Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2015-2590: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.

CVE
#sql#vulnerability#web#mac#windows#apple#google#microsoft#linux#red_hat#apache#memcached#js#java#oracle#kubernetes#intel#ldap#auth#zero_day#docker#wifi#ssl
  • Click to view our Accessibility Policy

  • Skip to content

  • Security Alerts

Oracle Critical Patch Update Advisory - July 2015****Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to: Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 193 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.

Please note that on May 15, 2015, Oracle released Security Alert for CVE-2015-3456 (QEMU “Venom”) .Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2015-3456.

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available at: https://www.oracle.com/security-alerts/cpufaq.html#CVRF.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions

Patch Availability

Application Express, version(s) prior to 5.0

Database

Oracle Database Server, version(s) 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2

Database

Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9

Fusion Applications

Oracle Fusion Middleware, version(s) 10.3.6.0, 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 12.1.1, 12.1.2, 12.1.3

Fusion Middleware

Oracle Access Manager, version(s) 11.1.1.7, 11.1.2.2

Fusion Middleware

Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7, 11.1.1.9

Fusion Middleware

Oracle Business Intelligence Enterprise Edition, Mobile App version(s) prior to 11.1.1.7.0 (11.6.39)

Fusion Middleware

Oracle Data Integrator, version(s) 11.1.1.3.0

Fusion Middleware

Oracle Directory Server Enterprise Edition, version(s) 7.0, 11.1.1.7

Fusion Middleware

Oracle Endeca Information Discovery Studio, version(s) 2.2.2, 2.3, 2.4, 3.0, 3.1

Fusion Middleware

Oracle Event Processing, version(s) 11.1.1.7, 12.1.3.0

Fusion Middleware

Oracle Exalogic Infrastructure, version(s) 2.0.6.2

Fusion Middleware

Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2

Fusion Middleware

Oracle iPlanet Web Proxy Server, version(s) 4.0

Fusion Middleware

Oracle iPlanet Web Server, version(s) 6.1, 7.0

Fusion Middleware

Oracle JDeveloper, version(s) 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0, 12.1.3.0.0

Fusion Middleware

Oracle OpenSSO, version(s) 3.0-05

Fusion Middleware

Oracle Traffic Director, version(s) 11.1.1.7.0

Fusion Middleware

Oracle Tuxedo, version(s) SALT 10.3, SALT 11.1.1.2.2, Tuxedo 12.1.1.0

Fusion Middleware

Oracle Web Cache, version(s) 11.1.1.7.0

Fusion Middleware

Oracle WebCenter Portal, version(s) 11.1.1.8.0, 11.1.1.9.0

Fusion Middleware

Oracle WebCenter Sites, version(s) 11.1.1.6.1 Community, 11.1.1.8.0 Community, 12.2.1.0

Fusion Middleware

Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0

Fusion Middleware

Hyperion Common Security, version(s) 11.1.2.2, 11.1.2.3, 11.1.2.4

Fusion Middleware

Hyperion Enterprise Performance Management Architect, version(s) 11.1.2.2, 11.1.2.3

Fusion Middleware

Hyperion Essbase, version(s) 11.1.2.2, 11.1.2.3

Fusion Middleware

Enterprise Manager Base Platform, version(s) 11.1.0.1

Enterprise Manager

Enterprise Manager for Oracle Database, version(s) 11.1.0.7, 11.2.0.3, 11.2.0.4

Enterprise Manager

Enterprise Manager Plugin for Oracle Database, version(s) 12.1.0.5, 12.1.0.6, 12.1.0.7

Enterprise Manager

Oracle E-Business Suite, version(s) 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4

E-Business Suite

Oracle Agile PLM, version(s) 9.3.4

Oracle Supply Chain Products

Oracle Agile PLM Framework, version(s) 9.3.3

Oracle Supply Chain Products

Oracle Agile Product Lifecycle Management for Process, version(s) 6.0.0.7, 6.1.0.3, 6.1.1.5, 6.2.0.0

Oracle Supply Chain Products

Oracle Transportation Management, version(s) 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7

Oracle Supply Chain Products

PeopleSoft Enterprise HCM Candidate Gateway, version(s) 9.1, 9.2

PeopleSoft

PeopleSoft Enterprise HCM Talent Acquisition Manager, version(s) 9.1, 9.2

PeopleSoft

PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54

PeopleSoft

PeopleSoft Enteprise Portal - Interaction Hub, version(s) 9.1.00

PeopleSoft

Siebel Apps - E-Billing, version(s) 6.1, 6.1.1, 6.2

Siebel

Siebel Core - Server OM Svcs, version(s) 8.1.1, 8.2.2, 15.0

Siebel

Siebel UI Framework, version(s) 8.1.1, 8.2.2, 15.0

Siebel

Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 3.0.2, 3.1.1, 3.1.2, 11.0, 11.1

Oracle Commerce

Oracle Communications Messaging Server, version(s) 7.0

Communications

Oracle Communications Session Border Controller, version(s) prior to 7.2.0m4

Communications

Oracle Java FX, version(s) 2.2.80

Oracle Java SE

Oracle Java SE, version(s) 6u95, 7u80, 8u45

Oracle Java SE

Oracle Java SE Embedded, version(s) 7u75, 8u33

Oracle Java SE

Oracle JRockit, version(s) R28.3.6

Oracle Java SE

Fujitsu M10-1, M10-4, M10-4S Servers, version(s) XCP prior to XCP 2260

Oracle and Sun Systems Products Suite

Integrated Lights Out Manager (ILOM), Sun System Firmware version(s) prior to 8.7.2.b, 9.4.2e

Oracle and Sun Systems Products Suite

Oracle Ethernet Switch ES2-72, Oracle Ethernet Switch ES2-64, version(s) prior to 1.9.1.2

Oracle and Sun Systems Products Suite

Oracle Switch ES1-24, version(s) prior to 1.3.1

Oracle and Sun Systems Products Suite

Oracle VM Server for SPARC, version(s) 3.2

Oracle and Sun Systems Products Suite

SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) XCP prior to XCP 1120

Oracle and Sun Systems Products Suite

Solaris, version(s) 10, 11.2

Oracle and Sun Systems Products Suite

Solaris Cluster, version(s) 3.3, 4.2

Oracle and Sun Systems Products Suite

Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) prior to 1.2.2

Oracle and Sun Systems Products Suite

Sun Network 10GE Switch 72p, version(s) prior to 1.2.2

Oracle and Sun Systems Products Suite

Secure Global Desktop, version(s) 4.63, 4.71, 5.1, 5.2

Oracle Linux and Virtualization

Sun Ray Software, version(s) prior to 5.4.4

Oracle Linux and Virtualization

Oracle VM VirtualBox, version(s) prior to 4.0.32, 4.1.40, 4.2.32, 4.3.30

Oracle Linux and Virtualization

MySQL Server, version(s) 5.5.43 and earlier, 5.6.24 and earlier

Oracle MySQL Product Suite

Oracle Berkeley DB, version(s) 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

Berkeley DB

Patch Availability Table and Risk Matrices****Patch Availability Table

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update July 2015 Documentation Map, My Oracle Support Note 1999242.1.

