version(s) 10.3.6.0, 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 12.1.1, 12.1.2, 12.1.3
Fusion Middleware
Oracle Access Manager, version(s) 11.1.1.7, 11.1.2.2
Fusion Middleware
Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7, 11.1.1.9
Fusion Middleware
Oracle Business Intelligence Enterprise Edition, Mobile App version(s) prior to 11.1.1.7.0 (11.6.39)
Fusion Middleware
Oracle Data Integrator, version(s) 11.1.1.3.0
Fusion Middleware
Oracle Directory Server Enterprise Edition, version(s) 7.0, 11.1.1.7
Fusion Middleware
Oracle Endeca Information Discovery Studio, version(s) 2.2.2, 2.3, 2.4, 3.0, 3.1
Fusion Middleware
Oracle Event Processing, version(s) 11.1.1.7, 12.1.3.0
Fusion Middleware
Oracle Exalogic Infrastructure, version(s) 2.0.6.2
Fusion Middleware
Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2
Fusion Middleware
Oracle iPlanet Web Proxy Server, version(s) 4.0
Fusion Middleware
Oracle iPlanet Web Server, version(s) 6.1, 7.0
Fusion Middleware
Oracle JDeveloper, version(s) 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0, 12.1.3.0.0
Fusion Middleware
Oracle OpenSSO, version(s) 3.0-05
Fusion Middleware
Oracle Traffic Director, version(s) 11.1.1.7.0
Fusion Middleware
Oracle Tuxedo, version(s) SALT 10.3, SALT 11.1.1.2.2, Tuxedo 12.1.1.0
Fusion Middleware
Oracle Web Cache, version(s) 11.1.1.7.0
Fusion Middleware
Oracle WebCenter Portal, version(s) 11.1.1.8.0, 11.1.1.9.0
Fusion Middleware
Oracle WebCenter Sites, version(s) 11.1.1.6.1 Community, 11.1.1.8.0 Community, 12.2.1.0
Fusion Middleware
Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0
Fusion Middleware
Hyperion Common Security, version(s) 11.1.2.2, 11.1.2.3, 11.1.2.4
Fusion Middleware
Hyperion Enterprise Performance Management Architect, version(s) 11.1.2.2, 11.1.2.3
Fusion Middleware
Hyperion Essbase, version(s) 11.1.2.2, 11.1.2.3
Fusion Middleware
Enterprise Manager Base Platform, version(s) 11.1.0.1
Enterprise Manager
Enterprise Manager for Oracle Database, version(s) 11.1.0.7, 11.2.0.3, 11.2.0.4
Enterprise Manager
Enterprise Manager Plugin for Oracle Database, version(s) 12.1.0.5, 12.1.0.6, 12.1.0.7
Enterprise Manager
Oracle E-Business Suite, version(s) 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4
E-Business Suite
Oracle Agile PLM, version(s) 9.3.4
Oracle Supply Chain Products
Oracle Agile PLM Framework, version(s) 9.3.3
Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, version(s) 6.0.0.7, 6.1.0.3, 6.1.1.5, 6.2.0.0
Oracle Supply Chain Products
Oracle Transportation Management, version(s) 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
Oracle Supply Chain Products
PeopleSoft Enterprise HCM Candidate Gateway, version(s) 9.1, 9.2
PeopleSoft
PeopleSoft Enterprise HCM Talent Acquisition Manager, version(s) 9.1, 9.2
PeopleSoft
PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54
PeopleSoft
PeopleSoft Enteprise Portal - Interaction Hub, version(s) 9.1.00
PeopleSoft
Siebel Apps - E-Billing, version(s) 6.1, 6.1.1, 6.2
Siebel
Siebel Core - Server OM Svcs, version(s) 8.1.1, 8.2.2, 15.0
Siebel
Siebel UI Framework, version(s) 8.1.1, 8.2.2, 15.0
Siebel
Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 3.0.2, 3.1.1, 3.1.2, 11.0, 11.1
Oracle Commerce
Oracle Communications Messaging Server, version(s) 7.0
Communications
Oracle Communications Session Border Controller, version(s) prior to 7.2.0m4
Communications
Oracle Java FX, version(s) 2.2.80
Oracle Java SE
Oracle Java SE, version(s) 6u95, 7u80, 8u45
Oracle Java SE
Oracle Java SE Embedded, version(s) 7u75, 8u33
Oracle Java SE
Oracle JRockit, version(s) R28.3.6
Oracle Java SE
Fujitsu M10-1, M10-4, M10-4S Servers, version(s) XCP prior to XCP 2260
Oracle and Sun Systems Products Suite
Integrated Lights Out Manager (ILOM), Sun System Firmware version(s) prior to 8.7.2.b, 9.4.2e
Oracle and Sun Systems Products Suite
Oracle Ethernet Switch ES2-72, Oracle Ethernet Switch ES2-64, version(s) prior to 1.9.1.2
Oracle and Sun Systems Products Suite
Oracle Switch ES1-24, version(s) prior to 1.3.1
Oracle and Sun Systems Products Suite
Oracle VM Server for SPARC, version(s) 3.2
Oracle and Sun Systems Products Suite
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) XCP prior to XCP 1120
Oracle and Sun Systems Products Suite
Solaris, version(s) 10, 11.2
Oracle and Sun Systems Products Suite
Solaris Cluster, version(s) 3.3, 4.2
Oracle and Sun Systems Products Suite
Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) prior to 1.2.2
Oracle and Sun Systems Products Suite
Sun Network 10GE Switch 72p, version(s) prior to 1.2.2
Oracle and Sun Systems Products Suite
Secure Global Desktop, version(s) 4.63, 4.71, 5.1, 5.2
Oracle Linux and Virtualization
Sun Ray Software, version(s) prior to 5.4.4
Oracle Linux and Virtualization
Oracle VM VirtualBox, version(s) prior to 4.0.32, 4.1.40, 4.2.32, 4.3.30
Oracle Linux and Virtualization
MySQL Server, version(s) 5.5.43 and earlier, 5.6.24 and earlier
Oracle MySQL Product Suite
Oracle Berkeley DB, version(s) 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
Berkeley DB
Patch Availability Table and Risk Matrices****Patch Availability Table
For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update July 2015 Documentation Map, My Oracle Support Note 1999242.1.
Product Group
Risk Matrix
Patch Availability and Installation Information
Oracle Database
Oracle Database Risk Matrix
Patch Set Update and Critical Patch Update July 2015 Availability Document, My Oracle Support Note 2005667.1
Oracle Fusion Middleware
Oracle Fusion Middleware Risk Matrix
Patch Set Update and Critical Patch Update July 2015 Availability Document, My Oracle Support Note 2005667.1
Oracle Fusion Applications
Oracle Database Risk Matrix and Oracle Fusion Middleware Risk Matrix
Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document (July 2015) My Oracle Support Note 2019778.1 for information on patches to be applied to Fusion Application environments.
