CVE-2013-5891: Oracle Critical Patch Update - January 2014
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.
Oracle Critical Patch Update Advisory - January 2014

Description
A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:
Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 144 new security fixes across the product families listed below.
This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available at: http://www.oracle.com/security-alerts/cpufaq.html#CVRF.
Affected Products and Components
Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.
The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:
| Affected Products and Versions | Patch Availability |
| --- | --- |
| Oracle Database 11g Release 1, version 11.1.0.7 | Database |
| Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4 | Database |
| Oracle Database 12c Release 1, version 12.1.0.1 | Database |
| Oracle Fusion Middleware 11g Release 1, versions 11.1.1.6, 11.1.1.7 | Fusion Middleware |
| Oracle Fusion Middleware 11g Release 2, versions 11.1.2.0, 11.1.2.1 | Fusion Middleware |
| Oracle Fusion Middleware 12c Release 2, version 12.1.2 | Fusion Middleware |
| Oracle Enterprise Data Quality, versions 8.1, 9.0.8 | Fusion Middleware |
| Oracle Forms and Reports 11g Release 2, version 11.1.2.1 | Fusion Middleware |
| Oracle GlassFish Server, version 2.1.1; Sun Java Application Server, versions 8.1, 8.2 | Fusion Middleware |
| Oracle HTTP Server 11g, versions 11.1.1.6, 11.1.1.7 | Fusion Middleware |
| Oracle HTTP Server 12c, version 12.1.2 | Fusion Middleware |
| Oracle Identity Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.0, 11.1.2.1 | Fusion Middleware |
| Oracle Internet Directory, versions 11.1.1.6, 11.1.1.7 | Fusion Middleware |
| Oracle iPlanet Web Proxy Server, version 4.0 | Fusion Middleware |
| Oracle iPlanet Web Server, versions 6.1, 7.0 | Fusion Middleware |
| Oracle Outside In Technology, versions 8.4.0, 8.4.1 | Fusion Middleware |
| Oracle Portal, version 11.1.1.6 | Fusion Middleware |
| Oracle Reports Developer, versions 11.1.1.6, 11.1.1.7, 11.1.2.1 | Fusion Middleware |
| Oracle Traffic Director, versions 11.1.1.6, 11.1.1.7 | Fusion Middleware |
| Oracle WebCenter Portal, versions 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0 | Fusion Middleware |
| Oracle WebCenter Sites, versions 11.1.1.6.1, 11.1.1.8.0 | Fusion Middleware |
| Oracle Hyperion Essbase Administration Services, versions 11.1.2.1, 11.1.2.2, 11.1.2.3 | Fusion Middleware |
| Oracle Hyperion Strategic Finance, versions 11.1.2.1, 11.1.2.2 | Fusion Middleware |
| Oracle E-Business Suite Release 11i, version 11.5.10.2 | E-Business Suite |
| Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2 | E-Business Suite |
| Oracle Agile Product Lifecycle Management for Process, versions 6.0, 6.1, 6.1.1 | Oracle Supply Chain |
| Oracle AutoVue, version 20.1.1 | Oracle Supply Chain |
| Oracle Demantra Demand Management, versions 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3 | Oracle Supply Chain |
| Oracle Transportation Management, versions 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2 | Oracle Supply Chain |
| Oracle PeopleSoft Enterprise HRMS, versions 9.1.0, 9.2.0 | PeopleSoft |
| Oracle PeopleSoft Enterprise HRMS Human Resources, versions 9.1, 9.2 | PeopleSoft |
| Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53 | PeopleSoft |
| Oracle PeopleSoft Enterprise SCM Services Procurement, version 9.2 | PeopleSoft |
| Oracle Siebel Core, versions 8.1.1, 8.2.2 | Siebel |
| Oracle Siebel Life Sciences, versions 8.1.1, 8.2.2 | Siebel |
| Oracle iLearning, version 6.0 | iLearning |
| Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1, 12.0.2 | Oracle FLEXCUBE |
| Oracle JavaFX, versions 2.2.45 and earlier | Oracle Java SE |
| Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier | Oracle Java SE |
| Oracle Java SE Embedded, versions 7u45 and earlier | Oracle Java SE |
| Oracle JRockit, versions R27.7.7 and earlier, R28.2.9 and earlier | Oracle Java SE |
| Oracle Solaris, versions 8, 9, 10, 11.1 | Oracle and Sun Systems Products Suite |
| Oracle Secure Global Desktop, versions 4.63.x, 4.71.x, 5.0.x, 5.10 | Oracle Linux and Virtualization |
| Oracle VM VirtualBox, versions prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.6 | Oracle Linux and Virtualization |
| Oracle MySQL Enterprise Monitor, versions 2.3, 3.0 | Oracle MySQL Product Suite |
| Oracle MySQL Server, versions 5.1, 5.5, 5.6 | Oracle MySQL Product Suite |
Patch Availability Table and Risk Matrices

Products with Cumulative Patches
The Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Industry Applications, Primavera and Oracle VM patches in the Critical Patch Updates are cumulative. In other words, patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates. For more information about cumulative and non-cumulative patches, check the patch availability documents in the table below for the respective product groups.
Patch Availability Table
For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update January 2014 Documentation Map, My Oracle Support Note 1592294.1.
| Product Group | Risk Matrix | Patch Availability and Installation Information |
| --- | --- | --- |
| Oracle Database | Oracle Database Risk Matrix | Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1594621.1 |
| Oracle Fusion Middleware | Oracle Fusion Middleware Risk Matrix | Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1594621.1 |
| Oracle Applications - E-Business Suite | Oracle E-Business Suite Risk Matrix | Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (January 2014), My Oracle Support Note 1605340.1 |
| Oracle Applications - Oracle Supply Chain, PeopleSoft Enterprise, Siebel and iLearning Products Suite | Oracle Supply Chain Risk Matrix; Oracle PeopleSoft Enterprise Risk Matrix; Oracle Siebel CRM Risk Matrix; Oracle iLearning Products Risk Matrix | Critical Patch Update Knowledge Document for Oracle Supply Chain, PeopleSoft Enterprise, Siebel and iLearning Products suite, My Oracle Support Note 1608821.1 |
| Oracle FLEXCUBE Products Suite | Oracle Financial Services Software Risk Matrix | Contact Oracle Customer Support for patches, https://support.oracle.com |
| Oracle Java | Oracle JDK and JRE Risk Matrix | Critical Patch Update January 2014 Patch Availability Document for Java, My Oracle Support Note 1607034.1. Users running Java SE with a browser can download the latest release from http://java.com; users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release. The latest JavaFX release is included with the latest update of JDK and JRE 7. |
| Oracle and Sun Systems Products Suite | Oracle and Sun Systems Products Suite Risk Matrix | Critical Patch Update January 2014 Patch Delivery Document for Oracle and Sun Systems Product Suite, My Oracle Support Note 1607615.1 |
| Oracle Linux and Virtualization Products | Oracle Linux and Virtualization Products Risk Matrix | Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1608471.1 |
| Oracle MySQL | Oracle MySQL Risk Matrix | Critical Patch Update January 2014 Patch Availability Document for Oracle MySQL Products, My Oracle Support Note 1609570.1 |
Risk Matrix Content
Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is available here.
Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. Italics indicate vulnerabilities in code included from other product areas.
Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.
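To make the scoring columns concrete, here is an added example (not part of the Oracle advisory) that recomputes the CVSS v2.0 base score from the six metric columns of a risk matrix row and checks it against the listed Base Score; the sample rows are transcribed from the Oracle Database Server risk matrix on this page. It assumes that "Partial+" (Oracle's annotation for a partial impact that reaches beyond the vulnerable component) carries the CVSS weight of Partial, which is what reproduces the listed scores, and it also derives the "Remote Exploit without Auth.?" column, which the matrices on this page mark "Yes" exactly when the access vector is Network and no authentication is required.

```python
"""CVSS v2.0 base-score check for Oracle CPU risk-matrix rows (added example)."""
import math

# Metric weights from the published CVSS v2.0 base equation.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def _impact_weight(label: str) -> float:
    # Assumption: Oracle's "Partial+" scores as Partial; the "+" only flags
    # that the impact can reach beyond the vulnerable component.
    return IMPACT[label.rstrip("+")]


def _round1(x: float) -> float:
    # CVSS v2 rounds to one decimal place, half up; avoid banker's rounding
    # and float representation surprises such as 9.995 -> 9.9.
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base_score(av, ac, au, conf, integ, avail) -> float:
    """Base score from the six risk-matrix metric columns."""
    impact = 10.41 * (1 - (1 - _impact_weight(conf))
                          * (1 - _impact_weight(integ))
                          * (1 - _impact_weight(avail)))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def remote_without_auth(av, au) -> bool:
    """'Remote Exploit without Auth.?' as the matrices on this page use it."""
    return av == "Network" and au == "None"


# Rows transcribed from the Oracle Database Server risk matrix on this page:
# (CVE, listed Base Score, Access Vector, Access Complexity, Authentication,
#  Confidentiality, Integrity, Availability)
DATABASE_ROWS = [
    ("CVE-2013-5853", 5.0, "Network", "Low", "None", "None", "None", "Partial"),
    ("CVE-2014-0378", 4.1, "Local", "Medium", "Single", "Partial", "Partial", "Partial"),
    ("CVE-2014-0377", 4.0, "Network", "Low", "Single", "Partial", "None", "None"),
    ("CVE-2013-5858", 4.0, "Network", "Low", "Single", "None", "Partial", "None"),
    ("CVE-2013-5764", 3.5, "Network", "Medium", "Single", "None", "None", "Partial+"),
]


def check_rows(rows):
    """Map CVE -> (listed, computed) for every row whose score does not reproduce."""
    mismatches = {}
    for cve, listed, *metrics in rows:
        computed = cvss2_base_score(*metrics)
        if computed != listed:
            mismatches[cve] = (listed, computed)
    return mismatches


if __name__ == "__main__":
    print(check_rows(DATABASE_ROWS) or "all listed Database scores reproduce")
```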
Workarounds
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
Skipped Critical Patch Updates
Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.
Product Dependencies
Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1594621.1.
Critical Patch Update Supported Products and Versions
Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
Products in Extended Support
Patches released through the Critical Patch Update program are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.
Credit Statement
The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Adam Willard of Foreground Security; Alexander Kornbrust of Red Database Security; Alexey Tyurin of ERPScan (Digital Security Research Group); Apple Inc.; Arseniy Akuney of TELUS Security Labs; Borked of the Google Security Team; Carlo Di Dato of iDefense; Christopher Meyer of Ruhr-University Bochum; Daniel EkBerg of Kentor AB Sweden; Esteban Martinez Fayo formerly of Application Security Inc.; Fernando Muñoz; Information Security Office for the University of Texas at Austin; John Leitch working with HP’s Zero Day Initiative; Joseph Sheridan of Reactionis; Juraj Somorovsky of Ruhr-University Bochum; Matthew Daley; Oliver Gruskovnjak of Portcullis Inc; Sam Thomas of Pentest Limited; Sebastian Schinzel of University of Applied Sciences Münster; Tanel Poder; Will Dormann of CERT/CC; and Yuki Chen of Trend Micro.
Security-In-Depth Contributors
Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.
In this Critical Patch Update Advisory, Oracle recognizes Moez Roy; Owais Mohammad Khan formerly of KPMG; Tor Erling Bjorstad; and Yash Kadakia of Security Brigade for contributions to Oracle’s Security-In-Depth program.
On-Line Presence Security Contributors
Oracle provides recognition to people that have contributed to our On-Line Presence Security program (see FAQ). People are recognized for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.
For this quarter, Oracle recognizes Abdullah Hussam Gazi; Adam Willard of Foreground Security; Ali Hasan Ghauri; Ali Hussein of Help AG Middle East; Anand Tiwari; Ben Khlifa Fahmi; Dibyendu Sikdar; Griffin Francis; James Pearson; Johnathan Simon; Koutrouss Naddara of Kotros Nadara; Mohammed Osman; Muhammad Talha Khan; Osanda Malith Jayathissa; Peter Jaric; Rafay Baloch; Rakesh Singh of Zero Day Guys; Sky_BlaCk; Sunil Dadhich; Suraj Radhakrishnan; and Vishnu Patel for contributions to Oracle’s On-Line Presence Security program.
Critical Patch Update Schedule
Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 15 April 2014
- 15 July 2014
- 14 October 2014
- 20 January 2015
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Critical Patch Update - January 2014 Documentation Map [ My Oracle Support Note 1592294.1 ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
- English text version of the risk matrices [ Oracle Technology Network ]
- CVRF XML version of the risk matrices [ Oracle Technology Network ]
- List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
- Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]
Modification History
2014-January-14
Rev 1. Initial Release
Appendix - Oracle Database Server

Oracle Database Server Executive Summary
This Critical Patch Update contains 5 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
Oracle Database Server Risk Matrix
The columns Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-5853 | Core RDBMS | Oracle Net | - | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.1.0.7, 11.2.0.3, 12.1.0.1 | |
| CVE-2014-0378 | Spatial | Oracle Net | Local Login, Create Session | No | 4.1 | Local | Medium | Single | Partial | Partial | Partial | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 | |
| CVE-2014-0377 | Core RDBMS | Oracle Net | Create Session, Create Role, Create User, Select privilege on SYS tables | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 | |
| CVE-2013-5858 | Core RDBMS | Oracle Net | Create Session, Create View | No | 4.0 | Network | Low | Single | None | Partial | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 | |
| CVE-2013-5764 | Core RDBMS | Oracle Net | Create Session, Alter Session | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 11.1.0.7, 11.2.0.3, 12.1.0.1 | |
Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary
This Critical Patch Update contains 22 new security fixes for Oracle Fusion Middleware. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware products include Oracle Database components that can be exploited by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle customers should apply the January 2014 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2014 Patch Availability Document for Oracle Products, My Oracle Support Note 1594621.1.
Oracle Fusion Middleware Risk Matrix
The columns Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-4316 | Oracle WebCenter Sites | HTTP | WebCenter Sites Community | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 11.1.1.6.1, 11.1.1.8.0 | See Note 1 |
| CVE-2013-5785 | Oracle Reports Developer | HTTP | Security and Authentication | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 11.1.1.6, 11.1.1.7, 11.1.2.1 | See Note 2 |
| CVE-2007-0009 | Oracle HTTP Server | HTTPS | OSSL Module | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | OHS: 11.1.1.6.0, 11.1.1.7.0; Oracle Forms and Reports: 11.1.2.1 | See Note 3 |
| CVE-2014-0400 | Oracle Internet Directory | HTTP | OID LDAP server | No | 6.3 | Network | Medium | Single | Complete | None | None | 11.1.1.6, 11.1.1.7 | |
| CVE-2013-1862 | Oracle HTTP Server | HTTP | Web Listener | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | OHS: 11.1.1.6.0, 11.1.1.7.0, 12.1.2.0; Oracle Forms and Reports: 11.1.2.1 | |
| CVE-2012-3544 | Oracle Enterprise Data Quality | HTTP | Internal Operations | Yes | 5.0 | Network | Low | None | None | None | Partial | 8.1, 9.0.8 | See Note 4 |
| CVE-2013-1654 | Oracle HTTP Server | HTTPS | OSSL Module | Yes | 5.0 | Network | Low | None | None | Partial | None | OHS: 11.1.1.6.0, 11.1.1.7.0; Oracle Forms and Reports: 11.1.2.1; Fusion Middleware: 10.1.3.5.0 | |
| CVE-2012-4605 | Oracle HTTP Server | HTTPS | OSSL Module | Yes | 5.0 | Network | Low | None | Partial | None | None | OHS: 11.1.1.6.0, 11.1.1.7.0; Oracle Forms and Reports: 11.1.2.1 | See Note 5 |
| CVE-2014-0391 | Oracle Identity Manager | HTTP | End User Self Service | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.1.1.5, 11.1.1.7, 11.1.2.0, 11.1.2.1 | |
| CVE-2013-5869 | Oracle WebCenter Portal | HTTP | Page Service | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0 | |
| CVE-2013-1620 | Oracle GlassFish Server | HTTPS | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | GlassFish Enterprise Server 2.1.1; Sun Java Application Server 8.1, 8.2 | |
| CVE-2012-3499 | Oracle HTTP Server | HTTP | Web Listener | Yes | 4.3 | Network | Medium | None | None | Partial | None | OHS: 11.1.1.6.0, 11.1.1.7.0; Oracle Forms and Reports: 11.1.2.1 | See Note 6 |
| CVE-2013-5900 | Oracle Identity Manager | HTTP | End User Self Service | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.1.1.5, 11.1.1.7, 11.1.2.0, 11.1.2.1 | |
| CVE-2013-5901 | Oracle Identity Manager | HTTP | Identity Console | Yes | 4.3 | Network | Medium | None | Partial+ | None | None | 11.1.2.0, 11.1.2.1 | |
| CVE-2014-0374 | Oracle Portal | HTTP | Page Parameters and Events | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.1.1.6 | |
| CVE-2013-1620 | Oracle Traffic Director | HTTPS | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.1.1.6, 11.1.1.7 | |
| CVE-2013-1620 | Oracle iPlanet Web Proxy Server | HTTPS | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | 4.0 | |
| CVE-2013-1620 | Oracle iPlanet Web Server | HTTPS | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | 6.1, 7.0 | |
| CVE-2014-0383 | Oracle Identity Manager | HTTP | Identity Console | No | 3.5 | Network | Medium | Single | Partial | None | None | 11.1.2.0, 11.1.2.1 | |
| CVE-2007-1858 | Oracle HTTP Server | HTTPS | OSSL Module | Yes | 2.6 | Network | High | None | Partial | None | None | OHS: 11.1.1.6.0, 11.1.1.7.0; Oracle Forms and Reports: 11.1.2.1 | |
| CVE-2013-5808 | Oracle iPlanet Web Proxy Server | HTTP | Administration | Yes | 2.6 | Network | High | None | Partial | None | None | 4.0 | |
| CVE-2013-5879 | Oracle Outside In Technology | HTTP | Outside In Maintenance | No | 1.5 | Local | Medium | Single | None | None | Partial | 8.4.0, 8.4.1 | See Note 7 |
Notes:
1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.3: CVE-2013-4316, CVE-2013-2251, CVE-2013-2248, CVE-2013-2135 and CVE-2013-2134. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316.
2. Please refer to My Oracle Support Note (Doc ID) 1608683.1 for instructions on how to address this issue.
3. This fix also addresses CVE-2007-0008.
4. Please refer to My Oracle Support Note (Doc ID) 1595538.1 for instructions on how to address this issue.
5. This fix also addresses CVE-2006-0998 and CVE-2006-0999.
6. This fix also addresses CVE-2012-4558.
7. Outside In Technology is a suite of software development kits (SDKs). It does not have any particular associated protocol. If the hosting software passes data received over the network to Outside In Technology code, the CVSS Base Score would increase to 6.8.
Appendix - Oracle Hyperion

Oracle Hyperion Executive Summary
This Critical Patch Update contains 2 new security fixes for Oracle Hyperion. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Hyperion Risk Matrix
The columns Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-3830 | Hyperion Strategic Finance | Microsoft RPC | Server | No | 7.1 | Network | High | Single | Complete | Complete | Complete | 11.1.2.1, 11.1.2.2 | |
| CVE-2014-0367 | Hyperion Essbase Administration Services | HTTP | Admin Console | No | 5.5 | Network | Low | Single | Partial | Partial | None | 11.1.2.1, 11.1.2.2, 11.1.2.3 | |
Appendix - Oracle Applications

Oracle E-Business Suite Executive Summary
This Critical Patch Update contains 4 new security fixes for the Oracle E-Business Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that can be exploited by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle customers should apply the January 2014 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (January 2014), My Oracle Support Note 1605340.1.
Oracle E-Business Suite Risk Matrix
The columns Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-5890 | Oracle Payroll | HTTP | Exception Reporting | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2 | |
| CVE-2014-0398 | Oracle Application Object Library | HTTP | Discoverer | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.5.10.2, 12.0.6, 12.1.3, 12.2.2 | |
| CVE-2014-0366 | Oracle Applications Framework | HTTP | Attachments | No | 4.0 | Network | Low | Single | Partial | None | None | 11.5.10.2, 12.0.6, 12.1.3, 12.2.2 | |
| CVE-2013-5874 | Oracle Application Object Library | None | Logging | No | 1.7 | Local | Low | Single | Partial | None | None | 11.5.10.2, 12.0.6, 12.1.3, 12.2.2 | |
Oracle Supply Chain Products Suite Executive Summary
This Critical Patch Update contains 16 new security fixes for the Oracle Supply Chain Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Supply Chain Products Suite Risk Matrix
The columns Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-5897 | Oracle Agile Product Lifecycle Management for Process | HTTP | Manage Data Cache | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 6.0, 6.1, 6.1.1 | |
| CVE-2014-0372 | Oracle Demantra Demand Management | HTTP | DM Others | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1, 12.2.2 | |
| CVE-2013-5877 | Oracle Demantra Demand Management | HTTP | DM Others | Yes | 5.0 | Network | Low | None | Partial | None | None | 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1 | |
| CVE-2013-5880 | Oracle Demantra Demand Management | HTTP | DM Others | Yes | 5.0 | Network | Low | None | Partial | None | None | 12.2.0, 12.2.1, 12.2.2 | |
| CVE-2013-5795 | Oracle Demantra Demand Management | HTTP | DM Others | Yes | 5.0 | Network | Low | None | Partial+ | None | None | 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3 | |
| CVE-2012-3544 | Oracle Transportation Management | HTTP | Application Server | Yes | 5.0 | Network | Low | None | None | None | Partial | 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2 | |
| CVE-2014-0434 | Oracle Agile Product Lifecycle Management for Process | HTTP | Installation | Yes | 4.3 | Network | Medium | None | None | Partial | None | 6.0, 6.1, 6.1.1 | |
| CVE-2014-0379 | Oracle Demantra Demand Management | HTTP | DM Others | Yes | 4.3 | Network | Medium | None | None | Partial | None | 7.2.0.3 SQL-Server, 7.3.0.x, 7.3.1.x, 12.2.0, 12.2.1, 12.2.2 | |
| CVE-2013-2067 | Oracle Transportation Management | HTTP | Application Server | No | 4.0 | Network | Low | Single | Partial+ | None | None | 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2 | |
| CVE-2013-2071 | Oracle Transportation Management | HTTP | Application Server | No | 4.0 | Network | Low | Single | Partial | None | None | 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2 | |
| CVE-2014-0399 | Oracle Transportation Management | HTTP | Data, Domain & Function Security | No | 4.0 | Network | Low | Single | Partial | None | None | 6.2, 6.3, 6.3.1, 6.3.2 | |
| CVE-2014-0435 | Oracle Transportation Management | HTTP | Data, Domain & Function Security | No | 4.0 | Network | Low | Single | None | None | Partial | 6.1, 6.2, 6.3, 6.3.1, 6.3.2 | |
| CVE-2013-5871 | Oracle AutoVue | HTTP | Web General | No | 3.5 | Network | Medium | Single | Partial | None | None | 20.1.1 | |
| CVE-2013-5868 | Oracle AutoVue | HTTP | Web General | No | 3.5 | Network | Medium | Single | Partial+ | None | None | 20.1.1 | |
| CVE-2014-0444 | Oracle AutoVue | HTTP | Web General | No | 3.5 | Network | Medium | Single | Partial | None | None | 20.1.1 | |
| CVE-2014-0371 | Oracle Demantra Demand Management | HTTP | DM Others | No | 3.5 | Network | Medium | Single | None | Partial | None | 7.2.0.3 SQL-Server, 7.3.0.x, 7.3.1.x, 12.2.0, 12.2.1, 12.2.2 | |
Oracle PeopleSoft Products Executive Summary
This Critical Patch Update contains 17 new security fixes for Oracle PeopleSoft Products. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle PeopleSoft Products Risk Matrix
The columns Base Score through Availability are the CVSS version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-5873 | PeopleSoft Enterprise PeopleTools | HTTP | Integration Broker | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.52, 8.53 | |
| CVE-2014-0441 | PeopleSoft Enterprise PeopleTools | HTTP | Integration Broker | Yes | 5.0 | Network | Low | None | None | None | Partial | 8.52, 8.53 | |
| CVE-2014-0396 | PeopleSoft Enterprise PeopleTools | HTTP | Portal - Web Services | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.52, 8.53 | |
| CVE-2014-0443 | PeopleSoft Enterprise PeopleTools | HTTP | Security | Yes | 5.0 | Network | Low | None | None | Partial | None | 8.52 | |
| CVE-2014-0394 | PeopleSoft Enterprise PeopleTools | HTTP | Updates Environment Mgmt | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.52, 8.53 | |
| CVE-2014-0395 | PeopleSoft Enterprise PeopleTools | HTTP | Updates Environment Mgmt | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.52, 8.53 | |
| CVE-2013-5909 | PeopleSoft Enterprise HRMS | HTTP | Org and Workforce Dev | No | 4.9 | Network | Medium | Single | Partial | Partial | None | 9.1, 9.2 | |
| CVE-2013-5886 | PeopleSoft Enterprise HRMS | HTTP | Common Application Objects | Yes | 4.3 | Network | Medium | None | None | Partial | None | 9.1, 9.2 | |
| CVE-2014-0380 | PeopleSoft Enterprise PeopleTools | HTTP | MultiChannel Framework (MCF) | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.52, 8.53 | |
| CVE-2014-0445 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.52, 8.53 | |
| CVE-2014-0392 | PeopleSoft Enterprise HRMS | HTTP | Security | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1, 9.2 | |
| CVE-2014-0388 | PeopleSoft Enterprise HRMS Human Resources | HTTP | Org and Workforce Dev | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1, 9.2 | |
| CVE-2014-0440 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | No | 4.0 | Network | Low | Single | None | None | Partial | 8.52, 8.53 | |
| CVE-2014-0439 | PeopleSoft Enterprise PeopleTools | HTTP | Report Distribution | No | 4.0 | Network | Low | Single | None | Partial | None | 8.52, 8.53 | |
| CVE-2014-0438 | PeopleSoft Enterprise PeopleTools | None | Panel Processor | No | 4.0 | Network | Low | Single | Partial | None | None | 8.52, 8.53 | |
| CVE-2014-0425 | PeopleSoft Enterprise SCM Services Procurement | HTTP | Security | No | 4.0 | Network | Low | Single | Partial | None | None | 9.2 | |
| CVE-2014-0381 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | Yes | 2.6 | Network | High | None | None | Partial | None | 8.52, 8.53 | |
Oracle Siebel CRM Executive Summary
This Critical Patch Update contains 2 new security fixes for Oracle Siebel CRM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Siebel CRM Risk Matrix
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-0369 | Siebel Core - EAI | HTTP | Java Integration | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.1.1, 8.2.2 | |
| CVE-2014-0370 | Siebel Life Sciences | HTTP | Clinical Trip Report | No | 2.8 | Network | Medium | Multiple | None | None | Partial | 8.1.1, 8.2.2 | |
Oracle iLearning Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle iLearning Risk Matrix
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-0389 | Oracle iLearning | HTTP | Learner Pages | Yes | 4.3 | Network | Medium | None | None | Partial | None | 6.0 | |
Appendix - Oracle Financial Services Software
Oracle Financial Services Software Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle Financial Services Software. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Financial Services Software Risk Matrix
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-4316 | Oracle FLEXCUBE Private Banking | HTTP | Core | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1, 12.0.2 | See Note 1 |

Notes:
1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.3: CVE-2013-4316 and CVE-2013-4310. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316.
Appendix - Oracle Java SE
Oracle Java SE Executive Summary
This Critical Patch Update contains 36 new security fixes for Oracle Java SE. 34 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.
Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 release.
My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products that include an Oracle Java SE JDK or JRE.
Oracle Java SE Risk Matrix
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-0410 | Java SE | Multiple | Deployment | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2014-0415 | Java SE | Multiple | Deployment | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2013-5907 | Java SE, JRockit, Java SE Embedded | Multiple | 2D | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JRockit R27.7.7, JRockit R28.2.9, Java SE Embedded 7u45 | See Note 2 |
| CVE-2014-0428 | Java SE, Java SE Embedded | Multiple | CORBA | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2014-0422 | Java SE, Java SE Embedded | Multiple | JNDI | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2014-0385 | Java SE | HTTP | Install | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u45 on OS X | See Note 3 |
| CVE-2013-5889 | Java SE | Multiple | Deployment | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2014-0408 | Java SE | Multiple | Hotspot | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u45 on OS X | See Note 1 |
| CVE-2013-5893 | Java SE, Java SE Embedded | Multiple | Libraries | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2014-0417 | Java SE, JavaFX, Java SE Embedded | Multiple | 2D | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JavaFX 2.2.45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2014-0387 | Java SE | Multiple | Deployment | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | Java SE 6u65, Java SE 7u45 on Firefox | See Note 1 |
| CVE-2014-0424 | Java SE | Multiple | Deployment | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2014-0373 | Java SE | Multiple | Serviceability | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | Java SE 5.0u55, Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2013-5878 | Java SE, Java SE Embedded | Multiple | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2013-5904 | Java SE | Multiple | Deployment | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | Java SE 7u45 | See Note 1 |
| CVE-2013-5870 | Java SE, JavaFX | Multiple | JavaFX | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | Java SE 7u45, JavaFX 2.2.45 | See Note 1 |
| CVE-2014-0403 | Java SE | Multiple | Deployment | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2014-0375 | Java SE | Multiple | Deployment | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2014-0423 | Java SE, JRockit, Java SE Embedded | Multiple | Beans | No | 5.5 | Network | Low | Single | Partial | None | Partial | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JRockit R27.7.7, JRockit R28.2.9, Java SE Embedded 7u45 | See Note 2 |
| CVE-2013-5905 | Java SE | HTTP | Install | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | Java SE 5.0u55, Java SE 6u65, Java SE 7u45 | See Note 3 |
| CVE-2013-5906 | Java SE | HTTP | Install | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | Java SE 5.0u55, Java SE 6u65, Java SE 7u45 | See Note 3 |
| CVE-2013-5902 | Java SE | Multiple | Deployment | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2014-0418 | Java SE | Multiple | Deployment | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2013-5887 | Java SE | HTTP | Deployment | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2013-5899 | Java SE | Multiple | Deployment | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2013-5896 | Java SE, Java SE Embedded | Multiple | CORBA | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2013-5884 | Java SE, Java SE Embedded | Multiple | CORBA | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2014-0416 | Java SE, Java SE Embedded | Multiple | JAAS | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2014-0376 | Java SE, Java SE Embedded | Multiple | JAXP | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2014-0368 | Java SE, Java SE Embedded | Multiple | Networking | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2013-5910 | Java SE, Java SE Embedded | Multiple | Security | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2013-5895 | Java SE, JavaFX | Multiple | JavaFX | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 7u45, JavaFX 2.2.45 | See Note 1 |
| CVE-2013-5888 | Java SE | Multiple | Deployment | No | 4.6 | Local | Low | None | Partial | Partial | Partial | Java SE 6u65, Java SE 7u45 | See Note 4 |
| CVE-2014-0382 | Java SE, JavaFX | Multiple | JavaFX | Yes | 4.3 | Network | Medium | None | None | None | Partial | Java SE 7u45, JavaFX 2.2.45 | See Note 1 |
| CVE-2013-5898 | Java SE | HTTP | Deployment | Yes | 4.0 | Network | High | None | Partial | Partial | None | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2014-0411 | Java SE, JRockit, Java SE Embedded | SSL/TLS | JSSE | Yes | 4.0 | Network | High | None | Partial | Partial | None | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JRockit R27.7.7, JRockit R28.2.9, Java SE Embedded 7u45 | See Note 5 |

Notes:
1. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
2. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
3. Applies to installation process on client deployment of Java.
4. Applies to client deployment of Java under GNOME environment on Linux and Solaris.
5. Applies to client and server deployment of JSSE.
Appendix - Oracle and Sun Systems Products Suite
Oracle and Sun Systems Products Suite Executive Summary
This Critical Patch Update contains 11 new security fixes for the Oracle and Sun Systems Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle and Sun Systems Products Suite Risk Matrix
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2003-1067 | Solaris | None | Localization (L10N) | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 8, 9 | See Note 1 |
| CVE-2013-5834 | Solaris | None | "ps" command line utility | No | 6.2 | Local | High | None | Complete | Complete | Complete | 8 | |
| CVE-2013-5833 | Solaris | None | Filesystem | No | 4.9 | Local | Low | None | None | None | Complete | 8, 9 | |
| CVE-2013-5876 | Solaris | None | Kernel | No | 4.9 | Local | Low | None | None | None | Complete | 10, 11.1 | |
| CVE-2013-5821 | Solaris | None | Remote Procedure Call (RPC) | No | 4.6 | Local | Low | None | Partial | Partial | Partial | 8, 9, 10, 11.1 | |
| CVE-2014-0390 | Solaris | HTTP | Java Web Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10 | |
| CVE-2013-5883 | Solaris | None | Kernel | No | 3.2 | Local | Low | Single | None | Partial | Partial | 8 | See Note 1 |
| CVE-2013-5875 | Solaris | None | Role Based Access Control (RBAC) | No | 2.7 | Local | Medium | Multiple | None | Partial | Partial | 11.1 | |
| CVE-2013-5872 | Solaris | None | Name Service Cache Daemon (NSCD) | No | 2.1 | Local | Low | None | None | None | Partial+ | 10, 11.1 | |
| CVE-2013-2924 | Solaris | None | Localization (L10N) | No | 1.9 | Local | Medium | None | None | None | Partial | 11.1 | |
| CVE-2013-5885 | Solaris | None | Audit | No | 1.7 | Local | Low | Single | None | Partial | None | 11.1 | |

Notes:
1. Applies only when Solaris is running on SPARC platform.
Appendix - Oracle Linux and Virtualization
Oracle Virtualization Executive Summary
This Critical Patch Update contains 9 new security fixes for Oracle Virtualization. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Virtualization Risk Matrix
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-2067 | Oracle Secure Global Desktop (SGD) | HTTP | Apache Tomcat | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | SGD prior to SGD 4.63 with December 2013 PSU, 4.71 | |
| CVE-2014-0419 | Oracle Secure Global Desktop (SGD) | HTTP | Administration Console and Workspace Web Applications | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | SGD prior to 4.63 with December 2013 PSU, 4.71, 5.0 with December 2013 PSU, 5.10 | |
| CVE-2012-3544 | Oracle Secure Global Desktop (SGD) | HTTP | Apache Tomcat | Yes | 5.0 | Network | Low | None | None | None | Partial | SGD prior to 4.63 with December 2013 PSU, 4.71 | |
| CVE-2013-5892 | Oracle VM VirtualBox | None | Core | No | 3.5 | Local | High | Single | Partial+ | Partial+ | Partial+ | VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.22, 4.3.6 | |
| CVE-2014-0407 | Oracle VM VirtualBox | None | Core | No | 3.5 | Local | High | Single | Partial+ | Partial+ | Partial+ | VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4 | |
| CVE-2014-0405 | Oracle VM VirtualBox | None | Core | No | 3.5 | Local | High | Single | Partial | Partial | Partial | VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4 | See Note 1 |
| CVE-2013-2071 | Oracle Secure Global Desktop (SGD) | HTTP | Apache Tomcat | Yes | 2.6 | Network | High | None | Partial | None | None | SGD prior to 4.71 with December 2013 PSU, 5.0 with December 2013 PSU | See Note 2 |
| CVE-2014-0406 | Oracle VM VirtualBox | None | Core | No | 2.4 | Local | High | Single | None | Partial+ | Partial | VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4 | |
| CVE-2014-0404 | Oracle VM VirtualBox | None | Core | No | 2.4 | Local | High | Single | None | Partial | Partial+ | VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4 | |

Notes:
1. Applies only when a Windows guest with VirtualBox Additions installed is running on VirtualBox.
2. SGD releases prior to SGD 4.7 are not affected by CVE-2013-2071 as they do not ship with Apache Tomcat 7.x, which is the only affected release of Tomcat.
Appendix - Oracle MySQL
Oracle MySQL Executive Summary
This Critical Patch Update contains 18 new security fixes for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle MySQL Risk Matrix
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions): Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability.

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-4316 | MySQL Enterprise Monitor | HTTP | Service Manager | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 3.0.4 and earlier, 2.3.14 and earlier | See Note 1 |
| CVE-2013-5860 | MySQL Server | MySQL Protocol | GIS | No | 6.8 | Network | Low | Single | None | None | Complete | 5.6.14 and earlier | |
| CVE-2013-5882 | MySQL Server | MySQL Protocol | Stored Procedure | No | 6.8 | Network | Low | Single | None | None | Complete | 5.6.13 and earlier | |
| CVE-2014-0433 | MySQL Server | MySQL Protocol | Thread Pooling | Yes | 4.3 | Network | Medium | None | None | None | Partial | 5.6.13 and earlier | |
| CVE-2013-5894 | MySQL Server | MySQL Protocol | InnoDB | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.13 and earlier | |
| CVE-2013-5881 | MySQL Server | MySQL Protocol | InnoDB | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.14 and earlier | |
| CVE-2014-0412 | MySQL Server | MySQL Protocol | InnoDB | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier | |
| CVE-2014-0402 | MySQL Server | MySQL Protocol | Locking | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.71 and earlier, 5.5.33 and earlier, 5.6.13 and earlier | |
| CVE-2014-0386 | MySQL Server | MySQL Protocol | Optimizer | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.71 and earlier, 5.5.33 and earlier, 5.6.13 and earlier | |
| CVE-2013-5891 | MySQL Server | MySQL Protocol | Partition | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.33 and earlier, 5.6.13 and earlier | |
| CVE-2014-0401 | MySQL Server | MySQL Protocol | Privileges | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier | |
| CVE-2014-0427 | MySQL Server | MySQL Protocol | FTS | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.13 and earlier | |
| CVE-2014-0431 | MySQL Server | MySQL Protocol | InnoDB | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.14 and earlier | |
| CVE-2014-0437 | MySQL Server | MySQL Protocol | Optimizer | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier | |
| CVE-2014-0393 | MySQL Server | MySQL Protocol | InnoDB | No | 3.3 | Network | Low | Multiple | None | Partial | None | 5.1.71 and earlier, 5.5.33 and earlier, 5.6.13 and earlier | |
| CVE-2014-0430 | MySQL Server | MySQL Protocol | Performance Schema | No | 2.8 | Network | Medium | Multiple | None | None | Partial+ | 5.6.13 and earlier | |
| CVE-2014-0420 | MySQL Server | MySQL Protocol | Replication | No | 2.8 | Network | Medium | Multiple | None | None | Partial+ | 5.5.34 and earlier, 5.6.14 and earlier | |
| CVE-2013-5908 | MySQL Server | MySQL Protocol | Error Handling | Yes | 2.6 | Network | High | None | None | None | Partial+ | 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier | |

Notes:
1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.3: CVE-2013-4316 and CVE-2013-4310. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316. The CVSS score is 10.0 if MySQL Enterprise Monitor runs with admin or root privileges. The score would be 7.5 if MySQL Enterprise Monitor runs with non-admin privileges and the impact on Confidentiality, Integrity and Availability would be Partial+.