Product Group

Risk Matrix

Patch Availability and Installation Information

Oracle Database

Oracle Database Risk Matrix

Patch Set Update and Critical Patch Update July 2015 Availability Document, My Oracle Support Note 2005667.1

Oracle Fusion Middleware

Oracle Fusion Middleware Risk Matrix

Patch Set Update and Critical Patch Update July 2015 Availability Document, My Oracle Support Note 2005667.1

Oracle Fusion Applications

Oracle Database Risk Matrix and Oracle Fusion Middleware Risk Matrix

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document (July 2015) My Oracle Support Note 2019778.1 for information on patches to be applied to Fusion Application environments.

Oracle Hyperion

Oracle Hyperion

Patch Set Update and Critical Patch Update July 2015 Availability Document, My Oracle Support Note 2005667.1

Oracle Enterprise Manager

Oracle Enterprise Manage Risk Matrix

Patch Set Update and Critical Patch Update July 2015 Availability Document, My Oracle Support Note 2005667.1

Oracle Applications - E-Business Suite

Oracle E-Business Suite Risk Matrix

Patch Set Update and Critical Patch Update July 2015 Availability Document, My Oracle Support Note 2013117.1

Oracle Applications - Oracle Supply Chain, PeopleSoft Enterprise, and Siebel

Oracle Supply Chain Risk Matrix Oracle PeopleSoft Enterprise Risk Matrix Oracle Siebel Risk Matrix

Critical Patch Update Knowledge Document for Oracle Supply Chain, PeopleSoft Enterprise, and Siebel Product Suite, My Oracle Support Note 2024178.1

Oracle Commerce Platform

Oracle Commerce Platform Risk Matrix

Critical Patch Update July 2015 Patch Availability Document for Oracle Commerce Guided Search / Oracle Commerce Experience Manager, My Oracle Support Note 2030072.1

Oracle Industry Applications - Oracle Communications Applications

Oracle Communications Applications Risk Matrix

  • Critical Patch Update July 2015 Patch Availability Document for Oracle Communications Messaging Server, My Oracle Support Note 2024564.1
  • Critical Patch Update July 2015 Patch Availability Document for Oracle Communications Session Border Controller, My Oracle Support Note 2030705.1

Oracle Java SE

Oracle SE Risk Matrix

  • Critical Patch Update July 2015 Patch Availability Document for Java SE, My Oracle Support Note 2011937.1
  • Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release
  • The latest JavaFX release is included with the latest update of JDK and JRE 7 and 8

Oracle and Sun Systems Products Suite

Oracle and Sun Systems Products Suite Risk Matrix

Critical Patch Update July 2015 Patch Delivery Document for Oracle and Sun Systems Product Suite, My Oracle Support Note 2018633.1

Oracle Linux and Virtualization Products

Oracle Linux and Virtualization Products Risk Matrix

Critical Patch Update July 2015 Patch Delivery Document for Oracle Linux and Virtualization Products, My Oracle Support Note 1992929.1

Oracle MySQL

Oracle MySQL Risk Matrix

Critical Patch Update July 2015 Patch Availability Document for Oracle MySQL Products, My Oracle Support Note 2024204.1

Oracle Berkeley DB

Oracle Berkeley DB Risk Matrix

Patch Set Update and Critical Patch Update July 2015 Availability Document, My Oracle Support Note 2030291.1

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories . An English text version of the risk matrices provided in this document is available here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update July 2015 Availability Document, My Oracle Support Note 2005667.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy . We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy . Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Adam Willard of Foreground Security; an Anonymous researcher via Beyond Security’s SecuriTeam Secure Disclosure Program; Aniway.Anyway via HP’s Zero Day Initiative; Arezou Hosseinzad-Amirkhizi of TELUS Security Labs; Benjamin Kunz Mejri of Evolution Security; Borked of the Google Security Team; Brooks Li of Trend Micro; CERT/CC; Christiaan Esterhuizen of Trustwave; Christian Schneider; Danny Tsechansky of McAfee Security Research; David Jorm; David Litchfield of Google; Derek Abdine of rapid7.com; Florian Lukavsky of SEC Consult Vulnerability Lab; Florian Weimer of Red Hat; Hanno Böck; Jacob Smith; Juraj Somorovsky of Ruhr-University Bochum; Jörg Schwenk of Ruhr-University Bochum; Karthikeyan Bhargavan; Kyle Lovett; Lionel Debroux; Martin Rakhmanov of Trustwave; Mateusz Jurczyk of Google Project Zero; Microsoft Vulnerability Research of Microsoft Corp; Owais Mohammad Khan formerly of KPMG; Recx Ltd.; Richard Birkett of Worldpay; Richard Harrison of E.ON Business Services GmbH; Roberto Suggi Liverani of NATO Communications and Information Agency; Sandeep Kamble of SecureLayer7; Steven Seeley of HP’s Zero Day Initiative; Tibor Jager of Ruhr-University Bochum; Tudor Enache of Help AG; and Vladimir Wolstencroft.

Security-In-Depth Contributors

Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Alexey Tyurin of ERPScan; Bart Kulach of NN Group N.V.; Chirag Paghadal; David Litchfield of Google; Jeroen Frijters; Mahesh V. Tripunitara of University of Waterloo; Mateusz Jurczyk of Google Project Zero; Pete Finnigan; Puneeth Gowda; Sumit Sahoo (54H00); Thomas Biege of SUSE; and Vishal V. Sonar of Control Case International Pvt Ltd. for contributions to Oracle’s Security-In-Depth program.

On-Line Presence Security Contributors

Oracle provides recognition to people that have contributed to our On-Line Presence Security program (see FAQ). People are recognized for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes Adam Willard of Foreground Security; Ali Salem Saeed (Ali BawazeEer); Elvin Hayes Gentiles; Hamit ABİS; Indrajith AN; Jeremy Dilliplane; Milan A Solanki; Murat Yilmazlar; Peter Freak; Rodolfo Godalle Jr.; Shawar Khan; and Yuhong Bao for contributions to Oracle’s On-Line Presence Security program.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 20 October 2015
  • 19 January 2016
  • 19 April 2016
  • 19 July 2016

References

  • Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
  • Critical Patch Update - July 2015 Documentation Map [ My Oracle Support Note 1999242.1 ]
  • Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
  • Risk Matrix definitions [ Risk Matrix Definitions ]
  • Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
  • English text version of the risk matrices [ Oracle Technology Network ]
  • CVRF XML version of the risk matrices [ Oracle Technology Network ]
  • The Oracle Software Security Assurance Blog [ The Oracle Software Security Assurance Blog ]
  • List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
  • Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]

Modification History

Date

Note

2016-July-07

Rev 5. Correction to Acknowledgements

2015-July-30

Rev 4. Correction to Acknowledgements

2015-July-17

Rev 3. Updated ILOM version

2015-July-15

Rev 2. Added note for CVE-2015-2629

2015-July-14

Rev 1. Initial Release

Appendix - Oracle Database Server****Oracle Database Server Executive Summary

This Critical Patch Update contains 10 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