Oracle Hyperion
Oracle Hyperion
Patch Set Update and Critical Patch Update July 2015 Availability Document, My Oracle Support Note 2005667.1
Oracle Enterprise Manager
Oracle Enterprise Manage Risk Matrix
Patch Set Update and Critical Patch Update July 2015 Availability Document, My Oracle Support Note 2005667.1
Oracle Applications - E-Business Suite
Oracle E-Business Suite Risk Matrix
Patch Set Update and Critical Patch Update July 2015 Availability Document, My Oracle Support Note 2013117.1
Oracle Applications - Oracle Supply Chain, PeopleSoft Enterprise, and Siebel
Oracle Supply Chain Risk Matrix Oracle PeopleSoft Enterprise Risk Matrix Oracle Siebel Risk Matrix
Critical Patch Update Knowledge Document for Oracle Supply Chain, PeopleSoft Enterprise, and Siebel Product Suite, My Oracle Support Note 2024178.1
Oracle Commerce Platform
Oracle Commerce Platform Risk Matrix
Critical Patch Update July 2015 Patch Availability Document for Oracle Commerce Guided Search / Oracle Commerce Experience Manager, My Oracle Support Note 2030072.1
Oracle Industry Applications - Oracle Communications Applications
Oracle Communications Applications Risk Matrix
- Critical Patch Update July 2015 Patch Availability Document for Oracle Communications Messaging Server, My Oracle Support Note 2024564.1
- Critical Patch Update July 2015 Patch Availability Document for Oracle Communications Session Border Controller, My Oracle Support Note 2030705.1
Oracle Java SE
Oracle SE Risk Matrix
- Critical Patch Update July 2015 Patch Availability Document for Java SE, My Oracle Support Note 2011937.1
- Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release
- The latest JavaFX release is included with the latest update of JDK and JRE 7 and 8
Oracle and Sun Systems Products Suite
Oracle and Sun Systems Products Suite Risk Matrix
Critical Patch Update July 2015 Patch Delivery Document for Oracle and Sun Systems Product Suite, My Oracle Support Note 2018633.1
Oracle Linux and Virtualization Products
Oracle Linux and Virtualization Products Risk Matrix
Critical Patch Update July 2015 Patch Delivery Document for Oracle Linux and Virtualization Products, My Oracle Support Note 1992929.1
Oracle MySQL
Oracle MySQL Risk Matrix
Critical Patch Update July 2015 Patch Availability Document for Oracle MySQL Products, My Oracle Support Note 2024204.1
Oracle Berkeley DB
Oracle Berkeley DB Risk Matrix
Patch Set Update and Critical Patch Update July 2015 Availability Document, My Oracle Support Note 2030291.1
Risk Matrix Content
Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories . An English text version of the risk matrices provided in this document is available here.
Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.
Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.
Workarounds
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
Skipped Critical Patch Updates
Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.
Product Dependencies
Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update July 2015 Availability Document, My Oracle Support Note 2005667.1.
Critical Patch Update Supported Products and Versions
Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy . We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
Products in Extended Support
Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy . Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.
Credit Statement
The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Adam Willard of Foreground Security; an Anonymous researcher via Beyond Security’s SecuriTeam Secure Disclosure Program; Aniway.Anyway via HP’s Zero Day Initiative; Arezou Hosseinzad-Amirkhizi of TELUS Security Labs; Benjamin Kunz Mejri of Evolution Security; Borked of the Google Security Team; Brooks Li of Trend Micro; CERT/CC; Christiaan Esterhuizen of Trustwave; Christian Schneider; Danny Tsechansky of McAfee Security Research; David Jorm; David Litchfield of Google; Derek Abdine of rapid7.com; Florian Lukavsky of SEC Consult Vulnerability Lab; Florian Weimer of Red Hat; Hanno Böck; Jacob Smith; Juraj Somorovsky of Ruhr-University Bochum; Jörg Schwenk of Ruhr-University Bochum; Karthikeyan Bhargavan; Kyle Lovett; Lionel Debroux; Martin Rakhmanov of Trustwave; Mateusz Jurczyk of Google Project Zero; Microsoft Vulnerability Research of Microsoft Corp; Owais Mohammad Khan formerly of KPMG; Recx Ltd.; Richard Birkett of Worldpay; Richard Harrison of E.ON Business Services GmbH; Roberto Suggi Liverani of NATO Communications and Information Agency; Sandeep Kamble of SecureLayer7; Steven Seeley of HP’s Zero Day Initiative; Tibor Jager of Ruhr-University Bochum; Tudor Enache of Help AG; and Vladimir Wolstencroft.
Security-In-Depth Contributors
Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.
In this Critical Patch Update Advisory, Oracle recognizes Alexey Tyurin of ERPScan; Bart Kulach of NN Group N.V.; Chirag Paghadal; David Litchfield of Google; Jeroen Frijters; Mahesh V. Tripunitara of University of Waterloo; Mateusz Jurczyk of Google Project Zero; Pete Finnigan; Puneeth Gowda; Sumit Sahoo (54H00); Thomas Biege of SUSE; and Vishal V. Sonar of Control Case International Pvt Ltd. for contributions to Oracle’s Security-In-Depth program.
On-Line Presence Security Contributors
Oracle provides recognition to people that have contributed to our On-Line Presence Security program (see FAQ). People are recognized for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.
For this quarter, Oracle recognizes Adam Willard of Foreground Security; Ali Salem Saeed (Ali BawazeEer); Elvin Hayes Gentiles; Hamit ABİS; Indrajith AN; Jeremy Dilliplane; Milan A Solanki; Murat Yilmazlar; Peter Freak; Rodolfo Godalle Jr.; Shawar Khan; and Yuhong Bao for contributions to Oracle’s On-Line Presence Security program.
