CVE-2012-1690: Oracle Critical Patch Update - April 2012

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer, a different vulnerability than CVE-2012-1703.


Oracle Critical Patch Update Advisory - April 2012

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 88 new security fixes across the product families listed below.

Oracle released a Security Alert on January 31st, 2012 to address the security issue CVE-2011-5035, a denial of service vulnerability in multiple Oracle products due to hashing collisions. Please see Security Alert (CVE-2011-5035) for the list of affected products and patch availability information.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

| Affected Products and Versions | Patch Availability |
|---|---|
| Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3 | Database |
| Oracle Database 11g Release 1, version 11.1.0.7 | Database |
| Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5 | Database |
| Oracle Application Server 10g Release 3, version 10.1.3.5.0 | Fusion Middleware |
| Oracle BI Publisher, versions 10.1.3.4.1, 10.1.3.4.2 | Fusion Middleware |
| Oracle DB UM Connector for Oracle Identity Manager, version 9.1.0.4 | Fusion Middleware |
| Oracle Identity Manager 11g, versions 11.1.1.3, 11.1.1.5 | Fusion Middleware |
| Oracle JDeveloper, version 10.1.3.5.0 | Fusion Middleware |
| Oracle JRockit, versions R28.2.2 and earlier, R27.7.1 and earlier | Fusion Middleware |
| Oracle Outside In Technology, versions 8.3.5, 8.3.7 | Fusion Middleware |
| Oracle WebCenter Forms Recognition, version 10.1.3.5 | Fusion Middleware |
| Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1 | Enterprise Manager |
| Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5 | Enterprise Manager |
| Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3 | E-Business Suite |
| Oracle E-Business Suite Release 11i, version 11.5.10.2 | E-Business Suite |
| Oracle Agile PLM for Process, versions 5.2.2, 6.0.0, 6.1.1 | Supply Chain |
| Oracle AutoVue Desktop, version 20.1.1 | Supply Chain |
| Oracle PeopleSoft Enterprise CRM, version 9.1 | PeopleSoft |
| Oracle PeopleSoft Enterprise HCM, version 9.1 | PeopleSoft |
| Oracle PeopleSoft Enterprise HRMS, versions 8.9, 9.0, 9.1 | PeopleSoft |
| Oracle PeopleSoft Enterprise FCSM, versions 9.0, 9.1 | PeopleSoft |
| Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52 | PeopleSoft |
| Oracle PeopleSoft Enterprise Portal, version 9.1 | PeopleSoft |
| Oracle PeopleSoft Enterprise SCM, versions 9.0, 9.1 | PeopleSoft |
| Oracle Siebel Life Sciences, versions 8.0.0, 8.1.1, 8.2.2 | Health Sciences |
| Oracle FLEXCUBE Direct Banking, versions 5.0.2, 5.3.0-5.3.4, 6.0.1, 6.2.0 | Contact Oracle Customer Support |
| Oracle FLEXCUBE Universal Banking, versions 10.0.0-10.5.0, 11.0.0-11.4.0 | Contact Oracle Customer Support |
| Primavera P6 Enterprise Project Portfolio Management, versions 6.2.1, 8.0, 8.1, 8.2 | Primavera |
| Oracle Sun Product Suite | Oracle Sun Product Suite |
| Oracle MySQL Server, versions 5.1, 5.5 | Oracle MySQL Product Suite |

Patch Availability Table and Risk Matrices

Products with Cumulative Patches

The Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Industry Applications, FLEXCUBE, Primavera and Oracle VM patches in the Critical Patch Updates are cumulative. In other words, patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates. For more information about cumulative and non-cumulative patches, check the patch availability documents in the table below for the respective product groups.

Patch Availability Table

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update April 2012 Documentation Map, My Oracle Support Note 1395797.1.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE#, a unique identifier for that vulnerability, and a vulnerability that affects multiple products appears with the same CVE# in every risk matrix. In the original advisory, italics mark vulnerabilities in code included from other product areas; in the text below those entries carry the originating product name in parentheses after the CVE# (for example, the Oracle Enterprise Manager Grid Control entries repeated in the Oracle Database Server risk matrix).

Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. As a matter of policy, Oracle does not disclose detailed information about an exploit condition or results that can be used to conduct a successful exploit. Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the Patch Availability Matrix, the readme files, and FAQs. Oracle does not provide advance notification on CPUs or Security Alerts to individual customers. Finally, Oracle does not distribute exploit code or proof of concept code for product vulnerabilities. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all its secure variants (if applicable) are affected too. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update April 2012 Availability Document, My Oracle Support Note 1406574.1.

Critical Patch Update Supported Products and Versions

Critical Patch Update patches are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that Critical Patch Update patches are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Critical Patch Update patches are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download Critical Patch Update patches for products in the Extended Support Phase.

On Request Model

Oracle proactively creates patches only for platform/version combinations that, based on historical data, customers are likely to download for the next Critical Patch Update. Patches for historically inactive platform/version combinations of the Oracle Database, Oracle Application Server and Enterprise Manager will be created only if requested by customers.

Refer to Patch Set Update and Critical Patch Update April 2012 Availability Document, My Oracle Support Note 1406574.1 for further details regarding the On Request patches.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Alexander Kornbrust of Red Database Security; Andrea Micalizzi aka rgod, working with TippingPoint's Zero Day Initiative; Brian Gorenc of TippingPoint DVLabs; Dave Love; David Litchfield of V3rity; Edward Torkington; Esteban Martinez Fayo of Application Security, Inc.; Frank Stuart; G & W Laboratories of TippingPoint's Zero Day Initiative; Nathan Catlow of Recx; Peter Maklary of LYNX Ltd.; Pierre Ernst of IBM Canada; Roberto Suggi Liverani of Security-Assessment.com; Shrikant Antre and Sunil Yadav of Network Intelligence; Sow Ching Shiong, reported through Secunia; Vishal K; and William Hay.

Security-In-Depth Contributors

Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Alexander Kornbrust of Red Database Security; Joxean Koret of iSIGHT Partners Global Vulnerability Partnership; and Stephen Kost of Integrigy for contributions to Oracle’s Security-In-Depth program.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 17 July 2012
  • 16 October 2012
  • 15 January 2013
  • 16 April 2013

References

  • Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
  • Critical Patch Update - April 2012 Documentation Map [ My Oracle Support Note 1395797.1 ]
  • Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
  • Risk Matrix definitions [ Risk Matrix Definitions ]
  • Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
  • English text version of the risk matrices [ Oracle Technology Network ]
  • CVRF XML version of the risk matrices [Oracle Technology Network]
  • List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
  • Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]

Modification History

2012-April-17

Rev 1. Initial Release

2012-July-19

Rev 2. Updated affected versions for Oracle Supply Chain Products.

Appendix - Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 6 new security fixes for the Oracle Database Server. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 1 of these fixes is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The six Oracle Enterprise Manager Grid Control entries that also appear in the matrix below are vulnerabilities in Enterprise Manager code included from another product area (see Risk Matrix Content above); they are counted in the Oracle Enterprise Manager Grid Control appendix, not in this total. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

Columns Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-0552 | Oracle Spatial | Oracle Net | Create session, create index, alter index, create table | No | 9.0 | Network | Low | Single | Complete | Complete | Complete | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3 | See Note 1 |
| CVE-2012-0519 | Core RDBMS | Oracle Net | Create library, create procedure | No | 7.1 | Network | High | Single | Complete | Complete | Complete | 11.2.0.2 | See Note 2 |
| CVE-2012-0510 | Core RDBMS | Oracle Net | None | Yes | 6.4 | Network | Low | None | None | Partial | Partial | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7 | |
| CVE-2012-0511 | OCI | Oracle Net | None | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 10.2.0.3, 10.2.0.4, 11.1.0.7 | |
| CVE-2012-0528 (Oracle Enterprise Manager Grid Control) | Enterprise Manager Base Platform | HTTP | Security Framework | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7 | |
| CVE-2012-0512 (Oracle Enterprise Manager Grid Control) | Enterprise Manager Base Platform | HTTP | Enterprise Config Management | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 11.1.0.7, 11.2.0.2 | |
| CVE-2012-0525 (Oracle Enterprise Manager Grid Control) | Enterprise Manager Base Platform | HTTP | Enterprise Config Management | No | 4.9 | Network | Medium | Single | Partial+ | Partial | None | 11.1.0.7, 11.2.0.2, 11.2.0.3 | |
| CVE-2012-1708 | Application Express | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 4.0, 4.1 | |
| CVE-2012-0526 (Oracle Enterprise Manager Grid Control) | Enterprise Manager Base Platform | HTTP | Schema Management | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3 | |
| CVE-2012-0527 (Oracle Enterprise Manager Grid Control) | Enterprise Manager Base Platform | HTTP | Schema Management | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3 | |
| CVE-2012-0520 (Oracle Enterprise Manager Grid Control) | Enterprise Manager Base Platform | HTTP | Security Framework | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2 | |
| CVE-2012-0534 | RDBMS Core | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | None | Partial | None | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3 | |

Notes:

  1. The CVSS Base Score is 9.0 only for Windows. For Linux, Unix and other platforms, the CVSS Base Score is 6.5, and the impacts for Confidentiality, Integrity and Availability are Partial+.
  2. The vulnerability affects Microsoft Windows platforms only.
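Checking the published scores, as an added example that is not Oracle's code: the block below implements the CVSS version 2.0 base equation described under Risk Matrix Content, derives the "Remote Exploit without Auth.?" flag from the Access Vector and Authentication metrics, and recomputes rows transcribed from the matrices on this page, including both the Windows (9.0) and Linux/Unix (6.5, Partial+ impacts) scores that Note 1 gives for CVE-2012-0552. The metric weights are the published CVSS v2 constants; the row list, the treatment of Oracle's "Partial+" as Partial, and the function names are this example's own.

```python
"""CVSS v2.0 base-score check for Oracle Critical Patch Update risk matrices.

Added example, not Oracle's code. Implements the public CVSS v2.0 base
equation and verifies it against rows transcribed from the April 2012
risk matrices, including the platform-dependent score in Note 1.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base-metric weights (from the CVSS v2 specification).
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}

# Vector-string letters; the same label always maps to the same letter.
ABBREV = {"Local": "L", "Adjacent Network": "A", "Network": "N",
          "High": "H", "Medium": "M", "Low": "L",
          "Multiple": "M", "Single": "S", "None": "N",
          "Partial": "P", "Complete": "C"}


def impact_weight(label: str) -> float:
    # Oracle's "Partial+" annotation is scored as Partial; the "+" only
    # flags that the practical impact may reach beyond the component.
    return IMPACT[label.rstrip("+")]


def cvss2_base_score(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """CVSS v2.0 base score from the six base metrics, rounded to one decimal."""
    impact = 10.41 * (1 - (1 - impact_weight(c)) * (1 - impact_weight(i)) * (1 - impact_weight(a)))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    # The spec's round_to_1_decimal is conventional half-up rounding, not
    # Python's round-half-to-even, so quantize through Decimal.
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_vector(av: str, ac: str, au: str, c: str, i: str, a: str) -> str:
    """Canonical vector string, e.g. AV:N/AC:L/Au:S/C:C/I:C/A:C."""
    parts = zip(("AV", "AC", "Au", "C", "I", "A"), (av, ac, au, c, i, a))
    return "/".join(f"{k}:{ABBREV[v.rstrip('+')]}" for k, v in parts)


def remote_without_auth(av: str, au: str) -> bool:
    # The "Remote Exploit without Auth.?" column in the matrices is "Yes"
    # exactly when the flaw is network-reachable and needs no authentication.
    return av == "Network" and au == "None"


# Rows transcribed from the risk matrices on this page:
# (CVE, AV, AC, Au, C, I, A, published base score, published remote-without-auth flag)
MATRIX_ROWS = [
    ("CVE-2012-0552 (Windows)", "Network", "Low", "Single", "Complete", "Complete", "Complete", 9.0, False),
    ("CVE-2012-0552 (Linux/Unix, Note 1)", "Network", "Low", "Single", "Partial+", "Partial+", "Partial+", 6.5, False),
    ("CVE-2012-0519", "Network", "High", "Single", "Complete", "Complete", "Complete", 7.1, False),
    ("CVE-2012-0510", "Network", "Low", "None", "None", "Partial", "Partial", 6.4, True),
    ("CVE-2012-0528", "Network", "Medium", "None", "Partial", "Partial", "None", 5.8, True),
    ("CVE-2012-1708", "Network", "Medium", "None", "None", "Partial", "None", 4.3, True),
    ("CVE-2012-0534", "Network", "Low", "Single", "None", "Partial", "None", 4.0, False),
    ("CVE-2012-1695", "Network", "Low", "None", "Complete", "Complete", "Complete", 10.0, True),
    ("CVE-2012-0513", "Network", "High", "None", "None", "Partial", "None", 2.6, True),
    ("CVE-2012-1706", "Network", "Low", "Multiple", "Partial", "Partial", "None", 4.7, False),
    ("CVE-2012-0524", "Local", "Low", "Single", "Partial", "Partial", "None", 3.2, False),
]


def check_rows(rows=MATRIX_ROWS):
    """Recompute every row; return (cve, published, computed) for any mismatch."""
    mismatches = []
    for cve, av, ac, au, c, i, a, published, remote in rows:
        computed = cvss2_base_score(av, ac, au, c, i, a)
        if computed != published or remote_without_auth(av, au) != remote:
            mismatches.append((cve, published, computed))
    return mismatches


if __name__ == "__main__":
    for row in MATRIX_ROWS:
        cve, metrics = row[0], row[1:7]
        print(f"{cve:36s} {cvss2_vector(*metrics):30s} {cvss2_base_score(*metrics):4.1f}")
    print("mismatches:", check_rows())
```

Every transcribed row recomputes to its published score, which is the check to run when a matrix row looks inconsistent or when a vendor's "Partial+" or platform-specific note has to be translated into a plain CVSS vector for a scanner or ticketing system.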

Oracle Database Server Client-Only Installations

The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2012-0511.

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 11 new security fixes for Oracle Fusion Middleware. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2012 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2012 Patch Availability Document for Oracle Products, My Oracle Support Note 1406574.1.

Starting again with the April 2012 Critical Patch Update, security vulnerability fixes for Oracle JRockit will be released with the Oracle Critical Patch Updates instead of the Oracle Java SE Critical Patch Updates.

Oracle Fusion Middleware Risk Matrix

Columns Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-1695 | Oracle JRockit | Multiple | - | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 28.2.2 and before: JDK/JRE 5 and 6; 27.7.1 and before: JDK/JRE 5 and 6 | See Note 1 |
| CVE-2012-0554 | Oracle Outside In Technology | None | Outside In Image Export SDK | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 8.3.5, 8.3.7 | See Note 2 |
| CVE-2012-0555 | Oracle Outside In Technology | None | Outside In Image Export SDK | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 8.3.5, 8.3.7 | See Note 2 |
| CVE-2012-0556 | Oracle Outside In Technology | None | Outside In Image Export SDK | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 8.3.5, 8.3.7 | See Note 2 |
| CVE-2012-0557 | Oracle Outside In Technology | None | Outside In Image Export SDK | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 8.3.5, 8.3.7 | See Note 2 |
| CVE-2012-1709 | Oracle WebCenter Forms Recognition | HTTP | Designer | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 10.1.3.5 | |
| CVE-2012-1710 | Oracle WebCenter Forms Recognition | HTTP | Designer | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 10.1.3.5 | |
| CVE-2012-0532 | Identity Manager | HTTP | User Config Management | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 11.1.1.3, 11.1.1.5 | |
| CVE-2012-0543 | BI Publisher (formerly XML Publisher) | HTTP | Administration | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.1.3.4.1, 10.1.3.4.2 | |
| CVE-2012-0522 | Oracle JDeveloper | HTTP | Java Business Objects | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.1.3.5 | |
| CVE-2012-0515 | Identity Manager Connector | HTTP | Database User | No | 4.0 | Network | Low | Single | None | Partial+ | None | 9.1.0.4 | |

Notes:

  1. Oracle released a Java SE Critical Patch Update in February 2012 to address multiple vulnerabilities affecting the Java Runtime Environment. CVE-2012-1695 is the identifier Oracle uses for the fixes from that Java SE Critical Patch Update that apply to JRockit. The CVSS score shown for CVE-2012-1695 is the highest among the vulnerabilities fixed in JRockit. The complete list of vulnerabilities addressed in JRockit under CVE-2012-1695 is: CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2011-3563, CVE-2012-0501, and CVE-2011-5035.
  2. Outside In Technology is a suite of software development kits (SDKs). It does not have any particular associated protocol. In determining the CVSS score for these vulnerabilities, Oracle has assumed that the hosting software exposes this functionality over the network without authentication. If this is not the case, the CVSS score could be much lower.

Appendix - Oracle Enterprise Manager Grid Control

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 6 new security fixes for Oracle Enterprise Manager Grid Control. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2012 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2012 Patch Availability Document, My Oracle Support Note 1406574.1.

Oracle Enterprise Manager Grid Control Risk Matrix

Columns Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-0528 | Enterprise Manager Base Platform | HTTP | Security Framework | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | - | See Note 1 |
| CVE-2012-0512 | Enterprise Manager Base Platform | HTTP | Enterprise Config Management | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | - | See Note 1 |
| CVE-2012-0525 | Enterprise Manager Base Platform | HTTP | Enterprise Config Management | No | 4.9 | Network | Medium | Single | Partial+ | Partial | None | 10.2.0.5, 11.1.0.1 | |
| CVE-2012-0526 | Enterprise Manager Base Platform | HTTP | Schema Management | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.2.0.5 | |
| CVE-2012-0527 | Enterprise Manager Base Platform | HTTP | Schema Management | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.2.0.5 | |
| CVE-2012-0520 | Enterprise Manager Base Platform | HTTP | Security Framework | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.2.0.5, 11.1.0.1 | |

Notes:

  1. Fixed in all supported releases and patchsets.

Appendix - Oracle Applications

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 4 new security fixes for the Oracle E-Business Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2012 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Critical Patch Update for April 2012, My Oracle Support Note 1406263.1.

Oracle E-Business Suite Risk Matrix

Columns Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-0537 | Oracle Application Object Library | HTTP | HTML pages | Yes | 6.4 | Network | Low | None | Partial+ | Partial+ | None | 12.1.3 | |
| CVE-2012-0535 | Oracle Application Object Library | HTTP | Change Password Page | Yes | 5.0 | Network | Low | None | Partial | None | None | 12.0.6, 12.1.3 | |
| CVE-2012-0513 | Oracle Application Object Library | HTTP | REST Services | Yes | 2.6 | Network | High | None | None | Partial | None | 12.0.6, 12.1.3 | |
| CVE-2012-0542 | Oracle iStore | HTTP | Runtime Catalog | Yes | 2.6 | Network | High | None | None | Partial | None | 11.5.10.2, 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3 | |

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle Supply Chain Products Suite. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

Columns Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-0549 | Oracle AutoVue Desktop | HTTP | Desktop API | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 20.1.1 | |
| CVE-2012-0565 | Oracle Agile PLM for Process | HTTP | Install | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 5.2.2, 6.0.0, 6.1.1 | |
| CVE-2012-0580 | Oracle Agile PLM for Process | HTTP | Supplier Portal | Yes | 5.0 | Network | Low | None | None | Partial | None | 5.2.2, 6.0.0, 6.1.1 | |
| CVE-2012-0581 | Oracle Agile PLM for Process | HTTP | SCRM - Company Profiles | Yes | 4.3 | Network | Medium | None | None | Partial | None | 5.2.2, 6.0.0, 6.1.1 | |
| CVE-2012-0566 | Oracle Agile PLM for Process | HTTP | Supplier Portal | Yes | 4.3 | Network | Medium | None | None | Partial | None | 5.2.2, 6.0.0, 6.1.1 | |

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 15 new security fixes for Oracle PeopleSoft Products. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

Columns Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-0564 | PeopleSoft Enterprise PeopleTools | HTTP | Query | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 8.50, 8.51 | |
| CVE-2012-0517 | PeopleSoft Enterprise HRMS | HTTP | eCompensation Manager Desktop | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.0 | |
| CVE-2012-0538 | PeopleSoft Enterprise PeopleTools | HTTP | Search | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 8.50, 8.51, 8.52 | |
| CVE-2012-0560 | PeopleSoft Enterprise PeopleTools | HTTP | Portal | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.50, 8.51, 8.52 | |
| CVE-2012-0514 | PeopleSoft Enterprise CRM | HTTP | SEC | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1 | |
| CVE-2012-0533 | PeopleSoft Enterprise FCSM | HTTP | Receivables | No | 4.0 | Network | Low | Single | Partial | None | None | 9.0, 9.1 | |
| CVE-2012-0521 | PeopleSoft Enterprise HCM | HTTP | Human Resources | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1 Bundle #9 | |
| CVE-2012-0562 | PeopleSoft Enterprise HRMS | HTTP | Candidate Gateway | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1 | |
| CVE-2012-0536 | PeopleSoft Enterprise HRMS | HTTP | eCompensation | No | 4.0 | Network | Low | Single | Partial | None | None | 8.9 through Bundle #26 | |
| CVE-2012-0559 | PeopleSoft Enterprise SCM | HTTP | Billing | No | 4.0 | Network | Low | Single | Partial | None | None | 9.0, 9.1 | |
| CVE-2012-0530 | PeopleSoft Enterprise SCM | HTTP | eProcurement | No | 4.0 | Network | Low | Single | None | Partial | None | 9.0, 9.1 | |
| CVE-2012-0561 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | No | 3.5 | Network | Medium | Single | None | Partial | None | 8.50, 8.51, 8.52 | |
| CVE-2012-0529 | PeopleSoft Enterprise PeopleTools | HTTP | core | No | 3.5 | Network | Medium | Single | None | Partial | None | 8.51 | |
| CVE-2012-0531 | PeopleSoft Enterprise Portal | HTTP | Enterprise Portal | No | 3.5 | Network | Medium | Single | None | Partial | None | 9.1 | |
| CVE-2012-0524 | PeopleSoft Enterprise PeopleTools | HTTP | File Processing | No | 3.2 | Local | Low | Single | Partial | Partial | None | 8.50, 8.51, 8.52 | |

Appendix - Oracle Industry Applications

Oracle Industry Applications Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Industry Applications. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Industry Applications Risk Matrix

Columns Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-0582 | Siebel Clinical | HTTP | Web UI | No | 4.0 | Network | Low | Single | None | Partial | None | 7.7, 7.8, 8.0.0.x, 8.1.1.x, 8.2.2.x | |
| CVE-2012-1674 | Siebel Clinical | HTTP | Web UI | No | 4.0 | Network | Low | Single | None | Partial | None | 7.7, 7.8, 8.0.0.x, 8.1.1.x, 8.2.2.x | |

Appendix - Oracle Financial Services Software

Oracle Financial Services Software Executive Summary

This Critical Patch Update contains 17 new security fixes for Oracle Financial Services Software. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Contact Oracle Customer Support for Oracle FLEXCUBE Universal Banking and Oracle FLEXCUBE Direct Banking fixes.

Oracle Financial Services Software Risk Matrix

Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|------|-----------|----------|--------------|-------------------------------|------------|---------------|-------------------|----------------|-----------------|-----------|--------------|-----------------------------|-------|
| CVE-2012-0575 | Oracle FLEXCUBE Universal Banking | HTTP | Core | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 10.0.0 - 10.5.0, 11.0.0 - 11.2.0 | |
| CVE-2012-0567 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 5.5 | Network | Low | Single | Partial | Partial | None | 10.0.0 - 10.5.0, 11.0.0 - 11.2.0 | |
| CVE-2012-0573 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 4.9 | Network | Medium | Single | Partial | Partial | None | 10.0.0 - 10.5.0, 11.0.0 - 11.4.0 | |
| CVE-2012-1706 | Oracle FLEXCUBE Direct Banking | File | Logging | No | 4.7 | Network | Low | Multiple | Partial | Partial | None | 5.0.2, 5.3.0 - 5.3.4, 6.0.1, 6.2.0 | |
| CVE-2012-1707 | Oracle FLEXCUBE Direct Banking | HTTP | Core-Base | No | 4.0 | Network | Low | Single | Partial | None | None | 5.0.2, 5.3.0 - 5.3.4, 6.0.1, 6.2.0 | |
| CVE-2012-0576 | Oracle FLEXCUBE Direct Banking | HTTP | Core-Help | No | 4.0 | Network | Low | Single | None | Partial | None | 6.0.1, 6.2.0 | |
| CVE-2012-0571 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 4.0 | Network | Low | Single | None | Partial | None | 10.0.0 - 10.5.0, 11.0.0 - 11.4.0 | |
| CVE-2012-0545 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 3.6 | Network | High | Single | Partial | Partial | None | 10.0.0 - 10.5.0, 11.0.0 - 11.2.0 | |
| CVE-2012-0546 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 3.6 | Network | High | Single | Partial | Partial | None | 10.0.0 - 10.5.0, 11.0.0 - 11.2.0 | |
| CVE-2012-1704 | Oracle FLEXCUBE Direct Banking | HTTP | Core-Base | No | 3.5 | Network | Medium | Single | Partial | None | None | 5.0.2, 5.3.0 - 5.3.4, 6.0.1, 6.2.0 | |
| CVE-2012-0509 | Oracle FLEXCUBE Direct Banking | HTTP | Core-Base | No | 3.5 | Network | Medium | Single | None | Partial | None | 5.0.2, 5.3.0 - 5.3.4 | |
| CVE-2012-1679 | Oracle FLEXCUBE Direct Banking | HTTP | Core-Base | No | 3.5 | Network | Medium | Single | None | Partial | None | 5.0.2, 5.3.0 - 5.3.4, 6.0.1, 6.2.0 | |
| CVE-2012-0541 | Oracle FLEXCUBE Direct Banking | HTTP | Core-My Services | No | 3.5 | Network | Medium | Single | Partial | None | None | 5.0.2, 5.3.0 - 5.3.4, 6.0.1, 6.2.0 | |
| CVE-2012-1676 | Oracle FLEXCUBE Direct Banking | HTTP | Virtual Banking | No | 3.5 | Network | Medium | Single | Partial | None | None | 5.0.2, 5.3.0 - 5.3.4, 6.0.1, 6.2.0 | |
| CVE-2012-0544 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 3.5 | Network | Medium | Single | None | Partial | None | 10.0.0 - 10.5.0, 11.0.0 - 11.4.0 | |
| CVE-2012-0577 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 3.5 | Network | Medium | Single | None | None | Partial | 10.0.0 - 10.5.0, 11.0.0 - 11.4.0 | |
| CVE-2012-0579 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 3.5 | Network | Medium | Single | Partial | None | None | 10.0.0 - 10.5.0, 11.0.0 - 11.4.0 | |

Appendix - Oracle Primavera Products Suite

Oracle Primavera Products Suite Executive Summary

This Critical Patch Update contains 1 new security fix for the Oracle Primavera Products Suite. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Primavera Products Suite Risk Matrix

Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|------|-----------|----------|--------------|-------------------------------|------------|---------------|-------------------|----------------|-----------------|-----------|--------------|-----------------------------|-------|
| CVE-2012-0558 | Primavera P6 Enterprise Project Portfolio Management | HTTP | Web application | Yes | 4.3 | Network | Medium | None | None | Partial | None | 6.2.1, 8.0, 8.1, 8.2 | |

Appendix - Oracle Sun Products Suite

Oracle Sun Products Suite Executive Summary

This Critical Patch Update contains 15 new security fixes for the Oracle Sun Products Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Sun Products Suite Risk Matrix

Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|------|-----------|----------|--------------|-------------------------------|------------|---------------|-------------------|----------------|-----------------|-----------|--------------|-----------------------------|-------|
| CVE-2012-0208 | Oracle Grid Engine | RSH | qrsh | No | 9.0 | Network | Low | Single | Complete | Complete | Complete | 6.1, 6.2 | |
| CVE-2012-0523 | Oracle Grid Engine | None | sgepasswd | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 6.1, 6.2 | |
| CVE-2012-0550 | GlassFish Enterprise Server | HTTP | Web Container | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | GlassFish Enterprise Server 3.1.1 | |
| CVE-2012-0516 | Oracle iPlanet Web Server | HTTP | Administration Console | Yes | 6.8 | Network | Medium | None | Partial+ | Partial+ | Partial+ | 7.0 | |
| CVE-2012-1691 | Solaris | None | Kernel/Privileges | No | 6.6 | Local | Medium | Single | Complete | Complete | Complete | 11 | |
| CVE-2012-1694 | Solaris | TCP/IP | libsasl(3LIB) | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 10 | |
| CVE-2012-0539 | Solaris | None | bsmconv(1M), bsmunconv(1M) | No | 6.2 | Local | High | None | Complete | Complete | Complete | 8, 9, 10 | |
| CVE-2012-1683 | Solaris | None | gssd(1M) | No | 5.9 | Local | High | Multiple | Complete | Complete | Complete | 8, 9, 10, 11 | |
| CVE-2012-0551 | GlassFish Enterprise Server | HTTP | Web Container | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | GlassFish Enterprise Server 3.1.1 | |
| CVE-2012-1681 | Solaris | None | Kernel/sockfs | No | 4.9 | Local | Low | None | None | None | Complete | 8, 9, 10, 11 | |
| CVE-2012-1692 | Solaris | None | SCTP(7P) | No | 4.9 | Local | Low | None | None | None | Complete | 10 | |
| CVE-2012-1684 | Solaris | None | Password Policy | No | 4.3 | Local | Low | Single | Partial | Partial | Partial | 8, 9, 10, 11 | |
| CVE-2012-1693 | SPARC Enterprise M Series Servers | SSH | XSCF Control Package (XCP) | Yes | 2.6 | Network | High | None | None | None | Partial+ | XCP 1110 | |
| CVE-2012-0548 | SPARC Enterprise M Series Servers | None | XSCF Control Package (XCP) | No | 2.1 | Local | Low | None | Partial | None | None | XCP 1110 and earlier | |
| CVE-2012-1698 | Solaris | TCP/IP | Kernel/GLD(7D) | No | 2.1 | Network | High | Single | Partial | None | None | 11 | |

Appendix - Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 6 new security fixes for Oracle MySQL. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|------|-----------|----------|--------------|-------------------------------|------------|---------------|-------------------|----------------|-----------------|-----------|--------------|-----------------------------|-------|
| CVE-2012-1703 | MySQL Server | MySQL Protocol | Server Optimizer | No | 6.8 | Network | Low | Single | None | None | Complete | 5.1.61 and earlier, 5.5.21 and earlier | |
| CVE-2012-0583 | MySQL Server | MySQL Protocol | MyISAM | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.60 and earlier, 5.5.19 and earlier | |
| CVE-2012-1697 | MySQL Server | MySQL Protocol | Partition | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.21 and earlier | |
| CVE-2012-1688 | MySQL Server | MySQL Protocol | Server DML | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.61 and earlier, 5.5.21 and earlier | |
| CVE-2012-1696 | MySQL Server | MySQL Protocol | Server Optimizer | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.19 and earlier | |
| CVE-2012-1690 | MySQL Server | MySQL Protocol | Server Optimizer | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.61 and earlier, 5.5.21 and earlier | |