CVE#

Component

Protocol

Package and/or Privilege Required

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen- tication

Confiden- tiality

Integrity

Avail- ability

CVE-2015-2629

Java VM

Multiple

Create Session

No

9.0

Network

Low

Single

Complete

Complete

Complete

11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2

See Note 1

CVE-2015-2595

Oracle OLAP

Oracle Net

Create Session

No

6.5

Network

Low

Single

Partial+

Partial+

Partial+

12.1.0.1, 12.1.0.2

CVE-2015-0468

Core RDBMS

Oracle Net

Analyze Any or Create Materialized View

No

6.0

Network

Medium

Single

Partial+

Partial+

Partial+

11.1.0.7, 11.2.0.3, 12.1.0.1

CVE-2015-4740

RDBMS Partitioning

Oracle Net

Create Session, Create Any Index, Index object privilege on a Table

No

6.0

Network

Medium

Single

Partial+

Partial+

Partial+

11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2

CVE-2015-2655

Application Express

HTTP

Valid Account

No

5.5

Network

Low

Single

Partial

Partial

None

All versions prior to 4.2.3.00.08

CVE-2015-4755

RDBMS Security

Oracle Net

None

Yes

5.0

Network

Low

None

Partial

None

None

12.1.0.2

CVE-2015-2586

Application Express

HTTP

None

Yes

4.3

Network

Medium

None

None

None

Partial

All releases prior to 4.2.1

CVE-2015-2599

RDBMS Scheduler

Oracle Net

Alter Session

No

4.0

Network

Low

Single

Partial+

None

None

11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2

CVE-2015-2585

Application Express

HTTP

Valid Account

No

2.1

Network

High

Single

None

None

Partial

All versions prior to 5.0

CVE-2015-4753

RDBMS Support Tools

None

None

No

2.1

Local

Low

None

Partial+

None

None

11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2

Notes:

  1. The CVSS score is 9.0 only on Windows for Database versions prior to 12c. The CVSS is 6.5 (Confidentiality, Integrity and Availability is “Partial+”) for Database 12c on Windows and for all versions of Database on Linux, Unix and other platforms.

Appendix - Oracle Fusion Middleware****Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 39 new security fixes for Oracle Fusion Middleware. 36 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the July 2015 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2015 Patch Availability Document for Oracle Products,My Oracle Support Note 2005667.1.

Oracle Fusion Middleware Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen- tication