Critical Patch Update Schedule
Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 20 October 2015
- 19 January 2016
- 19 April 2016
- 19 July 2016
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Critical Patch Update - July 2015 Documentation Map [ My Oracle Support Note 1999242.1 ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
- English text version of the risk matrices [ Oracle Technology Network ]
- CVRF XML version of the risk matrices [ Oracle Technology Network ]
- The Oracle Software Security Assurance Blog [ The Oracle Software Security Assurance Blog ]
- List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
- Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]
Modification History
Date
Note
2016-July-07
Rev 5. Correction to Acknowledgements
2015-July-30
Rev 4. Correction to Acknowledgements
2015-July-17
Rev 3. Updated ILOM version
2015-July-15
Rev 2. Added note for CVE-2015-2629
2015-July-14
Rev 1. Initial Release
Appendix - Oracle Database Server****Oracle Database Server Executive Summary
This Critical Patch Update contains 10 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
Oracle Database Server Risk Matrix
CVE#
Component
Protocol
Package and/or Privilege Required
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authen- tication
Confiden- tiality
Integrity
Avail- ability
CVE-2015-2629
Java VM
Multiple
Create Session
No
9.0
Network
Low
Single
Complete
Complete
Complete
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
See Note 1
CVE-2015-2595
Oracle OLAP
Oracle Net
Create Session
No
6.5
Network
Low
Single
Partial+
Partial+
Partial+
12.1.0.1, 12.1.0.2
CVE-2015-0468
Core RDBMS
Oracle Net
Analyze Any or Create Materialized View
No
6.0
Network
Medium
Single
Partial+
Partial+
Partial+
11.1.0.7, 11.2.0.3, 12.1.0.1
CVE-2015-4740
RDBMS Partitioning
Oracle Net
Create Session, Create Any Index, Index object privilege on a Table
No
6.0
Network
Medium
Single
Partial+
Partial+
Partial+
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2015-2655
Application Express
HTTP
Valid Account
No
5.5
Network
Low
Single
Partial
Partial
None
All versions prior to 4.2.3.00.08
CVE-2015-4755
RDBMS Security
Oracle Net
None
Yes
5.0
Network
Low
None
Partial
None
None
12.1.0.2
CVE-2015-2586
Application Express
HTTP
None
Yes
4.3
Network
Medium
None
None
None
Partial
All releases prior to 4.2.1
CVE-2015-2599
RDBMS Scheduler
Oracle Net
Alter Session
No
4.0
Network
Low
Single
Partial+
None
None
11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2015-2585
Application Express
HTTP
Valid Account
No
2.1
Network
High
Single
None
None
Partial
All versions prior to 5.0
CVE-2015-4753
RDBMS Support Tools
None
None
No
2.1
Local
Low
None
Partial+
None
None
11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
Notes:
- The CVSS score is 9.0 only on Windows for Database versions prior to 12c. The CVSS is 6.5 (Confidentiality, Integrity and Availability is “Partial+”) for Database 12c on Windows and for all versions of Database on Linux, Unix and other platforms.
Appendix - Oracle Fusion Middleware****Oracle Fusion Middleware Executive Summary
This Critical Patch Update contains 39 new security fixes for Oracle Fusion Middleware. 36 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the July 2015 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2015 Patch Availability Document for Oracle Products,My Oracle Support Note 2005667.1.
Oracle Fusion Middleware Risk Matrix
CVE#
Component
Protocol
Sub- component
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authen- tication
Confiden- tiality
Integrity
Avail- ability
CVE-2013-2186
Oracle Business Intelligence Enterprise Edition
HTTP
BI Platform Security
Yes
7.5
Network
Low
None
Partial
Partial
Partial
11.1.1.7, 11.1.1.9
CVE-2014-1568
Oracle Directory Server Enterprise Edition
HTTPS
Admin Server
Yes
7.5
Network
Low
None
Partial
Partial
Partial
7.0, 11.1.1.7
CVE-2015-4745
Oracle Endeca Information Discovery Studio
HTTP
Integrator
Yes
7.5
Network
Low
None
Partial
Partial
Partial
2.2.2, 2.3, 2.4, 3.0, 3.1
CVE-2015-2603
Oracle Endeca Information Discovery Studio
HTTP
Integrator
Yes
7.5
Network
Low
None
Partial
Partial
Partial
2.2.2, 2.3, 2.4, 3.0, 3.1
CVE-2015-2602
Oracle Endeca Information Discovery Studio
HTTP
Integrator
Yes
7.5
Network
Low
None
Partial
Partial
Partial
2.2.2, 2.3, 2.4, 3.0, 3.1
CVE-2015-2604
Oracle Endeca Information Discovery Studio
HTTP
Integrator
Yes
7.5
Network
Low
None
Partial
Partial
Partial
2.2.2, 2.3, 2.4, 3.0, 3.1
CVE-2015-2605
Oracle Endeca Information Discovery Studio
HTTP
Integrator
Yes
7.5
Network
Low
None
Partial
Partial
Partial
2.2.2, 2.3, 2.4, 3.0, 3.1
CVE-2015-2606
Oracle Endeca Information Discovery Studio
HTTP
Integrator
Yes
7.5
Network
Low
None
Partial
Partial
Partial
2.2.2, 2.3, 2.4, 3.0, 3.1
CVE-2014-1569
Oracle GlassFish Server
SSL/TLS
Security
Yes
7.5
Network
Low
None
Partial
Partial
Partial
2.1.1
CVE-2014-1568
Oracle OpenSSO
HTTPS
Web Agents
Yes
7.5
Network
Low
None
Partial
Partial
Partial
3.0-05
See Note 1
CVE-2014-1568
Oracle Traffic Director
HTTPS
Security
Yes
7.5
Network
Low
None
Partial
Partial
Partial
11.1.1.7.0
CVE-2014-1569
Oracle iPlanet Web Proxy Server
HTTPS
Security
Yes
7.5
Network
Low
None
Partial
Partial
Partial
4.0
CVE-2014-1569
Oracle iPlanet Web Server
HTTPS
Security
Yes
7.5
Network
Low
None
Partial
Partial
Partial
6.1, 7.0
CVE-2015-2593
Oracle Access Manager
HTTP
Configuration Service
No
7.1
Adjacent Network
Low
Single
Complete
Complete
None
11.1.2.2
CVE-2014-3567
Oracle Tuxedo
HTTPS
Network Encryption
Yes
7.1
Network
Medium
None
None
None
Complete
Tuxedo 12.1.1.0
CVE-2015-0443
Oracle Data Integrator
HTTP
Data Quality based on Trillium
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
11.1.1.3.0
CVE-2015-0444
Oracle Data Integrator
HTTP
Data Quality based on Trillium
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
11.1.1.3.0
CVE-2015-0445
Oracle Data Integrator
HTTP
Data Quality based on Trillium
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
11.1.1.3.0
CVE-2015-0446
