CVE-2012-1690: Oracle Critical Patch Update - April 2012
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer, a different vulnerability than CVE-2012-1703.
Oracle Critical Patch Update Advisory - April 2012
Description
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:
Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 88 new security fixes across the product families listed below.
Oracle released a Security Alert on January 31st, 2012 to address the security issue CVE-2011-5035, a denial of service vulnerability in multiple Oracle products due to hashing collisions. Please see Security Alert (CVE-2011-5035) for the list of affected products and patch availability information.
Affected Products and Components
Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.
The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:
| Affected Products and Versions | Patch Availability |
|---|---|
| Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3 | Database |
| Oracle Database 11g Release 1, version 11.1.0.7 | Database |
| Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5 | Database |
| Oracle Application Server 10g Release 3, version 10.1.3.5.0 | Fusion Middleware |
| Oracle BI Publisher, versions 10.1.3.4.1, 10.1.3.4.2 | Fusion Middleware |
| Oracle DB UM Connector for Oracle Identity Manager, version 9.1.0.4 | Fusion Middleware |
| Oracle Identity Manager 11g, versions 11.1.1.3, 11.1.1.5 | Fusion Middleware |
| Oracle JDeveloper, version 10.1.3.5.0 | Fusion Middleware |
| Oracle JRockit, versions R28.2.2 and earlier, R27.7.1 and earlier | Fusion Middleware |
| Oracle Outside In Technology, versions 8.3.5, 8.3.7 | Fusion Middleware |
| Oracle WebCenter Forms Recognition, version 10.1.3.5 | Fusion Middleware |
| Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1 | Enterprise Manager |
| Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5 | Enterprise Manager |
| Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3 | E-Business Suite |
| Oracle E-Business Suite Release 11i, version 11.5.10.2 | E-Business Suite |
| Oracle Agile PLM for Process, versions 5.2.2, 6.0.0, 6.1.1 | Supply Chain |
| Oracle AutoVue Desktop, version 20.1.1 | Supply Chain |
| Oracle PeopleSoft Enterprise CRM, version 9.1 | PeopleSoft |
| Oracle PeopleSoft Enterprise HCM, version 9.1 | PeopleSoft |
| Oracle PeopleSoft Enterprise HRMS, versions 8.9, 9.0, 9.1 | PeopleSoft |
| Oracle PeopleSoft Enterprise FCSM, versions 9.0, 9.1 | PeopleSoft |
| Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52 | PeopleSoft |
| Oracle PeopleSoft Enterprise Portal, version 9.1 | PeopleSoft |
| Oracle PeopleSoft Enterprise SCM, versions 9.0, 9.1 | PeopleSoft |
| Oracle Siebel Life Sciences, versions 8.0.0, 8.1.1, 8.2.2 | Health Sciences |
| Oracle FLEXCUBE Direct Banking, versions 5.0.2, 5.3.0-5.3.4, 6.0.1, 6.2.0 | Contact Oracle Customer Support |
| Oracle FLEXCUBE Universal Banking, versions 10.0.0-10.5.0, 11.0.0-11.4.0 | Contact Oracle Customer Support |
| Primavera P6 Enterprise Project Portfolio Management, versions 6.2.1, 8.0, 8.1, 8.2 | Primavera |
| Oracle Sun Product Suite | Oracle Sun Product Suite |
| Oracle MySQL Server, versions 5.1, 5.5 | Oracle MySQL Product Suite |
Patch Availability Table and Risk Matrices
Products with Cumulative Patches
The Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Industry Applications, FLEXCUBE, Primavera and Oracle VM patches in the Critical Patch Updates are cumulative. In other words, patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates. For more information about cumulative and non-cumulative patches, check the patch availability documents in the table below for the respective product groups.
Patch Availability Table
For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update April 2012 Documentation Map, My Oracle Support Note 1395797.1.
Risk Matrix Content
Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories.
Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. Italics indicate vulnerabilities in code included from other product areas.
Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. As a matter of policy, Oracle does not disclose detailed information about an exploit condition or results that can be used to conduct a successful exploit. Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the Patch Availability Matrix, the readme files, and FAQs. Oracle does not provide advance notification on CPUs or Security Alerts to individual customers. Finally, Oracle does not distribute exploit code or proof of concept code for product vulnerabilities. For more information, see Oracle vulnerability disclosure policies.
The protocol in the risk matrix implies that all its secure variants (if applicable) are affected too. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected.
Workarounds
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
Skipped Critical Patch Updates
Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.
Product Dependencies
Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update April 2012 Availability Document, My Oracle Support Note 1406574.1.
Critical Patch Update Supported Products and Versions
Critical Patch Update patches are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that Critical Patch Update patches are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities.
Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
Products in Extended Support
Critical Patch Update patches are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download Critical Patch Update patches for products in the Extended Support Phase.
On Request Model
Oracle proactively creates patches only for platform/version combinations that, based on historical data, customers are likely to download for the next Critical Patch Update. Patches for historically inactive platform/version combinations of the Oracle Database, Oracle Application Server and Enterprise Manager will be created only if requested by customers.
Refer to Patch Set Update and Critical Patch Update April 2012 Availability Document, My Oracle Support Note 1406574.1 for further details regarding the On Request patches.
Credit Statement
The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Alexander Kornbrust of Red Database Security; Andrea Micalizzi aka rgod, working with TippingPoint’s Zero Day Initiative; Brian Gorenc TippingPoint DVLabs; Dave Love; David Litchfield of V3rity; Edward Torkington; Esteban Martinez Fayo of Application Security, Inc.; Frank Stuart; G & W Laboratories of TippingPoint’s Zero Day Initiative; Nathan Catlow of Recx; Peter Maklary of LYNX Ltd.; Pierre Ernst of IBM Canada; Roberto Suggi Liverani of Security-Assessment.com; Shrikant Antre and Sunil Yadav of Network Intelligence; Sow Ching Shiong, reported through Secunia; Vishal K; and William Hay.
Security-In-Depth Contributors
Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.
In this Critical Patch Update Advisory, Oracle recognizes Alexander Kornbrust of Red Database Security; Joxean Koret of iSIGHT Partners Global Vulnerability Partnership; and Stephen Kost of Integrigy for contributions to Oracle’s Security-In-Depth program.
Critical Patch Update Schedule
Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 17 July 2012
- 16 October 2012
- 15 January 2013
- 16 April 2013
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Critical Patch Update - April 2012 Documentation Map [ My Oracle Support Note 1395797.1 ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
- English text version of the risk matrices [ Oracle Technology Network ]
- CVRF XML version of the risk matrices [ Oracle Technology Network ]
- List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
- Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]
Modification History
2012-April-17
Rev 1. Initial Release
2012-July-19
Rev 2. Updated affected versions for Oracle Supply Chain Products.
Appendix - Oracle Database Server
Oracle Database Server Executive Summary
This Critical Patch Update contains 6 new security fixes for the Oracle Database Server. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 1 of these fixes is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
Oracle Database Server Risk Matrix
The Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity and Availability columns give the CVSS version 2.0 risk (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-0552 | Oracle Spatial | Oracle NET | Create session, create index, alter index, create table | No | 9.0 | Network | Low | Single | Complete | Complete | Complete | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3 | See Note 1 |
| CVE-2012-0519 | Core RDBMS | Oracle NET | Create library, create procedure | No | 7.1 | Network | High | Single | Complete | Complete | Complete | 11.2.0.2 | See Note 2 |
| CVE-2012-0510 | Core RDBMS | Oracle Net | None | Yes | 6.4 | Network | Low | None | None | Partial | Partial | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7 | |
| CVE-2012-0511 | OCI | Oracle NET | None | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 10.2.0.3, 10.2.0.4, 11.1.0.7 | |
| CVE-2012-0528 | Enterprise Manager Base Platform (Oracle Enterprise Manager Grid Control) | HTTP | Security Framework | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7 | |
| CVE-2012-0512 | Enterprise Manager Base Platform (Oracle Enterprise Manager Grid Control) | HTTP | Enterprise Config Management | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 11.1.0.7, 11.2.0.2 | |
| CVE-2012-0525 | Enterprise Manager Base Platform (Oracle Enterprise Manager Grid Control) | HTTP | Enterprise Config Management | No | 4.9 | Network | Medium | Single | Partial+ | Partial | None | 11.1.0.7, 11.2.0.2, 11.2.0.3 | |
| CVE-2012-1708 | Application Express | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 4.0, 4.1 | |
| CVE-2012-0526 | Enterprise Manager Base Platform (Oracle Enterprise Manager Grid Control) | HTTP | Schema Management | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3 | |
| CVE-2012-0527 | Enterprise Manager Base Platform (Oracle Enterprise Manager Grid Control) | HTTP | Schema Management | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3 | |
| CVE-2012-0520 | Enterprise Manager Base Platform (Oracle Enterprise Manager Grid Control) | HTTP | Security Framework | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2 | |
| CVE-2012-0534 | RDBMS Core | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | None | Partial | None | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3 | |
Notes:
1. The CVSS Base Score is 9.0 only for Windows. For Linux, Unix and other platforms, the CVSS Base Score is 6.5, and the impacts for Confidentiality, Integrity and Availability are Partial+.
2. The vulnerability affects Microsoft Windows platforms only.
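The CVSS version 2.0 scores in the risk matrices can be recomputed from the six base metrics shown in each row. The script below is an added example, not part of Oracle's advisory: it implements the CVSS v2.0 base-score formula, re-scores a sample of rows copied from the matrices in this advisory, and reproduces the Note 1 split for CVE-2012-0552 (9.0 with Complete impacts on Windows, 6.5 with Partial+ impacts elsewhere). It assumes that Oracle's "Partial+" label is scored as CVSS "Partial", which the 5.5 score of CVE-2012-0512 (Partial+/Partial+/None) is consistent with.

```python
"""Recompute CVSS v2.0 base scores for rows of the April 2012 CPU risk matrices."""
from dataclasses import dataclass

# CVSS v2.0 base metric weights, as given in the CVSS v2 specification.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def impact_weight(label: str) -> float:
    """Map an Oracle impact label to its CVSS v2 weight.

    Assumption: Oracle's "Partial+" is an annotation on a CVSS "Partial"
    rating, so the trailing "+" is dropped before the lookup.
    """
    return IMPACT[label.rstrip("+")]


def round1(x: float) -> float:
    """Round half-up to one decimal place, as CVSS v2 base scores are reported."""
    return int(x * 10 + 0.5) / 10


def cvss2_base_score(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """CVSS v2.0 base score from the six base metrics in their label form."""
    impact = 10.41 * (1 - (1 - impact_weight(c)) * (1 - impact_weight(i)) * (1 - impact_weight(a)))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176  # f(Impact) term of the v2 formula
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


@dataclass(frozen=True)
class MatrixRow:
    """One risk-matrix row: CVE, the six base metrics and the published score."""
    cve: str
    av: str
    ac: str
    au: str
    c: str
    i: str
    a: str
    published: float

    def computed(self) -> float:
        return cvss2_base_score(self.av, self.ac, self.au, self.c, self.i, self.a)


# Rows copied from the risk matrices of this advisory (a sample, not all 88 fixes).
ROWS = [
    MatrixRow("CVE-2012-0552", "Network", "Low", "Single", "Complete", "Complete", "Complete", 9.0),
    MatrixRow("CVE-2012-0519", "Network", "High", "Single", "Complete", "Complete", "Complete", 7.1),
    MatrixRow("CVE-2012-0510", "Network", "Low", "None", "None", "Partial", "Partial", 6.4),
    MatrixRow("CVE-2012-0528", "Network", "Medium", "None", "Partial", "Partial", "None", 5.8),
    MatrixRow("CVE-2012-0512", "Network", "Low", "Single", "Partial+", "Partial+", "None", 5.5),
    MatrixRow("CVE-2012-1708", "Network", "Medium", "None", "None", "Partial", "None", 4.3),
    MatrixRow("CVE-2012-0534", "Network", "Low", "Single", "None", "Partial", "None", 4.0),
    MatrixRow("CVE-2012-1695", "Network", "Low", "None", "Complete", "Complete", "Complete", 10.0),
    MatrixRow("CVE-2012-0513", "Network", "High", "None", "None", "Partial", "None", 2.6),
    MatrixRow("CVE-2012-1706", "Network", "Low", "Multiple", "Partial", "Partial", "None", 4.7),
    MatrixRow("CVE-2012-0524", "Local", "Low", "Single", "Partial", "Partial", "None", 3.2),
]


def mismatches(rows=ROWS) -> list:
    """Return (cve, published, computed) for every row whose score does not recompute."""
    return [(r.cve, r.published, r.computed()) for r in rows if r.computed() != r.published]


def note1_platform_scores() -> tuple:
    """Database matrix Note 1 for CVE-2012-0552: same exploitability metrics,
    Complete impacts on Windows versus Partial+ impacts on other platforms."""
    windows = cvss2_base_score("Network", "Low", "Single", "Complete", "Complete", "Complete")
    other = cvss2_base_score("Network", "Low", "Single", "Partial+", "Partial+", "Partial+")
    return windows, other


if __name__ == "__main__":
    print("rows that do not recompute:", mismatches())
    print("CVE-2012-0552 Windows / other platforms:", note1_platform_scores())
```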
Oracle Database Server Client-Only Installations
The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2012-0511.
Appendix - Oracle Fusion Middleware
Oracle Fusion Middleware Executive Summary
This Critical Patch Update contains 11 new security fixes for Oracle Fusion Middleware. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2012 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2012 Patch Availability Document for Oracle Products, My Oracle Support Note 1406574.1.
Starting again with the April 2012 Critical Patch Update, security vulnerability fixes for Oracle JRockit will be released with the Oracle Critical Patch Updates instead of the Oracle Java SE Critical Patch Updates.
Oracle Fusion Middleware Risk Matrix
The Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity and Availability columns give the CVSS version 2.0 risk (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-1695 | Oracle JRockit | Multiple | - | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 28.2.2 and before: JDK/JRE 5 and 6, 27.7.1 and before: JDK/JRE 5 and 6 | See Note 1 |
| CVE-2012-0554 | Oracle Outside In Technology | None | Outside In Image Export SDK | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 8.3.5, 8.3.7 | See Note 2 |
| CVE-2012-0555 | Oracle Outside In Technology | None | Outside In Image Export SDK | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 8.3.5, 8.3.7 | See Note 2 |
| CVE-2012-0556 | Oracle Outside In Technology | None | Outside In Image Export SDK | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 8.3.5, 8.3.7 | See Note 2 |
| CVE-2012-0557 | Oracle Outside In Technology | None | Outside In Image Export SDK | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 8.3.5, 8.3.7 | See Note 2 |
| CVE-2012-1709 | Oracle WebCenter Forms Recognition | HTTP | Designer | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 10.1.3.5 | |
| CVE-2012-1710 | Oracle WebCenter Forms Recognition | HTTP | Designer | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 10.1.3.5 | |
| CVE-2012-0532 | Identity Manager | HTTP | User Config Management | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 11.1.1.3, 11.1.1.5 | |
| CVE-2012-0543 | BI Publisher (formerly XML Publisher) | HTTP | Administration | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.1.3.4.1, 10.1.3.4.2 | |
| CVE-2012-0522 | Oracle JDeveloper | HTTP | Java Business Objects | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.1.3.5 | |
| CVE-2012-0515 | Identity Manager Connector | HTTP | Database User | No | 4.0 | Network | Low | Single | None | Partial+ | None | 9.1.0.4 | |
Notes:
1. Oracle released a Java SE Critical Patch Update in February 2012 to address multiple vulnerabilities affecting the Java Runtime Environment. CVE-2012-1695 refers to the fixes from that Java SE Critical Patch Update that are applicable to JRockit. The CVSS score shown for CVE-2012-1695 is the highest among the vulnerabilities fixed in JRockit. The complete list of vulnerabilities addressed in JRockit under CVE-2012-1695 is: CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2011-3563, CVE-2012-0501 and CVE-2011-5035.
2. Outside In Technology is a suite of software development kits (SDKs). It does not have any particular associated protocol. In determining the CVSS score for these vulnerabilities we have assumed that the hosting software exposes this functionality over the network without authentication. If this is not the case, the CVSS score could be much lower.
Appendix - Oracle Enterprise Manager Grid Control
Oracle Enterprise Manager Grid Control Executive Summary
This Critical Patch Update contains 6 new security fixes for Oracle Enterprise Manager Grid Control. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.
Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2012 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2012 Patch Availability Document, My Oracle Support Note 1406574.1.
Oracle Enterprise Manager Grid Control Risk Matrix
The Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity and Availability columns give the CVSS version 2.0 risk (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-0528 | Enterprise Manager Base Platform | HTTP | Security Framework | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | - | See Note 1 |
| CVE-2012-0512 | Enterprise Manager Base Platform | HTTP | Enterprise Config Management | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | - | See Note 1 |
| CVE-2012-0525 | Enterprise Manager Base Platform | HTTP | Enterprise Config Management | No | 4.9 | Network | Medium | Single | Partial+ | Partial | None | 10.2.0.5, 11.1.0.1 | |
| CVE-2012-0526 | Enterprise Manager Base Platform | HTTP | Schema Management | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.2.0.5 | |
| CVE-2012-0527 | Enterprise Manager Base Platform | HTTP | Schema Management | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.2.0.5 | |
| CVE-2012-0520 | Enterprise Manager Base Platform | HTTP | Security Framework | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.2.0.5, 11.1.0.1 | |
Notes:
1. Fixed in all supported releases and patchsets.
Appendix - Oracle Applications
Oracle E-Business Suite Executive Summary
This Critical Patch Update contains 4 new security fixes for the Oracle E-Business Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2012 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Critical Patch Update for April 2012, My Oracle Support Note 1406263.1.
Oracle E-Business Suite Risk Matrix
The Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity and Availability columns give the CVSS version 2.0 risk (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-0537 | Oracle Application Object Library | HTTP | HTML pages | Yes | 6.4 | Network | Low | None | Partial+ | Partial+ | None | 12.1.3 | |
| CVE-2012-0535 | Oracle Application Object Library | HTTP | Change Password Page | Yes | 5.0 | Network | Low | None | Partial | None | None | 12.0.6, 12.1.3 | |
| CVE-2012-0513 | Oracle Application Object Library | HTTP | REST Services | Yes | 2.6 | Network | High | None | None | Partial | None | 12.0.6, 12.1.3 | |
| CVE-2012-0542 | Oracle iStore | HTTP | Runtime Catalog | Yes | 2.6 | Network | High | None | None | Partial | None | 11.5.10.2, 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3 | |
Oracle Supply Chain Products Suite Executive Summary
This Critical Patch Update contains 5 new security fixes for the Oracle Supply Chain Products Suite. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Supply Chain Products Suite Risk Matrix
The Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity and Availability columns give the CVSS version 2.0 risk (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-0549 | Oracle AutoVue Desktop | HTTP | Desktop API | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 20.1.1 | |
| CVE-2012-0565 | Oracle Agile PLM for Process | HTTP | Install | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 5.2.2, 6.0.0, 6.1.1 | |
| CVE-2012-0580 | Oracle Agile PLM for Process | HTTP | Supplier Portal | Yes | 5.0 | Network | Low | None | None | Partial | None | 5.2.2, 6.0.0, 6.1.1 | |
| CVE-2012-0581 | Oracle Agile PLM for Process | HTTP | SCRM - Company Profiles | Yes | 4.3 | Network | Medium | None | None | Partial | None | 5.2.2, 6.0.0, 6.1.1 | |
| CVE-2012-0566 | Oracle Agile PLM for Process | HTTP | Supplier Portal | Yes | 4.3 | Network | Medium | None | None | Partial | None | 5.2.2, 6.0.0, 6.1.1 | |
Oracle PeopleSoft Products Executive Summary
This Critical Patch Update contains 15 new security fixes for Oracle PeopleSoft Products. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle PeopleSoft Products Risk Matrix
The Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity and Availability columns give the CVSS version 2.0 risk (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-0564 | PeopleSoft Enterprise PeopleTools | HTTP | Query | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 8.50, 8.51 | |
| CVE-2012-0517 | PeopleSoft Enterprise HRMS | HTTP | eCompensation Manager Desktop | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.0 | |
| CVE-2012-0538 | PeopleSoft Enterprise PeopleTools | HTTP | Search | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 8.50, 8.51, 8.52 | |
| CVE-2012-0560 | PeopleSoft Enterprise PeopleTools | HTTP | Portal | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.50, 8.51, 8.52 | |
| CVE-2012-0514 | PeopleSoft Enterprise CRM | HTTP | SEC | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1 | |
| CVE-2012-0533 | PeopleSoft Enterprise FCSM | HTTP | Receivables | No | 4.0 | Network | Low | Single | Partial | None | None | 9.0, 9.1 | |
| CVE-2012-0521 | PeopleSoft Enterprise HCM | HTTP | Human Resources | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1 Bundle #9 | |
| CVE-2012-0562 | PeopleSoft Enterprise HRMS | HTTP | Candidate Gateway | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1 | |
| CVE-2012-0536 | PeopleSoft Enterprise HRMS | HTTP | eCompensation | No | 4.0 | Network | Low | Single | Partial | None | None | 8.9 through Bundle #26 | |
| CVE-2012-0559 | PeopleSoft Enterprise SCM | HTTP | Billing | No | 4.0 | Network | Low | Single | Partial | None | None | 9.0, 9.1 | |
| CVE-2012-0530 | PeopleSoft Enterprise SCM | HTTP | eProcurement | No | 4.0 | Network | Low | Single | None | Partial | None | 9.0, 9.1 | |
| CVE-2012-0561 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | No | 3.5 | Network | Medium | Single | None | Partial | None | 8.50, 8.51, 8.52 | |
| CVE-2012-0529 | PeopleSoft Enterprise PeopleTools | HTTP | core | No | 3.5 | Network | Medium | Single | None | Partial | None | 8.51 | |
| CVE-2012-0531 | PeopleSoft Enterprise Portal | HTTP | Enterprise Portal | No | 3.5 | Network | Medium | Single | None | Partial | None | 9.1 | |
| CVE-2012-0524 | PeopleSoft Enterprise PeopleTools | HTTP | File Processing | No | 3.2 | Local | Low | Single | Partial | Partial | None | 8.50, 8.51, 8.52 | |
Appendix - Oracle Industry Applications
Oracle Industry Applications Executive Summary
This Critical Patch Update contains 2 new security fixes for Oracle Industry Applications. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Industry Applications Risk Matrix
The Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity and Availability columns give the CVSS version 2.0 risk (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-0582 | Siebel Clinical | HTTP | Web UI | No | 4.0 | Network | Low | Single | None | Partial | None | 7.7, 7.8, 8.0.0.x, 8.1.1.x, 8.2.2.x | |
| CVE-2012-1674 | Siebel Clinical | HTTP | Web UI | No | 4.0 | Network | Low | Single | None | Partial | None | 7.7, 7.8, 8.0.0.x, 8.1.1.x, 8.2.2.x | |
Appendix - Oracle Financial Services Software
Oracle Financial Services Software Executive Summary
This Critical Patch Update contains 17 new security fixes for Oracle Financial Services Software. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Contact Oracle Customer Support for Oracle FLEXCUBE Universal Banking and Oracle FLEXCUBE Direct Banking fixes.
Oracle Financial Services Software Risk Matrix
The Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity and Availability columns give the CVSS version 2.0 risk (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-0575 | Oracle FLEXCUBE Universal Banking | HTTP | Core | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 10.0.0 - 10.5.0, 11.0.0 - 11.2.0 | |
| CVE-2012-0567 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 5.5 | Network | Low | Single | Partial | Partial | None | 10.0.0 - 10.5.0, 11.0.0 - 11.2.0 | |
| CVE-2012-0573 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 4.9 | Network | Medium | Single | Partial | Partial | None | 10.0.0 - 10.5.0, 11.0.0 - 11.4.0 | |
| CVE-2012-1706 | Oracle FLEXCUBE Direct Banking | File | Logging | No | 4.7 | Network | Low | Multiple | Partial | Partial | None | 5.0.2, 5.3.0 - 5.3.4, 6.0.1, 6.2.0 | |
| CVE-2012-1707 | Oracle FLEXCUBE Direct Banking | HTTP | Core-Base | No | 4.0 | Network | Low | Single | Partial | None | None | 5.0.2, 5.3.0 - 5.3.4, 6.0.1, 6.2.0 | |
| CVE-2012-0576 | Oracle FLEXCUBE Direct Banking | HTTP | Core-Help | No | 4.0 | Network | Low | Single | None | Partial | None | 6.0.1, 6.2.0 | |
| CVE-2012-0571 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 4.0 | Network | Low | Single | None | Partial | None | 10.0.0 - 10.5.0, 11.0.0 - 11.4.0 | |
| CVE-2012-0545 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 3.6 | Network | High | Single | Partial | Partial | None | 10.0.0 - 10.5.0, 11.0.0 - 11.2.0 | |
| CVE-2012-0546 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 3.6 | Network | High | Single | Partial | Partial | None | 10.0.0 - 10.5.0, 11.0.0 - 11.2.0 | |
| CVE-2012-1704 | Oracle FLEXCUBE Direct Banking | HTTP | Core-Base | No | 3.5 | Network | Medium | Single | Partial | None | None | 5.0.2, 5.3.0 - 5.3.4, 6.0.1, 6.2.0 | |
| CVE-2012-0509 | Oracle FLEXCUBE Direct Banking | HTTP | Core-Base | No | 3.5 | Network | Medium | Single | None | Partial | None | 5.0.2, 5.3.0 - 5.3.4 | |
| CVE-2012-1679 | Oracle FLEXCUBE Direct Banking | HTTP | Core-Base | No | 3.5 | Network | Medium | Single | None | Partial | None | 5.0.2, 5.3.0 - 5.3.4, 6.0.1, 6.2.0 | |
| CVE-2012-0541 | Oracle FLEXCUBE Direct Banking | HTTP | Core-My Services | No | 3.5 | Network | Medium | Single | Partial | None | None | 5.0.2, 5.3.0 - 5.3.4, 6.0.1, 6.2.0 | |
| CVE-2012-1676 | Oracle FLEXCUBE Direct Banking | HTTP | Virtual Banking | No | 3.5 | Network | Medium | Single | Partial | None | None | 5.0.2, 5.3.0 - 5.3.4, 6.0.1, 6.2.0 | |
| CVE-2012-0544 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 3.5 | Network | Medium | Single | None | Partial | None | 10.0.0 - 10.5.0, 11.0.0 - 11.4.0 | |
| CVE-2012-0577 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 3.5 | Network | Medium | Single | None | None | Partial | 10.0.0 - 10.5.0, 11.0.0 - 11.4.0 | |
| CVE-2012-0579 | Oracle FLEXCUBE Universal Banking | HTTP | Core | No | 3.5 | Network | Medium | Single | Partial | None | None | 10.0.0 - 10.5.0, 11.0.0 - 11.4.0 | |
Appendix - Oracle Primavera Products Suite

Oracle Primavera Products Suite Executive Summary
This Critical Patch Update contains 1 new security fix for the Oracle Primavera Products Suite. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Primavera Products Suite Risk Matrix
(Base Score through Availability are the CVSS version 2.0 risk metrics; see Risk Matrix Definitions.)

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-0558 | Primavera P6 Enterprise Project Portfolio Management | HTTP | Web application | Yes | 4.3 | Network | Medium | None | None | Partial | None | 6.2.1, 8.0, 8.1, 8.2 | |
Appendix - Oracle Sun Products Suite

Oracle Sun Products Suite Executive Summary
This Critical Patch Update contains 15 new security fixes for the Oracle Sun Products Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Sun Products Suite Risk Matrix
(Base Score through Availability are the CVSS version 2.0 risk metrics; see Risk Matrix Definitions.)

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-0208 | Oracle Grid Engine | RSH | qrsh | No | 9.0 | Network | Low | Single | Complete | Complete | Complete | 6.1, 6.2 | |
| CVE-2012-0523 | Oracle Grid Engine | None | sgepasswd | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 6.1, 6.2 | |
| CVE-2012-0550 | GlassFish Enterprise Server | HTTP | Web Container | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | GlassFish Enterprise Server 3.1.1 | |
| CVE-2012-0516 | Oracle iPlanet Web Server | HTTP | Administration Console | Yes | 6.8 | Network | Medium | None | Partial+ | Partial+ | Partial+ | 7.0 | |
| CVE-2012-1691 | Solaris | None | Kernel/Privileges | No | 6.6 | Local | Medium | Single | Complete | Complete | Complete | 11 | |
| CVE-2012-1694 | Solaris | TCP/IP | libsasl(3LIB) | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 10 | |
| CVE-2012-0539 | Solaris | None | bsmconv(1M), bsmunconv(1M) | No | 6.2 | Local | High | None | Complete | Complete | Complete | 8, 9, 10 | |
| CVE-2012-1683 | Solaris | None | gssd(1M) | No | 5.9 | Local | High | Multiple | Complete | Complete | Complete | 8, 9, 10, 11 | |
| CVE-2012-0551 | GlassFish Enterprise Server | HTTP | Web Container | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | GlassFish Enterprise Server 3.1.1 | |
| CVE-2012-1681 | Solaris | None | Kernel/sockfs | No | 4.9 | Local | Low | None | None | None | Complete | 8, 9, 10, 11 | |
| CVE-2012-1692 | Solaris | None | SCTP(7P) | No | 4.9 | Local | Low | None | None | None | Complete | 10 | |
| CVE-2012-1684 | Solaris | None | Password Policy | No | 4.3 | Local | Low | Single | Partial | Partial | Partial | 8, 9, 10, 11 | |
| CVE-2012-1693 | SPARC Enterprise M Series Servers | SSH | XSCF Control Package (XCP) | Yes | 2.6 | Network | High | None | None | None | Partial+ | XCP 1110 | |
| CVE-2012-0548 | SPARC Enterprise M Series Servers | None | XSCF Control Package (XCP) | No | 2.1 | Local | Low | None | Partial | None | None | XCP 1110 and earlier | |
| CVE-2012-1698 | Solaris | TCP/IP | Kernel/GLD(7D) | No | 2.1 | Network | High | Single | Partial | None | None | 11 | |
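Every risk matrix on this page lists six CVSS 2.0 base metrics next to a base score and a "Remote Exploit without Auth.?" flag, and the relationship between them is worth making explicit: the score is a fixed function of the six metrics, and the flag is simply "Access Vector = Network and Authentication = None". The following is an added example (not Oracle's code) that recomputes both from the metric columns using the CVSS v2.0 formula, so a reader can verify a row or score a vector the advisory does not cover; the rows embedded in it are transcribed from the matrices above as constructed sample input, and the treatment of "Partial+" as Partial follows Oracle's Risk Matrix Definitions.

```python
"""CVSS v2.0 base-score check for Oracle risk-matrix rows (added example, not Oracle's code)."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 specification.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def cvss2_base_score(av, ac, au, conf, integ, avail):
    """CVSS 2.0 base score, rounded half-up to one decimal as the specification requires."""
    # Oracle writes "Partial+" when a wide range of resources is affected;
    # the CVSS weight is still that of Partial.
    c, i, a = (IMPACT[x.rstrip("+")] for x in (conf, integ, avail))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def remote_without_auth(av, au):
    """Oracle's 'Remote Exploit without Auth.?' column: reachable over the network with no credentials."""
    return av == "Network" and au == "None"


def check_rows(rows):
    """Return (cve, listed, computed) for every row whose listed score or flag disagrees with its metrics."""
    mismatches = []
    for r in rows:
        score = cvss2_base_score(r["av"], r["ac"], r["au"], r["c"], r["i"], r["a"])
        remote = "Yes" if remote_without_auth(r["av"], r["au"]) else "No"
        if score != r["score"] or remote != r["remote"]:
            mismatches.append((r["cve"], (r["score"], r["remote"]), (score, remote)))
    return mismatches


# Constructed sample input: rows transcribed from the matrices on this page.
ROWS = [
    dict(cve="CVE-2012-0208", av="Network", ac="Low", au="Single", c="Complete", i="Complete", a="Complete", score=9.0, remote="No"),
    dict(cve="CVE-2012-0523", av="Local", ac="Low", au="None", c="Complete", i="Complete", a="Complete", score=7.2, remote="No"),
    dict(cve="CVE-2012-0516", av="Network", ac="Medium", au="None", c="Partial+", i="Partial+", a="Partial+", score=6.8, remote="Yes"),
    dict(cve="CVE-2012-1683", av="Local", ac="High", au="Multiple", c="Complete", i="Complete", a="Complete", score=5.9, remote="No"),
    dict(cve="CVE-2012-1706", av="Network", ac="Low", au="Multiple", c="Partial", i="Partial", a="None", score=4.7, remote="No"),
    dict(cve="CVE-2012-1693", av="Network", ac="High", au="None", c="None", i="None", a="Partial+", score=2.6, remote="Yes"),
    dict(cve="CVE-2012-1698", av="Network", ac="High", au="Single", c="Partial", i="None", a="None", score=2.1, remote="No"),
    dict(cve="CVE-2012-1703", av="Network", ac="Low", au="Single", c="None", i="None", a="Complete", score=6.8, remote="No"),
    dict(cve="CVE-2012-1690", av="Network", ac="Low", au="Single", c="None", i="None", a="Partial+", score=4.0, remote="No"),
]

if __name__ == "__main__":
    for row in ROWS:
        print(row["cve"], cvss2_base_score(row["av"], row["ac"], row["au"], row["c"], row["i"], row["a"]))
    print("mismatches:", check_rows(ROWS))
```

Note that CVE-2012-1698 is reachable over TCP/IP (Access Vector Network) yet is flagged "No" for remote exploit without authentication because it needs a single credential; the flag is about authentication, not reachability, which is why both columns are worth reading together.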
Appendix - Oracle MySQL

Oracle MySQL Executive Summary
This Critical Patch Update contains 6 new security fixes for Oracle MySQL. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle MySQL Risk Matrix
(Base Score through Availability are the CVSS version 2.0 risk metrics; see Risk Matrix Definitions.)

| CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS 2.0 Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-1703 | MySQL Server | MySQL Protocol | Server Optimizer | No | 6.8 | Network | Low | Single | None | None | Complete | 5.1.61 and earlier, 5.5.21 and earlier | |
| CVE-2012-0583 | MySQL Server | MySQL Protocol | MyISAM | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.60 and earlier, 5.5.19 and earlier | |
| CVE-2012-1697 | MySQL Server | MySQL Protocol | Partition | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.21 and earlier | |
| CVE-2012-1688 | MySQL Server | MySQL Protocol | Server DML | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.61 and earlier, 5.5.21 and earlier | |
| CVE-2012-1696 | MySQL Server | MySQL Protocol | Server Optimizer | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.19 and earlier | |
| CVE-2012-1690 | MySQL Server | MySQL Protocol | Server Optimizer | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.61 and earlier, 5.5.21 and earlier | |
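The "Supported Versions Affected" column for MySQL is written per release branch ("5.1.61 and earlier, 5.5.21 and earlier"), and the caps differ from row to row, so a server that is clear of one CVE can still be inside the range of another. The following is an added example (not Oracle's or MySQL's code) that parses that column and decides, for a version string of the form `SELECT VERSION()` returns, which of the six rows above apply; the matrix embedded in it is transcribed from the table above as constructed sample input. A branch that the advisory does not list at all (5.0, for instance) is reported separately rather than as safe, because the advisory only assesses releases under Premier or Extended Support.

```python
"""Match a MySQL server version against the 'Supported Versions Affected' column (added example)."""
import re

# Constructed sample input: the MySQL rows of this advisory's risk matrix.
MYSQL_MATRIX = {
    "CVE-2012-1703": "5.1.61 and earlier, 5.5.21 and earlier",
    "CVE-2012-0583": "5.1.60 and earlier, 5.5.19 and earlier",
    "CVE-2012-1697": "5.5.21 and earlier",
    "CVE-2012-1688": "5.1.61 and earlier, 5.5.21 and earlier",
    "CVE-2012-1696": "5.5.19 and earlier",
    "CVE-2012-1690": "5.1.61 and earlier, 5.5.21 and earlier",
}


def parse_version(text):
    """'5.5.21-log' (as SELECT VERSION() returns) -> (5, 5, 21); build suffixes are dropped."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a MySQL version string: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def parse_affected(spec):
    """'5.1.61 and earlier, 5.5.21 and earlier' -> {(5, 1): (5, 1, 61), (5, 5): (5, 5, 21)}"""
    caps = {}
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(\d+\.\d+\.\d+) and earlier\s*", clause)
        if not m:
            raise ValueError(f"unrecognised clause: {clause!r}")
        cap = parse_version(m.group(1))
        caps[cap[:2]] = cap  # the branch is the major.minor prefix
    return caps


def assess(version, spec):
    """'affected', 'not affected' (same branch, newer than the cap) or 'branch not listed'."""
    v = parse_version(version)
    caps = parse_affected(spec)
    if v[:2] not in caps:
        return "branch not listed"
    return "affected" if v <= caps[v[:2]] else "not affected"


def affected_cves(version, matrix=MYSQL_MATRIX):
    """CVE ids from the matrix whose affected range contains this server version."""
    return [cve for cve, spec in matrix.items() if assess(version, spec) == "affected"]


if __name__ == "__main__":
    for ver in ("5.1.61-log", "5.5.20", "5.5.22", "5.0.96"):
        print(ver, affected_cves(ver))
```

In practice the version string comes from `mysql -e "SELECT VERSION()"` against each server; the comparison is tuple-wise, so 5.1.62 is correctly not covered by "5.1.61 and earlier" even though it is numerically below 5.5.21.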