Confiden- tiality

Integrity

Avail- ability

CVE-2013-2186

Oracle Business Intelligence Enterprise Edition

HTTP

BI Platform Security

Yes

7.5

Network

Low

None

Partial

Partial

Partial

11.1.1.7, 11.1.1.9

CVE-2014-1568

Oracle Directory Server Enterprise Edition

HTTPS

Admin Server

Yes

7.5

Network

Low

None

Partial

Partial

Partial

7.0, 11.1.1.7

CVE-2015-4745

Oracle Endeca Information Discovery Studio

HTTP

Integrator

Yes

7.5

Network

Low

None

Partial

Partial

Partial

2.2.2, 2.3, 2.4, 3.0, 3.1

CVE-2015-2603

Oracle Endeca Information Discovery Studio

HTTP

Integrator

Yes

7.5

Network

Low

None

Partial

Partial

Partial

2.2.2, 2.3, 2.4, 3.0, 3.1

CVE-2015-2602

Oracle Endeca Information Discovery Studio

HTTP

Integrator

Yes

7.5

Network

Low

None

Partial

Partial

Partial

2.2.2, 2.3, 2.4, 3.0, 3.1

CVE-2015-2604

Oracle Endeca Information Discovery Studio

HTTP

Integrator

Yes

7.5

Network

Low

None

Partial

Partial

Partial

2.2.2, 2.3, 2.4, 3.0, 3.1

CVE-2015-2605

Oracle Endeca Information Discovery Studio

HTTP

Integrator

Yes

7.5

Network

Low

None

Partial

Partial

Partial

2.2.2, 2.3, 2.4, 3.0, 3.1

CVE-2015-2606

Oracle Endeca Information Discovery Studio

HTTP

Integrator

Yes

7.5

Network

Low

None

Partial

Partial

Partial

2.2.2, 2.3, 2.4, 3.0, 3.1

CVE-2014-1569

Oracle GlassFish Server

SSL/TLS

Security

Yes

7.5

Network

Low

None

Partial

Partial

Partial

2.1.1

CVE-2014-1568

Oracle OpenSSO

HTTPS

Web Agents

Yes

7.5

Network

Low

None

Partial

Partial

Partial

3.0-05

See Note 1

CVE-2014-1568

Oracle Traffic Director

HTTPS

Security

Yes

7.5

Network

Low

None

Partial

Partial

Partial

11.1.1.7.0

CVE-2014-1569

Oracle iPlanet Web Proxy Server

HTTPS

Security

Yes

7.5

Network

Low

None

Partial

Partial

Partial

4.0

CVE-2014-1569

Oracle iPlanet Web Server

HTTPS

Security

Yes

7.5

Network

Low

None

Partial

Partial

Partial

6.1, 7.0

CVE-2015-2593

Oracle Access Manager

HTTP

Configuration Service

No

7.1

Adjacent Network

Low

Single

Complete

Complete

None

11.1.2.2

CVE-2014-3567

Oracle Tuxedo

HTTPS

Network Encryption

Yes

7.1

Network

Medium

None

None

None

Complete

Tuxedo 12.1.1.0

CVE-2015-0443

Oracle Data Integrator

HTTP

Data Quality based on Trillium

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

11.1.1.3.0

CVE-2015-0444

Oracle Data Integrator

HTTP

Data Quality based on Trillium

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

11.1.1.3.0

CVE-2015-0445

Oracle Data Integrator

HTTP

Data Quality based on Trillium

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

11.1.1.3.0

CVE-2015-0446

Oracle Data Integrator

HTTP

Data Quality based on Trillium

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

11.1.1.3.0

CVE-2015-4759

Oracle Data Integrator

HTTP

Data Quality based on Trillium

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

11.1.1.3.0

CVE-2015-4758

Oracle Data Integrator

HTTP

Data Quality based on Trillium

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

11.1.1.3.0

CVE-2015-2634

Oracle Data Integrator

HTTP

Data Quality based on Trillium

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

11.1.1.3.0

CVE-2015-2635

Oracle Data Integrator

HTTP

Data Quality based on Trillium

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

11.1.1.3.0

CVE-2015-2636

Oracle Data Integrator

HTTP

Data Quality based on Trillium

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

11.1.1.3.0

CVE-2015-4747

Oracle Event Processing

HTTP

CEP system

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

11.1.1.7, 12.1.3.0

CVE-2014-7809

Oracle WebCenter Sites

HTTP

Community

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

11.1.1.6.1 Community, 11.1.1.8.0 Community, 12.2.1.0

CVE-2015-1926

Oracle WebCenter Portal

HTTP

Portlet Services

No

5.5

Network

Low

Single

Partial

Partial

None

11.1.1.8.0, 11.1.1.9.0

See Note 2

CVE-2015-4751

Oracle Access Manager

HTTP

Authentication Engine

Yes

5.0

Network

Low

None

None

None

Partial

11.1.1.7, 11.1.2.2

CVE-2015-0286

Oracle Exalogic Infrastructure

HTTPS

Network Infra Framework

Yes

5.0

Network

Low

None

None

None

Partial

2.0.6.2

See Note 3

CVE-2015-4742

Oracle JDeveloper

HTTP

ADF Faces

Yes

5.0

Network

Low

None

None

None

Partial+

11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0, 12.1.3.0.0

CVE-2014-3571

Oracle Tuxedo

HTTPS

Network Encryption

Yes

5.0

Network

Low

None

None

None

Partial

Tuxedo 12.1.1.0

CVE-2015-0286

Oracle Tuxedo

HTTPS

Network Encryption

Yes

5.0

Network

Low

None

None

None

Partial

Tuxedo 12.1.1.0

CVE-2015-2658

Web Cache

HTTPS

SSL/TLS Support

Yes

5.0

Network

Low

None

Partial

None

None

11.1.1.7.0

CVE-2015-2623

Oracle GlassFish Server

HTTP

Java Server Faces

Yes

4.3

Network

Medium

None

None

Partial

None

3.0.1, 3.1.2

CVE-2014-3566

Oracle Tuxedo

HTTPS

Network Encryption

Yes

4.3

Network

Medium

None

Partial

None

None

SALT 10.3, SALT 11.1.1.2.2

CVE-2015-2623

Oracle WebLogic Server

HTTP

Java Server Faces

Yes

4.3

Network

Medium

None

None

Partial

None

10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0

CVE-2015-2598

Oracle Business Intelligence Enterprise Edition

HTTP

Mobile - iPad

No

3.5

Network

Medium

Single

None

Partial

None

All versions prior to mobile app 11.1.1.7.0 (11.6.39)

CVE-2015-4744

Oracle GlassFish Server

HTTP

Java Server Faces

Yes

2.6

Network

High

None

None

Partial

None

2.1.1, 3.0.1, 3.1.2

CVE-2015-4744

Oracle WebLogic Server

HTTP

Web Container

Yes

2.6

Network

High

None

None

Partial

None

10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0

Notes:

  1. This fix also addresses CVE-2014-1569.
  2. Please refer to My Oracle Support Note 2029169.1 for instructions on how to address this issue.This fix also addresses CVE-2015-3244.
  3. The fix also addresses CVE-2015-0204,CVE-2015-0288,CVE-2015-0291,CVE-2015-0289,CVE-2015-0287,CVE-2015-0285,CVE-2015-0209,CVE-2015-0290,CVE-2015-0208,CVE-2015-0207,CVE-2015-0293,CVE-2015-0292 and CVE-2015-1787.

Appendix - Oracle Hyperion****Oracle Hyperion Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Hyperion. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here .

Oracle Hyperion Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen- tication

Confiden- tiality

Integrity

Avail- ability

CVE-2012-0036

Hyperion Essbase

HTTP

Infrastructure

Yes

7.5

Network

Low

None

Partial

Partial

Partial

11.1.2.2, 11.1.2.3

See Note 1

CVE-2015-4773

Hyperion Common Security

HTTP

User Account Update

No

4.0

Network

Low

Single

None

None

Partial

11.1.2.2, 11.1.2.3, 11.1.2.4

CVE-2015-2584

Hyperion Enterprise Performance Management Architect

HTTP

Security

No

4.0

Network

Low

Single

None

Partial

None

11.1.2.2, 11.1.2.3

CVE-2015-2592

Hyperion Enterprise Performance Management Architect

HTTP

Security

No

3.5

Network

Medium

Single

None

Partial

None

11.1.2.2, 11.1.2.3

Notes:

  1. This fix also addresses CVE-2011-3389, CVE-2013-0249, CVE-2013-2174, CVE-2013-4545, CVE-2013-6422, CVE-2014-0015, CVE-2014-0138, CVE-2014-0139, CVE-2014-3613, CVE-2014-3707 .

Appendix - Oracle Enterprise Manager Grid Control****Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle Enterprise Manager Grid Control. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2015 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2015 Patch Availability Document for Oracle Products, My Oracle Support Note 2005667.1.

Oracle Enterprise Manager Grid Control Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen- tication

Confiden- tiality

Integrity

Avail- ability

CVE-2015-2647

Enterprise Manager for Oracle Database

HTTP

Content Management

No

5.5

Network

Low

Single

Partial+

Partial+

None

EM Base Platform: 11.1.0.1; EM Plugin for DB: 12.1.0.5, 12.1.0.6, 12.1.0.7; EM DB Control: 11.1.0.7, 11.2.0.3, 11.2.0.4

CVE-2015-4735

Enterprise Manager for Oracle Database

HTTP

RAC Management

Yes

5.0

Network

Low

None

Partial

None

None

EM Base Platform: 11.1.0.1; EM DB Control: 11.2.0.3, 11.2.0.4

CVE-2015-2646

Enterprise Manager for Oracle Database

HTTP

Content Management

Yes

4.3

Network

Medium

None

None

Partial

None

EM Base Platform: 11.1.0.1; EM Plugin for DB: 12.1.0.5, 12.1.0.6, 12.1.0.7; EM DB Control: 11.1.0.7, 11.2.0.3, 11.2.0.4

Appendix - Oracle Applications****Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 13 new security fixes for the Oracle E-Business Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2015 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (July 2015), My Oracle Support Note 2013117.1.

Oracle E-Business Suite Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen- tication