Oracle Data Integrator
HTTP
Data Quality based on Trillium
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
11.1.1.3.0
CVE-2015-4759
Oracle Data Integrator
HTTP
Data Quality based on Trillium
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
11.1.1.3.0
CVE-2015-4758
Oracle Data Integrator
HTTP
Data Quality based on Trillium
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
11.1.1.3.0
CVE-2015-2634
Oracle Data Integrator
HTTP
Data Quality based on Trillium
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
11.1.1.3.0
CVE-2015-2635
Oracle Data Integrator
HTTP
Data Quality based on Trillium
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
11.1.1.3.0
CVE-2015-2636
Oracle Data Integrator
HTTP
Data Quality based on Trillium
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
11.1.1.3.0
CVE-2015-4747
Oracle Event Processing
HTTP
CEP system
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
11.1.1.7, 12.1.3.0
CVE-2014-7809
Oracle WebCenter Sites
HTTP
Community
Yes
6.8
Network
Medium
None
Partial
Partial
Partial
11.1.1.6.1 Community, 11.1.1.8.0 Community, 12.2.1.0
CVE-2015-1926
Oracle WebCenter Portal
HTTP
Portlet Services
No
5.5
Network
Low
Single
Partial
Partial
None
11.1.1.8.0, 11.1.1.9.0
See Note 2
CVE-2015-4751
Oracle Access Manager
HTTP
Authentication Engine
Yes
5.0
Network
Low
None
None
None
Partial
11.1.1.7, 11.1.2.2
CVE-2015-0286
Oracle Exalogic Infrastructure
HTTPS
Network Infra Framework
Yes
5.0
Network
Low
None
None
None
Partial
2.0.6.2
See Note 3
CVE-2015-4742
Oracle JDeveloper
HTTP
ADF Faces
Yes
5.0
Network
Low
None
None
None
Partial+
11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0, 12.1.3.0.0
CVE-2014-3571
Oracle Tuxedo
HTTPS
Network Encryption
Yes
5.0
Network
Low
None
None
None
Partial
Tuxedo 12.1.1.0
CVE-2015-0286
Oracle Tuxedo
HTTPS
Network Encryption
Yes
5.0
Network
Low
None
None
None
Partial
Tuxedo 12.1.1.0
CVE-2015-2658
Web Cache
HTTPS
SSL/TLS Support
Yes
5.0
Network
Low
None
Partial
None
None
11.1.1.7.0
CVE-2015-2623
Oracle GlassFish Server
HTTP
Java Server Faces
Yes
4.3
Network
Medium
None
None
Partial
None
3.0.1, 3.1.2
CVE-2014-3566
Oracle Tuxedo
HTTPS
Network Encryption
Yes
4.3
Network
Medium
None
Partial
None
None
SALT 10.3, SALT 11.1.1.2.2
CVE-2015-2623
Oracle WebLogic Server
HTTP
Java Server Faces
Yes
4.3
Network
Medium
None
None
Partial
None
10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0
CVE-2015-2598
Oracle Business Intelligence Enterprise Edition
HTTP
Mobile - iPad
No
3.5
Network
Medium
Single
None
Partial
None
All versions prior to mobile app 11.1.1.7.0 (11.6.39)
CVE-2015-4744
Oracle GlassFish Server
HTTP
Java Server Faces
Yes
2.6
Network
High
None
None
Partial
None
2.1.1, 3.0.1, 3.1.2
CVE-2015-4744
Oracle WebLogic Server
HTTP
Web Container
Yes
2.6
Network
High
None
None
Partial
None
10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0
Notes:
- This fix also addresses CVE-2014-1569.
- Please refer to My Oracle Support Note 2029169.1 for instructions on how to address this issue.This fix also addresses CVE-2015-3244.
- The fix also addresses CVE-2015-0204,CVE-2015-0288,CVE-2015-0291,CVE-2015-0289,CVE-2015-0287,CVE-2015-0285,CVE-2015-0209,CVE-2015-0290,CVE-2015-0208,CVE-2015-0207,CVE-2015-0293,CVE-2015-0292 and CVE-2015-1787.
Appendix - Oracle Hyperion****Oracle Hyperion Executive Summary
This Critical Patch Update contains 4 new security fixes for Oracle Hyperion. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here .
Oracle Hyperion Risk Matrix
CVE#
Component
Protocol
Sub- component
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authen- tication
Confiden- tiality
Integrity
Avail- ability
CVE-2012-0036
Hyperion Essbase
HTTP
Infrastructure
Yes
7.5
Network
Low
None
Partial
Partial
Partial
11.1.2.2, 11.1.2.3
See Note 1
CVE-2015-4773
Hyperion Common Security
HTTP
User Account Update
No
4.0
Network
Low
Single
None
None
Partial
11.1.2.2, 11.1.2.3, 11.1.2.4
CVE-2015-2584
Hyperion Enterprise Performance Management Architect
HTTP
Security
No
4.0
Network
Low
Single
None
Partial
None
11.1.2.2, 11.1.2.3
CVE-2015-2592
Hyperion Enterprise Performance Management Architect
HTTP
Security
No
3.5
Network
Medium
Single
None
Partial
None
11.1.2.2, 11.1.2.3
Notes:
- This fix also addresses CVE-2011-3389, CVE-2013-0249, CVE-2013-2174, CVE-2013-4545, CVE-2013-6422, CVE-2014-0015, CVE-2014-0138, CVE-2014-0139, CVE-2014-3613, CVE-2014-3707 .
Appendix - Oracle Enterprise Manager Grid Control****Oracle Enterprise Manager Grid Control Executive Summary
This Critical Patch Update contains 3 new security fixes for Oracle Enterprise Manager Grid Control. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.
Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2015 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2015 Patch Availability Document for Oracle Products, My Oracle Support Note 2005667.1.
Oracle Enterprise Manager Grid Control Risk Matrix
CVE#
Component
Protocol
Sub- component
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authen- tication
Confiden- tiality
Integrity
Avail- ability
CVE-2015-2647
Enterprise Manager for Oracle Database
HTTP
Content Management
No
5.5
Network
Low
Single
Partial+
Partial+
None
EM Base Platform: 11.1.0.1; EM Plugin for DB: 12.1.0.5, 12.1.0.6, 12.1.0.7; EM DB Control: 11.1.0.7, 11.2.0.3, 11.2.0.4
CVE-2015-4735
Enterprise Manager for Oracle Database
HTTP
RAC Management
Yes
5.0
Network
Low
None
Partial
None
None
EM Base Platform: 11.1.0.1; EM DB Control: 11.2.0.3, 11.2.0.4
CVE-2015-2646
Enterprise Manager for Oracle Database
HTTP
Content Management
Yes
4.3
Network
Medium
None
None
Partial
None
EM Base Platform: 11.1.0.1; EM Plugin for DB: 12.1.0.5, 12.1.0.6, 12.1.0.7; EM DB Control: 11.1.0.7, 11.2.0.3, 11.2.0.4
Appendix - Oracle Applications****Oracle E-Business Suite Executive Summary
This Critical Patch Update contains 13 new security fixes for the Oracle E-Business Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2015 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (July 2015), My Oracle Support Note 2013117.1.