Confiden- tiality

Integrity

Avail- ability

CVE-2015-2615

Oracle Applications Framework

HTTP

Portal

Yes

5.0

Network

Low

None

Partial

None

None

12.0.6, 12.1.3, 12.2.3

CVE-2014-3571

Oracle HTTP Server

HTTPS

OpenSSL

Yes

5.0

Network

Low

None

None

None

Partial

11.5.10.2

CVE-2015-2652

Oracle Marketing

HTTP

Web Management

Yes

5.0

Network

Low

None

None

Partial

None

11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4

CVE-2015-2610

Oracle Applications Framework

HTTP

Popup windows

Yes

4.3

Network

Medium

None

None

Partial

None

12.0.6, 12.1.3, 12.2.3, 12.2.4

CVE-2015-2630

Technology stack

HTTP

Applet startup

Yes

4.3

Network

Medium

None

None

Partial

None

11.5.10.2, 12.0.6, 12.1.3

CVE-2015-4743

Oracle Applications DBA

HTTP

AD Utilities

No

4.0

Network

Low

Single

Partial

None

None

12.2.3

CVE-2015-1926

Oracle Applications Framework

HTTP

Portal

No

4.0

Network

Low

Single

Partial

None

None

12.2.3, 12.2.4

CVE-2015-4728

Oracle Sourcing

HTTP

Bid/Quote creation

No

4.0

Network

Low

Single

Partial

None

None

12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4

CVE-2015-4739

Oracle Application Object Library

HTTP

Help screens

No

3.5

Network

Medium

Single

None

Partial

None

11.5.10.2

CVE-2015-4741

Oracle Applications Framework

HTTP

Dialog popup

No

3.5

Network

Medium

Single

None

Partial

None

12.2.4

CVE-2015-4765

Oracle Applications Manager

HTTP

OAM Dashboard

No

3.5

Network

Medium

Single

None

Partial

None

12.1.3, 12.2.3, 12.2.4

CVE-2015-2645

Oracle Web Applications Desktop Integrator

HTTP

Create document

No

3.5

Network

Medium

Single

None

Partial

None

11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4

CVE-2015-2618

Oracle Application Object Library

HTTP

Input validation

No

2.1

Network

High

Single

None

Partial

None

11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 7 new security fixes for the Oracle Supply Chain Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here .

Oracle Supply Chain Products Suite Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen- tication

Confiden- tiality

Integrity

Avail- ability

CVE-2015-2663

Oracle Transportation Management

HTTPS

Business Process Automation

No

7.5

Network

Low

Single

Complete

Partial+

None

6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7

CVE-2015-2644

Oracle Agile PLM Framework

HTTPS

Security

Yes

4.3

Network

Medium

None

Partial

None

None

9.3.3

CVE-2015-4746

Oracle Agile Product Lifecycle Management for Process

HTTPS

Global Spec Management

No

4.0

Network

Low

Single

Partial

None

None

6.0.0.7, 6.1.0.3, 6.1.1.5, 6.2.0.0

CVE-2015-4768

Oracle Transportation Management

HTTP

Diagnostics

No

4.0

Network

Low

Single

Partial

None

None

6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7

CVE-2015-2657

Oracle Transportation Management

HTTPS

Business Process Automation

No

4.0

Network

Low

Single

Partial

None

None

6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7

CVE-2015-2660

Oracle Agile PLM

HTTPS

Oracle Agile PLM Framework

No

3.6

Network

High

Single

Partial

Partial

None

9.3.4

CVE-2015-4763

Oracle Agile PLM

HTTPS

Security

No

3.6

Network

High

Single

Partial

Partial

None

9.3.4

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle PeopleSoft Products. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here .

Oracle PeopleSoft Products Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen- tication

Confiden- tiality

Integrity

Avail- ability

CVE-2015-3456

PeopleSoft Enterprise PT PeopleTools

None

PeopleSoft-VM

No

7.7

Adjacent Network

Low

Single

Complete

Complete

Complete

8.53, 8.54

CVE-2015-0286

PeopleSoft Enterprise PeopleTools

HTTPS

Security

Yes

5.0

Network

Low

None

None

None

Partial

8.53, 8.54

CVE-2015-0467

PeopleSoft Enterprise HCM Talent Acquisition Manager

HTTPS

Security

Yes

4.3

Network

Medium

None

None

Partial

None

9.1, 9.2

CVE-2015-2588

PeopleSoft Enterprise PeopleTools

HTTP

PIA Core Technology

Yes

4.3

Network

Medium

None

None

Partial

None

8.53, 8.54

CVE-2015-2622

PeopleSoft Enterprise PeopleTools

HTTPS

Fluid Core

Yes

4.3

Network

Medium

None

None

Partial

None

8.54

CVE-2015-2591

PeopleSoft Enteprise Portal - Interaction Hub

HTTPS

Enterprise Portal

No

4.0

Network

Low

Single

None

Partial

None

9.1.00

CVE-2015-4738

PeopleSoft Enterprise HCM Candidate Gateway

HTTPS

Security

No

4.0

Network

Low

Single

Partial

None

None

9.1, 9.2

CVE-2015-2650

PeopleSoft Enterprise PeopleTools

HTTPS

Multichannel Framework

No

4.0

Network

Low

Single

Partial

None

None

8.53, 8.54

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 5 new security fixes for Oracle Siebel CRM. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen- tication

Confiden- tiality

Integrity

Avail- ability

CVE-2013-2251

Siebel Apps - E-Billing

HTTPS

Security

Yes

9.3

Network

Medium

None

Complete

Complete

Complete

6.1, 6.1.1, 6.2

CVE-2015-2612

Siebel Core - Server OM Svcs

HTTPS

LDAP Security Adapter

Yes

4.3

Network

Medium

None

Partial

None

None

8.1.1, 8.2.2, 15.0

CVE-2015-2587

Siebel UI Framework

HTTPS

SWSE Server Infrastructure

Yes

4.3

Network

Medium

None

None

Partial

None

8.1.1, 8.2.2, 15.0

CVE-2015-2600

Siebel Core - Server OM Svcs

HTTPS

Security

No

3.5

Network

Medium

Single

Partial

None

None

8.1.1, 8.2.2, 15.0

CVE-2015-2649

Siebel UI Framework

HTTPS

UIF Open UI

No

3.5

Network

Medium

Single

Partial

None

None

8.1.1, 8.22, 15.0

Oracle Commerce Platform Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Commerce Platform. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Commerce Platform Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen- tication

Confiden- tiality

Integrity

Avail- ability

CVE-2015-2653

Oracle Commerce Guided Search / Oracle Commerce Experience Manager

HTTP

Content Acquisition System

Yes

6.4

Network

Low

None

Partial

Partial

None

3.1.1, 3.1.2, 11.0, 11.1

CVE-2015-2607

Oracle Commerce Guided Search / Oracle Commerce Experience Manager

HTTP

Content Acquisition System

Yes

5.0

Network

Low

None

Partial

None

None

3.0.2, 3.1.1, 3.1.2, 11.0, 11.1

Appendix - Oracle Industry Applications****Oracle Communications Applications Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Communications Applications. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen- tication

Confiden- tiality

Integrity

Avail- ability

CVE-2015-0235

Oracle Communications Session Border Controller

Multiple

Glibc

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Versions prior to 7.2.0m4

CVE-2014-1569

Oracle Communications Messaging Server

SSL/TLS

Security

Yes

7.5

Network

Low

None

Partial

Partial

Partial

7.0

Appendix - Oracle Java SE****Oracle Java SE Executive Summary

This Critical Patch Update contains 25 new security fixes for Oracle Java SE. 23 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Partial” instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.

Oracle Java SE Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen- tication

Confiden- tiality

Integrity

Avail- ability

CVE-2015-4760

Java SE

Multiple

2D

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Java SE 6u95, Java SE 7u80, Java SE 8u45

See Note 1

CVE-2015-2628

Java SE, Java SE Embedded

Multiple

CORBA

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Java SE 6u95, Java SE 7u80, Java SE 8u45, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 1

CVE-2015-4731

Java SE, Java SE Embedded

Multiple

JMX

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Java SE 6u95, Java SE 7u80, Java SE 8u45, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 1

CVE-2015-2590

Java SE, Java SE Embedded

Multiple

Libraries

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Java SE 6u95, Java SE 7u80, Java SE 8u45, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 1

CVE-2015-4732

Java SE, Java SE Embedded

Multiple

Libraries

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Java SE 6u95, Java SE 7u80, Java SE 8u45, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 1

CVE-2015-4733

Java SE, Java SE Embedded

Multiple

RMI

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Java SE 6u95, Java SE 7u80, Java SE 8u45, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 1

CVE-2015-2638

Java SE, JavaFX, Java SE Embedded

Multiple

2D

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Java SE 6u95, Java SE 7u80, Java SE 8u45, JavaFX 2.2.80, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 1

CVE-2015-4736

Java SE

Multiple

Deployment

Yes

9.3

Network

Medium

None

Complete

Complete

Complete

Java SE 7u80, Java SE 8u45

See Note 1

CVE-2015-4748

Java SE, JRockit, Java SE Embedded

OCSP

Security

Yes

7.6

Network

High

None

Complete

Complete

Complete

Java SE 6u95, Java SE 7u80, Java SE 8u45, JRockit R28.3.6, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 2

CVE-2015-2597

Java SE

None

Install

No

7.2

Local

Low

None

Complete

Complete

Complete

Java SE 7u80, Java SE 8u45

See Note 3

CVE-2015-2664

Java SE

None

Deployment

No

6.9

Local

Medium

None

Complete

Complete

Complete

Java SE 6u95, Java SE 7u80, Java SE 8u45

See Note 1

CVE-2015-2632

Java SE

Multiple

2D

Yes

5.0

Network

Low

None

Partial

None

None

Java SE 6u95, Java SE 7u80, Java SE 8u45

See Note 1

CVE-2015-2601

Java SE, JRockit, Java SE Embedded

Multiple

JCE

Yes

5.0

Network

Low

None

Partial

None

None

Java SE 6u95, Java SE 7u80, Java SE 8u45, JRockit R28.3.6, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 2

CVE-2015-2613

Java SE, Java SE Embedded

Multiple

JCE

Yes

5.0

Network

Low

None

Partial

None

None

Java SE 7u80, Java SE 8u45, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 2

CVE-2015-2621

Java SE, Java SE Embedded

Multiple

JMX

Yes

5.0

Network

Low

None

Partial

None

None

Java SE 6u95, Java SE 7u80, Java SE 8u45, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 1

CVE-2015-2659

Java SE, Java SE Embedded

Multiple

Security

Yes

5.0

Network

Low

None

None

None

Partial

Java SE 8u45, Java SE Embedded 8u33

See Note 2

CVE-2015-2619

Java SE, JavaFX, Java SE Embedded

Multiple

2D

Yes

5.0

Network

Low

None

Partial

None

None

Java SE 7u80, Java SE 8u45, JavaFX 2.2.80, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 1

CVE-2015-2637

Java SE, JavaFX, Java SE Embedded

Multiple

2D

Yes

5.0

Network

Low

None

Partial

None

None

Java SE 6u95, Java SE 7u80, Java SE 8u45, JavaFX 2.2.80, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 1

CVE-2015-2596

Java SE

Multiple

Hotspot

Yes

4.3

Network

Medium

None

None

Partial

None

Java SE 7u80

See Note 1

CVE-2015-4749

Java SE, JRockit, Java SE Embedded

Multiple

JNDI

Yes

4.3

Network

Medium

None

None

None

Partial

Java SE 6u95, Java SE 7u80, Java SE 8u45, JRockit R28.3.6, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 2

CVE-2015-4729

Java SE

Multiple

Deployment

Yes

4.0

Network

High

None

Partial

Partial

None

Java SE 7u80, Java SE 8u45

See Note 1

CVE-2015-4000

Java SE, JRockit, Java SE Embedded

SSL/TLS

JSSE

Yes

4.0

Network

High

None

Partial

Partial

None

Java SE 6u95, Java SE 7u80, Java SE 8u45, JRockit R28.3.6, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 4

CVE-2015-2808

Java SE, JRockit, Java SE Embedded

SSL/TLS

JSSE

Yes

4.0

Network

High

None

Partial

Partial

None

Java SE 6u95, Java SE 7u80, Java SE 8u45, JRockit R28.3.6, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 4

CVE-2015-2627

Java SE

Multiple

Install

Yes

2.6

Network

High

None

Partial

None

None

Java SE 6u95, Java SE 7u80, Java SE 8u45

See Note 5

CVE-2015-2625

Java SE, JRockit, Java SE Embedded

SSL/TLS

JSSE

Yes

2.6

Network

High

None

Partial

None

None

Java SE 6u95, Java SE 7u80, Java SE 8u45, JRockit R28.3.6, Java SE Embedded 7u75, Java SE Embedded 8u33

See Note 4

Notes:

  1. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
  2. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
  3. Applies to Mac OS X only.
  4. Applies to client and server deployment of JSSE.
  5. Applies to installation process on client deployment of Java.

Appendix - Oracle Sun Systems Products Suite****Oracle Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 21 new security fixes for the Oracle Sun Systems Products Suite. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Sun Systems Products Suite Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen- tication

Confiden- tiality

Integrity

Avail- ability

CVE-2015-0235

Integrated Lights Out Manager (ILOM)

Multiple

Glibc

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Sun System Firmware prior to 8.7.2.b, 9.4.2e

CVE-2015-0235

Oracle Ethernet Switch ES2-72, Oracle Ethernet Switch ES2-64

Multiple

Glibc

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Versions prior to 1.9.1.2

CVE-2015-0235

Oracle Switch ES1-24

Multiple

Glibc

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Versions prior to 1.3.1

CVE-2015-0235

Sun Blade 6000 Ethernet Switched NEM 24P 10GE

Multiple

Glibc

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Versions prior to 1.2.2

CVE-2015-0235

Sun Network 10GE Switch 72p

Multiple

Glibc

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Versions prior to 1.2.2

CVE-2015-0235

Fujitsu M10-1, M10-4, M10-4S Servers

None

XCP Firmware

No

7.2

Local

Low

None

Complete

Complete

Complete

XCP prior to XCP 2260

CVE-2015-0235

SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers

None

XCP Firmware

No

7.2

Local

Low

None

Complete

Complete

Complete

XCP prior to XCP 1120

CVE-2015-2631

Solaris

None

rmformat Utility

No

7.2

Local

Low

None

Complete

Complete

Complete

10, 11.2

CVE-2014-3571

Fujitsu M10-1, M10-4, M10-4S Servers

SSL/TLS

OpenSSL

Yes

5.0

Network

Low

None

None

None

Partial

XCP prior to XCP 2260

See Note 1

CVE-2014-3571

Integrated Lights Out Manager (ILOM)