Oracle E-Business Suite Risk Matrix
CVE#
Component
Protocol
Sub- component
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authen- tication
Confiden- tiality
Integrity
Avail- ability
CVE-2015-2615
Oracle Applications Framework
HTTP
Portal
Yes
5.0
Network
Low
None
Partial
None
None
12.0.6, 12.1.3, 12.2.3
CVE-2014-3571
Oracle HTTP Server
HTTPS
OpenSSL
Yes
5.0
Network
Low
None
None
None
Partial
11.5.10.2
CVE-2015-2652
Oracle Marketing
HTTP
Web Management
Yes
5.0
Network
Low
None
None
Partial
None
11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4
CVE-2015-2610
Oracle Applications Framework
HTTP
Popup windows
Yes
4.3
Network
Medium
None
None
Partial
None
12.0.6, 12.1.3, 12.2.3, 12.2.4
CVE-2015-2630
Technology stack
HTTP
Applet startup
Yes
4.3
Network
Medium
None
None
Partial
None
11.5.10.2, 12.0.6, 12.1.3
CVE-2015-4743
Oracle Applications DBA
HTTP
AD Utilities
No
4.0
Network
Low
Single
Partial
None
None
12.2.3
CVE-2015-1926
Oracle Applications Framework
HTTP
Portal
No
4.0
Network
Low
Single
Partial
None
None
12.2.3, 12.2.4
CVE-2015-4728
Oracle Sourcing
HTTP
Bid/Quote creation
No
4.0
Network
Low
Single
Partial
None
None
12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4
CVE-2015-4739
Oracle Application Object Library
HTTP
Help screens
No
3.5
Network
Medium
Single
None
Partial
None
11.5.10.2
CVE-2015-4741
Oracle Applications Framework
HTTP
Dialog popup
No
3.5
Network
Medium
Single
None
Partial
None
12.2.4
CVE-2015-4765
Oracle Applications Manager
HTTP
OAM Dashboard
No
3.5
Network
Medium
Single
None
Partial
None
12.1.3, 12.2.3, 12.2.4
CVE-2015-2645
Oracle Web Applications Desktop Integrator
HTTP
Create document
No
3.5
Network
Medium
Single
None
Partial
None
11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4
CVE-2015-2618
Oracle Application Object Library
HTTP
Input validation
No
2.1
Network
High
Single
None
Partial
None
11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4
Oracle Supply Chain Products Suite Executive Summary
This Critical Patch Update contains 7 new security fixes for the Oracle Supply Chain Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here .
Oracle Supply Chain Products Suite Risk Matrix
CVE#
Component
Protocol
Sub- component
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authen- tication
Confiden- tiality
Integrity
Avail- ability
CVE-2015-2663
Oracle Transportation Management
HTTPS
Business Process Automation
No
7.5
Network
Low
Single
Complete
Partial+
None
6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
CVE-2015-2644
Oracle Agile PLM Framework
HTTPS
Security
Yes
4.3
Network
Medium
None
Partial
None
None
9.3.3
CVE-2015-4746
Oracle Agile Product Lifecycle Management for Process
HTTPS
Global Spec Management
No
4.0
Network
Low
Single
Partial
None
None
6.0.0.7, 6.1.0.3, 6.1.1.5, 6.2.0.0
CVE-2015-4768
Oracle Transportation Management
HTTP
Diagnostics
No
4.0
Network
Low
Single
Partial
None
None
6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
CVE-2015-2657
Oracle Transportation Management
HTTPS
Business Process Automation
No
4.0
Network
Low
Single
Partial
None
None
6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
CVE-2015-2660
Oracle Agile PLM
HTTPS
Oracle Agile PLM Framework
No
3.6
Network
High
Single
Partial
Partial
None
9.3.4
CVE-2015-4763
Oracle Agile PLM
HTTPS
Security
No
3.6
Network
High
Single
Partial
Partial
None
9.3.4
Oracle PeopleSoft Products Executive Summary
This Critical Patch Update contains 8 new security fixes for Oracle PeopleSoft Products. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here .
Oracle PeopleSoft Products Risk Matrix
CVE#
Component
Protocol
Sub- component
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authen- tication
Confiden- tiality
Integrity
Avail- ability
CVE-2015-3456
PeopleSoft Enterprise PT PeopleTools
None
PeopleSoft-VM
No
7.7
Adjacent Network
Low
Single
Complete
Complete
Complete
8.53, 8.54
CVE-2015-0286
PeopleSoft Enterprise PeopleTools
HTTPS
Security
Yes
5.0
Network
Low
None
None
None
Partial
8.53, 8.54
CVE-2015-0467
PeopleSoft Enterprise HCM Talent Acquisition Manager
HTTPS
Security
Yes
4.3
Network
Medium
None
None
Partial
None
9.1, 9.2
CVE-2015-2588
PeopleSoft Enterprise PeopleTools
HTTP
PIA Core Technology
Yes
4.3
Network
Medium
None
None
Partial
None
8.53, 8.54
CVE-2015-2622
PeopleSoft Enterprise PeopleTools
HTTPS
Fluid Core
Yes
4.3
Network
Medium
None
None
Partial
None
8.54
CVE-2015-2591
PeopleSoft Enteprise Portal - Interaction Hub
HTTPS
Enterprise Portal
No
4.0
Network
Low
Single
None
Partial
None
9.1.00
CVE-2015-4738
PeopleSoft Enterprise HCM Candidate Gateway
HTTPS
Security
No
4.0
Network
Low
Single
Partial
None
None
9.1, 9.2
CVE-2015-2650
PeopleSoft Enterprise PeopleTools
HTTPS
Multichannel Framework
No
4.0
Network
Low
Single
Partial
None
None
8.53, 8.54
Oracle Siebel CRM Executive Summary
This Critical Patch Update contains 5 new security fixes for Oracle Siebel CRM. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Siebel CRM Risk Matrix
CVE#
Component
Protocol
Sub- component
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authen- tication
Confiden- tiality
Integrity
Avail- ability
CVE-2013-2251
Siebel Apps - E-Billing
HTTPS
Security
Yes
9.3
Network
Medium
None
Complete
Complete
Complete
6.1, 6.1.1, 6.2
CVE-2015-2612
Siebel Core - Server OM Svcs
HTTPS
LDAP Security Adapter
Yes
4.3
Network
Medium
None
Partial
None
None
8.1.1, 8.2.2, 15.0
CVE-2015-2587
Siebel UI Framework
HTTPS
SWSE Server Infrastructure
Yes
4.3
Network
Medium
None
None
Partial
None
8.1.1, 8.2.2, 15.0
CVE-2015-2600
Siebel Core - Server OM Svcs
HTTPS
Security
No
3.5
Network
Medium
Single
Partial
None
None
8.1.1, 8.2.2, 15.0
CVE-2015-2649
Siebel UI Framework
HTTPS
UIF Open UI
No
3.5
Network
Medium
Single
Partial
None
None
8.1.1, 8.22, 15.0
Oracle Commerce Platform Executive Summary
This Critical Patch Update contains 2 new security fixes for Oracle Commerce Platform. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Commerce Platform Risk Matrix
CVE#
Component
Protocol
Sub- component
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authen- tication
Confiden- tiality
Integrity
Avail- ability
CVE-2015-2653
Oracle Commerce Guided Search / Oracle Commerce Experience Manager
HTTP
Content Acquisition System
Yes
6.4
Network
Low
None
Partial
Partial
None
3.1.1, 3.1.2, 11.0, 11.1
CVE-2015-2607
Oracle Commerce Guided Search / Oracle Commerce Experience Manager
HTTP
Content Acquisition System
Yes
5.0
Network
Low
None
Partial
None
None
3.0.2, 3.1.1, 3.1.2, 11.0, 11.1
Appendix - Oracle Industry Applications****Oracle Communications Applications Executive Summary
This Critical Patch Update contains 2 new security fixes for Oracle Communications Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Communications Applications Risk Matrix
CVE#
Component
Protocol
Sub- component
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authen- tication
Confiden- tiality
Integrity
Avail- ability
CVE-2015-0235
Oracle Communications Session Border Controller
Multiple
Glibc
Yes
10.0
Network
Low
None
Complete
Complete
Complete
Versions prior to 7.2.0m4
CVE-2014-1569
Oracle Communications Messaging Server
SSL/TLS
Security
Yes
7.5
Network
Low
None
Partial
Partial
Partial
7.0
Appendix - Oracle Java SE****Oracle Java SE Executive Summary
This Critical Patch Update contains 25 new security fixes for Oracle Java SE. 23 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Partial” instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.
Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.
Oracle Java SE Risk Matrix
CVE#
Component
Protocol
Sub- component
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authen- tication
Confiden- tiality
Integrity
Avail- ability
CVE-2015-4760
Java SE
Multiple
2D
Yes
10.0
Network
Low
None
Complete
Complete
Complete
Java SE 6u95, Java SE 7u80, Java SE 8u45
See Note 1
CVE-2015-2628
Java SE, Java SE Embedded
Multiple
CORBA
Yes
10.0
Network
Low
None
Complete
Complete
Complete
Java SE 6u95, Java SE 7u80, Java SE 8u45, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 1
CVE-2015-4731
Java SE, Java SE Embedded
Multiple
JMX
Yes
10.0
Network
Low
None
Complete
Complete
Complete
Java SE 6u95, Java SE 7u80, Java SE 8u45, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 1
CVE-2015-2590
Java SE, Java SE Embedded
Multiple
Libraries
Yes
10.0
Network
Low
None
Complete
Complete
Complete
Java SE 6u95, Java SE 7u80, Java SE 8u45, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 1
CVE-2015-4732
Java SE, Java SE Embedded
Multiple
Libraries
Yes
10.0
Network
Low
None
Complete
Complete
Complete
Java SE 6u95, Java SE 7u80, Java SE 8u45, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 1
CVE-2015-4733
Java SE, Java SE Embedded
Multiple
RMI
Yes
10.0
Network
Low
None
Complete
Complete
Complete
Java SE 6u95, Java SE 7u80, Java SE 8u45, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 1
CVE-2015-2638
Java SE, JavaFX, Java SE Embedded
Multiple
2D
Yes
10.0
Network
Low
None
Complete
Complete
Complete
Java SE 6u95, Java SE 7u80, Java SE 8u45, JavaFX 2.2.80, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 1
CVE-2015-4736
Java SE
Multiple
Deployment
Yes
9.3
Network
Medium
None
Complete
Complete
Complete
Java SE 7u80, Java SE 8u45
See Note 1
CVE-2015-4748
Java SE, JRockit, Java SE Embedded
OCSP
Security
Yes
7.6
Network
High
None
Complete
Complete
Complete
Java SE 6u95, Java SE 7u80, Java SE 8u45, JRockit R28.3.6, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 2
CVE-2015-2597
Java SE
None
Install
No
7.2
Local
Low
None
Complete
Complete
Complete
Java SE 7u80, Java SE 8u45
See Note 3
CVE-2015-2664
Java SE
None
Deployment
No
6.9
Local
Medium
None
Complete
Complete
Complete
Java SE 6u95, Java SE 7u80, Java SE 8u45
See Note 1
CVE-2015-2632
Java SE
Multiple
2D
Yes
5.0
Network
Low
None
Partial
None
None
Java SE 6u95, Java SE 7u80, Java SE 8u45
See Note 1
CVE-2015-2601
Java SE, JRockit, Java SE Embedded
Multiple
JCE
Yes
5.0
Network
Low
None
Partial
None
None
Java SE 6u95, Java SE 7u80, Java SE 8u45, JRockit R28.3.6, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 2
CVE-2015-2613
Java SE, Java SE Embedded
Multiple
JCE
Yes
5.0
Network
Low
None
Partial
None
None
Java SE 7u80, Java SE 8u45, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 2
CVE-2015-2621
Java SE, Java SE Embedded
Multiple
JMX
Yes
5.0
Network
Low
None
Partial
None
None
Java SE 6u95, Java SE 7u80, Java SE 8u45, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 1
CVE-2015-2659
Java SE, Java SE Embedded
Multiple
Security
Yes
5.0
Network
Low
None
None
None
Partial
Java SE 8u45, Java SE Embedded 8u33
See Note 2
CVE-2015-2619
Java SE, JavaFX, Java SE Embedded
Multiple
2D
Yes
5.0
Network
Low
None
Partial
None
None
Java SE 7u80, Java SE 8u45, JavaFX 2.2.80, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 1
CVE-2015-2637
Java SE, JavaFX, Java SE Embedded
Multiple
2D
Yes
5.0
Network
Low
None
Partial
None
None
Java SE 6u95, Java SE 7u80, Java SE 8u45, JavaFX 2.2.80, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 1
CVE-2015-2596
Java SE
Multiple
Hotspot
Yes
4.3
Network
Medium
None
None
Partial
None
Java SE 7u80
See Note 1
CVE-2015-4749
Java SE, JRockit, Java SE Embedded
Multiple
JNDI
Yes
4.3
Network
Medium
None
None
None
Partial
Java SE 6u95, Java SE 7u80, Java SE 8u45, JRockit R28.3.6, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 2
CVE-2015-4729
Java SE
Multiple
Deployment
Yes
4.0
Network
High
None
Partial
Partial
None
Java SE 7u80, Java SE 8u45
See Note 1
CVE-2015-4000
Java SE, JRockit, Java SE Embedded
SSL/TLS
JSSE
Yes
4.0
Network
High
None
Partial
Partial
None
Java SE 6u95, Java SE 7u80, Java SE 8u45, JRockit R28.3.6, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 4
CVE-2015-2808
Java SE, JRockit, Java SE Embedded
SSL/TLS
JSSE
Yes
4.0
Network
High
None
Partial
Partial
None
Java SE 6u95, Java SE 7u80, Java SE 8u45, JRockit R28.3.6, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 4
CVE-2015-2627
Java SE
Multiple
Install
Yes
2.6
Network
High
None
Partial
None
None
Java SE 6u95, Java SE 7u80, Java SE 8u45
See Note 5
CVE-2015-2625
Java SE, JRockit, Java SE Embedded
SSL/TLS
JSSE
Yes
2.6
Network
High
None
Partial
None
None
Java SE 6u95, Java SE 7u80, Java SE 8u45, JRockit R28.3.6, Java SE Embedded 7u75, Java SE Embedded 8u33
See Note 4
Notes:
- Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
- Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
- Applies to Mac OS X only.
- Applies to client and server deployment of JSSE.
- Applies to installation process on client deployment of Java.