SSL/TLS

OpenSSL

Yes

5.0

Network

Low

None

None

None

Partial

Sun System Firmware prior to 8.7.2.b, 9.4.2e

See Note 2

CVE-2015-4750

Oracle VM Server for SPARC

Multiple

LDOM Manager

Yes

5.0

Network

Low

None

None

None

Partial

3.2

CVE-2013-5704

SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers

HTTP

Apache HTTP Server

Yes

5.0

Network

Low

None

None

Partial

None

XCP prior to XCP 1120

CVE-2014-3570

SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers

SSL/TLS

OpenSSL

Yes

5.0

Network

Low

None

Partial

None

None

XCP prior to XCP 1120

See Note 3

CVE-2015-2609

Solaris

None

CPU performance counters drivers

No

4.9

Local

Low

None

None

None

Complete

11.2

CVE-2015-2614

Solaris

None

NVM Express SSD driver

No

4.9

Local

Low

None

None

None

Complete

11.2

CVE-2015-2589

Solaris

None

S10 Branded Zone

No

4.9

Local

Low

None

None

None

Complete

10, 11.2

CVE-2015-4770

Solaris

None

UNIX filesystem

No

4.9

Local

Low

None

None

None

Complete

10, 11.2

CVE-2015-2616

Solaris Cluster

None

DevFS

No

4.9

Local

Low

None

None

None

Complete

3.3, 4.2

CVE-2015-2651

Solaris

None

Kernel Zones virtualized NIC driver

No

3.8

Local

High

Single

None

None

Complete

11.2

CVE-2015-2662

Solaris

None

DHCP Server

No

1.9

Local

Medium

None

None

None

Partial

10, 11.2

CVE-2015-2580

Solaris

None

NFSv4

No

1.9

Local

Medium

None

None

None

Partial+

10, 11.2

Notes:

  1. This fix also addresses CVE-2014-3570, CVE-2014-3572, CVE-2014-8275 and CVE-2015-0204.
  2. This fix also addresses CVE-2015-0206, CVE-2015-0205, CVE-2015-0204, CVE-2014-8275, CVE-2014-3572, CVE-2014-3570 and CVE-2014-3569.
  3. This fix also addresses CVE-2014-3572, CVE-2014-8275 and CVE-2015-0204.

Appendix - Oracle Linux and Virtualization****Oracle Virtualization Executive Summary

This Critical Patch Update contains 11 new security fixes for Oracle Virtualization. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen- tication

Confiden- tiality

Integrity

Avail- ability

CVE-2014-0230

Oracle Secure Global Desktop

HTTP

Apache Tomcat

Yes

7.8

Network

Low

None

None

None

Complete

4.63, 4.71, 5.1

CVE-2015-4727

Sun Ray Software

HTTP

Web Console

Yes

7.5

Network

Low

None

Partial

Partial

Partial

Sun Ray Software prior to 5.4.4

CVE-2015-1803

Oracle Secure Global Desktop

None

LibXFont

No

6.8

Local

Low

Single

Complete

Complete

Complete

4.63, 4.71, 5.1, 5.2

See Note 1

CVE-2015-2594

Oracle VM VirtualBox

None

Core

No

6.6

Local

Medium

Single

Complete

Complete

Complete

VirtualBox prior to 4.0.32, 4.1.40, 4.2.32, 4.3.30

See Note 2

CVE-2014-8102

Oracle Secure Global Desktop

X11

X Server

No

6.5

Network

Low

Single

Partial

Partial

Partial

4.63, 4.71, 5.1, 5.2

See Note 3

CVE-2014-0227

Oracle Secure Global Desktop

HTTP

Apache Tomcat

Yes

6.4

Network

Low

None

None

Partial

Partial

4.63, 4.71, 5.1

CVE-2015-2581

Oracle Secure Global Desktop

HTTP

JServer

Yes

6.4

Network

Low

None

Partial

None

Partial

5.1, 5.2

CVE-2015-0255

Oracle Secure Global Desktop

X11

X Server

Yes

6.4

Network

Low

None

Partial

None

Partial

4.63, 4.71, 5.1, 5.2

CVE-2014-3571

Oracle Secure Global Desktop

SSL/TLS

OpenSSL

Yes

5.0

Network

Low

None

None

None

Partial

4.63, 4.71, 5.1

See Note 4

CVE-2015-0286

Oracle Secure Global Desktop

SSL/TLS

OpenSSL

Yes

5.0

Network

Low

None

None

None

Partial

4.63, 4.71, 5.1, 5.2

See Note 5

CVE-2010-1324

Oracle Secure Global Desktop

Kerberos

Kerberos

Yes

4.3

Network

Medium

None

None

Partial

None

4.63, 4.71, 5.1, 5.2

See Note 6

Notes:

  1. This fix also addresses CVE-2015-1802 and CVE-2015-1804.
  2. This issue affects Windows, Linux and Mac OS X hosts only when guests using bridged networking over Wifi. Solaris hosts don’t support this mode and therefore not affected by this issue.
  3. This fix also addresses CVE-2014-8091, CVE-2014-8092, CVE-2014-8093, CVE-2014-8095, CVE-2014-8096, CVE-2014-8097, CVE-2014-8098, CVE-2014-8100 and CVE-2014-8101.
  4. This fix also addresses CVE-2014-3569, CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205 and CVE-2015-0206.
  5. This fix also addresses CVE-2015-0287 and CVE-2015-0289. This fix also addresses CVE-2015-0204 in SGD 4.63, 4.71 and 5.1.
  6. This fix also addresses CVE-2010-1323 and CVE-2010-4020.

Appendix - Oracle MySQL****Oracle MySQL Executive Summary

This Critical Patch Update contains 18 new security fixes for Oracle MySQL. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here .