Appendix - Oracle Sun Systems Products Suite****Oracle Sun Systems Products Suite Executive Summary
This Critical Patch Update contains 21 new security fixes for the Oracle Sun Systems Products Suite. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Sun Systems Products Suite Risk Matrix
CVE#
Component
Protocol
Sub- component
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authen- tication
Confiden- tiality
Integrity
Avail- ability
CVE-2015-0235
Integrated Lights Out Manager (ILOM)
Multiple
Glibc
Yes
10.0
Network
Low
None
Complete
Complete
Complete
Sun System Firmware prior to 8.7.2.b, 9.4.2e
CVE-2015-0235
Oracle Ethernet Switch ES2-72, Oracle Ethernet Switch ES2-64
Multiple
Glibc
Yes
10.0
Network
Low
None
Complete
Complete
Complete
Versions prior to 1.9.1.2
CVE-2015-0235
Oracle Switch ES1-24
Multiple
Glibc
Yes
10.0
Network
Low
None
Complete
Complete
Complete
Versions prior to 1.3.1
CVE-2015-0235
Sun Blade 6000 Ethernet Switched NEM 24P 10GE
Multiple
Glibc
Yes
10.0
Network
Low
None
Complete
Complete
Complete
Versions prior to 1.2.2
CVE-2015-0235
Sun Network 10GE Switch 72p
Multiple
Glibc
Yes
10.0
Network
Low
None
Complete
Complete
Complete
Versions prior to 1.2.2
CVE-2015-0235
Fujitsu M10-1, M10-4, M10-4S Servers
None
XCP Firmware
No
7.2
Local
Low
None
Complete
Complete
Complete
XCP prior to XCP 2260
CVE-2015-0235
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers
None
XCP Firmware
No
7.2
Local
Low
None
Complete
Complete
Complete
XCP prior to XCP 1120
CVE-2015-2631
Solaris
None
rmformat Utility
No
7.2
Local
Low
None
Complete
Complete
Complete
10, 11.2
CVE-2014-3571
Fujitsu M10-1, M10-4, M10-4S Servers
SSL/TLS
OpenSSL
Yes
5.0
Network
Low
None
None
None
Partial
XCP prior to XCP 2260
See Note 1
CVE-2014-3571
Integrated Lights Out Manager (ILOM)
SSL/TLS
OpenSSL
Yes
5.0
Network
Low
None
None
None
Partial
Sun System Firmware prior to 8.7.2.b, 9.4.2e
See Note 2
CVE-2015-4750
Oracle VM Server for SPARC
Multiple
LDOM Manager
Yes
5.0
Network
Low
None
None
None
Partial
3.2
CVE-2013-5704
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers
HTTP
Apache HTTP Server
Yes
5.0
Network
Low
None
None
Partial
None
XCP prior to XCP 1120
CVE-2014-3570
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers
SSL/TLS
OpenSSL
Yes
5.0
Network
Low
None
Partial
None
None
XCP prior to XCP 1120
See Note 3
CVE-2015-2609
Solaris
None
CPU performance counters drivers
No
4.9
Local
Low
None
None
None
Complete
11.2
CVE-2015-2614
Solaris
None
NVM Express SSD driver
No
4.9
Local
Low
None
None
None
Complete
11.2
CVE-2015-2589
Solaris
None
S10 Branded Zone
No
4.9
Local
Low
None
None
None
Complete
10, 11.2
CVE-2015-4770
Solaris
None
UNIX filesystem
No
4.9
Local
Low
None
None
None
Complete
10, 11.2
CVE-2015-2616
Solaris Cluster
None
DevFS
No
4.9
Local
Low
None
None
None
Complete
3.3, 4.2
CVE-2015-2651
Solaris
None
Kernel Zones virtualized NIC driver
No
3.8
Local
High
Single
None
None
Complete
11.2
CVE-2015-2662
Solaris
None
DHCP Server
No
1.9
Local
Medium
None
None
None
Partial
10, 11.2
CVE-2015-2580
Solaris
None
NFSv4
No
1.9
Local
Medium
None
None
None
Partial+
10, 11.2
Notes:
- This fix also addresses CVE-2014-3570, CVE-2014-3572, CVE-2014-8275 and CVE-2015-0204.
- This fix also addresses CVE-2015-0206, CVE-2015-0205, CVE-2015-0204, CVE-2014-8275, CVE-2014-3572, CVE-2014-3570 and CVE-2014-3569.
- This fix also addresses CVE-2014-3572, CVE-2014-8275 and CVE-2015-0204.
Appendix - Oracle Linux and Virtualization****Oracle Virtualization Executive Summary
This Critical Patch Update contains 11 new security fixes for Oracle Virtualization. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Virtualization Risk Matrix
CVE#
Component
Protocol
Sub- component
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authen- tication
Confiden- tiality
Integrity
Avail- ability
CVE-2014-0230
Oracle Secure Global Desktop
HTTP
Apache Tomcat
Yes
7.8
Network
Low
None
None
None
Complete
4.63, 4.71, 5.1
CVE-2015-4727
Sun Ray Software
HTTP
Web Console
Yes
7.5
Network
Low
None
Partial
Partial
Partial
Sun Ray Software prior to 5.4.4
CVE-2015-1803
Oracle Secure Global Desktop
None
LibXFont
No
6.8
Local
Low
Single
Complete
Complete
Complete
4.63, 4.71, 5.1, 5.2
See Note 1
CVE-2015-2594
Oracle VM VirtualBox
None
Core
No
6.6
Local
Medium
Single
Complete
Complete
Complete
VirtualBox prior to 4.0.32, 4.1.40, 4.2.32, 4.3.30
See Note 2
CVE-2014-8102
Oracle Secure Global Desktop
X11
X Server
No
6.5
Network
Low
Single
Partial
Partial
Partial
4.63, 4.71, 5.1, 5.2
See Note 3
CVE-2014-0227
Oracle Secure Global Desktop
HTTP
Apache Tomcat
Yes
6.4
Network
Low
None
None
Partial
Partial
4.63, 4.71, 5.1
CVE-2015-2581
Oracle Secure Global Desktop
HTTP
JServer
Yes
6.4
Network
Low
None
Partial
None
Partial
5.1, 5.2
CVE-2015-0255
Oracle Secure Global Desktop
X11
X Server
Yes
6.4
Network
Low
None
Partial
None
Partial
4.63, 4.71, 5.1, 5.2
CVE-2014-3571
Oracle Secure Global Desktop
SSL/TLS
OpenSSL
Yes
5.0
Network
Low
None
None
None
Partial
4.63, 4.71, 5.1
See Note 4
CVE-2015-0286
Oracle Secure Global Desktop
SSL/TLS
OpenSSL
Yes
5.0
Network
Low
None
None
None
Partial
4.63, 4.71, 5.1, 5.2
See Note 5
CVE-2010-1324
Oracle Secure Global Desktop
Kerberos
Kerberos
Yes
4.3
Network
Medium
None
None
Partial
None
4.63, 4.71, 5.1, 5.2
See Note 6
Notes:
- This fix also addresses CVE-2015-1802 and CVE-2015-1804.