Oracle MySQL Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen- tication

Confiden- tiality

Integrity

Avail- ability

CVE-2015-2617

MySQL Server

MySQL Protocol

Server : Partition

No

6.5

Network

Low

Single

Partial+

Partial+

Partial+

5.6.24 and earlier

CVE-2015-2648

MySQL Server

MySQL Protocol

Server : DML

No

4.0

Network

Low

Single

None

None

Partial+

5.5.43 and earlier, 5.6.24 and earlier

CVE-2015-2611

MySQL Server

MySQL Protocol

Server : DML

No

4.0

Network

Low

Single

None

None

Partial+

5.6.24 and earlier

CVE-2015-2582

MySQL Server

MySQL Protocol

Server : GIS

No

4.0

Network

Low

Single

None

None

Partial+

5.5.43 and earlier, 5.6.24 and earlier

CVE-2015-4752

MySQL Server

MySQL Protocol

Server : I_S

No

4.0

Network

Low

Single

None

None

Partial+

5.5.43 and earlier, 5.6.24 and earlier

CVE-2015-4756

MySQL Server

MySQL Protocol

Server : InnoDB

No

4.0

Network

Low

Single

None

None

Partial+

5.6.22 and earlier

CVE-2015-2643

MySQL Server

MySQL Protocol

Server : Optimizer

No

4.0

Network

Low

Single

None

None

Partial+

5.5.43 and earlier, 5.6.24 and earlier

CVE-2015-4772

MySQL Server

MySQL Protocol

Server : Partition

No

4.0

Network

Low

Single

None

None

Partial+

5.6.24 and earlier

CVE-2015-4761

MySQL Server

MySQL Protocol

Server : Memcached

No

3.5

Network

Medium

Single

None

None

Partial+

5.6.24 and earlier

CVE-2015-4757

MySQL Server

MySQL Protocol

Server : Optimizer

No

3.5

Network

Medium

Single

None

None

Partial+

5.5.42 and earlier, 5.6.23 and earlier

CVE-2015-4737

MySQL Server

MySQL Protocol

Server : Pluggable Auth

No

3.5

Network

Medium

Single

Partial

None

None

5.5.43 and earlier, 5.6.23 and earlier

CVE-2015-4771

MySQL Server

MySQL Protocol

Server : RBR

No

3.5

Network

Medium

Single

None

None

Partial+

5.6.24 and earlier

CVE-2015-4769

MySQL Server

MySQL Protocol

Server : Security : Firewall

No

3.5

Network

Medium

Single

None

None

Partial+

5.6.24 and earlier

CVE-2015-2639

MySQL Server

MySQL Protocol

Server : Security : Firewall

No

3.5

Network

Medium

Single

None

Partial

None

5.6.24 and earlier

CVE-2015-2620

MySQL Server

MySQL Protocol

Server : Security : Privileges

No

3.5

Network

Medium

Single

Partial

None

None

5.5.43 and earlier, 5.6.23 and earlier

CVE-2015-2641

MySQL Server

MySQL Protocol

Server : Security : Privileges

No

3.5

Network

Medium

Single

None

None

Partial+

5.6.24 and earlier

CVE-2015-2661

MySQL Server

None

Client

No

2.1

Local

Low

None

None

None

Partial

5.6.24 and earlier

CVE-2015-4767

MySQL Server

MySQL Protocol

Server : Security : Firewall

No

1.7

Network

High

Multiple

None

None

Partial+

5.6.24 and earlier

Appendix - Oracle Berkeley DB****Oracle Berkeley DB Executive Summary

This Critical Patch Update contains 25 new security fixes for Oracle Berkeley DB. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Berkeley DB Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen- tication

Confiden- tiality

Integrity

Avail- ability

CVE-2015-2583

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-2626

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-2640

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-2654

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-2656

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4754

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-2624

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4784

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4787

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4789

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4785

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4786

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4783

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4764

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4780

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4790

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4776

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4775

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4778

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4777

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4782

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4781

Data Store

None

None

No

6.9

Local

Medium

None

Complete

Complete

Complete

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4788

Data Store

None

None

No

3.3

Local

Medium

None

None

Partial+

Partial

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4774

Data Store

None

None

No

3.3

Local

Medium

None

None

Partial+

Partial

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

CVE-2015-4779

Data Store

None

None

No

3.3

Local

Medium

None

None

Partial+

Partial

11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

Why Oracle

  • Analyst Reports
  • Gartner MQ for Cloud ERP
  • Cloud Economics
  • Corporate Responsibility
  • Diversity and Inclusion
  • Security Practices

Learn

  • What is cloud computing?
  • What is CRM?
  • What is Docker?
  • What is Kubernetes?
  • What is Python?
  • What is SaaS?

What’s New

  • Oracle Supports Ukraine

  • Oracle CloudWorld

  • Oracle and Premier League

  • Oracle Red Bull Racing

  • Employee Experience Platform

  • Oracle Support Rewards

  • © 2022 Oracle

  • Site Map

  • Privacy/Do Not Sell My Info

  • Ad Choices

  • Careers

  • Facebook

  • Twitter

  • LinkedIn

  • YouTube

Related news

CVE-2023-29382: Security Center - Zimbra :: Tech Center

An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.

CVE-2022-34456: DSA-2022-267: Dell EMC Metronode VS5 Security Update for Multiple Third-Party Component Vulnerabilities

Dell EMC Metro node, Version(s) prior to 7.1, contain a Code Injection Vulnerability. An authenticated nonprivileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application.

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

CVE-2022-2255: mod_wsgi/mod_wsgi.c at 4.9.2 · GrahamDumpleton/mod_wsgi

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.

CVE-2022-34009: Fossil: Change Log

Fossil 2.18 on Windows allows attackers to cause a denial of service (daemon crash) via an XSS payload in a ticket. This occurs because the ticket data is stored in a temporary file, and the product does not properly handle the absence of this file after Windows Defender has flagged it as malware.

CVE-2022-32985: Hardcoded Backdoor User and Outdated Software Components in Nexans FTTO GigaSwitch series

libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

Nexans FTTO GigaSwitch Outdated Components / Hardcoded Backdoor

Nexans FTTO GigaSwitch industrial/office switches HW version 5 suffer from having a hardcoded backdoor user and multiple outdated vulnerable software components.

CVE-2022-21938: Product Security Advisories

Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-22721: Apache HTTP Server 2.4 vulnerabilities

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2021-44790: Apache HTTP Server 2.4 vulnerabilities

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

CVE-2020-28017

Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption.

CVE-2021-2119: Oracle Critical Patch Update Advisory - January 2021

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

CVE-2020-9490: Apache HTTP Server 2.4 vulnerabilities

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

CVE-2019-4136: Security Bulletin: IBM Cognos Controller 2019Q2 Security Updater: Multiple vulnerabilities have been identified in IBM Cognos Controller

IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158332.

CVE-2019-2455: Oracle Critical Patch Update Advisory - January 2019

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3133: Oracle Critical Patch Update - October 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3064: CPU July 2018

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-2637: Oracle Critical Patch Update - January 2018

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/A...

CVE-2017-10378: Oracle Critical Patch Update - October 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-3636: Oracle Critical Patch Update Advisory - July 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-5771: PHP: PHP 5 ChangeLog

spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.

CVE-2016-3471: Oracle Critical Patch Update - July 2016

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

CVE-2016-0642: Oracle Critical Patch Update Advisory - April 2016

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated.

CVE-2016-0502: Oracle Critical Patch Update - January 2016

Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2015-4879: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-2582: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to GIS.

CVE-2015-4000

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0501: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-0480: Oracle Critical Patch Update - April 2015

Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.

CVE-2015-2808

The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.

CVE-2015-0235: oss-sec: Qualys Security Advisory CVE-2015-0235

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0391: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL.

CVE-2014-3620: Debian -- Security Information -- DSA-3022-1 curl

cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.

CVE-2014-3566

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

CVE-2014-3479: PHP: PHP 5 ChangeLog

The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.

CVE-2013-5891: Oracle Critical Patch Update - January 2014

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.

CVE-2013-5807: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle MySQL Server 5.5.x through 5.5.32 and 5.6.x through 5.6.12 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Replication.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2012-0053: Apache HTTP Server 2.2 vulnerabilities

protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.

CVE-2011-3389: Get to know Opera

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

CVE-2011-2729: Apache Tomcat® - Apache Tomcat 7 vulnerabilities

native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907