- This issue affects Windows, Linux and Mac OS X hosts only when guests using bridged networking over Wifi. Solaris hosts don’t support this mode and therefore not affected by this issue.
- This fix also addresses CVE-2014-8091, CVE-2014-8092, CVE-2014-8093, CVE-2014-8095, CVE-2014-8096, CVE-2014-8097, CVE-2014-8098, CVE-2014-8100 and CVE-2014-8101.
- This fix also addresses CVE-2014-3569, CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205 and CVE-2015-0206.
- This fix also addresses CVE-2015-0287 and CVE-2015-0289. This fix also addresses CVE-2015-0204 in SGD 4.63, 4.71 and 5.1.
- This fix also addresses CVE-2010-1323 and CVE-2010-4020.
Appendix - Oracle MySQL****Oracle MySQL Executive Summary
This Critical Patch Update contains 18 new security fixes for Oracle MySQL. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here .
Oracle MySQL Risk Matrix
CVE#
Component
Protocol
Sub- component
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authen- tication
Confiden- tiality
Integrity
Avail- ability
CVE-2015-2617
MySQL Server
MySQL Protocol
Server : Partition
No
6.5
Network
Low
Single
Partial+
Partial+
Partial+
5.6.24 and earlier
CVE-2015-2648
MySQL Server
MySQL Protocol
Server : DML
No
4.0
Network
Low
Single
None
None
Partial+
5.5.43 and earlier, 5.6.24 and earlier
CVE-2015-2611
MySQL Server
MySQL Protocol
Server : DML
No
4.0
Network
Low
Single
None
None
Partial+
5.6.24 and earlier
CVE-2015-2582
MySQL Server
MySQL Protocol
Server : GIS
No
4.0
Network
Low
Single
None
None
Partial+
5.5.43 and earlier, 5.6.24 and earlier
CVE-2015-4752
MySQL Server
MySQL Protocol
Server : I_S
No
4.0
Network
Low
Single
None
None
Partial+
5.5.43 and earlier, 5.6.24 and earlier
CVE-2015-4756
MySQL Server
MySQL Protocol
Server : InnoDB
No
4.0
Network
Low
Single
None
None
Partial+
5.6.22 and earlier
CVE-2015-2643
MySQL Server
MySQL Protocol
Server : Optimizer
No
4.0
Network
Low
Single
None
None
Partial+
5.5.43 and earlier, 5.6.24 and earlier
CVE-2015-4772
MySQL Server
MySQL Protocol
Server : Partition
No
4.0
Network
Low
Single
None
None
Partial+
5.6.24 and earlier
CVE-2015-4761
MySQL Server
MySQL Protocol
Server : Memcached
No
3.5
Network
Medium
Single
None
None
Partial+
5.6.24 and earlier
CVE-2015-4757
MySQL Server
MySQL Protocol
Server : Optimizer
No
3.5
Network
Medium
Single
None
None
Partial+
5.5.42 and earlier, 5.6.23 and earlier
CVE-2015-4737
MySQL Server
MySQL Protocol
Server : Pluggable Auth
No
3.5
Network
Medium
Single
Partial
None
None
5.5.43 and earlier, 5.6.23 and earlier
CVE-2015-4771
MySQL Server
MySQL Protocol
Server : RBR
No
3.5
Network
Medium
Single
None
None
Partial+
5.6.24 and earlier
CVE-2015-4769
MySQL Server
MySQL Protocol
Server : Security : Firewall
No
3.5
Network
Medium
Single
None
None
Partial+
5.6.24 and earlier
CVE-2015-2639
MySQL Server
MySQL Protocol
Server : Security : Firewall
No
3.5
Network
Medium
Single
None
Partial
None
5.6.24 and earlier
CVE-2015-2620
MySQL Server
MySQL Protocol
Server : Security : Privileges
No
3.5
Network
Medium
Single
Partial
None
None
5.5.43 and earlier, 5.6.23 and earlier
CVE-2015-2641
MySQL Server
MySQL Protocol
Server : Security : Privileges
No
3.5
Network
Medium
Single
None
None
Partial+
5.6.24 and earlier
CVE-2015-2661
MySQL Server
None
Client
No
2.1
Local
Low
None
None
None
Partial
5.6.24 and earlier
CVE-2015-4767
MySQL Server
MySQL Protocol
Server : Security : Firewall
No
1.7
Network
High
Multiple
None
None
Partial+
5.6.24 and earlier
Appendix - Oracle Berkeley DB****Oracle Berkeley DB Executive Summary
This Critical Patch Update contains 25 new security fixes for Oracle Berkeley DB. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Berkeley DB Risk Matrix
CVE#
Component
Protocol
Sub- component
Remote Exploit without Auth.?
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base Score
Access Vector
Access Complexity
Authen- tication
Confiden- tiality
Integrity
Avail- ability
CVE-2015-2583
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-2626
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-2640
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-2654
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-2656
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4754
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-2624
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4784
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4787
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4789
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4785
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4786
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4783
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4764
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4780
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4790
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4776
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4775
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4778
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4777
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4782
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4781
Data Store
None
None
No
6.9
Local
Medium
None
Complete
Complete
Complete
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4788
Data Store
None
None
No
3.3
Local
Medium
None
None
Partial+
Partial
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4774
Data Store
None
None
No
3.3
Local
Medium
None
None
Partial+
Partial
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
CVE-2015-4779
Data Store
None
None
No
3.3
Local
Medium
None
None
Partial+
Partial
11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
Why Oracle
- Analyst Reports
- Gartner MQ for Cloud ERP
- Cloud Economics
- Corporate Responsibility
- Diversity and Inclusion
- Security Practices
Learn
- What is cloud computing?
- What is CRM?
- What is Docker?
- What is Kubernetes?
- What is Python?
- What is SaaS?
What’s New
Oracle Supports Ukraine
Oracle CloudWorld
Oracle and Premier League
Oracle Red Bull Racing
Employee Experience Platform
Oracle Support Rewards
© 2022 Oracle
Site Map
Privacy/Do Not Sell My Info
Ad Choices
Careers
Facebook
Twitter
LinkedIn
YouTube
Related news
An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.
Dell EMC Metro node, Version(s) prior to 7.1, contain a Code Injection Vulnerability. An authenticated nonprivileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
Fossil 2.18 on Windows allows attackers to cause a denial of service (daemon crash) via an XSS payload in a ticket. This occurs because the ticket data is stored in a temporary file, and the product does not properly handle the absence of this file after Windows Defender has flagged it as malware.
libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201.
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
Nexans FTTO GigaSwitch industrial/office switches HW version 5 suffer from having a hardcoded backdoor user and multiple outdated vulnerable software components.
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption.
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158332.
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/A...
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.
spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated.
Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML.
Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to GIS.
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL.
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.
Unspecified vulnerability in Oracle MySQL Server 5.5.x through 5.5.32 and 5.6.x through 5.6.12 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Replication.
Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.